On Thu, 06.03.14 16:55, Dariusz Michaluk (d.micha...@samsung.com) wrote: > > On 05.03.2014 19:16, Lennart Poettering wrote: > >nspawn and libvirt-lxc mostly follow the same code paths and register > >via machined... So it's weird that different things happen. Somehow the > >systemd instance inside the container must be confused about the cgroup > >it is running in... > > Next few cents. I noticed that when I run lxc-libvirt container I > get warning "Failed to install release agent, ignoring: No such file > or directory", which does not occur when I use nspawn.
Oh! Hmm, thta suggests that libvirt-lxc might not mount the naked cgroupfs tree to /sys/fs/cgroup/systemd, but only a subdirectory. This of course might cause the weird setup that the host tree is "duplicated" for the container! Unfortunately it is not possible to only mount a subtree of the cgroup hierarchy into the container, since then the data from /proc/self/cgroup won't match /sys/fs/cgroup/systemd anymore... Also, the root of the cgroup trees has slightly different semantics and more properties than the children. Is this the default setup of libvirt-lxc for those dirs? I figure we should talk to Daniel to get that changed... Each container really needs to see the full tree. The best thing possible to make sure that the containers can't muck with anything outside of the tree is to mount the upper parts read-only with a bind mount, but other than that i don't see that we could do anything there... Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
