Package: systemd-container
Version: 239-5
Severity: normal

Dear Maintainer,
According to the manual page, --property=Delegate=... with systemd-nspawn should let the executed container have access to "...", but it does not work as documented with the newest Debian package (and possibly with upstream?). I wonder if it is a problem with Linux 4.17.0-1-amd64 installed from Debian experimental, or with AppArmor... So I first report this to the Debian BTS. I also wonder if this behavior and #903011 are just two different symptoms arising from a single root cause.

Specifically, when I executed the command

systemd-nspawn -b -M container-unstable --network-ipvlan=wls3 --property="Delegate=memory pids cpu io"

I see the following. Please note that cgroup v2 is used with systemd, i.e., systemd.unified_cgroup_hierarcy=1 is given on the kernel command line.

Spawning container container-unstable on /var/lib/machines/container-unstable.
Press ^] three times within 1s to kill container.
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.

Welcome to Debian GNU/Linux buster/sid

Set hostname to <container-unstable>.
File /lib/systemd/system/systemd-journald.service:36 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
-.slice: Failed to set cpu.weight: Operation not permitted
-.slice: Failed to set cpu.max: Operation not permitted
-.slice: Failed to set io.weight: Operation not permitted
-.slice: Failed to set memory.low: Operation not permitted
-.slice: Failed to set memory.high: Operation not permitted
-.slice: Failed to set memory.max: Operation not permitted
-.slice: Failed to set pids.max: Operation not permitted

(The above messages show the problem, and many lines are deleted here)

[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux buster/sid container-unstable console

container-unstable login: root
Password:
Last login: Sun Jul  8 18:08:54 JST 2018 on console
Linux container-unstable 4.17.0-1-amd64 #1 SMP Debian 4.17.3-1 (2018-07-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@container-unstable:~# cd /sys/fs/cgroup/

Here I moved to the root of the cgroup v2 hierarchy.
root@container-unstable:/sys/fs/cgroup# ls -l
total 0
-r--r--r--  1 root root 0 Jul  8 18:26 cgroup.controllers
-r--r--r--  1 root root 0 Jul  8 18:26 cgroup.events
-rw-r--r--  1 root root 0 Jul  8 18:27 cgroup.max.depth
-rw-r--r--  1 root root 0 Jul  8 18:27 cgroup.max.descendants
-rw-r--r--  1 root root 0 Jul  8 18:26 cgroup.procs
-r--r--r--  1 root root 0 Jul  8 18:26 cgroup.stat
-rw-r--r--  1 root root 0 Jul  8 18:26 cgroup.subtree_control
-rw-r--r--  1 root root 0 Jul  8 18:26 cgroup.threads
-rw-r--r--  1 root root 0 Jul  8 18:27 cgroup.type
-rw-r--r--  1 root root 0 Jul  8 18:26 cpu.max
-r--r--r--  1 root root 0 Jul  8 18:27 cpu.stat
-rw-r--r--  1 root root 0 Jul  8 18:26 cpu.weight
-rw-r--r--  1 root root 0 Jul  8 18:27 cpu.weight.nice
drwxr-xr-x  2 root root 0 Jul  8 18:26 init.scope
-rw-r--r--  1 root root 0 Jul  8 18:27 io.max
-r--r--r--  1 root root 0 Jul  8 18:27 io.stat
-rw-r--r--  1 root root 0 Jul  8 18:26 io.weight
-r--r--r--  1 root root 0 Jul  8 18:27 memory.current
-r--r--r--  1 root root 0 Jul  8 18:27 memory.events
-rw-r--r--  1 root root 0 Jul  8 18:26 memory.high
-rw-r--r--  1 root root 0 Jul  8 18:26 memory.low
-rw-r--r--  1 root root 0 Jul  8 18:26 memory.max
-r--r--r--  1 root root 0 Jul  8 18:27 memory.stat
-r--r--r--  1 root root 0 Jul  8 18:27 pids.current
-r--r--r--  1 root root 0 Jul  8 18:27 pids.events
-rw-r--r--  1 root root 0 Jul  8 18:26 pids.max
drwxr-xr-x 13 root root 0 Jul  8 18:26 system.slice
drwxr-xr-x  3 root root 0 Jul  8 18:26 user.slice

I see that I have (as root) write permission to the relevant files above.
BUT I cannot write values to the relevant files:

root@container-unstable:/sys/fs/cgroup# echo 1000 >pids.max
-bash: echo: write error: Operation not permitted
root@container-unstable:/sys/fs/cgroup# echo 3G >memory.high
-bash: echo: write error: Operation not permitted

When I executed the above command, I checked the delegation status of the container from another console, and I got:

ryutaroh@unstable:~$ systemctl show systemd-nspawn@container-unstable.service | grep Delegate
Delegate=yes
DelegateControllers=cpu io memory pids

Systemd also thinks that it delegates the requested permissions...

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd-container depends on:
ii  dbus              1.12.8-3
ii  libacl1           2.2.52-3+b1
ii  libbz2-1.0        1.0.6-8.1
ii  libc6             2.27-3
ii  libcurl3-gnutls   7.60.0-2
ii  libgcrypt20       1.8.3-1
ii  liblzma5          5.2.2-1.3
ii  libseccomp2       2.3.3-3
ii  libselinux1       2.8-1+b1
ii  systemd           239-5
ii  zlib1g            1:1.2.11.dfsg-1

Versions of packages systemd-container recommends:
ii  btrfs-progs        4.16.1-2
ii  libnss-mymachines  239-5

systemd-container suggests no packages.

-- no debconf information
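As an added illustration that is not part of the report, the following Python model encodes the cgroup v2 delegation-boundary rule from the kernel's cgroup-v2 admin guide (the nsdelegate mount option): a process inside a non-init cgroup namespace cannot write the resource-control knobs of its own namespace root, only cgroup.procs, cgroup.threads and cgroup.subtree_control, while child cgroups stay writable. That rule yields the pattern seen above (EPERM on -.slice and on the root-level files despite rw permission bits), but whether the host actually mounted cgroup2 with nsdelegate is an assumption to verify with findmnt on the host; probe_live is an added helper for checking a real mount as root, and SAMPLE_WRITES is constructed.

```python
import errno
import os

# Kernel rule (cgroup-v2 admin guide, "nsdelegate"): inside a non-init cgroup namespace
# only these files of the namespace root are writable; other knobs there return EPERM.
NS_DELEGATABLE = {"cgroup.procs", "cgroup.threads", "cgroup.subtree_control"}


def write_allowed(rel_cgroup, fname, nsdelegate=True, in_non_init_ns=True):
    """Return 0 if writing <ns root>/rel_cgroup/fname passes the delegation-boundary
    check, else errno.EPERM. rel_cgroup is relative to the namespace root; '' or '/'
    is the root itself (what systemd inside the container reports as -.slice)."""
    at_ns_root = rel_cgroup.strip("/") == ""
    if nsdelegate and in_non_init_ns and at_ns_root and fname not in NS_DELEGATABLE:
        return errno.EPERM
    return 0


def classify_writes(writes):
    """Map each (rel_cgroup, fname) pair to 'ok' or 'EPERM' under the rule above."""
    return {w: "ok" if write_allowed(*w) == 0 else "EPERM" for w in writes}


def probe_live(fname, cgroup_root="/sys/fs/cgroup"):
    """On a real cgroup2 mount, rewrite fname at cgroup_root with its current contents
    (a no-op when it succeeds) and return the write's errno, 0 on success. Needs root;
    the kernel enforces the boundary at write(), not open(), so ls -l cannot show it."""
    path = os.path.join(cgroup_root, fname)
    try:
        with open(path) as f:
            current = f.read()
        with open(path, "w") as f:
            f.write(current)
    except OSError as e:
        return e.errno
    return 0


# Constructed sample mirroring the report: systemd inside the container sets knobs on
# -.slice (its namespace root) and on child cgroups such as system.slice.
SAMPLE_WRITES = [
    ("/", "cpu.weight"), ("/", "memory.max"), ("/", "pids.max"),
    ("/", "cgroup.subtree_control"), ("system.slice", "memory.max"),
]

if __name__ == "__main__":
    for (cg, f), verdict in classify_writes(SAMPLE_WRITES).items():
        print(f"{cg.rstrip('/') or '/'}/{f}: {verdict}")
```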