CentOS 7.6 unprivileged Centos container "failed to mount cgroup at /sys/fs/cgroup/systemd"

Hello,

I have a CentOS 7.6 host with EPEL lxc 1.0.11-1 and try to use CentOS unprivileged containers (no problem with privileged) with the root account.

On the host I added “root:100000:65536” to the files “/etc/subuid” and “/etc/subgid”,
“lxc.id_map = u 0 100000 65536” and “lxc.id_map = g 0 100000 65536” to the file “/etc/lxc/default.conf”,
“user.max_user_namespaces = 7976” (default 0 on CentOS 7) to the file /etc/sysctl.conf.

I created/started the CentOS 7 container with no network.

lxc-create -n centos-nopriv -t download -- -d centos -r 7 -a amd64

lxc-start -n centos-nopriv -L DEBUG -d

But the container startup does not complete: I have only the “init” process, and in the DEBUG file:

Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!

Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: No such file or directory
Failed to allocate manager object: No such file or directory
[!!!] Failed to allocate manager object, freezing.

I can access the container

lxc-attach -n centos-nopriv

[root@centos-nopriv /]# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 08:38 ? 00:00:00 /sbin/init
root 4 0 0 08:39 ? 00:00:00 /bin/bash
root 42 4 0 08:43 ? 00:00:00 ps -ef
[root@centos-nopriv /]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/vgxxx-lvxxx 20957184 2136916 18820268 11% /
devtmpfs 1020884 0 1020884 0% /dev
tmpfs 1022520 0 1022520 0% /dev/shm
tmpfs 1022520 4 1022516 1% /run
tmpfs 1022520 0 1022520 0% /sys/fs/cgroup
[root@centos-nopriv /]# ls -ld /sys/fs/cgroup/systemd
drwxr-xr-x. 3 root root 60 Dec 19 08:39 /sys/fs/cgroup/systemd
[root@centos-nopriv /]# touch /sys/fs/cgroup/systemd/toto
[root@centos-nopriv /]# rm -f /sys/fs/cgroup/systemd/toto
[root@centos-nopriv /]# exit

The container config:

lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
lxc.mount.auto = proc:mixed sys:ro
lxc.tty = 4
lxc.pts = 1024
lxc.arch = x86_64
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.utsname = centos-nopriv
lxc.network.type = empty
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = setfcap
lxc.cap.drop = sys_module
lxc.cap.drop = sys_nice
lxc.cap.drop = sys_pacct
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_time
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.rootfs = /srv/diode/lxc/centos-nopriv/rootfs

I have no problem with unprivileged containers on Fedora fc29/lxc 3.0.3-1 (no success with fc28/lxc 2…) but I cannot use Fedora in prod.

Best regards.

Francis
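Before starting an unprivileged container it is worth checking that the host-side pieces described in this post agree with each other: every lxc.id_map host range must lie inside a range delegated to that user in /etc/subuid and /etc/subgid, and user.max_user_namespaces must be above zero. This is an added checker, not part of the thread or of LXC itself; the file contents below are constructed to mirror the post, and on a real host you would read the actual files instead.

```python
"""Check an LXC id mapping against subuid/subgid and the user-namespace sysctl."""
import re
from typing import Dict, List, Tuple

# Constructed samples mirroring the host setup described in the post (not real files).
SUBUID_SAMPLE = "root:100000:65536\n"
SUBGID_SAMPLE = "root:100000:65536\n"
SYSCTL_SAMPLE = "user.max_user_namespaces = 7976\n"
LXC_CONF_SAMPLE = """lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.network.type = empty
"""

ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_sub_ids(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse subuid/subgid lines (user:start:count) into {user: [(start, count), ...]}."""
    ranges: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def parse_id_maps(conf: str) -> List[Tuple[str, int, int, int]]:
    """Return (kind, container_start, host_start, count) for each lxc.id_map line."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4)))
            for m in (ID_MAP_RE.match(l) for l in conf.splitlines()) if m]


def user_ns_enabled(sysctl_text: str) -> bool:
    """True if user.max_user_namespaces is set above zero (CentOS 7 defaults to 0)."""
    for line in sysctl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "user.max_user_namespaces":
            return int(value.strip()) > 0
    return False


def check_mapping(conf: str, subuid: str, subgid: str, user: str = "root") -> List[str]:
    """List every lxc.id_map host range not fully covered by the user's delegated ranges."""
    allowed = {"u": parse_sub_ids(subuid).get(user, []),
               "g": parse_sub_ids(subgid).get(user, [])}
    problems = []
    for kind, c_start, h_start, count in parse_id_maps(conf):
        # The whole [h_start, h_start + count) window must sit inside one delegated range.
        if not any(s <= h_start and h_start + count <= s + n for s, n in allowed[kind]):
            problems.append(f"{kind} {c_start} {h_start} {count}: host range not delegated to {user}")
    return problems
```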

LXC 1.0 isn’t considered to support running systemd containers.
It’s unaware of cgroup namespaces that would help in this case and is also missing a number of other systemd support features like the new /dev handling and console management.

You should really try to get to LXC 2.0 or even better, 3.0 as more recent LTS releases.

Thank You,

No problem to install a kernel 4 from the elrepo, but do you know where I can download lxc 2 or 3 rpm for CentOS 7?

Best regards.

Francis

Stéphane,

No systemd problem with CentOS 7/lxc 1 with a privileged container.

With an unprivileged container, systemd with FC 28/lxc 2 does not work; I have to use FC 29/lxc 3.

Best regards.

Francis

https://copr.fedorainfracloud.org/coprs/ganto/lxc3/ appears to be compatible with CentOS 7 and provides the LXC 3.0 LTS release.

Stéphane,

Thank you! From the “Copr ganto” repo I upgraded lxc to version 3.0.3 (lua-lxc is in version 3.0.2) and now I can start unprivileged CentOS/systemd containers with the default CentOS kernel 3.10.0-957.1.3.

I added the file “/etc/yum.repos.d/ganto-lxc3-epel-7.repo”

[ganto-lxc3]
name=Copr repo for lxc3 owned by ganto
baseurl=https://copr-be.cloud.fedoraproject.org/results/ganto/lxc3/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/ganto/lxc3/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

and updated lxc with

yum update lxc lxc-templates lua-lxc python34-lxc lxc-libs

Now I have some work to do to implement what we need.

Best regards.

Francis