The systemd-machined integration for libvirt_lxc containers seems to be somewhat broken:

- machinectl status lxc-$PID-$CONTAINER does not show IP addresses any more
- machinectl shell lxc-$PID-$CONTAINER does drop into a root shell on the host (!) instead of the container

I will try to bisect to find the troublesome upstream commit tomorrow.

Reproducible: Always

Steps to Reproduce:
1. start a libvirt_lxc container
2. use machinectl status or machinectl shell
Created attachment 757767: emerge --info
I have attached an emerge --info. I am running sys-apps/systemd-249.6 with cgroup v2 layout.

Looking at this issue a bit more:

- Startup and shutdown of lxc containers work just fine
- The issue seems to be in /usr/libexec/libvirt_lxc (and independent of the running daemon) when registering a new container with systemd-machined. It seems (for lack of a better description) that crucial information such as associated namespaces and IPs is missing.
- I have bisected the problem down to the following upstream commit:

1b9ce05ce241a581d4e80228c92ceb0266f21f94 is the first bad commit
commit 1b9ce05ce241a581d4e80228c92ceb0266f21f94
Author: Cole Robinson <crobinso@redhat.com>
Date:   Tue Oct 5 09:42:12 2021 -0400

    lxc: controller: Fix container launch on cgroup v1

    With cgroup v1 I'm seeing LXC container startup failures:

    $ sudo virt-install --connect lxc:/// --name test-container --memory 128 --boot init=/bin/sh
    Starting install...
    ERROR    error from service: GDBus.Error:org.freedesktop.machine1.NoMachineForPID: PID 2145047 does not belong to any known machine

    libvirt 7.0.0 works but 7.1.0+ does not. The root error seems to predate
    that, showing up in syslog, but commit 9c1693eff made it fatal:

    commit 9c1693eff427661616ce1bd2795688f87288a412
    Author: Pavel Hrdina <phrdina@redhat.com>
    Date:   Fri Feb 5 16:17:35 2021 +0100

        vircgroup: use DBus call to systemd for some APIs

    The error comes from virSystemdGetMachineByPID. The PID that shows up
    in the above error message does not match the leader PID as reported
    by machinectl.

    This change fixes the error. Things seem to continue to work with
    cgroupsv2 after this change.

    https://gitlab.com/libvirt/libvirt/-/issues/182

    Tested-by: Jim Fehlig <jfehlig@suse.com>
    Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
    Signed-off-by: Cole Robinson <crobinso@redhat.com>

 src/lxc/lxc_controller.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
In summary, this change: --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -865,12 +865,12 @@ static int virLXCControllerSetupCgroupLimits(virLXCController *ctrl) nodeset = virDomainNumatuneGetNodeset(ctrl->def->numa, auto_nodeset, -1); if (!(ctrl->cgroup = virLXCCgroupCreate(ctrl->def, - ctrl->initpid, + getpid(), ctrl->nnicindexes, ctrl->nicindexes))) goto cleanup; - if (virCgroupAddMachineProcess(ctrl->cgroup, getpid()) < 0) + if (virCgroupAddMachineProcess(ctrl->cgroup, ctrl->initpid) < 0) goto cleanup; /* Add all qemu-nbd tasks to the cgroup */ somehow breaks the namespace association for systemd-machined for cgroup v2 layout. For example, $ machinectl shell <container> will happily open a shell on the host due to machined talking to the wrong systemd instance (in the root namespace and not in the container namespace).
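Review bot: The two swapped arguments in virLXCControllerSetupCgroupLimits change which process systemd-machined records as the machine leader: virLXCCgroupCreate() now registers getpid(), i.e. the libvirt_lxc controller process living in the host namespaces, and the container's ctrl->initpid is only attached afterwards through virCgroupAddMachineProcess(). machined resolves a machine's namespaces from its leader PID, which is what `machinectl shell` and the IP listing of `machinectl status` rely on, so a host-namespace leader is consistent with the host root shell described in this comment. The change should keep ctrl->initpid as the registered leader and address the cgroup v1 virSystemdGetMachineByPID mismatch separately, and since the commit message only says things "seem to continue to work" on cgroup v2, a check that `machinectl status`/`machinectl shell` still target the container under cgroup v2 should accompany it.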
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46d2a0c12d7304c56bcb4ece27fa831e8bcaadf5

commit 46d2a0c12d7304c56bcb4ece27fa831e8bcaadf5
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2021-12-08 21:14:21 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-12-08 21:14:52 +0000

    app-emulation/libvirt: v7.(9|10).0: (temporary) fix cgroup v2 support

    Revert an upstream commit that fixed a libvirt_lxc container startup
    issue with cgroup v1 layout. The patch in question breaks
    systemd-machined integration (at least under cgroup v2 layout). Let's
    temporarily revert the commit in question until upstream has found a
    proper fix.

    Bug: https://bugs.gentoo.org/828542
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 .../libvirt/files/libvirt-7.9.0-fix_cgroupv2.patch | 32 ++++++++++++++++++++++
 ...virt-7.10.0.ebuild => libvirt-7.10.0-r1.ebuild} |  1 +
 ...ibvirt-7.9.0.ebuild => libvirt-7.9.0-r1.ebuild} |  1 +
 3 files changed, 34 insertions(+)
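A check for the symptom discussed in this bug, added here as an example; it is not part of the bug report and not libvirt, systemd or Gentoo code. It reads the leader PID that machined reports for a machine (`machinectl show <machine> -p Leader`) and compares the leader's pid, mnt and net namespaces with those of PID 1. A correctly registered libvirt_lxc container shares none of them; when the registered leader is the controller process in the host namespaces, `machinectl shell` would open a host shell and `machinectl status` would show no container IPs. `demo()` exercises the logic on a constructed fake /proc tree (the namespace inode numbers are made up); `check_machine()` performs the live query and assumes machinectl is on PATH and the caller may read /proc/<pid>/ns (normally root).

```python
"""Verify that a systemd-machined machine's leader PID lives in container
namespaces rather than the host's (added example for this bug thread; not
libvirt or systemd code)."""
import os
import subprocess
import sys
import tempfile

# Namespace kinds machined relies on for `machinectl shell` (pid/mnt) and
# for the IP addresses shown by `machinectl status` (net).
NS_KINDS = ("pid", "mnt", "net")


def parse_leader(show_output: str) -> int:
    """Return the PID from `machinectl show <machine> -p Leader` output ('Leader=1234')."""
    for line in show_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "Leader":
            return int(value)
    raise ValueError("no Leader= line in machinectl output")


def namespace_ids(proc_root: str, pid: int) -> dict:
    """Read the /proc/<pid>/ns/<kind> symlinks, e.g. {'pid': 'pid:[4026531836]', ...}."""
    return {kind: os.readlink(os.path.join(proc_root, str(pid), "ns", kind))
            for kind in NS_KINDS}


def shared_with_host(proc_root: str, leader_pid: int) -> list:
    """Namespace kinds the leader shares with PID 1 (the host's init).

    For a correctly registered container this list is empty. Any entry means
    machined would act in the host's namespace of that kind for this machine:
    a shared 'pid'/'mnt' namespace is the "machinectl shell drops into a host
    root shell" symptom, a shared 'net' namespace hides the container's IPs.
    """
    host = namespace_ids(proc_root, 1)
    leader = namespace_ids(proc_root, leader_pid)
    return [kind for kind in NS_KINDS if host[kind] == leader[kind]]


def build_fake_proc(root: str, ns_by_pid: dict) -> None:
    """Constructed test fixture: create <root>/<pid>/ns/<kind> symlinks that
    imitate the real /proc layout (dangling links are fine for os.readlink)."""
    for pid, kinds in ns_by_pid.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for kind, target in kinds.items():
            os.symlink(target, os.path.join(ns_dir, kind))


def demo() -> dict:
    """Run the check on a fake /proc with one properly registered container
    leader (PID 4242) and one 'leader' that is really a host-namespace process
    such as the libvirt_lxc controller (PID 4243). Inode numbers are made up."""
    host_ns = {"pid": "pid:[4026531836]", "mnt": "mnt:[4026531840]", "net": "net:[4026531992]"}
    container_ns = {"pid": "pid:[4026532565]", "mnt": "mnt:[4026532563]", "net": "net:[4026532568]"}
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root, {1: host_ns, 4242: container_ns, 4243: dict(host_ns)})
        return {
            "container-leader": shared_with_host(root, parse_leader("Leader=4242\n")),
            "host-leader": shared_with_host(root, parse_leader("Leader=4243\n")),
        }


def check_machine(machine: str) -> list:
    """Live check (assumes machinectl is on PATH and /proc/<pid>/ns is readable)."""
    out = subprocess.run(["machinectl", "show", machine, "-p", "Leader"],
                         check=True, capture_output=True, text=True).stdout
    return shared_with_host("/proc", parse_leader(out))


if __name__ == "__main__":
    # Usage: sudo python3 machined_leader_check.py lxc-<PID>-<CONTAINER> [...]
    for name in sys.argv[1:]:
        shared = check_machine(name)
        verdict = "OK" if not shared else "SUSPECT (shares %s with host)" % ", ".join(shared)
        print("%s: %s" % (name, verdict))
```

Run it against every `lxc-<PID>-<CONTAINER>` machine after starting a container; an empty list means machined's leader really is inside the container, while a leader sharing pid/mnt/net with PID 1 reproduces the misregistration this bug describes and is a reason not to rely on `machinectl shell` for that machine.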