
cgroupfs problem #11

Open
Yorizuka opened this issue Dec 19, 2023 · 8 comments

Comments

@Yorizuka

Yorizuka commented Dec 19, 2023

This is just a wild guess, but I'm trying this on Artix Linux, a distro which, like Void or Alpine, has no systemd. The reason I think the problem is related to lilipod is that I remember seeing issues related to cgroupfs with other container systems involving systemd.

I might be 100% wrong and the issue could be something else, I am not a person who knows a lot about containers. If this issue is related to distrobox, then please let me know, so I can go and open the issue there instead (and sorry if that's the case).

$ distrobox enter debian
Error: could not start entrypoint.
2023/12/19 01:12:03 setup cgroupfs: mkdir /sys/fs/cgroup/container-debian.scope: permission denied

Yorizuka changed the title from "I think this might be an issue related to systemD and lilipod" to "cgroupfs problem" on Dec 19, 2023
@Yorizuka
Author

also not sure if this is relevant, but my root FS is btrfs

@mirkobrombin
Collaborator

mirkobrombin commented Dec 23, 2023

lilipod does not use and is not related to systemd. Must be something else 🤔

@Yorizuka
Author

Yorizuka commented Dec 26, 2023

In that case I have no idea what is wrong; it was just a guess I made. If there is anything I can do to help, say so. The thing I was trying to do is not critical to anything, so if it's just me having this issue, don't worry about prioritizing any effort; it's OK if this stays unsolved. I just wanted to report the issue :)

Thank you for your time.

@mirkobrombin
Collaborator

mirkobrombin commented Dec 26, 2023

Can you share the steps to reproduce? I can set up an environment asap.

Can also be related to missing cgroups support https://github.com/89luca89/lilipod?tab=readme-ov-file#to-do

@patatetom

For me, the permission denied problem only occurs with lilipod, not with distrobox, which works perfectly.

@patatetom

I'm coming back to this subject with a few points.

nb: distrobox (since uninstalled) ran smoothly because it was based on podman.

/sys/fs/cgroup, which was in 555 mode, was switched to 755 mode, but this changed nothing.

$ ls -l /sys/fs/
total 0
drwx-----T  2 root root 0 juin  13 18:27 bpf
drwxr-xr-x  5 root root 0 juin  13 22:29 btrfs
dr-xr-xr-x 11 root root 0 juin  13 18:27 cgroup
drwxr-xr-x  2 root root 0 juin  13 22:29 ecryptfs
drwxr-xr-x  3 root root 0 juin  13 22:29 ext4
drwxr-xr-x  3 root root 0 juin  13 18:27 fuse
drwxr-x---  2 root root 0 juin  13 18:27 pstore

# chmod 755 /sys/fs/cgroup

$ ls -ld /sys/fs/cgroup
drwxr-xr-x 12 root root 0 juin  13 22:28 /sys/fs/cgroup

$ llpod run -ti --name test archlinux 
2024/06/13 20:29:45 setup cgroupfs: mkdir /sys/fs/cgroup/container-test.scope: permission denied

The folder that can't be created was manually pre-created before the lilipod command was run, but it failed with the same error.

# mkdir /sys/fs/cgroup/container-test.scope

# chown me:me /sys/fs/cgroup/container-test.scope

$ ls -ld /sys/fs/cgroup/container-test.scope
drwxr-xr-x 2 me me 0 juin  13 22:30 /sys/fs/cgroup/container-test.scope

$ llpod run -ti --name test archlinux 
2024/06/13 20:31:45 setup cgroupfs: mkdir /sys/fs/cgroup/container-test.scope: permission denied

I hope this information will help move the problem forward.

regards, lacsaP.

@jaythomas

If this is a systemd-based system then you don't modify folder permissions but instead let systemd manage and provide elevated privileges. It's probably out of the scope of lilipod to do this for you given it's meant to be a bare-bones container manager but some documentation in the README for setting up systemd services would be great.

@jaythomas

jaythomas commented Oct 4, 2024

Wanted to share my setup this morning in case it solves your or anyone else's issue. I'm using NixOS to generate a systemd user slice.

module.nix
  # These kernel params are not absolutely necessary, as cgroup v2 should be available on any reasonably up-to-date system
  boot.kernelParams = [
    "cgroup_no_v1=all"
    "systemd.unified_cgroup_hierarchy=1"
  ];
  systemd.user.slices.lilipod = {
    name = "lilipod.slice";
    aliases = [ "llp.slice" ];
    description = "Run lilipod containers in a controlled process";
    documentation = [ "man:systemdSlice(5)" ];
    sliceConfig = {
      CPUQuota = "50%";
      DefaultMemoryAccounting = "yes";
      MemoryMax = "50%";
    };
    after = [ "multi-user.target" ];
    wantedBy = [ "multi-user.target" ];
  };

That will generate this systemd unit file, or you can write the file to /etc/systemd/user/lilipod.slice:

/etc/systemd/user/lilipod.slice
[Unit]
After=multi-user.target
Description=Run lilipod containers in a controlled process
Documentation=man:systemdSlice(5)

[Slice]
CPUQuota=50%
DefaultMemoryAccounting=yes
MemoryMax=50%
[Install]
WantedBy=multi-user.target

Adjust the resource limits to suit your needs and restart systemd (or reboot). Now you can launch a rootless container without super user privileges:

$ systemd-run --user --slice=lilipod.slice --shell
Running as unit: run-u45.service; invocation ID: aa470b9f937e41d192920ef456888667
Press ^] three times within 1s to disconnect TTY.
$ lilipod start -ti first-lilipod
first-lilipod:/# echo "I'm in my container now"
I'm in my container now
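A small diagnostic script, added here as an example and not code from lilipod or from anyone in this thread, that checks whether the cgroup the current shell sits in is delegated to the user, which is the precondition for lilipod's `mkdir .../<name>.scope` to succeed without root. It assumes a cgroup v2 (unified) hierarchy mounted at /sys/fs/cgroup; the CGROUP_ROOT override and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not lilipod's code): locate the cgroup v2 directory the
# calling process belongs to and report whether a child cgroup can be created
# there. Assumption: unified hierarchy mounted at /sys/fs/cgroup (override via
# CGROUP_ROOT for testing against a scratch directory).
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Translate one /proc/self/cgroup line ("0::/user.slice/.../run-u45.service")
# into the matching directory. Returns 1 for legacy v1 lines ("3:memory:/...").
cgroup_dir_from_line() {
    case "$1" in
        0::*) printf '%s%s\n' "$CGROUP_ROOT" "${1#0::}" ;;
        *)    return 1 ;;
    esac
}

# Exit 0 when a child cgroup can be created in $1: the directory itself and its
# cgroup.procs file must both be writable by the caller. This is exactly what
# fails in the issue: /sys/fs/cgroup is owned by root and not delegated.
can_create_child_cgroup() {
    [ -d "$1" ] && [ -w "$1" ] && [ -w "$1/cgroup.procs" ]
}

# Print a verdict for the current process. A plain login shell usually sits in
# a root-owned cgroup; a shell started with
# "systemd-run --user --slice=lilipod.slice --shell" gets a delegated one.
diagnose() {
    line=$(grep '^0::' /proc/self/cgroup 2>/dev/null) || {
        echo "no cgroup v2 entry in /proc/self/cgroup (v1-only or no cgroupfs)"
        return 0
    }
    dir=$(cgroup_dir_from_line "$line")
    if can_create_child_cgroup "$dir"; then
        echo "ok: $dir is delegated to uid $(id -u); lilipod can create its scope here"
    else
        owner=$(stat -c %U "$dir" 2>/dev/null || echo '?')
        echo "not delegated: $dir is owned by $owner, mkdir will be denied"
        echo "hint: start the shell via systemd-run --user --slice=<slice> --shell"
    fi
}

diagnose
```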
