[Lxc-users] connecting lxc-console is impossible after deny cgroup by default activated

2012-11-02 Thread Thierry
Hello,

lxc-console is not functional after activating lxc.cgroup.devices.deny = a

Not using cgroup:

tigra ~ # lxc-start -l DEBUG -o /var/log/lxc/debian-dev.log -n debian-dev -f /etc/lxc/debian-dev/config -d

tigra ~ # lxc-console -n debian-dev

Type Ctrl+a q to exit the console

Password:
Debian GNU/Linux 6.0 debian-dev tty1

debian-dev login:


After activating lxc.cgroup.devices.deny = a:

tigra ~ # lxc-start -l DEBUG -o /var/log/lxc/debian-dev.log -n debian-dev -f /etc/lxc/debian-dev/config -d

tigra ~ # lxc-console -n debian-dev

Type Ctrl+a q to exit the console

no login prompt

Do you have an idea for resolving access via lxc-console?

Host is Gentoo:

tigra ~ # uname -a
Linux tigra.cynetek.com 3.6.2-hardened--grs-ipv6-64-1

tigra ~ # lxc-version
lxc version: 0.8.0-rc2


Guest is Debian Squeeze.


tigra ~ # cat /sys/fs/cgroup/devices/lxc/debian-dev/devices.list
c 1:3 rwm
c 1:5 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:1 rwm
c 254:0 rwm
c 4:0 rwm
c 4:1 rwm
c 4:2 rwm
c 4:3 rwm
c 136:* rwm
c 5:2 rwm



tigra ~ # cat /etc/lxc/debian-dev/conf


lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-dev
lxc.cgroup.devices.deny = a

#lxc.console = /dev/console

# Device configuration:
# Deny access to all devices:
# lxc.cgroup.devices.deny = a
# Allow only the following devices to be opened:
 lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
 lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
 lxc.cgroup.devices.allow = c 1:8 rwm # dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm # dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty - allows ssh-add/password input
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console - allows lxc-start output
lxc.cgroup.devices.allow = c 254:0 rwm # rtc

# TTYs - we create only 4 TTYs: tty0, tty1, tty2, tty3 - you can create up to 12 (see lxc.tty = 12)
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 4:2 rwm # /dev/tty2
lxc.cgroup.devices.allow = c 4:3 rwm # /dev/tty3

# pts namespaces
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx


lxc.rootfs = /dev/vg1/debian-dev
lxc.rootfs.mount = /usr/lib/lxc/rootfs

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.ipv4=10.0.1.1
lxc.network.veth.pair=veth-10.0.1.1

Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
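The question above comes down to one check: does the whitelist left behind by lxc.cgroup.devices.deny = a still cover every device node the guest's getty and lxc-console need? The following is an added example (my code, not the poster's and not part of LXC) that parses a v1 devices.list exactly as shown in the post and answers, for a given device type, major:minor and access string, whether the container may open it (r/w) or create it with mknod (m). The sample devices.list is the one from the post; the semantics follow the v1 devices cgroup: a rule of type a matches both b and c, * matches any number, and a single rule whose access set contains every requested letter is enough. check_path() is a convenience for stat()ing a node on the host and is assumed to be run on Linux.

```python
"""Device-cgroup (v1) whitelist checker for LXC containers.

Added example, not from the mailing-list post: given the text of
/sys/fs/cgroup/devices/<container>/devices.list, decide whether a given
device may be read (r), written (w) or created with mknod (m) from inside
the container.
"""
import os
import stat

# Constructed sample: the devices.list the poster showed for debian-dev.
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:1 rwm
c 254:0 rwm
c 4:0 rwm
c 4:1 rwm
c 4:2 rwm
c 4:3 rwm
c 136:* rwm
c 5:2 rwm
"""


def parse_devices_list(text):
    """Parse devices.list into (type, major, minor, access) tuples.

    type is 'a', 'b' or 'c'; major/minor are ints, or None for '*';
    access is the set of letters out of 'r', 'w', 'm'.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dev_type, numbers, access = line.split()
        major, minor = numbers.split(":")
        rules.append((
            dev_type,
            None if major == "*" else int(major),
            None if minor == "*" else int(minor),
            set(access),
        ))
    return rules


def is_allowed(rules, dev_type, major, minor, access="rwm"):
    """True if some whitelist rule covers dev_type major:minor with every
    requested access letter (r = read, w = write, m = mknod).

    Mirrors the v1 devices cgroup lookup: an 'a' rule matches any type,
    None (from '*') matches any number, and the rule's access set must be
    a superset of the requested one; the first matching rule wins.
    """
    wanted = set(access)
    for r_type, r_major, r_minor, r_access in rules:
        if r_type != "a" and r_type != dev_type:
            continue
        if r_major is not None and r_major != major:
            continue
        if r_minor is not None and r_minor != minor:
            continue
        if wanted <= r_access:
            return True
    return False


def check_path(rules, path, access="rw"):
    """stat() a device node on the host and check it against the rules.

    Assumes a Linux host; raises ValueError for non-device paths.
    """
    st = os.stat(path)
    if stat.S_ISCHR(st.st_mode):
        dev_type = "c"
    elif stat.S_ISBLK(st.st_mode):
        dev_type = "b"
    else:
        raise ValueError("%s is not a device node" % path)
    major, minor = os.major(st.st_rdev), os.minor(st.st_rdev)
    return is_allowed(rules, dev_type, major, minor, access)


if __name__ == "__main__":
    rules = parse_devices_list(SAMPLE_DEVICES_LIST)
    # Devices a getty/console setup typically touches; (type, major, minor)
    # for tty6 and /dev/full are constructed, not from the post.
    candidates = {
        "/dev/tty1 (4:1)": ("c", 4, 1),
        "/dev/tty6 (4:6)": ("c", 4, 6),
        "/dev/pts/21 (136:21)": ("c", 136, 21),
        "/dev/ptmx (5:2)": ("c", 5, 2),
        "/dev/full (1:7)": ("c", 1, 7),
    }
    for name, (t, ma, mi) in candidates.items():
        print("%-24s open(rw)=%-5s mknod=%s" % (
            name, is_allowed(rules, t, ma, mi, "rw"),
            is_allowed(rules, t, ma, mi, "m")))
```

Run it against a live container with cat /sys/fs/cgroup/devices/lxc/<name>/devices.list as the input and the major:minor from ls -l of the node the guest fails to open; a False for "m" explains an "Operation not permitted" from mknod just as well as a missing CAP_MKNOD does.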


Re: [Lxc-users] [lxc-devel] [GIT] lxc branch, master, updated. 7f99e339363d9f005c9386f60a1d8c0953c85053

2012-11-02 Thread Michael H. Warfield
On Thu, 2012-11-01 at 20:15 -0400, Michael H. Warfield wrote:
 On Thu, 2012-11-01 at 19:17 -0400, Michael H. Warfield wrote:
  On Thu, 2012-11-01 at 23:28 +0100, Serge Hallyn wrote:
   Quoting Michael H. Warfield (m...@wittsend.com):
On Thu, 2012-11-01 at 22:44 +0100, Serge Hallyn wrote:
 Quoting Michael H. Warfield (m...@wittsend.com):
  On Thu, 2012-11-01 at 21:20 +0100, Daniel Baumann wrote:
   On 11/01/2012 09:08 PM, Michael H. Warfield wrote:
I know, I KNOW this is an 11th hour request.  Can we please get 
Serge's
autodev stuff into this release?  Please?
  
   release early, release often?
  
   just release current git as 0.8.0 now, and the one with the autofoo as 0.8.1 soon after that?
  
  That would be ideal but we've been sitting at 0.8.0rc2 for something like 3-1/2 months now.  I know Daniel (the other Daniel, the Daniel) has been incredibly busy.  I have no objection to getting this out the door as 0.8.0 with a fast bump to 0.8.1 for the systemd stuff, but another several months is not good.  Can we get this fast bump?  We'll be staring Fedora 18 in the face by then.  The working versions of Fedora are no longer in support and we've got more distros adopting systemd.

 I think this will end up slated for 0.9.0 (which we're hoping will be
 soon), but in any case I went ahead and created a branch at
 git://github.com/hallyn/lxc called upstream.nov1.2012.autodev, with
 an autodev patch on top of Daniel's latest push.

 I quickly tried my hand at fixing the error you had with /dev/ttyN.  I
 haven't tested that bit.  I will not be able to be online at all from
 now until weekend or monday, so if it needs more tweaks please feel
 free to 'just fix it'.

Problem.  Works for the systemd containers but not for my older
containers.  I get this...

[root@forest Plover]# cat 2012-10-30-18:17:46.log
  lxc-start 1351635466.998 ERROR    lxc_conf - Operation not permitted - error 1 creating /usr/lib64/lxc/rootfs/dev/tty6
  lxc-start 1351635466.999 ERROR    lxc_conf - failed to setup the ttys for 'Plover'
  lxc-start 1351635466.999 ERROR    lxc_start - failed to setup the container
  lxc-start 1351635466.999 ERROR    lxc_sync - invalid sequence number 1. expected 2
  lxc-start 1351635466.999 ERROR    lxc_start - failed to spawn 'Plover'

Alcove (the systemd container) was the first one started so it may be an
ordinal thing or it may be a systemd thing.  But it's a problem.
   Hm, perhaps the container doesn't have mknod?
 
  They all should have, but I will investigate.  Those devices would have
  existed in the static file system with /dev.  Could it be a problem with
  the device already existing in the /dev directory?
 
 Ok...  Now this is just bloody weird.  I do not understand this.
 
 Yes the containers come up.  But...
 
 Here's what shows up in the detached container's log...
 
 [root@forest Audience]# cat 2012-10-30-18:52:41.log
   lxc-start 1351637562.011 ERROR    lxc_conf - Operation not permitted - error creating /usr/lib64/lxc/rootfs/dev/tty6

 Now wait a minute...  What about 1, 2, 3, 4, and 5???  They succeeded
 but 6 failed?  How does that make any sense?  In the container...

 crw-rw-rw- 1 root root   5,   0 Apr 13  2006 tty
 crw--w 1 root tty  136,  16 Oct 30  2012 tty1
 crw--w 1 root tty  136,  17 Oct 30  2012 tty2
 crw--w 1 root tty  136,  18 Oct 30  2012 tty3
 crw--w 1 root tty  136,  19 Oct 30  2012 tty4
 crw--w 1 root tty  136,  20 Oct 30  2012 tty5
 crw--w 1 root tty  136,  21 Oct 30  2012 tty6

 Ok...  That's probably from a couple of days ago.  But no error messages
 for the others and they are not freshly made either...  That was a
 CentOS 5 container.

 Trying it with another Fedora container but removed the tty? entries.
 No errors.  Hmmm...  Wait...  Another problem...  Container Plover...

 [mhw@plover ~]$ who
 mhw  pts/9  2012-10-30 19:47 (forest.ip6.wittsend.com)
 [mhw@plover ~]$ sudo -s
 sudo: sorry, you must have a tty to run sudo

 What?

Ok...  The problem with the container plover appears to have been an
error on my part.  I think I cleaned out too many tty devices.

Carefully only removed tty? devices from the static /dev in that
container and started it up...

[root@forest Plover]# cat 2012-10-31-06:41:37.log
  lxc-start 1351680097.900 ERROR    lxc_conf - Operation not permitted - error creating /usr/lib64/lxc/rootfs/dev/tty6

Still got the error creating /dev/tty6 but not 1-5.

But wait.  In the container itself...

[mhw@canyon mhw]$ ssh plover.ip6.wittsend.com
Last login: Tue Oct 30 18:40:12 2012 from canyon.ip6.wittsend.com
[mhw@plover ~]$ sudo -s
[root@plover mhw]# ls -l /dev/tty?
crw---. 1 root root 136, 36 Oct 31 06:41