On 22/10/12 03:06, Michael H. Warfield wrote:
> On Mon, 2012-10-22 at 02:53 +0200, Kay Sievers wrote:
>> On Sun, Oct 21, 2012 at 11:25 PM, Michael H. Warfield <m...@wittsend.com>
>> wrote:
>>> This is being directed to the systemd-devel community but I'm cc'ing the
>>> lxc-users community and the Fedora community on this for their input as
>>> well. I know it's not always good to cross post between multiple lists
>>> but this is of interest to all three communities who may have valuable
>>> input.
>>>
>>> I'm new to this particular list, just having joined after tracking a
>>> problem down to some systemd internals...
>>>
>>> Several people over the last year or two on the lxc-users list have been
>>> discussions trying to run certain distros (notably Fedora 16 and above,
>>> recent Arch Linux and possibly others) in LXC containers, virualizing
>>> entire servers this way. This is very similar to Virtuoso / OpenVZ only
>>> it's using the native Linux cgroups for the containers (primary reason I
>>> dumped OpenVZ was to avoid their custom patched kernels). These recent
>>> distros have switched to systemd for the main init process and this has
>>> proven to be disastrous for those of us using LXC and trying to install
>>> or update our containers.
>>>
>>> To put it bluntly, it doesn't work and causes all sorts of problems on
>>> the host.
>>>
>>> To summarize the problem... The LXC startup binary sets up various
>>> things for /dev and /dev/pts for the container to run properly and this
>>> works perfectly fine for SystemV start-up scripts and/or Upstart.
>>> Unfortunately, systemd has mounts of devtmpfs on /dev and devpts
>>> on /dev/pts which then break things horribly. This is because the
>>> kernel currently lacks namespaces for devices and won't for some time to
>>> come (in design). When devtmpfs gets mounted over top of /dev in the
>>> container, it then hijacks the hosts console tty and several other
>>> devices which had been set up through bind mounts by LXC and should have
>>> been LEFT ALONE.
>>>
>>> Yes! I recognize that this problem with devtmpfs and lack of namespaces
>>> is a potential security problem anyways that could (and does) cause
>>> serious container-to-host problems. We're just not going to get that
>>> fixed right away in the linux cgroups and namespaces.
>>>
>>> How do we work around this problem in systemd where it has hard coded
>>> mounts in the binary that we can't override or configure? Or is it
>>> there and I'm just missing it trying to examine the sources? That's how
>>> I found where the problem lay.
>> As a first step, this probably explains most of it:
>> http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface
> A very long ways, yeah. That looks like it could be just what we've
> been looking for. Just gotta figure out how to set that environment
> variable but that's up to a couple of others to comment on in the
> lxc-users list. Then we'll see where we go from there.
>
> Many thanks!
>
>> Kay
> Regards,
> Mike
>
I've just performed a very quick check on my Arch Linux system here.
on host (running systemd):
# cat /proc/1/environ
TERM=linuxRD_TIMESTAMP=
In a container (running sysvinit):
# cat /proc/1/environ
STY=623.systemd-lithiumTERM=screenTERMCAP=SC|screen|VT 100/ANSI X3.64
virtual terminal:\
:DO=\E[%dB:LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:bs:bt=\E[Z:\
:cd=\E[J:ce=\E[K:cl=\E[H\E[J:cm=\E[%i%d;%dH:ct=\E[3g:\
:do=^J:nd=\E[C:pt:rc=\E8:rs=\Ec:sc=\E7:st=\EH:up=\EM:\
:le=^H:bl=^G:cr=^M:it#8:ho=\E[H:nw=\EE:ta=^I:is=\E)0:\
:li#24:co#80:am:xn:xv:LP:sr=\EM:al=\E[L:AL=\E[%dL:\
:cs=\E[%i%d;%dr:dl=\E[M:DL=\E[%dM:dc=\E[P:DC=\E[%dP:\
:im=\E[4h:ei=\E[4l:mi:IC=\E[%d@:ks=\E[?1h\E=:\
:ke=\E[?1l\E>:vi=\E[?25l:ve=\E[34h\E[?25h:vs=\E[34l:\
:ti=\E[?1049h:te=\E[?1049l:k0=\E[10~:k1=\EOP:k2=\EOQ:\
:k3=\EOR:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:\
:k8=\E[19~:k9=\E[20~:k;=\E[21~:F1=\E[23~:F2=\E[24~:\
:kh=\E[1~:@1=\E[1~:kH=\E[4~:@7=\E[4~:kN=\E[6~:kP=\E[5~:\
:kI=\E[2~:kD=\E[3~:ku=\EOA:kd=\EOB:kr=\EOC:kl=\EOD:WINDOW=0SHELL=/bin/shPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binLANG=en_GB.UTF-8container=lxc
So it looks like that "container" environment variable is already set on
PID1
Regards,
John
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
