Hello all,

LXC upstream (in CC:) supports "unprivileged containers", i.e. you can create a rootfs in your $HOME and then run lxc-start on it with some initial preparation [1]. While of course they have some limits, they are very useful for a lot of applications and are by nature quite safe towards other users/containers/services on the same machine.

However, that requires putting at least the per-user session cgroup (from logind) into *all* available cgroup controllers, not just the "systemd" one, so that the per-user container actually has privileges to create sub-cgroups under the session-cN.scope parent. Thus this currently only works with cgmanager (which creates all cgroups that way) or with systemd <= 204, which had the "Controllers" option in logind.conf:

  Controllers=blkio cpu cpuacct cpuset devices freezer hugetlb memory perf_event net_cls net_prio

This certainly wasn't pretty, but it did the job. This option went away from later versions with moving to calling pid1's StartTransientUnit() [2].

I'd like to get this functionality back, to eliminate another blocker for switching Ubuntu to systemd by default, and would like to pick your brain what you'd recommend as a solution. Note: this isn't Ubuntu specific at all, just a generic question whether systemd wants to support LXC's per-user containers, and whether potentially changing the default behaviour would collide with anything else systemd wants (or doesn't want to) do.

AFAIUI, the consequence of just always adding the session-cN.scope into all controllers is mostly a very small performance penalty due to the additional cgroup translations. If there are reasons to not do this by default, the other options would be to (re-)introduce some config option (which would certainly look different now, as logind cgroups are now not particularly "special" compared to other service cgroups), or carrying a downstream patch (least preferred of course, but if necessary we'll have to do that -- we don't want to regress LXC).

Hints are appreciated.

Thanks!

Martin

[1] https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
[2] http://cgit.freedesktop.org/systemd/systemd/commit/?id=fb6becb4436ae

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer (www.debian.org)
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
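The condition described in the mail above can be checked from a process's /proc/<pid>/cgroup listing. The following is an added example, not part of the original message or of systemd/LXC code; it assumes the cgroup-v1 line format, and the function names, the session-scope pattern and the sample listings are constructed for illustration.

```python
import re

# Controllers named in the old logind.conf "Controllers=" line quoted in the mail.
WANTED = ("blkio cpu cpuacct cpuset devices freezer hugetlb memory "
          "perf_event net_cls net_prio").split()
# Assumption: a logind session cgroup is a path component like session-c2.scope.
SESSION_SCOPE = re.compile(r"(^|/)session-[^/]+\.scope(/|$)")

def parse_proc_cgroup(text):
    """Map controller name -> cgroup path from cgroup-v1 /proc/<pid>/cgroup text."""
    placement = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Each line is hierarchy-ID:controller-list:cgroup-path.
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            raise ValueError("not a /proc/<pid>/cgroup line: %r" % line)
        for name in parts[1].split(","):  # co-mounted controllers share a path
            if name:  # an empty list is the cgroup-v2 unified hierarchy
                placement[name] = parts[2]
    return placement

def controllers_missing_session(text, wanted=WANTED):
    """Controllers in which the process is not inside a session scope.

    Membership is only the precondition; ownership of the cgroup directory
    is a separate check that this example does not perform.
    """
    placement = parse_proc_cgroup(text)
    return [c for c in wanted if not SESSION_SCOPE.search(placement.get(c, ""))]

# Constructed sample data (not captured from a real system).
SCOPE = "/user.slice/user-1000.slice/session-c2.scope"
SAMPLE_SYSTEMD_ONLY = (
    "10:hugetlb:/\n9:perf_event:/\n8:blkio:/\n7:freezer:/\n6:devices:/\n"
    "5:memory:/\n4:cpu,cpuacct:/\n3:cpuset:/\n2:net_cls,net_prio:/\n"
    "1:name=systemd:" + SCOPE + "\n")
SAMPLE_ALL_CONTROLLERS = SAMPLE_SYSTEMD_ONLY.replace(":/\n", ":" + SCOPE + "\n")

if __name__ == "__main__":
    print("systemd-only session, missing:", controllers_missing_session(SAMPLE_SYSTEMD_ONLY))
    print("all-controllers session, missing:", controllers_missing_session(SAMPLE_ALL_CONTROLLERS))
    with open("/proc/self/cgroup") as f:  # Linux only
        print("this process, missing:", controllers_missing_session(f.read()))
```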