Hi,

It seems that systemd builds the cgroup hierarchy incorrectly when it is
running in a container. Systemd duplicates part of the hierarchy below
machine.slice/machine...scope/. As a result, a non-root user session
cannot be created due to a lack of permissions.

In an nspawn container the problem with non-root session creation does
not appear. The only minor difference between the containers that we
found is in the cgroup hierarchy.

Cgroup hierarchies for the tested cases:

1. cgroup hierarchy for a non-systemd container

sh-4.2# systemd-cgls
├─user.slice
│ └─user-5000.slice
│   ├─session-c1.scope
│   │ └─2362 /usr/bin/user-session-launch seat0 5000
│   └─user@5000.service
│     ├─2365 /usr/lib/systemd/systemd --user
│     ├─2366 (sd-pam)
│     ├─starter.service
│     │ └─2711 /usr/bin/starter
│     ├─xorg.service
│     │ └─2709 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     ├─msg-service.service
│     │ └─2373 /usr/bin/msg-server
│     └─email.service
│       └─2371 /usr/bin/email-service
├─machine.slice
│ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   ├─2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   └─2681 /bin/bash
└─system.slice
  ├─1 /sbin/init
  ├─connman.service
  │ └─29225 /usr/sbin/connmand -n


2. cgroup hierarchy for a running container with systemd

sh-4.2# systemd-cgls
├─user.slice
│ └─user-5000.slice
│   ├─session-c1.scope
│   │ └─2362 /usr/bin/user-session-launch seat0 5000
│   └─user@5000.service
│     ├─2365 /usr/lib/systemd/systemd --user
│     ├─2366 (sd-pam)
│     ├─xorg.service
│     │ └─3185 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     ├─msg-service.service
│     │ └─2373 /usr/bin/msg-server
│     └─email.service
│       └─2371 /usr/bin/email-service
├─machine.slice
│ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   ├─2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   └─machine.slice
│     └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       └─system.slice
│         ├─2681 /usr/lib/systemd/systemd
│         ├─systemd-logind.service
│         │ └─3215 /usr/lib/systemd/systemd-logind
│         ├─connman.service
│         │ └─3214 /usr/sbin/connmand -n
│         ├─dbus.service
│         │ └─3212 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
│         ├─console-getty.service
│         │ └─3240 /sbin/agetty --noclear -s console 115200 38400 9600
│         ├─wpa_supplicant.service
│         │ └─3241 /usr/sbin/wpa_supplicant -u
│         └─systemd-journald.service
│           └─3200 /usr/lib/systemd/systemd-journald
└─system.slice
  ├─1 /sbin/init
  ├─connman.service


3. cgroup hierarchy for a running container with a running user session

sh-4.2# systemd-cgls
├─user.slice
│ └─user-5000.slice
│   ├─session-c1.scope
│   │ └─2362 /usr/bin/user-session-launch seat0 5000
│   └─user@5000.service
│     ├─2365 /usr/lib/systemd/systemd --user
│     ├─2366 (sd-pam)
│     ├─xorg.service
│     │ └─3468 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     ├─msg-service.service
│     │ └─2373 /usr/bin/msg-server
│     └─email.service
│       └─2371 /usr/bin/email-service
├─machine.slice
│ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   ├─2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 --security=
│   └─machine.slice
│     └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       ├─machine.slice
│       │ └─machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       │   └─user.slice
│       │     └─user-0.slice
│       │       └─user@0.service
│       │         └─3483 /usr/lib/systemd/systemd --user
│       ├─user.slice
│       │ └─user-0.slice
│       │   ├─session-c1.scope
│       │   │ ├─3240 login -- root
│       │   │ └─3486 -bash
│       │   └─user@0.service
│       │     └─3484 (sd-pam)
│       └─system.slice
│         ├─2681 /usr/lib/systemd/systemd
│         ├─systemd-logind.service
│         │ └─3215 /usr/lib/systemd/systemd-logind
│         ├─connman.service
│         │ └─3214 /usr/sbin/connmand -n
│         ├─dbus.service
│         │ └─3212 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
│         ├─wpa_supplicant.service
│         │ └─3241 /usr/sbin/wpa_supplicant -u
│         └─systemd-journald.service
│           └─3200 /usr/lib/systemd/systemd-journald
└─system.slice
  ├─1 /sbin/init
  ├─connman.service

Best regards



Jacek Pielaszkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Email: j.pielasz...@samsung.com
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
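As an added diagnostic, which is neither part of the mail above nor systemd's own code: a small Python script that parses systemd-cgls output into full cgroup paths and flags every cgroup whose path contains the same .scope or .service unit more than once, which is the duplication visible in listings 2 and 3 (the container scope appearing below itself). The embedded listing is a constructed sample modelled on listing 3, not captured output, and the function names (parse_cgls, repeated_units, find_self_nested) are my own. Slices such as machine.slice are deliberately not counted, because they legitimately reappear when one container runs inside another.

```python
"""Flag self-nested cgroups in `systemd-cgls` output (added example, not systemd code).

systemd-cgls indents each tree level by two characters and introduces every
node with a connector ('├─' or '└─'). A node is either a cgroup name
(*.slice, *.scope, *.service) or a PID followed by its command line.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample modelled on the nested-container listing; not real output.
SAMPLE = """\
├─user.slice
│ └─user-5000.slice
│   └─session-c1.scope
│     └─2362 /usr/bin/user-session-launch seat0 5000
├─machine.slice
│ └─machine-lxc\\x2dtizen\\x2dbash\\x2d2.scope
│   ├─2672 /usr/libexec/libvirt_lxc --name tizen-bash-2
│   └─machine.slice
│     └─machine-lxc\\x2dtizen\\x2dbash\\x2d2.scope
│       ├─machine.slice
│       │ └─machine-lxc\\x2dtizen\\x2dbash\\x2d2.scope
│       │   └─user.slice
│       │     └─user-0.slice
│       │       └─user@0.service
│       │         └─3483 /usr/lib/systemd/systemd --user
│       └─system.slice
│         └─2681 /usr/lib/systemd/systemd
└─system.slice
  └─1 /sbin/init
"""

# Leading tree prefix ("│ " or "  " per level), then the connector, then the node.
NODE = re.compile(r"^((?:[│ ] )*)[├└]─(.*)$")
PROCESS = re.compile(r"^(\d+) (.*)$")


@dataclass
class Process:
    pid: int
    cmdline: str
    cgroup: str  # full cgroup path, segments joined with "/"


def parse_cgls(text):
    """Return (cgroup_paths, processes) for one systemd-cgls listing."""
    stack = []      # cgroup names from the root down to the current depth
    cgroups = []
    procs = []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:           # shell prompt, blank line, or wrapped continuation
            continue
        depth = len(m.group(1)) // 2
        body = m.group(2).strip()
        del stack[depth:]   # pop back to this node's parent
        pm = PROCESS.match(body)
        if pm:
            procs.append(Process(int(pm.group(1)), pm.group(2), "/".join(stack)))
        else:
            stack.append(body)
            cgroups.append("/".join(stack))
    return cgroups, procs


def repeated_units(path):
    """Return .scope/.service names that occur more than once in a cgroup path.

    Slices such as machine.slice or user.slice legitimately reappear when one
    container runs inside another, so only scope and service names, which are
    unique within a single systemd instance, count as a unit nested under itself.
    """
    seen, dup = set(), []
    for seg in path.split("/"):
        if seg.endswith((".scope", ".service")):
            if seg in seen and seg not in dup:
                dup.append(seg)
            seen.add(seg)
    return dup


def find_self_nested(text):
    """Return (self-nested cgroup paths, processes living in one of them)."""
    cgroups, procs = parse_cgls(text)
    bad_groups = [c for c in cgroups if repeated_units(c)]
    bad_procs = [p for p in procs if repeated_units(p.cgroup)]
    return bad_groups, bad_procs


if __name__ == "__main__":
    # Usage on a live host: systemd-cgls --no-pager | python3 cgls_nesting.py
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    groups, procs = find_self_nested(listing)
    for g in groups:
        print("self-nested cgroup:", g, "repeats", ", ".join(repeated_units(g)))
    for p in procs:
        print(f"pid {p.pid} ({p.cmdline}) is in self-nested cgroup {p.cgroup}")
```

Run against the sample it reports the seven cgroups below the second copy of the container scope and the two processes living there (the inner systemd --user and the container's systemd), while the outer machine.slice/scope pair and an ordinary nested container (two different scope names) pass clean. On a live system, pipe the listing in through stdin as shown in the usage comment.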