-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ghost service PIDs in LXC containers #3520
Comments
Can you show:
as seen from the host, please? |
sure
|
On Fri, Aug 14, 2020 at 06:34:32AM -0700, harridu wrote:
sure
~~~
# cat /proc/2106/cgroup
13:name=systemd:/init.scope
12:rdma:/lxc.payload.il02
11:pids:/lxc.payload.il02
10:perf_event:/lxc.payload.il02
9:net_prio:/lxc.payload.il02
8:net_cls:/lxc.payload.il02
7:memory:/lxc.payload.il02
6:freezer:/lxc.payload.il02
5:devices:/lxc.payload.il02
4:cpuset:/lxc.payload.il02
3:cpuacct:/lxc.payload.il02
2:cpu:/lxc.payload.il02
1:blkio:/lxc.payload.il02
0::/init.scope
~~~
Ok, so looking closer at the issue I understand what is going on.
Your OS doesn't use cgroup2 on a kernel that does support cgroup2. You
can see this from your cat /proc/1/mountinfo output you pasted here.
cgroup2 is different from cgroup1 in that it can be mounted in user
namespaces even if it is not mounted in the initial user namespace.
This means when you start a container - privileged or unprivileged
doesn't matter actually - with a systemd version inside that knows about
cgroup2 then systemd in that container will - rightly so - mount
cgroup2.
Now, when systemd mounts cgroup2 all processes in the initial pid
namespace will be made a member of the newly mounted cgroup2. Since
cgroup2 hasn't been mounted on the host before LXC will not have created
a separate cgroup for the container and so the container and the host
share the same cgroup which is why you see those 0 in there.
Ways to deal with this are:
- prevent the container from mount cgroup2 by modifying it's AppAmor
profile
- mount cgroup2 on the host at /sys/fs/cgroup/unified
- force LXC to pre-mount cgroups for you with e.g. cgroup:rw:force
specified in lxc.mount.auto
Other than that there's not much we can do in such scenarios
unfortunately...
Christian
|
Thanx for your detailed explanation. I highly appreciate this. Of course I will try the workaround/fixes you suggested and post the results here. |
in the lxc config file does not help, AFAICS. systemd in the container uses groupv2 nevertheless. I could have disabled cgroupv2 on the kernel command line, but I did not try that. I have modified cgroupfs-mount on the host to mount cgroup2 as well, e.g.:
That makes systemd in the LXC container happy. |
I'm not happy about the kernel in this respect but this weird scenario was bound to happen at some point because of how cgroup2 mounts work. I'm closing this but if this becomes a persistent issue we need to start thinking about doing something clever. |
Thanks for the bug report! |
Required information
Debian 10
Issue description
There are ghost services with PID=0 in cgroup.procps in the container:
Apparently all these "0" break systemd in the container, see https://lists.freedesktop.org/archives/systemd-devel/2020-August/044999.html .
Lennart wrote
I have seen this issue with LXC hosts running either systemd or sysvinit.
The text was updated successfully, but these errors were encountered: