Michael Tokarev wrote: > lxc-start: No such file or directory - failed to mount a new instance of > '/dev/pts' > I'm experimenting with a read-only root fs in the container. > So far it does not work. > > First of all, when trying to start a container in a read-only root > lxc-start complains: > lxc-start: Read-only file system - can't make temporary mountpoint > > This is in conf.c:setup_rootfs_pivot_root() function. That function > uses optional parameter "lxc.pivotdir", or creates (and later removes) > a temporary directory for pivot_root. Obviously there's no way to > create a directory in a read-only filesystem. > Why do you need to use a read-only root fs ?
> But lxc.pivotdir does not work either. In the function mentioned above > it is used with leading dot (eg. if I specify "lxc.pivotdir=pivot" in > the config file the pivot_root() syscall will be made to ".pivot" with > leading dot, not to "pivot"), but later on it is used without that dot, > and fails: > > lxc-start: No such file or directory - failed to open /pivot/proc/mounts > lxc-start: No such file or directory - failed to read or parse mount list > '/pivot/proc/mounts' > lxc-start: failed to pivot_root to '/stage/t' > > (that's with "lxc.pivotdir = pivot" in the config file). After symlinking > pivot to .pivot it still fails: > > lxc-start: Device or resource busy - could not unmount old rootfs > lxc-start: failed to pivot_root to '/stage/t' > It's a bug introduced with the pivot_root feature. Investigation on the way. > Ok, so far so "good". > > Next thing is the /dev directory. I prefer to have it in a tmpfs, because > of several reasons (one is that the root is mounted with -o nodev), but that > fails too unless the directory is pre-populated: > > lxc-start: No such file or directory - failed to mount a new instance of > '/dev/pts' > lxc-start: failed to setup the new pts instance > > That's when specifying: > > lxc.mount.entry = /dev dev tmpfs noexec,nosuid,mode=0755 > > in the config file. That creates an empty directory for container's /dev, > which is populated later in the startup script. > > Similar thing happens when I pre-create dev/pts - it fails to bind-mount > tty1..tty4. > Ok, so your need is to call a script between: lxc.mount.entry = /dev dev tmpfs noexec,nosuid,mode=0755 ... lxc.tty = 4 where the script will populate /dev, right ? mmh, not obvious. > So far it works by using a wrapper around lxc-start which mounts tmpfs > over dev, fills it with a bunch of standard entries, and executes lxc-start. > > But this is really getting quite ugly. And the only solution to all this > mess is to let to perform the setup from a shell script/command which is > called after "forking" the (filesystem) namespace but before entering the > container "for real", or _instead_ of entering the container. As was > discussed previously. > What about the lxc.script configuration line which calls a script at the point it is in the configuration file ? > The whole mess started when I realized that bind-mounting host's /dev > works perfectly _except_ the syslogging, -- /dev/log does not work with > multiple containers, only the container where syslogd (re)started last > works, all the rest gives "ECONNREFUSED" when trying to send any message > to /dev/log. > /dev/log is an af_unix socket, the network is isolated, the af_unix belongs to the network namespace. It's probable /dev/log is unlinked, created again and binded by syslogd. So as /dev/ is shared between the containers, the last one get the socket. Any process outside of the container trying to access this socket won't be able. ------------------------------------------------------------------------------ SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel