runc inside systemd-nspawn container

[oneingan]

I am trying to run runc into a systemd-nspawn container. But I get errors because cgroup read-only filesystems. The problem is that the flag --systemd-cgroup is not getting the correct cgroup (the rw one that systemd exposes to container):

# runc --debug --systemd-cgroup run foo
container_linux.go:264: starting container process caused "process_linux.go:261: applying cgroup configuration for process caused \"mkdir /sys/fs/cgroup/cpuset/system.slice: read-only file system\""

but the cgroup with the name=systemd attribute is:

# mount | grep systemd
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)

Am I missing something? Thanks in advance.

[pavel]

@cyphar Is there any resolution to this issue? As far as I get runc should not make changes at the top of the cgroup tree, see https://github.com/systemd/systemd/issues/11703#issuecomment-463608337. --systemd-cgroup flag still fails with the error mentioned in the original comment.

Error originates here: https://github.com/opencontainers/runc/blob/e23868603a8bac8f374f5bca129e7ed187cd51c9/libcontainer/process_linux.go#L275

I'm running:

runc version 1.0.0-rc6 commit: ccb5efd37fb7 spec: 1.0.1-dev

[mchugh19]

This also seems to be the case for trying to use buildah inside of nspawn

WARN[0000] signal: killed
ERRO[0000] container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:415: setting cgroup config for procHooks process caused \\\"error while setting cgroup v2: [failed to load program: operation not permitted]\\\"\""
container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:415: setting cgroup config for procHooks process caused \\\"error while setting cgroup v2: [failed to load program: operation not permitted]\\\"\""
error running container: error creating container for [myservice]: : exit status 1