Description of problem:
libvirt-lxc does not mount the naked cgroupfs tree to /sys/fs/cgroup/systemd, but only a subdirectory. This causes the weird setup that the host tree is "duplicated" for the container!

Version-Release number of selected component (if applicable):
libvirtd (libvirt) 1.2.2 built from commit: e8684eb541f01df9b45e87e0a8ce446c7bc90a17

How reproducible:
Always

Steps to Reproduce:
1. Configure host machine:
 - kernel 3.14 with NAMESPACES, UTS_NS, IPC_NS, USER_NS, PID_NS, NET_NS enabled in kernel config
 - libvirtd (libvirt) 1.2.2
 - systemd 210

2. Configure container:
 - # yum -y --releasever=rawhide --nogpg --installroot=/var/lib/libvirt/filesystems/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal openssh-server procps-ng
 - # echo "pts/0" >> /var/lib/libvirt/filesystems/mycontainer/etc/securetty
 - # chroot /var/lib/libvirt/filesystems/mycontainer /bin/passwd root
 - # cat /etc/libvirt/lxc/container.xml
   <domain type='lxc'>
     <name>mycontainer</name>
     <uuid>d750af59-6082-437c-b860-922e76b46410</uuid>
     <memory unit='KiB'>819200</memory>
     <currentMemory unit='KiB'>819200</currentMemory>
     <vcpu placement='static'>1</vcpu>
     <os>
       <type arch='i686'>exe</type>
       <init>/usr/lib/systemd/systemd</init>
     </os>
     <clock offset='utc'/>
     <on_poweroff>destroy</on_poweroff>
     <on_reboot>restart</on_reboot>
     <on_crash>restart</on_crash>
     <devices>
       <filesystem type='mount' accessmode='passthrough'>
         <source dir='/var/lib/libvirt/filesystems/mycontainer'/>
         <target dir='/'/>
       </filesystem>
       <interface type="network">
         <source network="default"/>
       </interface>
       <console type='pty'>
         <target type='lxc' port='0'/>
       </console>
     </devices>
   </domain>

3. Start container:
 - # virsh --connect lxc:/// define /etc/libvirt/lxc/container.xml
 - # virsh --connect lxc:/// start mycontainer --console

4. Look at cgroup hierarchy from inside and outside of container with systemd-cgls

Actual results:
The CGroup hierarchy for the libvirtd machine looks as follows:

├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
├─machine.slice
│ └─machine-lxc\x2dmycontainer.scope
│   ├─4282 /libexec/libvirt_lxc --name mycontainer --console 18 --security=selinux --handshake 21 --background
│   └─machine.slice
│     └─machine-lxc\x2dmycontainer.scope
│       ├─4283 /usr/lib/systemd/systemd
│       ├─machine.slice
│       │ └─machine-lxc\x2dmycontainer.scope
│       │   └─user.slice
│       │     └─user-0.slice
│       │       └─user
│       │         └─4361 /usr/lib/systemd/systemd --user
│       ├─system.slice
│       │ ├─systemd-logind.service
│       │ │ └─4345 /usr/lib/systemd/systemd-logind
│       │ ├─dbus.service
│       │ │ └─4341 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│       │ ├─sshd.service
│       │ │ └─4347 /usr/sbin/sshd -D
│       │ └─systemd-journald.service
│       │   └─4319 /usr/lib/systemd/systemd-journald
│       └─user.slice
│         └─user-0.slice
│           ├─session-15.scope
│           │ ├─4349 login -- root
│           │ └─4374 -bash
│           └─user
│             └─4367 (sd-pam)

Expected results:
The same container running with systemd-nspawn uses the hierarchy below, which is correct.

├─1 /usr/lib/systemd/systemd --switched-root --system --deserialize 22
├─machine.slice
│ └─machine-mycontainer.scope
│   ├─4459 /usr/lib/systemd/systemd
│   ├─system.slice
│   │ ├─systemd-logind.service
│   │ │ └─4517 /usr/lib/systemd/systemd-logind
│   │ ├─dbus.service
│   │ │ └─4509 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
│   │ ├─sshd.service
│   │ │ └─4519 /usr/sbin/sshd -D
│   │ └─systemd-journald.service
│   │   └─4483 /usr/lib/systemd/systemd-journald
│   └─user.slice
│     └─user-0.slice
│       ├─session-16.scope
│       │ ├─4522 login -- root
│       │ └─4560 -bash
│       └─user
│         ├─4547 /usr/lib/systemd/systemd --user
│         └─4553 (sd-pam)

Additional info:
discussion on systemd mailing list
http://lists.freedesktop.org/archives/systemd-devel/2014-March/017580.html

discussion on libvirt-users mailing list
https://www.redhat.com/archives/libvirt-users/2014-February/msg00139.html
https://www.redhat.com/archives/libvirt-users/2014-March/msg00013.html
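
Added example, not part of the original report and not libvirt or systemd code: a check, run inside a container, for the condition described above, where a cgroup v1 hierarchy is mounted from a subdirectory instead of its root. The function names and sample lines are constructed for illustration, and it assumes no cgroup namespace is in use, as on the 3.14 kernel in the report.

```python
import re

# Constructed samples (not captured from the reporter's host). mountinfo
# escapes "\" as \134; /proc/<pid>/cgroup prints the path raw.
SAMPLE_MOUNTINFO = r"""
70 60 0:20 /machine.slice/machine-lxc\134x2dmycontainer.scope /sys/fs/cgroup/systemd rw,nosuid - cgroup cgroup rw,name=systemd
71 60 0:25 / /sys/fs/cgroup/cpu rw,nosuid - cgroup cgroup rw,cpu
"""
SAMPLE_CGROUP = r"""
4:cpu:/
1:name=systemd:/machine.slice/machine-lxc\x2dmycontainer.scope
"""

def unescape(field):
    # Decode the 3-digit octal escapes the kernel writes into mountinfo.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def cgroup_mounts(mountinfo):
    # Yield (superblock options, root, mount point) for each cgroup v1 mount.
    for line in mountinfo.strip().splitlines():
        left, _, right = line.partition(" - ")
        fstype, _source, super_opts = right.split(" ", 2)
        if fstype == "cgroup":
            fields = left.split(" ")
            yield set(super_opts.split(",")), unescape(fields[3]), unescape(fields[4])

def own_paths(proc_cgroup):
    # Map each hierarchy's controller list to this process's cgroup path.
    rows = (l.split(":", 2) for l in proc_cgroup.strip().splitlines())
    return {ctrls: path for _id, ctrls, path in rows}

def find_duplicated(mountinfo, proc_cgroup):
    # A mount whose root is a subdirectory exposes only that subtree, while
    # the path in /proc/<pid>/cgroup stays relative to the hierarchy root
    # (assumption: no cgroup namespace). Resolving that path under the
    # mount point nests the tree a second time.
    hits = []
    paths = own_paths(proc_cgroup)
    for opts, root, mnt in cgroup_mounts(mountinfo):
        for ctrls, path in paths.items():
            same_hierarchy = set(ctrls.split(",")) <= opts
            inside = path == root or path.startswith(root + "/")
            if same_hierarchy and root != "/" and inside:
                hits.append((mnt, mnt + path))
    return hits

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as m, open("/proc/self/cgroup") as c:
        for mnt, nested in find_duplicated(m.read(), c.read()):
            print(f"{mnt}: subtree mount, own cgroup resolves to {nested}")
```

An empty result means every cgroup mount visible to the process starts at its hierarchy root.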
When I added the following entry to the container configuration XML, I had a valid cgroup hierarchy.

   <filesystem type='mount'>
     <source dir='/sys/fs/cgroup'/>
     <target dir='/sys/fs/cgroup'/>
   </filesystem>

I think it is not a solution to the problem and it is only a bypass. Shouldn't the cgroup hierarchy be valid without mounting cgroup?
Sorry this didn't receive a timely response. From those mailing list threads it sounds like Dan was suggesting that this can't be a libvirt bug since much of the file layout allocation is out of libvirt's hands. Are you still seeing this with a recent distro? Maybe it was a libvirt or systemd issue
Since there's no response, closing as DEFERRED. But if anyone is still affected with newer libvirt versions, please re-open and we can triage from there
FYI this was fixed upstream recently in

commit dc576025c360a1d2c89da410d0f3f0da55d0143f
Author: Daniel P. Berrange <berrange>
Date:   Fri Jan 22 16:07:18 2016 +0000

    lxc: don't try to hide parent cgroups inside container