Comment 13 for bug 1413927

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1413927] Re: user lxc containers fail to start under systemd: login name=systemd cgroup is not owned by user

Quoting Martin Pitt (<email address hidden>):
> Stéphane Graber [2015-01-25 17:15 -0000]:
> > How are we supposed to run a systemd container on such a system then?
> >
> > systemd in a container will need to create sub-entries in the
> > name=systemd controller.
>
> Yes, that works fine, as the cgroup *directories* are owned by the
> user. I just don't want to make the cgroup.procs and task files owned
> by the user, as that would allow the user to modify that "session
> root" cgroup and move PIDs between host sessions. What user containers
> do in sub-groups of the host's "session-XX.cgroup" is up to them, and
> of course the user on the host can meddle with them from the outside.

If that's all you're objecting to, we can make do with that. The
important things are that (a) the directory be owned by the user
and (b) all files other than tasks and cgroup.procs files NOT be
owned by the user :) Having the tasks file owned by the user is
only a nicety.
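The ownership split agreed on above (session cgroup directory owned by the user, `cgroup.procs` and `tasks` in it not) can be audited from the host; the script below is an added example, not code from this bug thread or from systemd/LXC, and it assumes GNU `stat -c %U` and a cgroup v1 hierarchy whose path is supplied by the caller.

```sh
#!/bin/sh
# Audit one session-scope cgroup directory against the policy discussed
# in the thread:
#   (a) the directory is owned by the unprivileged user, so a container's
#       systemd can create sub-groups under it;
#   (b) the files that move PIDs (cgroup.procs, tasks) are NOT owned by
#       that user, so the user cannot move PIDs between host sessions.
# Usage: check_session_cgroup <cgroup-dir> <user>
# Returns 0 when the layout matches, 1 on a policy violation, 2 if the
# directory does not exist.

# owner_of PATH: print the owning user name. Kept as a separate function
# so a test harness can substitute a fake lookup (chown needs root).
owner_of() {
    stat -c %U "$1"
}

check_session_cgroup() {
    dir=$1
    user=$2
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi
    owner=$(owner_of "$dir")
    if [ "$owner" = "$user" ]; then
        echo "ok:   $dir owned by $user (sub-groups can be created)"
    else
        echo "FAIL: $dir owned by $owner, expected $user"
        rc=1
    fi
    for f in cgroup.procs tasks; do
        [ -e "$dir/$f" ] || continue
        fowner=$(owner_of "$dir/$f")
        if [ "$fowner" = "$user" ]; then
            echo "WARN: $dir/$f owned by $user (user can move PIDs into this group)"
            rc=1
        else
            echo "ok:   $dir/$f owned by $fowner"
        fi
    done
    return $rc
}
```

Point it at a session directory under the name=systemd hierarchy (a placeholder here, e.g. `/sys/fs/cgroup/systemd/user.slice/.../session-XX.scope`) and the user that session belongs to.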