wrong cgroup on login to container

Bug #1315521 reported by Serge Hallyn on 2014-05-02
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cgmanager (Ubuntu)
High
Unassigned
Trusty
High
Unassigned
lxc (Ubuntu)
High
Unassigned
Trusty
High
Unassigned

Bug Description

When starting a privileged container with cgmanager, cgroups look like:

3:cpuset:/lxc/u5
2:name=systemd:/user/1000.user/c2.session

where all controllers other than name=systemd are correct. lxc needs
to set the new cgroup for name=systemd, and cgmanager needs to fix a
bug where name=systemd was not being handled right.

========================================================
Impact: containers are not fully placed into their cgroup
Test case:
 sudo lxc-create -t download -n u1 -- -d ubuntu -r trusty -a amdte
 sudo lxc-start -n u1 -d
 sudo lxc-attach -n u1 -- grep systemd /proc/self/cgroup
 Verify that the cgroup is /lxc/u1
Regression potential: user logins and containers could fail to be
moved into their proper cgroups
========================================================

Serge Hallyn (serge-hallyn) wrote :

Patch for lxc has been sent to the mailing list (hence the 'fix committed' status).

Changed in cgmanager (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in cgmanager (Ubuntu Trusty):
importance: Undecided → High
Changed in lxc (Ubuntu):
importance: Undecided → High
Changed in lxc (Ubuntu Trusty):
importance: Undecided → High
Changed in lxc (Ubuntu):
status: New → Fix Committed
Changed in lxc (Ubuntu Trusty):
status: New → Confirmed
Changed in cgmanager (Ubuntu Trusty):
status: New → Confirmed
description: updated
description: updated

Hello Serge, or anyone else affected,

Accepted cgmanager into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/cgmanager/0.24-0ubuntu6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cgmanager (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Serge Hallyn (serge-hallyn) wrote :

the full fix requires an lxc patch, however I tested it by doing

sudo cgm create name=systemd u1
sudo cgm chown name=systemd u1 1000 1000
cgm movepid name=systemd u1 $$
cat /proc/self/cgroup | grep systemd

which gave the expected correct result (a cgroup ending in '/u1')

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cgmanager - 0.24-0ubuntu6

---------------
cgmanager (0.24-0ubuntu6) trusty-proposed; urgency=low

  * 0002-exit-on-startup-error: Don't proceed to accept client connections
    if we failed to connect to the server. (LP: #1317693)
  * 0003-proxy-wait-2-seconds-for-server-reply: do not wait indefinately
    for replies from the cgmanager, as it may have crashed. (LP: #1317623)
  * 0004-Implement-getpidcgroupabs.patch: Provide a way for clients to
    query absolute paths which can be used with MovePidAbs (LP: #1315052)
  * 0005-get_controller_path-use-the-is_same_controller-helpe.patch: Fix
    handling of name=systemd so that containers can be properly entered
    into the proper cgroup. (LP: #1315521)
  * 0006-cgm-make-all-also-reference-name-systemd.patch: make cgm all
    also act on the name=systemd container (LP: #1317687)
 -- Serge Hallyn <email address hidden> Thu, 08 May 2014 18:02:50 -0500

Changed in cgmanager (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for cgmanager has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Changed in lxc (Ubuntu):
status: Fix Committed → Fix Released

Hello Serge, or anyone else affected,

Accepted lxc into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/1.0.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

Confirmed that name=systemd: indeed points to a valid sub-cgroup of lxc.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.0.4-0ubuntu0.1

---------------
lxc (1.0.4-0ubuntu0.1) trusty; urgency=medium

  * New upstream bugfix release. (MRE trackaging bug LP: #1329932)
    - Drop all existing patches (all applied upstream).
    - Fix lxc-attach failing from a different login session. (LP: #1315052)
    - Fix wrong cgroup on login to container. (LP: #1315521)

  * Cherry-pick upstream (stable branch) commits to fix testsuite under adt:
    - tests: Avoid the download template when possible
    - tests: Don't fail when HOME isn't defined
    - tests: apparmor: Always end with a newline

  * Sync packaging with utopic:
    - Depend on either cgmanager or cgroup-lite and recommend cgmanager.
      This should ensure systems get cgmanager by default even if cgroup-lite
      is already installed, yet makes it possible for the user to remove
      cgmanager if they really want to.
    - Remove hardcoded dependency on apparmor, instead generate it from
      rules so that the source package can be backported without changes (the
      right apparmor version will be picked up based on the release number).
    - Do not start lxc-instance in postinst without any instance specified,
      as that is an invalid request.
 -- Stephane Graber <email address hidden> Sat, 14 Jun 2014 20:09:57 -0400

Changed in lxc (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers