I prepared a minimal vivid container with systemd-sysv, and tried to boot it (vivid host):
$ sudo lxc-start -n vivid-systemd -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
[... hangs ...]
In apparmor I see:
[10072.122514] audit: type=1400 audit(1416213339.298:50): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=16469 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
After setting "lxc.aa_profile = unconfined", the container boots (with similar error message spew as in #1, which we can ignore for now), but logging in on the console takes a long time. systemd-journal (in the guest) starts spinning the CPU to 100%. "sudo journalctl" shows me the logs. stracing shows
read(9, "", 8192) = 0
epoll_wait(7, {{EPOLLIN|EPOLLERR|EPOLLHUP, {u32=3073693008, u64=140547288520016}}, {EPOLLIN, {u32=3073692768, u64=140547288519776}}, {EPOLLIN, {u32=3073692288, u64=140547288519296}}, {EPOLLIN, {u32=3073692528, u64=140547288519536}}}, 14, 0) = 4
clock_gettime(0x7 /* CLOCK_??? */, {10618, 410721720}) = 0
writev(2, [{"/dev/kmsg buffer overrun, some m"..., 45}, {"\n", 1}], 2) = 46
I tried to set "lxc.kmsg = 0" as Serge indicated in comment 2, but this doesn't seem to have the intended effect: in the container I still see "/dev/kmsg -> console".
For the record: booting and journal work fine in systemd-nspawn; but this has neither apparmor protection nor does it do the /dev/kmsg -> /dev/lxc/console trick; instead, /dev/kmsg does not exist at all there.
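As an added example (not part of the bug report and not LXC or AppArmor code), a small Python parser for AppArmor audit records like the DENIED line quoted above. It extracts the profile, fstype, mount target and flags that a profile author needs in order to write a targeted mount rule instead of switching to "lxc.aa_profile = unconfined", which removes the container's AppArmor confinement altogether. The sample record is constructed from the line in the report.

```python
import re

# Constructed sample: the AppArmor denial quoted in the bug report above.
SAMPLE_LINE = (
    '[10072.122514] audit: type=1400 audit(1416213339.298:50): apparmor="DENIED" '
    'operation="mount" info="failed type match" error=-13 '
    'profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" '
    'pid=16469 comm="systemd" fstype="cgroup" srcname="cgroup" '
    'flags="rw, nosuid, nodev, noexec"'
)

# key=value pairs; quoted values may contain spaces and commas
# (e.g. flags="rw, nosuid, nodev, noexec"), unquoted ones may not.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_audit(line):
    """Return the key/value fields of one AppArmor audit record as a dict.

    Returns None for lines that are not AppArmor (type=1400) records.
    """
    if 'type=1400' not in line or 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def describe_mount_denial(fields):
    """For a DENIED mount record, return (profile, fstype, target, flags).

    That tuple is what decides whether a specific mount rule for the profile
    is warranted. Returns None for anything that is not a mount denial.
    """
    if fields is None:
        return None
    if fields.get('apparmor') != 'DENIED' or fields.get('operation') != 'mount':
        return None
    flags = [f.strip() for f in fields.get('flags', '').split(',') if f.strip()]
    return (fields['profile'], fields.get('fstype'), fields['name'], flags)
```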