Hi,

It seems that systemd builds the cgroup hierarchy incorrectly when it is running in the container. Systemd duplicates part of the hierarchy below machine.slice/machine...scope/. As a result, a non-root user session cannot be created due to lack of permissions.
In an nspawn container the problem with non-root session creation does not appear. The only minor difference between the containers that we found is in the cgroup hierarchy.

Cgroup hierarchy for the tested case:

1. cgroup hierarchy for non-systemd container

sh-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-starter.service
│     │ L-2711 /usr/bin/starter
│     +-xorg.service
│     │ L-2709 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 -- security=
│   L-2681 /bin/bash
L-system.slice
  +-1 /sbin/init
  +-connman.service
  │ L-29225 /usr/sbin/connmand -n

2. cgroup hierarchy for running container with system

sh-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-xorg.service
│     │ L-3185 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 -- security=
│   L-machine.slice
│     L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       L-system.slice
│         +-2681 /usr/lib/systemd/systemd
│         +-systemd-logind.service
│         │ L-3215 /usr/lib/systemd/systemd-logind
│         +-connman.service
│         │ L-3214 /usr/sbin/connmand -n
│         +-dbus.service
│         │ L-3212 /usr/bin/dbus-daemon --system --address=systemd: -- nofork --n
│         +-console-getty.service
│         │ L-3240 /sbin/agetty --noclear -s console 115200 38400 9600
│         +-wpa_supplicant.service
│         │ L-3241 /usr/sbin/wpa_supplicant -u
│         L-systemd-journald.service
│           L-3200 /usr/lib/systemd/systemd-journald
L-system.slice
  +-1 /sbin/init
  +-connman.service

3. cgroup hierarchy for running container and running user session

h-4.2# systemd-cgls
+-user.slice
│ L-user-5000.slice
│   +-session-c1.scope
│   │ L-2362 /usr/bin/user-session-launch seat0 5000
│   L-user@5000.service
│     +-2365 /usr/lib/systemd/systemd --user
│     +-2366 (sd-pam)
│     +-xorg.service
│     │ L-3468 /usr/bin/xorg-launch-helper -ac -r +accessx 0 -nocursor -sharevts
│     +-msg-service.service
│     │ L-2373 /usr/bin/msg-server
│     L-email.service
│       L-2371 /usr/bin/email-service
+-machine.slice
│ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│   +-2672 /usr/libexec/libvirt_lxc --name tizen-bash-2 --console 20 -- security=
│   L-machine.slice
│     L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       +-machine.slice
│       │ L-machine-lxc\x2dtizen\x2dbash\x2d2.scope
│       │   L-user.slice
│       │     L-user-0.slice
│       │       L-user@0.service
│       │         L-3483 /usr/lib/systemd/systemd --user
│       +-user.slice
│       │ L-user-0.slice
│       │   +-session-c1.scope
│       │   │ +-3240 login -- root
│       │   │ L-3486 -bash
│       │   L-user@0.service
│       │     L-3484 (sd-pam)
│       L-system.slice
│         +-2681 /usr/lib/systemd/systemd
│         +-systemd-logind.service
│         │ L-3215 /usr/lib/systemd/systemd-logind
│         +-connman.service
│         │ L-3214 /usr/sbin/connmand -n
│         +-dbus.service
│         │ L-3212 /usr/bin/dbus-daemon --system --address=systemd: -- nofork --n
│         +-wpa_supplicant.service
│         │ L-3241 /usr/sbin/wpa_supplicant -u
│         L-systemd-journald.service
│           L-3200 /usr/lib/systemd/systemd-journald
L-system.slice
  +-1 /sbin/init
  +-connman.service

Best regards
Jacek Pielaszkiewicz
Samsung R&D Institute Poland
Samsung Electronics
Email: j.pielasz...@samsung.com
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
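
A check for the duplication reported above, as an added example that is not part of the original message: it flags cgroup paths in which a block of components, such as machine.slice/<scope>, is immediately repeated. The sample /proc/<pid>/cgroup lines are constructed from the PIDs and names in the listings; the hierarchy ID 1 and the name=systemd controller field are assumptions, as are all function names.

```python
import glob

def repeated_block(path):
    """Return (block, count) for the longest immediately repeated run of
    path components, or None when no block of components repeats."""
    parts = [p for p in path.split("/") if p]
    best = None
    for start in range(len(parts)):
        for size in range(1, (len(parts) - start) // 2 + 1):
            block, count = parts[start:start + size], 1
            while parts[start + count * size:start + (count + 1) * size] == block:
                count += 1
            if count > 1 and (best is None or count * size > best[1] * len(best[0])):
                best = (block, count)
    return best

def scan(lines_by_pid):
    """Map pid -> (block, count) for each process whose path repeats a block."""
    findings = {}
    for pid, lines in lines_by_pid.items():
        for line in lines:
            # Record format: hierarchy-ID:controller-list:path
            hit = repeated_block(line.split(":", 2)[2]) if line.count(":") >= 2 else None
            if hit:
                findings[pid] = hit
    return findings

def read_proc():
    """Collect the cgroup lines of every process visible in /proc."""
    out = {}
    for name in glob.glob("/proc/[0-9]*/cgroup"):
        try:
            with open(name) as fh:
                out[int(name.split("/")[2])] = fh.read().splitlines()
        except OSError:  # process exited during the scan
            continue
    return out

# Constructed sample: paths rebuilt from the systemd-cgls listings above;
# the "1:name=systemd:" prefix is an assumed hierarchy ID and controller field.
SCOPE = r"machine-lxc\x2dtizen\x2dbash\x2d2.scope"
NEST = "/machine.slice/" + SCOPE
SAMPLE = {
    2672: ["1:name=systemd:" + NEST],
    3215: ["1:name=systemd:" + NEST * 2 + "/system.slice/systemd-logind.service"],
    3483: ["1:name=systemd:" + NEST * 3 + "/user.slice/user-0.slice/user@0.service"],
}

if __name__ == "__main__":
    for pid, (block, count) in sorted(scan(SAMPLE).items()):
        print(pid, "/".join(block), "x", count)
```

Passing `read_proc()` to `scan()` instead of `SAMPLE` runs the same check against the processes visible on a live system.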