Hello LXC/LXD users! I'm Maciej and this is my first post on the lxc-users mailing list. I'm writing an Ansible role to configure and manage an LXC environment based on Debian Stretch (currently no LXD support, due to LXD not being present in the Debian Stable release yet), for production environments. I have encountered two issues with this container setup, and I wonder if anybody knows some better solutions.

I'm not sure if there's a way to configure the hidepid=2 option in unprivileged LXC containers, started by root, without modifying the default Debian packages in some way. After googling for a bit I've found this forum thread:

https://discuss.linuxcontainers.org/t/hidepid-2-not-working-in-lxc/2060/17

But the solutions there seem to be only usable with Proxmox, and not a stock Debian Stretch install with LXC 2.0.7. Has anybody been able to mount /proc with hidepid=2,gid=70 or a similar set of options in unprivileged LXC containers? Privileged containers seem to work fine, but that's probably a given. It's not a pressing issue though; I can live with container processes being visible for now.

The other issue is with stopping the LXC containers using the 'lxc-stop' command. I know that this is related to the systemd inside of the container not being configured properly to respond to the SIGPWR signal, and I saw some solutions to this issue:

https://bugs.debian.org/831691
https://lists.linuxcontainers.org/pipermail/lxc-users/2017-February/012827.html
https://github.com/lxc/lxd/issues/2947

The behaviour I'm experiencing on Debian Stretch is that after issuing the 'lxc-stop -n <container>' command the container begins the shutdown procedure but stops after the "Stopped Network Service" unit. Terminating the 'lxc-stop' command with ^C and running it again finishes the container shutdown. However, this procedure seems to be a bit complicated to implement with the 'lxc.service' unit, so that system shutdown correctly stops the services inside of the containers, not to mention that currently they just reach the 60s timeout and are forcibly killed anyway. I decided to switch to using 'lxc@.service' system instances to run the containers.

This allows me to, via the ExecStop= parameter, attach to the running container and execute the 'systemctl --no-block poweroff' command to stop the container "from the inside", which properly shuts down the services inside of the container and exits without reaching the timeout. However, this solution seems to be counter-intuitive and does not integrate well with lxc-* commands like lxc-stop or lxc-destroy. The final status of the systemd instance can end up in the failed state with LXC containers that contain lots of services, or that are destroyed with the lxc-destroy command without stopping the container first via systemd, but that I can live with. I just wonder if the proposed solution could be improved without modifying official Debian packages.

Thanks for reading and have a nice day.

Maciej Delmanowski

lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
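One way to express the ExecStop= approach described in the post as a systemd drop-in for the 'lxc@.service' instance template (an added example, not the poster's own unit file; the drop-in path, the extra 'lxc-wait' step, the reset of the packaged ExecStop= and the timeout values are assumptions):

```ini
# /etc/systemd/system/lxc@.service.d/poweroff-from-inside.conf  (assumed path)
# Drop-in for the stock lxc@.service shipped with Debian's lxc package.
# Apply with: systemctl daemon-reload
[Service]
# Clear the packaged ExecStop= (lxc-stop -n %i) before replacing it.
ExecStop=
# Ask the container's own systemd to power off, so its units stop in order
# instead of relying on the SIGPWR handling that lxc-stop depends on.
ExecStop=/usr/bin/lxc-attach -n %i -- /bin/systemctl --no-block poweroff
# --no-block returns immediately; block until the container actually reaches
# STOPPED so systemd does not treat the stop as finished while services still run.
ExecStop=/usr/bin/lxc-wait -n %i -s STOPPED -t 60
# Leave room for both steps before systemd falls back to SIGTERM/SIGKILL.
TimeoutStopSec=90s
```

Each ExecStop= line runs in order and a failing line aborts the sequence, so a container whose systemd never reaches STOPPED within the lxc-wait timeout still ends in the failed state the post describes.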