Bug 1787209

Summary: Explanation of LXC on Fedora 31 and newer is wanted on https://fedoraproject.org/wiki/LXC
Product: [Retired] Fedora Documentation
Reporter: Ryutaroh Matsumoto <ryutaroh2006>
Component: fedora-websites
Assignee: Petr Bokoc <pbokoc>
Status: CLOSED DEFERRED
QA Contact: Fedora Websites Team <web-members>
Severity: medium
Priority: unspecified
Version: devel
CC: bcotton, nman64, soeren.grunewald, web-members
Hardware: All   
OS: Linux   
Last Closed: 2021-03-02 13:39:28 UTC
Type: Bug

Description Ryutaroh Matsumoto 2020-01-01 13:09:38 UTC
Description of problem:

Fedora 31 and newer use the unified cgroup hierarchy.
LXC (Linux Container) needs special container config on
Fedora 31 and newer. These three tricks (written below) should be explained at

https://fedoraproject.org/wiki/LXC
and possibly pages under
https://fedoraproject.org/wiki/Category:Common_bugs

Version-Release number of selected component (if applicable):

How reproducible:

[Item A] On Fedora 31 and newer, a user needs to add

lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =

to an LXC container config file. Otherwise he or she gets the error message

ERROR    cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2415 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
ERROR    start - start.c:lxc_spawn:1910 - Failed to setup legacy device cgroup controller limits


[Item B] In addition, if /sbin/init is systemd with hybrid cgroup hierarchy as its
default hierarchy, the user needs to add

lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=1

Otherwise she or he gets the error message

Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...


[Item C] The above applies to a privileged LXC container started by root.

When a non-root user starts an unprivileged container, he or she needs
to run lxc-start as

systemd-run --user --scope -p "Delegate=yes" lxc-start -F ...

otherwise he or she gets the error message

$ lxc-start -F -n nonroot-fedora31
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: mkdir_eexist_on_last: 1279 Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: monitor_create_path_for_hierarchy: 1300 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: cgfsng_monitor_create: 1389 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: mkdir_eexist_on_last: 1279 Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: monitor_create_path_for_hierarchy: 1300 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31-1"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: cgfsng_monitor_create: 1389 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31-1"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: mkdir_eexist_on_last: 1279 Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: monitor_create_path_for_hierarchy: 1300 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31-2"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: cgfsng_monitor_create: 1389 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31-2"


Steps to Reproduce:
1. dnf install lxc lxc-templates on Fedora 31 or newer
2. lxc-create -n fedora31 -t download -- -d fedora -r 31 -a amd64
3. lxc-start -F -n fedora31
  
Actual results:

There is no instruction for users to start an LXC container on
Fedora 31 and newer.

Expected results:

There is some friendly documentation and Fedora users do not suffer from
lack of documentation.

Additional info:

Related bug reports against the LXC fedora package
bugs 1765821, 1787093, 1787097
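
The three items above, turned into a pre-start check (an added example, not part of the original report and not code from LXC or Fedora): it reports which of the Item A and Item B settings a container config still lacks and prints the Item C start command for the calling user. The function names are hypothetical, the sample config is constructed, and the check assumes a single config file with no later lxc.include that overrides these keys.

```shell
#!/bin/sh
# Added example, not from the bug report: audit an LXC config for Items A-C.

# Print the last uncommented value of key $2 in file $1; status 1 if never set.
last_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { eq = index($0, "="); if (!eq) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { found = 1; val = v } }
        END { if (!found) exit 1; print val }' "$1"
}

# Print the items still missing from config $1; status 0 only if none are.
check_lxc_config() {
    missing=""
    for key in lxc.cgroup.devices.allow lxc.cgroup.devices.deny; do
        # Item A: the key must be present and its final value must be empty.
        if ! v=$(last_value "$1" "$key") || [ -n "$v" ]; then
            missing="$missing A:$key"
        fi
    done
    # Item B: only relevant when the container's init is systemd.
    case "$(last_value "$1" lxc.init.cmd)" in
        *systemd.unified_cgroup_hierarchy=1*) ;;
        *) missing="$missing B:lxc.init.cmd" ;;
    esac
    echo "${missing# }"
    [ -z "$missing" ]
}

# Item C: a non-root user ($1 = uid) wraps lxc-start in a delegated scope.
start_command() {
    if [ "$1" -eq 0 ]; then echo "lxc-start -F -n $2"
    else echo "systemd-run --user --scope -p \"Delegate=yes\" lxc-start -F -n $2"; fi
}

# Constructed sample config: Item A applied, Item B missing.
sample=$(mktemp)
printf '%s\n' 'lxc.uts.name = fedora31' 'lxc.cgroup.devices.allow =' \
    'lxc.cgroup.devices.deny =' 'lxc.init.cmd = /sbin/init' > "$sample"
echo "missing: $(check_lxc_config "$sample")"
echo "start with: $(start_command "$(id -u)" fedora31)"
rm -f "$sample"
```

Item A works by emptying the container's device cgroup rules, so on such hosts device access in a privileged container is not limited by that controller.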

Comment 1 Ben Cotton 2021-03-02 13:39:28 UTC
The websites team does not maintain the wiki. You can contact the people who have edited that page in the past:
https://fedoraproject.org/w/index.php?title=LXC&action=history

Or if you have a Fedora account that is a member of at least one group, you can edit it yourself. If you aren't in a group but would like to be, you can contact Fedora Join for help:
https://docs.fedoraproject.org/en-US/fedora-join/