Quoting Brian Campbell (lam...@continuation.org):
> On Feb 18, 2014, at 12:16 AM, Serge Hallyn <serge.hal...@ubuntu.com> wrote:
>
> >> Ah, that's the ticket:
> >>
> >> lambda@gherkin:~$ cat /proc/sys/kernel/unprivileged_userns_clone
> >> 0
> >>
> >> Looks like this is a Debian-specific patch,
> >
> > *cough* pls not to ask how i knew to query it kthx
> >
> >> which is why looking at the upstream kernel source left me puzzled about
> >> why I'd be getting an EPERM.
> >>
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712870
> >>
> >>   * namespaces: Enable USER_NS (Closes: #712870)
> >>     - Restrict creation of user namespaces to root (CAP_SYS_ADMIN) by
> >>       default (sysctl: kernel.unprivileged_userns_clone)
> >>
> >> Works much better when I flip that to 1!
> >>
> >> lambda@gherkin:lxc$ lxc-create -l DEBUG -o lxc.log --name precise-test
> >> -t download -- -d ubuntu -r precise -a amd64
> >> Setting up the GPG keyring
> >> Downloading the image index
> >> Downloading the rootfs
> >> Downloading the metadata
> >> The image cache is now ready
> >> Unpacking the rootfs
> >>
> >> ---
> >> You just created an Ubuntu container (release=precise, arch=amd64).
> >> The default username/password is: ubuntu / ubuntu
> >> To gain root privileges, please use sudo.
> >>
> >> Now I need to figure out what is required for the setup of cgroups,
> >> since now that's failing. It looks like it's trying to clear out the
> >> cgroup hierarchy to be able to set it up differently, but obviously
> >> doesn't have permissions to do so. I'm running systemd, which uses the
> >> cgroup hierarchy already. I've seen references to cgroup-lite,
> >> cgroup-bin, and cgroup-tools; do I need one of these packages to
> >> set up cgroups appropriately for unprivileged containers? Or is it
> >> possible to do natively with systemd?
> >>
> >> lambda@gherkin:lxc$ lxc-start -n precise-test
> >> lxc_container: Could not set clone_children to 1 for cpuset hierarchy in
> >> parent cgroup.
> >
> > I thought we'd stopped doing that, but I guess not fully.
> > Could you try this patch?
> >
> > Subject: [PATCH 1/1] continue if we cannot set cpuset.clonechildren
> >
> > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
>
> It does get rid of that specific error, but still goes on to fail:
>
> lambda@gherkin:lxc (master)$ lxc-start -n precise-test
> lxc_container: Permission denied - Could not create cgroup /precise-test
> lxc_container: Permission denied - cgroup_rmdir: failed to delete
> /sys/fs/cgroup/perf_event/
It looks like you're in the root cgroup and starting as non-root. Without being
root you indeed do not have the rights to create new cgroups there. You'll need
to either use lxc as root, or do something like

    for d in /sys/fs/cgroup/*; do
        sudo mkdir "$d/lambda"
        sudo chown -R lambda: "$d/lambda"
        echo $$ > "$d/lambda/tasks"
    done

-serge

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
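A scripted form of that per-user cgroup setup, added here as an example and not code from this thread. It assumes the cgroup v1 layout the session above shows (one directory with a tasks file per hierarchy under /sys/fs/cgroup), a user named lambda as in the thread, and function names chosen for this example; it also checks afterwards that the shell really left the root cgroup in every hierarchy.

```shell
#!/bin/sh
# Added example, not code from this thread: give one unprivileged user a private
# sub-cgroup in every mounted cgroup v1 hierarchy, the setup Serge's loop does
# by hand. Assumes the v1 layout the quoted session shows: one directory per
# hierarchy under $CGROUP_ROOT, each exposing a "tasks" file. Names are assumed.
set -eu

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"
# Privileged steps go through sudo unless this shell already runs as root.
if [ "$(id -u)" -eq 0 ]; then SUDO=""; else SUDO="${SUDO-sudo}"; fi

# create_user_cgroups USER: mkdir+chown $hierarchy/USER wherever a tasks file
# marks a real hierarchy; prints each path created. Only that subtree is handed
# to the user, the root cgroup itself stays root-owned.
create_user_cgroups() {
    user="$1"
    case "$user" in ''|*/*|.|..) echo "refusing unsafe user name" >&2; return 1;; esac
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    for d in "$CGROUP_ROOT"/*/; do
        d="${d%/}"
        [ -f "$d/tasks" ] || continue        # not a cgroup hierarchy, skip it
        $SUDO mkdir -p "$d/$user"
        $SUDO chown -R "$user": "$d/$user"
        printf '%s\n' "$d/$user"
    done
}

# join_user_cgroups USER [PID]: move PID (default: this shell) into USER's
# sub-cgroup of every hierarchy so children such as lxc-start inherit it.
join_user_cgroups() {
    user="$1"; pid="${2:-$$}"
    for d in "$CGROUP_ROOT"/*/; do
        d="${d%/}"
        [ -d "$d/$user" ] || continue
        echo "$pid" > "$d/$user/tasks"     # the user owns this file after chown
    done
}

# verify_user_cgroups USER PID: succeeds only if PID sits in USER's sub-cgroup
# of every hierarchy, i.e. nothing was left behind in the root cgroup.
verify_user_cgroups() {
    user="$1"; pid="$2"
    for d in "$CGROUP_ROOT"/*/; do
        d="${d%/}"
        [ -f "$d/tasks" ] || continue
        grep -qx "$pid" "$d/$user/tasks" 2>/dev/null || return 1
    done
}
```

Source the file from the shell you will run lxc-start from (so $$ is that shell), then call create_user_cgroups lambda, join_user_cgroups lambda and verify_user_cgroups lambda $$.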