WatchdogSec for the process inside container is not working

Below is my service file,

[Unit]
Description=LXC Container: app

[Service]
Type=notify
WatchdogSec=20s
NotifyAccess=exec

ExecStartPre=/usr/local/bin/lxc-start -n childapp2 -f /var/lib/lxc/childapp2/config
ExecStart = /usr/local/bin/lxc-attach -n childapp2 -f /var/lib/lxc/childapp2/config-- /var/lib/lxc/childapp2/media/app
ExecStop = /usr/local/bin/lxc-stop -n childapp2
User=appfw
Group=appfw
PAMName=systemd-user

[Install]
WantedBy=multi-user.target

I want to send WatchDogSec from /lxc/childapp2/media/app which is being started inside the container.
I think it is not happening with this service file as systemd considers lxc-attach as main process and expects WatchDogSec from it not from /app process.

Could you please suggest solution for this

Why don’t you get the init system inside the container to start your service?

1 Like

Thank you for the feedback.
Do you mean login as user(here it is appfw) and then execute systemctl commands from there?
But is it not possible to use Watchog feature of linux in lxc in host itself

/usr/local/bin/lxc-start -n childapp2 will start the container and its init system.
You can then configure the init system inside that container to run the service you want when the container starts.

“But is it not possible to use Watchog feature of linux in lxc in host itself” - I’m not sure what you mean by that? If the service is running inside the container then it cannot access the host.

My requirement is to run an unprivilaged container via systemd command from the host.
If i give ,
ExecStart= lxc-attach -n <container_name> – <binary_to_execute>
lxc-attach becomes the main process to systemd and it keeps tracking lxc-attach.

I want to maintain the lifecycle of the service based on the application running inside. So i want to make systemd track the binary i executed with lxc-attach

And does this work just running the two commands from the shell rather than from a systemd unit?

i.e.

lxc-start -n <container>
lxc-attach -n <container> – <binary_to_execute>

Yes it works.

And what is the issue/error when run via the systemd unit?

Are you allowing sufficient time in your systemd unit for the container to complete its start up?

yes.

I can even start the container as systemd unit.
My requirement is control the application started inside the container using watchdogSec feature of systemd(i.e., to get the sd_notify from the application nside the container)

ExecStart=/usr/local/bin/lxc-attach -n app -f app – /var/lib/lxc/app/app_c

systemd waits for the watchdog notification from lxc-attach but i want it it be from app_c

How is the watchdog notification sent from the application? Is it sent via stdout/stderr?

vis sd_notify call of systemd

Does that use a notify socket specified in an env var NOTIFY_SOCKET?

If so then that won’t work as the container process won’t be able to access the notify socket from the host’s systemd.

I believe a simpler approach would be to get the systemd inside the container to start the process on container start and then use the watchdog feature inside the container.

ok…thank you for the feedback
is there any particular procedure to get systemd inside the container

Below is the status for one of my servies. Is it normal for app_c not listing under systemd cgroups? Does it mean systemd cannot see the application running from lxc-attach?

childapp2.service - App inside lXC Container: childapp2
Loaded: loaded (/usr/lib/systemd/system/childapp2.service; enabled; vendor preset: enabled)
Active: activating (start) since Wed 2021-09-15 22:20:52 CEST; 31s ago
Main PID: 15072 (code=killed, signal=TERM); Control PID: 6446 (lxc-attach)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/childapp2.service
‣ 6446 /usr/local/bin/lxc-attach -n childapp2 -l trace -o /var/lib/lxc/childapp2/attachlog.txt – /var/lib/lxc/childapp2/media/app_c

Can you show your systemd unit you’re using inside your container?

I am yet to configure systemd inside the container. Could ou please let me know the availability of documentation for this

I’m not sure what you mean. If you are using an image that has systemd as the init system then you have systemd. If not then you don’t.