I can't start the container and I have found 0 lines in the .log file!
root@localhost:/var/log/lxc# lxc-start -n worker1
^C
root@localhost:/var/log/lxc# vim worker1.log
root@localhost:/var/log/lxc#

Best Regards.

2015-06-20 13:00 GMT+01:00 <lxc-users-requ...@lists.linuxcontainers.org>:

> Today's Topics:
>
>    1. "mesh networking" for lxc containers (similar to weave)? (Tomasz Chmielewski)
>    2. Re: Nested container in unpriviledged container (Xavier Gendre)
>    3. Re: "mesh networking" for lxc containers (similar to weave)? (Christoph Lehmann)
>    4. Re: "mesh networking" for lxc containers (similar to weave)? (Tomasz Chmielewski)
>    5. Re: "mesh networking" for lxc containers (similar to weave)? (Janjaap Bos)
>    6. Where can i find the causes of restart problems (Thouraya TH)
>    7. Re: Where can i find the causes of restart problems (Janjaap Bos)
>
>
> ---------- Forwarded message ----------
> From: Tomasz Chmielewski <man...@wpkg.org>
> To: lxc-users@lists.linuxcontainers.org
> Cc:
> Date: Sat, 20 Jun 2015 01:15:23 +0900
> Subject: [lxc-users] "mesh networking" for lxc containers (similar to weave)?
>
> Are there any solutions which would let one build "mesh networking" for
> lxc containers, similar to what weave does for docker?
>
> Assumptions:
>
> - multiple servers (hosts) which are not in the same subnet (i.e. in
>   different DCs in different countries),
> - containers share the same subnet (i.e. 10.0.0.0/8), no matter on which
>   host they are running
> - if container is migrated to a different host, it is still reachable on
>   the same IP address without any changes in the networking
>
> I suppose the solution would run only once on each of the hosts, rather
> than in each container.
>
> Is there something similar for lxc?
>
> --
> Tomasz Chmielewski
> http://wpkg.org
>
>
> ---------- Forwarded message ----------
> From: Xavier Gendre <gendre.rei...@gmail.com>
> To: lxc-users@lists.linuxcontainers.org
> Cc:
> Date: Fri, 19 Jun 2015 18:44:14 +0200
> Subject: Re: [lxc-users] Nested container in unpriviledged container
>
> On 18/06/2015 06:35, Serge Hallyn wrote:
>
>> Quoting Xavier Gendre (gendre.rei...@gmail.com):
>>
>>> On 15/06/2015 17:17, Serge Hallyn wrote:
>>>
>>>> Quoting Xavier Gendre (gendre.rei...@gmail.com):
>>>>
>>>>> Hi,
>>>>>
>>>>> I wanted to run a container in an unprivileged container and I am
>>>>> glad to have succeeded in doing it. The point is that I am not sure
>>>>> if what I did is acceptable from the security point of view or not...
>>>>>
>>>>> Here are the steps I did:
>>>>>
>>>>> 1) create an unprivileged container (lxc.id_map, ...) called 'test'.
>>>>>
>>>>> 2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
>>>>> its config file:
>>>>>
>>>>> lxc.mount.auto = cgroup:mixed
>>>>>
>>>>> 3) create a basic container called 'p1' with the download template
>>>>> as root in 'test'.
>>>>>
>>>>> 4) in the host, I chown the cgroup hierarchy of 'test' to give it to
>>>>> the user id mapped to the id 0 in 'test' (this id is 362144 in my
>>>>> example),
>>>>>
>>>>> for T in `ls /sys/fs/cgroup`; do
>>>>>     chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
>>>>> done
>>>>>
>>>>> 5) successfully start the container 'p1' in 'test' :-)
>>>>>
>>>>> I am not an expert with cgroups and I am wondering if I am letting
>>>>> the devil enter my home with that...
>>>>>
>>>>> So, what is your opinion: is it a possible security break or is it
>>>>> safe?
>>>>
>>>> Two things to make this safer
>>>>
>>>> 1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
>>>> its 'tasks' and 'cgroup.procs' files. That way the container can create
>>>> sub-cgroups but cannot raise its own limits.
>>>>
>>>> 2. Only do this for the controllers you definitely need. Freezer and
>>>> memory for example. Then set lxc.cgroup.use in /etc/lxc/lxc.conf
>>>> (see lxc.system.conf(5)).
>>>>
>>>> -serge
>>>
>>> Hello Serge,
>>>
>>> thank you for your advice. Indeed, chowning only the directories is
>>> sufficient to start the nested container. I did not have to chown
>>> 'tasks' and 'cgroup.procs' in order to simply start it.
>>>
>>> Your second point is more obscure for me... For now, I have to chown
>>> all the controllers:
>>>
>>> 'blkio' 'cpu,cpuacct' 'cpuset' 'devices' 'freezer'
>>> 'net_cls,net_prio' 'perf_event'
>>>
>>> When you say 'need', does it apply to the container 'test' or to 'p1'
>>> in my example?
>>
>> The child one, p1. With new enough lxc you should be able to
>> use only freezer, setting that as lxc.cgroup.use in the
>> system lxc.conf.
>
> Arf, for now, I am still working with Debian Jessie and LXC 1.0.7. I will
> be able to try your suggestions when a more recent version of LXC appears
> in the Debian repositories. Thus, I continue to chown my whole list of
> controllers :-°
>
>>> If I plan to allow quite general containers to run in
>>> my unprivileged container, should all the controllers be chowned or
>>> are there some that are definitely not needed?
>>
>> General containers are fine, it's only if you need the nested containers
>> to be more finely restricted, i.e. if you simply must be able to
>> allocate only a subset of test1's cpus or memory.
>
> Ok, thanks for this example, it is clearer for me now.
>
> Thank you for these explanations,
> Xavier
>
>
> ---------- Forwarded message ----------
> From: Christoph Lehmann <p...@christophlehmann.eu>
> To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
> Cc:
> Date: Fri, 19 Jun 2015 20:20:21 +0200
> Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?
>
> There is no magic with lxc's networking. It's just a bridge and some
> iptables rules for NAT and a dhcp server.
>
> You can set up a bridge on your public interface, configure the container
> to use that bridge and do the same on your second host.
>
> --
> This message was sent from my Android mobile phone with K-9 Mail.
>
>
> ---------- Forwarded message ----------
> From: Tomasz Chmielewski <man...@wpkg.org>
> To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
> Cc:
> Date: Sat, 20 Jun 2015 10:37:12 +0900
> Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?
>
> I know this is just "normal networking", however, there are at least two
> issues with your suggestions:
>
> - it assumes the hosts are in the same subnet (say, connected to the same
>   switch), so it won't work if the hosts have two different public IPs (i.e.
>   46.1.2.3 and 124.8.9.10)
>
> - with just two hosts, you may overcome the above limitation with some VPN
>   magic; however, it becomes problematic as the number of hosts grows
>   (imagine 10 or more hosts, trying to set it up without SPOF / central VPN
>   server; ideally, the hosts should talk to themselves using the shortest
>   paths possible)
>
> Therefore, I'm asking if there is any better "magic", as you say, for lxc
> networking?
> Possibly it could be achieved with tinc, running on hosts only -
> http://www.tinc-vpn.org/ - but haven't really used it.
> And maybe people have other ideas?
>
> --
> Tomasz Chmielewski
> http://wpkg.org
>
>
> ---------- Forwarded message ----------
> From: Janjaap Bos <janjaap...@gmail.com>
> To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
> Cc:
> Date: Sat, 20 Jun 2015 08:16:27 +0200
> Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?
>
> Yes, ZeroTier provides peer-to-peer virtual networking. It is cloud /
> container / virtualiser agnostic. It will work anywhere and we use it for
> connecting containers & VMs across clouds. Also to provide access to users
> on Windows / OSX.
>
> Within the container you need access to the /dev/net/tun device and
> depending on the flavour (lxc / lxd / docker) net_admin capabilities.
>
> You can download it at https://www.zerotier.com or build it from
> https://github.com/zerotier/ZeroTierOne
>
> Since it is peer-to-peer there is very little overhead. Packets destined
> for local peers will stay within the local net. You can create very large
> distributed flat ether networks. Great for the type of cloud backplane you
> described.
>
> Also, this enables you to live migrate instances while maintaining their
> network configuration.
>
>
> ---------- Forwarded message ----------
> From: Thouraya TH <thouray...@gmail.com>
> To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
> Cc:
> Date: Sat, 20 Jun 2015 12:56:03 +0100
> Subject: [lxc-users] Where can i find the causes of restart problems
>
> Hello all,
>
> Please, I try to run my container but it is blocked.
>
> lxc-start -n worker1
>
> Where can I find the causes of restart problems? (logs?)
>
> Thanks a lot.
> Best Regards.
>
>
> ---------- Forwarded message ----------
> From: Janjaap Bos <janjaap...@gmail.com>
> To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
> Cc:
> Date: Sat, 20 Jun 2015 13:57:56 +0200
> Subject: Re: [lxc-users] Where can i find the causes of restart problems
>
> /var/log/lxc
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
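
Serge Hallyn's two suggestions in the quoted nested-container thread, sketched as a script (an added example, not code from the thread or from LXC): change the owner of only the container's cgroup directory plus its `tasks` and `cgroup.procs` files, and only for the controllers named on the command line. The function names and the `CGROUP_ROOT` override are assumptions made here; the cgroup v1 layout `/sys/fs/cgroup/<controller>/lxc/<name>` is the one used in the thread.

```shell
#!/bin/sh
# Added example: narrow cgroup (v1) delegation for a nested unprivileged container.
# plan_delegation, apply_delegation and CGROUP_ROOT are names assumed for this sketch.
# Usage (as root on the host): ./delegate.sh 362144 test freezer memory

CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Print every path whose owner should change: the container's cgroup directory
# itself plus 'tasks' and 'cgroup.procs', for the listed controllers only.
plan_delegation() {
    container="$1"; shift
    for ctrl in "$@"; do
        dir="$CGROUP_ROOT/$ctrl/lxc/$container"
        if [ ! -d "$dir" ]; then
            echo "skip: $dir does not exist" >&2
            continue
        fi
        echo "$dir"
        for f in tasks cgroup.procs; do
            if [ -f "$dir/$f" ]; then
                echo "$dir/$f"
            fi
        done
    done
}

# Apply the plan. There is deliberately no -R: limit files such as
# memory.limit_in_bytes stay owned by the host's root, so the container
# can create sub-cgroups but cannot raise its own limits.
apply_delegation() {
    owner="$1"; shift
    plan_delegation "$@" | while IFS= read -r path; do
        chown "$owner:$owner" "$path" || exit 1
    done
}

# Run only when called with <uid> <container> <controller>...
if [ "$#" -ge 3 ]; then
    apply_delegation "$@"
fi
```

The controllers passed here should be the same ones listed in `lxc.cgroup.use`, as the quoted advice describes.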