Skip rootfs pinning for read-only file system.

[weimzh]

Anbox mounts a squashfs image and uses it as the lxc container root. The squashfs image is mounted read-only, hence the rootfs pinning code in newer versions of lxc breaks anbox.

This fixes the issue.

Reference: bug report of anbox: anbox/anbox#1801

[lxc-jenkins]

This pull request didn't trigger Jenkins as its author isn't in the whitelist.

An organization member must perform one of the following:

• To have this branch tested by Jenkins, use the "ok to test" command.
• To have a one time test done, use the "test this please" command.

Those commands are simple Github comments of the format: "jenkins: COMMAND"

[brauner]

jenkins: test this please

[brauner]

Thank you!

[gardotd426]

Unfortunately this doesn't fix the issue.

[ 2021-05-24 00:43:30] [client.cpp:48@start] Failed to start container: Failed to start container: Failed to set config item lxc.group.devices.deny
[ 2021-05-24 00:43:30] [session_manager.cpp:164@operator()] Lost connection to container manager, terminating.
[ 2021-05-24 00:43:30] [daemon.cpp:61@Run] Container is not running
[ 2021-05-24 00:43:30] [session_manager.cpp:164@operator()] Lost connection to container manager, terminating.

This is running the latest lxc master.

[brauner]

Unfortunately this doesn't fix the issue.

[ 2021-05-24 00:43:30] [client.cpp:48@start] Failed to start container: Failed to start container: Failed to set config item lxc.group.devices.deny
[ 2021-05-24 00:43:30] [session_manager.cpp:164@operator()] Lost connection to container manager, terminating.
[ 2021-05-24 00:43:30] [daemon.cpp:61@Run] Container is not running
[ 2021-05-24 00:43:30] [session_manager.cpp:164@operator()] Lost connection to container manager, terminating.

This is running the latest lxc master.

That's reporting that device cgroup values failed to apply though which is a bit odd. Any more details like a trace log or something that you could provide?

[weimzh]

That's reporting that device cgroup values failed to apply though which is a bit odd. Any more details like a trace log or something that you could provide?

that's because name of some cgroup-related lxc config items seems to be changed. I asked them to apply this patch in the bug report of anbox and they have got it working:

-  set_config_item("lxc.group.devices.deny", "");
-  set_config_item("lxc.group.devices.allow", "");
+  set_config_item("lxc.cgroup2.devices.deny", "");
+  set_config_item("lxc.cgroup2.devices.allow", "");

ref: anbox/anbox#1801 (comment)

[brauner]

Hm, I thought I had changed LXC to ignore lxc.cgroup. directives on pure cgroup2 layouts.