Re: [Lxc-users] GUI container
On Thu, 2010-12-09 at 22:21 -0800, Nirmal Guhan wrote:
> Hi,
>
> Has anyone tried running a GUI app (firefox for instance) inside a container or as an application container? Just want to know if this requires any special steps before I tread that path. Am using Fedora 12 for both host and container. Please let me know.
>
> Thanx,
> Nirmal

Although not directly using the LXC tools but the same backend functions (kernel namespaces), you might be interested in the sandbox tool I developed. You can learn more on: http://www.stgraber.org/category/sandbox/

It's meant to be used with recent kernels, offers nautilus integration and a GUI. I've been running a few graphical applications in there without any issue.

Packages are available for Ubuntu natty (development release) and Ubuntu maverick (stable release). The code automatically detects the kernel version and lets you know what to do to get GUI application support.

Hope it helps!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Howto detect we are in LXC contener
On Thu, 2011-05-26 at 01:51 +0200, David Touzeau wrote:
> Dear all,
>
> To detect if we are inside an OpenVZ, openvzve or xen machine we can check the presence of:
>
> /proc/vz/veinfo
> /proc/vz/version
> /proc/sys/xen
> /sys/bus/xen
> /proc/xen
>
> But I did not find any information inside the LXC container in order to detect that we are really in an LXC container.
>
> Is there a tip?
>
> Best regards

My current trick is to check:

    if [ -f /proc/1/cgroup ] && grep -vq '/$' /proc/1/cgroup; then
        echo lxc!
    fi

This check won't guarantee it's LXC but there shouldn't be too many other setups where init is in a cgroup.

If there's a more reliable way of doing it, I'm also interested!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
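An added example, not code from the thread: the /proc/1/cgroup heuristic above together with the OpenVZ/Xen marker files from the question, as a function that takes a root prefix so it can be exercised against a constructed fake /proc tree instead of the live system (make_fake_root and its sample cgroup contents are constructed for this example).

```shell
#!/bin/sh
# Added example, not code from the thread. detect_virt implements the
# /proc/1/cgroup heuristic described above plus the OpenVZ/Xen marker files
# from the question. It takes a root prefix so it can be run against a
# constructed fake /proc tree (see make_fake_root) instead of the live system.

# detect_virt ROOT -> prints openvz, xen, lxc or none; returns 0 when a
# marker was found, 1 otherwise. An empty ROOT means the real filesystem.
detect_virt() {
    root=${1:-}
    # OpenVZ and Xen expose dedicated files, so their presence is decisive.
    for f in /proc/vz/veinfo /proc/vz/version; do
        if [ -e "$root$f" ]; then echo openvz; return 0; fi
    done
    for f in /proc/sys/xen /sys/bus/xen /proc/xen; do
        if [ -e "$root$f" ]; then echo xen; return 0; fi
    done
    # LXC heuristic from the thread: init of a container sits in a non-root
    # cgroup, so at least one line of /proc/1/cgroup does not end in "/".
    # On the host every hierarchy line ends in "/" for pid 1. This does not
    # prove LXC; any setup that puts init into a cgroup looks the same.
    if [ -f "$root/proc/1/cgroup" ] && grep -vq '/$' "$root/proc/1/cgroup"; then
        echo lxc
        return 0
    fi
    echo none
    return 1
}

# make_fake_root KIND -> creates a constructed /proc tree under a temporary
# directory and prints its path. KIND is host, lxc, openvz or xen.
make_fake_root() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/1"
    case $1 in
        host)
            # constructed sample: pid 1 in the root of every hierarchy
            printf '3:cpu:/\n2:memory:/\n1:cpuset:/\n' > "$d/proc/1/cgroup" ;;
        lxc)
            # constructed sample: pid 1 of a container named "lucid"
            printf '3:cpu:/lxc/lucid\n2:memory:/lxc/lucid\n1:cpuset:/lxc/lucid\n' \
                > "$d/proc/1/cgroup" ;;
        openvz)
            mkdir -p "$d/proc/vz"
            : > "$d/proc/vz/version" ;;
        xen)
            mkdir -p "$d/proc/xen" ;;
    esac
    echo "$d"
}

# Stand-alone use: report on the running system, or on the root prefix
# given as the first argument.
detect_virt "${1:-}" || :
```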
Re: [Lxc-users] lxc-ubuntu: Default to current ubuntu release. If can't match any valid release, use lucid.
On Thu, 2011-06-23 at 11:13 -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgra...@ubuntu.com):
> > Signed-off-by: Stéphane Graber stgra...@ubuntu.com
>
> My thought (which I meant to point out in the help output) was that we should default to the latest LTS. lucid for now, 12.04 when it comes out. What do you think? If you think it's better to use the host's release by default, I'm fine with that.

I kind of like having all the defaults set to what I'm currently running.

One thing that bothers me is that we can't give the distro, arch, ... as parameter when doing a lxc-create (which I'm assuming is the most common way of using our templates).

Should we change the template to prompt the user instead? Showing the supported values for the distro and architecture (at least) and using the current system's values as a default?

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] lxc-ubuntu: Default to current ubuntu release. If can't match any valid release, use lucid.
On Thu, 2011-06-23 at 13:27 -0400, Stéphane Graber wrote:
> On Thu, 2011-06-23 at 11:13 -0500, Serge Hallyn wrote:
> > Quoting Stéphane Graber (stgra...@ubuntu.com):
> > > Signed-off-by: Stéphane Graber stgra...@ubuntu.com
> >
> > My thought (which I meant to point out in the help output) was that we should default to the latest LTS. lucid for now, 12.04 when it comes out. What do you think? If you think it's better to use the host's release by default, I'm fine with that.
>
> I kind of like having all the defaults set to what I'm currently running.
>
> One thing that bothers me is that we can't give the distro, arch, ... as parameter when doing a lxc-create (which I'm assuming is the most common way of using our templates).
>
> Should we change the template to prompt the user instead? Showing the supported values for the distro and architecture (at least) and using the current system's values as a default?

Looking at some e-mail from Serge I now saw that -- options should be working, though it's not really intuitive as I can't find any reference to it doing lxc-create --help.

So I'd suggest to either have the script prompt the user or make sure the help is up to date and the template options are easy enough to find for our users (including their default values).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] lxc-ubuntu: Base arch detection code on debootstrap's with some additions when we don't have dpkg or udpkg
On Thu, 2011-06-23 at 11:19 -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgra...@ubuntu.com):
> > Signed-off-by: Stéphane Graber stgra...@ubuntu.com
> > ---
> > templates/lxc-ubuntu.in | 24 ++--
> > 1 files changed, 18 insertions(+), 6 deletions(-)
> >
> > diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> > index 2a20c7d..4f75336 100644
> > --- a/templates/lxc-ubuntu.in
> > +++ b/templates/lxc-ubuntu.in
> > @@ -391,15 +391,27 @@ eval set -- $options release=lucid bindhome= -arch=$(arch) -trim_container=0 -if [ $arch == x86_64 ]; then arch=amd64 -fi -if [ $arch == i386 ]; then -arch=i686 +# Code taken from debootstrap +if [ $arch != ]; then +true
>
> My only objection here is that I don't think we want to support passing arch in through the environment. Now that we support passing it in through command line, supporting environment as well seems a bit too magic. What do you think?
>
> The rest looks good, thanks.

Agreed, the initial if statement comes from debootstrap's code and should indeed be dropped. We can already set the value with --arch/-a.

> > +elif [ -x /usr/bin/dpkg ] /usr/bin/dpkg --print-architecture /dev/null 21; then +arch=`/usr/bin/dpkg --print-architecture` +elif type udpkg /dev/null 21 udpkg --print-architecture /dev/null 21; then +arch=`/usr/bin/udpkg --print-architecture` +else +arch=$(arch) +if [ $arch = i686 ]; then +arch=i386 +elif [ $arch = x86_64 ]; then +arch=amd64 +elif [ $arch = armv7l ]; then +arch=armel +fi fi +trim_container=0 + hostarch=$arch while true do -- 1.7.5.4

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
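Review bot: the udpkg branch of the hunk is inconsistent with itself: the condition locates the tool with `type udpkg`, a PATH lookup, but the assignment on the next line runs the hard-coded path /usr/bin/udpkg, so a udpkg found anywhere else on PATH passes the test and then fails the call; use `udpkg --print-architecture` in both places (the dpkg branch is consistent, testing and calling /usr/bin/dpkg). As already agreed in the thread, the leading `if [ $arch != ]; then true` branch should go, since it lets a stray arch variable in the environment bypass detection even though --arch/-a already covers that case. The fallback mapping is an improvement on the removed code, which sent i386 to i686 rather than the other way round; the new `i686 -> i386` matches the names dpkg and debootstrap expect.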
[Lxc-users] Ubuntu daily builds of LXC's master branch
Hello,

I just set up daily builds for Ubuntu 10.10, 11.04 and oneiric. These are automatically triggered once a day if something new got pushed to the git branch.

Packages: https://launchpad.net/~ubuntu-lxc/+archive/daily

The PPA, bzr branches and recipe are managed by the ubuntu-lxc team which I created for that purpose. It's using Launchpad's automated git import to get new revisions from git, add packaging on top of that and build.

I didn't configure the recipe to build for lucid as the current packaging requires debhelper 8 which doesn't exist on lucid. If people really want it, a separate recipe could be added with a slightly different packaging for lucid.

Enjoy!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] security question
On 08/19/2011 03:54 PM, Ulli Horlacher wrote:
> On Fri 2011-08-19 (15:38), Dong-In David Kang wrote:
> > We've found out that inside of an LXC instance, root can insert/remove modules of the host. Is it normal? If it is doable, an LXC image may corrupt the host system, which is not good in terms of security.
>
> Put:
>
>     lxc.cap.drop = sys_module
>
> to your LXC container config file.
>
> And by the way:
>
>     lxc.cap.drop = sys_admin
>
> is also a good idea, to prevent that the container root can modify mount options, for example set the container filesystem to read-only, which can affect ALL containers!

So, for a more generic answer:

LXC doesn't pretend to be secure when you run stuff as root inside the container. The proposed solutions above will restrict what root can do and so may solve a good part of your issues. Stuff like "echo b > /proc/sysrq-trigger" will still be possible until we get the user namespaces (that specific example could be blocked by some of the security modules though).

Last week during the LXC/container hackfest in Austin, there's been some good progress on the user namespace and so we can hope to have these eventually implemented in the kernel.

Until then, I'd recommend not running untrusted software as root in a container. It's perfectly safe to run something as a user though. For cases where you trust your container user, like development environments, it's of course fine running stuff as root and I do that every day.

Hope that clarifies the current situation :)

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] network problem with lxc
On 08/22/2011 11:13 PM, Canhua wrote:
> hi, one additional info: I use lxc on a vmware virtual machine. And I suspect that veth* virtual interfaces should be assigned mac addresses with vmware's mac prefix (00:50:56:*). But I don't know how to manually set the mac address of the veth* interface.
>
> On Mon, Aug 22, 2011 at 10:55 PM, Canhua <dreamerat...@gmail.com> wrote:
> > hi
> >
> > I have a network problem with lxc. I use bridge and veth for the network setup. Now I can connect to the containers from the host system, but can't from the network outside. My various interfaces are as shown in pastebin: http://pastebin.com/RqtyitG6. In those interfaces, eth1 is irrelevant, eth0 is the bridged physical interface, and those two veth* are the interfaces of two containers. Any suggestions?
> >
> > Thank you.
> > Best regards.

Hi,

Unfortunately VMWare doesn't allow multiple MAC addresses to come out of one virtual network card. This is a problem for anyone doing bridging within a virtual machine.

Some tricks exist to reconfigure the vswitch to allow multiple mac addresses, though last I checked it involved making it a hub which is far from desirable in most cases.

The two other ways around the limitation that I know of are:

1) Route a subnet to your VM and then re-distribute these for your containers

2) Add one virtual network card to your VM for each container you want to have inside it. Then directly assign each of these network interfaces to a container using the phys network type in lxc.

Hope it helps!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Ubuntu /etc/init.d/xinetd kills container's xinetd
On 10/05/2011 12:43 PM, Ulli Horlacher wrote:
> I have an Ubuntu LXC host with several containers running internet services via xinetd. Sometimes the container services died without any reason and no logfile entry. First, I thought LXC is not as stable as I hoped, but now I found the bug inside /etc/init.d/xinetd!
>
> The problem is: when I stop xinetd on the host with command
>
>     /etc/init.d/xinetd stop
>
> this stops all LXC container xinetd processes, too!
>
> /etc/init.d/xinetd contains bad code which does not respect the xinetd pidfile. See man start-stop-daemon:
>
>     Note: unless --pidfile is specified, start-stop-daemon behaves similar to killall(1). start-stop-daemon will scan the process table looking for any processes which match the process name (...)
>
> The following patch prevents this unwanted behaviour:
>
> --- /tmp/xinetd 2011-10-05 18:08:13.0 +0200 +++ xinetd2011-10-05 18:23:19.0 +0200 @@ -17,7 +17,7 @@ DAEMON=/usr/sbin/$NAME PIDFILE=/var/run/$NAME.pid -test -x $DAEMON || exit 0 +test -x $DAEMON || exit 0 test -e /etc/default/$NAME . /etc/default/$NAME case $INETD_COMPAT in @@ -47,18 +47,20 @@ start) checkportmap log_daemon_msg Starting internet superserver $NAME -start-stop-daemon --start --quiet --background --exec $DAEMON -- \ --pidfile $PIDFILE $XINETD_OPTS +start-stop-daemon --start --pidfile $PIDFILE --quiet --background \ + --exec $DAEMON -- -pidfile $PIDFILE $XINETD_OPTS log_end_msg $? ;; stop) log_daemon_msg Stopping internet superserver $NAME -start-stop-daemon --stop --signal 3 --quiet --oknodo --exec $DAEMON +start-stop-daemon --stop --pidfile $PIDFILE --signal 3 --quiet \ + --oknodo --exec $DAEMON log_end_msg $? ;; reload) log_daemon_msg Reloading internet superserver configuration $NAME -start-stop-daemon --stop --signal 1 --quiet --oknodo --exec $DAEMON +start-stop-daemon --stop --pidfile $PIDFILE --signal 1 --quiet \ + --oknodo --exec $DAEMON log_end_msg $? ;; restart|force-reload)
> @@ -66,7 +68,7 @@ $0 start ;; status) - status_of_proc -p $PIDFILE $DAEMON xinetd exit 0 || exit $? + status_of_proc -p $PIDFILE $DAEMON xinetd exit 0 || exit $? ;; *) echo Usage: /etc/init.d/xinetd {start|stop|reload|force-reload|restart|status}

Hi!

Can you file a bug here: http://launchpad.net/ubuntu/+source/xinetd/+filebug

Then attach the patch to the bug making sure that it's flagged as a patch. This should ensure someone will look at it, sadly not for Oneiric (11.10) but hopefully for Precise (12.04).

Launchpad lets you mark a bug as affecting multiple packages, so I'd suggest you add a task to any other package showing the same bug so they can easily be tracked and fixed (though a good part of that will probably have to happen in Debian).

Thanks

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
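Review bot: the `@@ -17,7 +17,7 @@` and `@@ -66,7 +68,7 @@` hunks replace lines with ones that read identically as quoted here (`test -x $DAEMON || exit 0` and the `status_of_proc -p $PIDFILE $DAEMON xinetd` line); if they differ only in whitespace, drop them so the patch is limited to the start-stop-daemon change and is easier to review and to apply to other packages with the same bug. In the `@@ -47,18 +47,20 @@` hunk the fix itself is right: `--stop --pidfile $PIDFILE` restricts the kill to the pid recorded in the host's pidfile instead of every process named xinetd, which is how the containers' daemons were being hit; note that it relies on the `-pidfile $PIDFILE` now passed to xinetd in the start action, so the stop and reload changes should not be applied without it.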
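An added example, not code from the thread or from Ubuntu's xinetd package: a small audit that flags `start-stop-daemon --stop` calls lacking `--pidfile`, the pattern that made the host's init script kill the containers' xinetd. The before/after fragments it is run against are constructed for this example, modelled on the patch above; the line-continuation handling matters because the fixed script splits each call over two lines.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ubuntu's xinetd package.
# audit_ssd flags "start-stop-daemon --stop" calls that lack --pidfile: such
# calls match by process name, which on an LXC host also hits the containers'
# daemons, exactly the failure reported above. The before/after samples are
# constructed fragments modelled on the patch in the thread.

# audit_ssd FILE -> prints "FILE:LINE: command" for every offending call;
# returns 0 when the script is clean, 1 when at least one call lacks --pidfile.
audit_ssd() {
    awk -v file="$1" '
        # Join backslash-continued lines first: the fixed script splits each
        # start-stop-daemon call over two lines, so a per-line check would
        # miss the --pidfile on the continuation and report a false positive.
        /\\$/ {
            sub(/\\$/, "")
            if (start == 0) start = NR
            buf = buf $0
            next
        }
        {
            line = buf $0
            first = (start ? start : NR)
            buf = ""; start = 0
            if (line ~ /start-stop-daemon/ && line ~ /--stop/ && line !~ /--pidfile/) {
                sub(/^[ \t]+/, "", line)
                printf "%s:%d: %s\n", file, first, line
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_samples DIR -> writes xinetd.before (vulnerable) and xinetd.after
# (patched) fragments, constructed for this example.
write_samples() {
    cat > "$1/xinetd.before" <<'EOF'
DAEMON=/usr/sbin/xinetd
PIDFILE=/var/run/xinetd.pid
case "$1" in
  stop)
    start-stop-daemon --stop --signal 3 --quiet --oknodo --exec $DAEMON
    ;;
  reload)
    start-stop-daemon --stop --signal 1 --quiet --oknodo --exec $DAEMON
    ;;
esac
EOF
    cat > "$1/xinetd.after" <<'EOF'
DAEMON=/usr/sbin/xinetd
PIDFILE=/var/run/xinetd.pid
case "$1" in
  stop)
    start-stop-daemon --stop --pidfile $PIDFILE --signal 3 --quiet \
        --oknodo --exec $DAEMON
    ;;
  reload)
    start-stop-daemon --stop --pidfile $PIDFILE --signal 1 --quiet \
        --oknodo --exec $DAEMON
    ;;
esac
EOF
}

# Stand-alone use: audit every init script given on the command line,
# e.g. ./audit_ssd.sh /etc/init.d/*
for script in "$@"; do
    audit_ssd "$script" || :
done
```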
Re: [Lxc-users] lxc-stop make Kernel crashing
On 10/14/2011 04:35 PM, Admin wrote:
> I am using lxc tools (0.7.4-0ubuntu7.1) on an ubuntu natty kernel 2.6.38-11-server, running several lucid containers with iptables rules inside.
>
> Sometimes (quite difficult to reproduce), stopping the container makes the host kernel crash:
>
>     # lxc-stop -n lucid
>     [system hangs]
>
> Oct 14 16:12:07 lab2 kernel: [ 1629.627196] br0: port 2(vethlucid1) entering forwarding state
> Oct 14 16:12:07 lab2 kernel: [ 1629.781408] br0: port 2(vethlucid1) entering disabled state
> Oct 14 16:12:09 lab2 kernel: [ 1629.839799] [ cut here ]
> Oct 14 16:12:09 lab2 kernel: [ 1629.840899] kernel BUG at /build/buildd/linux-2.6.38/net/netfilter/xt_recent.c:610!
> Oct 14 16:12:09 lab2 kernel: [ 1629.873678] invalid opcode: [#1] SMP
> Oct 14 16:12:09 lab2 kernel: [ 1629.905346] last sysfs file: /sys/devices/system/cpu/cpu7/cache/index2/shared_cpu_map
> Oct 14 16:12:09 lab2 kernel: [ 1629.969152] CPU 7
> Oct 14 16:12:09 lab2 kernel: [ 1629.969615] Modules linked in: xt_multiport xt_recent ipt_LOG xt_limit xt_state xt_tcpudp iptable_mangle iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_raw iptable_filter ip_tables x_tables veth mptctl vesafb bridge stp lp i7core_edac ghes edac_core hed psmouse ioatdma serio_raw joydev parport dca raid10 raid456 async_pq async_xor xor async_memcpy async_raid6_recov usbhid hid mptsas mptscsih ahci mptbase libahci raid6_pq async_tx scsi_transport_sas raid1 raid0 multipath e1000e linear btrfs floppy zlib_deflate libcrc32c
> Oct 14 16:12:09 lab2 kernel: [ 1630.240144]
> Oct 14 16:12:09 lab2 kernel: [ 1630.275030] Pid: 230, comm: kworker/u:5 Not tainted 2.6.38-11-server #50-Ubuntu Supermicro X8STi/X8STi
> Oct 14 16:12:09 lab2 kernel: [ 1630.347107] RIP: 0010:[a02e98dd] [a02e98dd] recent_net_exit+0x3d/0x40 [xt_recent]
>
> For information, I have iptables rules running inside my containers and they use the netfilter recent module that seems to play a role in the kernel panic. I will try disabling recent rules inside containers to see if the problem disappears.
>
> If someone has an idea how to fix it.
>
> Another question: anybody implementing iptables inside containers who could give me advice on configuring a LOG chain or rsyslog inside the container to isolate iptables kernel log messages from the hypervisor?
>
> Regards
> Tony OGER
> --
> LibrA-LinuX

Sounds like: https://bugs.launchpad.net/ubuntu/+source/linux-lts-backport-natty/+bug/843892

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Ubuntu /etc/init.d/xinetd kills container's xinetd
On 10/06/2011 12:49 PM, Stéphane Graber wrote:
> On 10/06/2011 12:51 AM, Daniel Baumann wrote:
> > On 10/06/2011 03:48 AM, Stéphane Graber wrote:
> > > though a good part of that will probably have to happen in Debian
> >
> > which is why the bug should be filed in debian in the first place: http://www.debian.org/Bugs/Reporting
>
> The reason I pointed him to Launchpad rather than Debian for xinetd is because the xinetd version number in Ubuntu suggests Ubuntu-specific changes. In such case it's usually good practice to file it against Ubuntu so that we can determine if the bug comes from us or Debian and then forward to Debian if it comes from there.
>
> In the past we had quite a few complaints from Debian developers when Ubuntu users would file a bug for a package with a -ubuntuX version number indicating changes done in Ubuntu.

Just sending a reply to this e-mail to ask for testing of the fix uploaded to:

- lucid-proposed
- maverick-proposed
- natty-proposed
- oneiric-proposed

I'd appreciate it if Ubuntu users using one of the above could test the package from -proposed and comment in bug: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/600941

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] /proc/process id/ns is not found
On 11/03/2011 04:08 PM, Dong-In David Kang wrote:
> Hello,
>
> I'm trying to use lxc-attach. The kernel I'm running is 2.6.38.8. I'm using lxc-0.7.5. When I run lxc-attach it tries to open /proc/<process id>/ns/..., but I cannot find it. Did I configure the Linux kernel in a wrong way? I could run an lxc instance. But I cannot use lxc-attach at the host.
>
> Any help?
>
> Thanks,
> David.

lxc-attach requires a kernel patch to add the pid namespace to the process. So unless you're running a patched kernel, you won't be able to use lxc-attach at this time.

I think the most up to date version of that patch is at: http://git.kernel.org/?p=linux/kernel/git/ebiederm/linux-namespace-control-devel.git;a=summary

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] mknod after instance creation?
On 11/05/2011 11:51 AM, Gordon Henderson wrote:
> On Sat, 5 Nov 2011, Daniel Lezcano wrote:
> > On 11/05/2011 12:06 AM, Dong-In David Kang wrote:
> > > Hi,
> > >
> > > Is it possible to do mknod after creation of an LXC instance? I need to do mknod not only at bootup time, but also at run-time. This is needed when I want to dynamically add devices to an LXC instance. Is it possible? If it is, how can I do it? I've seen the case of mknod at bootup time of an LXC instance. But, I haven't seen the usage of mknod at run-time after boot-up. Is it the limitation of LXC?
> >
> > Just comment out the lxc.cgroup.devices.* lines in the configuration file.
>
> Yup - same issue I had a few days ago. However it also helped me yesterday too when I had been given a vmware instance to extract some data from - I managed to unpack it into a regular filesystem, then on a whim, I decided to run it up under LXC - it kicked off udev which mknods, so letting it do that made it work OK - actually work very OK after I tweaked a few things in the startup scripts to stop it grabbing the console, so much so that the people I was doing it for want to keep it going for a while rather than extract the data and import it into their new system - it turned out to be an FC11 image - my host is Debian!
>
> Gordon

You may want to apply the change I submitted to lxc-devel a few days ago:

---
templates/lxc-ubuntu.in |5 -
1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 4f44b03..2be8680 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,9 +179,12 @@ lxc.pts = 1024 lxc.rootfs = $rootfs lxc.mount = $path/fstab lxc.arch = $arch - -lxc.cap.drop = sys_module mac_override mac_admin +lxc.cap.drop = sys_module lxc.cgroup.devices.deny = a +# Allow any mknod (but not using the node) +lxc.cgroup.devices.allow = c *:* m +lxc.cgroup.devices.allow = b *:* m # /dev/null and zero lxc.cgroup.devices.allow = c 1:3 rwm lxc.cgroup.devices.allow = c 1:5 rwm - -- 1.7.7

This will allow any mknod to succeed but won't grant access to the created devices unless whitelisted. This should solve most of the runtime issues I noticed (upgrading udev being one of them).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
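Review bot: the hunk changes two things while the description covers only one: besides adding the `c *:* m` and `b *:* m` mknod-only allow rules, it rewrites `lxc.cap.drop = sys_module mac_override mac_admin` to `lxc.cap.drop = sys_module`, so the template stops dropping mac_override and mac_admin, which relaxes the container's MAC (AppArmor/SMACK) restrictions and is unrelated to the mknod problem. Split that into its own commit with its own rationale, or keep the two capabilities in the new line. The devices part is sound: `m` grants only mknod, and read or write access still requires the explicit `rwm` whitelist entries that follow, so udev can create nodes without gaining access to the host's devices.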
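An added example, not code from the thread or from the lxc-ubuntu template, serving both the "security question" thread above and this patch: it audits a container config for the sys_module and sys_admin capability drops, and evaluates the lxc.cgroup.devices.deny/allow whitelist the way the devices cgroup does, so one can confirm that `c *:* m` permits mknod without granting read or write access. The sample config it writes is constructed here in the shape the patched template produces, and the "deny a" plus allow-entry processing is a deliberate simplification of the cgroup's semantics.

```shell
#!/bin/sh
# Added example, not code from the thread or from the lxc-ubuntu template.
# It audits a container config for the two points raised on this list:
#  - caps_missing: sys_module and sys_admin must appear in lxc.cap.drop
#    (the "security question" thread);
#  - dev_allowed: evaluates the lxc.cgroup.devices.deny/allow whitelist the
#    way the devices cgroup does, to confirm that "c *:* m" permits mknod
#    without granting read/write access (the patch above).
# write_sample_conf produces a constructed config in the patched template's shape.

# caps_missing CONF -> prints each required capability that is not dropped,
# one per line; returns 0 when nothing is missing, 1 otherwise.
caps_missing() {
    dropped=$(sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$1" | tr '\n' ' ')
    missing=0
    for cap in sys_module sys_admin; do
        case " $dropped " in
            *" $cap "*) ;;
            *) echo "$cap"; missing=1 ;;
        esac
    done
    return $missing
}

# dev_allowed CONF TYPE MAJOR MINOR ACCESS -> returns 0 when the whitelist
# built from CONF permits ACCESS (a subset of "rwm") on the device, else 1.
# Lines are applied in file order, as lxc-start does: "deny a" empties the
# whitelist and each "allow T MAJ:MIN ACC" adds an entry ("allow a" means
# everything). Other deny forms are not modelled here (simplification).
dev_allowed() {
    awk -v T="$2" -v MAJ="$3" -v MIN="$4" -v ACC="$5" '
        /^ *lxc\.cgroup\.devices\.deny *=/ {
            sub(/^[^=]*= */, "")
            if ($1 == "a") n = 0
            next
        }
        /^ *lxc\.cgroup\.devices\.allow *=/ {
            sub(/^[^=]*= */, "")
            if ($1 == "a") { $2 = "*:*"; $3 = "rwm" }
            split($2, mm, ":")
            n++; et[n] = $1; emaj[n] = mm[1]; emin[n] = mm[2]; eacc[n] = $3
            next
        }
        END {
            for (i = 1; i <= n; i++) {
                if (et[i] != "a" && et[i] != T) continue
                if (emaj[i] != "*" && emaj[i] != MAJ) continue
                if (emin[i] != "*" && emin[i] != MIN) continue
                # every requested access letter must be granted by the entry
                ok = 1
                for (j = 1; j <= length(ACC); j++)
                    if (index(eacc[i], substr(ACC, j, 1)) == 0) ok = 0
                if (ok) exit 0
            }
            exit 1
        }
    ' "$1"
}

# write_sample_conf FILE -> constructed config fragment in the shape produced
# by the patched template; sys_admin is intentionally not dropped so that
# caps_missing has something to report.
write_sample_conf() {
    cat > "$1" <<'EOF'
lxc.cap.drop = sys_module
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
EOF
}

# Stand-alone use: report on the config given as the first argument.
if [ $# -eq 1 ]; then
    caps_missing "$1" | sed 's/^/not dropped: /'
    dev_allowed "$1" b 8 0 m && echo "mknod of b 8:0 allowed"
    dev_allowed "$1" b 8 0 rw && echo "read/write of b 8:0 allowed"
fi
```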
Re: [Lxc-users] [PATCH 1/1] ubuntu template: use -updates and -security
On 11/10/2011 04:42 PM, Serge E. Hallyn wrote:
> Particularly for LTS releases, which many people will want to use in their containers, it is not wise to not use release-security and release-updates. Furthermore the fix allowing ssh to allow the container to shut down is in lucid-updates only.
>
> With this patch, after debootstrapping a container, we add -updates and -security to sources.list and do an upgrade under chroot. Unfortunately we need to do this because debootstrap doesn't know how to.

As mentioned on IRC, I think it'd be worth making sure no daemon will start when running dist-upgrade. This is usually done using:

    (cat <<EOF
    #!/bin/sh
    exit 101
    EOF
    ) > /usr/sbin/policy-rc.d
    chmod +x /usr/sbin/policy-rc.d

Then removing it once the dist-upgrade is done.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
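An added example, not code from the thread or from the lxc-ubuntu template: the policy-rc.d trick above wrapped so that the file is removed again whatever happens to the chrooted dist-upgrade, including a failure or an interrupt. The functions take the container rootfs as their first argument; the chroot invocation in the closing comment is the assumed use, and the checks run against a temporary directory with a plain command because a real chroot needs root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the lxc-ubuntu template.
# The policy-rc.d trick suggested above, wrapped so that the file is removed
# again whatever happens to the chrooted dist-upgrade (failure or interrupt).
# All functions take the container ROOTFS as first argument.

# install_policy_rc_d ROOTFS -> invoke-rc.d inside ROOTFS consults
# /usr/sbin/policy-rc.d; exit status 101 tells it not to start any service.
install_policy_rc_d() {
    mkdir -p "$1/usr/sbin"
    cat > "$1/usr/sbin/policy-rc.d" <<'EOF'
#!/bin/sh
exit 101
EOF
    chmod +x "$1/usr/sbin/policy-rc.d"
}

# remove_policy_rc_d ROOTFS -> undo install_policy_rc_d
remove_policy_rc_d() {
    rm -f "$1/usr/sbin/policy-rc.d"
}

# policy_status ROOTFS -> prints the exit status invoke-rc.d would get from
# the policy file, or "absent" when there is none. The file is run through
# sh so the check also works on a noexec temporary directory.
policy_status() {
    if [ -x "$1/usr/sbin/policy-rc.d" ]; then
        sh "$1/usr/sbin/policy-rc.d" && st=0 || st=$?
        echo "$st"
    else
        echo absent
    fi
}

# with_no_daemons ROOTFS CMD [ARG...] -> runs CMD with the policy in place,
# removes the policy afterwards even if CMD fails or the script is
# interrupted, and returns CMD's exit status.
with_no_daemons() {
    rootfs=$1; shift
    install_policy_rc_d "$rootfs"
    # Clean up on Ctrl-C / kill as well; the trap is dropped again below
    # (assumes no outer trap on these signals: a simplification).
    trap 'remove_policy_rc_d "$rootfs"; exit 130' INT TERM HUP
    "$@" && status=0 || status=$?
    trap - INT TERM HUP
    remove_policy_rc_d "$rootfs"
    return $status
}

# Stand-alone use (needs root), matching the template step under discussion;
# NAME is a placeholder for the container name:
#   with_no_daemons /var/lib/lxc/NAME/rootfs \
#       chroot /var/lib/lxc/NAME/rootfs apt-get -y dist-upgrade
```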
Re: [Lxc-users] Can not write log, openpty() failed
On 01/26/2012 10:08 AM, Serge Hallyn wrote:
> Quoting christian mueller (christian.muell...@gmx.de):
>> Hi Serge,
>>
>>> For now, I recommend you do it the old fashioned way: either symlink or bind mount /home/chm/lxc to /var/lib/lxc:
>>>
>>> rm -rf /var/lib/lxc
>>> mkdir -p /home/chm/lxc
>>> ln -s /home/chm/lxc /var/lib/lxc
>>>
>>> Now just do lxc-create -f lxc.conf -n p1 -t ubuntu and the container will sit in your homedir.
>>
>> this works - thank you.
>>
>> Question: How long does it usually take until you get your prompt after executing lxc-create? Here it takes several minutes - feels like it takes longer than booting on physical hardware.
>
> It should be fast - a few seconds. If it takes longer, please file a bug with 'ubuntu-bug lxc'. Stephane suggested that when he has seen slow boots it's been due to dhcp, in particular (one time) due to virbr0 having stp on. We'll likely have to either find the problem in your network setup, or else switching to static network setup should work around it regardless.
>
> -serge

Right. Can you post the result of brctl show?

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Ubuntu 12.04 linux-container package and init modifications
On 03/06/2012 11:03 PM, Fajar A. Nugraha wrote:
> On Wed, Mar 7, 2012 at 10:45 AM, Serge Hallyn <serge.hal...@canonical.com> wrote:
>> Quoting Fajar A. Nugraha (l...@fajar.net):
>>> # cat /etc/init/lxc-lo.conf
>>> start on startup
>>> env container
>>>
>>> pre-start script
>>>     if [ x$container != xlxc -a x$container != xlibvirt ]; then stop; fi
>>>     initctl start network-interface INTERFACE=lo
>>>     exit 0;
>>> end script
>>>
>>> So now the modifications (both from lxcguest and my local addition) are all new .conf files, which would be ignored if it's not started in an lxc environment. Might try 12.04 container later.
>>
>> If your guest is up to date 12.04, you should have /etc/init/network-interface-container.conf from the ifupdown package which emits that signal for you. You shouldn't need your own lxc-lo.conf any more.
>
> What is Canonical's plan for older guests? Will network-interface-container.conf be backported to lxc-guest, or will manual configuration still be necessary?

Starting in 12.04 we did the necessary changes to upstart, udev, mountall, ifupdown, ... to be container aware. For older releases our template still installs lxcguest that does a similar job though a bit more hackish :)

As Serge said, if anything doesn't start for you with a clean 12.04 container running on 12.04, it's a bug and we want to fix it. My goal for 12.04 was to make a perfectly clean and standard Ubuntu system work in a container without any change whatsoever and I think we achieved this:
http://www.stgraber.org/2012/03/04/booting-an-ubuntu-12-04-virtual-machine-in-an-lxc-container/

If you're writing custom upstart jobs or other scripts, you may be interested in the new events and tools we introduced on all Ubuntu systems since 12.04:
- The upstart container event giving you CONTAINER=technology
- The upstart not-container event
- /bin/running-in-container that will exit 0 in a container and exit 1 otherwise; if it exits 0 it'll also print the technology.

I added code to upstart to detect (referred to above as technology):
- lxc
- lxc-libvirt
- openvz
- vserver

Though we only really support lxc and lxc-libvirt, the rest is best effort and we expect people to give us patches or access to a machine.

This means the upstart job below is now possible:

start on container CONTAINER=lxc
exec /usr/sbin/my-lxc-monitoring-service

I hope this helped explain what we're doing in 12.04. I'm planning on a generic "what's new in LXC for 12.04" blog post in the next few days, once we've turned apparmor back on and have somewhat secure containers again (hopefully later today).

Again, please try an up to date Ubuntu 12.04 system and report any bug that you see, we're trying to closely look at LXC bugs and fix them as soon as possible.

Cheers

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Upgrade distribution
On 03/07/2012 04:20 AM, Miroslav Lednicky wrote:
> Hello,
>
> I have a question about LXC in Ubuntu. Is it possible to upgrade the system inside LXC? From 10.04 to 12.04 for example. Did somebody try it?
>
> Best regards, Miroslav.

It's possible but I wouldn't recommend it until 12.04. In my experience upgrading will at least require you to umount /lib/init/fstab and tty[1234] and console in /dev, otherwise udev, mountall and a few others will fail to upgrade.

We fixed all this in 12.04 so that a 12.04 to 12.10 upgrade will work just fine, sadly these required substantial changes to upstart, mountall, udev and lxc itself that are too risky to backport to older releases.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Upgrade distribution
On 03/08/2012 02:27 AM, Papp Tamas wrote:
> On 03/07/2012 07:18 PM, Stéphane Graber wrote:
>> It's possible but I wouldn't recommend it until 12.04. In my experience upgrading will at least require you to umount /lib/init/fstab and tty[1234] and console in /dev, otherwise udev, mountall and a few others will fail to upgrade.
>
> I tried it multiple times, lucid -> ... -> oneiric was almost OK, but of course I made some fixes by hand.
>
>> We fixed all this in 12.04 so that a 12.04 to 12.10 upgrade will work just fine, sadly these required substantial changes to upstart, mountall, udev and lxc itself that are too risky to backport to older releases.
>
> Actually udev update is still not working with 12.04 when a new package arrives.
>
> tamas

That's most likely because you're not using a clean template and so are missing a bit from your container config:

lxc.devttydir = lxc

With this one, all the console files will be in /dev/lxc/* and so udev upgrade will work fine, well, we've seen a few bugs with apparmor blocking the udev upgrade but apparmor is currently off and the new apparmor will fix that. If you're hit by the apparmor issue, running the upgrade a second time works fine.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] loop mount inside container
On 06/05/2012 02:58 PM, Marc Aymerich wrote:
> Dear all,
> I'm trying to mount an image file inside a container but it complains about write permissions: (vct: container, bestia: hw node)
>
> root@vct:/dev# mount -o loop /root/server_bootable.img /mnt/
> mount: block device /root/server_bootable.img is write-protected, mounting read-only
> mount: cannot mount block device /dev/loop1 read-only
>
> root@vct:/# ls -al /dev/loop*
> crw------- 1 root root 10, 237 Jun  4 14:52 /dev/loop-control
> brw-rw---- 1 root disk  7,   0 Apr 26 17:10 /dev/loop0
> brw-rw---- 1 root disk  7,   1 Apr 26 17:10 /dev/loop1
> brw-rw---- 1 root disk  7,   2 Apr 26 17:10 /dev/loop2
> brw-rw---- 1 root disk  7,   3 Apr 26 17:10 /dev/loop3
> brw-rw---- 1 root disk  7,   4 Apr 26 17:10 /dev/loop4
> brw-rw---- 1 root disk  7,   5 Apr 26 17:10 /dev/loop5
> brw-rw---- 1 root disk  7,   6 Apr 26 17:10 /dev/loop6
> brw-rw---- 1 root disk  7,   7 Apr 26 17:10 /dev/loop7
>
> Write permissions to /dev/loop1 are provided through the container config file
>
> lxc.cgroup.devices.allow = b 7:* rwm
> lxc.cgroup.devices.allow = c 10:237 rwm
>
> but in the end, I can't write to it:
>
> root@vct:/dev# echo '' > /dev/loop1
> -bash: echo: write error: Operation not permitted
>
> writing to other loop devices seems possible:
>
> root@vct:/dev# echo '' > /dev/loop2
> -bash: echo: write error: No space left on device
>
> I'm using ubuntu 10.04 with:
>
> root@vct:/# uname -r
> 3.2.0-23-generic
> root@bestia:/# lxc-version
> lxc version: 0.8.0-rc1
>
> Any idea about what the problem could be?
> Thank you very much!!

Ubuntu 10.04?? Based on your kernel and LXC version this sounds more like 12.04, so I'll give you the procedure for 12.04 :)

1) Copy /etc/apparmor.d/lxc/lxc-default to /etc/apparmor.d/lxc/lxc-default-with-loops
2) Edit /etc/apparmor.d/lxc/lxc-default-with-loops
   - Rename lxc-container-default to lxc-container-default-with-loops
   - Add an entry: mount -> /mnt/, or one matching the source node, fstype, ... depending on what exactly you want to allow
3) sudo /etc/init.d/apparmor reload
4) Edit your container's configuration and set lxc.aa_profile to lxc-container-default-with-loops
5) Restart your container

Alternatively, you could set lxc.aa_profile = unconfined which would turn off apparmor entirely for the container. It's to be noted that apparmor is what's currently preventing your container from doing damage to your host, so it's best practice to have the most restrictive profile possible, at least until we have user namespaces.

The mount -> /mnt/ entry I proposed above isn't exactly safe as it'll allow the user to mount anything under /mnt, including a proc filesystem (which you could then use to access stuff like sysrq_trigger that are usually blocked by apparmor). The safest would be something like:

mount fstype=ext3 /dev/loop0 -> /mnt/,

Assuming you can know all of these in advance.

Hope it helps!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] kernel.shmmax in LXC
On 06/08/2012 04:27 AM, Fajar A. Nugraha wrote:
> On Fri, Jun 8, 2012 at 2:58 PM, Daniel Lezcano <daniel.lezc...@free.fr> wrote:
>> On 06/07/2012 12:45 PM, Jan Den Ouden wrote:
>>> Hi,
>>> About a week ago I posted exactly the same question on this list, but I didn't get any responses. I have googled high and low for the answer to this, but no result. It's not related to capabilities, because you can only drop capabilities, not add them. It's not related to the cgroup memory controller, because that seems to deal with total memory, not shared memory. Therefore, I think it's a bug.
>>
>> I tried on a 3.0.0 kernel version and that works. Isn't it possible this is related to app armor ?
>
> Yep, that should be it, as testing with apparmor disabled the following works on a guest container in my test system
>
> # cat /proc/sys/kernel/shmmax
> 33554432
> # echo 335544320 > /proc/sys/kernel/shmmax
> # cat /proc/sys/kernel/shmmax
> 335544320
>
> However the apparmor problem might not seem obvious because there's no apparmor warning on syslog when you try to set shmmax with apparmor enabled. Also:
>
> (1) If you ONLY uncomment lxc.aa_profile=unconfined (with apparmor still enabled), lxc-start failed with
>     lxc-start: No such file or directory - failed to change apparmor profile to unconfined
> (2) If you ONLY add a /etc/apparmor.d/usr.bin.lxc-start symlink to /etc/apparmor.d/disable, you'd still get a permission denied error
> (3) If you ONLY disable apparmor entirely (/etc/init.d/apparmor teardown), lxc-start failed with
>     lxc-start: No such file or directory - failed to change apparmor profile to lxc-container-default
> (4) Combining (1) and (2), or (1) and (3), you can set shmmax from inside the guest container
>
> so there's probably still a bug (or more) in ubuntu's apparmor-lxc combo.

Please reboot your machine ;) the unconfined profile problem (giving you the "No such file or directory") was a kernel bug and was fixed a couple of weeks ago, letting me think you're running an out of date kernel.

As for shmmax, it's simply not whitelisted at the moment as it wasn't in the list of known-safe container aware proc entries, we probably should whitelist it (after doing some extra checking).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] kernel.shmmax in LXC
On 06/09/2012 06:38 AM, Fajar A. Nugraha wrote:
> On Fri, Jun 8, 2012 at 8:47 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
>> Please reboot your machine ;) the unconfined profile problem (giving you the "No such file or directory") was a kernel bug and was fixed a couple of weeks ago, letting me think you're running an out of date kernel.
>
> Probably. Although there's no "please restart to complete update" warning on my desktop. It's not really urgent for me though, so I'll just reboot later when possible. Thanks for letting me know that this is a fixed issue.
>
>> As for shmmax, it's simply not whitelisted at the moment as it wasn't in the list of known-safe container aware proc entries, we probably should whitelist it (after doing some extra checking).
>
> BTW, I thought that all blockings done by selinux would show up on syslog? Am I looking at the wrong place? If there were a warning on syslog, the OP would've probably been able to solve their problem by themselves earlier.

The default profile in 12.04 contains explicit deny rules that will silence the output to dmesg. Only entries that we don't know about and haven't explicitly blocked will be rejected and logged in dmesg.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Ubuntu 12.04: initscripts.postinst
On 06/15/2012 09:10 AM, Papp Tamas wrote:
> hi All,
>
> I upgraded the initscripts package:
>
> # apt-get install initscripts
> Reading package lists... Done
> Building dependency tree... Done
> Recommended packages:
>   psmisc
> The following packages will be upgraded:
>   initscripts
> 1 upgraded, 0 newly installed, 0 to remove and 46 not upgraded.
> Need to get 27.8 kB of archives.
> After this operation, 1024 B of additional disk space will be used.
> Get:1 http://archive.ubuntu.com/ubuntu/ precise/main initscripts amd64 2.88dsf-13.10ubuntu11 [27.8 kB]
> Fetched 27.8 kB in 0s (1166 kB/s)
> (Reading database ... 11725 files and directories currently installed.)
> Preparing to replace initscripts 2.88dsf-13.10ubuntu10 (using .../initscripts_2.88dsf-13.10ubuntu11_amd64.deb) ...
> Unpacking replacement initscripts ...
> Processing triggers for ureadahead ...
> Setting up initscripts (2.88dsf-13.10ubuntu11) ...
> mount: block device /dev/shm is write-protected, mounting read-only
> mount: cannot mount block device /dev/shm read-only
> dpkg: error processing initscripts (--configure):
>  subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
>  initscripts
> E: Sub-process /usr/bin/dpkg returned an error code (1)
>
> If I change line #48:
> if mount -t $FSTYPE $SRC $DEST $OPTS ; then
> to
> if ! mount -t $FSTYPE $SRC $DEST $OPTS ; then
> It's OK. But of course that is not a usable solution. What would be the right one?
>
> Thank you,
> tamas

Hi,

The logic in initscripts postinst is indeed a bit broken, Serge has been looking at fixing it, not sure how far he got.

In the mean time, you should be able to work around it by essentially doing initscripts' job for it:
- rmdir /dev/shm
- ln -s /run/shm /dev/shm

Then run the upgrade and it should succeed.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
[Lxc-users] Test packages of liblxc and python3-lxc for Ubuntu 12.04 and 12.10
Hello,

Serge and I have been busy working on liblxc and its python binding. After some more work on these two, I finally was able to build test packages containing Serge's patchset and my python3-lxc work.

You can find the packages in: https://launchpad.net/~stgraber/+archive/experimental

All the usual LXC tools should be working as usual but you'll notice the addition of lxc-test-containertests and lxc-test-startone that can be used to test the new liblxc0 package.

As I mentioned, these packages also bundle a python 3.x module that directly uses the new liblxc0 package and lets you do things like: http://paste.ubuntu.com/1048114/

I'll be regularly updating these packages until we think both the liblxc API and the python-lxc API are good enough for upstream inclusion. No API stability is guaranteed at this time, I can actually guarantee you that we'll break it over the next few days ;)

Bugs, feedback and suggestions of missing features/calls are most welcome.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] [lxc-devel] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP
On 06/29/2012 11:41 AM, Serge Hallyn wrote: The following patch allows me to run lxc-execute -n p1 -- /bin/ls as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git. Thanks, Sam, for pointing this out. CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel actually supports. If the kernel supports fewer capabilities, then a cap_get_flag for an unsupported capability returns -EINVAL. Recognize that, and don't fail when initializing capabilities when this happens, rather accept that we've reached the last capability. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Reported-by: Sam Wang zhefw...@gmail.com --- src/lxc/caps.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/lxc/caps.c b/src/lxc/caps.c index 10a0b4a..c32e7e4 100644 --- a/src/lxc/caps.c +++ b/src/lxc/caps.c @@ -28,6 +28,7 @@ #include limits.h #include sys/prctl.h #include sys/capability.h +#include errno.h #include log.h @@ -90,6 +91,7 @@ int lxc_caps_up(void) cap_t caps; cap_value_t cap; int ret; + int lastcap = 0; /* when we are run as root, we don't want to play * with the capabilities */ 
@@ -108,9 +110,15 @@ int lxc_caps_up(void) ret = cap_get_flag(caps, cap, CAP_PERMITTED, flag); if (ret) { - ERROR(failed to cap_get_flag: %m); - goto out; + if (errno == EINVAL) { + INFO(Last supported cap was %d\n, cap-1); + break; + } else { + ERROR(failed to cap_get_flag: %m); + goto out; + } } + lastcap = cap; ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, cap, flag); if (ret) {

The idea of the change looks good, though you're defining a new lastcap variable that you then set but never actually seem to use as you're instead using cap-1 in the INFO() call. Am I just missing some context or is that indeed not used?

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
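Review bot: in the first hunk (`@@ -90,6 +91,7 @@`), `int lastcap = 0;` is declared and later assigned by `+ lastcap = cap;` in the second hunk, but nothing in the patch reads it; the only consumer of that information is `INFO(Last supported cap was %d\n, cap-1)`. Either drop the declaration and the assignment, or log `lastcap` instead of recomputing `cap-1`, so the two cannot drift apart.

Review bot: in the second hunk (`@@ -108,9 +110,15 @@`), the new `break` on `errno == EINVAL` leaves `ret` holding the non-zero value returned by the failed `cap_get_flag()`; whatever follows the loop should not treat that stale `ret` as an error, so either reset `ret = 0` before `break` or confirm the code after the loop only uses the return value of its own calls. On style, the `INFO(... %d\n, cap-1)` carries a trailing `\n` while the neighbouring `ERROR(failed to cap_get_flag: %m)` in the same hunk does not; drop it unless the logging macro needs it.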
Re: [Lxc-users] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP (v2)
On 06/29/2012 12:14 PM, Serge Hallyn wrote:
CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel actually supports. If the kernel supports fewer capabilities, then a cap_get_flag for an unsupported capability returns -EINVAL. Recognize that, and don't fail when initializing capabilities when this happens, rather accept that we've reached the last capability.

Changelog: remove unused lastcap variable (thanks stgraber)

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
--- src/lxc/caps.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/lxc/caps.c b/src/lxc/caps.c index 10a0b4a..94c134d 100644 --- a/src/lxc/caps.c +++ b/src/lxc/caps.c @@ -28,6 +28,7 @@ #include limits.h #include sys/prctl.h #include sys/capability.h +#include errno.h #include log.h @@ -108,8 +109,13 @@ int lxc_caps_up(void) ret = cap_get_flag(caps, cap, CAP_PERMITTED, flag); if (ret) { - ERROR(failed to cap_get_flag: %m); - goto out; + if (errno == EINVAL) { + INFO(Last supported cap was %d\n, cap-1); + break; + } else { + ERROR(failed to cap_get_flag: %m); + goto out; + } } ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, cap, flag);

Acked-by: Stéphane Graber stgra...@ubuntu.com

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
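Review bot: in the `@@ -108,8 +109,13 @@` hunk, `break` is taken with `ret` still set to the non-zero result of the failed `cap_get_flag()`, so any code after the loop that returns or tests `ret` would report failure for a kernel that merely exposes fewer capabilities than CAP_LAST_CAP; set `ret = 0` before the `break` (or make the post-loop path independent of it). The trailing `\n` in `INFO(Last supported cap was %d\n, cap-1)` also differs from the adjacent `ERROR(failed to cap_get_flag: %m)` calls in the same hunk, which carry none.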
Re: [Lxc-users] container hostname not visible to host, ubuntu 12.04
On 07/06/2012 04:09 AM, Ben Butler-Cole wrote:
> [back on-list]
>
> On 6 July 2012 08:59, Li, Zeyang <a.bankn...@gmail.com> wrote:
>>> I also see that you seem to be running the LXC network inside the guest as well as on the host (it too has an lxcbr0 bridge network). Is this intentional?
>>
>> This is not intentional, but I don't remember ever setting it up so frankly I don't know why it showed. Does it have any adverse effect?
>
> I think it will appear automatically if you have installed the lxc package on the guest (which should not be necessary unless you are trying to nest containers). I don't know of any adverse effect, but I don't have a good understanding of networking.
>
> -Ben

Well, it's actually creating a relatively big mess :)

When you have lxcbr0 on both your host and your container, you'll have the following case:
- host lxcbr0: 10.0.3.1/24
- container eth0: 10.0.3.X/24
- container lxcbr0: 10.0.3.1/24

So when you're pinging 10.0.3.1 from the container, you're not pinging the host at all, you're pinging the container on its lxcbr0 interface. In short, installing lxc in the container will in most cases cut you off from the outside world completely.

You have a few ways of fixing this:
- If you want to use lxcbr0 in that container, then edit /etc/default/lxc in the container to change the subnet to something else than 10.0.3.0/24, then reboot your container.
- If you don't want lxcbr0 in the container, also edit /etc/default/lxc in the container and set USE_LXC_BRIDGE to false, then reboot the container.

After that, all should be back to normal.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] container hostname not visible to host, ubuntu 12.04
On 07/06/2012 11:18 AM, Li, Zeyang wrote: That fixed my problem. million thanks :D Btw, is there a way to have lxc.init while not installing the full lxc package? Is lxc.init the only thing I need in the container to have lxc-execute working? Zeyang That's correct, you only need lxc-init. There's no easy way to only install lxc-init though. I supposed you could try to copy lxc-init and liblxc.so.0 to the container without actually installing the package. On Fri, Jul 6, 2012 at 9:48 PM, Stéphane Graber stgra...@ubuntu.com wrote: On 07/06/2012 04:09 AM, Ben Butler-Cole wrote: [back on-list] On 6 July 2012 08:59, Li, Zeyang a.bankn...@gmail.com mailto:a.bankn...@gmail.com wrote: I also see that you seem to be running the LXC network inside the guest as well as on the host (it too has an lxcbr0 bridge network). Is this intentional? This is not intentional, but I don't remember ever setting it up so frankly I don't know why it showed. It does have any adverse effect? I think it will appear automatically if you have installed the lxc package on the guest (which should not be necessary unless you are trying to nest containers). I don't know of any adverse effect, but I don't have a good understanding of networking. -Ben Well, it's actually creating a relatively big mess :) When you have lxcbr0 on both your host and your container, you'll have the following case: - host lxcbr0: 10.0.3.1/24 - container eth0: 10.0.3.X/24 - container lxcbr0: 10.0.3.1/24 So when you're pining 10.0.3.1 from the container, you're not pinging the host at all, you're pinging the container on its lxcbr0 interface. In short, installing lxc in the container will in most cases cut you from the outside world completely. You have a few ways of fixing this: - If you want to use lxcbr0 in that container, then edit /etc/default/lxc in the container to change the subnet to something else than 10.0.3.0/24, then reboot your container. 
- If you don't want lxcbr0 in the container, also edit /etc/default/lxc in the container and set USE_LXC_BRIDGE to false, then reboot the container.

After that, all should be back to normal.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
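The subnet collision described in this reply can be caught mechanically rather than by noticing that pings go to the wrong box. The following is an added example, not code from this thread or from the lxc project: it parses the one-line output of `ip -o -4 addr show` as run inside the container and reports every pair of interfaces whose IPv4 subnets overlap. The sample output is constructed, and `check_live()` assumes iproute2's `ip` is installed.

```python
"""Report interfaces whose IPv4 subnets overlap, e.g. a container-side
lxcbr0 that claims the same 10.0.3.0/24 its eth0 already lives on."""
import ipaddress
import subprocess
from itertools import combinations

# Constructed sample of `ip -o -4 addr show` as seen inside a container that
# has the lxc package (and therefore its own lxcbr0) installed.
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.3.57/24 brd 10.0.3.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: lxcbr0    inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0\\       valid_lft forever preferred_lft forever
"""


def parse_ip_addr(output):
    """Turn `ip -o -4 addr show` text into a list of (ifname, IPv4Interface).

    In one-line (-o) mode each record starts "<idx>: <ifname> inet <addr/prefix>".
    """
    interfaces = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet":
            continue
        interfaces.append((fields[1], ipaddress.ip_interface(fields[3])))
    return interfaces


def find_overlaps(interfaces, ignore=("lo",)):
    """Return [(ifname_a, ifname_b)] for every pair whose subnets overlap.

    Two interfaces on the same prefix give the kernel two connected routes for
    it, so traffic for that prefix can leave through the wrong one: exactly the
    "pinging 10.0.3.1 reaches the container's own lxcbr0" case.
    """
    overlaps = []
    for (name_a, iface_a), (name_b, iface_b) in combinations(interfaces, 2):
        if name_a in ignore or name_b in ignore:
            continue
        if iface_a.network.overlaps(iface_b.network):
            overlaps.append((name_a, name_b))
    return overlaps


def check_live():
    """Run the check on the current system (assumes iproute2's `ip` is present)."""
    output = subprocess.check_output(["ip", "-o", "-4", "addr", "show"]).decode()
    return find_overlaps(parse_ip_addr(output))


if __name__ == "__main__":
    for name_a, name_b in find_overlaps(parse_ip_addr(SAMPLE_IP_ADDR_OUTPUT)):
        print("subnet overlap between %s and %s" % (name_a, name_b))
```

Run inside the container, a non-empty result from `check_live()` is the signal to either change the lxcbr0 subnet in /etc/default/lxc or set USE_LXC_BRIDGE to false, as the reply suggests.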
Re: [Lxc-users] container hostname not visible to host, ubuntu 12.04
On 07/06/2012 12:01 PM, Serge Hallyn wrote:
Quoting Stéphane Graber (stgra...@ubuntu.com):
On 07/06/2012 11:18 AM, Li, Zeyang wrote:

That fixed my problem. Million thanks :D Btw, is there a way to have lxc.init while not installing the full lxc package? Is lxc.init the only thing I need in the container to have lxc-execute working?

Zeyang

That's correct, you only need lxc-init. There's no easy way to only install lxc-init though. I suppose you could try to copy lxc-init and liblxc.so.0 to the container without actually installing the package.

Perhaps we should have lxc package providing configuration stuff, lxc-init package providing lxc-init, and both depending on liblxc package, which provides liblxc.so (with all the api and templates).

I suppose it'd actually be enough to just move lxc-init to liblxc0, then you'd only need to install liblxc0 in the container for lxc-execute to work. Where to put the templates is an interesting question, I think properly splitting to different packages will be tricky at the beginning, so I'd propose we initially go for the very simple:
- lxc (arch: any, contains all the lxc-* commands, init scripts, templates, apparmor profiles, ...)
- liblxc0 (arch: any, multi-arch, contains liblxc0 and lxc-init)
- liblxc-dev (arch: all, contains the headers)
- python3-lxc (arch: any, python module and python wrapper)

lxc depends on liblxc0 (and may depend on python3-lxc at some point)
python3-lxc depends on liblxc0 and recommends lxc
liblxc0 recommends lxc
liblxc-dev depends on liblxc0

That'd allow someone to use:

    apt-get install --no-install-recommends liblxc0

And only get liblxc0 + lxc-init in a container.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] container hostname not visible to host, ubuntu 12.04
On 07/06/2012 12:42 PM, Ben Butler-Cole wrote:
On 6 July 2012 17:13, Stéphane Graber stgra...@ubuntu.com wrote:

- python3-lxc (arch: any, python module and python wrapper)

Should I understand that there are (or will be) Python bindings for lxc?

-Ben

There will be. Serge and I are currently working on liblxc0 and python3-lxc. Test packages are available in: https://launchpad.net/~stgraber/+archive/experimental

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] multiple IP-addresses
On 07/09/2012 10:43 AM, Matthias P. Würfl wrote:

Hello!

I have a new container set up (precise on precise) and it works well. Network configuration is:

    lxc.network.type=veth
    lxc.network.link=br0
    lxc.network.flags=up
    lxc.network.hwaddr = [...]:ed:d8
    lxc.network.ipv4 = 84.16.228.72/32

If I add a second IP address:

    lxc.network.type=veth
    lxc.network.link=br0
    lxc.network.flags=up
    lxc.network.hwaddr = [...]:ed:d9
    lxc.network.ipv4 = 84.16.228.75/32

...I can see this in the container (ifconfig) as eth1, but I cannot ping the container from the outside using this IP address. I think I need to add a route, as the output of route shows nothing for eth1. What's the recommended way to get this working?

Matthias

This isn't LXC specific, what's happening in your case is that you're contacting eth1 but getting a reply from eth0 as that's where your default route is. To support a scenario like this one, you'll typically need some basic source based routing rules. Try the following:

    ip route add default dev eth1 table 100
    ip rule add pref 100 from 84.16.228.75 table 100

I'm also a bit surprised that using a /32 works well but I'm assuming you have some routes to make that all work.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] lxcbr0 on Ubuntu 12.04
On 07/13/2012 03:36 AM, groupie wrote:

Hi all!

I tried to figure out a glitch with the bridge interface in precise. It's a fresh desktop install and after booting the machine, lxcbr0 never exists. I open a terminal and do "sudo service lxc restart" and woop, without errors, it just comes up. Two more details: I don't have any containers in auto, I start them as needed. And there is a named running for local dns resolution on all virtual networks (using kde and vmware on the same machine). Any ideas where to tweak?

Cheers,
Your groupie

You'll probably want to check /var/log/upstart/lxc* for errors.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] lxcbr0 on Ubuntu 12.04
On 07/14/2012 09:48 AM, Serge Hallyn wrote:
Quoting Clemens Perz (cp...@gmx.net):
On 13.07.2012 17:08, Stéphane Graber wrote:
On 07/13/2012 03:36 AM, groupie wrote:

Hi all!

I tried to figure out a glitch with the bridge interface in precise. It's a fresh desktop install and after booting the machine, lxcbr0 never exists. I open a terminal and do "sudo service lxc restart" and woop, without errors, it just comes up. Two more details: I don't have any containers in auto, I start them as needed. And there is a named running for local dns resolution on all virtual networks (using kde and vmware on the same machine). Any ideas where to tweak?

Cheers,
Your groupie

You'll probably want to check /var/log/upstart/lxc* for errors.

That contained a hint indeed:

    dnsmasq: failed to create listening socket for 192.168.122.1: Address already in use

A look into lxc-net.conf shows that it buggers out when it can't start dnsmasq and removes the bridge completely. So at start time named is some milliseconds faster to acquire the bridge interface and makes dnsmasq fail. Bridge removed, named kicked in the ass. So you do a restart later everything works fine.

I just added USE_LXC_DNSMASQ=false to the lxc defaults and the corresponding if statement to lxc-net.conf. Works now even on boot time.

Cheers,
Groupie

Note that the fix for this (installing an /etc/dnsmasq.d/lxc file which makes the system-wide dnsmasq bind-interfaces except lxcbr0) should be clearing SRU soon. (I thought it already had)

-serge

It did. It was part of the last batch (0.7.5-3ubuntu59).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Alternative network protocols
On 07/16/2012 09:24 PM, Joe Stringer wrote:

Hi there,

I've come across an issue when trying to use SCTP with lxc, and I wonder if anyone might have some insight into what's causing this.

My set up has two lxc hosts connected to an instance of Open vSwitch, vm0 and vm1. When I attempt to use the sctp_test utility that comes with the debian package lksctp-tools from within either VM, it reports back that the address family is not supported:

    root@vm0:~# sctp_test -H 0 -P 250 -l
    local:addr=0.0.0.0, port=250, family=2
    seed = 1342081047
    Starting tests...
    socket(SOCK_SEQPACKET, IPPROTO_SCTP)
    *** socket: failed to create socket: Address family not supported by protocol ***

The interfaces appear to be set up fine, I can ping from one vm to the other with no trouble. The host can successfully run the above command as well. Is this because of socket using SOCK_SEQPACKET?

Cheers,
Joe

It's not easy to tell whether it's the case here, but some protocols require extra kernel modules to work properly. On a regular system these modules are loaded dynamically the first time you try to create a socket of that type, but in a container, it typically won't work.

If that's the case, check on a regular system what the modules are and load them on your host, then try again from the container.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Ephemeral Disk space
On 07/24/2012 12:30 PM, Serge Hallyn wrote:
Quoting Florian Motlik (flomot...@gmail.com):

Hey guys,

is there any way to increase the disk size you get when running lxc-start-ephemeral. By default I get only 450 MB, which leads to problems with some projects.

That's odd, overlayfs (and iirc aufs) doesn't impose such a limit. And I don't see it here. Do you see that output in 'df -h .'? Does either your /tmp or your /var/lib/lxc have a shortage of space?

IIRC tmpfs defaults to 50% of your memory, so I'm guessing you probably have just 1024MB of memory on that machine (with a bit of it assigned to the video card).

The amount is configurable when mounting tmpfs, though setting it to more than 50% can be quite dangerous.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] LXC, AppArmor, NFS, and Ubuntu 12.04
On 08/02/2012 11:59 AM, Nathan Fisher wrote:

Hi,

Previously using Ubuntu 11.10, upgraded to 12.04. Under 12.04, NFS shares no longer function due to AppArmor constraints on the mount command. What is the prescribed best practise to mount NFS shares within a Guest that will minimise maintenance with future Ubuntu updates for 12.04? I see three options at the moment;

1) Mount within the host.

That might not work because of the different mount namespaces.

2) Modify the AppArmor profile for lxc-containers (will this evolve within 12.04 LTS?)

That's certainly an option and we might be doing it by default as I don't think nfs is really dangerous to mount.

3) Disable AppArmor.

That's obviously a pretty bad idea :)

4) Add the line to /var/lib/lxc/container/fstab instead of /etc/fstab

This will get lxc to mount it for you when creating the container. At that point of the process, the apparmor profile shouldn't prevent it from happening (though I haven't tested it).

Are there any other options that I've missed? Option 2 is the most desirable as it means the guest is self-contained and *somewhat* transportable between a cluster of hosts.

Thanks!
Nathan
w: http://junctionbox.ca/

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Viewing a container's /proc mount from the host
On 12-09-06 04:55 PM, Ken Elkabany wrote:

Hi,

We're trying to find the ports that a container is currently listening on. This information is available from /proc/net/tcp and /proc/net/udp. However, as far as I can tell, the host cannot view a container's /proc mount due to namespacing. We would prefer to view those files from the host, rather than connecting to the container's tty, and viewing it from within the container. As an aside, we do not want to use port scanning.

Best,
Ken

The net entries can be accessed using /proc/<pid on host>/net/{udp|tcp}, no need to actually access the /proc of the container.

lxc-netstat -n <container> may also help you get what you want.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
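The reply's /proc/<pid on host>/net/tcp route gives an inventory of a container's listening ports without any scanning, but the file is in the kernel's raw hex format. The following is an added example, not code from this thread or from the lxc project, that decodes that format and keeps only the listening rows; the sample table is constructed, and `container_listeners()` assumes you already know the host-side pid of the container's init (which lxc-info can report, an assumption outside this thread).

```python
"""List a container's listening sockets from the host by parsing
/proc/<pid>/net/{tcp,udp}, where <pid> is the container's init as seen by
the host. This is the same table netstat reads, so no port scan is needed."""
import socket
import struct

# Constructed /proc/net/tcp sample: sshd on 0.0.0.0:22, a web server bound to
# 10.0.3.57:80, and one established connection to port 22 (not listening).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 3903000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12346 1 0000000000000000 100 0 0 10 0
   2: 3903000A:0016 0103000A:C35A 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A       # "st" column value of a listening TCP socket
UDP_UNCONNECTED = 0x07  # /proc/net/udp reports bound, unconnected sockets as TCP_CLOSE


def decode_addr(field):
    """Decode 'AABBCCDD:PPPP': the IPv4 address is printed as a 32-bit hex
    word in host byte order, the port as big-endian hex."""
    ip_hex, port_hex = field.split(":")
    # Pack with native byte order ("=") so the bytes come out in network order.
    ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text, wanted_state=TCP_LISTEN):
    """Return [(ip, port, uid, inode)] for every row in the wanted state.

    Columns: sl, local_address, rem_address, st, tx:rx, tr:when, retrnsmt,
    uid, timeout, inode, ...  The uid tells you which account owns the
    listener, the inode lets you map it back to a process via /proc/*/fd.
    """
    result = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        if int(fields[3], 16) != wanted_state:
            continue
        ip, port = decode_addr(fields[1])
        result.append((ip, port, int(fields[7]), int(fields[9])))
    return result


def container_listeners(init_pid, proto="tcp"):
    """Read the container's socket table through its init's /proc entry on the host."""
    state = TCP_LISTEN if proto == "tcp" else UDP_UNCONNECTED
    with open("/proc/%d/net/%s" % (init_pid, proto)) as fh:
        return listening_sockets(fh.read(), state)


if __name__ == "__main__":
    for ip, port, uid, inode in listening_sockets(SAMPLE_PROC_NET_TCP):
        print("LISTEN %s:%d uid=%d inode=%d" % (ip, port, uid, inode))
```

Because /proc/<pid>/net is the network namespace view of that pid, reading it through the container's init shows exactly the sockets the container sees, regardless of which pid inside the container owns them.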
[Lxc-users] lxc staging branch on github
Hello everyone,

As you probably noticed Serge and I have been trying to keep up with all the changes going to the lxc-users and lxc-devel mailing lists with some varying success.

For quite a while now Serge has been maintaining a separate git branch on github where he'd merge the changes that we're using in Ubuntu and then regularly ask Daniel to review the branch and merge into the master branch on sourceforge.

To try and make this all a bit more official, I took ownership of the lxc project on github at: https://github.com/lxc

We now have an lxc repository at: https://github.com/lxc/lxc

With the main branch being called staging and containing what used to be in Serge's tree. This should now make it pretty easy for contributors to branch and send over pull requests. We'll continue monitoring the mailing-lists and merging the changes proposed on there as soon as it seems we reached an agreement.

It'd be great if anyone who submitted changes on the mailing-list or through any other means could check that their changes are in the staging tree and if not, re-submit the change so we can include it.

@Daniel: Please let me know if you have a github account so I can add you to the project admins.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Ephemeral disk space redux: adding --overlaydir option to lxc-start-ephemeral?
On 12-09-05 07:02 PM, Dan Kegel wrote:
On Wed, Sep 5, 2012 at 3:25 PM, Dan Kegel d...@kegel.com wrote:

I see Florian asked this a few weeks ago:

So that's one more requirement discovered: I need lxc-start-ephemeral to support nontrivial amounts of disk storage, more than will fit in tmpfs. Maybe I'll add an argument --overlaydir PATH for where to store the files; if that's set, setup_container() will use that rather than doing

    OVERLAY_DIR=`mktemp -d /tmp/lxc-lp-XXX`
    sudo mount -t tmpfs none $OVERLAY_DIR

For safety, I would create a subdirectory inside the specified directory, and use that for $OVERLAY_DIR. That would let me clean up that directory before and after runs without worrying about accidentally destroying the host system if the user makes a typo.

Kinda like the attached patch. (It's a little dirty. I'll try to send a clean one once I've actually used it in production for a while.)

Hi Dan,

Sorry for not replying to this e-mail earlier.

I have now pushed lxc-start-ephemeral to the github staging branch as a python3 script using the new LXC API rather than as a shell script.

I'll add myself a todo item to port your change to the python version. Looking at it, it shouldn't be too difficult to do, though I'm not sure how that option should work when you have more than one overlayfs (when you have bind mount entries in the source container's fstab).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] What should 'uptime' say inside an lxc container?
On 12-09-10 02:02 PM, Dan Kegel wrote:

'uptime' seems to be the uptime of the host, not of the guest. Is that intended?

uptime reads /proc/uptime which gets you the time since the kernel was started.

There are a few ways of fixing that issue:
- Implement a new time namespace allowing us to reset the time to 0 when spawning a new container.
- Use the fuse filesystem that was described at plumbers (some kind of lxcfs) that will let us generate the right value in userspace and bind-mount it over /proc/uptime in the container.

The first is I believe the right way to do it, though it's not a high priority namespace, we have the user namespace, device namespace and syslog namespace that seem to be more pressing.

The second solution is a good temporary workaround that'd equally apply to /proc/cpuinfo, /proc/meminfo, ... and wouldn't require any change in the kernel (or even lxc for that matter).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Strange heisenbug no space left on device errors, leftover ephemeralbind mounts?
On 12-09-10 07:31 PM, Dan Kegel wrote:

This is probably just a bad dream that will end when I move to running lxc inside vmware instead of virtualbox.

I'm running Ubuntu 12.04.1 in Virtualbox, and inside that, Ubuntu 10.04 via lxc-start-ephemeral, and inside that, a buildbot slave. I'm slowly working my way through various issues that keep the buildbot from working properly (most recently, I had to switch to aufs from overlayfs, still need to file a bug for that). Now the problem is that inside the container, even though there is lots of disk space shown via df, I'm getting "no space left on device" after running make check for the project I'm building.

Did you check that you aren't running out of inodes? The error message would be identical (check with df -i).

The virtualbox has 2GB ram and 22GB disk space free. I can trigger the error by running just a little bit of make check, but if I try stracing that, the problem doesn't seem to happen. The other strange thing is that I'm seeing leftover ephemeralbind mounts, even though the log from lxc-start-ephemeral clearly shows the umount statement.

Hopefully these no longer exist with the python + lxc-hooks port as everything is mounted in the container's mount namespace which is killed on shutdown.

Both problems are triggered by running the testcase. Next step: switch to vmware and hope this all goes away. If it doesn't, then maybe I start looking at that overlayfs bug...

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] [lxc-devel] lxc staging branch on github
On 12-09-07 04:47 PM, Stéphane Graber wrote:

Hello everyone,

As you probably noticed Serge and I have been trying to keep up with all the changes going to the lxc-users and lxc-devel mailing lists with some varying success.

For quite a while now Serge has been maintaining a separate git branch on github where he'd merge the changes that we're using in Ubuntu and then regularly ask Daniel to review the branch and merge into the master branch on sourceforge.

To try and make this all a bit more official, I took ownership of the lxc project on github at: https://github.com/lxc

We now have an lxc repository at: https://github.com/lxc/lxc

With the main branch being called staging and containing what used to be in Serge's tree. This should now make it pretty easy for contributors to branch and send over pull requests. We'll continue monitoring the mailing-lists and merging the changes proposed on there as soon as it seems we reached an agreement.

It'd be great if anyone who submitted changes on the mailing-list or through any other means could check that their changes are in the staging tree and if not, re-submit the change so we can include it.

@Daniel: Please let me know if you have a github account so I can add you to the project admins.

For Ubuntu users, we now have daily automated builds of the staging branch available at: https://launchpad.net/~ubuntu-lxc/+archive/daily

These are triggered automatically on code change of the staging branch and will let us confirm that everything is still buildable and hopefully soon, run additional tests on the built binaries. We are currently running builds for Ubuntu 12.04 and 12.10.

Use these at your own risk, these are fully automated, non-tested builds without any patch or override of the binaries coming from lxc.

If you find any packaging bug with these, feel free to e-mail me directly.

If you find bugs with LXC using these packages, please report them on this mailing-list so we can track the regression and fix it before it has a chance to get into the stable branch.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] LXC in production environment
On 12-09-13 06:56 PM, Stuart Yoder wrote:

I would not use lxc for shared vps setup (like openvz) at this moment due to some unsolved security issues.

I've seen security issues with lxc mentioned in a few places, but nothing very specific (one thing specific was something to do with /proc filtering). (I've googled a bit, but it's hard to tell what is up to date) Is there a summary anywhere of potential security issues with LXC?

Stuart

Serge wrote an overview of LXC security when working on Ubuntu 12.04 LTS: https://wiki.ubuntu.com/LxcSecurity

Most of the points on there have been handled the best way we can by using apparmor, if you're not using Ubuntu with apparmor, all of these points are still very real issues. Some other distros are trying to drop as many capabilities as possible at container boot time, it's however pretty difficult to get something usable without having to compromise on some capabilities that essentially would let an attacker get back to full root.

The way forward is the use of the user namespaces which are still slowly making their way into the mainline kernel. Once fully implemented, we'll be able to start LXC containers as non-privileged users (except for some glue running as root) which will automatically fix all the issues listed on that wiki page.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
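The reply's point about capability dropping is easy to verify on a running container: the kernel exposes each process's capability sets as hex bitmasks in /proc/<pid>/status. The following is an added example, not code from this thread or from the lxc project, that decodes those masks for a container's init and reports what was dropped from the bounding set and which of a small, example-chosen set of root-equivalent capabilities are still effective. The /proc/1/status excerpt is constructed, and the ROOT_EQUIVALENT set is this example's judgement rather than anything stated in the thread.

```python
"""Decode the Cap* bitmasks in /proc/<pid>/status to see which capabilities a
container's init still holds, and which of the root-equivalent ones survive."""

# Kernel capability numbers in order (bit N <-> CAP_NAMES[N]).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]
ALL_CAPS = (1 << len(CAP_NAMES)) - 1

# Capabilities that by themselves give a container root a path back to host
# root. This is the example's own short list, not one from the thread.
ROOT_EQUIVALENT = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "sys_boot"}

# Constructed /proc/1/status excerpt for a container whose bounding set had
# sys_module, sys_time, mac_override and mac_admin removed at start time.
SAMPLE_STATUS = """\
Name:\tinit
State:\tS (sleeping)
Pid:\t1
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003cfdfeffff
CapEff:\t0000003cfdfeffff
CapBnd:\t0000003cfdfeffff
"""


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, 'CapBnd': int}."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, value = line.split(":", 1)
            masks[key] = int(value.strip(), 16)
    return masks


def cap_names(mask):
    """Names of the capabilities set in mask; bits newer than this table become 'cap_N'."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def dropped_from_bounding_set(status_text):
    """Sorted names absent from CapBnd, i.e. what the container start dropped."""
    bnd = parse_cap_masks(status_text)["CapBnd"]
    return sorted(set(CAP_NAMES) - set(cap_names(bnd & ALL_CAPS)))


def held_root_equivalent(status_text):
    """Sorted root-equivalent capabilities still present in the effective set."""
    eff = parse_cap_masks(status_text)["CapEff"]
    return sorted(ROOT_EQUIVALENT & set(cap_names(eff)))


def audit_pid(pid):
    """Audit a live process; on the host, pass the container init's host-side pid."""
    with open("/proc/%d/status" % pid) as fh:
        text = fh.read()
    return dropped_from_bounding_set(text), held_root_equivalent(text)


if __name__ == "__main__":
    print("dropped:", dropped_from_bounding_set(SAMPLE_STATUS))
    print("still root-equivalent:", held_root_equivalent(SAMPLE_STATUS))
```

The second list is the one the reply is talking about: a container can have a long lxc.cap.drop and still keep sys_admin or sys_ptrace because its init needs them, which is why the reply puts its hope in user namespaces rather than in ever-longer drop lists.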
Re: [Lxc-users] lxc-start leaks network interfaces?
On 10/11/2012 03:18 PM, Dan Kegel wrote:
On Thu, Oct 11, 2012 at 12:16 PM, Serge Hallyn serge.hal...@canonical.com wrote:

Thanks, Dan. I've reproduced it and commented in the bug. It's not really a bug in lxc. I at least when the veth is destroyed a uevent should be sent saying net-device-removed. Still digging/thinking.

Now I know I'm an early adopter :-)

Odd that I didn't notice that before, I indeed have several thousands of those on my servers ;)

Anyway, it's not going to impact the performance or cause any real effect besides polluting upstart's instance list.

Even though I could (with my ifupdown maintainer hack on) fix the upstart job to ignore veth, it's not really the right solution, as Serge said, I think the right way of handling that would be to get a net-device-removed event from udev when moving a veth device inside the container.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] use lxc in python,manage lxc
On 10/15/2012 04:19 AM, 宣铭艺 wrote:

Can we use lxc with python2? I find a lxc binding for python3 http://www.stgraber.org/2012/09/28/introducing-the-python-lxc-api/ But I used python2. And do we have a software which can manage lxc-containers such as create, destroy, start, modify containers, but not command with shell? Thanks.

The bindings are for python3 only and I don't intend to support python2 as it'd mean twice the amount of implementation time and testing + a nightmare for unicode handling. python3 has now been around for a long time and should be the preferred python version for any new development.

There are a few scripts already using python3-lxc to manage containers, Jonathan Carter has one on his github: https://github.com/highvoltage/llxc

-- 
樱宝宝: http://www.xuanmingyi.com

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Using lxc on production
On 10/22/2012 02:39 PM, swair shah wrote:

I've been trying out lxc for a week now, and it seems there are a lot of issues if the host system is centos and things work fine while using ubuntu as the host. Anyway, right now I don't think lxc seems to be fit to run on production boxes. I was wondering if anyone is using lxc on production. And if you don't mind disclosing, for what purpose do you use it on production?

cheers,
swair

I use LXC in production for all my server services (web hosting, dns servers, internal dhcp, directory services, ...) and for the Edubuntu WebLive VDI service (hundreds of desktop installations running under LXC).

All in all, that's somewhere around 300-400 containers I'm managing in production, without any problem so far.

This is all running on Ubuntu 12.04 LTS with apparmor on both host and containers. Using apparmor fixes all the security concerns that have been highlighted so far with containers and Ubuntu ships the latest upstream LXC and has a container-aware userspace that doesn't require any kind of hack to work in containers.

You mention you're using Centos, I'd suggest that's really your problem as nobody is working on LXC on Centos so the distribution probably wasn't made container aware, we don't actually have a maintained template for it and it's likely that some other bits of LXC plain don't work because nobody tested it on centos.

We recently got some contributions for LXC support on Oracle Linux which as far as I know is pretty close to RHEL6/CentOS, so maybe that work will lead to a better experience on CentOS, but that may take some time.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Using lxc on production
On 10/23/2012 12:29 AM, Ulli Horlacher wrote:
On Mon 2012-10-22 (14:53), Stéphane Graber wrote: All in all, that's somewhere around 300-400 containers I'm managing
How do you handle a host (hardware) failure?

Everything that runs in the container is in a configuration management system, so any container can be redeployed from scratch in just a couple of minutes without needing the actual rootfs.

On top of that, all the containers are backed up centrally using data deduplication, so if I really need it, I can extract a .tar.gz of the rootfs of any container in minutes and then just dump that on another machine.

Though technically all the critical services are already redundant, so in case of a host failure, all I'd see is an increase of load on the other servers while I fix the host and get the rest back online.

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] systemd inside LXC
On 10/23/2012 12:05 AM, Michael H. Warfield wrote:
On Mon, 2012-10-22 at 16:21 -0500, Serge Hallyn wrote: Quoting Michael H. Warfield (m...@wittsend.com): On Mon, 2012-10-22 at 15:14 -0500, Serge Hallyn wrote: Trimming some overhead we've seen enough of... How about just a devtmpfs? We actually now do this by default (as of very recently) in ubuntu by adding
devtmpfs dev devtmpfs defaults 0 0
NO! That's the problem! That leads to the container connecting to the host's console and other devices and committing random acts of terrorism.
No, it shouldn't, because lxc sets up the console after doing the mounts.
Damn, dude! That worked! That kludge rang da bell. Of course, I also discovered the boneheaded typo I had in attempting the tmpfs mount in the process. :-P I now have a container running systemd up and running with Fedora 17 in it.
I'm not sure I'm totally happy with it. Because of doing the devtmpfs thing, the guest can immediately see things like removable drives coming and going and might, presumably, be able to mount them. Not thrilled with that from a security standpoint. Would also mean the guests could access things like my permanent forensic CDs that are in the CD drives. I guess that can be restricted in the config but still makes me a bit uncomfortable that the guest has complete visibility into the host's dev system.

That's actually similar to what Ubuntu has had for the past few releases as we're running udevd in the container. Basically all the block devices of the host and any hotplugged device will appear in /dev but our default configuration is to only allow mknoding them, not read or write to them. So the end result is basically the same as if they weren't there to start with, except that for those that are actually allowed, they then behave like they'd on the host by showing up when added and disappearing when removed without any manual interaction. It's not ideal, but it's safe.

For the ideal implementation, we'll need to wait for the device namespace.

Another gotcha, albeit a much more minor one... When systemd drops into this mode, you no longer have vty consoles available so lxc-console won't work. That's actually on their page. I remember seeing this:

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] sudo: unable to resolve host..
On 11/16/2012 09:26 AM, Serge Hallyn wrote:
Quoting Rintcius Blok (rintc...@gmail.com): Hi, I am getting messages like this with every sudo I do in the container: sudo: unable to resolve host test.lxc
It happens with every container I create on 12.10 (with 12.10 container). Reproduction:
lxc-create -t ubuntu-cloud -n test.lxc -- --auth-key $HOME/.ssh/id_rsa.pub --userdata /root/my-userdata
with a simple userdata file like this: #!/bin/sh ifconfig eth0 /ifconfig-eth0
It is easy to solve for me: just add the container name to /etc/hosts. But I was wondering whether it would make sense to add it in a generic way?
Hm, I don't get this, either on 12.04 or 12.10. -serge

Can you attach the content of /etc/hosts and /etc/hostname in the container?

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] sudo: unable to resolve host..
On 11/16/2012 11:32 AM, Rintcius Blok wrote:
Yes sure. This is in a container called b.lxc:
ubuntu@b:~$ cat /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
ubuntu@b:~$ cat /etc/hostname
b.lxc

Ok, so the problem is that you don't have an entry for b.lxc in your /etc/hosts. Add an extra line (below the localhost one):
127.0.1.1 b.lxc
This should then silence sudo.

I remember writing code that does that in the ubuntu template, maybe the ubuntu-cloud template is missing that code somehow or the sed magic fails for hostnames containing a dot. Would have to check... Can you file a bug about it at? https://launchpad.net/ubuntu/+source/lxc/+filebug

Thanks

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.
On 12/06/2012 02:45 PM, John wrote:
On 06/12/12 17:10, Serge Hallyn wrote: Quoting John (l...@jelmail.com): On 05/12/12 21:59, Serge Hallyn wrote: You have to specify a template, i.e. '-t debian'.
Oh. I wasn't using a template. Up to now, I have an existing root filesystem, say /srv/lxc/mycontainer.x86_64 that is pointed to by my configuration file, say mycontainer.conf, by its lxc.rootfs entry. I have seen lxc-create as merely inserting the config from mycontainer.conf into /var/lib/lxc/mycontainer/config and nothing more. I haven't used a template script to create a container because I've got my own that I have been using ever since I first started using lxc (there were no templates back then, well not for arch anyway!). I've always done a destroy/create to update the LXC configuration for a container. This now seems to be the wrong way given destroy removes the rootfs and create expects a template. What's the new way? I've looked at the man page for lxc-create but am none the wiser. How do I now create a container (or just update the config) for an existing root filesystem?
Hm, I see. Yeah this behavior likely changed with the introduction of custom template paths. Perhaps we should allow '-t none' for exactly your use case. Stéphane? -serge
Or perhaps, allow leaving off the -t unless you want to work with a template? (kind of like it's been to date). Would that not work?

Yeah, that makes sense, I'll fix it. Basically allow for -t none and have it default to that when not specified, that should essentially revert to the previous behaviour.

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] Networking between host and container
On 12/28/2012 10:27 AM, Marko Anastasov wrote:
Hello, What is the best way to broadcast container's hostname to host? I want to be able to ssh from host into the container using its hostname as handle, instead of an IP address. I'm using the default template in Ubuntu 12.04. I have made a container template that I want to reuse. My first attempt was to install avahi-daemon on host and container, replace hostname in container config, fstab, /etc/hosts, /etc/hostname and dhclient.conf with some unique id. This worked in VirtualBox, but for some reason not on a real machine. Thanks, Marko

Not exactly an answer to your question, but should be an answer to your problem anyway: http://www.stgraber.org/2012/07/17/easily-ssh-to-your-containers-and-vms-on-ubuntu-12-04-lts/

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] Networking between host and container
On 12/28/2012 01:20 PM, Marko Anastasov wrote:
On Dec 28, 2012, at 11:47, Stéphane Graber stgra...@ubuntu.com wrote: Not exactly an answer to your question, but should be an answer to your problem anyway: http://www.stgraber.org/2012/07/17/easily-ssh-to-your-containers-and-vms-on-ubuntu-12-04-lts/
Hi Stéphane, I should note that I'm working with a server installation of 12.04, and packages dnsmasq and resolvconf are actually not installed by default. I've added them but I'm not sure what's next. So I think I'm missing some configuration that you assume on your blog.

LXC in Ubuntu comes with dnsmasq-base and resolvconf was introduced by default by me in Ubuntu 12.04, so you have it for sure or you're not using a supported Ubuntu installation (resolvconf is part of ubuntu-minimal).

Eg output of host $(echo %h | sed s/\\.lxc//g) 10.0.3.1 is
Using domain server: Name: 10.0.3.1 Address: 10.0.3.1#53 Aliases:
Host %h not found: 3(NXDOMAIN)

That's because once put in your ssh config, the %h will be replaced by the name of your container. Try host <container name> 10.0.3.1, that'll return the IP address of your container as long as it's using DHCP for its IP configuration.

Thanks, Marko

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] total RAM limit
On 01/11/2013 01:17 PM, Gary Ballantyne wrote:
Hello All I understand that I can limit the RAM of a single container via lxc.cgroup.memory.limit_in_bytes. But, is there a way to limit the total RAM available to all containers (without limiting each individually)? E.g., say we have 4G available. Rather than specifying a maximum number of containers (16 with 250M say), I'd like to allocate 4G to all containers, without a hard upper limit on the number of containers (16 in this case), and let the performance degrade gradually as more containers are added. (I'm anticipating being able to use many more containers this way, since our container's RAM usage is likely to be bursty).

You can, but not through lxc configuration.

LXC uses the lxc directory in the cgroup hierarchy, so that your container is typically at: lxc/<container name>/

Manually changing the keys in the lxc directory will set a shared quota for everything under it.

As a concrete example, on my laptop, the memory cgroup is mounted at: /sys/fs/cgroup/memory/
And individual container cgroups are at: /sys/fs/cgroup/memory/lxc/<container name>
So setting /sys/fs/cgroup/memory/lxc/memory.limit_in_bytes would do what you want.

Many thanks Gary

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
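The procedure from the reply above as shell functions. This is an added example, not from the thread: it writes a single limit to the parent lxc memory cgroup, reads back the value the kernel kept, and lists the per-container limits underneath so you can confirm the children stay unlimited while the parent caps the pool. It assumes the cgroup v1 layout named in the reply (/sys/fs/cgroup/memory/lxc/<container name>). The memory.use_hierarchy check is a caveat the thread does not mention: on older kernels the memory controller only charges children against their parent when that key is 1, and without it the shared limit on lxc/ does nothing for the containers below it.

```shell
#!/bin/sh
# Added example (not from the thread): one shared memory limit for every
# container under the "lxc" cgroup, cgroup v1 memory controller layout:
#   <root>/lxc/memory.limit_in_bytes              shared limit
#   <root>/lxc/<container>/memory.limit_in_bytes  per-container limit
# On a real host, as root:  set_shared_memory_limit /sys/fs/cgroup/memory 4G

# to_bytes SIZE -> bytes; SIZE is plain bytes or a number with a K/M/G suffix
to_bytes() {
    case "$1" in
        *K) echo $(( ${1%K} * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# set_shared_memory_limit MEMORY_CGROUP_ROOT LIMIT [PARENT]
# Writes LIMIT to PARENT/memory.limit_in_bytes (PARENT defaults to lxc)
# and prints what the kernel kept, which may be rounded down to a page.
set_shared_memory_limit() {
    root="$1"; limit=$(to_bytes "$2"); parent="${3:-lxc}"
    key="$root/$parent/memory.limit_in_bytes"
    if [ ! -w "$key" ]; then
        echo "cannot write $key (is the memory cgroup mounted there?)" >&2
        return 1
    fi
    # Caveat (not from the thread): older kernels only account children
    # against the parent when memory.use_hierarchy is 1 in the parent.
    hier="$root/$parent/memory.use_hierarchy"
    if [ -f "$hier" ] && [ "$(cat "$hier")" = 0 ]; then
        echo "warning: $hier is 0, the shared limit will not apply to child cgroups" >&2
    fi
    echo "$limit" > "$key" || return 1
    cat "$key"
}

# list_container_limits MEMORY_CGROUP_ROOT [PARENT]
# One "<container> <limit_in_bytes>" line per child cgroup, so you can see
# that the containers themselves are left at the unlimited default.
list_container_limits() {
    root="$1"; parent="${2:-lxc}"
    for dir in "$root/$parent"/*/; do
        [ -f "$dir/memory.limit_in_bytes" ] || continue
        printf '%s %s\n' "$(basename "$dir")" "$(cat "$dir/memory.limit_in_bytes")"
    done
}
```

The limit written this way is not persistent; put the write in whatever runs after the cgroup is mounted at boot, and keep lxc.cgroup.memory.limit_in_bytes out of the individual container configs unless you want a per-container ceiling inside the shared pool.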
Re: [Lxc-users] lxc configuration bug
On 02/22/2013 09:57 AM, Papp Tamas wrote:
On 02/22/2013 03:54 PM, Serge Hallyn wrote: Why not?
Why would I do that? It would just make myself confused. I don't see any reason to do that. tamas

The biggest reason for the lxcpath feature is the introduction of user namespaces. Once every user will be able to just run lxc containers, you don't want them to have to check what container names the others are using to avoid clashing with them.

It'd have been confusing to restrict system containers but not user containers, so the change works for all of them. I expect most people won't have identically named containers running as the same user from two different paths, but if they do, it'll still work.

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] lxc configuration bug
On 02/22/2013 10:20 AM, Papp Tamas wrote:
On 02/22/2013 04:04 PM, Stéphane Graber wrote: Once every user will be able to just run lxc containers, you don't want them to have to check what container names the others are using to avoid clashing with them.
I see, you're absolutely right.
It'd have been confusing to restrict system containers but not user containers, so the change works for all of them. I expect most people won't have identically named containers running as the same user from two different paths, but if they do, it'll still work.
However in that case a per-user lxcpath is supposed to be used or does the user always have to use the -P switch? tamas

We're planning on setting up a default lxcpath for user run containers, -P will just be used to override this.

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] Ubuntu 12.04 LTSEnablementStack: missing user namespace
On 02/28/2013 06:40 AM, Christoph Mitasch wrote:
Hello, I'm running a Ubuntu 12.04 system with LXC system containers. Ubuntu 12.04.2 offers a 3.5 kernel through the LTSEnablementStack. https://wiki.ubuntu.com/Kernel/LTSEnablementStack
This 3.5 kernel does apparently NOT support user namespaces. Is this a problem for LXC system containers on 12.04? Should a bug report be filed for that? Thank you, Christoph

It's not a problem. No kernel until 3.8 (and slightly higher actually) will really support user namespaces. In any case, the lxc version in 12.04 doesn't know how to use the user namespaces even if they were there. So that output from lxc-checkconfig is safe to ignore.

# cat /proc/version
Linux version 3.5.0-25-generic (buildd@allspice) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #39~precise1-Ubuntu SMP Tue Feb 26 00:07:14 UTC 2013
# lxc-checkconfig
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-3.5.0-25-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] lxcpath
On 03/02/2013 06:45 PM, Papp Tamas wrote:
On 02/25/2013 02:56 PM, Serge Hallyn wrote: Quoting Papp Tamas (tom...@martos.bme.hu): hi Serge and Others, lxc version: 0.9.0.alpha3 lxcpath=/data/lxc
tank/lxc/ltest on /tank/lxc/ltest type zfs (rw,noatime)
# sh -x /usr/bin/lxc-create -n ltest -t ubuntu
+ . /usr/share/lxc/lxc.functions
+ globalconf=/etc/lxc/lxc.conf
+ bindir=/usr/bin
+ templatedir=/usr/share/lxc/templates
+ lxcinitdir=/usr/lib/x86_64-linux-gnu
+ get_default_lxcpath
+ grep -v ^# /etc/lxc/lxc.conf
+ grep [ \t]*lxcpath[ \t]*=
+ awk -F= { print $2 }
+ lxc_path=/data/lxc
+ backingstore=_unset
+ fstype=ext4
+ fssize=500M
+ vgname=lxc
+ custom_rootfs=
+ [ 4 -gt 0 ]
+ opt=-n
+ shift
+ optarg_check -n ltest
+ [ -z ltest ]
+ lxc_name=ltest
+ shift
+ [ 2 -gt 0 ]
+ opt=-t
+ shift
+ optarg_check -t ubuntu
+ [ -z ubuntu ]
+ lxc_template=ubuntu
+ shift
+ [ 0 -gt 0 ]
+ wantedhelp=0
+ [ -z /data/lxc ]
+ [ ! -r /data/lxc ]
+ [ -z ltest ]
+ [ -z ]
+ lvname=ltest
+ id -u
+ [ 0 != 0 ]
+ [ -n ]
+ :
+ [ -d /data/lxc/ltest ]
+ basename /usr/bin/lxc-create
+ echo lxc-create: 'ltest' already exists
lxc-create: 'ltest' already exists
+ exit 1
So a new container cannot be created, because the directory already exists, as it's on an own filesystem.
Yes lxcpath does not address the case of wanting to import an existing rootfs. Only the case of wanting to keep the rootfs on a different partition. But you can now keep the container config in /data/lxc/ltest/config instead of under /var/lib/lxc/ltest, which might keep things (like where the fstab should be) less confused.
I'm not sure, I understand, what you get to point. Or maybe I miss that:) This is, what I do: 1. I create a partition or zfs volume for the container to keep 2. lxc-create -t ubuntu
What about this small change?
--- /usr/bin/lxc-create.ORIG 2013-03-03 00:38:19.749777404 +0100 +++ /usr/bin/lxc-create 2013-03-03 00:39:17.050725908 +0100
@@ -205,7 +205,7 @@ ;; esac -if [ -d $lxc_path/$lxc_name ]; then +if [ -d $lxc_path/$lxc_name/rootfs ]; then echo $(basename $0): '$lxc_name' already exists 2 exit 1 fi
Though not perfect at all since it cannot handle the case, when there is a mountpoint inside the rootfs (eg. rootfs/var). But I think with this change it would work way comfortable. tamas

The change proposed above wouldn't work for cases where you create the container config in /var/lib/lxc/<container> but don't store the rootfs there. For example when using lvm-backed containers. In such case, a second call to lxc-create would completely destroy the config of the existing container...

I guess we could do 'if [ -f $lxc_path/$lxc_name/config ]' instead, which should work fine for any lxc-create generated container.

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
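Review bot: the replacement test at @@ -205,7 +205,7 @@, `if [ -d $lxc_path/$lxc_name/rootfs ]; then`, only notices a container when its rootfs sits inside the lxcpath directory, so a container whose config lives at $lxc_path/$lxc_name/config but whose rootfs is on lvm, zfs or any other backing store is no longer detected and a second lxc-create with the same name silently clobbers that config. Test for the file lxc-create itself always writes instead, `if [ -f "$lxc_path/$lxc_name/config" ]; then`, which also covers the imported-rootfs case the patch is aiming at, and quote both expansions so a container name containing whitespace or glob characters cannot turn the test into something else.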
Re: [Lxc-users] lxc-list fails silently when not run as root?
On 03/05/2013 01:25 PM, Dan Kegel wrote:
short story: I'm on Ubuntu 12.04, using the default lxc, 0.7.5-3ubuntu67. lxc-list seems like a nice command, but doesn't work when not run as root... worse, it doesn't tell you it doesn't work, it just silently doesn't show running containers. Is this a known issue?

Yes, it can't run as root. The new lxc-ls we have in 0.9 deals with that problem properly. lxc-ls will list the containers, which can be done as any user. Passing any extra option (to know the running ones for example) requires root and the new lxc-ls makes this clear to the user.

long story: lxc-ls shows my containers, and then also shows my running ones:
$ lxc-ls
testbot01-ubu1004 testbot01-ubu1004-temp-nobuild-unique testbot01-ubu1204-temp-g-speak-unique
testbot01-ubu1004-temp-g-speak-unique testbot01-ubu1204 testbot01-ubu1204-temp-nobuild-unique
testbot01-ubu1004-temp-g-speak-unique testbot01-ubu1004-temp-nobuild-unique testbot01-ubu1204-temp-g-speak-unique testbot01-ubu1204-temp-nobuild-unique
But lxc-list doesn't show my running ones:
$ lxc-list
RUNNING
FROZEN
STOPPED
testbot01-ubu1004
testbot01-ubu1204
Running $ sh -x /usr/bin/lcx-list shows the problem:
$ lxc-info -n testbot01-ubu1004-temp-g-speak-unique
lxc-info: failed to get state for 'testbot01-ubu1004-temp-g-speak-unique': Permission denied
And running as root works:
$ sudo lxc-list
RUNNING
testbot01-ubu1004-temp-g-speak-unique
testbot01-ubu1004-temp-nobuild-unique
testbot01-ubu1204-temp-g-speak-unique
testbot01-ubu1204-temp-nobuild-unique
FROZEN
STOPPED
testbot01-ubu1004
testbot01-ubu1204

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] lxc-start leaks environment variables
On 03/08/2013 04:34 AM, Ivan Vilata i Balaguer wrote:
Hi all, I'm running lxc 0.9.0~alpha3-1 on a Debian sid box and I created a container using lxc-debconf which doesn't set any default locale. When starting the container using lxc-start, I expected it to have no LANG variable defined, but I noticed that it had inherited that from my root session in the host. Of course this causes several warnings in different programs, but I'm more concerned about the leaking of environment variables itself. Is this a known or expected behaviour, or rather a bug? Maybe other variables are leaking too. Thanks,

That seems pretty unlikely considering we explicitly clearenv() before starting the container now.

What you're describing can be true for LXC before the 0.9 series, but with 0.9, the container starts with an empty environment, so any environment variable that's set is as a result of the boot process.

Speaking of the locale environment variables specifically, it might be worth noting that ssh sets those when you connect to a system over ssh.

To make sure, you may want to look at:
cat /proc/1/environ | tr '\0' '\n'
Which will show you the environment of PID 1 in the container. Typically, it's made of a single variable:
root@raring-dev:~# cat /proc/1/environ | tr '\0' '\n'
container=lxc

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
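The /proc/1/environ check from the reply above, turned into a script that does the comparison for you. This is an added example, not from the thread: it prints PID 1's NUL-separated environment one variable per line and reports every variable whose name is not in an expected list, which by default is just container, matching the single container=lxc entry a 0.9 container is expected to start with. The environ file is taken as an argument so the same function works on /proc/1/environ inside the container, on /proc/<init pid>/environ from the host, or on a saved copy; the sample environments in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): did anything leak into the
# container's PID 1 environment?  Inside the container:
#   unexpected_env_vars /proc/1/environ
# From the host, with the container init PID from lxc-info (assumption
# about where you get the PID):
#   unexpected_env_vars /proc/<init pid>/environ

# print_environ FILE -> one NAME=value per line
# /proc/<pid>/environ separates entries with NUL bytes, not newlines.
print_environ() {
    tr '\0' '\n' < "$1"
}

# unexpected_env_vars FILE [EXPECTED_NAME ...]
# Prints each NAME=value whose NAME is not in the expected list
# (default: container). Exit status 0 when nothing unexpected was found,
# 1 otherwise, so it can be used directly in an if/&&.
unexpected_env_vars() {
    file="$1"; shift
    print_environ "$file" | awk -v expected="${*:-container}" '
        BEGIN {
            n = split(expected, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        /^$/ { next }                     # trailing NUL leaves an empty line
        {
            name = $0
            sub(/=.*/, "", name)          # keep only the part before "="
            if (!(name in ok)) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}
```

A non-empty report from inside a 0.9 container points at the container's own boot (init scripts, ssh, a pam_env configuration) rather than at lxc-start, since the parent's environment is cleared before init is executed; an old 0.7 or 0.8 lxc-start is the one case where the host shell's LANG really does arrive this way.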
Re: [Lxc-users] Lxc and security
On 03/27/2013 01:49 PM, Jean-François Leroux wrote:
Thanks for your input. So basically, if I can define cgroup.limits, drop capabilities, etc. I shall have about the same security as with Ubuntu? JFL

The main addition Ubuntu does to securing apparmor, outside of trying to lead the work to get user namespaces is the apparmor integration. You won't be able to get safe LXC containers if you don't have apparmor support in your kernel and use something based on the apparmor profiles we ship in Ubuntu.

Assuming that just using cgroup limits and dropping capabilities will give you a secure container is wrong, until we get user namespaces, you need something like apparmor before you can call a container safe.

I'm not sure what's the state of apparmor in Debian nowadays but last I checked, LXC in Debian wasn't shipping with the apparmor integration.

On 27/03/2013 01:32, Fajar A. Nugraha wrote:
On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux leroux.jeanfranc...@gmail.com wrote: Hi all, I'm rather new to LXC (although I've been using it for two years now) and have some questions about security. I know many of these have been discussed in various websites, but I'd like to get advice from real users - and many articles I've read may be outdated.
1) I've read that lxc wasn't secure because anyone with root access on the container might have access to the host. Is it true with ssh access (I mean no console)?
Distros like Ubuntu overcome that problem using cgroups limits, capability drop, and apparmor. When setup properly (e.g. created using default template with distro-bundled kernel and tools), AFAIK it should be secure-enough. Note that the above might not apply on manual installation. For example, if you install lxc on top of Centos6 with custom kernel and hand-made container config file.
2) Which capabilities would you drop for web servers where users have www-data access?
No idea. The defaults work for me.
3) What are/would be the danger of running lxc in production servers?
I'd say it's roughly the same danger as running your production servers on top of any virtualization products.
Many thanks for your input. :-) JFL PS: I'm planning on running lxc (squeeze) containers inside debian hosts.
I'd suggest Ubuntu instead. It's more integrated and easier. Of course if you're familiar-enough and know how to make the necessary changes, any distro will do. -- Fajar

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] lxc installation on ubuntu (login) - newbie
On 04/19/2013 11:57 AM, David Shwatrz wrote:
Hello, I followed: https://help.ubuntu.com/12.04/serverguide/lxc.html
I ran: lxc-create -t ubuntu -n CN and then: lxc-start -n CN /sbin/init
I reach Ubuntu 12.10 CN console. login: what are the credentials?

Just read what's written on the screen? :)

stgraber@castiana:~$ sudo lxc-create -t ubuntu -n CN
lxc-create: No config file specified, using the default config /etc/lxc/default.conf
Checking cache download in /var/cache/lxc/raring/rootfs-amd64 ...
Copy /var/cache/lxc/raring/rootfs-amd64 to /var/lib/lxc/CN/rootfs ...
Copying rootfs to /var/lib/lxc/CN/rootfs ...
Generating locales...
en_US.UTF-8... up-to-date
Generation complete.
##
# The default user is 'ubuntu' with password 'ubuntu'!
# Use the 'sudo' command to run tasks as root in the container.
##
'ubuntu' template installed
'CN' created

So as the message says, the login is ubuntu and the password is ubuntu.

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [Lxc-users] The liblxc is not thread-safe, correct?
On 04/23/2013 03:58 PM, Vallevand, Mark K wrote:
> I'm using Ubuntu 12.04 LTS with its associated LXC 0.7.5.
>
> As far as I can tell, liblxc is not thread-safe. Is this correct?

That's correct.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Problem with core dumps generated from containers, apport
On 04/25/2013 02:18 PM, Hans Feldt wrote:
> Thanks great!
>
> But what I don't (yet) understand is shouldn't the new %P behaviour be
> the default of %p instead? I mean a container PID never makes sense in
> host user space since there is a 1:n mapping. Meaning PID x can have n
> mappings on the host.
>
> Thanks,
> Hans

Well, to make apport work we actually need both as we need %P to figure
out what container that's in and we need %p to tell apport in that
container what PID to look at. So I preferred not to break things by
changing the meaning of %p in the kernel.

> On 04/25/2013 12:23 PM, Stéphane Graber wrote:
>> On 04/24/2013 02:10 PM, Hans Feldt wrote:
>>> -----Original Message-----
>>> From: Serge Hallyn [mailto:serge.hal...@ubuntu.com]
>>> Sent: den 23 april 2013 14:52
>>> To: Hans Feldt
>>> Cc: lxc-users@lists.sourceforge.net
>>> Subject: Re: [Lxc-users] Problem with core dumps generated from containers, apport
>>>
>>>>> 260 is the PID of my test program (sleep 1000) in the container. It
>>>>> of course had another PID on the host...
>>>>
>>>> Hm, well that's certainly surprising to me, but there it is, in
>>>> fs/coredump.c:format_corename(): case 'p' uses task_tgid_vnr().
>>>>
>>>> Would you like to send a patch upstream to add 'P' as an option for
>>>> using the global pid?
>>>
>>> Sorry this is out of my competence. I did check the code you pointed
>>> at and I think there's a namespace conversion thing missing before
>>> handing over the PID to user space. I could not find what function
>>> could do the trick.
>>>
>>> As a workaround if I temporarily change the core_pattern to write to
>>> file instead, I should get a readable useable core dump from a
>>> container process
>>>
>>> Thanks,
>>> Hans
>>
>> I've proposed a patch against the upstream kernel which adds a new %P
>> with the global PID.
>>
>> This then makes the following core_pattern work on Ubuntu systems:
>>     |/usr/sbin/chroot /proc/%P/root /usr/share/apport/apport %p %s %c
>>
>> https://lkml.org/lkml/2013/4/24/518

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
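An added example (mine, not code from the thread, from apport or from the kernel patch) showing why the host-side handler needs %P next to %p: it reads the chain of PIDs a process has across nested PID namespaces and builds the chroot-based handler argv quoted above. It assumes a kernel that exposes an "NSpid:" line in /proc/<pid>/status (Linux 4.1 and later, so newer than this thread) and uses constructed status excerpts in place of real /proc reads.

```python
"""Added example: why a host-side core handler needs the global PID (%P)
and not only the namespace-local one (%p).

Assumption (not from the thread): the kernel exposes an "NSpid:" line in
/proc/<pid>/status listing the process's PID in every PID namespace from
the host's inwards (Linux 4.1 and later).  The apport path and the
"chroot /proc/%P/root apport %p %s %c" layout come from the core_pattern
quoted in the thread.
"""
from collections import defaultdict

# Constructed /proc/<host_pid>/status excerpts: two containers each running a
# process whose container-local PID is 260, plus one plain host process.
SAMPLE_STATUS = {
    12345: "Name:\tsleep\nTgid:\t12345\nPid:\t12345\nNSpid:\t12345\t260\n",
    23456: "Name:\tsleep\nTgid:\t23456\nPid:\t23456\nNSpid:\t23456\t260\n",
    777:   "Name:\tsleep\nTgid:\t777\nPid:\t777\nNSpid:\t777\n",
}


def nspid_chain(status_text):
    """Return [host_pid, ..., innermost_pid] parsed from the NSpid line."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(tok) for tok in line.split()[1:]]
    # Older kernels have no NSpid line: the local PID cannot be recovered
    # from the host side at all, which is the situation the thread starts from.
    raise ValueError("no NSpid line in status: kernel cannot map namespaced PIDs")


def local_pid(status_text):
    """The %p value: the PID as the crashing process's own namespace sees it."""
    return nspid_chain(status_text)[-1]


def in_container(status_text):
    """True when the process lives in a PID namespace below the host's."""
    return len(nspid_chain(status_text)) > 1


def ambiguous_local_pids(statuses):
    """Local PIDs shared by several host processes.

    Each entry is a case where a handler keyed on %p alone (the 1:n mapping
    Hans describes) would look at the wrong process.
    """
    owners = defaultdict(list)
    for host_pid, text in statuses.items():
        if in_container(text):
            owners[local_pid(text)].append(host_pid)
    return {pid: hosts for pid, hosts in owners.items() if len(hosts) > 1}


def handler_argv(host_pid, status_text, signal, core_limit,
                 apport="/usr/share/apport/apport"):
    """Argv equivalent of the thread's core_pattern:
    chroot /proc/%P/root apport %p %s %c

    %P (host_pid) selects the container's root; %p (local_pid) tells the
    in-container apport which PID to report on.  A host process needs no chroot.
    """
    argv = [apport, str(local_pid(status_text)), str(signal), str(core_limit)]
    if in_container(status_text):
        argv = ["/usr/sbin/chroot", "/proc/%d/root" % host_pid] + argv
    return argv


if __name__ == "__main__":
    for host_pid, text in SAMPLE_STATUS.items():
        print(host_pid, "->", " ".join(handler_argv(host_pid, text, 11, 0)))
    print("local PIDs that %p alone cannot disambiguate:",
          ambiguous_local_pids(SAMPLE_STATUS))
```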
Re: [Lxc-users] errors
On 05/22/2013 07:46 PM, Tamas Papp wrote:
> On 05/23/2013 01:36 AM, Tamas Papp wrote:
>> On 05/23/2013 01:02 AM, Tamas Papp wrote:
>>> hi All,
>>>
>>> # lxc-ls --fancy
>>> Traceback (most recent call last):
>>>   File /usr/bin/lxc-ls, line 221, in module
>>>     ips = container.get_ips(protocol=protocol, timeout=1)
>>> TypeError: 'protocol' is an invalid keyword argument for this function
>>>
>>> # lxc-info -n sc --state-is=running
>>> # echo $?
>>> 1
>>>
>>> The container is running.
>>>
>>> ii lxc 0.9.0.0~staging~20130521-1727-0ubuntu1~ppa1~pre Linux Containers userspace tools
>>>
>>> # lsb_release -a
>>> No LSB modules are available.
>>> Distributor ID: Ubuntu
>>> Description:    Ubuntu 12.04.2 LTS
>>> Release:        12.04
>>> Codename:       precise
>>>
>>> Linux virt102 3.2.0-43-generic #68-Ubuntu SMP Wed May 15 03:33:33 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> I'm not sure, it's related, but the server is after a restart, because
>>> lxc-* commands were segfaulting.
>>>
>>> Do you have an idea?
>>
>> I downgraded to 0.9.0.0~staging~20130516-1655-0ubuntu1~ppa1~precise1,
>> segfault.
>>
>> Then reboot and now it's stuck at this stage:
>>
>> Process 77488 detached
>> ... wait4 resumed [{WIFEXITED(s) WEXITSTATUS(s) == 0}], 0, NULL) = 77488
>> --- SIGCHLD (Child exited) @ 0 (0) ---
>> fstat(3, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
>> lseek(3, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
>> read(3, , 6) = 0
>> close(3) = 0
>> geteuid() = 0
>> open(/dev/shm/sem.lxcapi.bioreg-vmc01, O_RDWR|O_NOFOLLOW) = 3
>> fstat(3, {st_mode=S_IFREG|0640, st_size=32, ...}) = 0
>> mmap(NULL, 32, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0x7fe5c5fce000
>> close(3) = 0
>> stat(/var/lib/lxc/bioreg-vmc01/config, {st_mode=S_IFREG|0644, st_size=1552, ...}) = 0
>> futex(0x7fe5c5fce000, FUTEX_WAIT, 0, NULL
>>
>> This is the first container on the list.
>
> Sorry for the massmail...
>
> In outline there was a segfault. I rebooted the machine, then there was
> no segfault, but api protocol error. I downgraded lxc version, reboot
> and it was stuck. I upgraded lxc (no reboot), and segfault is there.
>
> I have two machines of this kind: lxc latest version from the daily
> ppa, zfs backend, but different kernel (3.2 vs. 3.8 - backported).
> 10-30 container. Both produce the issue.
>
> There is a similar (actually a couple of days ago installed machine,
> with 3 easy containers and no issue).
>
> I hope, it helps,
> tamas

Oops, looks like I broke lxc-ls --fancy with my recent get_ips() API
change. I'll fix it directly to staging (trivial fix) and trigger a new
daily build, you should be able to update to a fixed package in the next
couple of hours.

Thanks for the report.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] errors
On 05/23/2013 01:46 AM, Tamas Papp wrote:
> On 05/23/2013 04:27 AM, Stéphane Graber wrote:
>> Oops, looks like I broke lxc-ls --fancy with my recent get_ips() API
>> change. I'll fix it directly to staging (trivial fix) and trigger a new
>> daily build, you should be able to update to a fixed package in the
>> next couple of hours.
>
> hi,
>
> Although the package is not here, I downloaded the raw file from
> github, and the function is indeed fixed. Though still there is the
> FUTEX_WAIT error
>
> strace -ff lxc-ls --fancy:
>
> [...]
> geteuid() = 0
> statfs(/dev/shm, {f_type=0x1021994, f_bsize=4096, f_blocks=16498192, f_bfree=16498156, f_bavail=16498156, f_files=16498192, f_ffree=16498155, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
> futex(0x7ff06b4cc31c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> open(/dev/shm/sem.lxcapi.jcb-vmc02, O_RDWR|O_NOFOLLOW) = 3
> fstat(3, {st_mode=S_IFREG|0640, st_size=32, ...}) = 0
> mmap(NULL, 32, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0x7ff06b65d000
> close(3) = 0
> stat(/var/lib/lxc/jcb-vmc02/config, {st_mode=S_IFREG|0644, st_size=1293, ...}) = 0
> futex(0x7ff06b65d000, FUTEX_WAIT, 0, NULL
>
> And it's waiting here...
>
> What is it waiting for? I'm quite lost now..
>
> Thanks,
> tamas

That looks like broken locking, though Serge would know for sure.

You may want to try clearing /dev/shm/*lxc* and see if that fixes the
problem (not usually recommended as those locks are there for a reason).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Regarding creating a LXC container in fedora 17
On 05/24/2013 12:10 PM, Michael H. Warfield wrote:
> On Sat, 2013-05-18 at 12:09 -0700, jjs - mainphrame wrote:
>> Interesting. I didn't realize how spoiled I am and how easy I have it
>> with lxc on ubuntu!
>
> Don't get too comfortable. I don't know if Ubuntu is transitioning to
> systemd yet or not (or planning to or creating a new alternative) but
> this was a talk tease from a talk delivered by my friend and co-guru
> Mark Torres (formerly of Suse fame) to the Atlanta Unix Users Group a
> couple of months ago...

Ubuntu has no plan to switch to systemd, upstart is actively developed
and maintained and has been proven to work extremely well with LXC
containers (the fact that I'm an upstream contributor of both upstart
and LXC may have helped there).

Ubuntu does provide some of the DBus systemd APIs however so that people
don't need to support two APIs and we also run some of the systemd
helpers like logind but the main init system is upstart and we have no
plan of changing that.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
[Lxc-users] Some important project changes
Hey everyone,

So there are quite a few major changes coming to the way the LXC project
is managed and to the infrastructure we use.

As most of you probably noticed, Daniel Lezcano has been incredibly busy
of late and only had time to do the final review and merge before
tagging a release, leaving the rest of the review work to Serge Hallyn
and I in the staging branch.

After doing that for over a year, we've sat with Daniel here at Plumbers
2013 and agreed that Serge and I would become the new maintainers for
the LXC project with Daniel being available as a last resort but no
longer being on the critical release path.

On top of that change, we're also going to rework the infrastructure of
the project, to hopefully make it simpler for everyone.

Specifically, the following will happen over the next few days/weeks:
 - The git master branch from sourceforge will be moved to github
 - The current staging branch will be merged into the master branch
 - The staging branch will be removed
 - The git server on sourceforge will be closed, redirecting to github
   (if at all possible)
 - All the bug reports on sourceforge will be moved to github
 - The bug tracker on sourceforge will be closed, redirecting to github
   (if at all possible)
 - The website on lxc.sourceforge.net will be moved to
   linuxcontainers.org, going through a bit of a redesign in the
   process. A redirection will be put in place.
 - A mailman server will be setup on lists.linuxcontainers.org and the
   two existing mailing-lists will be moved over there (including
   existing subscribers and mailing-list history).

In the end, the plan is to completely stop using sourceforge and instead
use github for everything but the mailing-lists which will be handled by
our own mailman server. This should make it easier for everyone to get
an overview of the project, fork our master branch and contribute
changes.

The transition will be as seamless as I can possibly make it, I'll be
sending an e-mail to this list every time I cross one of those items off
the list.

Finally, I'd like to thank Daniel for the hard work he's been putting
into LXC for over 5 years now and wish him all the best for his new
projects!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Some important project changes
On Fri, Sep 20, 2013 at 07:40:49PM +0200, Tamas Papp wrote:
> On 09/20/2013 06:37 PM, Stéphane Graber wrote:
>
> hi Stephane,
>
> Don't hesitate to contact me, if you need help with the infrastructure
> or the migration process. Though I guess you're fine about these
> things:)
>
> For the website (I see it the first time now):
>
>     lxc-ls --fancy | grep p1
>
> I would change this example to:
>
>     lxc-ls --fancy p1

Hi,

Very good point about lxc-ls, I wrote that thing but completely forgot
it allows passing the name (or partial name) of a container directly as
an argument :)

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] lxc-shutdown and guests running upstart
On Sun, Sep 22, 2013 at 02:00:08PM +0300, Johannes Graumann wrote:
> Hello,
>
> When setting up a centos lxc container from scratch I ran into the fact
> that (according to my interpretation of my extensive googling)
> upstart-running distributions cannot be gracefully coerced into
> shutting down via lxc-shutdown ... this is true for both my manual
> centos and a lxc-fedora generated fedora container ... I have not found
> a way around this.
>
> Can anyone share how to configure an upstart guest to listen to a
> kill -s INT $pid and/or kill -s PWR $pid as used by lxc-shutdown?
>
> Thank you for any hints.
>
> Sincerely, Joh

Hmm, that's surprising, it definitely works fine on Ubuntu.

My guess is that you're missing the upstart job which reacts on SIGPWR
being received by PID1.

Try adding this as /etc/init/shutdown.conf in your container:

    # Trigger an immediate shutdown when upstart receives SIGPWR
    # this is useful for some UPS monitoring tools and for clean
    # shutdown of containers

    description "Trigger an immediate shutdown on SIGPWR"

    start on power-status-changed

    task
    exec shutdown -h now "SIGPWR received"

After that lxc-shutdown should work fine.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] [lxc-devel] Disable IPv6 for container interfaces. Support for sysctl in containers
On Thu, Oct 03, 2013 at 09:32:15AM +, Purcareata Bogdan-B43198 wrote:
> Hello,
>
> I am currently running a setup with hundreds of containers starting on
> the same Linux host. Each of these containers receive a single virtual
> interface eth0 connected to a host interface using macvlan. These
> containers only use IPv4, but by default they receive an IPv6 address
> as well. This causes my kernel to start dumping messages, complaining
> about IPv6 neighbour table overflow:
>
> [  558.739929] net_ratelimit: 3833 callbacks suppressed
> [  558.743597] IPv6: Neighbour table overflow
> [  558.746517] IPv6: Neighbour table overflow
> [  558.749426] IPv6: Neighbour table overflow
> [  558.752386] IPv6: Neighbour table overflow
> [  558.755302] IPv6: Neighbour table overflow
>
> Is there any way to disable IPv6 in containers? I'm thinking about
> something like lxc.network. ... in the config file, that I don't know
> about? My current solution is to enter the container and issue
> echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6.
>
> This made me think that it would be a nice feature to control /proc/sys
> kernel parameters at runtime using the container config file. I'm
> thinking some lines that would start with lxc.sysctl and then contain
> the whole path to the parameter and the value. So for my use case it
> would be something like:
>
>     lxc.sysctl.net.ipv6.conf.eth0.disable_ipv6 = 1
>
> What do you think?
>
> Bogdan P.

Most distros support a mechanism to set sysctl knobs at boot time, I
don't think it should be LXC's job to do so but instead you should just
update the right config file in your distribution to do that for you.

Something like:

    net.ipv6.conf.all.disable_ipv6=1

in /etc/sysctl.conf should do the trick.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] bind (re)mount possible?
On Fri, Oct 25, 2013 at 12:35:04AM -0500, Serge Hallyn wrote:
> Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
>> On Thu 2013-10-24 (15:11), Serge Hallyn wrote:
>>
>>> If your kernel is new enough (check whether /proc/self/ns/mnt exists)
>>> you could lxc-attach into the container with the -e flag to keep
>>> elevated privileges, and do the remount.
>>
>> Ubuntu 12.04:
>>
>> root@vms3:~# l /proc/self/ns/mnt
>> l: /proc/self/ns/mnt - No such file or directory
>>
>> root@vms3:~# uname -a
>> Linux vms3 3.2.0-55-generic #85-Ubuntu SMP Wed Oct 2 12:29:27 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>>
>> What is new enough?
>
> >= 3.8
>
>> So, from the host system, a remount is not possible?
>
> Correct. The container is in a private mount namespace, and you cannot
> enter it. You can view it somewhat through /proc/$pid/root, but you
> can't mount under that because you'd be trying to mix two vfsmounts
> belonging to different mount namespaces.
>
> -serge

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
[Lxc-users] Videos from the container mini-summit at Linux Plumbers 2013
Hello,

I remember quite a few of you asking whether the container mini-summit
would be recorded and for those to be made available online.

Well, this has now been done. We have videos for the following talks:

== On the road to LXC 1.0 ==
Presented by: Stéphane Graber
Video: http://www.youtube.com/watch?v=O7JrxIQRWCw

== LXC and Android ==
Presented by: Stéphane Graber
Video: http://www.youtube.com/watch?v=XZWy2g9YY30

== Let Me Contain That For You! ==
Presented by: Rohit Jnagal
Video: http://www.youtube.com/watch?v=UdZOSQHFmss

== State of CRIU (Checkpoint Restart In Userspace) and integration with LXC ==
Presented by: Pavel Emlianov
Video: http://www.youtube.com/watch?v=d2DkDoz-Oh0

== Device namespace ==
Presented by: Amir Goldstein and Oren Laadan
Video: http://www.youtube.com/watch?v=yGrTCMgBTOI

== Fedora/systemd on LXC ==
Presented by: Michael H Warfield
Video: http://www.youtube.com/watch?v=pLj5nvqU86I

== Use Cases for Containers in OpenStack ==
Presented by: Daniel Salinas
Video: http://www.youtube.com/watch?v=k0kyd0ozaYM

== Containers control tools: can we unify those? ==
Presented by: Kirill Kolyshkin and Stéphane Graber
Video: http://www.youtube.com/watch?v=ern3qWNKbD4

Some of the slides and extra information may also be found here:
http://www.linuxplumbersconf.org/2013/ocw/events/LPC2013/tracks/153

Thanks to everyone who participated in this year's container mini-summit
and looking forward to seeing you all at another edition!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] a mistake from LXC website
On Fri, Nov 08, 2013 at 05:22:28PM +0800, Qiang Huang wrote:
> Hi, list:
>
> Hope website administrator can see this.
>
> http://linuxcontainers.org/
>
> In the beginning part,
> ===
> Current LXC uses the following kernel features to contain processes:
>
>     Kernel namespaces (ipc, uts, mount, pid, network and user)
>     Apparmor and SELinux profiles
>     Seccomp policies
>     Chroots
>     Kernel capabilities
>     Control groups (cgroups)
> ===
>
> Here *Chroots* actually should be *Pivot_root*, right?
>
> This could be important information for some users as I know, think we
> should fix it :)

Well, most people have no idea what pivot_root does but are familiar
with chroots, so that's why I tried to avoid mentioning what's
essentially implementation details.

Anyway, I've now added (using pivot_root) next to the Chroots line which
should be enough for anyone wondering about the implementation details.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Fwd: LXC and sound in container -
On Thu, Nov 14, 2013 at 11:57:04AM -0600, Serge Hallyn wrote:
> Quoting brian mullan (bmullan.m...@gmail.com):
>> I'm not sure the lxc-user alias will take an file attachment or not.
>> If not I'll try something else.
>>
>> I tried to document everything I did to finally get sound working in
>> an LXC container on my Ubuntu 13.10 system.
>
> Thanks Brian.
>
> If you're interested, I would suggest splitting this into two howtos,
> and posting them in a wiki or at linuxcontainers.org. One would be on
> just setting up x. That actually could be a main page with a list of
> options, one being the one you documented, another (soon) spice, etc.
> The other would be on pulseaudio.
>
> Stéphane, could you briefly comment on what arkose did to allow
> simultaneous host and container pulseaudio access? Brian mentioned
> something about gluing in a pulseaudio socket?

arkose basically runs:

    pactl load-module module-native-protocol-unix socket=/some/path auth-cookie-enabled=0

Then bind-mounts that socket inside the container and exports
PULSE_SERVER=/some/path in the container's environment.

-- 
Stéphane Graber
Ubuntu developer
http://www.canonical.com
[Lxc-users] Mailing-list move on Sunday 8th of December
Hello,

You are receiving this e-mail because you are currently subscribed to:
lxc-de...@lists.sourceforge.net

On this coming Sunday (8th of December), all LXC mailing-lists will be
moved to a new home at: http://lists.linuxcontainers.org

This is the last step of our migration out of sourceforge.

The new mailman server is hosted by myself and shared with a few other
projects (on other domains). That new server has daily offsite backups
and a redundant e-mail infrastructure on two continents. So I'm not
expecting any more problems with our lists there than on SourceForge.

On Sunday, I'll disable the list on sourceforge, do one last mbox export
and load it on the new server. From that point on, any e-mail reaching
the old address will simply be rejected with an error indicating the new
address (short of having found a way to redirect to the new address...).

All of the list history and all subscriptions and settings will stay as
they are, so once you have updated your mail filters and aliases
everything should be back to normal.

Sorry for the inconvenience and looking forward to a SourceForge free
world!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] Mailing-list move on Sunday 8th of December
On Wed, Dec 04, 2013 at 06:57:20PM -0500, Stéphane Graber wrote:
> Hello,
>
> You are receiving this e-mail because you are currently subscribed to:
> lxc-de...@lists.sourceforge.net
  ^ I meant lxc-users@lists.sourceforge.net

> On this coming Sunday (8th of December), all LXC mailing-lists will be
> moved to a new home at: http://lists.linuxcontainers.org
>
> This is the last step of our migration out of sourceforge.
>
> The new mailman server is hosted by myself and shared with a few other
> projects (on other domains). That new server has daily offsite backups
> and a redundant e-mail infrastructure on two continents. So I'm not
> expecting any more problems with our lists there than on SourceForge.
>
> On Sunday, I'll disable the list on sourceforge, do one last mbox
> export and load it on the new server. From that point on, any e-mail
> reaching the old address will simply be rejected with an error
> indicating the new address (short of having found a way to redirect to
> the new address...).
>
> All of the list history and all subscriptions and settings will stay
> as they are, so once you have updated your mail filters and aliases
> everything should be back to normal.
>
> Sorry for the inconvenience and looking forward to a SourceForge free
> world!
>
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
[Lxc-users] Last e-mail on the old mailing-lists
Hello,

This is going to be the last e-mail of the lxc-devel and lxc-users
mailing-lists on sourceforge.net.

Both lists starting now will live at http://lists.linuxcontainers.org

    lxc-de...@lists.sourceforge.net => lxc-de...@lists.linuxcontainers.org
    lxc-users@lists.sourceforge.net => lxc-us...@lists.linuxcontainers.org

The archive will get re-imported in the next few minutes and so will all
the existing subscribers. A new password will be generated for you by the
system and sent along with a welcome e-mail in the coming hours.

Once that's all done, I'll be sending an e-mail to both new lists
indicating that the move is over.

I'll also be updating as many of the places where the old lists are
referenced as I can. If you know of some more, please feel free to
update them.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com