One of the core features of cgmanager is to easily, safely, and transparently support the cgroup requirements of container nesting. Processes can administer cgroups exactly the same way whether inside a container or not. This also makes nested lxc very easy.
To create a container in which you can use cgroups, first create a container as usual (note, do this on an Ubuntu 14.04 system, unless you have enabled all the pieces you need – which I am not covering here):
sudo lxc-create -t download -n t1 -- -d ubuntu -r trusty -a amd64
Now, to bind the cgmanager socket inside the container, append the cgroup auto-mount to the container's config:
echo "lxc.mount.auto = cgroup" | sudo tee -a /var/lib/lxc/t1/config
If you also want to be able to start nested containers, then you need to use an apparmor profile which allows lxc mounting:
echo "lxc.aa_profile = lxc-container-default-with-nesting" | sudo tee -a /var/lib/lxc/t1/config
Now, simply start the container:
sudo lxc-start -n t1
You can run the cgmanager testsuite:
sudo apt-get -y install cgmanager-tests
cd /usr/share/cgmanager/tests
sudo ./runtests.sh
and use the cgm program to interact with cgmanager:
cgm ping
sudo cgm create all compile
sudo cgm chown all compile 1000 1000
cgm movepid all compile $$
If you changed the aa_profile to permit nesting, then you can simply create and use containers inside the t1 container.
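As an added example (not code from the post or from lxc), a small POSIX shell helper that performs the two config appends above idempotently: it refuses to add a second, conflicting value for the same key, which a plain `tee -a` would happily do. The config path is passed in explicitly (assumption: the /var/lib/lxc/<name>/config layout from the post) so it can be exercised on a temporary file; for a real container run the whole script under sudo so the `>>` redirection happens as root.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently enable cgmanager
# access (and optionally nesting) in an lxc container config.

# ensure_setting CONFIG KEY VALUE
# Appends "KEY = VALUE" unless an identical line already exists. If KEY is
# already set to a different value, refuse: lxc takes the last definition,
# so a silently duplicated key is easy to overlook when auditing the config.
ensure_setting() {
    cfg=$1; key=$2; val=$3
    if grep -qs "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$val[[:space:]]*$" "$cfg"; then
        return 0   # already present exactly as wanted
    fi
    if grep -qs "^[[:space:]]*$key[[:space:]]*=" "$cfg"; then
        echo "$cfg: $key already set to a different value; not appending" >&2
        return 1
    fi
    # Runs as root only if this whole script runs under sudo (see the comments
    # on sudo and shell redirection in the post).
    printf '%s = %s\n' "$key" "$val" >> "$cfg"
}

# enable_cgroup_nesting CONFIG [nesting]
# Step 1 from the post: bind the cgmanager socket (lxc.mount.auto = cgroup).
# Step 2, only when the second argument is "nesting": switch to the apparmor
# profile that allows lxc mounting inside the container.
enable_cgroup_nesting() {
    cfg=$1
    ensure_setting "$cfg" lxc.mount.auto cgroup || return 1
    if [ "${2:-}" = nesting ]; then
        ensure_setting "$cfg" lxc.aa_profile lxc-container-default-with-nesting || return 1
    fi
}

# Usage: sudo sh enable-nesting.sh /var/lib/lxc/t1/config nesting
if [ -n "${1:-}" ]; then
    enable_cgroup_nesting "$1" "${2:-}"
fi
```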
What I showed here is using privileged (root-owned) containers. In this case, the lxc-container-default-with-nesting profile is actually far less safe than the default profile. However, when using unprivileged containers (https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/) for at least the first layer, nesting works the exact same way, and the profile safety difference becomes moot.
Just a little query:
Can there be a situation where there is a difference between:
echo "lxc.mount.auto = cgroup" | sudo tee -a /var/lib/lxc/t1/config
and
echo "lxc.mount.auto = cgroup" >> /var/lib/lxc/t1/config
Yes, the first works when you’re not root to begin with 🙂
I didn’t think about it….
Now seriously:
How about sudo echo "lxc.mount.auto = cgroup" >> /var/lib/lxc/t1/config
Is there any difference between this command and the command you are using ?
Yes. When you type 'sudo echo whatever >> somefile', the '>>' is interpreted by your unprivileged shell, not by sudo. Your unprivileged shell doesn't have the rights to append to /var/lib/lxc/t1/config.
Is it possible to use this manual in combination with Stéphane Graber's manual for using GUI apps in unprivileged containers? And if yes, is this still safer than using GUI applications in normal containers? Would you have to make those configurations for pulseaudio, X, and to add sub-uids and sub-gids in both containers (the parent container and the child container, in which the GUI application would run)?
Hi,
without having tried, I suspect the most challenging part will be poking the hole in the uid mapping for your user, but it should all work.
The container will still run unprivileged, so will be as safe as in the original post. Only the container bring-up will be done with enhanced privileges (running as root).