On Wed, Feb 17, 2021 at 11:17:01PM -0600, Serge E. Hallyn wrote:
> > >
> > > dpkg -l libpam-cgfs
> > > ii libpam-cgfs 1:3.1.0+really3.0.3-8 i386 PAM module for
> > > managing cgroups for LXC
> > >
> > > My /etc/pam.d/common-session already had a similar line (the last one)
> > > but I added your suggestion as well.
> > >
> > > # here are the per-package modules (the "Primary" block)
> > > session [default=1] pam_permit.so
> > > # here's the fallback if no module succeeds
> > > session requisite pam_deny.so
> > > # prime the stack with a positive return value if there isn't one
> > > already;
> > > # this avoids us returning an error just because nothing sets a success
> > > code
> > > # since the modules above will each just jump around
> > > session required pam_permit.so
> > > # and here are more per-package modules (the "Additional" block)
> > > session required pam_unix.so
> > > session optional pam_winbind.so
> > > session optional pam_systemd.so
> > > session optional pam_cgfs.so -c freezer,memory,name=systemd
> > > # end of pam-auth-update config
> > >
> > > # Added by Peter Carlsson 2021-02-12 for lxc
> > > common-session:session optional pam_cgfs.so -c
> > > freezer,memory,name=systemd
> > >
> > > I also ran pam-auth-update as suggested in the file but I still get:
> > >
> > > lxc-start -n VisualStudioCode -F
> > > Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
> > > [!!!!!!] Failed to mount API filesystems.
> > > Exiting PID 1...
> > >
> > > Thanks for all your help!
> > >
> > > Best regards,
> > > Peter Carlsson
>
> (Sorry for the delay)

No problem. I really appreciate all your help!

> > I decided to remove the line from /etc/pam.d/common-session again since
> > I think the line you were suggesting was already in the file.
>
> Yeah you don't want it twice.
>
> > But still the same error message.
>
> On my laptop, my unprivileged container has:
>
> cat /proc/3773/cgroup
> 12:net_cls,net_prio:/
> 11:pids:/user.slice/user-1000.slice/session-2.scope
> 10:hugetlb:/
> 9:memory:/user.slice/user-1000.slice/session-2.scope
> 8:cpu,cpuacct:/user.slice
> 7:blkio:/user.slice
> 6:freezer:/user/serge/0/lxc.payload.mail
> 5:rdma:/
> 4:perf_event:/
> 3:cpuset:/
> 2:devices:/user.slice
> 1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
> 0::/user.slice/user-1000.slice/session-2.scope
>
> So the systemd cgroup is
>
> /user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
>
> where the first part
>
> /user.slice/user-1000.slice/session-2.scope
>
> was inherited from my login shell, and
>
> serge@sl ~$ ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-2.scope/
> total 0
> -rw-r--r-- 1 root root 0 Feb 17 23:16 cgroup.clone_children
> -rw-r--r-- 1 root root 0 Feb 17 23:16 cgroup.procs
> drwxr-xr-x 2 serge serge 0 Feb 1 08:32 lxc.monitor.mail
> drwxrwxr-x 5 serge 100000 0 Feb 1 08:32 lxc.payload.mail
> drwxr-xr-x 2 serge serge 0 Feb 9 22:13 lxc.pivot
> -rw-r--r-- 1 root root 0 Feb 17 23:16 notify_on_release
> -rw-r--r-- 1 root root 0 Feb 17 23:16 tasks

I finally got it working by changing the permissions!

ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
totalt 0
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.clone_children
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.procs
drwxr-x--- 2 peter peter 0 feb 17 22:23 lxc
-rw-r--r-- 1 root root 0 feb 18 16:11 notify_on_release
-rw-r--r-- 1 root root 0 feb 18 16:11 tasks

chown peter:100000 /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/lxc

ls -l /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-17.scope/
totalt 0
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.clone_children
-rw-r--r-- 1 root root 0 feb 18 16:11 cgroup.procs
drwxr-x--- 2 peter 100000 0 feb 17 22:23 lxc
-rw-r--r-- 1 root root 0 feb 18 16:11 notify_on_release
-rw-r--r-- 1 root root 0 feb 18 16:11 tasks

Do you think this problem was caused by not having the correct settings
when I initially created the container, or could I have prevented this
in any way?

Just to encounter the next problem... But maybe that has not so much to
do with lxc specifically.

I want to run Visual Studio Code inside the lxc container. After I have
done a lxc-attach and installed Visual Studio Code and all dependencies
I run this command:

code-insiders --user-data-dir /home/peter

Nothing shows and my guess is that I somehow need to tell the lxc
container to export the visual presentation to the host?

/Peter
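
Added example, not part of the original thread: a small shell check for the ownership difference visible in the two listings above (owner is the host user, group is the container's mapped root id, 100000 in both). The function names are hypothetical, the sample lines are copied from the /proc/3773/cgroup output quoted above, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example, not from the thread. Finds the name=systemd cgroup path
# and checks a cgroup directory for the owner:group seen in the listings.

# Sample lines copied from the /proc/3773/cgroup output quoted in the thread.
SAMPLE_CGROUP='6:freezer:/user/serge/0/lxc.payload.mail
1:name=systemd:/user.slice/user-1000.slice/session-2.scope/lxc.payload.mail/init.scope
0::/user.slice/user-1000.slice/session-2.scope'

# Read cgroup-v1 style "id:controllers:path" lines on stdin and print the
# path of the name=systemd hierarchy. Exit status 1 if there is none.
systemd_cgroup_path() {
    awk '{
        i = index($0, ":"); rest = substr($0, i + 1)
        j = index(rest, ":")
        if (i && j && substr(rest, 1, j - 1) == "name=systemd") {
            print substr(rest, j + 1); found = 1; exit
        }
    } END { exit (found ? 0 : 1) }'
}

# check_cgroup_owner DIR HOST_UID CONTAINER_ROOT_GID
# Returns 0 when DIR has that owner and group, 1 on a mismatch,
# 2 if DIR does not exist.
check_cgroup_owner() {
    cg_dir=$1; cg_want_uid=$2; cg_want_gid=$3
    [ -d "$cg_dir" ] || { echo "missing: $cg_dir" >&2; return 2; }
    cg_uid=$(stat -c %u "$cg_dir")
    cg_gid=$(stat -c %g "$cg_dir")
    if [ "$cg_uid" = "$cg_want_uid" ] && [ "$cg_gid" = "$cg_want_gid" ]; then
        echo "ok: $cg_dir is $cg_uid:$cg_gid"
        return 0
    fi
    echo "mismatch: $cg_dir is $cg_uid:$cg_gid, expected $cg_want_uid:$cg_want_gid" >&2
    return 1
}

# Demo on the embedded sample; prints the systemd cgroup path.
printf '%s\n' "$SAMPLE_CGROUP" | systemd_cgroup_path

# On a host laid out like the second listing (an "lxc" directory under the
# login session scope), the check would be run from the login shell as:
#   check_cgroup_owner \
#     "/sys/fs/cgroup/systemd$(systemd_cgroup_path </proc/self/cgroup)/lxc" \
#     "$(id -u)" 100000
```

A mismatch here corresponds to the peter:peter state shown before the chown.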