Re: [Lxc-users] connecting lxc-console is impossible after deny cgroup by default activated

Thierry Mon, 05 Nov 2012 10:24:42 -0800

My understanding was that you manually set lxc.cgroup.devices.deny = a
after starting up the container. Is that right, or not? If not, please
give your full config files for working and not working cases. -serge


Using only configuration file. Not manually change cgroup after starting.

join config file working and not working.

tigra debian-dev # diff config_working config_notworking
10c10
< #lxc.cgroup.devices.deny = a
---
> lxc.cgroup.devices.deny = a



A config file working:
tigra debian-dev # lxc-start -l DEBUG -o /var/log/lxc/debian-dev.log -n
debian-dev -f /etc/lxc/debian-dev/config_working -d
tigra debian-dev # lxc-console -n debian-dev

Type <Ctrl+a q> to exit the console

Debian GNU/Linux 6.0 debian-dev tty1

debian-dev login:


----------------------
config file not working:
tigra debian-dev # lxc-start -l DEBUG -o /var/log/lxc/debian-dev.log -n
debian-dev -f /etc/lxc/debian-dev/config_notworking -d
tigra debian-dev # lxc-console -n debian-dev

Type <Ctrl+a q> to exit the console



not prompt for login

  * Anglais - détecté
  * Anglais
  * Français

  * Anglais
  * Français

<javascript:void(0);>

lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-dev

#lxc.console = /dev/console


# Device configuration:
# Deny access to all devices:
lxc.cgroup.devices.deny = a 
# Allow only the following devices to be opened:
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
lxc.cgroup.devices.allow = c 1:8 rwm # dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty - allows ssh-add/password input
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console - allows lxc-start output
lxc.cgroup.devices.allow = c 254:0 rwm # rtc
#
## # TTYs - we create only 3 TTYs: tty0, tty1, tty2, tty3 - you can create up 
to 12 (see lxc.tty = 12)
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 4:2 rwm # /dev/tty2
lxc.cgroup.devices.allow = c 4:3 rwm # /dev/tty3
#
## pts namespaces
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
#
#
lxc.rootfs = /dev/vg1/debian-dev
#lxc.rootfs.mount = /usr/lib/lxc/rootfs
#lxc.rootfs.mount = /etc/lxc/debian-dev/rootfs
# mounts point
#lxc.mount.entry=proc /etc/lxc/debian-dev/rootfs/proc proc nodev,noexec,nosuid 
0 0
#lxc.mount.entry=sysfs /etc/lxc/debian-dev/rootfs/sys sysfs defaults  0 0
#lxc.mount.entry=devpts /usr/lib/lxc/rootfs/dev/pts devpts defaults 0 0
#lxc.mount.entry=proc /usr/lib/lxc/rootfs/proc    proc   defaults 0 0
#lxc.mount.entry=sysfs /usr/lib/lxc/rootfs/sys     sysfs  defaults 0 0
#lxc.mount.entry=tmpfs /usr/lib/lxc/rootfs/dev/shm tmpfs  defaults 0 0

# restrict capabilities:
#lxc.cap.drop = audit_control
#lxc.cap.drop = audit_write
#lxc.cap.drop = mac_admin
#lxc.cap.drop = mac_override
#lxc.cap.drop = setpcap
##lxc.cap.drop = sys_admin
#lxc.cap.drop = sys_boot
#lxc.cap.drop = sys_module
#lxc.cap.drop = sys_rawio
#lxc.cap.drop = sys_time
# By default, don't use lxc.cap.drop = mknod. This will allow mknod to create
# device nodes so build scripts and other things don't fail. Then, we'll
# rely on the devices.deny settings (default deny) to prevent any created 
# device nodes inside the container from being used to access the host's 
# hardware:
# lxc.cap.drop = mknod

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.ipv4=10.0.1.1
lxc.network.veth.pair=veth-10.0.1.1

lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-dev

#lxc.console = /dev/console


# Device configuration:
# Deny access to all devices:
#lxc.cgroup.devices.deny = a 
# Allow only the following devices to be opened:
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
lxc.cgroup.devices.allow = c 1:8 rwm # dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty - allows ssh-add/password input
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console - allows lxc-start output
lxc.cgroup.devices.allow = c 254:0 rwm # rtc
#
## # TTYs - we create only 3 TTYs: tty0, tty1, tty2, tty3 - you can create up 
to 12 (see lxc.tty = 12)
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 4:2 rwm # /dev/tty2
lxc.cgroup.devices.allow = c 4:3 rwm # /dev/tty3
#
## pts namespaces
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
#
#
lxc.rootfs = /dev/vg1/debian-dev
#lxc.rootfs.mount = /usr/lib/lxc/rootfs
#lxc.rootfs.mount = /etc/lxc/debian-dev/rootfs
# mounts point
#lxc.mount.entry=proc /etc/lxc/debian-dev/rootfs/proc proc nodev,noexec,nosuid 
0 0
#lxc.mount.entry=sysfs /etc/lxc/debian-dev/rootfs/sys sysfs defaults  0 0
#lxc.mount.entry=devpts /usr/lib/lxc/rootfs/dev/pts devpts defaults 0 0
#lxc.mount.entry=proc /usr/lib/lxc/rootfs/proc    proc   defaults 0 0
#lxc.mount.entry=sysfs /usr/lib/lxc/rootfs/sys     sysfs  defaults 0 0
#lxc.mount.entry=tmpfs /usr/lib/lxc/rootfs/dev/shm tmpfs  defaults 0 0

# restrict capabilities:
#lxc.cap.drop = audit_control
#lxc.cap.drop = audit_write
#lxc.cap.drop = mac_admin
#lxc.cap.drop = mac_override
#lxc.cap.drop = setpcap
##lxc.cap.drop = sys_admin
#lxc.cap.drop = sys_boot
#lxc.cap.drop = sys_module
#lxc.cap.drop = sys_rawio
#lxc.cap.drop = sys_time
# By default, don't use lxc.cap.drop = mknod. This will allow mknod to create
# device nodes so build scripts and other things don't fail. Then, we'll
# rely on the devices.deny settings (default deny) to prevent any created 
# device nodes inside the container from being used to access the host's 
# hardware:
# lxc.cap.drop = mknod

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.ipv4=10.0.1.1
lxc.network.veth.pair=veth-10.0.1.1

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] connecting lxc-console is impossible after deny cgroup by default activated

Reply via email to