My understanding was that you manually set lxc.cgroup.devices.deny = a
after starting up the container. Is that right, or not? If not, please
give your full config files for working and not working cases. -serge
I am using only the configuration file, not manually changing the cgroup after starting.
Attached are the config files, working and not working.
tigra debian-dev # diff config_working config_notworking
10c10
< #lxc.cgroup.devices.deny = a
---
> lxc.cgroup.devices.deny = a
Config file working:
tigra debian-dev # lxc-start -l DEBUG -o /var/log/lxc/debian-dev.log -n debian-dev -f /etc/lxc/debian-dev/config_working -d
tigra debian-dev # lxc-console -n debian-dev
Type <Ctrl+a q> to exit the console
Debian GNU/Linux 6.0 debian-dev tty1
debian-dev login:
----------------------
Config file not working:
tigra debian-dev # lxc-start -l DEBUG -o /var/log/lxc/debian-dev.log -n debian-dev -f /etc/lxc/debian-dev/config_notworking -d
tigra debian-dev # lxc-console -n debian-dev
Type <Ctrl+a q> to exit the console
No prompt for login.
config_notworking:
lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-dev
#lxc.console = /dev/console
# Device configuration:
# Deny access to all devices:
lxc.cgroup.devices.deny = a
# Allow only the following devices to be opened:
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
lxc.cgroup.devices.allow = c 1:8 rwm # dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty - allows ssh-add/password input
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console - allows lxc-start output
lxc.cgroup.devices.allow = c 254:0 rwm # rtc
#
## # TTYs - we create only 3 TTYs: tty0, tty1, tty2, tty3 - you can create up to 12 (see lxc.tty = 12)
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 4:2 rwm # /dev/tty2
lxc.cgroup.devices.allow = c 4:3 rwm # /dev/tty3
#
## pts namespaces
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
#
#
lxc.rootfs = /dev/vg1/debian-dev
#lxc.rootfs.mount = /usr/lib/lxc/rootfs
#lxc.rootfs.mount = /etc/lxc/debian-dev/rootfs
# mounts point
#lxc.mount.entry=proc /etc/lxc/debian-dev/rootfs/proc proc nodev,noexec,nosuid 0 0
#lxc.mount.entry=sysfs /etc/lxc/debian-dev/rootfs/sys sysfs defaults 0 0
#lxc.mount.entry=devpts /usr/lib/lxc/rootfs/dev/pts devpts defaults 0 0
#lxc.mount.entry=proc /usr/lib/lxc/rootfs/proc proc defaults 0 0
#lxc.mount.entry=sysfs /usr/lib/lxc/rootfs/sys sysfs defaults 0 0
#lxc.mount.entry=tmpfs /usr/lib/lxc/rootfs/dev/shm tmpfs defaults 0 0
# restrict capabilities:
#lxc.cap.drop = audit_control
#lxc.cap.drop = audit_write
#lxc.cap.drop = mac_admin
#lxc.cap.drop = mac_override
#lxc.cap.drop = setpcap
##lxc.cap.drop = sys_admin
#lxc.cap.drop = sys_boot
#lxc.cap.drop = sys_module
#lxc.cap.drop = sys_rawio
#lxc.cap.drop = sys_time
# By default, don't use lxc.cap.drop = mknod. This will allow mknod to create
# device nodes so build scripts and other things don't fail. Then, we'll
# rely on the devices.deny settings (default deny) to prevent any created
# device nodes inside the container from being used to access the host's
# hardware:
# lxc.cap.drop = mknod
lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.ipv4=10.0.1.1
lxc.network.veth.pair=veth-10.0.1.1
config_working:
lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-dev
#lxc.console = /dev/console
# Device configuration:
# Deny access to all devices:
#lxc.cgroup.devices.deny = a
# Allow only the following devices to be opened:
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
lxc.cgroup.devices.allow = c 1:8 rwm # dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty - allows ssh-add/password input
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console - allows lxc-start output
lxc.cgroup.devices.allow = c 254:0 rwm # rtc
#
## # TTYs - we create only 3 TTYs: tty0, tty1, tty2, tty3 - you can create up to 12 (see lxc.tty = 12)
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 4:2 rwm # /dev/tty2
lxc.cgroup.devices.allow = c 4:3 rwm # /dev/tty3
#
## pts namespaces
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
#
#
lxc.rootfs = /dev/vg1/debian-dev
#lxc.rootfs.mount = /usr/lib/lxc/rootfs
#lxc.rootfs.mount = /etc/lxc/debian-dev/rootfs
# mounts point
#lxc.mount.entry=proc /etc/lxc/debian-dev/rootfs/proc proc nodev,noexec,nosuid 0 0
#lxc.mount.entry=sysfs /etc/lxc/debian-dev/rootfs/sys sysfs defaults 0 0
#lxc.mount.entry=devpts /usr/lib/lxc/rootfs/dev/pts devpts defaults 0 0
#lxc.mount.entry=proc /usr/lib/lxc/rootfs/proc proc defaults 0 0
#lxc.mount.entry=sysfs /usr/lib/lxc/rootfs/sys sysfs defaults 0 0
#lxc.mount.entry=tmpfs /usr/lib/lxc/rootfs/dev/shm tmpfs defaults 0 0
# restrict capabilities:
#lxc.cap.drop = audit_control
#lxc.cap.drop = audit_write
#lxc.cap.drop = mac_admin
#lxc.cap.drop = mac_override
#lxc.cap.drop = setpcap
##lxc.cap.drop = sys_admin
#lxc.cap.drop = sys_boot
#lxc.cap.drop = sys_module
#lxc.cap.drop = sys_rawio
#lxc.cap.drop = sys_time
# By default, don't use lxc.cap.drop = mknod. This will allow mknod to create
# device nodes so build scripts and other things don't fail. Then, we'll
# rely on the devices.deny settings (default deny) to prevent any created
# device nodes inside the container from being used to access the host's
# hardware:
# lxc.cap.drop = mknod
lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.ipv4=10.0.1.1
lxc.network.veth.pair=veth-10.0.1.1
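The one-line difference between the two configs changes what the container is allowed to touch far more than the symptom suggests. The script below is an added example written for this thread; it is not code from the lxc-users list or from the LXC project. It replays the lxc.cgroup.devices.deny / lxc.cgroup.devices.allow lines in file order under a simplified model of the whitelist-style cgroup v1 devices controller of that era: a new container cgroup inherits its parent's whitelist (normally the single entry "a *:* rwm", i.e. everything), "deny = a" empties it, and each "allow" appends an entry. The config fragments, the probe devices (/dev/sda and /dev/mem as stand-ins for host hardware) and the function names are all constructed for the example.

```python
"""Simulate the cgroup v1 'devices' whitelist that an LXC config produces.

Added example, not the lxc-users list's or the LXC project's code.  Model
(simplified, whitelist-style controller): the container cgroup starts with
its parent's whitelist, 'deny' strips the denied access bits from every
entry the deny rule covers, 'allow' appends an entry, and an open() is
permitted when a single entry matches the device and carries every
requested access bit.
"""
import re

RULE_RE = re.compile(
    r"^\s*lxc\.cgroup\.devices\.(?P<verb>allow|deny)\s*=\s*(?P<type>[abc])"
    r"(?:\s+(?P<major>\*|\d+):(?P<minor>\*|\d+)\s+(?P<access>[rwm]+))?\s*$"
)

# What a freshly created child cgroup normally inherits: everything.
DEFAULT_WHITELIST = [("a", "*", "*", frozenset("rwm"))]


def parse_rules(config_text):
    """Return (verb, type, major, minor, access) tuples in file order."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]  # drops '#lxc...' lines and trailing '# dev/null' notes
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append((m["verb"], m["type"], m["major"] or "*", m["minor"] or "*",
                      frozenset(m["access"] or "rwm")))
    return rules


def _covers(rule_type, rule_major, rule_minor, dtype, major, minor):
    """True if a pattern (type, major, minor, with '*' wildcards) matches a concrete device."""
    return ((rule_type == "a" or rule_type == dtype)
            and rule_major in ("*", major) and rule_minor in ("*", minor))


def _deny_covers(rule, entry):
    """Simplification: a deny removes only entries it fully covers (wildcard or equal fields)."""
    rtype, rmajor, rminor = rule
    etype, emajor, eminor = entry[:3]
    return ((rtype == "a" or etype == "a" or rtype == etype)
            and rmajor in ("*", emajor) and rminor in ("*", eminor))


def effective_whitelist(config_text, inherited=DEFAULT_WHITELIST):
    """Apply the config's deny/allow lines in order and return the resulting whitelist."""
    whitelist = list(inherited)
    for verb, dtype, major, minor, access in parse_rules(config_text):
        if verb == "allow":
            whitelist.append((dtype, major, minor, access))
            continue
        kept = []
        for entry in whitelist:
            if not _deny_covers((dtype, major, minor), entry):
                kept.append(entry)
                continue
            remaining = entry[3] - access
            if remaining:
                kept.append((entry[0], entry[1], entry[2], remaining))
        whitelist = kept
    return whitelist


def allowed(config_text, dtype, major, minor, access="r"):
    """Would the container be allowed to open this device with these access bits?"""
    needed = frozenset(access)
    return any(_covers(e[0], e[1], e[2], dtype, major, minor) and needed <= e[3]
               for e in effective_whitelist(config_text))


# Constructed fragments mirroring the thread's diff; the rest of the config is identical.
CONFIG_NOTWORKING = """
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
"""
CONFIG_WORKING = CONFIG_NOTWORKING.replace("lxc.cgroup.devices.deny = a",
                                           "#lxc.cgroup.devices.deny = a")

# Constructed probes: two nodes the container needs and two host resources it should not reach.
PROBES = {
    "/dev/null   c 1:3":   ("c", "1", "3", "rw"),
    "/dev/tty1   c 4:1":   ("c", "4", "1", "rw"),
    "/dev/pts/7  c 136:7": ("c", "136", "7", "rw"),
    "/dev/mem    c 1:1":   ("c", "1", "1", "r"),   # host physical memory
    "/dev/sda    b 8:0":   ("b", "8", "0", "rw"),  # a host disk
}


def audit(config_text):
    """Map each probe to whether the config lets the container open it."""
    return {name: allowed(config_text, *dev) for name, dev in PROBES.items()}


if __name__ == "__main__":
    for label, cfg in (("config_notworking", CONFIG_NOTWORKING), ("config_working", CONFIG_WORKING)):
        print(f"== {label}: {len(effective_whitelist(cfg))} whitelist entries")
        for name, ok in audit(cfg).items():
            print(f"  {name:22} {'allowed' if ok else 'DENIED'}")
```

Under config_notworking the whitelist holds exactly the six allow entries, so /dev/null, tty1 and the pts are reachable while /dev/mem and the host disk are denied. Under config_working the inherited "a *:* rwm" entry is never removed, every probe is allowed, and the allow lines are no-ops: the container boots to a login prompt because it has unrestricted access to host devices, which is the trade the commented-out line quietly makes.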
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users