599152 – sys-apps/systemd-232 breaks lxc-start, docker due to cgroup2

Bug 599152 - sys-apps/systemd-232 breaks lxc-start, docker due to cgroup2

Summary: sys-apps/systemd-232 breaks lxc-start, docker due to cgroup2

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo systemd Team

URL:
Whiteboard:
Keywords:

Duplicates (1):	599268 (view as bug list)
Depends on:
Blocks:	CVE-2016-7795, CVE-2016-7796
	Show dependency tree

Reported:	2016-11-07 15:54 UTC by Pablo Cholaky
Modified:	2017-04-20 12:40 UTC (History)
CC List:	8 users (show)

See Also:	https://github.com/systemd/systemd/pull/4628
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Pablo Cholaky 2016-11-07 15:54:00 UTC

Using systemd 232, /sys/fs/cgroup/systemd is using cgroup2, causing lxc-start images to fail due cgroup permission (Operation not permitted)

There is a workaround for that? I tried https://github.com/debops/ansible-lxc/issues/15#issuecomment-87253770.

I know this seems to be more a bug between systemd or lxc userspace tools, but I would like to keep this bug here as existing issue and if someone can let some workaround meanwhile and/or use it as base to report properly to systemd or lxc userspace tools with more technical domain of this matter.

I can confirm this works fine with systemd 231, and systemd loading cgroup v1 for systemd. 232 uses cgroup2 causing the problem.

Comment 1 Pablo Cholaky 2016-11-07 15:54:59 UTC

As additional info, using lxc on Ubuntu images, xenial amd64

Comment 2 Mike Gilbert gentoo-dev

2016-11-07 16:11:07 UTC

I do not use lxc, and I am unfamiliar with its use of cgroups. You should work with upstream (systemd and lxc) directly on this.

Comment 3 Mike Gilbert gentoo-dev

2016-11-10 23:28:47 UTC

*** Bug 599268 has been marked as a duplicate of this bug. ***

Comment 4 Mike Gilbert gentoo-dev

2016-11-10 23:31:26 UTC

This has been reverted upstream. We will pick it up with systemd-233, or whenever I backport patches.

Comment 5 Renich Bon Ciric 2017-02-01 20:46:02 UTC

This has been fixed here: https://github.com/systemd/systemd-stable/commit/fb36bef4e4884a62b70cd98f7d2d52abf8091106

As a workaround, just append this to your GRUB_CMDLINE_LINUX_DEFAULT: systemd.legacy_systemd_cgroup_controller=yes

So it looks something like:

# /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet systemd.legacy_systemd_cgroup_controller=yes"

This is affecting docker as well (irrelevant to this ticket, I know).

Comment 6 Pacho Ramos gentoo-dev

2017-02-07 15:43:07 UTC

Maybe this backport would be useful for us:
https://patchwork.openembedded.org/patch/134978/

Comment 7 Pacho Ramos gentoo-dev

2017-04-20 12:40:55 UTC

this should be fixed in 233 finally