I can provision a new LXC container, which includes running a few
"aptitude install foo" lines (inside the containers), and it Just Works.
If I try to provision two containers at the same time, both containers
appear to hang with a dpkg process in the D state[0].

Has anybody run into this before?

I'm invoking aptitude in the post-install hook, which is triggered when
ISC dhclient acquires a DHCP address.  Where /etc/lxc/$name.setup
contains lines like "aptitude install -yq foo",

    chroot $target_dir tee >/dev/null /root/lxc-setup </etc/lxc/$name.setup
    chroot $target_dir chmod +x /root/lxc-setup
    [...]
    chroot $target_dir tee >/dev/null /etc/dhcp3/dhclient-exit-hooks.d/lxc-postinst <<EOF
    case \$reason in
            BOUND|RENEW|REBIND|REBOOT) :;;
            *) return;;
    esac
    exec >/dev/console 2>&1 </dev/null
    rm -f /etc/dhcp3/dhclient-exit-hooks.d/lxc-postinst # delete self
    if $debug_p
    then ${TERM+export TERM=$TERM} # colour during debug build
         PS4="\`tput setaf 2||:\`\$PS4\`tput sgr0||:\`"
         set -x
    fi
    export DEBIAN_FRONTEND=noninteractive
    export HOME=\`mktemp -d\` # needed for apt->etckeeper->git
    git config --global user.name root
    git config --global user.email r...@\`hostname --fqdn\`
    etckeeper commit "Generate new SSL host key."
    # Generate new SSH host keys.
    rm /etc/ssh/ssh_host_???_key*
    dpkg-reconfigure openssh-server
    etckeeper commit "Generate new SSH host keys."
    test -x /root/lxc-setup && /root/lxc-setup
    etckeeper commit "Ran container-specific posthook."
    EOF

I'm using ubuntu 10.04 for both dom0 and containers, with its stock
2.6.32 kernel, and an lxc 0.7.3 from natty.  My config for each
container looks like this:

# Created 2011-01-12 11:31:11.151135457+11:00
# Created 2011-01-12 01:05:41.488025425+11:00 (template)
lxc.utsname = proud
lxc.console = /var/log/lxc/proud.console
lxc.rootfs = /srv/lxc/proud
lxc.tty = 1
lxc.pts = 1024

lxc.network.type = veth
lxc.network.link = br-managed
lxc.network.name = managed
lxc.network.flags = up

# Note: memsw is memory+swap; it CANNOT be less than memory alone.
lxc.cgroup.memory.soft_limit_in_bytes = 128M
lxc.cgroup.memory.limit_in_bytes = 256M
lxc.cgroup.memory.memsw.limit_in_bytes = 512M
# These are: null zero random urandom tty* tty console ptmx pts/* rtc0
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = c 1:5 rw
lxc.cgroup.devices.allow = c 1:8 rw
lxc.cgroup.devices.allow = c 1:9 rw
lxc.cgroup.devices.allow = c 4:* rw
lxc.cgroup.devices.allow = c 5:0 rw
lxc.cgroup.devices.allow = c 5:1 rw
lxc.cgroup.devices.allow = c 5:2 rw
lxc.cgroup.devices.allow = c 136:* rw
lxc.cgroup.devices.allow = c 254:0 r

# Prevent container from using mount(8), esp. remounting its root filesystem -oro.
# This necessitates mounting *at least* /proc outside.
lxc.cap.drop = sys_admin
lxc.mount.entry  = none /srv/lxc/proud/dev/shm tmpfs nosuid,nodev
lxc.mount.entry  = none /srv/lxc/proud/lib/init/rw tmpfs mode=0755,nosuid,size=8m
lxc.mount.entry  = none /srv/lxc/proud/proc proc nodev,noexec,nosuid
#lxc.mount.entry = none /srv/lxc/proud/proc/sys/fs/binfmt_misc binfmt_misc nodev,noexec,nosuid
#lxc.mount.entry = none /srv/lxc/proud/sys sysfs nodev,noexec,nosuid
#lxc.mount.entry = none /srv/lxc/proud/sys/fs/fuse/connections fusectl defaults
#lxc.mount.entry = none /srv/lxc/proud/sys/kernel/debug debugfs defaults
#lxc.mount.entry = none /srv/lxc/proud/sys/kernel/security securityfs defaults
lxc.mount.entry  = none /srv/lxc/proud/tmp tmpfs defaults
lxc.mount.entry  = none /srv/lxc/proud/var/lock tmpfs nodev,noexec,nosuid,size=8m
# This mount would break lxc-start's halt/reboot autodetection (in lxc 0.7.x).
#lxc.mount.entry = none /srv/lxc/proud/var/run tmpfs mode=0755,nosuid,size=8m
# Data mountpoints
lxc.mount.entry  = /srv/mirror /srv/lxc/proud/srv/mirror none bind,ro
lxc.mount.entry  = /home       /srv/lxc/proud/home       none bind
lxc.mount.entry  = /srv/squid /srv/lxc/proud/var/spool/squid none bind

# Disabled because their absence causes problems:
#chown net_admin setgid                 # getty or login
#net_bind_service net_raw net_broadcast # dhclient
#setuid                                 # rsyslog
#sys_chroot                             # openssh-server
#fowner dac_override dac_read_search    # lots of things (like root_squash)
#kill                                   # needed by default to stop rsyslogd/slapd
# Disabled because I *think* they're harmless:
#fsetid ipc_lock ipc_owner lease sys_nice sys_ptrace
lxc.cap.drop = audit_control audit_write linux_immutable mac_admin
lxc.cap.drop = mac_override mknod setfcap setpcap sys_admin sys_boot
lxc.cap.drop = sys_module sys_pacct sys_rawio sys_resource sys_time
lxc.cap.drop = sys_tty_config
[0] To make matters worse, attempting to cleanly shut down those
    containers causes them to run /bin/sync, which also hangs in D!
    I've worked around that part by replacing /bin/sync with a link to
    /bin/true in containers, since I see no reason why a container would
    need to run it.
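As an added example (not code from the original post or from the LXC project), here is a small Python lint that encodes the rules the config's own comments state: memsw never below the memory limit, "devices.deny = a" placed before the allow list, a proc mount entry once sys_admin is dropped, and nosuid on every tmpfs mount. The finding texts and the WEAK sample config are constructed.

```python
# Added example, not code from the original post or from LXC: a lint for
# LXC 0.7-style configs.  WEAK below is a constructed config breaking every rule.
import re

_SIZES = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def parse_size(value):
    """'256M' or '512' to bytes (LXC accepts K/M/G suffixes)."""
    num, unit = re.fullmatch(r"(\d+)([KMG]?)", value.strip()).groups()
    return int(num) * _SIZES.get(unit, 1)

def parse_config(text):
    """Ordered (key, value) pairs with comments skipped; keys may repeat."""
    pairs = []
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")  # values may contain '=' (mode=0755)
            pairs.append((key.strip(), value.strip()))
    return pairs

def lint(text):
    """Return a list of findings; an empty list means the config passes."""
    pairs = parse_config(text)
    get = lambda k: [v for key, v in pairs if key == k]
    findings = []
    mem, memsw = get("lxc.cgroup.memory.limit_in_bytes"), get("lxc.cgroup.memory.memsw.limit_in_bytes")
    if mem and memsw and parse_size(memsw[-1]) < parse_size(mem[-1]):
        findings.append("memsw limit is below the memory limit")
    # devices.deny = a clears the whitelist, so it must precede every allow entry
    allow = next((i for i, (k, _) in enumerate(pairs) if k == "lxc.cgroup.devices.allow"), None)
    deny = next((i for i, kv in enumerate(pairs) if kv == ("lxc.cgroup.devices.deny", "a")), None)
    if allow is not None and (deny is None or deny > allow):
        findings.append("devices.deny = a missing or placed after an allow entry")
    caps = set(" ".join(get("lxc.cap.drop")).split())
    mounts = [m.split() for m in get("lxc.mount.entry") if len(m.split()) >= 4]
    if "sys_admin" in caps and not any(m[2] == "proc" for m in mounts):
        findings.append("sys_admin dropped but no proc mount entry; /proc must be mounted from outside")
    for m in mounts:  # a tmpfs without nosuid honours setuid files dropped into it
        if m[2] == "tmpfs" and "nosuid" not in m[3].split(","):
            findings.append("tmpfs %s lacks nosuid" % m[1])
    return findings

WEAK = """\
lxc.cgroup.memory.limit_in_bytes = 256M
lxc.cgroup.memory.memsw.limit_in_bytes = 128M
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.deny = a
lxc.cap.drop = sys_admin
lxc.mount.entry = none /srv/lxc/x/tmp tmpfs defaults
"""
```

Against the config in the post it reports only the /tmp tmpfs, which is mounted with "defaults" rather than nosuid.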
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users