WatchdogSec for the process inside container is not working

MTL · September 2, 2021, 8:38pm

Below is my service file,

[Unit]
Description=LXC Container: app

[Service]
Type=notify
WatchdogSec=20s
NotifyAccess=exec

ExecStartPre=/usr/local/bin/lxc-start -n childapp2 -f /var/lib/lxc/childapp2/config
ExecStart = /usr/local/bin/lxc-attach -n childapp2 -f /var/lib/lxc/childapp2/config-- /var/lib/lxc/childapp2/media/app
ExecStop = /usr/local/bin/lxc-stop -n childapp2
User=appfw
Group=appfw
PAMName=systemd-user

[Install]
WantedBy=multi-user.target

I want to send WatchDogSec from /lxc/childapp2/media/app which is being started inside the container.
I think it is not happening with this service file as systemd considers lxc-attach as main process and expects WatchDogSec from it not from /app process.

Could you please suggest solution for this

tomp · September 3, 2021, 8:11am

Why don’t you get the init system inside the container to start your service?

MTL · September 3, 2021, 9:13am

Thank you for the feedback.
Do you mean login as user(here it is appfw) and then execute systemctl commands from there?
But is it not possible to use Watchog feature of linux in lxc in host itself

tomp · September 3, 2021, 1:58pm

/usr/local/bin/lxc-start -n childapp2 will start the container and its init system.
You can then configure the init system inside that container to run the service you want when the container starts.

“But is it not possible to use Watchog feature of linux in lxc in host itself” - I’m not sure what you mean by that? If the service is running inside the container then it cannot access the host.

MTL · September 8, 2021, 10:26am

My requirement is to run an unprivilaged container via systemd command from the host.
If i give ,
ExecStart= lxc-attach -n <container_name> – <binary_to_execute>
lxc-attach becomes the main process to systemd and it keeps tracking lxc-attach.

I want to maintain the lifecycle of the service based on the application running inside. So i want to make systemd track the binary i executed with lxc-attach

tomp · September 13, 2021, 8:28am

And does this work just running the two commands from the shell rather than from a systemd unit?

i.e.

lxc-start -n <container>
lxc-attach -n <container> – <binary_to_execute>

MTL · September 14, 2021, 7:09am

Yes it works.

tomp · September 14, 2021, 8:00am

And what is the issue/error when run via the systemd unit?

Are you allowing sufficient time in your systemd unit for the container to complete its start up?

MTL · September 14, 2021, 9:06am

yes.

I can even start the container as systemd unit.
My requirement is control the application started inside the container using watchdogSec feature of systemd(i.e., to get the sd_notify from the application nside the container)

ExecStart=/usr/local/bin/lxc-attach -n app -f app – /var/lib/lxc/app/app_c

systemd waits for the watchdog notification from lxc-attach but i want it it be from app_c

tomp · September 14, 2021, 9:10am

How is the watchdog notification sent from the application? Is it sent via stdout/stderr?

MTL · September 14, 2021, 9:11am

vis sd_notify call of systemd

tomp · September 14, 2021, 9:27am

Does that use a notify socket specified in an env var NOTIFY_SOCKET?

If so then that won’t work as the container process won’t be able to access the notify socket from the host’s systemd.

I believe a simpler approach would be to get the systemd inside the container to start the process on container start and then use the watchdog feature inside the container.

MTL · September 15, 2021, 8:24pm

ok…thank you for the feedback
is there any particular procedure to get systemd inside the container

Below is the status for one of my servies. Is it normal for app_c not listing under systemd cgroups? Does it mean systemd cannot see the application running from lxc-attach?

childapp2.service - App inside lXC Container: childapp2
Loaded: loaded (/usr/lib/systemd/system/childapp2.service; enabled; vendor preset: enabled)
Active: activating (start) since Wed 2021-09-15 22:20:52 CEST; 31s ago
Main PID: 15072 (code=killed, signal=TERM); Control PID: 6446 (lxc-attach)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/childapp2.service
‣ 6446 /usr/local/bin/lxc-attach -n childapp2 -l trace -o /var/lib/lxc/childapp2/attachlog.txt – /var/lib/lxc/childapp2/media/app_c

tomp · September 16, 2021, 8:05am

Can you show your systemd unit you’re using inside your container?

MTL · September 16, 2021, 9:42am

I am yet to configure systemd inside the container. Could ou please let me know the availability of documentation for this

tomp · September 16, 2021, 9:58am

I’m not sure what you mean. If you are using an image that has systemd as the init system then you have systemd. If not then you don’t.