Control: tags -1 + fixed-upstream upstream

Dear LXC maintainers and Systemd maintainers,

I added fixed-upstream to #944389, and it seems that the blocking of #943981 by LXC can be lifted after some work. If LXC is the only reason for the systemd package to revert to the hybrid hierarchy, it can probably return to the unified default. The below is the justification/explanation.

I did

1. "apt-get source lxc" on Ubuntu Eoan (sorry, not Debian Bullseye),
2. overwrote the source with the *stable-3.0* branch of lxc on GitHub,
3. and rebuilt it with "debuild -b -uc -us".

The built package worked as expected with no problem under cgroupv2 / unified hierarchy on Ubuntu Eoan. Some adjustment to the config file was necessary, as below:

ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2415 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
ERROR start - start.c:lxc_spawn:1910 - Failed to setup legacy device cgroup controller limits

The above error is caused by a failed attempt to use the Cgroup V1 device controller. To fix it we need:

lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =

The newer systemd refuses to start in the LXC container with the error message:

Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems. Exiting PID 1...

The reason for this error is the lack of /sys/fs/cgroup in the container. To fix this, we need

lxc.mount.auto = cgroup:rw:force

In another bug report, #946480, I reported that a non-root user cannot start an LXC container. The reason for the failure is the lack of a cgroup directory manipulable by a non-root user. To fix this issue, a non-root user has to start a container by

systemd-run --user --scope -p "Delegate=yes" lxc-start -F ... (foreground)

or

systemd-run --user -r -p "Delegate=yes" lxc-start -F ... (background)

so that the non-root lxc-start has a manipulable cgroup directory.

The essential problem in #946480 is that there is no user instruction on how to start an LXC container as non-root, and #946480 is a purely documentation issue. Maybe updating https://wiki.debian.org/LXC is enough.

Conventionally, libpam-cgfs chowned a non-root user's session scope so that a non-root LXC container could manipulate it. But merely chowning the session scope is insufficient to make cgroup.subtree_control writable by non-root users under cgroupv2 / unified hierarchy. So libpam-cgfs has become useless in cgroupv2 / unified hierarchy, which was #946170.

Best regards,
Ryutaroh Matsumoto
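The message above lists three steps for running an LXC container on a unified-hierarchy host: two config lines that clear the cgroup v1 device lists, one that mounts cgroupfs into the container, and a systemd-run wrapper that gives an unprivileged lxc-start a delegated cgroup. The following POSIX sh helper, added here as an example and not part of the bug report or of the LXC project, ties those together: it classifies the host's cgroup hierarchy (cgroup2 exposes cgroup.controllers at its root; systemd's hybrid mode mounts cgroup2 under /sys/fs/cgroup/unified), appends exactly the three config lines from the report idempotently, and prints the systemd-run command line for foreground or background use. The function names, the parameterised root path and the container name in the usage comment are my assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or LXC): detect the host cgroup
# hierarchy and apply the unified-hierarchy settings the report describes.
# The root path is a parameter so the functions can be tested against a
# constructed directory instead of the live /sys/fs/cgroup.

# Classify the hierarchy by what is present under the cgroup root:
#   unified: the root itself is cgroup2 (cgroup.controllers at the root)
#   hybrid:  cgroup v1 controllers plus a cgroup2 mount at <root>/unified
#   legacy:  cgroup v1 only
cgroup_mode() {
    root="${1:-/sys/fs/cgroup}"
    if [ -f "$root/cgroup.controllers" ]; then
        echo unified
    elif [ -f "$root/unified/cgroup.controllers" ]; then
        echo hybrid
    else
        echo legacy
    fi
}

# Append the three settings from the report to a container config file,
# skipping any line that is already present so repeated runs are harmless.
patch_lxc_config() {
    cfg="$1"
    for line in \
        'lxc.cgroup.devices.allow =' \
        'lxc.cgroup.devices.deny =' \
        'lxc.mount.auto = cgroup:rw:force'
    do
        grep -qxF "$line" "$cfg" || printf '%s\n' "$line" >> "$cfg"
    done
}

# Print the systemd-run wrapper an unprivileged user needs so that lxc-start
# runs inside a delegated cgroup. $1 is "fg" (transient scope, foreground)
# or "bg" (transient service, background); remaining args go to lxc-start.
unprivileged_start_cmd() {
    mode="$1"; shift
    case "$mode" in
        fg) printf '%s\n' "systemd-run --user --scope -p \"Delegate=yes\" lxc-start -F $*" ;;
        bg) printf '%s\n' "systemd-run --user -r -p \"Delegate=yes\" lxc-start -F $*" ;;
        *)  echo "usage: unprivileged_start_cmd fg|bg <lxc-start args>" >&2; return 1 ;;
    esac
}

# Usage on a real host (container name "c1" is a hypothetical example):
#   cgroup_mode
#   patch_lxc_config "$HOME/.local/share/lxc/c1/config"
#   unprivileged_start_cmd fg -n c1
```

Running cgroup_mode first tells you whether the host is actually on the unified hierarchy before you change a container config; on a hybrid or legacy host the device-list lines would disable cgroup v1 device confinement without the cgroup2 counterpart being in effect, so only apply them where the report's situation holds.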