Re: [Lxc-users] Piping output of lxc-monitor to a file without buffering
On Thu, Sep 6, 2012 at 11:13 PM, Fajar A. Nugraha wrote:
> On Fri, Sep 7, 2012 at 7:46 AM, Ken Elkabany wrote:
> > Hi,
> >
> > The following outputs container state changes to the terminal as expected:
> >
> > $ lxc-monitor -n container-1
> >
> > However, the following outputs the same state changes to a file only after a
> > certain buffer size has been reached:
> >
> > $ lxc-monitor -n container-1 &> output
> >
> > This is problematic because it means that live monitoring cannot be done by
> > a separate program. The buffering delays messages, potentially indefinitely.
> >
> > Is there a way around this?
>
> (optional: start a screen session)
> $ script -f /path/to/your-logfile.txt
> $ lxc-monitor -n container-1
>
> ... and on other terminal
> $ tail -f /path/to/your-logfile.txt
>
> --
> Fajar

Unfortunately, in my application there won't be any open terminals. I simply used that as an example to illustrate my point.

Ken

--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Hard links to fifos not permitted in ephemeral containers? (was: Re: selinux trouble in lxc?)
Quoting Dan Kegel (d...@kegel.com):
> On Fri, Sep 7, 2012 at 4:01 PM, Dan Kegel wrote:
> >> mkfifo /tmp/fifo
> >> ln /tmp/fifo /tmp/fifo2
> >> fails with "operation not permitted".
> >>
> > Aha. Starting with 'lxc-start' yields a system which can do the ln.
> > Starting with 'lxc-start-ephemeral' yields a system which can't.
> > Has nothing to do with /tmp.
> >
> > Is overlayfs at fault?
>
> I see there are several rumored sources of restrictions on hardlinks, e.g.
> https://lkml.org/lkml/2011/5/19/384
> https://lkml.org/lkml/2012/2/21/397
>
> And I see this is a known issue:
> http://comments.gmane.org/gmane.linux.ubuntu.devel/34948
>
> Happily, using the -U aufs option to lxc-start-ephemeral seems to work
> around the problem, at least in my little test. I'll know soon if it fixes
> my real system.
>
> But I was not able to find a bug for this issue in launchpad. Should
> I file one?

There are several other bugs in overlayfs which are not hurriedly getting fixed. If you have a testcase to show that it's definitely an overlayfs bug, you might just take it to lkml. But yeah, filing a bug against 'linux' (the kernel package) saying it's an overlayfs bug would be good.

thanks,
-serge
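Serge asks for a testcase that pins the failure on the filesystem rather than on /tmp or the application. The Python reproducer below is an added example, not code from the thread: it creates a fifo in a chosen directory, attempts the hard link, cleans up, and turns the errno into a one-line verdict, so the same script can be run on the host filesystem and inside an lxc-start-ephemeral container for comparison.

```python
import errno
import os
import tempfile


def try_fifo_hardlink(directory):
    """mkfifo + link in `directory`; report success or the errno of the failure."""
    fifo = os.path.join(directory, "fifo")
    link = os.path.join(directory, "fifo2")
    result = {"fifo": fifo, "link": link, "fifo_created": False,
              "link_ok": False, "errno": None}
    try:
        os.mkfifo(fifo)
        result["fifo_created"] = True
        os.link(fifo, link)          # the step that fails with EPERM in the thread
        result["link_ok"] = True
    except OSError as exc:
        result["errno"] = exc.errno
    finally:
        for path in (link, fifo):    # leave no fifos behind, whatever happened
            try:
                os.unlink(path)
            except OSError:
                pass
    return result


def classify(result):
    """One-line verdict for a bug report, separating EPERM from unrelated errors."""
    if result["link_ok"]:
        return "ok: hard links to fifos work here"
    if not result["fifo_created"]:
        return "mkfifo itself failed (%s); link never attempted" % result["errno"]
    if result["errno"] == errno.EPERM:
        return "EPERM: hard link refused, the ephemeral/overlayfs symptom"
    return "link failed with %s" % errno.errorcode.get(result["errno"], result["errno"])


def probe_tempdir():
    """Baseline run in a fresh temporary directory on the current filesystem."""
    return try_fifo_hardlink(tempfile.mkdtemp())


if __name__ == "__main__":
    import sys
    # Pass a directory inside the container's overlay to test it; default is a temp dir.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    print(classify(try_fifo_hardlink(target)))
```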
Re: [Lxc-users] Hard links to fifos not permitted in ephemeral containers? (was: Re: selinux trouble in lxc?)
On Fri, Sep 7, 2012 at 4:01 PM, Dan Kegel wrote:
>> mkfifo /tmp/fifo
>> ln /tmp/fifo /tmp/fifo2
>> fails with "operation not permitted".
>>
> Aha. Starting with 'lxc-start' yields a system which can do the ln.
> Starting with 'lxc-start-ephemeral' yields a system which can't.
> Has nothing to do with /tmp.
>
> Is overlayfs at fault?

I see there are several rumored sources of restrictions on hardlinks, e.g.
https://lkml.org/lkml/2011/5/19/384
https://lkml.org/lkml/2012/2/21/397

And I see this is a known issue:
http://comments.gmane.org/gmane.linux.ubuntu.devel/34948

Happily, using the -U aufs option to lxc-start-ephemeral seems to work around the problem, at least in my little test. I'll know soon if it fixes my real system.

But I was not able to find a bug for this issue in launchpad. Should I file one?

- Dan
[Lxc-users] Hard links to fifos not permitted in ephemeral containers? (was: Re: selinux trouble in lxc?)
On Fri, Sep 7, 2012 at 3:47 PM, Dan Kegel wrote:
> I just discovered that, inside my lxc ubuntu 10.04 container, doing
> mkfifo /tmp/fifo
> ln /tmp/fifo /tmp/fifo2
> fails with "operation not permitted".
>
> This makes the app I'm trying to run vewwy vewwy mad, and it
> creates approximately aleph null fifos in /tmp as revenge.
>
> Where is this restriction coming from?

Aha. Starting with 'lxc-start' yields a system which can do the ln. Starting with 'lxc-start-ephemeral' yields a system which can't. Has nothing to do with /tmp.

Is overlayfs at fault?

- Dan
[Lxc-users] selinux trouble in lxc?
I just discovered that, inside my lxc ubuntu 10.04 container, doing

mkfifo /tmp/fifo
ln /tmp/fifo /tmp/fifo2

fails with "operation not permitted".

This makes the app I'm trying to run vewwy vewwy mad, and it creates approximately aleph null fifos in /tmp as revenge.

Where is this restriction coming from?
Re: [Lxc-users] Ephemeral disk space redux: adding --overlaydir option to lxc-start-ephemeral?
On Fri, Sep 7, 2012 at 1:51 PM, Stéphane Graber wrote:
> I have now pushed lxc-start-ephemeral to the github staging branch as a
> python3 script using the new LXC API rather than as a shell script.

Woot!

> I'll add myself a todo item to port your change to the python version.
>
> Looking at it, it shouldn't be too difficult to do, though I'm not sure
> how that option should work when you have more than one overlayfs (when
> you have bind mount entries in the source container's fstab).

Another wrinkle: I have since discovered that badly behaved client systems can produce overlay directories that are hard to clean up (e.g. it takes too long to delete the million fifos one left behind in /tmp), so I may change the script to create a filesystem using loopback mount on a file. This is getting kind of complex, especially the cleanup!

- Dan
Re: [Lxc-users] Ephemeral disk space redux: adding --overlaydir option to lxc-start-ephemeral?
On 12-09-05 07:02 PM, Dan Kegel wrote:
> On Wed, Sep 5, 2012 at 3:25 PM, Dan Kegel wrote:
>> I see Florian asked this a few weeks ago:
>> So that's one more requirement discovered: I need lxc-start-ephemeral
>> to support nontrivial amounts of disk storage, more than will
>> fit in tmpfs.
>>
>> Maybe I'll add an argument "--overlaydir PATH" for where to store the files;
>> if that's set, setup_container() will use that rather than doing
>> OVERLAY_DIR=`mktemp -d /tmp/lxc-lp-XXX`
>> sudo mount -t tmpfs none $OVERLAY_DIR
>>
>> For safety, I would create a subdirectory inside the specified directory,
>> and use that for $OVERLAY_DIR. That would let me clean up
>> that directory before and after runs without worrying about
>> accidentally destroying the host system if the user makes a typo.
>
> Kinda like the attached patch. (It's a little dirty. I'll try to
> send a clean one once I've actually used it in production for a while.)

Hi Dan,

Sorry for not replying to this e-mail earlier.

I have now pushed lxc-start-ephemeral to the github staging branch as a python3 script using the new LXC API rather than as a shell script.

I'll add myself a todo item to port your change to the python version.

Looking at it, it shouldn't be too difficult to do, though I'm not sure how that option should work when you have more than one overlayfs (when you have bind mount entries in the source container's fstab).

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
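Dan's safety idea for --overlaydir (only ever create and remove a subdirectory of the user-supplied path, so a typo cannot wipe the host) is written out below in Python, matching the language the staging-branch script now uses. This is an added example, not the lxc-start-ephemeral code; the marker file name is hypothetical, and the mount step is left out so the directory handling can be run anywhere.

```python
import os
import shutil
import tempfile

# Hypothetical marker file: proves a directory was created by this code.
MARKER = ".lxc-ephemeral-overlay"


def create_overlay_dir(base):
    """Create a uniquely named child of `base`; only that child is ever removed."""
    base = os.path.realpath(base)
    if not os.path.isdir(base):
        raise ValueError("overlay base %r is not a directory" % base)
    overlay = tempfile.mkdtemp(prefix="lxc-lp-", dir=base)
    with open(os.path.join(overlay, MARKER), "w"):
        pass
    return overlay


def cleanup_overlay_dir(overlay, base):
    """Remove `overlay` only if it is a direct, marked child of `base`.

    Both paths are resolved first, so a symlink planted under `base` cannot
    redirect the removal to another location; the marker proves ownership.
    """
    base = os.path.realpath(base)
    overlay = os.path.realpath(overlay)
    if overlay in ("/", base) or os.path.dirname(overlay) != base:
        raise RuntimeError("refusing to remove %r: not a child of %r" % (overlay, base))
    if not os.path.isfile(os.path.join(overlay, MARKER)):
        raise RuntimeError("refusing to remove %r: marker missing" % overlay)
    shutil.rmtree(overlay)
    return True


def run_demo():
    """Exercise create/cleanup plus both refusal paths inside a scratch base dir."""
    base = tempfile.mkdtemp()
    overlay = create_overlay_dir(base)
    unmarked = tempfile.mkdtemp(dir=base)   # sibling that we did not create
    outcome = {"created": os.path.isdir(overlay)}
    for key, victim in (("refused_base", base), ("refused_unmarked", unmarked)):
        try:
            cleanup_overlay_dir(victim, base)
            outcome[key] = False
        except RuntimeError:
            outcome[key] = True
    outcome["removed"] = cleanup_overlay_dir(overlay, base) and not os.path.exists(overlay)
    shutil.rmtree(base)
    return outcome
```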
[Lxc-users] lxc staging branch on github
Hello everyone,

As you probably noticed Serge and I have been trying to keep up with all the changes going to the lxc-users and lxc-devel mailing lists with some varying success.

For quite a while now Serge has been maintaining a separate git branch on github where he'd merge the changes that we're using in Ubuntu and then regularly ask Daniel to review the branch and merge into the master branch on sourceforge.

To try and make this all a bit more official, I took ownership of the lxc project on github at: https://github.com/lxc

We now have an lxc repository at: https://github.com/lxc/lxc

With the main branch being called "staging" and containing what used to be in Serge's tree. This should now make it pretty easy for contributors to branch and send over pull requests.

We'll continue monitoring the mailing-lists and merging the changes proposed on there as soon as it seems we reached an agreement.

It'd be great if anyone who submitted changes on the mailing-list or through any other means could check that their changes are in the staging tree and if not, re-submit the change so we can include it.

@Daniel: Please let me know if you have a github account so I can add you to the project admins.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [Lxc-users] lxc, CIFS mounts, MySQL SSL and apparmor
On Thursday, September 06, 2012 09:25:54 you wrote:
> > [ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED"
> > operation="mount" info="failed type match" error=-13 parent=5073
> > profile="lxc-container-default" name="/mnt/wxdata/" pid=5074
> > comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share"
> > flags="rw"
>
> I haven't tried this, but it sure looks like this should be fixed with your
> rule.
>
> > Short of turning apparmor off, which is my next step...
>
> Well it's certainly worth trying turning apparmor off (just with
> lxc.aa_profile = unconfined) to make sure it's the problem. The
> network filesystems are still persnickety in containers, and I'm
> not even sure cifs will work at all.
>
> > Any apparmor gurus know how to remove this block ? ? ?

lxc.aa_profile=unconfined in the container profile does allow the CIFS/Samba mount to work.

Stopping and starting the container DOES NOT allow the mount to work with the rule change I made. Any ideas on changes to the rules for apparmor ?

And still *no joy* on the MySQL SSL front, still "DISABLED" which means that something else is not enabled or blocking it, as "NO" would mean MySQL didn't support SSL. So it appears apparmor is not the culprit here as it's disabled.
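The denial quoted at the top of this message is the kind of line a host-side monitor should pick out of the kernel log when a container is blocked from mounting. The Python below is an added example, not code from the thread or from lxc: it splits the key="value" fields, decodes error=-13 through errno, and keeps only DENIED mount operations under lxc-* profiles. The sample is the quoted line re-joined onto one line.

```python
import errno
import re

# Constructed sample: the denial quoted in the thread, re-joined onto one line.
SAMPLE = ('[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" '
          'operation="mount" info="failed type match" error=-13 parent=5073 '
          'profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 '
          'comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"')

# key="quoted value" (may contain spaces) or key=bareword
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_AUDIT = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_apparmor_event(line):
    """Split one AppArmor audit line into a dict of its fields plus timestamp/serial."""
    fields = {key: quoted or bare for key, quoted, bare in _KV.findall(line)}
    m = _AUDIT.search(line)
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    if "error" in fields:
        # the kernel logs a negative errno; -13 is EACCES, i.e. the profile refused it
        fields["errname"] = errno.errorcode.get(-int(fields["error"]), "unknown")
    return fields


def container_mount_denials(lines):
    """Keep only DENIED mount operations made under an lxc-* container profile."""
    events = []
    for line in lines:
        ev = parse_apparmor_event(line)
        if (ev.get("apparmor") == "DENIED" and ev.get("operation") == "mount"
                and ev.get("profile", "").startswith("lxc-")):
            events.append(ev)
    return events


def describe(ev):
    """One-line summary for an alert or a bug report."""
    return "profile %s denied %s mount of %s by %s at %s: %s" % (
        ev["profile"], ev.get("fstype", "?"), ev.get("srcname", "?"),
        ev.get("comm", "?"), ev.get("name", "?"), ev.get("errname", "?"))


if __name__ == "__main__":
    for event in container_mount_denials([SAMPLE]):
        print(describe(event))
```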
Re: [Lxc-users] Using VMware as a test-bed for hosting lxc containers. [SOLVED]
Greetings,

Apologies for being a bonehead. The routing table in the container was problem #1, plus it turns out that I also forgot to turn on ip routing inside the vm. DOH!

Anyway, thanks so much for your help. Have a good day.

> Date: Fri, 7 Sep 2012 11:35:06 +0700
> Subject: Re: [Lxc-users] Using VMware as a test-bed for hosting lxc containers.
> From: l...@fajar.net
> To: spier...@hotmail.com
> CC: lxc-users@lists.sourceforge.net
>
> On Fri, Sep 7, 2012 at 11:29 AM, Peter-Frank Spierenburg wrote:
> > Anyway, I am having trouble convincing the lxc guests to talk to the network
> > outside the box hosting the vm hosting the container.
>
> If you use latest ubuntu it'll work out of the box.
>
> > I've also got iptables configured to do the masquerading for the br0 device:
>
> I usually just let lxc or libvirt create lxcbr0/virbr0, with the
> necessary rules. Much simpler that way.
>
> > Finally, one of the lxc containers:
> >
> > eth0      Link encap:Ethernet  HWaddr 00:16:3e:38:88:bb
> >           inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
> >
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
>
> And you're wondering why it DOESN'T work? seriously?
> Hint: check the ip address on eth0 and the gateway.
>
> --
> Fajar