Re: [lxc-users] Hint for CentOS 7 guests in Debian stretch with KAISER/KPTI kernel

2018-01-21 Thread Christoph Lechleitner
On 20.01.18 at 13:17, Harald Dunkel wrote:
> On 01/11/18 17:19, Christoph Lechleitner wrote:
>> Hi everybody!
>>
>> After this cost me an afternoon I thought I should share the solution
>> here ;-)
>>
>> We are running multiple LXC hosts with Debian jessie resp. stretch,
>> using sysv-init over systemd in the host system.
>>
>> 99% of the guest systems are Debian too, but we also have guests with
>> CentOS 6 and 7 (one each) for development.
>>
>> After upgrading the host system from Debian Jessie (with kernel 4.0.x
>> from jessie-backports) to Debian stretch with kernel 4.9.65-3+deb9u2
>> (includes KAISER patches AKA KPTI against meltdown), our CentOS 7 guest
>> were half broken.
>>
> 
> I have a similar setup. My suggestion:
> 
> If systemd is not installed on the host, then you should consider
> installing the cgmanager package, together with a backport of lxc 2.0.9.
> I cannot recommend to add cgroup to your /etc/fstab.

Can you elaborate please?

LXC 2.0.9 would mean using something from Debian testing on our
production servers, I don't do that lightly.

What's the problem with satisfying stupid CentOS 7 with a cgroup mount?
That proposal is actually linked on Debian's wiki page on LXC btw.

Why cgroupmanager?
It is actually deprecated according to https://linuxcontainers.org/

Regards, Christoph
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] lxc 2.0: howto inherit ulimits from the host?

2018-01-21 Thread Dirk Geschke
Hi Harald,

> I am running lxc 2.0.9 on Stretch. The (privileged) container
> runs Oracle Linux 7.4. Problem: I get some very restricted
> ulimits in the container (e.g. nofile hard 8192), even though
> the limits for root and "*" on the host are set to much higher
> values. On the host the limits are fine.
> 
> If I set the expected limits in lxc1:/etc/security/limits.d/\
> local.conf, then ssh to this container fails. ssh just says
> "Connection closed", exit value is 254. So apparently setting
> the limits in the container is not an option.
> 
> Is there some way to get around this mess? I saw that lxc 2.1
> provides new lxc.prlimit config options, but AFAIU *privileged*
> containers should inherit the limits and should be fine with a
> local limits.conf.

did you try to increase the limits via ulimit before starting the
container? At least, this works with unprivileged containers...

Best regards

Dirk
-- 
+--+
| Dr. Dirk Geschke   / Plankensteinweg 61/ 85435 Erding|
| Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
| d...@geschke-online.de / d...@lug-erding.de  / kont...@lug-erding.de |
+--+