Re: [Lxc-users] LXC and sound in container -

2013-11-15 Thread John
On 09/11/13 15:12, brian mullan wrote:
 I've searched the web for 2 weeks now and can find no documentation 
 describing steps to configure sound in an LXC container.

Here is what I do. It's just ALSA (not Pulseaudio) but I do run a 
desktop in a container and it works for me.

1. install alsa-lib alsa-utils in the container
2. enable autodev in the container's LXC config

 # Use autodev to be compatible with systemd
 lxc.autodev = 1
 lxc.hook.autodev = /etc/lxc/myhost/autodev

(set the autodev path to an appropriate location on your host)

3. write an autodev script on the host at the path in lxc.hook.autodev 
from step 1. Make it executable.

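#!/bin/bash
 # LXC Autodev hook. Created by Amylum
 # Recreates the host's ALSA character devices under the container's /dev/snd.
 cd "${LXC_ROOTFS_MOUNT}" || exit 1

 mkdir -p ./dev/snd
 ifs_char=$IFS
 IFS=$'\n'
 ifs_line=$IFS
 # awk emits one "mknod ... && chown ..." command line per character device.
 # Fields of the `ls -l` listing: $5 = major, $7 = minor, $11 = node name.
 for i in $(ls -l /dev/snd | grep '^c' | tr -s ' ' | awk -F '[ ,]' \
     '{print "mknod -m 660 ./dev/snd/"$11" c "$5" "$7" && chown root:audio ./dev/snd/"$11}')
 do
 IFS=$ifs_char
 eval "$i"
 IFS=$ifs_line
 done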

4. add devices to lxc config file

 # For ALSA Sound
 lxc.cgroup.devices.allow = c 116:* rwm # dev/snd/

5. add any users needing to use audio to the audio group

 for user in ${audio_users}
 do
 usermod -a -G audio $user
 done

Some explanation:

A container cannot use udev to create device nodes and the way systemd 
initialises the container's /dev prevents you creating them from the 
host. So, you have to use an autodev hook to create the device nodes at 
start-up (steps 2 and 3). You also need to allow access to the devices in 
the container's config and that is what step 4 does.

I ought to get PA working but I haven't had the time or the inclination.

I hope this is of some help.

John



___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users


Re: [Lxc-users] LXC and sound in container -

2013-11-15 Thread John
sorry forgot to add - this is on Arch Linux :)



Re: [Lxc-users] Lxc-users Digest, Vol 47, Issue 13

2013-11-15 Thread John
On 15/11/13 12:21, brian mullan wrote:
 John...

 Thanks for your note also..  I'd seen a very similar Bash script for 
 Arch Linux here:

 http://pastebin.com/zZEAk3Ny

 while researching all of this.

 Brian


Ah-ha, yes that pastebin is mine. That paste pre-dates systemd. I think 
the current implementation using the autodev hook is much cleaner. I 
used to have a separate script called make_sound_devices that was 
called on the host after boot to write devs to the containers that used 
alsa. This was needed because the device nodes appeared to change on 
every boot. Before systemd it was possible to write a container /dev 
from the host. The autodev hook does exactly the same thing but is 
automated per-container during container startup. Good find though :)



Re: [Lxc-users] cgroups permission problem

2013-10-10 Thread John
I am in fact able to write to the file.  Its initial state is empty.


On 2013-10-10 09:24, Serge Hallyn wrote:
 Quoting John (j...@neutrondawn.com):
 Greetings LXC,
 I'm having problems getting my container operational on CentOS.
 cgconfig and cgred are both running. The error is as follows during
 startup attempts:
 
   lxc-start 1381364626.764 DEBUG lxc_cgroup - cgroup_path_get: called for subsys cpuset name lxc/GE
   lxc-start 1381364626.764 DEBUG lxc_cgroup - using cgroup mounted at '/cgroup/cpuset'
   lxc-start 1381364626.764 DEBUG lxc_cgroup - cgroup_path_get: returning /cgroup/cpuset/lxc/GE for subsystem cpuset.cpus
   lxc-start 1381364626.764 ERROR lxc_cgroup - Permission denied - write /cgroup/cpuset/lxc/GE/cpuset.cpus : Permission denied
   lxc-start 1381364626.764 ERROR lxc_conf - Error setting cpuset.cpus to 0,1,2,3,4,5,6 for lxc/GE
 
 What is in /cgroup/cpuset/lxc/cpuset.cpus?  Are you able to manually
 write to that file?



Re: [Lxc-users] cgroups permission problem

2013-10-10 Thread John
Serge,
Sorry for the confusion, both files have been created and are in fact 
empty.  This is after having removed any configuration constraint on 
processors in GE.conf.

On 2013-10-10 10:03, Serge Hallyn wrote:
 Quoting John (j...@neutrondawn.com):
 I am in fact able to write to the file.  its initial state is empty.
 
 The initial state of which file is empty -
 /cgroup/cpuset/lxc/cpuset.cpus, or /cgroup/cpuset/lxc/GE/cpuset.cpus?
 If the former, then that's the problem.  That file should have been
 initialized earlier.  /x/y/z/ is not allowed to use cpus which are
 not authorized for use by /x/y.
 
 On 2013-10-10 09:24, Serge Hallyn wrote:
 Quoting John (j...@neutrondawn.com):
 Greetings LXC,
 I'm having problems getting my container operational on CentOS.
 cgconfig and cgred are both running. The error is as follows during
 startup attempts:
 
   lxc-start 1381364626.764 DEBUG lxc_cgroup - cgroup_path_get: called for subsys cpuset name lxc/GE
   lxc-start 1381364626.764 DEBUG lxc_cgroup - using cgroup mounted at '/cgroup/cpuset'
   lxc-start 1381364626.764 DEBUG lxc_cgroup - cgroup_path_get: returning /cgroup/cpuset/lxc/GE for subsystem cpuset.cpus
   lxc-start 1381364626.764 ERROR lxc_cgroup - Permission denied - write /cgroup/cpuset/lxc/GE/cpuset.cpus : Permission denied
   lxc-start 1381364626.764 ERROR lxc_conf - Error setting cpuset.cpus to 0,1,2,3,4,5,6 for lxc/GE
 
 What is in /cgroup/cpuset/lxc/cpuset.cpus?  Are you able to manually
 write to that file?

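The parent/child cpuset rule Serge describes in the message above, as an added example that is not part of the thread or of LXC: shell functions that walk a cgroup v1 cpuset path from the mount root down to the container's parent and report the first level whose cpuset.cpus is empty or does not cover the CPUs requested. The function names and the temporary demo tree are constructed for illustration; /cgroup/cpuset, lxc/GE and the CPU list come from the log.

```sh
#!/bin/sh
# Added example, not code from the thread or from LXC.
# Function names and the demo tree are constructed for illustration.

# expand_cpus "0-2,5" prints "0 1 2 5" (kernel cpu-list syntax, no stride).
# The ( ... ) body runs in a subshell, so IFS and variables stay local.
expand_cpus() (
    IFS=,
    out=""
    for part in $1; do
        lo=${part%-*}
        hi=${part#*-}
        n=$lo
        while [ "$n" -le "$hi" ]; do
            out="$out $n"
            n=$((n + 1))
        done
    done
    echo "${out# }"
)

# cpus_missing WANT HAVE prints the CPUs in WANT that HAVE does not contain.
cpus_missing() (
    have=" $(expand_cpus "$2") "
    missing=""
    for c in $(expand_cpus "$1"); do
        case "$have" in
            *" $c "*) ;;
            *) missing="$missing $c" ;;
        esac
    done
    echo "${missing# }"
)

# first_blocking_ancestor ROOT RELPATH WANT
# Checks ROOT and every ancestor of ROOT/RELPATH (not the target itself, whose
# cpuset.cpus is what the container start is about to write). Prints the first
# level that would make that write fail and exits 1, or prints "ok".
first_blocking_ancestor() (
    dir=$1
    want=$3
    case "$2" in
        */*) rel=${2%/*} ;;   # "lxc/GE" -> ancestors "lxc"
        *)   rel="" ;;        # target sits directly under the root
    esac
    while :; do
        have=""
        if [ -r "$dir/cpuset.cpus" ]; then
            have=$(tr -d '[:space:]' < "$dir/cpuset.cpus")
        fi
        if [ -z "$have" ]; then
            echo "$dir/cpuset.cpus is empty"
            exit 1
        fi
        missing=$(cpus_missing "$want" "$have")
        if [ -n "$missing" ]; then
            echo "$dir/cpuset.cpus ($have) lacks CPUs: $missing"
            exit 1
        fi
        [ -n "$rel" ] || break
        dir="$dir/${rel%%/*}"
        case "$rel" in
            */*) rel=${rel#*/} ;;
            *)   rel="" ;;
        esac
    done
    echo "ok"
)

# Constructed stand-in for the state reported in the thread: the root has
# CPUs, the lxc parent was never initialised, the container asks for 0-6.
demo_thread_case() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/lxc/GE"
    echo "0-7" > "$root/cpuset.cpus"
    : > "$root/lxc/cpuset.cpus"
    first_blocking_ancestor "$root" lxc/GE "0,1,2,3,4,5,6"
    rc=$?
    rm -rf "$root"
    exit "$rc"
)

demo_thread_case || true
```

On the host from the thread the equivalent call would be `first_blocking_ancestor /cgroup/cpuset lxc/GE 0,1,2,3,4,5,6`.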


Re: [Lxc-users] cgroups permission problem

2013-10-10 Thread John
Guido,
Alas, this appears to be the problem.  /cgroups/cgroup.clone_children 
does not exist.

Thanks for the assistance, I'll likely begin testing with a new kernel.  
A workaround for this problem in RHEL/CentOS that sidesteps the kernel 
recompile issue is to permit containers to have access to all CPUs.  
This will result in oversubscription however.


On 2013-10-10 12:40, Guido Jäkel wrote:
 On 2013-10-10 18:34, John wrote:
 Guido, Serge
 Thank you for your insight.  The parent, /cgroup/cpuset/lxc, has 
 cpuset.cpus however it hasn't been initialized to any number.  My 
 hypothesis is /cgroup/cpuset/lxc/GE/cpuset.cpus therefore cannot be 
 set as its parent hasn't been initialized.
 
 I'm uncertain if clone_children is present, however I would suspect it 
 is or else the qemu_kvm package for CentOS would run into serious 
 problems.
 Is there a means I can use to check the presence of this flag without 
 fetching the source?
 
 Dear Jon,
 
 the pseudo-file  cgroup.clone_children  has to appear in the same way
 as  cpuset.cpus  or others. You may read it with 'cat
 /cgroups/cgroup.clone_children'  and set it via 'echo 1 >
 /cgroups/cgroup.clone_children'
 
 greetings
 
 Guido



[Lxc-users] cgroups permission problem

2013-10-09 Thread John
Greetings LXC,
I'm having problems getting my container operational on CentOS.  cgconfig 
and cgred are both running. The error is as follows during startup 
attempts:

  lxc-start 1381364626.764 DEBUG lxc_cgroup - cgroup_path_get: called for subsys cpuset name lxc/GE
  lxc-start 1381364626.764 DEBUG lxc_cgroup - using cgroup mounted at '/cgroup/cpuset'
  lxc-start 1381364626.764 DEBUG lxc_cgroup - cgroup_path_get: returning /cgroup/cpuset/lxc/GE for subsystem cpuset.cpus
  lxc-start 1381364626.764 ERROR lxc_cgroup - Permission denied - write /cgroup/cpuset/lxc/GE/cpuset.cpus : Permission denied
  lxc-start 1381364626.764 ERROR lxc_conf - Error setting cpuset.cpus to 0,1,2,3,4,5,6 for lxc/GE
  lxc-start 1381364626.764 ERROR lxc_start - failed to setup the cgroups for 'GE'
  lxc-start 1381364626.764 WARN lxc_conf - failed to remove interface 'eth0'
  lxc-start 1381364626.764 ERROR lxc_start - failed to spawn 'GE'
  lxc-start 1381364626.764 DEBUG lxc_cgroup - destroying /cgroup/cpuset/lxc/GE
  lxc-start 1381364626.773 DEBUG lxc_cgroup - '/cgroup/cpuset/lxc/GE' unlinked
  lxc-start 1381364626.773 DEBUG lxc_cgroup - destroying /cgroup/cpu/lxc/GE
  lxc-start 1381364626.785 DEBUG lxc_cgroup - '/cgroup/cpu/lxc/GE' unlinked
  lxc-start 1381364626.785 DEBUG lxc_cgroup - destroying /cgroup/cpuacct/lxc/GE
  lxc-start 1381364626.793 DEBUG lxc_cgroup - '/cgroup/cpuacct/lxc/GE' unlinked
  lxc-start 1381364626.793 DEBUG lxc_cgroup - destroying /cgroup/memory/lxc/GE
  lxc-start 1381364626.801 DEBUG lxc_cgroup - '/cgroup/memory/lxc/GE' unlinked
  lxc-start 1381364626.801 DEBUG lxc_cgroup - destroying /cgroup/devices/lxc/GE
  lxc-start 1381364626.809 DEBUG lxc_cgroup - '/cgroup/devices/lxc/GE' unlinked
  lxc-start 1381364626.809 DEBUG lxc_cgroup - destroying /cgroup/freezer/lxc/GE
  lxc-start 1381364626.817 DEBUG lxc_cgroup - '/cgroup/freezer/lxc/GE' unlinked
  lxc-start 1381364626.817 DEBUG lxc_cgroup - destroying /cgroup/net_cls/lxc/GE
  lxc-start 1381364626.825 DEBUG lxc_cgroup - '/cgroup/net_cls/lxc/GE' unlinked
  lxc-start 1381364626.825 DEBUG lxc_cgroup - destroying /cgroup/blkio/lxc/GE
  lxc-start 1381364626.833 DEBUG lxc_cgroup - '/cgroup/blkio/lxc/GE' unlinked




Re: [Lxc-users] Permissions on devpts in container

2013-09-25 Thread John
On 23/09/13 17:07, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 Hello list,

 I have noticed a difference in behaviour on a new host that I have just
 installed which uses LXC 0.9.0. The differences are noted when compared
 with another host that has LXC 0.9.0-alpha3 on it.

 Inside a container under LXC 0.9.0, the devpts mounts are like this:
 devpts on /dev/console type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
 devpts on /dev/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
 devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)

 Previously, under LXC 0.9.0-alpha3, they were like this:
 devpts on /dev/console type devpts (rw,relatime,mode=600,ptmxmode=000)
 devpts on /dev/tty1 type devpts (rw,relatime,mode=600,ptmxmode=000)
 devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)

 The upshot of this is that regular users can't create pty unless they
 are in the tty group (gid 5).
 This means the simple task of opening a terminal window will fail for
 such users.

 Is this because of a change made some time between 0.9.0-alpha3 and
 0.9.0 ? I have trawled the git commit messages but couldn't see
 anything. Google did throw the following for me:
 https://bugzilla.redhat.com/show_bug.cgi?id=554203
 http://www.redhat.com/archives/libvir-list/2011-February/msg00975.html
 Those mention the permission change I've experienced but discuss LXC
 with LibVirt. I am not using LibVirt.

 My LXC config is the same in both examples, and I am not doing anything
 differently between the two. They are both running ArchLinux and have
 kernel versions as follows
 System 1: LXC 0.9.0-alpha3 Linux 3.7.10-1-ARCH
 System 2: LXC 0.9.0 Linux 3.11.1-1-ARCH

 Is the rule now that users have to be in group 'tty' in a container or
 am I missing something else?

 I suspect the difference is actually in arch's init.  But I'm
 not sure.  The only gid= option I see is specified in the alpine
 template.

 How exactly are you creating, starting, and accessing the containers?

Having further investigated this I agree it's a problem that lies 
outside LXC. I know this because I have reproduced the same problem on a 
test rig host (outside any containers). Thanks for replying to my 
question Serge.



Re: [Lxc-users] Permissions on devpts in container

2013-09-25 Thread John

 Having further investigated this I agree it's a problem that lies
 outside LXC. I know this because I have reproduced the same problem on a
 test rig host (outside any containers). Thanks for replying to my
 question Serge.

Well I have found the problem and it is LXC-related (kind-of).

I have one container on my system that uses init instead of systemd, so 
its configuration is quite old. In its container config it still has 
explicit mounts for the system mounts:

lxc.mount.entry = none /srv/lxc/mycontainer/dev/pts devpts defaults 0 0
lxc.mount.entry = none /srv/lxc/mycontainer/dev/shm tmpfs defaults 0 0
lxc.mount.entry = none /srv/lxc/mycontainer/proc proc defaults 0 0
lxc.mount.entry = none /srv/lxc/mycontainer/sys sysfs defaults 0 0

I found that the container didn't work with these commented out, so I 
changed the devpts one to

lxc.mount.entry = none /srv/lxc/mycontainer/dev/pts devpts defaults,gid=5,mode=620,ptmxmode=000 0 0

and now it works but, at some point, I will update this container to use 
systemd.

It's interesting that this wasn't an issue before I updated but I think 
that has something to do with Arch Linux's adoption of glibc 2.18, which 
removes pt_chown (but that's getting into stuff I don't know much about).

I am still puzzled how a container can effect changes on the host 
though... Is there some configuration that I should be doing to prevent 
this, but am perhaps not?



[Lxc-users] Permissions on devpts in container

2013-09-20 Thread John
Hello list,

I have noticed a difference in behaviour on a new host that I have just 
installed which uses LXC 0.9.0. The differences are noted when compared 
with another host that has LXC 0.9.0-alpha3 on it.

Inside a container under LXC 0.9.0, the devpts mounts are like this:
devpts on /dev/console type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
devpts on /dev/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)

Previously, under LXC 0.9.0-alpha3, they were like this:
devpts on /dev/console type devpts (rw,relatime,mode=600,ptmxmode=000)
devpts on /dev/tty1 type devpts (rw,relatime,mode=600,ptmxmode=000)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)

The upshot of this is that regular users can't create pty unless they 
are in the tty group (gid 5).
This means the simple task of opening a terminal window will fail for 
such users.

Is this because of a change made some time between 0.9.0-alpha3 and 
0.9.0 ? I have trawled the git commit messages but couldn't see 
anything. Google did throw the following for me:
https://bugzilla.redhat.com/show_bug.cgi?id=554203
http://www.redhat.com/archives/libvir-list/2011-February/msg00975.html
Those mention the permission change I've experienced but discuss LXC 
with LibVirt. I am not using LibVirt.

My LXC config is the same in both examples, and I am not doing anything 
differently between the two. They are both running ArchLinux and have 
kernel versions as follows
System 1: LXC 0.9.0-alpha3 Linux 3.7.10-1-ARCH
System 2: LXC 0.9.0 Linux 3.11.1-1-ARCH

Is the rule now that users have to be in group 'tty' in a container or 
am I missing something else?

Thanks in advance.
John






[Lxc-users] init path in config

2013-06-07 Thread John
Good Morning,

Is there a config option available to specify the path of the executable 
to start in the container?

I don't want /sbin/init and I don't want to rely on a symlink inside the 
container.

I can specify it when starting a container like this lxc-start -n 
mycontainer /path/to/executable but I'd like to set that up in the 
container configs.

Something like lxc.init = /user/lib/systemd/systemd

(if such a config item exists, I couldn't find it documented in the man 
pages).

Thanks,
John



Re: [Lxc-users] mknod inside systemd container

2013-04-05 Thread John


 But...  A hint may be in the lxc-fedora template where there is
 specifically a configure_systemd_fedora function that does this:

 configure_fedora_systemd()
 {
     unlink ${rootfs_path}/etc/systemd/system/default.target
     touch ${rootfs_path}/etc/fstab
     chroot ${rootfs_path} ln -s /dev/null //etc/systemd/system/udev.service
     chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
     #dependency on a device unit fails it specially that we disabled udev
     sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
 }


 Something similar does exist in the lxc-archlinux template:

 # disable services unavailable for container
 ln -s /dev/null /etc/systemd/system/systemd-udevd.service
 ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket
 ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
 ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
 # set default systemd target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target

 The lxc-archlinux template script seems very badly broken for me,
 expecting an fixed bridge name of br0 and not using the defaults
 from /etc/lxc/default.conf and looking for things that are not present
 on my Fedora host.  So I haven't been able to build an archlinux
 container on my host systems.

 Did you build yours from lxc-create or did you roll your own?  Maybe
 you might want to check those /dev/null links in that container.
 Looks like udevd should not even start if those have been set
 correctly.

Thanks Mike. I roll my own template as I've been doing it since before 
an Arch template existed for lxc-create. I have just added the /dev/null 
links and removed the cap drop for mknod from the lxc config. A quick 
test looks positive so I think that's the answer.

The next problem that I was going to tackle was why 
proc-sys-fs-binfmt_misc.automount failed. But you've answered that also.

 With mask method (ln -s /dev/null ...) for systemd above, I had success
 with lxc from git on 20130402, systemd 198 on (manual build
 archlinux) container on a sysvinit/initscripts host.

 I run openvpn in this container with following service script:

 cat /etc/systemd/system/tundev.service
 [Unit]
 Description=Add tun device workaround
 Wants=network.target
 Before=openvpn@.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/bin/mkdir /dev/net
 ExecStart=/usr/bin/mknod -m 666 /dev/net/tun c 10 200

 [Install]
 WantedBy=multi-user.target

 Hope that helps.
 With best regards Joerg

Yes, good to know someone else has it working too :)





Re: [Lxc-users] mknod inside systemd container

2013-04-03 Thread John
On 02/04/13 23:59, Michael H. Warfield wrote:
 On Tue, 2013-04-02 at 16:02 +0100, John wrote:
 If my understanding is correct, to stop systemd trying to launch udev
 and generally make a mess of everything inside a container, you need to
 remove the mknod capability from the container.
 Ah...  That's kind of old information and not really effective.

 But what if I want
 (need) to be able to use mknod inside a container, how can I do that
 with a systemd container?
 1) Get the latest lxc.  lxc 0.8 might suffice for systemd in a container
 but not with systemd in the host and I wouldn't recommend it.  0.9.0 is
 being pulled and bundled now.  It's not up yet but 0.9.0.rc1 is.

 2) You'll have to add lxc.autodev = 1 to your configuration file.

I already do that. I am running lxc version: 0.9.0.alpha3

I found that, without the removal of mknod capability, everything went 
crazy. I have working containers with systemd both on host and inside 
the container (I even run my full desktop inside a container). To get a 
systemd container working I found I needed three things:

lxc.autodev = 1
lxc.cap.drop = mknod
lxc.pts = 1024

It's all working well except for the fact that I might need to allow a 
container to have mknod capability. Are you saying that with 0.9.0 there 
are changes that negate the requirement for lxc.cap.drop = mknod? The 
way I understood it was that it was systemd that behaved differently 
based on the availability of that capability...


 I have found that this works to get recent systemd containers (Fedora
 17) to work but Fedora 15 and Fedora 16 (neither of which are supported
 any longer) work due to udev / systemd interaction.

 I would recommend waiting a couple of days until 0.9.0 is up and then
 pulling it down and building it.  That's your best shot with systemd.

 I have this container that is a builder of system images for other nodes
 (containers and/or metal boxes). In order to correctly do this it needs
 to execute mknod inside the image as it builds it. (note, device nodes
 created doesn't need to be usable in the context of the image being
 built - the builder just needs to be able to create it).

 I've been doing this for ages under sysvinit and it's been fine. I have
 just migrated this builder container to systemd and hit this problem...
 Is there another way to keep systemd in line other than removing the
 mknod capability ?

 Thanks,
 John





[Lxc-users] mknod inside systemd container

2013-04-02 Thread John
If my understanding is correct, to stop systemd trying to launch udev 
and generally make a mess of everything inside a container, you need to 
remove the mknod capability from the container. But what if I want 
(need) to be able to use mknod inside a container, how can I do that 
with a systemd container?

I have this container that is a builder of system images for other nodes 
(containers and/or metal boxes). In order to correctly do this it needs 
to execute mknod inside the image as it builds it. (note, device nodes 
created doesn't need to be usable in the context of the image being 
built - the builder just needs to be able to create it).

I've been doing this for ages under sysvinit and it's been fine. I have 
just migrated this builder container to systemd and hit this problem... 
Is there another way to keep systemd in line other than removing the 
mknod capability ?

Thanks,
John





Re: [Lxc-users] Confusing behaviour using LXC container with systemd

2013-03-13 Thread John
On 12/03/13 23:21, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 12/03/13 22:25, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 ...
 [root@boron ~]# mount
 none on /dev type tmpfs (rw,relatime,size=100k)
 devpts on /dev/console type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
 devpts on /dev/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
 proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
 sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
 tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
 devpts on /dev/pts type devpts
 (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
 Note there is no 'newinstance' on the devpts mount here.  I suspect
 that's the problem.  Note that lxc starts up and gives you a
 newinstance devpts mount, so this one was done by systemd.

 Next step (unless I'm misreading) is to look through systemd code
 to see what you can do to make it not mount that.

 -serge

I have made one step forward... I read here 
(http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface) 
that the udev unit files will check for CAP_SYS_MKNOD, and skip udev if 
that is not available. So I added lxc.cap.drop = mknod to the 
container configuration and this has stopped devices getting messed up 
(well, at least it allows the dvb tuner I mentioned earlier to work). I 
still have the problem with character output on the terminal - I've 
asked the systemd people and they've said that it is lxc that mounts 
devpts and, to get that done properly (with newinstance), needs a 
configuration change in the container configuration.

I have gone back and checked my old init-based container and its mounts 
were without newinstance as well so I guess I am missing something in my 
configuration to make it mount that way?


Re: [Lxc-users] Confusing behaviour using LXC container with systemd

2013-03-13 Thread John
On 13/03/13 18:42, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 12/03/13 23:21, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 12/03/13 22:25, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 ...
 [root@boron ~]# mount
 none on /dev type tmpfs (rw,relatime,size=100k)
 devpts on /dev/console type devpts 
 (rw,relatime,gid=5,mode=620,ptmxmode=000)
 devpts on /dev/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
 proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
 sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
 tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
 devpts on /dev/pts type devpts
 (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
 Note there is no 'newinstance' on the devpts mount here.  I suspect
 that's the problem.  Note that lxc starts up and gives you a
 newinstance devpts mount, so this one was done by systemd.

 Next step (unless I'm misreading) is to look through systemd code
 to see what you can do to make it not mount that.

 -serge

 I have made one step forward... I read here
 (http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface)
 that the udev unit files will check for CAP_SYS_MKNOD, and skip
 udev if that is not available. So I added lxc.cap.drop = mknod to
 the container configuration and this has stopped devices getting
 messed up (well, at least it allows the dvb tuner I mentioned
 earlier to work). I still have the problem with character output on
 the terminal - I've asked the systemd people and they've said that
 it is lxc that mounts devpts and, to get that done properly (with
 newinstance), needs a configuration change in the container
 configuration.

 I have gone back and checked my old init-based container and its
 mounts were without newinstance as well so I guess I am missing
 something in my configuration to make it mount that way?
 You shouldn't need to specify a devpts mount in your container at all, lxc
 does it for you regardless.

 -serge

I haven't specified any such mount in the container configuration file 
and the /etc/fstab inside the container is empty. I am not doing 
anything to explicitly mount devpts. (previously, my init-based 
container configuration did but I removed that line when I switched it 
to autodev and systemd). I used to have the following in the config but 
these have all since been removed:

lxc.mount.entry = none /srv/lxc/lithium.x86_64/dev/pts devpts defaults 0 0
lxc.mount.entry = none /srv/lxc/lithium.x86_64/dev/shm tmpfs defaults 0 0
lxc.mount.entry = none /srv/lxc/lithium.x86_64/proc proc defaults 0 0
lxc.mount.entry = none /srv/lxc/lithium.x86_64/sys sysfs defaults 0 0

Other info in case it's relevant: I've checked lxc-checkconfig and it 
shows Multiple /dev/pts instances: enabled (everything lists as 
enabled except User namespace: missing but I've done some checking and 
believe that's ok. My lxc version is reported as lxc version: 
0.9.0.alpha3. I built it from git from 
git://lxc.git.sourceforge.net/gitroot/lxc/lxc on March 10th using the 
lxc-git archlinux pkgbuild.

thanks for the help as always.





Re: [Lxc-users] Confusing behaviour using LXC container with systemd

2013-03-13 Thread John
On 13/03/13 19:51, John wrote:
 On 13/03/13 18:42, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 12/03/13 23:21, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 12/03/13 22:25, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 ...
 [root@boron ~]# mount
 none on /dev type tmpfs (rw,relatime,size=100k)
 devpts on /dev/console type devpts 
 (rw,relatime,gid=5,mode=620,ptmxmode=000)
 devpts on /dev/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
 proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
 sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
 tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
 devpts on /dev/pts type devpts
 (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
 Note there is no 'newinstance' on the devpts mount here.  I suspect
 that's the problem.  Note that lxc starts up and gives you a
 newinstance devpts mount, so this one was done by systemd.

 Next step (unless I'm misreading) is to look through systemd code
 to see what you can do to make it not mount that.

 -serge

 I have made one step forward... I read here
 (http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface)
 that the udev unit files will check for CAP_SYS_MKNOD, and skip
 udev if that is not available. So I added lxc.cap.drop = mknod to
 the container configuration and this has stopped devices getting
 messed up (well, at least it allows the dvb tuner I mentioned
 earlier to work). I still have the problem with character output on
 the terminal - I've asked the systemd people and they've said that
 it is lxc that mounts devpts and, to get that done properly (with
 newinstance), needs a configuration change in the container
 configuration.

 I have gone back and checked my old init-based container and its
 mounts were without newinstance as well so I guess I am missing
 something in my configuration to make it mount that way?
 You shouldn't need to specify a devpts mount in your container at all, lxc
 does it for you regardless.

 -serge

 I haven't specified any such mount in the container configuration file
 and the /etc/fstab inside the container is empty. I am not doing
 anything to explicitly mount devpts. (previously, my init-based
 container configuration did but I removed that line when I switched it
 to autodev and systemd). I used to have the following in the config but
 these have all since been removed:

 lxc.mount.entry = none /srv/lxc/lithium.x86_64/dev/pts devpts defaults 0 0
 lxc.mount.entry = none /srv/lxc/lithium.x86_64/dev/shm tmpfs defaults 0 0
 lxc.mount.entry = none /srv/lxc/lithium.x86_64/proc proc defaults 0 0
 lxc.mount.entry = none /srv/lxc/lithium.x86_64/sys sysfs defaults 0 0

 Other info in case it's relevant: I've checked lxc-checkconfig and it
 shows Multiple /dev/pts instances: enabled (everything lists as
 enabled except User namespace: missing but I've done some checking and
 believe that's ok. My lxc version is reported as lxc version:
 0.9.0.alpha3. I built it from git from
 git://lxc.git.sourceforge.net/gitroot/lxc/lxc on March 10th using the
 lxc-git archlinux pkgbuild.

 thanks for the help as always.


I added lxc.pts = 1024 to my config after reading somewhere that this 
is what causes the newinstance mount of devpts to happen. Now the 
differences in the mounts are as follows:

now:
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=666)

previously:
devpts on /dev/pts type devpts 
(rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)

and /dev/ptmx is now a symlink to /dev/pts/ptmx (I have removed the 
creation of /dev/pts that I had in my autodev hook).

it looks like it is a separate instance (the contents of /dev/pts differ 
between host and guest).

however the problem of character output on the terminal was still there. 
But I think I have solved that too...

In my autodev hook I had created the device node for tty0 because it was 
missing from the list of device nodes that I had previously in my 
init-based container. After deleting this from the hook I no longer get 
the spurious character output and things appear to be a bit more normal.

So, to summarise, for systemd I think the following are necessary:

lxc.autodev = 1
lxc.cap.drop = mknod
lxc.pts = 1024

If additional devices are required then add

lxc.hook.autodev = /path/to/script

where script is similar to:
#!/bin/bash
# LXC Autodev hook.
cd ${LXC_ROOTFS_MOUNT}/dev
mknod .
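
A check for the three settings summarised above, as an added example that is not part of the original post or of the LXC project. The sample config is the "boron" config posted earlier in the thread (network lines omitted); the function names, the output wording and the wildcard-minor review line are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an LXC config (0.9-era keys, as used in this thread)
# against the settings John's summary lists for systemd containers.

# The "boron" config from the thread, network lines omitted.
BORON_CFG='# Use autodev to be compatible with systemd
lxc.autodev = 1
lxc.hook.autodev = /etc/lxc/autodev
lxc.cap.drop = sys_module
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 5:2 rwm   # /dev/ptmx
lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*
lxc.rootfs = /srv/lxc/boron.x86_64'

# The same config with the two settings from the summary appended.
FIXED_CFG="$BORON_CFG
lxc.cap.drop = mknod
lxc.pts = 1024"

# audit_systemd_cfg CONFIG_TEXT
# Prints one finding per line; returns 1 if a summarised setting is missing.
audit_systemd_cfg() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }            # strip whole-line and trailing comments
        !/=/ { next }                 # skip blank and non-assignment lines
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        }
        key == "lxc.autodev" && val == "1" { autodev = 1 }
        key == "lxc.pts" && val + 0 > 0    { pts = 1 }
        key == "lxc.cap.drop" {
            # The key may repeat and may list several capabilities per line.
            n = split(val, caps, /[ \t]+/)
            for (i = 1; i <= n; i++) if (caps[i] == "mknod") mknod = 1
        }
        key == "lxc.cgroup.devices.allow" {
            # Format: <type> <major>:<minor> <access>; list wildcard minors
            # so a reviewer sees which whole device classes are exposed.
            split(val, f, /[ \t]+/)
            if (f[2] ~ /:\*$/) print "REVIEW wildcard minor: " f[1] " " f[2] " " f[3]
        }
        END {
            if (!autodev) { print "MISSING lxc.autodev = 1";      bad = 1 }
            if (!mknod)   { print "MISSING lxc.cap.drop = mknod"; bad = 1 }
            if (!pts)     { print "MISSING lxc.pts";              bad = 1 }
            exit bad + 0
        }'
}

echo "== config as posted =="
audit_systemd_cfg "$BORON_CFG" || true
echo "== with the settings from the summary added =="
audit_systemd_cfg "$FIXED_CFG" || true
```

To run it against a real container, pass the file contents, for example `audit_systemd_cfg "$(cat /path/to/config)"`.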






[Lxc-users] Confusing behaviour using LXC container with systemd

2013-03-12 Thread John
Hello, I've been trying to convert some containers to systemd. I have 
implemented a systemd container using lxc.autodev with lxc.hook.autodev 
to create additional devices and I can now start containers that run 
systemd internally. I am, however, experiencing some problems and am at 
a loss as to how I should troubleshoot.

My autodev hook contains the below:

#!/bin/bash
# LXC Autodev hook.
cd ${LXC_ROOTFS_MOUNT}
mknod -m 600 .//dev/tty0 c 4 0
mknod -m 666 .//dev/ptmx c 5 2

The first problem is that starting a container affects devices on the 
host. I don't know how widespread the problem is but I noticed it 
because my DVB-T tuner card stops working when I start a container that 
uses systemd inside. Prior to starting the container I can reliably run 
a dvb scan on the host and it works - once the container is started it 
no longer works. It's as if the kernel modules somehow get messed up.

I have linked two pastebins below, showing the output of systemctl 
status for such a container and systemd-cgls inside that container. 
This container does nothing with dvb so has nothing installed inside it 
that might explicitly interact with my dvb card.

http://pastebin.com/dGU80cGR
http://pastebin.com/X0J3vwfD

I have no idea how to troubleshoot this so I am looking for guidance. I 
do wonder if it might have something to do with systemd-udevd inside 
the container (does udev work inside a container now?).

The second problem might be related... If I start a systemd container 
from a gui terminal window, the window starts pumping out characters 
(normally = symbols but this changes if I type on the keyboard, though 
not to the character typed). If I move the focus to another terminal 
window the character output moves with the focus. This happens if I 
start the container with  lxc-start or with systemctl. It does not 
happen if I start the container on a text virtual terminal (Alt+F1). (in 
case it's relevant, the gui is itself inside a container that is still 
init-based).

These problems do not happen with init containers.

I would really appreciate some pointers that might help me troubleshoot 
- as I say, I am at a loss...

Thanks very much,
John

3.6.11-1-ARCH #1 SMP PREEMPT Tue Dec 18 08:57:15 CET 2012 x86_64 GNU/Linux






Re: [Lxc-users] Confusing behaviour using LXC container with systemd

2013-03-12 Thread John
On 12/03/13 22:25, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 Hello, I've been trying to convert some containers to systemd. I have
 implemented a systemd container using lxc.autodev with lxc.hook.autodev
 to create additional devices and I can now start containers that run
 systemd internally. I am, however, experiencing some problems and am at
 a loss as to how I should troubleshoot.

 My autodev hook contains the below:

 #!/bin/bash
 # LXC Autodev hook.
 cd ${LXC_ROOTFS_MOUNT}
 mknod -m 600 .//dev/tty0 c 4 0
 mknod -m 666 .//dev/ptmx c 5 2

 The first problem is that starting a container affects devices on the
 host. I don't know how widespread the problem is but I noticed it
 Presumably this is just because your guest is running 'udevadm trigger'.
 We disable that in ubuntu using apparmor, but if you allow it then the
 guest triggers the host into resetting hardware.  Sound card goes back
 to default level, keyboard gets reset, ...
Hmmm, I'll look at that but it's going to be a bit of a find. I am not 
doing that explicitly as far as I know and I don't know where to look to 
see if it is happening. I can do some searching with grep ...
 ...

 The second problem might be related... If I start a systemd container
 from a gui terminal window, the window starts pumping out characters
 (normally = symbols but this changes if I type on the keyboard, though
 not to the character typed). If I move the focus to another terminal
 window the character output moves with the focus. This happens if I
 start the container with  lxc-start or with systemctl. It does not
 happen if I start the container on a text virtual terminal (Alt+F1). (in
 case it's relevant, the gui is itself inside a container that is still
 init-based).
 Sounds like systemd is playing with /dev in the container.  You say
 you're using autodev hooks, but (a) what is the actual filesystem in
 the container's /dev?  If it's devtmpfs then it's shared with your
 host, and your container is actually corrupting your host's /dev and
 (b) otherwise systemd may simply be re-creating things like /dev/console
 and /dev/tty after you've set them up in your autodev hook.
my mounts inside container

[root@boron ~]# mount
none on /dev type tmpfs (rw,relatime,size=100k)
devpts on /dev/console type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
devpts on /dev/tty1 type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts 
(rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup 
(rw,nosuid,nodev,noexec,relatime,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw)
mqueue on /dev/mqueue type mqueue (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
[root@boron ~]#

I presume all of the mounts on /dev/ are created by autodev.


 Oh!  or systemd is mounting the host's /dev/pts into the container.
Not sure how to tell if they're the same but they both look identical 
(same character device files, same timestamps, etc). I just did a chown 
on one device on the host and the change was visible on the guest so I 
guess they are the same... is this a config mistake that I have made or 
is systemd doing it?

Some additional info... my container config:

# Use autodev to be compatible with systemd
lxc.autodev = 1
lxc.hook.autodev = /etc/lxc/autodev

lxc.utsname = boron
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.mtu = 1500

lxc.cap.drop = sys_module

lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm # /dev/full
lxc.cgroup.devices.allow = c 1:8 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm # /dev/random

lxc.tty = 1   #   allow this many ttys
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console
lxc.cgroup.devices.allow = c 5:2 rwm   # /dev/ptmx
lxc.cgroup.devices.allow = c 136:* rwm # /dev/pts/*

lxc.rootfs = /srv/lxc/boron.x86_64


 -serge
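
One way to answer the "are they the same?" question in the message above without changing ownership on a live device, as an added example that is not part of the thread: compare the device number that mountinfo reports for each devpts mount, relying on each devpts instance having its own device number. The mountinfo lines are constructed samples and the function names are this example's own; on a live system pass the contents of /proc/self/mountinfo from the host and /proc/PID/mountinfo for the container's init process.

```shell
#!/bin/sh
# Added example: detect a devpts instance shared between host and container.
# mountinfo fields: 1 mount-id, 2 parent-id, 3 major:minor, 4 root,
# 5 mount point, 6 options, optional fields..., "-", fstype, source, sb-options

# Constructed host sample: the host devpts instance has device number 0:11.
HOST_MOUNTINFO='17 21 0:11 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000'

# Constructed guest sample: /dev/pts carries the host device number.
GUEST_SHARED='80 70 0:30 / /dev rw,relatime - tmpfs none rw,size=100k
81 80 0:11 /2 /dev/console rw,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
82 80 0:11 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000'

# Constructed guest sample: /dev/pts is its own instance (0:34).
GUEST_PRIVATE='80 70 0:30 / /dev rw,relatime - tmpfs none rw,size=100k
81 80 0:11 /2 /dev/console rw,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
82 80 0:34 / /dev/pts rw,relatime - devpts devpts rw,mode=600,ptmxmode=666'

# devpts_dev MOUNTINFO_TEXT [MOUNTPOINT]
# Prints major:minor of the devpts mounted on MOUNTPOINT (default /dev/pts);
# returns 1 if there is none.
devpts_dev() {
    printf '%s\n' "$1" | awk -v mp="${2:-/dev/pts}" '
        {
            fstype = ""
            # Optional fields end at a lone "-"; the fstype follows it.
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fstype = $(i + 1); break }
            if ($5 == mp && fstype == "devpts") dev = $3   # topmost mount wins
        }
        END { if (dev == "") exit 1; print dev }'
}

# pts_shared HOST_TEXT GUEST_TEXT
# Returns 0 if both /dev/pts mounts are the same instance, 1 if they differ,
# 2 if either side has no devpts on /dev/pts.
pts_shared() {
    _h=$(devpts_dev "$1") || return 2
    _g=$(devpts_dev "$2") || return 2
    [ "$_h" = "$_g" ]
}

# shared_devpts_mounts HOST_TEXT GUEST_TEXT
# Prints every guest mount point backed by the host devpts instance,
# including single nodes bind-mounted out of it.
shared_devpts_mounts() {
    _h=$(devpts_dev "$1") || return 2
    printf '%s\n' "$2" | awk -v dev="$_h" '
        {
            for (i = 7; i <= NF; i++)
                if ($i == "-") {
                    if ($(i + 1) == "devpts" && $3 == dev) print $5
                    break
                }
        }'
}

report() {   # report LABEL GUEST_TEXT
    if pts_shared "$HOST_MOUNTINFO" "$2"; then
        echo "$1: /dev/pts is the host instance"
    else
        echo "$1: /dev/pts is not the host instance"
    fi
    echo "$1: backed by host devpts: $(shared_devpts_mounts "$HOST_MOUNTINFO" "$2" | tr '\n' ' ')"
}

report "guest without its own instance" "$GUEST_SHARED"
report "guest with its own instance" "$GUEST_PRIVATE"
```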





Re: [Lxc-users] provide access to GPU capabilites to container

2013-02-19 Thread John
On 18/02/13 15:47, Guillaume Thouvenin wrote:
 Hello,

 I'm trying to build a container that will be able to use the GPU
 capabilities of my nvidia graphic card. My distribution is an Ubuntu
 12.04 and I downloaded the package
 cuda_5.0.35_linux_64_ubuntu11.10-1.run from the nvidia site. I've
 installed the nvidia driver, the nvidia devkit and also some samples.
 Everything runs fine on the host. Then I installed a container and I
 added the following in my config file:

 lxc.cgroup.devices.allow = c 195:* rwm  # for nvidia
This is what I have too. I am on Arch Linux.

 I can start and log into my container. Then I created /dev/nvidia0,
 /dev/nvidia1 and /dev/nvidiactl in the container.
I have
 /dev/nvidia0 c 195 0 mode 666
 /dev/nvidiactl c 195 255 mode 666

I install the packages in the container:
 nvidia

You have to have the same version of the driver in the host and guest. 
I've hit problems with that during updates before.

I have been running my everyday desktop inside a container for as long 
as I have been using LXC. I am not doing gpu development work so my 
experience is as a user.

It looks like you're doing the same as me so I can't see why it would not 
work. Have you tried just running a basic xorg desktop inside the 
container to see if that works? I install the following to test: 
xorg-server xorg-xinit. I found it necessary to install xorg-server and 
nvidia on the host as well (although it's never run there).



 I installed the cuda
 development kit and some samples but when I run a test I get:

 ~/NVIDIA_CUDA-5.0_Samples/0_Simple/clock$ ./clock
 CUDA Clock sample
 CUDA error at ../../common/inc/helper_cuda.h:930
 code=35(cudaErrorInsufficientDriver) cudaSetDevice(devID) CUDA error
 at ../../common/inc/helper_cuda.h:931
 code=35(cudaErrorInsufficientDriver) cudaGetDeviceProperties(deviceP
 rop, devID) GPU Device 0:  with compute capability 8592.1001


 I've also tested to remove the nvidia driver from the host and install
 it into the container but insmod failed into the container. I get the
 following error:

 Kernel module compilation complete.
 Kernel module load error: insmod: error inserting './kernel/nvidia.ko': -1
 Operation not permitted

 So in short:
 - when I installed the nvidia driver into the host, I cannot access GPU
 from the container
 - when I tried to install the nvidia driver into the container I cannot
 do the insmod.

 In both cases I let lxc.cgroup.devices.allow = c 195:* rwm  # for
 nvidia into the config file of the container.

 What can I try next?

 Thanks for your help,
 Regards,
 Guillaume




Re: [Lxc-users] lxc-destroy erase rootfs

2013-02-08 Thread John
I raised this issue back on 6th/7th December. It was a side-issue in a 
discussion entitled unable to run systemd in an LXC container. I have 
always performed a destroy/create cycle to apply changes written to 
/etc/lxc/mycontainer.conf. I was asked why I didn't edit in /var 
directly and I replied that I treated the files created by LXC in /var 
to be internal and have always used the destroy/create cycle for config 
updates. There was talk of adding a -k (keep) option to lxc-destroy.


I have been working on other commitments and need to come back and 
revisit this but it's good to see others have experienced the same 
difficulty with this change in behaviour.


I would be interested in current thoughts.

John


On 07/02/13 23:27, Roland Neary wrote:
As it's so easy to redo a 
container I've come to love the lxc-destroy command.


Having said that, the huge pitfall is of course user expectation. The 
first time I looked at it it did exactly what I wanted, not what I 
thought it would do.




Regards,
Roland Neary

-Original message-
From: Papp Tamas tom...@martos.bme.hu
Sent: Fri 08-Feb-2013 00:19
To: Roland Neary ne...@stone-it.com
Cc: Christoph Willing cwill...@users.sourceforge.net;
lxc-users@lists.sourceforge.net
Subject: Re: [Lxc-users] lxc-destroy erase rootfs

On 02/08/2013 12:10 AM, Roland Neary wrote:
 Sorry to hear you b0rked your setup. Are you perhaps a Xen user who found
 out that `xm destroy` != lxc-destroy?

 If so, you're probably not the first

Actually neither xen, nor virsh destroys _data_ and until v0.7 (or v0.8?) 
lxc does it only if it was
in /var/lib/lxc.

I'm an lxc user and that's why I'm surprised.

tamas





Re: [Lxc-users] sshd container problem

2013-01-08 Thread John de la Garza
On Tue, Jan 08, 2013 at 09:31:27AM -0600, Serge Hallyn wrote:
 Quoting John de la Garza (j...@jjdev.com):
  I am trying to create a sshd container.  Any ideas on how to fix this?
 
 This is fixed upstream and in 13.04 (raring), but it looks like the fix
 is not yet in quantal.  I'll file a bug for it, thanks.
 
 In the meantime, you can either grab raring, or build lxc from the
 staging branch to get the fix.

Great, thank you.



Re: [Lxc-users] lxc-ps lxc-netstat not working

2013-01-07 Thread John Drescher
On Mon, Jan 7, 2013 at 10:33 AM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Shibashish (shi...@gmail.com):
 I am on CentOS 6.3 and got lxc working on it. But when I run lxc-ps or
 lxc-netstat, i get the following errors...

 lxc-ps: no cgroup mount point found
 lxc-netstat: no cgroup mount point found


 Relevant lines in lxc-ps.in... (I tried both the options)

 # Get the filesystem mountpoint of the hierarchy
 #mountpoint=$(grep -E ^cgroup [^ ]+ [^ ]+ ([^
 ]+,)?$subsystems(,[^ ]+)?  /proc/self/mounts | cut -d ' ' -f 2)
 mountpoint=$(grep -E ^[^ ]+ [^ ]+ cgroup ([^
 ]+,)?$subsystems(,[^ ]+)?  /proc/self/mounts | cut -d ' ' -f 2)

 Your problem here (in the second one) is the space before the .  If you
 remove that you should get results.

 This appears to be what is in the upstream lxc (on sf.net).  The version
 in github staging (git://github.com/lxc/lxc.git #staging) is quite
 different, you may want to try building and running that.


I had the same problem on gentoo. I can confirm that replacing the
get_parent_cgroup() function with the code from the git staging fixes
the issue for me.

Thanks
John



[Lxc-users] sshd container problem

2013-01-07 Thread John de la Garza
I am trying to create a sshd container.  Any ideas on how to fix this?

here is the output of my reproducing the issue
---
root@ubuntu:/usr/share/lxc/templates# cat /etc/lxc/lxc.conf
lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up
root@ubuntu:/usr/share/lxc/templates# lxc-create  -t sshd -n foo

No config file specified, using the default config
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
I removed ssh config output
'sshd' template installed
'foo' created
root@ubuntu:/usr/share/lxc/templates# lxc-start -n foo
lxc-start: Read-only file system - error unlinking 
/usr/lib/x86_64-linux-gnu/lxc/dev/kmsg

lxc-start: failed to setup kmsg for 'foo'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'foo'

root@ubuntu:/usr/share/lxc/templates# ls  /usr/lib/x86_64-linux-gnu/lxc/
lxc-init




[Lxc-users] sshd container problem

2013-01-07 Thread John de la Garza
I am trying to create a sshd container.  Any ideas on how to fix this?

I'm using a stock ubuntu 12.10 server

here is the output of my reproducing the issue
---
root@ubuntu:/usr/share/lxc/templates# cat /etc/lxc/lxc.conf 
lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up
root@ubuntu:/usr/share/lxc/templates# lxc-create  -t sshd -n foo

No config file specified, using the default config
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
I removed ssh config output
'sshd' template installed
'foo' created
root@ubuntu:/usr/share/lxc/templates# lxc-start -n foo 
lxc-start: Read-only file system - error unlinking 
/usr/lib/x86_64-linux-gnu/lxc/dev/kmsg

lxc-start: failed to setup kmsg for 'foo'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'foo'

root@ubuntu:/usr/share/lxc/templates# ls  /usr/lib/x86_64-linux-gnu/lxc/
lxc-init




this is the config file created for the container:

lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up
lxc.rootfs = /var/lib/lxc/foo/rootfs
lxc.utsname = foo
lxc.pts = 1024
# uncomment the next line to run the container unconfined:
#lxc.aa_profile = unconfined
lxc.mount.entry=/dev dev none ro,bind 0 0
lxc.mount.entry=/lib lib none ro,bind 0 0
lxc.mount.entry=/bin bin none ro,bind 0 0
lxc.mount.entry=/usr usr none ro,bind 0 0
lxc.mount.entry=/sbin sbin none ro,bind 0 0
lxc.mount.entry=tmpfs var/run/sshd tmpfs mode=0644 0 0
lxc.mount.entry=/usr/share/lxc/templates/lxc-sshd sbin/init none bind 0 0
lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=/lib64 lib64 none ro,bind 0 0




[Lxc-users] Is it possible to configure a bridge inside an LXC guest ?

2013-01-05 Thread John

Hi everyone,

I haven't tried this yet but thought I'd ask first because it seems 
a bit crazy, but...


Is it possible to configure a container so that it has a bridge in it ?

Reason for asking is this: I have a container that runs a desktop 
environment. I want to run VirtualBox on that desktop, which I have 
installed and it's working fine with NAT networking. However, I realise 
I need a bridge for any vm to be able to do anything useful on the network.


So, can I configure a container so that it has a bridged network adapter 
so that I can select it as a bridged adapter in VirtualBox's vm 
network settings, either the same bridge as on the host or another one 
within the container that is somehow connected to the lan ?


Many thanks,
John




Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-07 Thread John
On 07/12/12 00:48, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 06/12/12 20:06, Dan Kegel wrote:
 On Thu, Dec 6, 2012 at 12:00 PM, John l...@jelmail.com wrote:
 While on the subject, any reason for lxc-destroy now being destructive?
 Wait, isn't that the point?  It's in the name and all.

 When was it ever nondestructive?

 It only destroyed the configuration in /var/lib and never deleted the
 root filesystem until very recently (0.8.0, I guess).
 Was your rootfs a symbolic link by chance?  I'm guessing commit
 55116c42e767ce795f796fc51cd2ef7d76cf18af is what you're seeing.  Before
 that it did remove the rootfs, but if your rootfs was a symlink it
 happened to not do it.  That wasn't by intent.

 Perhaps lxc-destroy should take a flag to not delete the rootfs?  Not
 sure...


Ah, I can now see what is wrong. It isn't down to symlinks but because 
my rootfs isn't under /var/lib/lxc.

Looking at that commit, I can see that the remove (on line 126) deletes 
$lxc_path/$lxc_name but does not explicitly remove $rootdev. The new 
code added at line 122 does indeed remove $rootdev.

In my case I have my container rootfs in a directory called 
/srv/test.i686 (i.e not underneath $lxc_path - /var/lib/lxc). I guess 
the design assumes that a template is used to create a container and 
that it would put the rootfs beneath /var/lib/test.

So the commit fixes an anomaly but leaves me unsure of a couple of things:

1. what is the correct way to update a container config without removing 
the rootfs. I have always used destroy/create to do this but that, 
clearly, won't work if the destroy phase removes the rootfs. I like 
being able to separately manage the rootfs from its configuration.

2. is it wrong to have the rootfs outside of the /var/lib/lxc ? I have a 
small /var but use a large dedicated partition for my root filesystem 
directories. I suspect I need to look at using per-container lvm 
volumes, something that makes sense but I haven't delved into yet.

I would value having options to preserve the rootfs when doing 
lxc-destroy and for lxc-create to use an existing rootfs (i.e. instead 
of a template).

Thanks very much for the help.





Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-07 Thread John

 Quoting Michael H. Warfield (m...@wittsend.com):
   
 You have to add an option to the config file for your systemd
 containers.

 lxc.autodev = 1

I would like to understand a bit more about what this option does and 
learn the correct way of creating devices inside a container.

With autodev, if I understand correctly, LXC creates a 100Kb tmpfs for 
/dev, overmounting any existing /dev. it creates a pts subdirectory plus 
the devices listed in struct lxc_devs (src/lxc/conf.c) - null, zero, 
full, urandom, random, tty and console.

What do I do if I need more than those devices in /dev? To date, I have 
manually used mknod to create devices during the process of creating a 
rootfs (i.e. I create them beforehand, on the host). I see the comment 
in the source about providing a file, so I guess this is being thought 
about?

I like being able to do things in the main config file, so perhaps 
supporting options like lxc.dev = name mask type maj min ?

Also, I can't work out what the autodev option does that allows systemd 
to work ? It's a bit over my head but I'd like to understand if I can. 
What's the difference between /dev that is on the rootfs and a /dev that 
is created and over-mounted?

systemd inside container = issues so far:
- creating devices in /dev
- no vty devices (cannot use lxc-console)

Regards,
John





Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-07 Thread John
On 07/12/12 13:50, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 07/12/12 00:48, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 06/12/12 20:06, Dan Kegel wrote:
 On Thu, Dec 6, 2012 at 12:00 PM, John l...@jelmail.com wrote:
 While on the subject, any reason for lxc-destroy now being destructive?
 Wait, isn't that the point?  It's in the name and all.

 When was it ever nondestructive?

 It only destroyed the configuration in /var/lib and never deleted the
 root filesystem until very recently (0.8.0, I guess).
 Was your rootfs a symbolic link by chance?  I'm guessing commit
 55116c42e767ce795f796fc51cd2ef7d76cf18af is what you're seeing.  Before
 that it did remove the rootfs, but if your rootfs was a symlink it
 happened to not do it.  That wasn't by intent.

 Perhaps lxc-destroy should take a flag to not delete the rootfs?  Not
 sure...

 Ah, I can now see what is wrong. It isn't down to symlinks but
 because my rootfs isn't under /var/lib/lxc.

 Looking at that commit, I can see that the remove (on line 126)
 deletes $lxc_path/$lxc_name but does not explicitly remove
 $rootdev. The new code added at line 122 does indeed remove
 $rootdev.

 In my case I have my container rootfs in a directory called
 /srv/test.i686 (i.e not underneath $lxc_path - /var/lib/lxc). I
 guess the design assumes that a template is used to create a
 container and that it would put the rootfs beneath /var/lib/test.

 So the commit fixes an anomaly but leaves me unsure of a couple of things:

 1. what is the correct way to update a container config without
 removing the rootfs. I have always used destroy/create to do this
 but that, clearly, won't work if the destroy phase removes the
 rootfs. I like being able to separately manage the rootfs from its
 configuration.
 This I don't really understand - I've always done it by hand.  What
 exactly is made easier by doing destroy/create?  Maybe we can reproduce
 that with an lxc-update or something...  Especially if we can then
 have lxc-update expand variables and take a list of containers to
 update to batch the operations.  Though still right now I would just
 default to a bash loop calling sed...

I always treated /var/lib/lxc as internal. From the early days, 
/etc/lxc was suggested as a configuration directory and where the 
original configuration would lie. Using lxc-create copied that config 
into /var/lxc. This, in my mind, meant that I shouldn't mess with the 
config inside /var/lib/lxc but should instead modify /etc/lxc and then 
do a destroy/create. I may have been living on a mis-premise all this 
time but that's how I've been using it.

[...]


 I would value having options to preserve the rootfs when doing
 lxc-destroy and for lxc-create to use an existing rootfs (i.e.
 instead of a template).
 Ok, I don't *really* want to make lxc-destroy not delete the rootfs
 just if it is outside of /var/lib/lxc/$container...  On the one hand
 I can see people could do that specifically in the hopes of making
 it outlive the container.  On the other hand I could see people doing
 it only because they are short on disk space ending up running out of
 disk space because they lost track of where the undeleted rootfs's
 were.

 Maybe

   lxc-destroy -k -n p1

 for --keep (don't delete the rootfs)?
yes, that would work.
 -serge
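A pre-destroy check for the situation discussed in this thread, where the rootfs named by lxc.rootfs lives outside the container's directory under the LXC path (directly or through a symlink). This is an added example, not part of the thread and not LXC's own code; the function names and the sample directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: report where a container's rootfs really lives before a
# destroy/create cycle. Function names are hypothetical.

# Print the lxc.rootfs value from config file $1. Taking the last assignment
# when several are present is an assumption of this example.
config_rootfs() {
    sed -n 's/^[[:space:]]*lxc\.rootfs[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print the physical (symlink-free) path of directory $1; fail if it is absent.
physical_dir() {
    (CDPATH= cd -- "$1" 2>/dev/null && pwd -P)
}

# $1 = LXC path (e.g. /var/lib/lxc), $2 = container name.
# Prints one of: no-config, unset, missing, inside, outside.
rootfs_scope() (
    conf="$1/$2/config"
    if [ ! -f "$conf" ]; then
        echo no-config
    elif rootfs=$(config_rootfs "$conf"); [ -z "$rootfs" ]; then
        echo unset
    elif ! real=$(physical_dir "$rootfs"); then
        echo missing
    else
        home=$(physical_dir "$1/$2")
        case "$real/" in
            "$home"/*) echo inside ;;
            *) echo outside ;;
        esac
    fi
)

# One-line summary for an operator about to run a destroy/create cycle.
pre_destroy_report() {
    case "$(rootfs_scope "$1" "$2")" in
        inside)  echo "$2: rootfs is under $1/$2" ;;
        outside) echo "$2: rootfs resolves outside $1/$2; keep a copy before destroying" ;;
        missing) echo "$2: lxc.rootfs points at a directory that does not exist" ;;
        unset)   echo "$2: config has no lxc.rootfs entry" ;;
        *)       echo "$2: no config found under $1" ;;
    esac
}

# Constructed sample layout under directory $1: one rootfs inside the LXC
# path, one on a separate tree, and one reached through a symlink.
make_demo() {
    mkdir -p "$1/lxc/inside1/rootfs" "$1/lxc/test" "$1/lxc/linked" \
             "$1/srv/test.i686" "$1/srv/linked"
    ln -s "$1/srv/linked" "$1/lxc/linked/rootfs"
    printf 'lxc.utsname = inside1\nlxc.rootfs = %s\n' \
        "$1/lxc/inside1/rootfs" > "$1/lxc/inside1/config"
    printf '# rootfs on a separate partition\nlxc.utsname = test2\nlxc.rootfs = %s  \n' \
        "$1/srv/test.i686" > "$1/lxc/test/config"
    printf 'lxc.rootfs = %s\n' "$1/lxc/linked/rootfs" > "$1/lxc/linked/config"
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
for name in inside1 test linked absent; do
    pre_destroy_report "$demo_dir/lxc" "$name"
done
rm -rf "$demo_dir"
```
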





Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-06 Thread John
On 06/12/12 17:10, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 05/12/12 21:59, Serge Hallyn wrote:
 You have to specify a template, i.e. '-t debian'.

 Oh. I wasn't using a template.

 Up to now, I have an existing root filesystem, say
 /srv/lxc/mycontainer.x86_64 that is pointed to by my configuration
 file, say mycontainer.conf, by its lxc.rootfs entry. I have seen
 lxc-create as merely inserting the config from mycontainer.conf into
 /var/lib/lxc/mycontainer/config and nothing more.

 I haven't used a template script to create a container because I've
 got my own that I have been using ever since I first started using
 lxc (there were no templates back then, well not for arch anyway!).

 I've always done a destroy/create to update the LXC configuration
 for a container. This now seems to be the wrong way given destroy
 removes the rootfs and create expects a template. What's the new way
 ?

 I've looked at the man page for lxc-create but am none the wiser.
 How do I now create a container (or just update the config) for an
 existing root filesystem ?
 Hm, I see.  Yeah this behavior likely changed with the introduction
 of custom template paths.

 Perhaps we should allow '-t none' for exactly your use case.

 Stéphane?

 -serge

Or perhaps, allow leaving off the -t unless you want to work with a 
template ?
(kind of like it's been to date). Would that not work ?



Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-06 Thread John
On 06/12/12 19:48, Stéphane Graber wrote:
 On 12/06/2012 02:45 PM, John wrote:
 On 06/12/12 17:10, Serge Hallyn wrote:
 Quoting John (l...@jelmail.com):
 On 05/12/12 21:59, Serge Hallyn wrote:
 You have to specify a template, i.e. '-t debian'.

 Oh. I wasn't using a template.

 Up to now, I have an existing root filesystem, say
 /srv/lxc/mycontainer.x86_64 that is pointed to by my configuration
 file, say mycontainer.conf, by its lxc.rootfs entry. I have seen
 lxc-create as merely inserting the config from mycontainer.conf into
 /var/lib/lxc/mycontainer/config and nothing more.

 I haven't used a template script to create a container because I've
 got my own that I have been using ever since I first started using
 lxc (there were no templates back then, well not for arch anyway!).

 I've always done a destroy/create to update the LXC configuration
 for a container. This now seems to be the wrong way given destroy
 removes the rootfs and create expects a template. What's the new way
 ?

 I've looked at the man page for lxc-create but am none the wiser.
 How do I now create a container (or just update the config) for an
 existing root filesystem ?
 Hm, I see.  Yeah this behavior likely changed with the introduction
 of custom template paths.

 Perhaps we should allow '-t none' for exactly your use case.

 Stéphane?

 -serge

 Or perhaps, allow leaving off the -t unless you want to work with a
 template ?
 (kind of like it's been to date). Would that not work ?

 Yeah, that makes sense, I'll fix it.

 Basically allow for -t none and have it default to that when not
 specified, that should essentially revert to the previous behaviour.


While on the subject, any reason for lxc-destroy now being destructive?
This, in my opinion, is a significant behavioural change and I did 
actually unwittingly delete one of my containers last night. Luckily it 
was just a test one :)

Can we make lxc-destroy work like it did before (or provide a cmdline 
option to make it so) ?

I don't know how else to update lxc config without doing a 
destroy/create cycle (except for hand-editing 
/var/lib/mycontainer/config but I expect that's verboten).

sorry - going off topic for the original thread.

J




Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-06 Thread John
On 06/12/12 20:06, Dan Kegel wrote:
 On Thu, Dec 6, 2012 at 12:00 PM, John l...@jelmail.com wrote:
 While on the subject, any reason for lxc-destroy now being destructive?
 Wait, isn't that the point?  It's in the name and all.

 When was it ever nondestructive?

It only destroyed the configuration in /var/lib and never deleted the 
root filesystem until very recently (0.8.0, I guess).



Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-05 Thread John
On 04/12/12 21:29, Michael H. Warfield wrote:
 I raised the question about LXC/systemd a while back and have been
 trying to follow the conversation but I have to admit it's going
 somewhat over my head. I've also been away on another piece of work but
 would now like to understand where things lie with LXC and systemd
 inside a container.
 Ok...  I'll try to answer some of them...
Thanks Mike, much appreciated.

 I have just updated my system to 0.8.0 and I can't see any changes to
 make a systemd container work. Are there changes in 0.8.0 ?
 There are very significant changes in 0.8.0 but, unfortunately, not the
 ones you need to get systemd to work in a container.  We've been testing
 a lot of these and they are in git but they are not in a release yet.
 Hopefully soon, just not yet.

 If so, I'd be grateful for some guidance on what I need to do to my
 configuration to make it work.
 Right now, you'll have to build from git.
I will go away and do a git build later today.
I presume that would be from git://lxc.git.sourceforge.net/gitroot/lxc/lxc.

 I'm also happy to help test this if I can. If it helps I am on Arch Linux.
 There are two problems.  One is systemd in an lxc container.  I think we
 have a rope on this one and it's tied down.  The other is the more
 recent (195+) versions of systemd in the host that throw the pivot
 root errors.  That has not been addressed as yet.  I use Fedora.  Right
 now, I have Fedora 17 hosts with Fedora 17 containers.  Fedora 18
 (currently in beta) host (systemd 195) is going to be a train wreck
 until we sort the pivot root problem.  I don't know what you have with
 Arch Linux.  You'll have to tell us what versions of systemd you are
 running.

Ah yes, the pivot root problem. I have worked around this for the time 
being by doing a mount --make-rprivate /. I created a systemd service 
on the host as an after dependency on systemd-remount-fs.service to 
do this. I believe this is ok in the short term (it appears to work ok 
for me).

If I rebuild lxc from git, should I then expect my existing systemd 
container to work or is there anything else that I need to do ?

My versions:

lxc version: 0.8.0
Linux hydrogen 3.6.8-1-ARCH #1 SMP PREEMPT Mon Nov 26 22:10:40 CET 2012 
x86_64 GNU/Linux
systemd 196

 many thanks everyone.
 John
 Mike

Thanks, I really appreciate the help.





Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-05 Thread John
On 05/12/12 14:55, Michael H. Warfield wrote:
[...]
 Ah yes, the pivot root problem. I have worked around this for the time
 being by doing a mount --make-rprivate /. I created a systemd service
 on the host as an after dependency on systemd-remount-fs.service to
 do this. I believe this is ok in the short term (it appears to work ok
 for me).
 Hmmm...  I was thinking someone ran into some problems doing that and
 causing problems with the /dev/pts mounts or some such.  Good to note if
 that worked for you.  I'm about to start playing with Fedora 18 Beta
 where I expect problems.  I'll try that out.

 If I rebuild lxc from git, should I then expect my existing systemd
 container to work or is there anything else that I need to do ?
 Yeah, one other thing (in addition to following Serge's advice regarding
 git and #stage)...

 You have to add an option to the config file for your systemd
 containers.

 lxc.autodev = 1

Ok got that. I used git://github.com/lxc/lxc.git #staging. Built and 
installed ok. Existing containers running. When I try to create a new 
one, with or without the autodev like you suggest, I get the below:

# lxc-create -n test2 -f test2.conf
lxc-create: unknown template ''
lxc-create: aborted

I checked and the above create does work with 0.8.0. I realise it's 
probably a glitch caused by something unrelated and which will probably 
be fixed quite quickly. I may try a re-build in the morning.


Next, I manually edited /var/lib/lxc/test/config to add lxc.autodev to 
it but attempting to start the container gave me this:

# lxc-start -n test2
lxc-start: No such file or directory - failed to mount 'devshm' on 
'/usr/lib/lxc/rootfs//dev/shm'

I had an instruction in the config to mount devshm so I removed that and 
could then start the container up successfully. I got a login prompt and 
can log in. Lovely!

I now need to run some more tests here but I can confirm that the 
staging build will allow a container to start on my Arch system.

FYI (Arch - specific): I used a modified copy of the lxc-git PKGBUILD 
(https://aur.archlinux.org/packages/lx/lxc-git/PKGBUILD) to build 
lxc#staging. I only changed the git root to be 
git://github.com/lxc/lxc.git.

PS. I just did an lxc-destroy while testing and it appears to now be 
destructive. That took me by surprise.

Regards,
John




Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-12-04 Thread John

On 26/10/12 22:02, Michael H. Warfield wrote:

On Fri, 2012-10-26 at 12:11 -0400, Michael H. Warfield wrote:

On Thu, 2012-10-25 at 23:38 +0200, Lennart Poettering wrote:

On Thu, 25.10.12 11:59, Michael H. Warfield (m...@wittsend.com) wrote:

I SUSPECT the hang condition is something to do with systemd trying to
start an interactive console on /dev/console, which sysvinit and
upstart do not do.

Yes, this is documented, please see the link I already posted, and which
I linked above a second time.

This may have been my fault.  I was using the -o option to lxc-start
(output logfile) and failed to specify the -c (console output redirect)
option.  It seems to fire up nicely (albeit with other problems) with
that additional option.  Continuing my research.

Confirming.  Using the -c option for the console file works.
Unfortunately, thanks to no getty's on the ttys so lxc-console does not
work and no way to connect to that console redirect and the failure of
the network to start, I'm still trying to figure out just what is face
planting in a container I can not access.  :-/=/  Punch out the punch
list one PUNCH at a time here.


I've got some more problems relating to shutting down containers, some
of which may be related to mounting tmpfs on /run to which /var/run is
symlinked to.  We're doing halt / restart detection by monitoring utmp
in that directory but it looks like utmp isn't even in that directory
anymore and mounting tmpfs on it was always problematical.  We may have
to have a more generic method to detect when a container has shut down
or is restarting in that case.

I can't parse this. The system call reboot() is virtualized for
containers just fine and the container manager (i.e. LXC) can check for
that easily.

Apparently, in recent kernels, we can.  Unfortunately, I'm still finding
that I can not restart a container I have previously halted.  I have no
problem with sysvinit and upstart systems on this host, so it is a
container problem peculiar to systemd containers.  Continuing to
research that problem.


Lennart
--
Lennart Poettering - Red Hat, Inc.

Regards,
Mike



I raised the question about LXC/systemd a while back and have been 
trying to follow the conversation but I have to admit it's going 
somewhat over my head. I've also been away on another piece of work but 
would now like to understand where things lie with LXC and systemd 
inside a container.


I have just updated my system to 0.8.0 and I can't see any changes to 
make a systemd container work. Are there changes in 0.8.0 ?


If so, I'd be grateful for some guidance on what I need to do to my 
configuration to make it work.


I'm also happy to help test this if I can. If it helps I am on Arch Linux.

many thanks everyone.

John



Re: [Lxc-users] LXC + VirtualBox = Frozen Host

2012-11-18 Thread John Drescher

 I have been seeing reproducible freezes each time I start a VirtualBox VM
 when at least one of my LXC containers are already running. Even my mouse
 cursor is frozen, and all I could do is a hard reset each time.

 Here are some of the cases that I have tried:
 1.) Starting a VirtualBox VM when an LXC container is already running
 effectively freezes the host.
 2.) Starting an LXC container when a VirtualBox VM is already booted is
 fine.
 3.) Starting another LXC container after point (2) is also fine.
 4.) Starting another VirtualBox VM after point (3) is also fine.

 Could somebody kindly shed some light here? It seems that the initial
 startup of the VirtualBox module is the trigger here. Can LXC and
 VirtualBox really co-exist together at the same time?


Yes. They have no problem working together for me.



 I intend to utilize the VirtualBox VMs for other-than-Linux-workload,
 whereas the LXC containers for all Linux workload. For the info, the host
 is a Linux Mint 13 (3.2.0-33-generic 64-bit) using VirtualBox 4.2.4. Both
 VirtualBox VM's files and LXC container's rootfs are on top of ZFS
 filesystem.


I start with a newer kernel.

John


Re: [Lxc-users] automount in the container

2012-11-14 Thread John Drescher
On Wed, Nov 14, 2012 at 8:09 AM, Olivier Archer
olivier.arc...@ifremer.fr wrote:
 Hi,
   I'm new to the list, and I've just built my first container under ubuntu
 12.04.

   I've got some problems with the automounter, and my problem seems to be
 the same as in this thread:

 http://sourceforge.net/mailarchive/message.php?msg_id=26229199

 my kernel is 3.2.0-32, and I found a patch here to potentially solve the pb:
 http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00950.html

 But this patch is for 2.6.36, and it doesn't apply to recent kernels. I've
 grepped the source tree, and the patch seems to have never been committed.

 Any clue to make autofs work ?

 PS:
 manual mounts works fine
 automount -fd  give:
 handle_packet: type = 3
 handle_packet_missing_indirect: token 11, name mynfsserver, request pid
 17542

 when I try to ls /home/mynfsserver

 if I interrupt automount with ctrl-C, the mount occurs and I can do ls
 /home/mynfsserver, but the automount process is ended ...

I too am very interested in this. I have used the patches in the past
for some time however they have not applied to recent kernels so I no
longer can use autofs inside my containers at home or work.

John




Re: [Lxc-users] [systemd-devel] Unable to run systemd in an LXC / cgroup container.

2012-10-22 Thread John
On 22/10/12 03:06, Michael H. Warfield wrote:
 On Mon, 2012-10-22 at 02:53 +0200, Kay Sievers wrote:
 On Sun, Oct 21, 2012 at 11:25 PM, Michael H. Warfield m...@wittsend.com 
 wrote:
 This is being directed to the systemd-devel community but I'm cc'ing the
 lxc-users community and the Fedora community on this for their input as
 well.  I know it's not always good to cross post between multiple lists
 but this is of interest to all three communities who may have valuable
 input.

 I'm new to this particular list, just having joined after tracking a
 problem down to some systemd internals...

 Several people over the last year or two on the lxc-users list have been
 discussions trying to run certain distros (notably Fedora 16 and above,
 recent Arch Linux and possibly others) in LXC containers, virtualizing
 entire servers this way.  This is very similar to Virtuozzo / OpenVZ only
 it's using the native Linux cgroups for the containers (primary reason I
 dumped OpenVZ was to avoid their custom patched kernels).  These recent
 distros have switched to systemd for the main init process and this has
 proven to be disastrous for those of us using LXC and trying to install
 or update our containers.

 To put it bluntly, it doesn't work and causes all sorts of problems on
 the host.

 To summarize the problem...  The LXC startup binary sets up various
 things for /dev and /dev/pts for the container to run properly and this
 works perfectly fine for SystemV start-up scripts and/or Upstart.
 Unfortunately, systemd has mounts of devtmpfs on /dev and devpts
 on /dev/pts which then break things horribly.  This is because the
 kernel currently lacks namespaces for devices and won't for some time to
 come (in design).  When devtmpfs gets mounted over top of /dev in the
 container, it then hijacks the hosts console tty and several other
 devices which had been set up through bind mounts by LXC and should have
 been LEFT ALONE.

 Yes!  I recognize that this problem with devtmpfs and lack of namespaces
 is a potential security problem anyways that could (and does) cause
 serious container-to-host problems.  We're just not going to get that
 fixed right away in the linux cgroups and namespaces.

 How do we work around this problem in systemd where it has hard coded
 mounts in the binary that we can't override or configure?  Or is it
 there and I'm just missing it trying to examine the sources?  That's how
 I found where the problem lay.
 As a first step, this probably explains most of it:
http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface
 A very long ways, yeah.  That looks like it could be just what we've
 been looking for.  Just gotta figure out how to set that environment
 variable but that's up to a couple of others to comment on in the
 lxc-users list.  Then we'll see where we go from there.

 Many thanks!

 Kay
 Regards,
 Mike


I've just performed a very quick check on my Arch Linux system here.

on host (running systemd):
# cat /proc/1/environ
TERM=linuxRD_TIMESTAMP=

In a container (running sysvinit):
# cat /proc/1/environ
STY=623.systemd-lithiumTERM=screenTERMCAP=SC|screen|VT 100/ANSI X3.64 
virtual terminal:\
 :DO=\E[%dB:LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:bs:bt=\E[Z:\
 :cd=\E[J:ce=\E[K:cl=\E[H\E[J:cm=\E[%i%d;%dH:ct=\E[3g:\
 :do=^J:nd=\E[C:pt:rc=\E8:rs=\Ec:sc=\E7:st=\EH:up=\EM:\
 :le=^H:bl=^G:cr=^M:it#8:ho=\E[H:nw=\EE:ta=^I:is=\E)0:\
 :li#24:co#80:am:xn:xv:LP:sr=\EM:al=\E[L:AL=\E[%dL:\
 :cs=\E[%i%d;%dr:dl=\E[M:DL=\E[%dM:dc=\E[P:DC=\E[%dP:\
 :im=\E[4h:ei=\E[4l:mi:IC=\E[%d@:ks=\E[?1h\E=:\
 :ke=\E[?1l\E:vi=\E[?25l:ve=\E[34h\E[?25h:vs=\E[34l:\
 :ti=\E[?1049h:te=\E[?1049l:k0=\E[10~:k1=\EOP:k2=\EOQ:\
 :k3=\EOR:k4=\EOS:k5=\E[15~:k6=\E[17~:k7=\E[18~:\
 :k8=\E[19~:k9=\E[20~:k;=\E[21~:F1=\E[23~:F2=\E[24~:\
 :kh=\E[1~:@1=\E[1~:kH=\E[4~:@7=\E[4~:kN=\E[6~:kP=\E[5~:\
:kI=\E[2~:kD=\E[3~:ku=\EOA:kd=\EOB:kr=\EOC:kl=\EOD:WINDOW=0SHELL=/bin/shPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binLANG=en_GB.UTF-8container=lxc

So it looks like that container environment variable is already set on 
PID1

Regards,
John
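The entries in /proc/1/environ are NUL-terminated, which is why the output above runs together on a terminal (TERM=linuxRD_TIMESTAMP=). The following added example, not part of the original post, splits the block into entries and looks up the container variable. It keeps a value that contains newlines, as TERMCAP does, on a single line so that it cannot be mistaken for a separate entry. The function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse a /proc/<pid>/environ style block, a sequence of
# NAME=value entries each terminated by a NUL byte. Function names are
# hypothetical.

# Emit one entry per line. NUL ends an entry; a newline embedded in a value
# is turned into a space so it cannot begin a line of its own.
environ_lines() {
    tr '\n\000' ' \n' < "$1"
}

# Naive split, for comparison: embedded newlines still break a value apart.
environ_lines_naive() {
    tr '\000' '\n' < "$1"
}

# Read entry lines on stdin and print the value of variable $1.
# Exit status is 1 when the variable is not present.
lookup() {
    awk -v name="$1" '
        { eq = index($0, "=") }
        eq > 1 && substr($0, 1, eq - 1) == name {
            print substr($0, eq + 1); found = 1; exit
        }
        END { exit !found }'
}

# Value of the "container" variable in environ file $1.
container_of() {
    environ_lines "$1" | lookup container
}

# Constructed sample data, modelled on the output in the post:
#   host.environ   - PID 1 on the host, no container variable
#   guest.environ  - PID 1 in the container, multi-line TERMCAP value
#   tricky.environ - a value whose second line looks like an entry
make_samples() {
    printf 'TERM=linux\000RD_TIMESTAMP=\000' > "$1/host.environ"
    printf 'TERM=screen\000TERMCAP=SC|screen:\\\n :li#24:co#80:\000SHELL=/bin/sh\000container=lxc\000' \
        > "$1/guest.environ"
    printf 'TERMCAP=SC:\\\ncontainer=bogus\000container=lxc\000' \
        > "$1/tricky.environ"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for sample in host guest tricky; do
    if value=$(container_of "$demo_dir/$sample.environ"); then
        echo "$sample: container=$value"
    else
        echo "$sample: no container variable set"
    fi
done
echo "tricky, naive split: container=$(environ_lines_naive "$demo_dir/tricky.environ" | lookup container)"
rm -rf "$demo_dir"
```

On a live system the same check is `container_of /proc/1/environ`, which normally needs root because the file is readable only by the owner of PID 1.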






Re: [Lxc-users] systemd inside LXC

2012-10-21 Thread John
On 19/10/12 16:51, Serge Hallyn wrote:

 Add:

 lxc.network.type = empty

 If you don't have any lxc.network.type sections, then the container
 shares network with the host, and so the container talks to the host's
 systemd.  (same with upstart)


Thanks for the reply, I will try that tomorrow. I am sorry I wasn't 
around to check for replies before now. One question though... I 
actually want a separate network in the container (hence using veth) so 
it has its own address distinct from the host. Are you saying that I 
can't do this any more?

I've also read the later replies and they seem to be saying that this 
simply does not work (systemd inside a container). Given its 
proliferation into other distros (I'm on Arch and that's the reason I am 
looking at this now), where does systemd come in the priorities of LXC?

I really hope we can get this working, as LXC has so far worked very 
well for me.

Thanks,
John





[Lxc-users] systemd inside LXC

2012-10-19 Thread John
Hello, I'm in the middle of a migration from init to systemd. I've 
completed the transition of my host environment and my 6 existing 
containers continue to work as expected (they all use sysvinit 
internally). I've started work on a systemd container and am getting 
some odd effects.

First off, if I use systemd-nspawn to start the container, it starts 
fine. I can log in and halt it and all goes as expected. If, however I 
use lxc-start, it clobbers my desktop, which is running in another 
container.

So I have 2 problems: (a) the container does not boot and (b) it manages 
to effect changes in another container.

I've been searching the 'net for most of this morning looking for 
information on using systemd inside a container.

I'm using Arch Linux (3.6.2-1-ARCH) with LXC 0.8.0-rc2. Arch now uses 
systemd by default.

To try to test this, I created a basic container and this exhibits the 
same problems:

$ mkarchroot test base

Starting with systemd-nspawn works fine:
$  systemd-nspawn -D test/ /sbin/init

Starting with LXC does not:
$ lxc-create -n test -f test.conf
$ lxc-start -n test

The file test.conf contains these two lines:

lxc.utsname = test2
lxc.rootfs = /srv/lxc/test

When I start the container in LXC, all that happens is that my X session 
dies (this is running in another container). The X session re-starts but 
the keyboard does not work. I have to connect using another machine to 
kill the test container and re-start my desktop container. I can't see 
anything starting inside the test container.

I'd be grateful for any help and/or pointers in the right direction so I 
can complete this transition to systemd.

Many thanks,
John





Re: [Lxc-users] lxc-execute-ephemeral?

2012-08-24 Thread John
Hello, I am trying to ascertain what the up to date kernel configuration 
options are for LXC and which of those are mandatory and which are optional.

The most reliable information I can find is on the LXC sourceforge site, 
http://lxc.sourceforge.net/man/lxc.htm, and at 
http://lxc.teegra.net/#_configuration_options. However the two sites 
list different options and there are options that I think have been 
deprecated in the kernel.

I have done a quick review and comparison with some running systems and 
pasted my notes at http://pastebin.com/Pj9KPQJp

Would it be possible to get a definitive statement of what the required 
options are ?

If I can assist in any way with updating the man page I'd be happy to help.

All the best,
John





[Lxc-users] LXC Kernel Options

2012-08-24 Thread John
Hello, I am trying to ascertain what the up to date kernel configuration 
options are for LXC and which of those are mandatory and which are optional.

The most reliable information I can find is on the LXC sourceforge site, 
http://lxc.sourceforge.net/man/lxc.htm, and at 
http://lxc.teegra.net/#_configuration_options. However the two sites 
list different options and there are options that I think have been 
deprecated in the kernel.

I have done a quick review and comparison with some running systems and 
pasted my notes at http://pastebin.com/Pj9KPQJp

Would it be possible to get a definitive statement of what the required 
options are ?

If I can assist in any way with updating the man page I'd be happy to help.

All the best,
John





Re: [Lxc-users] linkedin

2012-06-19 Thread John Maclean
How about a g+ group or similar? 

Regards,

John 

On 19 Jun 2012, at 13:52, Papp Tamas tom...@martos.bme.hu wrote:

 hi,
 
 I created a group for LXC on linkedin. If I see well, there is no other 
 group, like this.
 
 Is a project logo available?
 Should an invitation be sent to this list?
 
 Thanks,
 tamas
 


[Lxc-users] containers always seem to lock the host's X session

2012-06-15 Thread John Maclean
Hello all,

I have built lxc from the git hub repo and have been able to create 
containers using the stock templates for fedora. However, whenever I 
start a container it always locks the host's X session.

a - How can I diagnose this?
b - How can I prevent this?

Regards,

John



Re: [Lxc-users] start a debian in lxc with keyboard no response

2012-03-06 Thread John Drescher
 I start a debian os in lxc, the debian has X server. When the debian login
 window shows, I found that my keyboard and mouse don't work,

 I have nothing to do but to reboot my computer. What's wrong with it?


See if ssh works from a different machine and look at the xorg log. I
think this is an xorg problem not lxc. I expect in the log for xorg
you will see a line that says disabling keyboard ..

John



Re: [Lxc-users] nilfs

2012-03-02 Thread John Drescher
 Some people have been testing btrfs on 3.1/3.2 kernels (in ubuntu
 precise) with good results.


I am using 3.1 / 3.2 kernels on 64 bit gentoo with btrfs at work on 2
production servers since ~ November of last year. One holds my lxc
containers for a samba bdc while the other container is a secondary
dns server.

John



[Lxc-users] mounting usbfs inside a container

2012-02-11 Thread John

I am trying to mount /proc/bus/usb inside a container. I have the 
following entry inside my config file:

lxc.mount.entry = none /srv/lxc/mycontainer/proc/bus/usb usbfs auto,listuid=0,listgid=95,listmode=0660,busuid=0,busgid=95,busmode=0770,devuid=0,devgid=95,devmode=0660 0 0

It mounts fine and it works fine except I do not get the permissions 
that I intended. The top level at /proc/bus/usb is correct but the lower 
levels e.g. /proc/bus/usb/001/046 are set to root:root and 644 or 666.

Is this a limitation of LXC, or am I doing something wrong?

Many thanks in advance.

John






[Lxc-users] Problems on ArchLinix

2011-12-04 Thread John
Hello, has anyone experienced problems with LXC on Archlinux in the past 
few days?

I use LXC quite a bit and I have scripted builds for my containers. This 
weekend I rebuilt one of my containers (basically builds with up to date 
stuff using mkinitcpio and pacman) and now when I try to start it it 
clobbers the host. I have to log on from another machine and reboot. I 
have been trying to find out what is wrong and thought I'd post here to 
see if anyone else has experienced problems in the last week.

Everything else is up to date (host updated yesterday, etc). Other 
containers that have not been rebuilt work fine. I think it must be a 
change to boot scripts but I don't know what. Both my older container 
which works and the new one that doesn't have an identical cutdown 
rc.sysinit.

I'm going to keep digging but if anyone has noticed problems recently 
please let me know. I would appreciate it.

Thanks.





[Lxc-users] Fuse inside container on Arch Linux

2011-09-16 Thread John
Hi, has anyone got Fuse working within a container, ideally on Arch 
Linux but guidance from anyone appreciated :)

Firstly, I have an Arch Linux container that is a really old test 
container and many things have been added/removed on the fly over time. 
The container's a mess and I don't know for sure what's been installed 
on it. But, in this container, fuse works fine.

I have a new container that I am trying to build in a controlled manner. 
It contains fuse on a base Arch Linux container. In this container fuse 
does not work.

The error I get is fusermount: mount failed: Operation not permitted.

In both cases I am testing as root to avoid permissioning problems.

Both the above containers are on the same host.

I have the same lxc.conf arguments in both containers for fuse:

lxc.cgroup.devices.allow = c 10:229 rwm

I also added the below (but it made no difference, so not sure if needed):

lxc.mount.entry = fusectl /srv/lxc/mycontainer/sys/fs/fuse/connections fusectl rw,relatime 0 0

In the container, device node exists:

# ls -l /dev/fuse
crw-rw-rw- 1 root root 10, 229 Sep 16 13:23 /dev/fuse

I expect I need to install something else, something that my older 
container has but I can't quite see. If anyone has this working and 
there is anything obvious missing from the above please let me know what 
I've missed...

Thanks,
John





Re: [Lxc-users] Startup scripts [Was: Re: security question]

2011-08-21 Thread John
On 21/08/11 18:01, Gordon Henderson wrote:
 I've been using the file-rc boot script mechanisms rather than the 
 sysv-rc system for LXC containers. That might seem like a step 
 backwards, but actually, it's fine and gives you much finer ( easier 
 IMO) control over what gets started and stopped when a container is 
 booted. Y
Have you tried Arch Linux, Gordon? It uses a BSD-Style init which is what 
I think you mean. I think it's much cleaner and easier to work with. All 
switches are in rc.conf, there isn't loads of rc.runlevel directories 
full of symlinks and you can point your inittab at a lxc-specific 
rc.sysinit and rc.shutdown. This is what I have and it works well. My 
point was about the fact that using a stock rc.shutdown, for example, 
will shut down the host.




Re: [Lxc-users] security question

2011-08-20 Thread John
On 20/08/11 00:42, Stéphane Graber wrote:
 On 08/19/2011 03:54 PM, Ulli Horlacher wrote:
 On Fri 2011-08-19 (15:38), Dong-In David Kang wrote:

 We've found out that inside of an LXC instance, root can insert/remove 
 modules of the host.
 Is it normal?
 If it is doable, an LXC image may corrupt the host system, which is not 
 good in terms of security.
 Put:

 lxc.cap.drop = sys_module

 to your LXC container config file.
 And by the way:

 lxc.cap.drop = sys_admin

 is also a good idea, to prevent that the container root can modify mount
 options, for example set the container filesystem to read-only, which can
 affect ALL containers!
 So, for a more generic answer:

 LXC doesn't pretend to be secure when you run stuff as root inside the
 container. The proposed solutions above will restrict what root can do
 and so may solve a good part of your issues.

 Stuff like echo b  /proc/sysrq-trigger will still be possible until
 we get the user namespaces (that specific example could be blocked by
 some of the security modules though).

 Last week during the LXC/container hackfest in Austin, there's been some
 good progress being done on the user namespace and so we can hope to
 have these eventually implemented in the kernel.

 Until then, I'd recommend not running untrusted software as root in a
 container. It's perfectly safe to run something as a user though.

 For cases where you trust your container user, like development
 environments, it's of course fine running stuff as root and I do that
 everyday.

 Hope that clarifies the current situation :)

Hi, very interested in this. I've been using LXC for a while but only to 
segregate functions on my own servers. I am well aware of how delicate 
the LXC setup is when considering security. For example, unless I 
customise the init scripts a container can bring down the host. The 
above options are new to me and I've just added them to my config (not 
tested yet). I would be interested in reading anything that further 
describes best practices with respect to security to help me understand 
and make my host more immune to a container's rogue or mistaken activities.

I come from prior experience with OpenVZ which was more robust in this 
respect. However I do prefer LXC's simplicity.
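
An added example, not from the thread or the LXC project: a POSIX shell audit that reports which of the capability drops suggested above (`sys_module`, `sys_admin`) a container config lacks. The sample configs are constructed, and treating an empty `lxc.cap.drop =` as clearing earlier drops follows the later lxc.container.conf documentation, which is an assumption for the LXC version discussed here.

```shell
#!/bin/sh
# Added example: audit LXC configs for the capability drops suggested in the thread.

# Capabilities the thread suggests dropping.
REQUIRED_DROPS="sys_module sys_admin"

# dropped_caps FILE: print the effective lxc.cap.drop set, one name per line.
dropped_caps() {
    awk -F= '
        /^[ \t]*#/ { next }                       # skip whole-line comments
        $1 ~ /^[ \t]*lxc\.cap\.drop[ \t]*$/ {
            n = split($2, caps, /[ \t]+/)         # several names per line are allowed
            found = 0
            for (i = 1; i <= n; i++)
                if (caps[i] != "") { drops[caps[i]] = 1; found = 1 }
            # Assumption: an empty value clears every drop listed so far.
            if (!found) for (c in drops) delete drops[c]
        }
        END { for (c in drops) print c }
    ' "$1" | LC_ALL=C sort
}

# missing_drops FILE: print the required capabilities the config does not drop.
# Exit status is 0 when nothing is missing and 1 otherwise.
missing_drops() {
    md_have=$(dropped_caps "$1")
    md_missing=""
    for md_cap in $REQUIRED_DROPS; do
        printf '%s\n' "$md_have" | grep -qxF "$md_cap" ||
            md_missing="$md_missing $md_cap"
    done
    md_missing=${md_missing# }
    [ -n "$md_missing" ] && printf '%s\n' "$md_missing"
    [ -z "$md_missing" ]
}

# write_samples DIR: constructed sample configs covering the edge cases.
write_samples() {
    cat > "$1/hardened.conf" <<'EOF'
lxc.utsname = test2
lxc.rootfs = /srv/lxc/test
lxc.cap.drop = sys_module
lxc.cap.drop = sys_admin mac_admin
EOF
    cat > "$1/partial.conf" <<'EOF'
lxc.utsname = test2
# lxc.cap.drop = sys_admin
lxc.cap.drop = sys_module
EOF
    cat > "$1/reset.conf" <<'EOF'
lxc.cap.drop = sys_module sys_admin
lxc.cap.drop =
lxc.cap.drop = sys_time
EOF
}

main() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for name in hardened partial reset; do
        if m=$(missing_drops "$tmp/$name.conf"); then
            echo "$name.conf: ok"
        else
            echo "$name.conf: missing lxc.cap.drop for: $m"
        fi
    done
    rm -rf "$tmp"
}
main
```

The commented-out line in `partial.conf` and the reset in `reset.conf` are the two cases a plain `grep sys_admin` over the config would get wrong.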



[Lxc-users] lxc-console over ssh

2011-07-27 Thread John
Hi, quick one that is puzzling me. Do the lxc commands work over ssh ?

I am trying to open a console on a remote host. I try this:

$ ssh remote_host lxc-console -n vps_on_remote_host

But I get an error:
lxc-console: '0' is not a tty
lxc-console: failed to setup tios

Other commands work fine like this

$ ssh remote_host lxc-ls

works fine.

$ ssh remote_host lxc-start -n vps_on_remote_host

also works fine but the output (boot messages) don't appear in the ssh 
session. The ssh session appears to hang until the container is closed down.

What am I missing?

In case you're wondering... I can't ssh vps_on_remote_host because it 
isn't set up. The remote_host is in another room making the ssh more 
convenient.

Thanks,
John




Re: [Lxc-users] Problem with network start on Arch Linux (with revised rc.conf)

2011-07-12 Thread John
On 11/07/11 22:24, Joerg Gollnick wrote:

 Hope that helps, best regards Joerg


Thank you Joerg. This forced me to do a bit more checking because your 
rc.sysinit seems to predate the change to the networking (it uses 
ifconfig).

I decided to try removing the line lxc.network.ipv4 from my container 
config and found that this allowed it all to work fine. So, I guess that 
line causes the network address to be added which caused the conflict 
with the container trying to do the same thing. I hope removing that 
line has no other side effects but it seems to work for me.



Re: [Lxc-users] Problem with network start on Arch Linux (with revised rc.conf)

2011-07-11 Thread John
On 29/06/11 10:29, l...@jelmail.com wrote:
 Hi list,

 I've just updated my container config to use the new way of configuring the
 network on Arch Linux. This does not use the net-tools (ifconfig) package
 any more but instead uses ip.

 The container rc.conf file contains the simple static network setup:

 # Static IP example
 interface=eth0
 address=192.168.0.2
 netmask=255.255.255.0
 gateway=192.168.0.1

 The problem I have is that when /etc/rc.d/network tries to add the ip
 address to the network this fails with a RTNETLINK answers: file exists
 and bails out.

 It would appear that the IP address is already added when the script tries
 to do it. This causes it to fail and, therefore, not bother doing anything
 else. This means the routes (default gateway) don't get set up so the
 network is left half-baked.

 Trying to shut down the network (/etc/rc.d/network stop) then fails because
 it can't delete the route that wasn't added (RTNETLINK answers: file not
 found).

 If I comment out the line from /etc/rc.d/network that adds the IP address
 (ip addr add...) everything then works fine when I start the container.
 However, If I manually stop the network, and then manually start the
 network it won't start because the IP address does not get added (due to
 that line being commented out).

 Very strange.

 I wondered if the LXC environment is adding the IP address when the
 container starts and if there is a way to stop this so it just lets the
 container do it ?

 I'm looking for some advice on how to get the network setup working
 correctly on Arch Linux. I may need new init scripts (rc.sysinit,
 rc.shutdown) also.

 Thanks in advance,
 John.

Hello, would anyone please be able to help with my query? I am stuck on 
this and would appreciate guidance...



Re: [Lxc-users] IPv6 Stateless Autoconfig with radvd running on the lxc host

2011-05-23 Thread John Soros
that's a weird BOOLEAN


On Sun, 22 May 2011 15:52:23 +0200
Daniel Lezcano daniel.lezc...@free.fr wrote:

 On 05/22/2011 07:27 AM, Marc Haber wrote:
  On Sat, May 21, 2011 at 10:53:56PM +0200, Daniel Lezcano wrote:
  On 05/21/2011 10:11 PM, Marc Haber wrote:
  On Sat, May 21, 2011 at 10:07:03PM +0200, Daniel Lezcano wrote:
  Is the guest's /proc/sys/net/ipv6/conf/eth0/accept_ra set ?
  It is.
  Can you check by setting the value to '2' and then ifdown/ifup the
  interface ?
  Ok, this is interesting. Two results:
 
  (1)
  With neither setting does the lxc container actively send out Router
  Solicitations. It just sits there waiting for the next Router
  Advertisement, which is only sent out by the radvd every 600
  seconds.
 
 The documentation says:
 
   accept_ra - BOOLEAN
       Accept Router Advertisements; autoconfigure using them.
 
       Possible values are:
           0 Do not accept Router Advertisements.
           1 Accept Router Advertisements if forwarding is disabled.
           2 Overrule forwarding behaviour. Accept Router Advertisements
             even if forwarding is enabled.
 
       Functional default: enabled if local forwarding is disabled.
                           disabled if local forwarding is enabled.
 
 
  (2)
  Only with 2 in /proc/sys/net/ipv6/conf/eth0/accept_ra, the lxc
  container acts on an incoming Router Advertisement, which can be
  forced by restarting the radvd. With accept_ra=2, it accepts the RA
  and properly acts on it, while with accept_ra=1, it just ignores the
  RA.
 
  Greetings
  Marc
 
 
 


Re: [Lxc-users] local routing

2011-05-11 Thread John Soros
Hallo,
Maybe I misunderstand your question, please tell me so.
It seems to me you want to just script this routing stuff, this is
possible in lxc on the host (use lxc.network.script.up), then all you
need is configure properly the network interface in the guest os (in
debian /etc/network/interfaces)
hth
John

ps. I don't want to seem to be aggressively advertising my site, but I
have a similar setup described on http://j.9souldier.org/trunk/lxc/net/

--
The Excuse: TCP/IP UDP alarm threshold is set too low.


On Wed, 11 May 2011 14:40:05 +0200
Ulli Horlacher frams...@rus.uni-stuttgart.de wrote:

 On Wed 2011-05-11 (11:29), Daniel Lezcano wrote:
 
  If you create a bridge, attach the physical interface to it, give
  the bridge the ip address you usually give to eth0, (make sure
  ifconfig eth0 0.0.0.0) and then give an IP address to the container
  on the same network than eth0, that will allow to have your
  container to communicate on the network and the host without
  passing through a gateway.
 
 This is already working. Example (vms2 is the host):
 
 root@vms2:~# lxc -l
 container  size (MB)   start-PIDstatus
 flupp  332025251   running
 ubuntu   490   0   stopped
 vmtest8  4905664   running
 
 root@vms2:~# host vms2
 vms2.rus.uni-stuttgart.de has address 129.69.1.68
 
 root@vms2:~# host flupp
 flupp.rus.uni-stuttgart.de has address 129.69.1.219
 
 root@vms2:~# traceroute flupp
 traceroute to flupp (129.69.1.219), 30 hops max, 60 byte packets
  1  flupp.rus.uni-stuttgart.de (129.69.1.219)  16.533 ms  16.537 ms  16.538 ms
 
 
 But I have other containers on other networks, too. Example:
 
 root@vms2:~# host vmtest8
 vmtest8.rus.uni-stuttgart.de has address 129.69.8.6
 
 root@vms2:~# traceroute vmtest8
 traceroute to vmtest8 (129.69.8.6), 30 hops max, 60 byte packets
  1  ar30a-y2g-rus-1.rus.uni-stuttgart.de (129.69.1.251)  0.674 ms  0.734 ms  0.793 ms
  2  * * *
 
 vmtest8 has no internet connection so far, because the VLAN setup is
 not correct. But this is another problem :-}
 
 Nevertheless the host vms2 should reach the container vmtest8 directly
 (internally) without using an external router.
 
 I can obtain this by setting host routes on vms2 and vmtest8, as I
 have described in my first mail. Then host and container can reach
 each other directly. What I now want is some kind of automatism. I do
 not want to set such host routes manually, every time I use lxc-start.
 
 
 
 
 




Re: [Lxc-users] native (non-NAT) routing?

2011-04-05 Thread John Soros
Hi Ulli,
I have managed to set up routed networking with lxc, it isn't very
different from xen or qemu. I've created a webpage explaining how I did
it: http://j.9souldier.org/trunk/lxc/
Comments are welcome.
John

ps. I think your setup is wrong in that you need to route through the
host and not your router, the host will take care of routing through
the routes that are relevant (i.e. communication between guests
don't need to go through the router).

--
Current excuse: network down, IP packets delivered via UPS


On Mon, 4 Apr 2011 19:35:09 +0200
Ulli Horlacher frams...@rus.uni-stuttgart.de wrote:

 
 My first Ubuntu 10.04 container is up and running on a Ubuntu 10.04
 host, but the container can only connect to the host (and vice
 versa), but not to the world outside.
 
 I saw a lot of configurations for NAT, but I want native routing for
 my containers. 
 
 
 
 My setup is:
 
 host      zoo 129.69.1.39
 container LXC 129.69.1.219
 router        129.69.1.254
 
 In LXC.conf is:
 
 lxc.utsname = LXC
 lxc.network.type = veth
 lxc.network.link = br0
 lxc.network.flags = up
 lxc.network.name = eth0
 lxc.network.mtu = 1500
 lxc.network.ipv4 = 129.69.1.219/24
 
 
 root@LXC:~# route -n
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 129.69.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
 0.0.0.0         129.69.1.254    0.0.0.0         UG    0      0        0 eth0
 
 root@LXC:~# ping -c 1 129.69.1.39
 PING 129.69.1.39 (129.69.1.39) 56(84) bytes of data.
 64 bytes from 129.69.1.39: icmp_seq=1 ttl=64 time=11.5 ms
 
 --- 129.69.1.39 ping statistics ---
 1 packets transmitted, 1 received, 0% packet loss, time 0ms
 rtt min/avg/max/mdev = 11.547/11.547/11.547/0.000 ms
 
 root@LXC:~# ping -c 1 129.69.1.254
 PING 129.69.1.254 (129.69.1.254) 56(84) bytes of data.
 From 129.69.1.219 icmp_seq=1 Destination Host Unreachable
 
 --- 129.69.1.254 ping statistics ---
 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time
 0ms
 
 
 
 root@zoo:~# route -n
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 129.69.1.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
 0.0.0.0         129.69.1.254    0.0.0.0         UG    100    0        0 br0
 
 root@zoo:~# ping -c 1 129.69.1.219
 PING 129.69.1.219 (129.69.1.219) 56(84) bytes of data.
 64 bytes from 129.69.1.219: icmp_seq=1 ttl=64 time=0.058 ms
 
 --- 129.69.1.219 ping statistics ---
 1 packets transmitted, 1 received, 0% packet loss, time 0ms
 rtt min/avg/max/mdev = 0.058/0.058/0.058/0.000 ms
 
 root@zoo:~# ping -c 1 129.69.1.254
 PING 129.69.1.254 (129.69.1.254) 56(84) bytes of data.
 64 bytes from 129.69.1.254: icmp_seq=1 ttl=255 time=0.509 ms
 
 --- 129.69.1.254 ping statistics ---
 1 packets transmitted, 1 received, 0% packet loss, time 0ms
 rtt min/avg/max/mdev = 0.509/0.509/0.509/0.000 ms
 
 root@zoo:~# iptables -n -L
 Chain INPUT (policy ACCEPT)
 target prot opt source   destination
 
 Chain FORWARD (policy ACCEPT)
 target prot opt source   destination
 
 Chain OUTPUT (policy ACCEPT)
 target prot opt source   destination
 
 root@zoo:~# sysctl -a | grep forward
 net.ipv4.conf.all.forwarding = 1
 net.ipv4.conf.all.mc_forwarding = 0
 net.ipv4.conf.default.forwarding = 1
 net.ipv4.conf.default.mc_forwarding = 0
 net.ipv4.conf.lo.forwarding = 1
 net.ipv4.conf.lo.mc_forwarding = 0
 net.ipv4.conf.eth0.forwarding = 1
 net.ipv4.conf.eth0.mc_forwarding = 0
 net.ipv4.conf.br0.forwarding = 1
 net.ipv4.conf.br0.mc_forwarding = 0
 net.ipv4.conf.virbr0.forwarding = 1
 net.ipv4.conf.virbr0.mc_forwarding = 0
 net.ipv4.conf.vethMx2A0v.forwarding = 1
 net.ipv4.conf.vethMx2A0v.mc_forwarding = 0
 net.ipv4.ip_forward = 1
 
 Any debugging hints?
 




Re: [Lxc-users] updated lxc template for debian squeeze - with attachedscript ; )

2011-03-01 Thread John Soros
Hi,
I have tried to find an RFC about this but have failed, instead, the
only (serious/credible) documentation I could find was
http://wiki.xen.org/xenwiki/XenNetworking#head-d5446face7e308f577e5aee1c72cf9d156903722,
so I updated the script accordingly, here is the updated patch.
Again,
Signed-off-by: John Soros joh...@r0x0r.me


--
the router thinks its a printer.


On Fri, 25 Feb 2011 09:03:55 +0100
Jäkel, Guido g.jae...@dnb.de wrote:

 Dear John,
 
  - generate random mac address for the guest so it gets always the
  same lease from a dhcp server
 
 You suggest doing this by
 
   macaddr=$(echo -n 00; hexdump -n 5 -v -e '/1 ":%02X"' /dev/urandom)
 
 
 
 I think this is a little bit too random. The German Wikipedia tells
 at  http://de.wikipedia.org/wiki/MAC-Adresse  about a reserved MAC
 range for private use (sorry, it's not in the corresponding English
 article):
 
   [In addition to the OUI there is also a small address range (IAB
 - Individual Address Block) intended for private individuals and small
 companies and organizations that do not need so many addresses. The
 address begins with 00-50-C2 and is followed by three further hex
 digits (12 bits), which are assigned to each organization. This
 leaves the address range within bits 11 to 0 usable, making
 2^12 = 4096 individual addresses possible.]
 
 
 
 Maybe we should take respect to this and we should use
 
   macaddr=$(echo -n 00:50:C2; hexdump -n 3 -v -e '/1 ":%02X"' /dev/urandom)
 
 for this. Another approach is to derive it from the designated name
 of the container (i.e. $hostname in terms of the script). Because
 there might be typical clustering naming schemes based on a name and
 some digits, I suggest to select the first and the last two
 characters of the hostname (filled by random for the unlikely case of
 a hostname shorter than 3 chars)
 
   echo -n 00:50:C2; echo ${hostname:0:1}${hostname: -2} $(head -c 3 /dev/urandom) | hexdump -n 3 -v -e '/1 ":%02X"'
 
   - 00:50:C2:first:nextlast:last   filled by random
 
 
 
 @Daniel: Because this will have a common use for all, it might be
 included into the lxc-conf parser
 
   [lxc.network.hwaddr: the  interface mac address is
 dynamically allocated by default to the virtual interface ...]
 
 
 We maybe should have a special keyword for a derived semi-static
 MAC that would not change at every startup of the container but may
 be calculated by the formula given above.
 
 
 Guido
 
 

--- /usr/lib/lxc/templates/lxc-debian	2010-08-04 19:27:58.0 +0200
+++ lxc-debian	2011-03-01 18:15:12.895043450 +0100
@@ -66,10 +66,10 @@
 # reconfigure some services
 if [ -z $LANG ]; then
 	chroot $rootfs locale-gen en_US.UTF-8
-	chroot $rootfs update-locale LANG=en_US.UTF-8
+	chroot $rootfs update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
 else
 	chroot $rootfs locale-gen $LANG
-	chroot $rootfs update-locale LANG=$LANG
+	chroot $rootfs update-locale LANG=$LANG LC_ALL=$LANG
 fi
 
 # remove pointless services in a container
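Review bot: Passing LC_ALL to update-locale in both branches makes it a persistent default in the guest, and LC_ALL overrides every other LC_* category, so an individual setting such as LC_TIME or LC_COLLATE is ignored until LC_ALL is cleared again; LANG alone already supplies the default, so I would drop the LC_ALL argument or say in the commit message why the override is needed. The two calls also list the variables in a different order (LC_ALL first in the -z branch, LANG first in the else branch), and $LANG and $rootfs are unquoted in the changed lines.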
@@ -77,6 +77,12 @@
 chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh remove
 chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh remove
 
+# do some adjustment for the final image
+mknod -m 666 $rootfs/dev/tty1 c 4 1
+mknod -m 666 $rootfs/dev/tty2 c 4 2
+mknod -m 666 $rootfs/dev/tty3 c 4 3
+mknod -m 666 $rootfs/dev/tty4 c 4 4
+
 echo root:root | chroot $rootfs chpasswd
 echo Root password is 'root', please change !
 
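Review bot: The four added mknod lines create tty1 to tty4 with mode 666, which leaves the guest's consoles readable and writable by every account in the container; 600, or 620 with group tty, is enough for getty and login. mknod also fails when the node already exists under $rootfs/dev and the result is not checked, so running this over an existing rootfs prints errors and carries on; a loop over 1 2 3 4 with an existence test and a quoted "$rootfs" would cover both, and the comment "do some adjustment for the final image" could say that it creates the console devices.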
@@ -90,7 +96,7 @@
 locales,\
 libui-dialog-perl,\
 dialog,\
-dhcp-client,\
+isc-dhcp-client,\
 netbase,\
 net-tools,\
 iproute,\
@@ -110,7 +116,7 @@
 echo Downloading debian minimal ...
 debootstrap --verbose --variant=minbase --arch=$arch \
 	--include $packages \
-	lenny $cache/partial-$arch http://ftp.debian.org/debian
+	squeeze $cache/partial-$arch http://ftp.debian.org/debian
 if [ $? -ne 0 ]; then
 	echo Failed to download the rootfs, aborting.
 	return 1
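Review bot: The suite name is hard-coded as squeeze in the debootstrap call, while the matching package name (isc-dhcp-client) and cache directory (debian-squeeze) are changed separately in other hunks; a single release variable defined once and used for the suite and the cache path would keep them from drifting apart at the next release. Since the template can then no longer build lenny guests, the commit message should say so.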
@@ -130,13 +136,13 @@
 
 # make a local copy of the minidebian
 echo -n Copying rootfs to $rootfs...
-cp -a $cache/rootfs-$arch $rootfs || return 1
+cp -a $cache/rootfs-$arch/* $rootfs || return 1
 return 0
 }
 
 install_debian()
 {
-cache=/var/cache/lxc/debian
+cache=/var/cache/lxc/debian-squeeze
 rootfs=$1
 mkdir -p /var/lock/subsys/
 (
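Review bot: In the changed copy line, $cache/rootfs-$arch/* depends on shell globbing, which skips any dot-files at the top level of the cached rootfs and needs $rootfs to exist already as a directory; cp -a "$cache/rootfs-$arch/." "$rootfs/" after mkdir -p "$rootfs" copies everything and is safe with spaces in the path. The new cache path /var/cache/lxc/debian-squeeze also leaves any existing /var/cache/lxc/debian behind, which is worth a note for people upgrading.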
@@ -182,8 +188,19

[Lxc-users] updated lxc template for debian squeeze - with attached script ; )

2011-02-24 Thread John Soros
Hello list,
I have edited the lxc-debian script found in the lxc package in squeeze
to install squeeze guests. I have done a few modifications as well, as
the script had a few minor problems (imho).
I'll document the additions I did here (apart from the update from lenny
to squeeze):
 - mknod first four tty devices of the guest
 - generate random mac address for the guest so it always gets the same
   lease from a dhcp server
 - add the network configuration to the guest configuration (otherwise
   the host's network interface is used, which is quite confusing)
 - require a hostname - I don't see what use is a machine that has the
   same hostname as the host os.

Hope this helps someone
(sorry for the repost, I forgot the attachment..)
--
Increased sunspot activity.


lxc-debian-squeeze
Description: Binary data




Re: [Lxc-users] single root io virtualization

2011-02-23 Thread John Drescher
 Many hypervisor based virtualization technologies can use
 single root IO virtualization(SR-IOV) to improve isolation and
 performance of virtual machine.

 Does Linux container also support this?

There is no virtualization with LXC. LXC runs at full host disk
performance. With that said you can simulate what you want by
assigning a separate filesystem per container.

John



Re: [Lxc-users] Container Filesystem in a file (loopback mount)

2010-12-14 Thread John Drescher
 btrfs isn't stable.  When it is, you'll need that kernel (e.g. 2.6.38),
 not just a new btrfs-tools userland.  So basically for production you
 should just be waiting until 12.04 LTS.

I would expect it to be 2.6.42 to 2.6.46, since 2.6.38 is just 3 months away.

John



Re: [Lxc-users] Container Filesystem in a file (loopback mount)

2010-12-14 Thread John Drescher
 Sorry, I pulled .38 out of my arse; I didn't mean to imply it was a
 meaningful number.

I would be happy if it becomes stable by your other guess. I mean
ubuntu 12-04. We shall see.

John



Re: [Lxc-users] Fwd: NFS and SaMBa servers

2010-11-02 Thread John Drescher
 Do you have linux client for your samba server container?

I have not tried mounting the lxc based samba server in any linux machine.

 Do you have users home directories from this server?

Yes. But this is a test box. I have done a little testing but user
shares from this are not in production.

John



Re: [Lxc-users] Problems after udev upgrade

2010-09-27 Thread John Lewis
On 26/09/10 22:29, Papp Tamás wrote:

 John Lewis wrote, On 2010. 09. 26. 22:49:
 No I'm not sure. Mountall was updated at the same time among other
 things. I noticed the fstab in /lib/init got changed and I copied that
 back from the backup on the basis of another post on the list too.

 I'm hoping you guys can tell me where the problem lies. It looks like
 something to do with init as the only services that will start before
 I telinit are the ones that have conf files in /etc/init i.e. mysql
 and ssh.

 I can fully update all of my Lucid container with no problem except
 ifupdown. I had to downgrade it. The problem is with the
 /etc/network/pre-up.d/upstart script.

 Try it please.

 tamas

Tamas

aptitude install ifupdown=0.6.8ubuntu29

did the trick and held the package back with

echo ifupdown hold | dpkg --set-selections

Do you think it will be fixed with a future version of ifupdown?

Thanks for the help,

John.



Re: [Lxc-users] Problems after udev upgrade

2010-09-27 Thread John Lewis
On 27/09/10 10:17, Papp Tamás wrote:

 John Lewis wrote, On 2010. 09. 27. 11:13:
 On 26/09/10 22:29, Papp Tamás wrote:

 John Lewis wrote, On 2010. 09. 26. 22:49:
 No I'm not sure. Mountall was updated at the same time among other
 things. I noticed the fstab in /lib/init got changed and I copied that
 back from the backup on the basis of another post on the list too.

 I'm hoping you guys can tell me where the problem lies. It looks like
 something to do with init as the only services that will start before
 I telinit are the ones that have conf files in /etc/init i.e. mysql
 and ssh.

 I can fully update all of my Lucid container with no problem except
 ifupdown. I had to downgrade it. The problem is with the
 /etc/network/pre-up.d/upstart script.

 Try it please.

 tamas

 Tamas

 aptitude install ifupdown=0.6.8ubuntu29

 did the trick and held the package back with

 echo ifupdown hold | dpkg --set-selections

 Do you think it will be fixed with a future version of ifupdown?


 I already sent a patch, but there was no feedback:/

 tamas

Ok, I've added my own comment to
https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/632764

If anyone else reads this perhaps they could add their own comment,
click the "this bug affects me too" bit and we'll get it fixed sooner
rather than later.

Any idea how I might fix the "lxc-console: console denied by 'server'"
error?

John.



Re: [Lxc-users] Problems after udev upgrade.

2010-09-27 Thread John Lewis
On 27/09/10 13:57, Serge E. Hallyn wrote:
 Quoting John Lewis (jle...@johnlewis.ie):
 Hi All,

 I created a new container the other week using the template script
 bundled with the latest stable version of LXC. I figured it would
 probably be ok to do that even though I only have the userspace tools
 that come with Ubuntu 10.04 (0.6.5 or there abouts).

 I couldn't understand why nothing was getting upgraded after a week or
 two when running apt-get update and found that the updates repository
 wasn't enabled in sources.list. I duly enabled same and the next apt-get
 upgrade installed new versions of udev, mountall, etc. and of course
 failed configuring udev. I got around that issue by using
 http://www.emanuelis.eu/2010/09/15/mknod-lib-udev-devices-ppp-operation-not-permitted-when-updating-ubuntu-10-04-on-virtual-lxc-machine/
 but did not come to reboot the container till last night.

 While it'll likely cause problems at some point, I think the lxc-ubuntu
 template should pin the versions of those packages.  There's probably
 a more maintainable way of handling this - like either having our own
 post-upgrade hooks which undo badness from those packages, or just
 keep a set of lxc package archives.

 After reboot I get lxc-console: console denied by 'server' when trying
 to get console access. I also got a pty error trying to SSH in which was
 fixed by copying an older /etc/init from backup.

 The main problem I have now is that init isn't booting the runlevel
 properly and I have to type telinit 2 from inside the container to get
 all the services come up. Can anyone help me please?

 Search the archives for udev, someone had this problem before and
 documented the fix.

 -serge

And FYI:

echo udev hold | dpkg --set-selections

as per
http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00670.html
wouldn't hold udev back for me. I used Emanuelis' method from
http://www.emanuelis.eu/2010/09/15/mknod-lib-udev-devices-ppp-operation-not-permitted-when-updating-ubuntu-10-04-on-virtual-lxc-machine/
to get around the udev upgrade problem.

John.



Re: [Lxc-users] Problems after udev upgrade.

2010-09-27 Thread John Lewis
Thanks for the reply Serge, but Tamas told me how to work around the 
init issue by downgrading ifupdown.

John.

On 27/09/10 13:57, Serge E. Hallyn wrote:
 Quoting John Lewis (jle...@johnlewis.ie):
 Hi All,

 I created a new container the other week using the template script
 bundled with the latest stable version of LXC. I figured it would
 probably be ok to do that even though I only have the userspace tools
 that come with Ubuntu 10.04 (0.6.5 or there abouts).

 I couldn't understand why nothing was getting upgraded after a week or
 two when running apt-get update and found that the updates repository
 wasn't enabled in sources.list. I duly enabled same and the next apt-get
 upgrade installed new versions of udev, mountall, etc. and of course
 failed configuring udev. I got around that issue by using
 http://www.emanuelis.eu/2010/09/15/mknod-lib-udev-devices-ppp-operation-not-permitted-when-updating-ubuntu-10-04-on-virtual-lxc-machine/
 but did not come to reboot the container till last night.

 While it'll likely cause problems at some point, I think the lxc-ubuntu
 template should pin the versions of those packages.  There's probably
 a more maintainable way of handling this - like either having our own
 post-upgrade hooks which undo badness from those packages, or just
 keep a set of lxc package archives.

 After reboot I get lxc-console: console denied by 'server' when trying
 to get console access. I also got a pty error trying to SSH in which was
 fixed by copying an older /etc/init from backup.

 The main problem I have now is that init isn't booting the runlevel
 properly and I have to type telinit 2 from inside the container to get
 all the services come up. Can anyone help me please?

 Search the archives for udev, someone had this problem before and
 documented the fix.

 -serge



[Lxc-users] Problems after udev upgrade.

2010-09-26 Thread John Lewis
Hi All,

I created a new container the other week using the template script 
bundled with the latest stable version of LXC. I figured it would 
probably be ok to do that even though I only have the userspace tools 
that come with Ubuntu 10.04 (0.6.5 or there abouts).

I couldn't understand why nothing was getting upgraded after a week or 
two when running apt-get update and found that the updates repository 
wasn't enabled in sources.list. I duly enabled same and the next apt-get 
upgrade installed new versions of udev, mountall, etc. and of course 
failed configuring udev. I got around that issue by using 
http://www.emanuelis.eu/2010/09/15/mknod-lib-udev-devices-ppp-operation-not-permitted-when-updating-ubuntu-10-04-on-virtual-lxc-machine/
 
but did not come to reboot the container till last night.

After reboot I get lxc-console: console denied by 'server' when trying 
to get console access. I also got a pty error trying to SSH in which was 
fixed by copying an older /etc/init from backup.

The main problem I have now is that init isn't booting the runlevel 
properly and I have to type telinit 2 from inside the container to get 
all the services come up. Can anyone help me please?

-- 
John Lewis



Re: [Lxc-users] Problems after udev upgrade

2010-09-26 Thread John Lewis
On 26/09/10 15:07, Papp Tamás wrote:

 John Lewis wrote, On 2010. 09. 26. 15:46:
 Hi All,

 I created a new container the other week using the template script
 bundled with the latest stable version of LXC. I figured it would
 probably be ok to do that even though I only have the userspace tools
 that come with Ubuntu 10.04 (0.6.5 or there abouts).

 I couldn't understand why nothing was getting upgraded after a week or
 two when running apt-get update and found that the updates repository
 wasn't enabled in sources.list. I duly enabled same and the next
 apt-get upgrade installed new versions of udev, mountall, etc. and of
 course failed configuring udev. I got around that issue by using
 http://www.emanuelis.eu/2010/09/15/mknod-lib-udev-devices-ppp-operation-not-permitted-when-updating-ubuntu-10-04-on-virtual-lxc-machine/
 but did not come to reboot the container till last night.

 After reboot I get lxc-console: console denied by 'server' when
 trying to get console access. I also got a pty error trying to SSH in
 which was fixed by copying an older /etc/init from backup.

 The main problem I have now is that init isn't booting the runlevel
 properly and I have to type telinit 2 from inside the container to
 get all the services come up. Can anyone help me please?


 Are you sure, the problem is with udev?

 tamas

No I'm not sure. Mountall was updated at the same time among other 
things. I noticed the fstab in /lib/init got changed and I copied that 
back from the backup on the basis of another post on the list too.

I'm hoping you guys can tell me where the problem lies. It looks like 
something to do with init as the only services that will start before I 
telinit are the ones that have conf files in /etc/init i.e. mysql and ssh.



Re: [Lxc-users] udev

2010-07-30 Thread John Drescher
On Fri, Jul 30, 2010 at 7:50 PM, Osvaldo Filho arquivos...@gmail.com wrote:
 Environment:
 ===

 Host:
 Ubuntu 10.04 x64
 Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
 lxc 0.7.1-1

 r...@srvltsp01:/home/lxc/lucid64# cat config.lucid-64
 lxc.utsname = lucid64
 lxc.tty = 4
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.name = eth0
 lxc.network.mtu = 1500
 lxc.network.ipv4 = 192.168.10.0/24
 lxc.rootfs = ./rootfs
 lxc.cgroup.devices.deny = a
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
 # consoles
 lxc.cgroup.devices.allow = c 5:1 rwm
 lxc.cgroup.devices.allow = c 5:0 rwm
 lxc.cgroup.devices.allow = c 4:0 rwm
 lxc.cgroup.devices.allow = c 4:1 rwm
 # /dev/{,u}random
 lxc.cgroup.devices.allow = c 1:9 rwm
 lxc.cgroup.devices.allow = c 1:8 rwm
 # /dev/pts/* - pts namespaces are coming soon
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
 lxc.cgroup.devices.allow = c 254:0 rwm

 

 Guest:
 Ubuntu 10.04 x64
 Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2

 # df:

 Filesystem           1K-blocks      Used Available Use% Mounted on
 /dev/sda3            134574116  19345080 108392980  16% /
 varrun                 3056840        20   3056820   1% /var/run
 varlock                3056840         0   3056840   0% /var/lock
 none                   3056840         0   3056840   0% /dev/shm
 none                   3056840         0   3056840   0% /lib/init/rw

 ===

 When i do a system upgrade on container i have problems:

 --- Problems --

 r...@localhost:/# apt-get -f install
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
 2 not fully installed or removed.
 After this operation, 0B of additional disk space will be used.
 Setting up udev (151-12) ...
 mknod: `/lib/udev/devices/ppp': Operation not permitted
 dpkg: error processing udev (--configure):
  subprocess installed post-installation script returned error exit status 1
 dpkg: dependency problems prevent configuration of plymouth:
  plymouth depends on udev (= 149-2); however:
  Package udev is not configured yet.
 dpkg: error processing plymouth (--configure):
  dependency problems - leaving unconfigured
 No apport report written because the error message indicates its a
 followup error from a previous failure.
 Errors were encountered while processing:
  udev
  plymouth
 E: Sub-process /usr/bin/dpkg returned an error code (1)


On Gentoo, I completely remove udev from the guest and go with a static
/dev. Not sure how to do that on other systems.

-- 
John M. Drescher
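
As an added example (not part of the thread and not LXC's own code), the following checks a device request against the lxc.cgroup.devices.* lines of a config such as the one quoted above; c 108:0 matches no allow rule there, which is consistent with the quoted mknod error for /lib/udev/devices/ppp. The sample config is reconstructed from that quote, 108:0 is the standard Linux device number for /dev/ppp, and the function names are hypothetical.

```shell
# Added example (not from the thread): evaluate a device request against the
# lxc.cgroup.devices.* lines of a container config, cgroup v1 style.
# Simplified model: "deny = a" empties the allowlist and every "allow" line
# adds one rule; other deny rules are not modelled and return status 2.

# Constructed sample: the device lines of the config quoted in the thread.
sample_config() {
cat <<'EOF'
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 254:0 rwm
EOF
}

# True when the rule field is the wildcard or equals the requested value.
field_matches() { [ "$1" = "*" ] || [ "$1" = "$2" ]; }

# True when every access letter in $2 (r, w, m) is granted by $1.
access_subset() {
    granted=$1 wanted=$2
    while [ -n "$wanted" ]; do
        letter=${wanted%"${wanted#?}"}        # first character
        wanted=${wanted#?}
        case $granted in *"$letter"*) ;; *) return 1 ;; esac
    done
}

# dev_verdict TYPE MAJOR MINOR ACCESS   (config is read from stdin)
# Prints the deciding rule; returns 0 = allowed, 1 = denied, 2 = unsupported.
dev_verdict() {
    want_type=$1 want_major=$2 want_minor=$3 want_access=$4
    # With no deny line, the container keeps the parent's "a *:* rwm".
    verdict="allowed by inherited rule: a *:* rwm"
    while IFS= read -r line; do
        line=${line%%#*}                      # drop comments
        case $line in
            *lxc.cgroup.devices.deny*=*|*lxc.cgroup.devices.allow*=*) ;;
            *) continue ;;
        esac
        set -f                                # rule fields may contain "*"
        set -- ${line#*=}
        set +f
        rtype=$1 rdev=${2:-*:*} raccess=${3:-rwm}
        case ${line%%=*} in
            *deny*)
                [ "$rtype" = "a" ] || { echo "unsupported: $line"; return 2; }
                verdict="denied: no allow rule matches" ;;
            *allow*)
                if { [ "$rtype" = "a" ] || [ "$rtype" = "$want_type" ]; } &&
                   field_matches "${rdev%%:*}" "$want_major" &&
                   field_matches "${rdev#*:}" "$want_minor" &&
                   access_subset "$raccess" "$want_access"; then
                    verdict="allowed by: $rtype $rdev $raccess"
                fi ;;
        esac
    done
    echo "$verdict"
    case $verdict in allowed*) return 0 ;; *) return 1 ;; esac
}

# /dev/ppp is char 108:0 (standard Linux device number, not from the thread).
sample_config | dev_verdict c 108 0 m || true     # mknod of ppp
sample_config | dev_verdict c 1 3 rw || true      # read/write /dev/null
```

Running the same check before adding an allow line shows exactly which devices a container gains, which keeps the allowlist as narrow as the workload needs.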



Re: [Lxc-users] Reboot from container

2010-06-18 Thread John Drescher
 I gave a reboot command (accidently) from container. Although it did
 not reboot the system, it made it less functional. All the vtys were
 closed and could not open any new terminal. Had to reboot the system
 to make it functional again.

 Have any one seen such behavior ? This is with 2.6.32 kernel.


I believe that was fixed with the latest lxc-0.7.0 release.

John



Re: [Lxc-users] Best way to move a container

2010-05-07 Thread John Lewis
I'll tell you what I've found by looking through the list archives and 
this time I won't include my signature ;)

The mtab of the container had the root filesystem from the host in. This
appeared to be causing at least 1 issue in that files would have
incorrect ownership (perhaps because looking at host's /etc/passwd rather
than container's?). Maybe this is the cause of the problems?

On 07/05/10 11:12, Papp Tamás wrote:

 John Lewis wrote, On 2010. 05. 07. 11:28:
 Hi Guys,

 I am trying to move an LXC container from one machine to another. Can
 you recommend the best way to do that.

 I have tried rsyncing but some strange things seem to be happening
 like mysql being available on localhost but the wordpress sites on the
 same machine trying to connect to localhost can't :(

 hi John,

 What rsync options did you use?

 tamas





Re: [Lxc-users] NON-VT Hardware vs VT Hardware

2010-03-30 Thread John Drescher
 NON-VT Hardware vs VT Hardware
 Any advantage?


Not with this type of virtualization. Guests run at near 100% native on either.

John
