systemd-nspawn in 239 fails to start older machines with user namespaces: Failed to create root cgroup hierarchy: Permission denied

[wvh]

I'm starting CentOS 7.5 machines (with systemd 219) on an Arch Linux host with systemd 239.

No machines can be started since about the update to systemd 239. The problem is with the -U (user namespace) option to systemd-nspawn:

[root@arch ~]# systemctl --version
systemd 239
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN +PCRE2 default-hierarchy=hybrid
[root@arch ~]# systemd-nspawn -bUD /home/build/qbuilder/ --network-zone=machines -M qbuilder systemd.legacy_systemd_cgroup_controller=yes
Spawning container builder on /home/build/qbuilder.
Press ^] three times within 1s to kill container.
Selected user namespace base 1649344512 and range 65536.
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!

Set hostname to <qbuilder>.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to create root cgroup hierarchy: Permission denied
Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object, freezing.

Bug report #9563 just got closed, but suggested fix of adding systemd.legacy_systemd_cgroup_controller=yes doesn't help.

Note this was working reliably last month. Any work-arounds?

[wvh]

Starting the host with systemd.legacy_systemd_cgroup_controller=yes does the trick. I guess CentOS 7.5 with systemd 219 doesn't support that parameter, though I don't know what patches RedHat or CentOS have included beyond just that version number.

Not sure what happened between v238 and v239 that stopped hybrid from working with v219 CentOS virtual machines, since Arch Linux has been using default-hierarchy=hybrid for a while now.

[poettering]

Hmm, so you are saying you are running hybrid mode on the host, and systemd 219 in the payload, and that this used to work and doesn't anymore?

Does setting $UNIFIED_CGROUP_HIERARCHY=0 or $SYSTEMD_NSPAWN_USE_CGNS=0 (or both) change anything if you pass those env vars to nspawn?

[tomeon]

I am experiencing a similar issue trying to boot an Ubuntu 16.04 image:

$ systemctl --version
systemd 239
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN +PCRE2 default-hierarchy=hybrid
$ sudo -E env UNIFIED_CGROUP_HIERARCHY=0 SYSTEMD_NSPAWN_USE_CGNS=0 systemd-nspawn -i ./ubuntu-python.raw --boot -U --network-veth --machine=ubuntu-python systemd.legacy_systemd_cgroup_controller=yes                                              
Spawning container ubuntu-python on /some/path/ubuntu-python.raw.                                                                     
Press ^] three times within 1s to kill container.
Selected user namespace base 1367736320 and range 65536.
systemd 229 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN)   
Detected virtualization systemd-nspawn.
Detected architecture x86-64.

Welcome to Ubuntu 16.04 LTS!

Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to install release agent, ignoring: No such file or directory
Failed to create /init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object, freezing.
Freezing execution.

I also tried passing -E UNIFIED_CGROUP_HIERARCHY=0 -E SYSTEMD_NSPAWN_USE_CGNS=0 to systemd-nspawn in case that's what @poettering meant by "pass those env vars to nspawn"; that did not work, either.

[evverx]

The only workaround I've come up with is to pass --keep-unit and --register=no to systemd-nspawn, that is something like the following should suffice:

systemd-nspawn --keep-unit --register=no ... -b

The regression was introduced in 720f0a2, where the nspawn hierarchy was moved down without changing chown_cgroup accordingly.

$ ls -ln /sys/fs/cgroup/systemd/machine.slice/machine-xenial.scope
total 0
-rw-r--r-- 1 706150400 706150400 0 Sep 17 15:12 cgroup.clone_children
-rw-r--r-- 1 706150400 706150400 0 Sep 17 15:12 cgroup.procs
-rw-r--r-- 1 706150400 706150400 0 Sep 17 15:12 notify_on_release
drwxr-xr-x 2         0         0 0 Sep 17 15:12 payload
-rw-r--r-- 1 706150400 706150400 0 Sep 17 15:12 tasks