This question is more specifically targeted at LXC developers (@stgraber, @brauner, if you find some time…)
I see that LXC4 supports CGroups v2. Packaging it into Debian will mean that unprivileged containers won’t work out of the box for users using the unified cgroup hierarchy. Some question arose in my mind following to that:
Should we create a custom lxc-start that, if not root, and running systemd, calls systemd --user or ${otherinit} good feature? Do you plan to offer such specific scripts/commands?
What about libpam_cgfs? Should it still be packaged and integrated?
Are there some other specific things I could have missed and should care about?
This question is more specifically targeted at LXC developers
(@stgraber, @brauner, if you find some time…) >
I see that LXC4 supports CGroups v2. Packaging it into Debian will mean
that unprivileged containers won’t work out of the box for users using
the unified cgroup hierarchy. Some question arose in my mind following
to that:>
Should we create a custom lxc-start that, if not root, and running
systemd, calls systemd --user or ${otherinit} good feature? Do you plan
to offer such specific scripts/commands?>
Hm, well you could start with providing a downstream wrapped for such cases for sure.
So far we haven’t considered adding a wrapper like that to lxc though I wouldn’t nack it as a workaround if someone were to add it.
I think the better solution would be to teach liblxc to request a delegated cgroup from systemd directly.
So far we have stayed away from that because it might require us to introduce a dependency on dbus (but maybe not) and I didn’t want that (not without a compile-time option).
What about libpam_cgfs? Should it still be packaged and integrated?>
We have no current plans of supporting libpam_cgfs for pure unified layouts simply because it doesn’t work and there’s no nice way to make it work, I think.
But I’m happy to hear the input of users.
Are there some other specific things I could have missed and should
care about?>
Package 4.0.3 directly as it contains a bunch of bugfixes and improvements.
4.0.3 will ignore any lxc.cgroup.* directives on pure unified layouts.
4.0.3 supports the ebpf devices controller for root-started (both privileged and unprivileged) containers.
It has the same semantics as the legacy devices configuration keys.
But instead of specifying lxc.cgroup.devices.{allow,deny} it is specified as lxc.cgroup2.devices.{allow,deny}
For that to be used the default or common.conf file needs to be changed, specifically all lxc.cgroup.devices lines need to be replaced with lxc.cgroup2.devices lines.
@brauner I’ve released lxc4 and lxcfs4 in Debian unstable, I’ll try to fine some time to create a script shell that’d do proper things for unprivileged containers when lxc-start is called.