Comment 11 for bug 1413927

Martin Pitt (pitti) wrote : Re: [Bug 1413927] Re: user lxc containers fail to start under systemd: login name=systemd cgroup is not owned by user

Stéphane Graber [2015-01-25 17:15 -0000]:
> How are we supposed to run a systemd container on such a system then?
>
> systemd in a container will need to create sub-entries in the
> name=systemd controller.

Yes, that works fine, as the cgroup *directories* are owned by the
user. I just don't want to make the cgroup.procs and task files owned
by the user, as that would allow the user to modify that "session
root" cgroup and move PIDs between host sessions. What user containers
do in sub-groups of the host's "session-XX.cgroup" is up to them, and
of course the user on the host can meddle with them from the outside.