How to use acct inside container

I’d like to account cpu usage by user using standart acct (apt install acct) but it does not work inside continer (unpriveleged) with error

# sa -im
                                 sa: ERROR -- print_stats_nicely called with num_calls == 0

How to fix it?

Thanks

Have you compiled LXCFS and enabled the switch for per container CPU stats ?

The OP just posted a question about IPvlan, so he is running snap LXD. Are you sure it’s possible to use a custom lxcfs with snap lxd ?

Yeah pretty sure you can, ive managed to mount the new lxcfs into a container to get cpu load avs

Also he said cpu ussage nothing about ipvlan

I’m new to lxc/lxd.

Should I use specific version of LXCFS?
Why?
Which exactly?

And yes, I’m using LXD 3.14 from edge snap.

You cant load average per container without the new lxcfs unless im wong @stgraber?

Yeah, that’s right, there are no stable versions of lxcfs shipping with that option.
The version in the edge snap would be sufficient but the feature isn’t enabled there either and obviously you shouldn’t be running edge in any kind of production environment.

@brauner is about to release LXC 3.2, maybe we can do a LXCFS 3.1 at the same time?

1 Like

@stgraber How to enable this feature? I think it is cap_sys_pacct.

It seems ok to me to use edge.

@stgraber

Is it possible now with lxd 3.15?

Should I enable something to container to be able to use acct as sa -im inside?

@stgraber @brauner please help )

(inside ct) # capsh --print | grep acct
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep

but

# accton on
Turning on process accounting, file set to the default '/var/log/account/pacct'.
accton: Operation not permitted

How to fix it?

Latest stable 3.18 LXD from snap.

That’s a kernel limitation most likely.

Having a capability against your user namespace doesn’t mean you have that capability against the rest of the kernel, so if you’re not interacting with a namespaced kernel resource, your capability is meaningless and the kernel will reject it.

Well, I found the solution.

Making container privileged allows me to use acct. This is partially ok to me and I understand all risks of course.

However, I mistakenly expected there will be a translation of calls to the kernel from the root inside container to the host’s kernel, like it works on OpenVZ. Is it really missing? Is it hard to implement? Possibly I can sponsor someone for this work.