Bug 1787209 - Explanation of LXC on Fedora 31 and newer is wanted on https://fedoraproject.org/wiki/LXC
Status: CLOSED DEFERRED
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: fedora-websites
Version: devel
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Petr Bokoc
QA Contact: Fedora Websites Team
Reported: 2020-01-01 13:09 UTC by Ryutaroh Matsumoto
Modified: 2021-03-02 13:39 UTC

Last Closed: 2021-03-02 13:39:28 UTC

Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 1765821 | 0 | unspecified | CLOSED | LXC container do not start on Fedora 31 | 2021-02-22 00:41:40 UTC |
| Red Hat Bugzilla | 1787093 | 0 | unspecified | CLOSED | lxc in Rawhide (Dec 2019) does not start a container in its default config | 2021-05-25 17:17:30 UTC |
| Red Hat Bugzilla | 1787097 | 0 | unspecified | CLOSED | There is no instruction for non-root user to start an LXC container. It needs systemd-run --user --scope | 2021-05-25 17:34:42 UTC |

Description Ryutaroh Matsumoto 2020-01-01 13:09:38 UTC
Description of problem:

Fedora 31 and newer use the unified cgroup hierarchy.
LXC (Linux Container) needs special container config on
Fedora 31 and newer. These three tricks (written below) should be explained at

https://fedoraproject.org/wiki/LXC
and possibly pages under
https://fedoraproject.org/wiki/Category:Common_bugs

Version-Release number of selected component (if applicable):

How reproducible:

[Item A] On Fedora 31 and newer, a user needs to add

lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =

to an LXC container config file. Otherwise he or she gets the error message

ERROR    cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2415 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
ERROR    start - start.c:lxc_spawn:1910 - Failed to setup legacy device cgroup controller limits


[Item B] In addition, if /sbin/init is systemd with hybrid cgroup hierarchy as its
default hierarchy, the user needs to add

lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=1

Otherwise she or he gets the error message

Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...


[Item C] The above applies to a privileged LXC container started by root.

When a non-root user starts an unprivileged container, he or she needs
to run lxc-start as

systemd-run --user --scope -p "Delegate=yes" lxc-start -F ...

otherwise he or she gets the error message

$ lxc-start -F -n nonroot-fedora31
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: mkdir_eexist_on_last: 1279 Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: monitor_create_path_for_hierarchy: 1300 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: cgfsng_monitor_create: 1389 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: mkdir_eexist_on_last: 1279 Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: monitor_create_path_for_hierarchy: 1300 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31-1"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: cgfsng_monitor_create: 1389 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31-1"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: mkdir_eexist_on_last: 1279 Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: monitor_create_path_for_hierarchy: 1300 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31-2"
lxc-start: nonroot-fedora31: cgroups/cgfsng.c: cgfsng_monitor_create: 1389 Failed to create cgroup "/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/lxc.monitor/nonroot-fedora31-2"


Steps to Reproduce:
1. dnf install lxc lxc-templates on Fedora 31 or newer
2. lxc-create -n fedora31 -t download -- -d fedora -r 31 -a amd64
3. lxc-start -F -n fedora31
  
Actual results:

There is no instruction for users to start an LXC container on
Fedora 31 and newer.

Expected results:

There is some friendly documentation and Fedora users do not suffer from
lack of documentation.

Additional info:

Related bug reports against the LXC fedora package
bugs 1765821, 1787093, 1787097
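
The config-file side of Items A and B as a check script; this is an added example, not part of the original report or the LXC project's code. It assumes LXC's rule that an empty assignment clears a list key, does not follow lxc.include (any include is treated as possibly re-adding device rules), and runs on a constructed sample config with a placeholder include path.

```shell
#!/bin/sh
# Added example (not from the bug report): check one LXC container config for
# the settings in Items A and B. Assumption: lxc.include is not followed; any
# include is treated as possibly adding device rules, so the empty assignments
# must come after the last include.

# Filesystem type at /sys/fs/cgroup; "cgroup2fs" means the unified hierarchy.
cgroup_fstype() { stat -fc %T "${1:-/sys/fs/cgroup}" 2>/dev/null; }

# Prints one line per missing item; the return status is the number missing.
lxc_unified_check() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || !index($0, "=") { next }
    {
        eq  = index($0, "=")              # split at the first "=" only
        key = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        if (key == "lxc.include")                   { allow = 1; deny = 1 }
        else if (key == "lxc.cgroup.devices.allow") allow = (val != "")
        else if (key == "lxc.cgroup.devices.deny")  deny  = (val != "")
        else if (key == "lxc.init.cmd")             initcmd = val
    }
    END {
        if (allow) { print "A: lxc.cgroup.devices.allow is not cleared"; n++ }
        if (deny)  { print "A: lxc.cgroup.devices.deny is not cleared";  n++ }
        if (initcmd !~ /systemd\.unified_cgroup_hierarchy=1/) {
            print "B: lxc.init.cmd lacks systemd.unified_cgroup_hierarchy=1"; n++
        }
        exit n + 0
    }' "$1"
}

# Constructed sample: the clearing lines precede the include (placeholder path),
# so whatever the included file sets for the device lists is still in effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =
lxc.include = /path/to/common.conf
lxc.uts.name = fedora31
EOF
[ "$(cgroup_fstype)" = cgroup2fs ] && echo "host: unified cgroup hierarchy"
lxc_unified_check "$sample" || echo "missing settings: $?"
rm -f "$sample"
```

Item B only applies when the guest's systemd defaults to the hybrid hierarchy, so a "B:" line is a prompt to check the guest, not always a fault. With both device lists cleared, LXC sets no legacy device-controller rules for the container, so a privileged container configured this way gets no device restrictions from these keys.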

Comment 1 Ben Cotton 2021-03-02 13:39:28 UTC
The websites team does not maintain the wiki. You can contact the people who have edited that page in the past:
https://fedoraproject.org/w/index.php?title=LXC&action=history

Or if you have a Fedora account that is a member of at least one group, you can edit it yourself. If you aren't in a group but would like to be, you can contact Fedora Join for help:
https://docs.fedoraproject.org/en-US/fedora-join/

