[Forwarding to new lxc-devel as I replied to old sf list]
---------- Forwarded message ----------
From: S.Çağlar Onur <cag...@10ur.org>
Date: Mon, Dec 9, 2013 at 4:26 PM
Subject: Re: [lxc-devel] [PATCH] add comments about running unconfined or nesting containers back to ubuntu.common.conf
To: Stéphane Graber <stgra...@ubuntu.com>
Cc: lxc-de...@lists.sourceforge.net

Hi Stéphane,

On Mon, Dec 9, 2013 at 3:04 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
> On Sat, Dec 07, 2013 at 06:04:10PM -0500, S.Çağlar Onur wrote:
>> Signed-off-by: S.Çağlar Onur <cag...@10ur.org>
>
> I'll reword the comment a bit to let them know to copy/paste the comment
> to the container's config instead of changing it in the common file
> which would get overwritten on upgrade and would also affect all
> containers.

Thanks for doing that.

On a separate note, it looks like /usr/share/lxc/hooks/mountcgroups hook seems to have some issues (but couldn't find some time to debug further). I migrated my nested containers to the new style config (that's how I realized those comments are gone :P) but now the first start is always failing with "lxc-start: command get_cgroup failed to receive response" error and one after just works.

[caglar@oOo:~] sudo lxc-ls --fancy
NAME    STATE    IPV4  IPV6
---------------------------
raring  STOPPED  -     -
saucy   STOPPED  -     -

[caglar@oOo:~] sudo cat /var/lib/lxc/raring/config
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template: --release raring
# For additional config options, please look at lxc.conf(5)

# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf

# Container specific configuration
lxc.rootfs = /var/lib/lxc/raring/rootfs
lxc.mount = /var/lib/lxc/raring/fstab
lxc.utsname = raring
lxc.arch = amd64

# Network configuration
lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:2e:74:e4
lxc.network.flags = up
lxc.network.link = lxcbr0

lxc.aa_profile = unconfined
lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups

[caglar@oOo:~] sudo lxc-start -d -n raring
lxc-start: command get_cgroup failed to receive response

[caglar@oOo:~] sudo lxc-ls --fancy
NAME    STATE    IPV4  IPV6
---------------------------
raring  STOPPED  -     -
saucy   STOPPED  -     -

[caglar@oOo:~] sudo lxc-start -d -n raring

[caglar@oOo:~] sudo lxc-ls --fancy
NAME    STATE    IPV4                  IPV6
-------------------------------------------
raring  RUNNING  10.0.3.204, 10.0.4.1  -
saucy   STOPPED  -                     -
[caglar@oOo:~]

And also nothing cleans up the cgroup entries but I'm not sure whether that was always the case or not.

[caglar@oOo:~] find /sys/fs/cgroup/ -name "raring*"
/sys/fs/cgroup/systemd/lxc/raring
/sys/fs/cgroup/systemd/lxc/raring/raring.real
/sys/fs/cgroup/hugetlb/lxc/raring-1
/sys/fs/cgroup/hugetlb/lxc/raring
/sys/fs/cgroup/hugetlb/lxc/raring/raring.real
/sys/fs/cgroup/perf_event/lxc/raring-1
/sys/fs/cgroup/perf_event/lxc/raring
/sys/fs/cgroup/perf_event/lxc/raring/raring.real
/sys/fs/cgroup/blkio/lxc/raring-1
/sys/fs/cgroup/blkio/lxc/raring
/sys/fs/cgroup/blkio/lxc/raring/raring.real
/sys/fs/cgroup/freezer/lxc/raring-1
/sys/fs/cgroup/freezer/lxc/raring
/sys/fs/cgroup/freezer/lxc/raring/raring.real
/sys/fs/cgroup/devices/lxc/raring-1
/sys/fs/cgroup/devices/lxc/raring
/sys/fs/cgroup/devices/lxc/raring/raring.real
/sys/fs/cgroup/memory/lxc/raring-1
/sys/fs/cgroup/memory/lxc/raring
/sys/fs/cgroup/memory/lxc/raring/raring.real
/sys/fs/cgroup/cpuacct/lxc/raring-1
/sys/fs/cgroup/cpuacct/lxc/raring
/sys/fs/cgroup/cpuacct/lxc/raring/raring.real
/sys/fs/cgroup/cpu/lxc/raring-1
/sys/fs/cgroup/cpu/lxc/raring
/sys/fs/cgroup/cpu/lxc/raring/raring.real
/sys/fs/cgroup/cpuset/lxc/raring-1
/sys/fs/cgroup/cpuset/lxc/raring
/sys/fs/cgroup/cpuset/lxc/raring/raring.real

[caglar@oOo:~] sudo lxc-stop -n raring

[caglar@oOo:~] find /sys/fs/cgroup/ -name "raring*"
/sys/fs/cgroup/systemd/lxc/raring
/sys/fs/cgroup/systemd/lxc/raring/raring.real
/sys/fs/cgroup/hugetlb/lxc/raring
/sys/fs/cgroup/hugetlb/lxc/raring/raring.real
/sys/fs/cgroup/perf_event/lxc/raring
/sys/fs/cgroup/perf_event/lxc/raring/raring.real
/sys/fs/cgroup/blkio/lxc/raring
/sys/fs/cgroup/blkio/lxc/raring/raring.real
/sys/fs/cgroup/freezer/lxc/raring
/sys/fs/cgroup/freezer/lxc/raring/raring.real
/sys/fs/cgroup/devices/lxc/raring
/sys/fs/cgroup/devices/lxc/raring/raring.real
/sys/fs/cgroup/memory/lxc/raring
/sys/fs/cgroup/memory/lxc/raring/raring.real
/sys/fs/cgroup/cpuacct/lxc/raring
/sys/fs/cgroup/cpuacct/lxc/raring/raring.real
/sys/fs/cgroup/cpu/lxc/raring
/sys/fs/cgroup/cpu/lxc/raring/raring.real
/sys/fs/cgroup/cpuset/lxc/raring
/sys/fs/cgroup/cpuset/lxc/raring/raring.real

> Acked-by: Stéphane Graber <stgra...@ubuntu.com>
>
>> --- >> config/templates/ubuntu.common.conf.in | 7 +++++++ >> 1 file changed, 7 insertions(+) >> >> diff --git a/config/templates/ubuntu.common.conf.in >> b/config/templates/ubuntu.common.conf.in >> index 8c61033..1195175 100644 >> --- a/config/templates/ubuntu.common.conf.in >> +++ b/config/templates/ubuntu.common.conf.in >> @@ -17,6 +17,13 @@ lxc.pts = 1024 >> # Default capabilities >> lxc.cap.drop = sys_module mac_admin mac_override sys_time >> >> +# When using LXC with apparmor, uncomment the next line to run unconfined: >> +#lxc.aa_profile = unconfined >> + >> +# To support container nesting on an Ubuntu host, uncomment next two lines: >> +#lxc.aa_profile = lxc-container-default-with-nesting >> +#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups >> + >> # Default cgroup limits >> lxc.cgroup.devices.deny = a >> ## Allow any mknod (but not using the node) >> -- >> 1.8.3.2
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com

--
S.Çağlar Onur <cag...@10ur.org>
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
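
Review bot: The two comment blocks added after `lxc.cap.drop` tell the reader to uncomment lines in ubuntu.common.conf.in itself, but the container config shown in this thread pulls that file in through `lxc.include`, so uncommenting `#lxc.aa_profile = unconfined` there removes AppArmor confinement for every container that includes it, and per the reply the file is overwritten on upgrade. Suggest rewording both comments to say "copy the following line(s) into the container's own config". The hunk also offers two different values for `lxc.aa_profile` without saying they are alternatives; state that only one should be set, and that the nesting block already carries its own profile (`lxc-container-default-with-nesting`), so `unconfined` is not needed for that case.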
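
The point in Stéphane's reply that a change in the common file affects all containers, as an added example that is not part of the original thread: a shell script that resolves the effective `lxc.aa_profile` of a container config by expanding `lxc.include` in place. The sample files and function names are constructed for illustration, and the rule that a later assignment overrides an earlier one is an assumption about how the config is read.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the effective lxc.aa_profile of a
# container config, expanding lxc.include in place.
# Assumption: a later assignment overrides an earlier one.

# Print every lxc.aa_profile value in the order the config would be read.
aa_profile_values() {
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace, then skip blanks and comments.
        line=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case $line in
            ''|'#'*) continue ;;
        esac
        key=$(printf '%s\n' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//')
        case $key in
            lxc.include)    if [ -r "$val" ]; then aa_profile_values "$val"; fi ;;
            lxc.aa_profile) printf '%s\n' "$val" ;;
        esac
    done < "$1"
}

# Last value wins; empty output means the key is never set (default profile).
effective_aa_profile() {
    aa_profile_values "$1" | tail -n 1
}

# Constructed sample: one shared common file and two container configs.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' 'lxc.cap.drop = sys_module mac_admin mac_override sys_time' \
        '#lxc.aa_profile = unconfined' > "$dir/common.conf"
    printf '%s\n' "lxc.include = $dir/common.conf" 'lxc.utsname = raring' \
        'lxc.aa_profile = unconfined' > "$dir/raring.conf"
    printf '%s\n' "lxc.include = $dir/common.conf" 'lxc.utsname = saucy' \
        > "$dir/saucy.conf"
    printf '%s\n' "$dir"
}

report() {
    for c in raring saucy; do
        printf '%s: %s\n' "$c" "$(effective_aa_profile "$1/$c.conf")"
    done
}

sample=$(make_sample)
report "$sample"    # per-container setting: only raring is unconfined
echo 'lxc.aa_profile = unconfined' >> "$sample/common.conf"
report "$sample"    # shared-file edit: every including container is unconfined
```

Run against real configs, `effective_aa_profile /var/lib/lxc/<name>/config` gives a quick audit of which containers end up unconfined and whether that came from their own file or the shared one.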