Re: [Lxc-users] start ubuntu in a lxc?

2012-03-05 Thread Fajar A. Nugraha
2012/3/6 陈竞 cj.mag...@gmail.com:
 I see that we can start a ubuntu in a lxc. So when ubuntu do block io
 operation, what does it really do, since it does not simulate hardware?

All OS running in lxc containers shares the same kernel with the
host. The kernel performs the necessary i/o operation.

From the host perspective, the io operation is treated just like any
normal io operation from a normal running process.

 And what the real difference between kvm and lxc, since we can start a os in
 lxc?

I like to think of lxc as chroot with steroids. The host shares the
same kernel and part of the filesystem with the guest (or rather, the
host sees all guests' filesystem). It's different from normal chroot
in:
- guests can only see their own processes
- guests have their own ip address, can be on different logical subnet
from the host
- guests have some additional limits (e.g. memory, cpu share) imposed on them

kvm is a full-blown virtualization setup, where each guest OS can have
its own kernel, or even running non-linux OS (e.g. windows).

-- 
Fajar

___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users


Re: [Lxc-users] Ubuntu 12.04 linux-container package and init modifications

2012-03-06 Thread Fajar A. Nugraha
On Wed, Mar 7, 2012 at 10:45 AM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Fajar A. Nugraha (l...@fajar.net):
 # cat /etc/init/lxc-lo.conf
 start on startup
 env container

 pre-start script
         if [ x$container != xlxc -a x$container != xlibvirt ];
 then
                 stop;
         fi
         initctl start network-interface INTERFACE=lo
         exit 0;
 end script


 So now the modifications (both from lxcguest and my local addition)
 are all new .conf files, which would be ignored if it's not started in
 lxc environment. Might try 12.04 container later.

 If your guest is up to date 12.04, you should have

 /etc/init/network-interface-container.conf

 from the ifupdown package which emits that signal for you.  You shouldn't need
 your own lxc-lo.conf any more.

What is Canonical's plan for older guests? Will
network-interface-container.conf be backported to lxc-guest, or will
manual configuration still be necessary?

-- 
Fajar



Re: [Lxc-users] how to configure lxc's route table without route cmd?

2012-03-06 Thread Fajar A. Nugraha
2012/3/7 陈竞 cj.mag...@gmail.com:
 i start a container with virtual network without configuring route,  i
 wonder if i can configure route table according to

 lxc configure file or changing some file in host os. i dont want to execute
 route command in lxc.

IMHO it's easier to:
- create bridged networking + NAT on host
- use dhcp on guest
- use iptables on host to restrict guest access, if needed

-- 
Fajar



Re: [Lxc-users] how to start sshd service in application container?

2012-03-07 Thread Fajar A. Nugraha
2012/3/7 陈竞 cj.mag...@gmail.com:
 we know that we can start sshd in system container.

You mean the host?

 However can we start
 sshd in application container?


You mean the guest? Sure.

 since the application container has virtual network configuration.

Just start it like you usually do from inside the container.

In fact, if you're using Ubuntu (tested on 12.4 anyway) for the guest,
and it was created with lxc-create, then it should have sshd enabled
by default.

If you're having problems look at the guest's log. Last time I was
having problems with Centos5 guest and sshd it was because the guest's
/dev/null is a FILE instead of a character device.

-- 
Fajar



Re: [Lxc-users] Upgrade distribution

2012-03-07 Thread Fajar A. Nugraha
2012/3/7 Miroslav Lednicky miroslav.ledni...@fnusa.cz:
 Hello,

        i have question about LXC in Ubuntu.

 Is it possible to do upgrade system inside LXC?

  From 10.04 to 12.04 for example.

If you can upgrade it on a normal installation, then you should be
able to do it inside lxc.


 Did somebody try it?

IIRC last time I tested it was for natty - oneiric

-- 
Fajar



Re: [Lxc-users] Can we run Ubuntu template on RHEL6?

2012-03-07 Thread Fajar A. Nugraha
On Thu, Mar 8, 2012 at 9:07 AM, Allen Elliott allen303al...@gmail.com wrote:
 在 2012年3月7日星期三,Mauras Olivier oliver.mau...@gmail.com 写道:
 On Wed, Mar 7, 2012 at 3:16 PM, Allen Elliott allen303al...@gmail.com

 It seems fine most of time, except the connection, I can't connect to
 the guest OS from the host with ssh, and also can't connect to the
 guest OS from other machine with putty nor winscp nor vnc(I set up a
 net bridge and can ping Ubuntu from outside, so the network is ok). It
 seems the guest OS itself refused the connections.

 What are your guest logs saying?

 I didn't find any useful information in /var/log/ , maybe the guest didn't
 record it? How can I get that log?

I'd go another way.
- try looking at selinux settings on the guest (just in case), make
sure it's disabled
- make sure firewall in the guest is disabled (again, just in case)
- upgrade host's kernel to the latest stable: http://elrepo.org/tiki/kernel-ml

-- 
Fajar



Re: [Lxc-users] failed to rename cgroup ?

2012-03-07 Thread Fajar A. Nugraha
2012/3/8 陈竞 cj.mag...@gmail.com:
 i am running gentoo in my host

What kernel are you using? Ubuntu precise uses 3.2, which works just
fine. Gentoo should have latest stable available as well.

-- 
Fajar



Re: [Lxc-users] Ubuntu 12.04 container non-root logins fail

2012-03-08 Thread Fajar A. Nugraha
On Fri, Mar 9, 2012 at 10:34 AM, Thaddeus Hogan thadd...@thogan.com wrote:
 When I start this container everything is working fine. However I don't
 want my containers in /var/lib/lxc (ext4 fs) so I copy the rootfs to a
 btrfs volume mounted to /vm, into a subvolume that shares its name
 with the container, test2.

Sometimes it's the "I want to make a small change, it should still
work" stuff that's giving you a headache. Seriously :)

 I ran strace on the su process and you can see that it proceeds fine all
 the way though to the setuid() call, but then cannot chdir() to
 /home/tjh, or even to /!

 setuid(1000)                            = 0
 chdir("/home/tjh")                      = -1 EACCES (Permission denied)
 chdir("/")                              = -1 EACCES (Permission denied)
 write(2, "Unable to cd to '/home/tjh'\n", 28Unable to cd to '/home/tjh')
 = 28

 Any thoughts? I was banking on using a btrfs volume for my containers.

I'm guessing you create a btrfs subvolume for the container? If yes,
check its permissions. By default, the new subvolume will only be
accessible to root. A simple chmod 755 should fix it.

I'm using btrfs subvols as well, but in my case /var/lib/lxc itself is
a subvol, and the containers have their own subvols under it.

-- 
Fajar



Re: [Lxc-users] Installing Centos6 lxc guests under CentOS6 hosts

2012-03-10 Thread Fajar A. Nugraha
On Sat, Mar 10, 2012 at 6:57 PM, carlopmart carlopm...@gmail.com wrote:
 Hi all,

   I am trying to install a centos 6.2 container under centos 6.2 host
 using libvirt and virt-manager. I have selected OS Container option,
 but when I try to launch this guest virt-manager returns me this error:

 PATH=/sbin:/usr/sbin:/bin:/usr/bin LIBVIRT_DEBUG=3
 LIBVIRT_LOG_OUTPUTS=3:stderr /usr/libexec/libvirt_lxc --name mysqlsrv
 --console 20 --handshake 23 --background --veth veth1 PATH=/bin:/sbin
 TERM=linux LIBVIRT_LXC_UUID=41bfb51b-294e-1ba9-16c9-fc2e3a345ff6
 LIBVIRT_LXC_NAME=mysqlsrv /sbin/init
 16:39:23.115: 1: info : libvirt version: 0.9.4, package: 23.el6_2.6
 16:39:23.115: 1: error : lxcContainerChild:896 : cannot find init path
 '/sbin/init' relative to container root: No such file or directory

Where is the container root? Do you have /sbin/init there?


  I have followed these instructions: http://libvirt.org/drvlxc.html
 and
 http://berrange.com/posts/2011/09/27/getting-started-with-lxc-using-libvirt/

  I have tried to do the same using rhel6.2 instead of centos 6.2 and
 results are the same ...

  What am I doing wrong?? Do I need to copy all host files to this
 guest??

At minimum, the guest should have /sbin/init under its own root. On
the last link you gave, see "A private root filesystem with busybox"
for a very-simplified example.

If you want a full-blown installation, then yes, you need to have a
working OS installation in the guest. This can be created with yum, or
copying from existing system, or using templates.

 If yes, then, how can I apply security updates to lxc guests??

The way you do on normal system: yum update. ON THE GUEST.

FWIW, the upcoming Ubuntu 12.04 will have excellent lxc support for
both host and guest, with lxc command line tools (lxc-create,
lxc-start, lxc-console, etc). Other systems might require more effort
to get a fully working container. And to be honest, I'm not sure how
good Centos 6.2 would function as a host due to somewhat-old 2.6.32
kernel.

I have a short howto on how to create Centos5 guest:
http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/5 . Haven't
had time to create one for Centos6 guest yet, but at least the above
should give an idea of how to install a guest manually. You might also
want to look at templates/lxc-fedora from the latest userspace tools
tarball (http://lxc.sourceforge.net/download/lxc/)

-- 
Fajar
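
A preflight check for a container root filesystem, added here as an example (it is not code from the thread or from the lxc project). It covers three guest-side failures reported in this archive: a missing /sbin/init (this message), a /dev/null that is a regular file (the sshd message), and a root directory only root can enter (the btrfs message). The function names and the use of GNU `stat -c %a` are assumptions of the example.

```shell
#!/bin/sh
# Added example: sanity checks on a container rootfs, run on the host
# before starting the guest. Function names are hypothetical.

# other_can_search DIR -> true when the "other" permission class has the
# x bit on DIR, i.e. a non-root uid inside the guest can chdir() into it.
other_can_search() {
    mode=$(stat -c %a "$1") || return 1     # GNU stat, octal mode such as 755
    case ${mode#"${mode%?}"} in             # last octal digit = "other" bits
        1|3|5|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_rootfs ROOT
# Prints one line per problem and returns the number of problems found.
check_rootfs() {
    root=${1%/}
    [ -n "$root" ] || root=/
    problems=0
    report() { echo "$root: $1"; problems=$((problems + 1)); }

    if [ ! -d "$root" ]; then
        report "not a directory"
        return "$problems"
    fi

    # 1. The guest needs its own init. A symlink is accepted as present,
    #    because an absolute link target cannot be resolved from the host.
    [ -x "$root/sbin/init" ] || [ -L "$root/sbin/init" ] ||
        report "no executable /sbin/init"

    # 2. /dev/null must be a character device. A regular file here breaks
    #    daemons such as sshd and silently collects whatever is written to it.
    [ -c "$root/dev/null" ] ||
        report "/dev/null is not a character device"

    # 3. The guest's "/" is this directory. With mode 700 (the default for a
    #    new btrfs subvolume, per the thread) every non-root login fails.
    other_can_search "$root" ||
        report "root directory is not searchable by non-root users"

    return "$problems"
}

# Usage: check_rootfs /var/lib/lxc/NAME/rootfs || echo "fix the above first"
```
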



Re: [Lxc-users] Installing Centos6 lxc guests under CentOS6 hosts

2012-03-10 Thread Fajar A. Nugraha
On Sat, Mar 10, 2012 at 10:11 PM, carlopmart carlopm...@gmail.com wrote:
 Many thanks Fajar. I am trying to build a new CentOS 6 image, but when I
 try to launch my lxc guest via virt-manager stops in Enabling
 /etc/swaps:     [OK] ... and no go.

 My lxc guest fstab is:

 rootfs          /               tmpfs   defaults                0 0
 devpts          /dev/pts        devpts  gid=5,mode=620          0 0
 sysfs           /sys            sysfs   defaults                0 0
 proc            /proc           proc    nodev,noexec,nosuid     0 0
 tmpfs           /dev/shm        tmpfs   defaults                0 0

Try:
- creating /etc/init/console.conf, which is basically tty.conf but
with device hardcoded to console
- creating /etc/init/container-init.conf, which contains:

start on startup
pre-start script
   init 2  init 3
   exit 0;
end script


It's a big hack, but if it works we can create a proper one
-- 
Fajar



Re: [Lxc-users] Installing Centos6 lxc guests under CentOS6 hosts

2012-03-10 Thread Fajar A. Nugraha
On Sun, Mar 11, 2012 at 6:02 AM, Fajar A. Nugraha l...@fajar.net wrote:
 On Sat, Mar 10, 2012 at 10:11 PM, carlopmart carlopm...@gmail.com wrote:
 Many thanks Fajar. I am trying to build a new CentOS 6 image, but when I
 try to launch my lxc guest via virt-manager stops in Enabling
 /etc/swaps:     [OK] ... and no go.

 My lxc guest fstab is:

 rootfs          /               tmpfs   defaults                0 0
 devpts          /dev/pts        devpts  gid=5,mode=620          0 0
 sysfs           /sys            sysfs   defaults                0 0
 proc            /proc           proc    nodev,noexec,nosuid     0 0
 tmpfs           /dev/shm        tmpfs   defaults                0 0

 Try:
 - creating /etc/init/console.conf, which is basically tty.conf but
 with device hardcoded to console
 - creating /etc/init/container-init.conf, which contains:

 start on startup
 pre-start script
       init 2  init 3
       exit 0;
 end script


 It's a big hack, but if it works we can create a proper one


This is on the container's filesystem, in case it's not obvious already :)



Re: [Lxc-users] Ubuntu template questions

2012-03-10 Thread Fajar A. Nugraha
On Sun, Mar 11, 2012 at 3:08 AM, Papp Tamas tom...@martos.bme.hu wrote:
 Are these questions or requests somehow not good?
 I'm really interested in them:)

I'm guessing that while your suggestions are valid, most of which are
related to guest creation and the template scripts. Since the existing
ones work, I imagine modifying them would be low priority on the dev's
todo list.

If you submit a patch, however, you might get a better response.

-- 
Fajar



Re: [Lxc-users] Ubuntu template questions

2012-03-13 Thread Fajar A. Nugraha
On Wed, Mar 14, 2012 at 2:04 AM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Papp Tamas (tom...@martos.bme.hu):

 One more, I think very important question.
 Still there is no nice stop method in init configuration:


      for f in /etc/lxc/auto/*; do
          c=$(basename $f .conf)
          lxc-stop -n $c || true
      done

 Sorry, I don't understand.  What you show is done in /etc/init/lxc.conf.
 What is your question about it?

I think he means "can you use something there that gracefully shuts
down a container, instead of forcing it to stop". In xen there's "xm
shutdown" vs "xm destroy", while in lxc there's only "lxc-stop", and
no (e.g.) "lxc-shutdown".

-- 
Fajar



Re: [Lxc-users] Ubuntu template questions

2012-03-14 Thread Fajar A. Nugraha
On Wed, Mar 14, 2012 at 1:49 PM, Daniel Baumann
daniel.baum...@progress-technologies.net wrote:
 On 03/14/2012 02:37 AM, Serge Hallyn wrote:
 That unfortunately won't work with upstart in the host and guest.

 too bad then.

 since i have absolutely no clue about upstart at all.. i just hope there
 can be found/made an equivalent of telinit, otherwise that seems like
 quite a disadvantage of upstart, or, is running ubuntu with sysvinit
 still supported?

Can the host send a signal to the init's container? If yes, sysvinit
responds to SIGINT. Does upstart behave the same (e.g. process
control-alt-delete.conf when the signal is received)? It's set to
reboot by default, but perhaps there's some other signal that we can
use for shutdown?

-- 
Fajar



Re: [Lxc-users] Ubuntu template questions

2012-03-14 Thread Fajar A. Nugraha
On Wed, Mar 14, 2012 at 1:58 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Wed, Mar 14, 2012 at 1:49 PM, Daniel Baumann
 daniel.baum...@progress-technologies.net wrote:
 On 03/14/2012 02:37 AM, Serge Hallyn wrote:
 That unfortunately won't work with upstart in the host and guest.

 too bad then.

 since i have absolutely no clue about upstart at all.. i just hope there
 can be found/made an equivalent of telinit, otherwise that seems like
 quite a disadvantage of upstart, or, is running ubuntu with sysvinit
 still supported?

 Can the host send a signal to the init's container? If yes, sysvinit
 responds to SIGINT. Does upstart behave the same (e.g. process
 control-alt-delete.conf when the signal is received)? It's set to
 reboot by default, but perhaps there's some other signal that we can
 use for shutdown?

After some experiments, upstart ignores SIGPWR, but still listens to
SIGINT, and killing the process from the host works. So modifying the
container's control-alt-delete.conf to run shutdown -h instead of
shutdown -r can let the host tell the guest to shutdown cleanly.

-- 
Fajar



Re: [Lxc-users] Ubuntu template questions

2012-03-14 Thread Fajar A. Nugraha
On Wed, Mar 14, 2012 at 3:17 PM, Jäkel, Guido g.jae...@dnb.de wrote:
 Dear Fajar,

 i just googled  http://www.makelinux.net/man/7/P/power-status-changed  . 
 There's written:

        This event is not handled in the default Upstart configuration.


 For control-alt-delete, the corresponding sentence states:

        In the default Upstart configuration handling of this event is 
 provided by the /etc/init/control-alt-delete.conf task which runs the 
 shutdown(8) tool.


 This sounds to me like in the current version of upstart the suggested 
 patches to add a SIGPWR handler are included and there's just a script 
 missing. I don't have a Ubuntu available; maybe a simple  
 power-status-changed.conf  will already do all the magic???

Good catch :D

$ cat power-status-changed.conf
start on power-status-changed

task
exec shutdown -h now Power Down


That, plus an lxc-ps and kill -PWR from the host, was able to shutdown
the guest cleanly with minimal change to the guest.

-- 
Fajar



Re: [Lxc-users] Ubuntu template questions

2012-03-14 Thread Fajar A. Nugraha
On Thu, Mar 15, 2012 at 10:02 AM, Serge Hallyn
serge.hal...@canonical.com wrote:
 On 03/14/2012 03:23 AM, Fajar A. Nugraha wrote:
 On Wed, Mar 14, 2012 at 3:17 PM, Jäkel, Guidog.jae...@dnb.de  wrote:
 Dear Fajar,

 i just googled  http://www.makelinux.net/man/7/P/power-status-changed  . 
 There's written:

         This event is not handled in the default Upstart configuration.


 For control-alt-delete, the corresponding sentence states:

         In the default Upstart configuration handling of this event is 
 provided by the /etc/init/control-alt-delete.conf task which runs the 
 shutdown(8) tool.


 This sounds to me like in the current version of upstart the suggested 
 patches to add a SIGPWR handler are included and there's just a script 
 missing. I don't have a Ubuntu available; maybe a simple  
 power-status-changed.conf  will already do all the magic???

 Good catch :D

 $ cat power-status-changed.conf
 start on power-status-changed

 task
 exec shutdown -h now Power Down


 That, plus an lxc-ps and kill -PWR from the host, was able to shutdown
 the guest cleanly with minimal change to the guest.


 Thanks guys, this is great.  I don't know if we can swing this this
 cycle (it's possible) but an upstart package with your job added is at
 https://code.launchpad.net/~serge-hallyn/ubuntu/precise/upstart/upstart-handle-sigpwr


Did you also have a chance to modify /etc/init/lxc.conf?

A good shutdown script would probably go something like this:
- list all containers to autoshutdown.
The existing one looks at /etc/lxc/auto/*, but IMHO it might be better
to just list ALL running containers using lxc-ls, since they're going
to be dead anyway when the host is stopped.
- get PID of init process in containers to shutdown. A combination of
lxc-ls, grep, and/or awk would probably work. If the pid can't
be determined, shutdown the container immediately using lxc-stop
- send SIGPWR to all init PIDs in previous step
- create a wait loop for a maximum of ... 30 seconds (?) which
basically check whether all the process with PIDs above still exist or
not. If it STILL exists at the end of the wait time, we assume the
container can't be shutdown cleanly.
- force-shutdown containers whose init PID hasn't disappeared yet using lxc-stop.

The maximum wait time is debatable, but IMHO 30 seconds should be a
good start. Or perhaps we need to put it in /etc/default/lxc?

-- 
Fajar
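
The stop sequence outlined in the message above, written out as an added example (not code from the thread, from /etc/init/lxc.conf, or from the lxc project). Assumptions: the caller supplies "NAME INIT_PID" lines on stdin (how the PIDs are looked up is left open, as in the message), the function names are hypothetical, and the forced stop is the `lxc-stop -n NAME` named in the thread.

```shell
#!/bin/sh
# Added example: SIGPWR to every container init, one shared wait loop,
# then a forced stop for whatever is still running.

# Forced stop for one container; $2 carries the init PID (may be empty)
# for callers that override this function.
force_stop() { lxc-stop -n "$1"; }

# True while PID is a live process. Signal 0 only probes for existence;
# a zombie (exited, not yet reaped by its parent) counts as gone.
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    state=$(sed 's/^.*) \(.\).*/\1/' "/proc/$1/stat" 2>/dev/null)
    [ "$state" != "Z" ]
}

# force_and_report NAME PID LABEL: forced stop plus one result line.
force_and_report() {
    if force_stop "$1" "$2" </dev/null; then
        echo "$1 $3"
    else
        echo "$1 force-failed"
    fi
}

# stop_all TIMEOUT_SECONDS   (stdin: one "NAME INIT_PID" per line)
# Prints "NAME clean", "NAME forced", "NAME forced-immediately" or
# "NAME force-failed" for each container. Names are assumed to contain
# no whitespace.
stop_all() {
    timeout=$1
    pending=""                       # "name:pid" entries still shutting down
    while read -r name pid; do
        [ -n "$name" ] || continue
        case $pid in ''|*[!0-9]*) pid="" ;; esac    # unusable PID
        if [ -n "$pid" ] && kill -PWR "$pid" 2>/dev/null; then
            pending="$pending $name:$pid"
        else
            # PID unknown or signal not deliverable: stop right away
            force_and_report "$name" "$pid" forced-immediately
        fi
    done

    waited=0
    while [ -n "$pending" ] && [ "$waited" -lt "$timeout" ]; do
        sleep 1
        waited=$((waited + 1))
        still=""
        for entry in $pending; do
            if alive "${entry##*:}"; then
                still="$still $entry"
            else
                echo "${entry%:*} clean"
            fi
        done
        pending=$still
    done

    # Anything left did not react to SIGPWR within the timeout.
    for entry in $pending; do
        force_and_report "${entry%:*}" "${entry##*:}" forced
    done
    return 0
}

# Usage: printf '%s\n' "web 4242" "db -" | stop_all 30
```

A guest only reacts to SIGPWR if its init handles the signal, for example through the power-status-changed.conf job shown earlier in the thread; guests without it end up in the forced path after the full timeout.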



Re: [Lxc-users] CPU cgroup starts by itself

2012-03-15 Thread Fajar A. Nugraha
On Thu, Mar 15, 2012 at 7:44 PM, Goran Cetusic goran.cetu...@gmail.com wrote:
 I have problems with starting containers in Linux Mint Debian Edition
 because /dev/cgroup/cpu is mounted by itself.

 lxc-start: cgroup is not mounted
 lxc-start: failed to setup the cgroups for 'imunes'
 lxc-start: failed to setup the container
 lxc-start: invalid sequence number 1. expected 2
 lxc-start: failed to spawn 'imunes'

 I realize it's not mounted because I didn't mount...because I can't!
 I believe this generates the following error when trying to mount cgroups

 $ mount none -t cgroup /cgroup
 mount: none already mounted or /cgroup busy

 It's not in fstab so I have no idea what is mounting it.
 Any suggestions on

 A) How to solve the current mount problem?
 B) What is mounting the cgroup?

Not sure about mint (I don't use it), but Ubuntu has /lib/init/fstab:

# /lib/init/fstab: static file system information.
#
# These are the filesystems that are always mounted on boot, you can
# override any of these by copying the appropriate line from this file into
# /etc/fstab and tweaking it as you see fit.  See fstab(5).

While in ubuntu it does NOT mount cgroup, mint might use something like that.

Also, in ubuntu there's /etc/init/cgconfig.conf, which IS responsible
for mounting cgroup. In my experience it doesn't work very well. Or
rather, it STARTS very well, but once I add cpuset to
/etc/cgconfig.conf, it won't stop cleanly. So I override it with my
own mount/umount commands. A similar upstart/service/inittab might do
the same on mint.

-- 
Fajar



Re: [Lxc-users] CPU cgroup starts by itself

2012-03-15 Thread Fajar A. Nugraha
On Thu, Mar 15, 2012 at 10:18 PM, Goran Cetusic goran.cetu...@gmail.com wrote:
 Found the culprit in...wait for it...rc.local!
 Also, there are commands in /etc/bash.bashrc that reference the mounted
 folders so an error pops up whenever you open bash:

 /etc/bash.bashrc:   mkdir -p -m 0700 /dev/cgroup/cpu/user/$$ > /dev/null 2>&1
 /etc/bash.bashrc:   echo $$ > /dev/cgroup/cpu/user/$$/tasks
 /etc/bash.bashrc:   echo 1 > /dev/cgroup/cpu/user/$$/notify_on_release

 /etc/rc.local:   mkdir -p /dev/cgroup/cpu
 /etc/rc.local:   mount -t cgroup cgroup /dev/cgroup/cpu -o cpu
 /etc/rc.local:   mkdir -m 0777 /dev/cgroup/cpu/user
 /etc/rc.local:   echo /usr/local/sbin/cgroup_clean > /dev/cgroup/cpu/release_agent

 This is really strange, any ideas why only the cpu group is mounted and in
 such an unorthodox way?

It looks like some settings to make each task more responsive:
http://en.gentoo-wiki.com/wiki/Improve_responsiveness_with_cgroups

You should be able to move the one in rc.local to somewhere standard
(perhaps using /etc/init/cgconfig.conf, or whatever your system uses)
that also mounts other cgroups subsystem.

-- 
Fajar



Re: [Lxc-users] lxc-execute can not access to network

2012-03-15 Thread Fajar A. Nugraha
On Fri, Mar 16, 2012 at 9:58 AM, Sam Wang zhefw...@gmail.com wrote:
 First,I add a bridge in my computer,and the bridge IP is 10.0.2.15

How?

 lxc.network.link=br0

Is this the correct bridge?

 lxc.network.ipv4=10.0.2.16/24

Not sure about this one. Personally I just run a dhcp server on the
host (e.g. dnsmasq) and let the guest use dhcp.


 finally,I use lxc-execute to ping 10.0.2.2 which is the gateway of my
 computer,using lxc-execute -n nettest ping 10.0.2.2.but it does not work
 where am I wrong?please help me

Have you enabled the necessary firewall rules, if any?

Also, lxc-execute might not work (e.g. it's possible the guest has not
configured its network device yet). I'd run lxc-start first, and test
networking from there. At least that way you can be sure whether the
problem is in the bridge, lxc networking, or lxc-execute.

-- 
Fajar



Re: [Lxc-users] container shutdown

2012-03-18 Thread Fajar A. Nugraha
On Mon, Mar 19, 2012 at 7:05 AM, Daniel Lezcano daniel.lezc...@free.fr wrote:
 On 03/19/2012 12:00 AM, Serge Hallyn wrote:

 Hi,

 Thanks to Jäkel's and Fajar's great ideas, we can now cleanly shut down
 a container by sending it SIGPWR.  I'm attaching two ways to do that.
 In-line is a patch which modifies lxc-stop to take optional -s and -t
 args - -s for shutdown (meaning send SIGPWR), and -t for a timeout,
 after sending SIGPWR, to hard-kill the container.


 That may make more sense to implement a lxc-reboot | lxc-shutdown script on
 top of lxc-kill.

 IMHO, I don't think adding a timeout is a good idea because the shutdown
 process may take more than the timeout to stop the services and the
 container could be killed while the services are doing some cleanup or flush
 or whatever. If this option is present, people will tend to use it instead
 of investigating if a service is stuck, or working, or flushing.
 I would recommend to let the shutdown script to handle the timeout by
 themselves.

IIRC xen's "xm shutdown" command does something like this, which can
be a starting design point:
- check whether the container can handle a clean shutdown, by checking
whether anything on the guest is listening on xenbus. If something is
listening, then it's assumed the guest has PV drivers that can do
clean shutdown.
- if yes, issue clean shutdown command. The shutdown command returns
immediately unless a -w is specified
- if no, then it does xm destroy (i.e. force kill)

The problem with lxc is that AFAIK there's nothing standard on the
guest that can tell the host "I can do clean shutdown, don't kill me!"
(the equivalent of xenbus listener check).

Personally I like the timeout (so that the guest container will be
shutdown in the end, no matter what). But then again the timeout can
be omitted from lxc-shutdown if:
- it's assumed the user knows what it's doing (i.e. they will manually
force-kill the guest if needed)
- if clean shutdown will be the default action, there will be
additional modification in init/upstart config that can force-kill
guests after a timeout.

-- 
Fajar



Re: [Lxc-users] can I use lxc-execute to execute an application with network configured

2012-03-19 Thread Fajar A. Nugraha
2012/3/19 Sam Wang zhefw...@gmail.com:

 My need is that I want to use lxc-execute to start an application container
 to execute an application which need a unique IP address.

Most applications can bind to a specific IP address only :)

 I have tried using bridge but the application can only communicate to my
 host, but can't ping to any other computer.
 can someone help me ?

Others might answer your question about lxc-execute better.

I will, however, suggest you try this since you only want a separate
network namespace:
http://lxc.sourceforge.net/index.php/about/kernel-namespaces/network/configuration/
(choose Method 2: Using ethernet bridges)

It's not exactly what you want (you still need to setup some stuff
manually), but if you're familiar with C it should be possible to
write something to automate the process.

-- 
Fajar



[Lxc-users] Ubuntu 12.04 - apparmor problem (WAS: Ubuntu 12.04 linux-container package and init modifications)

2012-03-20 Thread Fajar A. Nugraha
On Thu, Mar 8, 2012 at 1:16 AM, Stéphane Graber stgra...@ubuntu.com wrote:

 I hope this helped explain what we're doing in 12.04.
 I'm planning on a generic what's new in LXC for 12.04 blog post in
 the next few days, once we've turned apparmor back on and have
 somewhat secure containers again (hopefully later today).

 Again, please try an up to date Ubuntu 12.04 system and report any bug
 that you see, we're trying to closely look at LXC bugs and fix them as
 soon as possible.

Hi Stephane,

I just updated lxc on 12.04 to 0.7.5-3ubuntu40, which reenables
apparmor profile. My previously-working lxc containers now refused to
start.

$ sudo lxc-start -n precise
lxc-start: Permission denied - failed to mount 'proc' on
'/usr/lib/lxc/root//proc'
lxc-start: failed to setup the mounts for 'precise'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'precise'
lxc-start: Device or resource busy - failed to remove cgroup
'/sys/fs/cgroup/cpu//lxc/precise'

Disabling the profile (symlink ../usr.bin.lxc-start on
/etc/apparmor.d/disable, and force-reloading apparmor) made it work
again. Any ideas?

-- 
Fajar



Re: [Lxc-users] does lxc support controlling network io?

2012-03-20 Thread Fajar A. Nugraha
2012/3/20 陈竞 cj.mag...@gmail.com:
 lxc can support control block io, cpu and memory, can lxc  support
 controlling network io?

If by "control" you mean "throttle the bandwidth", then AFAIK no. As
in, no, cgroups (and thus lxc) can't throttle network I/O.

However since the most common implementation is using veth + bridge,
you should be able to implement traffic shaping using things like tc
(or with the help of frontend script wondershaper) on veth interface
in the host side (i.e. the one you set using lxc.network.veth.pair).

It's not perfect, but a good start.

-- 
Fajar
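
The tc-on-veth approach from the reply above, as an added example that is not part of the original post: it reads the host-side interface name from `lxc.network.veth.pair` and prints the tc commands instead of running them. The interface name `veth-web1`, the rates and the tbf/police parameters are assumptions; traffic toward the container leaves the host on the veth and can be shaped, while traffic from the container arrives on it and can only be policed.

```shell
#!/bin/sh
# Added example: print (do not run) tc commands that rate-limit one
# container on the host-side veth named by lxc.network.veth.pair.

# Print the active lxc.network.veth.pair value from a config on stdin.
veth_pair_from_config() {
    awk '
        /^[ \t]*#/ { next }                     # commented-out settings
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "lxc.network.veth.pair") found = val   # last one wins
        }
        END { if (found == "") exit 1; print found }
    '
}

# Accept only 1-15 character names made of characters that are safe to
# place on a command line (the value comes from a config file).
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Positive integer without leading zero.
valid_rate() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
}

# shape_cmds DEV DOWN_KBIT UP_KBIT
# DOWN = traffic toward the container: it leaves the host through DEV, so a
#        root tbf qdisc can queue and shape it.
# UP   = traffic from the container: it arrives on DEV, where an ingress
#        policer drops whatever exceeds the rate.
shape_cmds() {
    valid_ifname "$1" || { echo "bad interface name" >&2; return 2; }
    { valid_rate "$2" && valid_rate "$3"; } ||
        { echo "rates must be positive integers in kbit/s" >&2; return 2; }
    printf '%s\n' \
        "tc qdisc del dev $1 root 2>/dev/null || true" \
        "tc qdisc del dev $1 ingress 2>/dev/null || true" \
        "tc qdisc add dev $1 root tbf rate ${2}kbit burst 32kbit latency 400ms" \
        "tc qdisc add dev $1 handle ffff: ingress" \
        "tc filter add dev $1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${3}kbit burst 10k drop flowid :1"
}

# Constructed sample config (not taken from the thread).
sample_config() {
cat <<'EOF'
lxc.network.type = veth
lxc.network.link = br0
#lxc.network.veth.pair = veth-old
lxc.network.veth.pair = veth-web1
EOF
}

# 8000 kbit/s toward the container, 2000 kbit/s from it (assumed values).
demo() {
    dev=$(sample_config | veth_pair_from_config) || return 1
    shape_cmds "$dev" 8000 2000
}
demo
```

To apply the result, review the printed commands and pipe them to `sh` as root on the host.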



Re: [Lxc-users] Ubuntu 12.04 - apparmor problem (WAS: Ubuntu 12.04 linux-container package and init modifications)

2012-03-20 Thread Fajar A. Nugraha
On Tue, Mar 20, 2012 at 8:11 PM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Fajar A. Nugraha (l...@fajar.net):

 I just updated lxc on 12.04 to 0.7.5-3ubuntu40, which reenables
 apparmor profile. My previously-working lxc containers now refused to
 start.

 It's possible you're not on the latest kernel.  The mount restrictions
 stuff is new, and a few bugs needed to be shaken out.  In fact there
 may still be one or two, but last night I was definitely able (on an
 up-to-date cloud instance) to create containers with apparmor enabled.


Yup, turns out I was still on 3.2.0-18-generic. Updating to
3.2.0-19-generic fixed it. Thanks!

-- 
Fajar



Re: [Lxc-users] lxc-execute fails to exec lxc-init

2012-03-27 Thread Fajar A. Nugraha
On Tue, Mar 27, 2012 at 6:16 PM, Peter Gillard-Moss
pgill...@thoughtworks.com wrote:
 Hello,

 I wondered if you could help.

 I have installed lxc-init from the Ubuntu package repos for both Natty and
 Oneiric and both fail on lxc-execute with the same error.

 Versions used are 0.7.4-0ubuntu7.2 (Natty) and 0.7.5-0ubuntu8.5 (Oneiric)

 I wondered if you could help me understand what I am doing wrong?

 I start by creating a container:
    sudo lxc-create -n test -t natty -f /etc/lxc/lxc.conf

 I then run lxc-execute like so:
    sudo lxc-execute --name test 'echo Hello'
 And I get the following response:
    lxc-execute: No such file or directory - failed to exec
 /usr/lib/lxc/lxc-init
    lxc-execute: invalid sequence number 1. expected 2
    lxc-execute: failed to spawn 'test'

IMHO lxc-execute should come with a BIG warning "DON'T USE UNLESS YOU
REALLY KNOW WHAT YOU'RE DOING!" :P

Anyway, to answer your question, if you want to use lxc-execute, you
need to have lxc installed in the guest container as well. To be
accurate, you need /usr/lib/lxc/lxc-init inside the guest container.

lxc-create does NOT install lxc in guest container because it's not
needed for normal operation (e.g. lxc-start).

-- 
Fajar



Re: [Lxc-users] Multiple lxc containers with same IP/ethernet address

2012-03-29 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 2:30 AM, Arun M arunmahadevai...@gmail.com wrote:
 Hello,

 I have a set up where there are multiple short lived containers (sharing the
 same IP address) in a host.

Why? Don't do that.


 When a TCP connection is established from the container to an outside host
 (in a different network in the LAN), the connection establishment takes a
 long time (around 3 secs).

 I am suspecting that since multiple containers have different (generated)
 ethernet addresses, the initial reply contains the eth address of one of
 the previous containers that established connection. (some kind of arp
 caching). Is this possible?

exactly.


 Are there any work arounds for this?

Depends on what you need.

If you simply want some kind of load-balancing setup, try
http://www.linuxvirtualserver.org/
The documentation is somewhat old, but AFAIK the required kernel
support should be in the kernel already.


 One option I am considering is to specify a fixed hwaddr via the conf.

That is always necessary no matter which approach you take.


 Will multiple containers having same IP and ethernet address work?

No

 In that
 case how will the packets be routed to the correct container?

It won't.

 Will bridge
 device take care of this?

No.

-- 
Fajar



Re: [Lxc-users] problem starting a container

2012-04-17 Thread Fajar A. Nugraha
On Wed, Apr 18, 2012 at 2:43 AM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Daniel Stefaniuk (daniel.stefan...@gmail.com):

 Then the container seems to be up and running. However, if I try to login
 to that
 container using lxc-console I get only this message Type Ctrl+a q to
 exit the console.
 Any clues as to why this happens?

 Sounds like your container ttys are not set up right.

... for example because it's waiting for a trigger (e.g. loopback
network interface up), and since the trigger is not available in a
container, the console never got configured.

Let me guess, you're running some old linux distro (i.e. not ubuntu
12.04) and haven't set up the necessary workarounds for lxc. Is that
correct? If yes, see these links for examples of lxc-specific
modification needed in guest containers:

http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/5#Lxc-specific_modification
http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/6#Lxc-specific_modification
http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03301.html

-- 
Fajar



Re: [Lxc-users] problem starting a container

2012-04-19 Thread Fajar A. Nugraha
On Thu, Apr 19, 2012 at 7:36 PM, Daniel Stefaniuk
daniel.stefan...@gmail.com wrote:
 I use Ubuntu 10.04 LTS amd64 server (custom kernel 3.3.2) for the host and
 containers.

That would probably be one source of your problem :)

The upcoming ubuntu 12.04 pretty much works out-of-the-box as lxc host
and guest. Enough for me to justify using it on my laptop since its
beta days.

As for other guests, I wrote what I did on my wiki. Centos5 and 6
should be good examples of what customizations are needed for sysvinit and
upstart-based distros. I haven't been able to get systemd-based (e.g.
Fedora16) to work though.

 Sorry to say that, I came across a lot of scripts and manuals but none of
 them works out of the box for me (hard-coded paths!? or bits of code working
 only in customized environments).

Again, that's why I use ubuntu 12.04, even if it's not officially released yet.

 It is very difficult to get it working
 without a really good understanding what you're doing.

 Is there any plan to improve the documentation or perhaps create one?

I can't speak for the developers, but from my experience with other
software usually this is one of the cases where users like you can
contribute, and patches are welcome :P

-- 
Fajar



Re: [Lxc-users] dropped packets on bridged interface

2012-04-20 Thread Fajar A. Nugraha
On Fri, Apr 20, 2012 at 3:05 PM, Papp Tamas tom...@martos.bme.hu wrote:
 hi,

 There is this bug:

 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/986043

 Has anybody met it ever? Does anybody have an idea?

Not in my setup.

$ ifconfig br0
br0   Link encap:Ethernet  HWaddr e6:d8:67:1d:87:f5
  inet addr:192.168.124.1  Bcast:192.168.124.255  Mask:255.255.255.0
  inet6 addr: fe80::e4d8:67ff:fe1d:87f5/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:158504 errors:0 dropped:0 overruns:0 frame:0
  TX packets:181564 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:26966008 (26.9 MB)  TX bytes:98786371 (98.7 MB)

$ uname -a
Linux precise 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC
2012 x86_64 x86_64 x86_64 GNU/Linux

-- 
FAN


Re: [Lxc-users] Is there a Redhat template?

2012-04-25 Thread Fajar A. Nugraha
2012/4/25 Sam Wang zhefw...@gmail.com:
 In lxc templates directory,I've found lxc-ubuntu,lxc-fedora...but
 there is no Redhat template.
 who can tell me where can I find a Redhat template?
 thanks a lot.

I don't think there is one. Mainly because you can only download
software from RHN if you have a valid RH support contract, thus
downloading it from other OS is not an easy task.

See what I've written here to do it manually (the instructions also
apply to RHEL):
http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/5
http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/6

-- 
Fajar



Re: [Lxc-users] lxc-start via ssh

2012-04-27 Thread Fajar A. Nugraha
On Fri, Apr 27, 2012 at 5:31 PM, István Király - LaKing d...@yahoo.com wrote:
 Hi folks.

 I know lxc-start is sensitive from where it is called. Like for example, it 
 doesn't like to be called from mc's shell. ..

 I am trying to start a container via ssh. ..

 Somehow I managed to create a shell script that can start it, but for some 
 reason executing the command directly via ssh does not work.
 lxc-start -n fc14 -o /temp/fc14.log -s lxc.console=/temp/fc14.sys 
 lxc-start -n fc14 -o /temp/fc14.log -s lxc.console=/temp/fc14.sys  
 /temp/fc14.log 


 No error message when called via ssh it just doesn't work. From root shell
 these commands work.

Which distro is this? I suspect it's selinux problem or such.
lxc-start from root's ssh session works for me on Ubuntu 12.0.4.

Try disabling selinux first and see if it works.

-- 
Fajar



Re: [Lxc-users] lxc-start via ssh

2012-04-27 Thread Fajar A. Nugraha
On Fri, Apr 27, 2012 at 5:36 PM, Matthijs Kooijman matth...@stdin.nl wrote:
 Hi István,

 Somehow I managed to create a shell script that can start it, but for some 
 reason executing the command directly via ssh does not work.
 lxc-start -n fc14 -o /temp/fc14.log -s lxc.console=/temp/fc14.sys 
 lxc-start -n fc14 -o /temp/fc14.log -s lxc.console=/temp/fc14.sys  
 /temp/fc14.log 
 Not sure if this is the cause of the problem, but you should probably
 be using lxc-start -d instead of backgrounding it using your shell's
 & operator.

... or use screen :D
http://wiki.1tux.org/wiki/Lxc/Running#Starting_a_container_in_new_screen_session

It doesn't create a log file of the console output though. Perhaps
using script -f and playing with SHELL variable will work.

-- 
Fajar



Re: [Lxc-users] current status of LXC in Ubuntu precise? (WAS: Problem mounting Host directory in guest)

2012-05-07 Thread Fajar A. Nugraha
On Tue, May 8, 2012 at 12:28 PM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Fajar A. Nugraha (l...@fajar.net):

 Hi Serge,

 Quick confirmation: does this mean that currently the default ubuntu
 lxc combo (userland, kernel, apparmor, etc) in ubuntu precise is
 broken, but are being worked on/tested? The bug page still says fix
 committed, not released.

 Right, we're waiting on the next kernel upload.  I don't know when
 that will happen.

Thanks for the confirmation. I was partially confused since my
kernel version is 3.2.0-24-generic, newer than the one mentioned
in the bug, so I thought perhaps that particular bug was fixed
already.

 Also, a quick test on my setup (ubuntu precise amd64,
 linux-image-3.2.0-24-generic 3.2.0-24.37, lxc 0.7.5-3ubuntu53) shows
 freshly created container from templates (e.g. lxc-create -t ...,
 tested with sshd and ubuntu templates) will fail to start with the
 same error message that Xavier mentioned:

 lxc-start: No such file or directory - failed to change apparmor
 profile to lxc-container-default

 I don't get that problem.  Is your host a stock precise image?

yes.

# uname -r
3.2.0-24-generic

# apt-cache policy linux-image-3.2.0-24-generic
linux-image-3.2.0-24-generic:
  Installed: 3.2.0-24.37
  Candidate: 3.2.0-24.37
  Version table:
 *** 3.2.0-24.37 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main
amd64 Packages
100 /var/lib/dpkg/status


 Uncommenting this line in the config file (which is commented-out by
 default) make it work again:

 lxc.aa_profile = unconfined

 I'm not sure if the root cause is the same, as this is fresh
 containers, without any modifications.

 Can you add '-l DEBUG -o output' to the lxc-start arguments and
 email me the results?  I've made a few changes today to how the
 apparmor stuff works (which won't make their way through the SRU
 pipeline for a little over a week) but those *should* only affect
 lxc-execute.  On a stock precise image, I've had no trouble with
 lxc-start on freshly created containers...

compressed file attached. This container was created with lxc-create
-n host1 -t sshd.

-- 
Fajar


output.gz
Description: GNU Zip compressed data


Re: [Lxc-users] starting container requires re-login?

2012-05-09 Thread Fajar A. Nugraha
On Wed, May 9, 2012 at 4:26 PM, 张章 zhang_zh...@live.com wrote:
 hello

 i have configured the lxc with basic settings like this:
 lxc.ustname = lxc1
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.name = eth0
 lxc.network.ipv4 = 192.168.1.122/24
 lxc.rootfs = /lxc/rootfs
 lxc.mount = /lxc/fstab

 and the filesystem to be mount is fresh using
 debootstrap --arch amd64 lucid /lxc/rootfs http://archive.ubuntu.com/ubuntu
 After typing command: lxc-create and lxc-start, the host system requires me
 to re-login. Then I do it and try to connect the just launched container
 using ssh, but I get the following error:
 PTY allocation request failed on channel 0
 stdin:is not a tty
 could anyone offer some help? you are warmly welcome!
 Thanks a lot!

My guess is you somehow mixed up the host and container's tty.
Possibly due to incomplete container config file.

You didn't mention what your host is. If it's not ubuntu precise,
better upgrade.

As for the guest container, there are other modifications needed, so
ONLY using debootstrap is not enough. I suggest you create it using
lxc-create -n name_of_your_container -t ubuntu -- -r lucid instead,
or look at /usr/lib/lxc/templates/lxc-ubuntu to see what modifications
are needed.

-- 
Fajar



Re: [Lxc-users] starting container requires re-login?

2012-05-09 Thread Fajar A. Nugraha
On Thu, May 10, 2012 at 8:17 AM, 张章 zhang_zh...@live.com wrote:
 Many thanks

 I switch to Ubuntu 12.04 and use lxc-ubuntu to prepare my filesystem. Then I
 add the network part to config file like:

 lxc.utsname = amd64
 lxc.tty = 4
 lxc.pts = 1024

 lxc.rootfs = /lxc/rootfs
 lxc.mount  = /lxc/fstab
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.name = eth0
 lxc.network.ipv4 = 10.5.0.122/24

 lxc.cgroup.devices.deny = a
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
 # consoles
 lxc.cgroup.devices.allow = c 5:1 rwm
 lxc.cgroup.devices.allow = c 5:0 rwm
 #lxc.cgroup.devices.allow = c 4:0 rwm
 #lxc.cgroup.devices.allow = c 4:1 rwm
 # /dev/{,u}random
 lxc.cgroup.devices.allow = c 1:9 rwm
 lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
 lxc.cgroup.devices.allow = c 254:0 rwm
 #fuse
 lxc.cgroup.devices.allow = c 10:229 rwm

 And now container can start , but the network fails to be configured with
 the ip i assigned.
 After i login to container, and get the ip like inet addr:69.69.69.23 

 Do i miss something?

First of all, make sure you've configured br0 bridge properly.

Second, the ip address configured in lxc config file can be overridden
inside the container (e.g. when you have static ip in
/etc/network/interfaces), so I think that's what happened.

-- 
Fajar



Re: [Lxc-users] current status of LXC in Ubuntu precise? (WAS: Problem mounting Host directory in guest)

2012-05-10 Thread Fajar A. Nugraha
On Tue, May 8, 2012 at 12:40 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Tue, May 8, 2012 at 12:28 PM, Serge Hallyn
 serge.hal...@canonical.com wrote:


 Also, a quick test on my setup (ubuntu precise amd64,
 linux-image-3.2.0-24-generic 3.2.0-24.37, lxc 0.7.5-3ubuntu53) shows
 freshly created container from templates (e.g. lxc-create -t ...,
 tested with sshd and ubuntu templates) will fail to start with the
 same error message that Xavier mentioned:

 lxc-start: No such file or directory - failed to change apparmor
 profile to lxc-container-default

 I don't get that problem.  Is your host a stock precise image?

 yes.

I think I found the problem.

Depending on what you meant by stock precise image, then my host
might not be one, since it's not installed using the live cd
installer. It was created using debootstrap, and later apt-get
install ubuntu-desktop lxc.

The problem with that approach is:
- the default lxc guest container setup created using templates will
try to change apparmor profile to lxc-container-default. That
operation apparently requires apparmor package to be installed
- neither ubuntu-desktop, lxc, or the packages it depends on has any
dependency for apparmor. lxc only depends on libapparmor1, which
apparently is not enough
- using lxc.aa_profile = unconfined removes the need to change
apparmor profile, thus removes the need for apparmor package

So I'm guessing the correct fix would be to either:
- include apparmor as dependency for lxc, OR
- use lxc.aa_profile = unconfined uncommented by default for
template-created containers.

-- 
Fajar



Re: [Lxc-users] Current status of lxc on ubuntu lucid and red hat 6

2012-05-10 Thread Fajar A. Nugraha
On Fri, May 11, 2012 at 9:54 AM, 张章 zhang_zh...@live.com wrote:
 hello,all
 I have tried starting linux container(lxc 0.7.5) on lucid and red hat 6, but
 both failed (succeeded in ubuntu precise)

If a linux environment has recent-enough kernel and lxc userland
tools, it should work. So if you're willing to manually install both
(possibly compiling from source), it should work. If it doesn't work,
usually it's because either one or both components are too old.

That being said, I say don't bother. Seriously.

Just use something that's known to work for your host (e.g. precise),
and use whatever your application needs (lucid, rhel/centos6,
whatever) as guest container.

-- 
Fajar



Re: [Lxc-users] Network interface isolation

2012-05-14 Thread Fajar A. Nugraha
On Mon, May 14, 2012 at 11:48 PM, jeetu.gol...@gmail.com
jeetu.gol...@gmail.com wrote:

 Are there other similar instances where I should make specific mention
 in the config file in order to prevent accidental and inadvertent
 sharing of resources between host and container?

Try creating a container using templates. e.g:

lxc-create -n test1 -t busybox

then look at the resulting config file. It provides a good starting point.

-- 
Fajar



Re: [Lxc-users] Network interface isolation

2012-05-14 Thread Fajar A. Nugraha
On Tue, May 15, 2012 at 10:22 AM, jeetu.gol...@gmail.com
jeetu.gol...@gmail.com wrote:
 Hi Fajar,

 Thanks for your response.

 I used the debian template and the config file does not (as far as I
 can tell) have any network related stanzas. Unfortunately this default
 behaviour lead to the network stack being shared between the host and
 the container as pointed out by Matthijs.

In Ubuntu host at least, AFAIK using lxc templates will include
network configuration from /etc/lxc/lxc.conf, which includes these
lines

lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up


 Therefore, I was wondering if there are any other namespaces I should
 explicitly isolate so as to prevent them being inadvertently shared
 between host and container.

Again, the resulting config file provides a good starting point. On
ubuntu precise host, using ubuntu template denies ALL devices (which
should include host's eth) from the guest container except from ones
specifically allowed

#==
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
#full
lxc.cgroup.devices.allow = c 1:7 rwm
#hpet
lxc.cgroup.devices.allow = c 10:228 rwm
#kvm
lxc.cgroup.devices.allow = c 10:232 rwm
#==

-- 
Fajar
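
A way to check a container config for the isolation points raised in this thread and in the earlier apparmor messages, as an added example that is not part of the original posts or of the lxc tools: it flags a missing `lxc.network.type`, a missing `lxc.cgroup.devices.deny = a`, wildcard device rules that grant read or write, and `lxc.aa_profile = unconfined`. The function name, the finding labels and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an LXC config read from stdin for the settings the
# thread identifies as deciding what the container shares with the host.
# Prints one finding per line; exit status is 1 if anything was found.

audit_lxc_config() {
    awk '
        /^[ \t]*#/ { next }          # commented-out settings do not count
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "lxc.network.type" { have_net = 1 }
        key == "lxc.cgroup.devices.deny" && val == "a" { deny_all = 1 }
        key == "lxc.aa_profile" && val == "unconfined" {
            print "APPARMOR: line " NR ": container is not confined by an AppArmor profile"
            bad++
        }
        key == "lxc.cgroup.devices.allow" {
            # Rule format: <type> <major>:<minor> <access>, e.g. "c 1:3 rwm".
            # "c *:* m" (mknod only) is what the ubuntu template uses and is
            # not flagged; a wildcard major with r or w exposes every device.
            n = split(val, f, /[ \t]+/)
            if (val == "a" || (n == 3 && f[2] ~ /^\*:/ && f[3] ~ /[rw]/)) {
                print "DEVICES: line " NR ": wildcard rule grants read/write: " val
                bad++
            }
        }
        END {
            if (!have_net) {
                # Per the thread: with no network stanza the container
                # ended up sharing the network stack of the host.
                print "NETNS: no lxc.network.type, host network stack is shared"
                bad++
            }
            if (!deny_all) {
                print "DEVICES: no lxc.cgroup.devices.deny = a, device access is not restricted"
                bad++
            }
            exit (bad > 0)
        }
    '
}

# Constructed sample: hand-written config with the problems discussed.
sample_weak() {
cat <<'EOF'
lxc.utsname = test1
lxc.rootfs = /lxc/rootfs
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = c *:* rwm
EOF
}

# Constructed sample: shaped like the template output quoted in the thread.
sample_template_like() {
cat <<'EOF'
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
#lxc.aa_profile = unconfined
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 1:3 rwm
EOF
}

echo "== weak sample =="
sample_weak | audit_lxc_config || true
echo "== template-like sample =="
sample_template_like | audit_lxc_config && echo "no findings"
```

Run it against a real container with `audit_lxc_config < /path/to/config`; the non-zero exit status makes it usable as a pre-start check.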



Re: [Lxc-users] kernel.shmmax in LXC

2012-06-08 Thread Fajar A. Nugraha
On Fri, Jun 8, 2012 at 2:58 PM, Daniel Lezcano daniel.lezc...@free.fr wrote:
 On 06/07/2012 12:45 PM, Jan Den Ouden wrote:
 Hi,

 About a week ago I posted exactly the same question on this list, but I
 didn't get any responses. I have googled high and low for the answer to
 this, but no result. It's not related to capabilities, because you can only
 drop capabilities, not add them. It's not related to the cgroup memory
 controller, because that seems to deal with total memory, not shared
 memory. Therefore, I think it's a bug.

 I tried on a 3.0.0 kernel version and that works. Isn't possible this is
 related to app armor ?

Yep, that should be it, as testing with apparmor disabled the
following works on guest container in my test system

# cat /proc/sys/kernel/shmmax
33554432
# echo 335544320 > /proc/sys/kernel/shmmax
# cat /proc/sys/kernel/shmmax
335544320

However the apparmor problem might not seem obvious because there's no
apparmor warning on syslog when you try to set shmmax with apparmor
enabled. Also:
(1) If you ONLY uncomment lxc.aa_profile=unconfined (with apparmor
still enabled), lxc-start failed with
lxc-start: No such file or directory - failed to change apparmor
profile to unconfined
(2) If you ONLY add /etc/apparmor.d/usr.bin.lxc-start symlink to
/etc/apparmor.d/disable, you'd still get permission denied error
(3) If you ONLY disable apparmor entirely (/etc/init.d/apparmor
teardown), lxc-start failed with
lxc-start: No such file or directory - failed to change apparmor
profile to lxc-container-default
(4) Combining (1) and (2), or (1) and (3), you can set shmmax from
inside the guest container

so there's probably still a bug (or more) in ubuntu's apparmor-lxc combo.

-- 
Fajar



Re: [Lxc-users] kernel.shmmax in LXC

2012-06-09 Thread Fajar A. Nugraha
On Fri, Jun 8, 2012 at 8:47 PM, Stéphane Graber stgra...@ubuntu.com wrote:
 On 06/08/2012 04:27 AM, Fajar A. Nugraha wrote:
 On Fri, Jun 8, 2012 at 2:58 PM, Daniel Lezcano daniel.lezc...@free.fr 
 wrote:
 On 06/07/2012 12:45 PM, Jan Den Ouden wrote:
 Hi,

 About a week ago I posted exactly the same question on this list, but I
 didn't get any responses. I have googled high and low for the answer to
 this, but no result. It's not related to capabilities, because you can only
 drop capabilities, not add them. It's not related to the cgroup memory
 controller, because that seems to deal with total memory, not shared
 memory. Therefore, I think it's a bug.

 I tried on a 3.0.0 kernel version and that works. Isn't it possible this is
 related to AppArmor?

 Yep, that should be it, as testing with apparmor disabled the
 following works on guest container in my test system

 # cat /proc/sys/kernel/shmmax
 33554432
 # echo 335544320 > /proc/sys/kernel/shmmax
 # cat /proc/sys/kernel/shmmax
 335544320

 However the apparmor problem might not seem obvious because there's no
 apparmor warning on syslog when you try to set shmmax with apparmor
 enabled. Also:
 (1) If you ONLY uncomment lxc.aa_profile=unconfined (with apparmor
 still enabled), lxc-start failed with
 lxc-start: No such file or directory - failed to change apparmor
 profile to unconfined
 (2) If you ONLY add /etc/apparmor.d/usr.bin.lxc-start symlink to
 /etc/apparmor.d/disable, you'd still get permission denied error
 (3) If you ONLY disable apparmor entirely (/etc/init.d/apparmor
 teardown), lxc-start failed with
 lxc-start: No such file or directory - failed to change apparmor
 profile to lxc-container-default
 (4) Combining (1) and (2), or (1) and (3), you can set shmmax from
 inside the guest container

 so there's probably still a bug (or more) in ubuntu's apparmor-lxc combo.

 Please reboot your machine ;) the unconfined profile problem (giving you
 the No such file or directory) was a kernel bug and was fixed a couple
 of weeks ago, letting me think you're running an out of date kernel.

Probably. Although there's no "please restart to complete update"
warning on my desktop. It's not really urgent for me though, so I'll
just reboot later when possible.

Thanks for letting me know that this is a fixed issue.


 As for shmmax, it's simply not whitelisted at the moment as it wasn't in
 the list of known-safe container aware proc entries, we probably should
 whitelist it (after doing some extra checking).

BTW, I thought that all blockings done by selinux would show up on
syslog? Am I looking at the wrong place?

If there were a warning on syslog, the OP would've probably been able
to solve their problem by themselves earlier.

-- 
Fajar



Re: [Lxc-users] IPv4 container in a non-IPv4 main system ?

2012-06-09 Thread Fajar A. Nugraha
On Sat, Jun 9, 2012 at 7:39 PM, Sébastien Montagne
sebastien.monta...@gmail.com wrote:
 Hi dears,

 do you think it would be easy/hard/not possible
 to setup a container with an IPv4 address (optionally with an IPv6 address
 as well)
 in a IPv6-only (i.e. without an IPv4 address) main system ?

Should be easy.

The default containers created from templates use veth and bridged
networking. If setup correctly, that would mean the host (main system,
as you call it) behaves pretty much similar to an L2 switch. Which
means that there's no requirement that the host should be connected
(IP-wise) to the guest. They only need to be connected on ethernet
level.

-- 
Fajar



Re: [Lxc-users] LXC on ubuntu precise and dhclient/net config

2012-06-11 Thread Fajar A. Nugraha
Please keep cc to the list

On Sun, Jun 10, 2012 at 1:42 PM, Vasiliy Molostov molost...@gmail.com wrote:
 On Sun, Jun 10, 2012 at 3:24 AM, Vasiliy Molostov molost...@gmail.com
 wrote:

 It shouldn't be related to apparmor. It MIGHT be related to bridge
 forwarding delay though.
 You didn't say which bridge the container is connected to. I'd
 suggest connecting it to lxcbr0 first (should be created already by
 default).

 I have disabled lxcbr0 since br0 already exists and preconfigured.

 Also I have disabled dnsmasq since I have already dhcp server running config.

 my br0 settings:

 auto br0
 iface br0 inet static
        address                 192.168.0.2
        gateway                 192.168.0.1
        network                 192.168.0.0
        broadcast               192.168.0.255
        netmask                 255.255.255.0
        bridge_ports            all
        bridge_stp              on
        bridge_waitport         0 all
        bridge_fd               0
        bridge_maxwait          0

 do you refer to bridge_fd? should I set it to 5?

 If the problem isn't related to apparmor or lx*(allow,deny) rules - why I can
 not see login prompt from starting container?


IMHO you made too many changes at once.

Ubuntu precise will NOT display login prompt if it doesn't get any IP
address. At least not until five minutes or so (forgot the exact
time). You can work around that, but that's the default.

Start with small changes:
- use lxcbr0, with its dnsmasq (which should already be configured by
default). If it DOESN'T work, then you either changed something (e.g.
killed dnsmasq manually), or something is wrong with your container
creation process
- create your own bridge, but still use dnsmasq. You need to change
its command line accordingly (either see current dnsmasq command line,
or see my /etc/network/interfaces example). If that one DOESN'T work,
you know for sure the problem is in your bridge
- create your own bridge, and use your own dhcp server. If that one
DOESN'T work, you know for sure the problem is in your dhcp server.

-- 
Fajar



Re: [Lxc-users] IPv4 container in a non-IPv4 main system ?

2012-06-11 Thread Fajar A. Nugraha
On Tue, Jun 12, 2012 at 2:16 AM, Sébastien Montagne
sebastien.monta...@gmail.com wrote:
 Now trying to setup it correctly ;)
 Sorry for annoying you again, but I couldn't make it work...
 Maybe someone could help ?



 My problem :
 I can't ping my gateway 91.121.99.254 from my container 91.121.99.167.
 In host I try to tcpdump pings from container, but nothing interesting is
 listed.
 I tried to add a specific host route to host 91.121.99.254 in container. The
 command works, but still can't ping it.

 # ping 91.121.99.254
 PING 91.121.99.254 (91.121.99.254) 56(84) bytes of data.
 From 91.121.99.167 icmp_seq=1 Destination Host Unreachable
 From 91.121.99.167 icmp_seq=2 Destination Host Unreachable
 From 91.121.99.167 icmp_seq=3 Destination Host Unreachable

 # route add -host 91.121.99.254 eth0
 # ping 91.121.99.254
 PING 91.121.99.254 (91.121.99.254) 56(84) bytes of data.
 From 91.121.99.167 icmp_seq=1 Destination Host Unreachable
 From 91.121.99.167 icmp_seq=2 Destination Host Unreachable
 From 91.121.99.167 icmp_seq=3 Destination Host Unreachable




 Host configuration : cat /etc/network/interfaces
 auto lo
 iface lo inet loopback

 auto br0
 iface br0 inet6 static
   bridge_ports eth0
   bridge_fd 0
   address 2001:41d0:1:98a7::1
   netmask 64
   gateway 2001:41d0:1:98FF:FF:FF:FF:FF


 Container configuration : grep network config
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.name = eth0
 lxc.network.hwaddr = 00:1C:C0:17:8B:44
 lxc.network.ipv4 = 91.121.99.167/24


First of all, make sure the host's link actually works. The easiest
way is to put the guest's IPv4 address on host's eth0 (if without
bridge) or br0 (if the bridge is active).

Next, do:
- "brctl show" on the host
- "netstat -nr" on the guest
- "tcpdump -n -i eth0 host 91.121.99.254" on the guest and the host,
and "tcpdump -n -i br0 host 91.121.99.254" on the host, to see where
the packets start going missing.



-- 
Fajar



Re: [Lxc-users] IPv4 container in a non-IPv4 main system ?

2012-06-11 Thread Fajar A. Nugraha
On Tue, Jun 12, 2012 at 12:23 PM, Sébastien Montagne
sebastien.monta...@gmail.com wrote:

 It seems that ARP reply is not seen in guest's eth0...


Well, fix that :)


 Guest netstat -nr :

 # netstat -nr
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt
 Iface
 91.121.99.0     0.0.0.0         255.255.255.0   U         0 0          0
 eth0


 Running route add -host 91.121.99.254 eth0

You shouldn't need to execute that command. Ever.



 Running route del -net 91.121.99.0/24 gw 0.0.0.0 eth0

... and neither does that command. Ever.


 Guest tcpdump -n -i eth0 host 91.121.99.254 :
 # tcpdump -n -i eth0 host 91.121.99.254
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
 07:13:35.725768 ARP, Request who-has 91.121.99.254 tell 91.121.99.167,
 length 28
 07:13:36.741762 ARP, Request who-has 91.121.99.254 tell 91.121.99.167,
 length 28


 Host tcpdump -n -i br0 host 91.121.99.254 :
 # tcpdump -n -i br0 host 91.121.99.254
 tcpdump: WARNING: br0: no IPv4 address assigned
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
 07:15:09.221773 ARP, Request who-has 91.121.99.254 tell 91.121.99.167,
 length 28
 07:15:09.222176 ARP, Reply 91.121.99.254 is-at 00:00:0c:07:ac:01, length 46

Try tcpdump on your container's veth interface on host side (from your
example, it was vethZkMxv3). This can help isolate whether the problem
is in the host (e.g. host firewall) or veth pair (unlikely, but worth
trying). Also:

- disable firewall (e.g. iptables) in the host temporarily, if active
- try simple setup first, with IPv4 in both host and guest
- make sure the switch/router your server is connected to supports
multiple MAC on the same port

If you're using a hosted server, the last one might be the source of
the problem, as many providers don't allow that.

-- 
Fajar
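
The capture comparison suggested in this message, as an added example that is not part of the original thread: it reads "tcpdump -n" output taken at each hop and reports the first hop where the ARP request or the reply disappears. The guest eth0 and host br0 lines are the ones posted above (with line wrapping undone); the vethZkMxv3 capture is constructed, and the function names are hypothetical.

```python
import re

# ARP lines as printed by "tcpdump -n": a request names the wanted IP,
# a reply names the IP's owner and its MAC address.
ARP_RE = re.compile(
    r"ARP, (?:Request who-has (?P<target>\S+) tell (?P<asker>[^\s,]+)"
    r"|Reply (?P<owner>\S+) is-at (?P<mac>[0-9a-fA-F:]{17}))"
)

GATEWAY = "91.121.99.254"

# From the thread: capture inside the container.
GUEST_ETH0 = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:13:35.725768 ARP, Request who-has 91.121.99.254 tell 91.121.99.167, length 28
07:13:36.741762 ARP, Request who-has 91.121.99.254 tell 91.121.99.167, length 28
"""

# From the thread: capture on the host bridge.
HOST_BR0 = """\
listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:15:09.221773 ARP, Request who-has 91.121.99.254 tell 91.121.99.167, length 28
07:15:09.222176 ARP, Reply 91.121.99.254 is-at 00:00:0c:07:ac:01, length 46
"""

# Constructed: what a host-side veth capture looks like if the reply
# never leaves the bridge towards the container.
HOST_VETH_CONSTRUCTED = """\
listening on vethZkMxv3, link-type EN10MB (Ethernet), capture size 65535 bytes
07:16:02.101000 ARP, Request who-has 91.121.99.254 tell 91.121.99.167, length 28
"""


def arp_summary(capture_text, gateway):
    """Return (request_seen, reply_seen) for ARP traffic about `gateway`."""
    request_seen = reply_seen = False
    for line in capture_text.splitlines():
        match = ARP_RE.search(line)
        if match is None:
            continue  # tcpdump banner lines and non-ARP packets
        if match.group("target") == gateway:
            request_seen = True
        elif match.group("owner") == gateway:
            reply_seen = True
    return request_seen, reply_seen


def locate_loss(captures, gateway):
    """Find where ARP for `gateway` goes missing.

    `captures` is a list of (name, tcpdump_text) ordered from the guest
    outwards. Returns (direction, last_hop_seen, first_hop_missing), or
    None when both request and reply are visible at every hop.
    """
    summaries = [(name, *arp_summary(text, gateway)) for name, text in captures]

    # Requests travel guest -> network: walk outwards.
    previous = "guest network stack"
    for name, request_seen, _ in summaries:
        if not request_seen:
            return ("request", previous, name)
        previous = name

    # Replies travel network -> guest: walk inwards.
    previous = "upstream network"
    for name, _, reply_seen in reversed(summaries):
        if not reply_seen:
            return ("reply", previous, name)
        previous = name
    return None


if __name__ == "__main__":
    hops = [
        ("guest eth0", GUEST_ETH0),
        ("host vethZkMxv3", HOST_VETH_CONSTRUCTED),
        ("host br0", HOST_BR0),
    ]
    print(locate_loss(hops, GATEWAY))
```

With only the two captures from the thread the result is a loss of the reply somewhere between br0 and the guest's eth0; adding the veth capture narrows it to one side of the veth pair.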



Re: [Lxc-users] IPv4 container in a non-IPv4 main system ?

2012-06-12 Thread Fajar A. Nugraha
On Tue, Jun 12, 2012 at 12:59 PM, Sébastien Montagne
sebastien.monta...@gmail.com wrote:
 No firewall on my system.

Are you sure? :)
RHEL derivatives have iptables turned on by default, and the default
setup also filters bridged traffic.


 It is a hosted server ; I have only 1 available IPv4 address for now.


 - make sure the switch/router your server is connected to supports
 multiple MAC on the same port


 I think I use only *one* MAC address : the one my provider gave for my host.
 It is the same in

 Here is the information the provider gave :
 IP :   91.121.99.167
 IPv6 :   2001:41d0:1:98a7::/64
 MAC :   00:1C:C0:17:8B:44

If you already set up ipv6 in the host, I actually think it'd be easier
if you first try setting up the guest with ONLY ipv6 as well. If it
works, then you can rule out MAC, bridge, and veth problems. If it
DOESN'T work, then you need to go back to those three.

Also, what OS/distro do you use?

 Or, do you mean the host veth generated interface seems to have created one
 of its own ?

In bridged mode, the guest's MAC also travels to the switch. If your
provider only allows one MAC, or specifically maps your IP address to
your host's MAC, then you can't use bridge.

There are ways around this (e.g. with ebtables), but it's complicated.
It's easier if you try tcpdump on the veth interface, and try ipv6
only on both host and guest first.


 Do you think it would be possible to solve the problem with e.g. information
 in /etc/ethers ?

Nope.

-- 
Fajar



Re: [Lxc-users] kernel.shmmax in LXC

2012-06-14 Thread Fajar A. Nugraha
On Wed, Jun 13, 2012 at 6:46 PM, Jan Den Ouden jan...@denouden.info wrote:
 I can confirm that using (1) and (2) together solves the problem. Many
 thanks again for your help!

FWIW, linux-image-3.2.0-25-generic is released, and from my test you
now only need (1), like Stéphane mentioned earlier.

-- 
Fajar

 On Sat, Jun 9, 2012 at 6:56 PM, Stéphane Graber stgra...@ubuntu.com wrote:
 On 06/09/2012 06:38 AM, Fajar A. Nugraha wrote:

  However the apparmor problem might not seem obvious because there's no
  apparmor warning on syslog when you try to set shmmax with apparmor
  enabled. Also:
  (1) If you ONLY uncomment lxc.aa_profile=unconfined (with apparmor
  still enabled), lxc-start failed with
  lxc-start: No such file or directory - failed to change apparmor
  profile to unconfined
  (2) If you ONLY add /etc/apparmor.d/usr.bin.lxc-start symlink to
  /etc/apparmor.d/disable, you'd still get permission denied error


 Actually I was wrong, the fixed kernel hasn't been pushed to -updates
 yet, it's still in -proposed. So unconfined will be working whenever you
 get the next kernel update (should be released in a few days.)



Re: [Lxc-users] IPv4 container in a non-IPv4 main system ?

2012-06-14 Thread Fajar A. Nugraha
On Wed, Jun 13, 2012 at 2:00 PM, Fajar A. Nugraha l...@fajar.net wrote:

 I suggest you try ubuntu precise (with its kernel 2.6.32). Possibly on
 your workstation first (e.g. with virtualbox/kvm).

I meant kernel 3.2

-- 
Fajar



Re: [Lxc-users] containers always seem to lock the host's X session

2012-06-15 Thread Fajar A. Nugraha
On Fri, Jun 15, 2012 at 7:26 PM, John Maclean jaye...@gmail.com wrote:
 Hello all,

 I have built lxc from the git hub repo and have been able to create
 containers using the stock templates for fedora. However, whenever I
 start a container it always locks the host's X session.

 a - How can i diagnose this?
 b - How can i prevent this?

The easy way would be just to use ubuntu precise for your host. Seriously :)

The hard way: I think your guest is accessing your host's tty. You
can probably prevent that by something like this in your guest's
config file:

#==
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
#full
lxc.cgroup.devices.allow = c 1:7 rwm
#hpet
lxc.cgroup.devices.allow = c 10:228 rwm
#kvm
lxc.cgroup.devices.allow = c 10:232 rwm
#==

-- 
Fajar
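
How the whitelist above keeps the guest off the host's virtual consoles, as an added example that is not part of the original message: a small evaluator for lxc.cgroup.devices.* lines. It assumes the container starts from a parent cgroup that allows every device, models only "deny = a" followed by allow entries (the pattern used here), and requires one allow entry to cover the whole requested access. The function names and the probe list are hypothetical; the config is the one posted above.

```python
import re

# The device rules from the message above, embedded so this runs offline.
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
"""

RULE_RE = re.compile(
    r"^lxc\.cgroup\.devices\.(allow|deny)\s*=\s*"
    r"(a|[bc]\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3}))\s*$"
)

# Assumption: before any rule is applied, every device is reachable.
ALLOW_ALL = ("a", "*", "*", frozenset("rwm"))

# Hypothetical probe list: device name -> (type, major, minor).
PROBES = {
    "tty0": ("c", 4, 0),
    "tty1": ("c", 4, 1),
    "console": ("c", 5, 1),
    "ptmx": ("c", 5, 2),
    "null": ("c", 1, 3),
    "sda": ("b", 8, 0),
}


def parse_rules(config_text):
    """Apply the device rules in file order and return the resulting allow-list."""
    rules = [ALLOW_ALL]
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out rules grant nothing
        if not line.startswith("lxc.cgroup.devices."):
            continue  # unrelated config key
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        action, spec = match.group(1), match.group(2)
        if spec == "a":
            rules = [] if action == "deny" else [ALLOW_ALL]
        elif action == "deny":
            raise ValueError(f"line {lineno}: only 'deny = a' is modelled")
        else:
            rules.append(
                (spec[0], match.group(3), match.group(4), frozenset(match.group(5)))
            )
    return rules


def is_permitted(rules, dev_type, major, minor, access):
    """True if a single allow entry covers every requested access letter."""
    wanted = set(access)
    for rule_type, rule_major, rule_minor, rule_access in rules:
        if rule_type not in ("a", dev_type):
            continue
        if rule_major not in ("*", str(major)):
            continue
        if rule_minor not in ("*", str(minor)):
            continue
        if wanted <= rule_access:
            return True
    return False


def reachable(config_text, probes=PROBES, access="rw"):
    """Map each probed device name to whether the config lets the guest open it."""
    rules = parse_rules(config_text)
    return {name: is_permitted(rules, *dev, access) for name, dev in probes.items()}


if __name__ == "__main__":
    for name, allowed in reachable(SAMPLE_CONFIG).items():
        print(f"{name:8s} {'allowed' if allowed else 'denied'}")
```

The guest can still mknod a node for 4:0 or 4:1 (the "c *:* m" entry), but cannot open it for reading or writing; dropping the first "deny = a" line makes every probe come back allowed.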



Re: [Lxc-users] Maverick Template Issues with a Ubuntu Precise Host

2012-06-18 Thread Fajar A. Nugraha
On Tue, Jun 19, 2012 at 10:16 AM, Ken Elkabany k...@elkabany.com wrote:
 Hello,

 I have a Ubuntu Precise host, where I created a few test containers using
 the following commands:

 lxc-create -n env3 -t ubuntu -- -r precise
 lxc-create -n env4 -t ubuntu -- -r natty
 lxc-create -n env5 -t ubuntu -- -r maverick
 lxc-create -n env6 -t ubuntu -- -r lucid

 Every distribution besides Maverick works straight after installation with
 no additional configuration! This is a welcome change compared to when I
 first tried LXC a year or two ago, and nothing worked out of the box.

 Running lxc-start with the Maverick container results in the whole process
 becoming unresponsive:

I don't think maverick is supported anymore, so even if you found the
problem no fix will be made upstream.

However I'd start by looking whether lxcguest is installed in
maverick's container. If not, then look at the lucid's package, and
possibly copy the files manually.

-- 
Fajar



Re: [Lxc-users] linkedin

2012-06-19 Thread Fajar A. Nugraha
On Tue, Jun 19, 2012 at 8:43 PM, Papp Tamas tom...@martos.bme.hu wrote:
 On 06/19/2012 03:30 PM, Jonathan Carter (highvoltage) wrote:
 Hi Papp

 On 19/06/2012 08:52, Papp Tamas wrote:
 I created a group for LXC on linkedin. If I see well, there is no other
 group, like this.

 Is a project logo available?
 Should an invitation be sent to this list?
 It's never a good idea to send an invitation from a networking site to a
 mailing list. Rather post the URL to the group and people can instead
 visit it if they'd like to join.

 What is the difference?

The difference is, many people (like me), when getting an invitation to
linkedin, will simply delete it or mark it as spam. Cause there are just
too many people who send invitations to everyone in their address
book.

Sending the link, with a personal background message like you did, is
MUCH more polite.

-- 
Fajar



Re: [Lxc-users] Authoritative CentOS 6.2 template?

2012-06-25 Thread Fajar A. Nugraha
On Mon, Jun 25, 2012 at 11:41 PM, Johannes Graumann
johannes_graum...@web.de wrote:
 Hello,

 Is there an authoritative lxc-template repository somewhere

Authoritative? Not that I know of

 and/or does a
 template for the latest incarnation of CentOS exist?

You can easily make one yourself:
http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/6

-- 
Fajar



Re: [Lxc-users] LXC and openvpn Tun/Tap

2012-07-02 Thread Fajar A. Nugraha
On Mon, Jul 2, 2012 at 4:50 PM, zorg z...@probesys.com wrote:

 Hello
 I seem that it is possible to use openvpn in a container
 But can't make it work
 I try this

 DEV=${CONTAINER_ROOT}/dev
 mkdir ${DEV}/net
 mknod -m 666 c 10 200 ${DEV}/net/tun

 But I get this error
 mknod: invalid device type `10'

Did you try man mknod?

SYNOPSIS
   mknod [OPTION]... NAME TYPE [MAJOR MINOR]

-- 
Fajar



Re: [Lxc-users] new containers doesn't start well after fresh creation.

2012-07-03 Thread Fajar A. Nugraha
On Tue, Jul 3, 2012 at 7:13 PM, Stefan Schlesinger s...@ono.at wrote:
 Hello,

 yesterday we did some testing of LXC on wheezy as well and got the
 same results.
 Seems like the necessary device nodes aren't created (/dev/tty*)
 and /etc/inittab needs to be modified.

 Example:

 c1:2345:respawn:/sbin/getty 38400 tty1 linux

I wonder how that can happen. For example, both Ubuntu's lxc-debian
and lxc's git source have this already, so the problem you're
experiencing shouldn't happen if the template is up to date.
#=
configure_debian()
{
    rootfs=$1
    hostname=$2

    # squeeze only has /dev/tty and /dev/tty0 by default,
    # therefore creating missing device nodes for tty1-4.
    for tty in $(seq 1 4); do
        if [ ! -e $rootfs/dev/tty$tty ]; then
            mknod $rootfs/dev/tty$tty c 4 $tty
        fi
    done

    # configure the inittab
    cat <<EOF > $rootfs/etc/inittab
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin
1:2345:respawn:/sbin/getty 38400 console
c1:12345:respawn:/sbin/getty 38400 tty1 linux
c2:12345:respawn:/sbin/getty 38400 tty2 linux
c3:12345:respawn:/sbin/getty 38400 tty3 linux
c4:12345:respawn:/sbin/getty 38400 tty4 linux
EOF
#=

-- 
Fajar



Re: [Lxc-users] container hostname not visible to host, ubuntu 12.04

2012-07-06 Thread Fajar A. Nugraha
On Fri, Jul 6, 2012 at 5:50 PM, Li, Zeyang a.bankn...@gmail.com wrote:
 I remember reading post that says that in order to run lxc-execute, I
 have to have lxc installed on the client.

Do you use lxc-execute, or lxc-start? There's a BIG difference.

You don't need lxc on the guest for lxc-start to work. In fact, you
shouldn't. Or at least you need to turn off the bridge lxcbr0 manually
on the guest.

If you use lxc-execute, then you shouldn't get lxcbr0 at all on the guest side.

-- 
Fajar

--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users


Re: [Lxc-users] Remedy for centos base installation failing operations on /sys?

2012-07-19 Thread Fajar A. Nugraha
On Thu, Jul 19, 2012 at 2:03 PM, Johannes Graumann
johannes_graum...@web.de wrote:
 Hi,

 The filesystem package is part of a centos base installation and is
 uninstallable in an lxc container (see pasted output below) due to lacking
 access rights to /sys ... I'm not sure that this is even crucial, as the
 container seems to work just fine, but downstream installations fail and I
 want to exclude that it may be traceable to this ...

 So: how may this be circumventable? Should I be posting this on a centos
 list?

What is your host? If it's ubuntu, most likely selinux plays a part
here. You can disable it in container config file.

Also, how do you create your container? If you use templates, yum
--installroot, or similar, then the package should already be
installed.

-- 
Fajar



Re: [Lxc-users] Remedy for centos base installation failing operations on /sys?

2012-07-19 Thread Fajar A. Nugraha
On Fri, Jul 20, 2012 at 2:27 AM, Johannes Graumann
johannes_graum...@web.de wrote:
 Also, how do you create your container? If you use templates, yum
 --installroot, or similar, then the package should already be
 installed.
 I modified the debian-supplied fedora template (and posted it to this list:
 http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03761.html) ...

That might explain it. The script installs "yum initscripts passwd
rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils". You
might want to add "basesystem" there (which should install
"filesystem" as a dependency).

What I usually do is "yum --installroot=/t groupinstall base" plus
"yum --installroot=/t install dhclient"

Anyway, an easy workaround is to stop your container and "yum
--installroot=/var/lib/lxc/... filesystem" from the host.

-- 
Fajar



Re: [Lxc-users] Remedy for centos base installation failing operations on /sys?

2012-07-23 Thread Fajar A. Nugraha
On Mon, Jul 23, 2012 at 3:40 PM, Johannes Graumann
johannes_graum...@web.de wrote:
 Thanks for your hints ... I have investigated this some more and the problem
 is that filesystem actually gets installed via the host, but once the
 guest is running it is missing the yum data base on what is installed and
 what not, so any installation afterwards that has the dependency
 filesystem is reinstalling it (among many other things).

Not on my setup. I can remove filesystem just fine and still have a
working system. This is RHEL6 btw.

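================================================================================
 Package        Arch    Version          Repository                                                Size
================================================================================
Removing:
 filesystem     x86_64  2.4.30-3.el6     @updates                                                  0.0
Removing for dependencies:
 basesystem     noarch  10.0-4.el6       @anaconda-RedHatEnterpriseLinux-201009221801.x86_64/6.0   0.0
 dracut         noarch  004-256.el6_2.1  @updates                                                  232 k
 dracut-kernel  noarch  004-256.el6_2.1  @updates                                                  202
 kexec-tools    x86_64  2.0.0-209.el6    @updates                                                  655 k

Transaction Summary
================================================================================
Remove        5 Package(s)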

Well, working for a container anyway, as a native system needs
dracut for initramfs.


 Is it possible to
 transplant the yum state information to the guest - rsyncing the
 corresponding /var/cache directory to the guest does not seem to do the
 trick ...

Usually it's simply a matter of removing /var/lib/rpm/__db*, which
should be recreated automatically next time you run rpm/yum. It's the
same case during some OS upgrades.

-- 
Fajar



Re: [Lxc-users] Remedy for centos base installation failing operations on /sys?

2012-07-23 Thread Fajar A. Nugraha
On Mon, Jul 23, 2012 at 6:15 PM, Johannes Graumann
johannes_graum...@web.de wrote:
 On the container /var/lib/rpm is now empty

That is not right. It might be the source of your problem. Try

yum --installroot=/some/path/of/your/choice groupinstall base

... and verify whether /var/lib/rpm under that path has some files (it
should). Just to check whether the problem is in your template, or in
your version of yum.

-- 
Fajar



Re: [Lxc-users] Remedy for centos base installation failing operations on /sys?

2012-07-23 Thread Fajar A. Nugraha
On Tue, Jul 24, 2012 at 4:20 AM, Fajar A. Nugraha l...@fajar.net wrote:
 On Mon, Jul 23, 2012 at 6:15 PM, Johannes Graumann
 johannes_graum...@web.de wrote:
 On the container /var/lib/rpm is now empty

 That is not right. It might be the source of your problem. Try

 yum --installroot=/some/path/of/your/choice groupinstall base

 ... and verify whether /var/lib/rpm under that path has some files (it
 should). Just to check whether the problem is in your template, or in
 your version of yum.

I think I know what happens.

Debian/Ubuntu's version of yum stores rpm database in /root/.rpm (when
run as root). RHEL/Centos expects the db to be on /var/lib/rpm. Thus
the problem.

You can simply (in chroot or container) move all content in /root/.rpm
to /var/lib/rpm, and then run rpm --rebuilddb.

Strangely enough, even though your install process installs
filesystem as a dependency, yum won't complain much if you can run
yum erase filesystem inside the chroot environment :P. Not
recommended though.

-- 
Fajar



Re: [Lxc-users] lxc headeache on debian wheezy

2012-07-29 Thread Fajar A. Nugraha
On Mon, Jul 30, 2012 at 2:52 AM, Daniel Baumann
daniel.baum...@progress-technologies.net wrote:
 I cannot believe that lxc is that immature. I may surely be missing a lot of 
 things, or is the Debian packaging of lxc such a pity?

 you are using debian testing, it's not called testing without purpose.
 if you're not prepared to deal with temporary glitches, use debian stable.

... or latest Ubuntu LTS, which is recent-enough and stable-enough for lxc.

-- 
Fajar



Re: [Lxc-users] lxc clone onto the host

2012-07-29 Thread Fajar A. Nugraha
On Mon, Jul 30, 2012 at 9:59 AM, calerius D'Souza caler...@gmail.com wrote:
 I have a service that is running inside container perfectly. I had deployed
 it using node.js package manager (npm). Now I wanted to run the service on
 the host itself instead of the container due to some disk space issues I am
 running into.

Why don't you simply add disk space to the container?


 Is there a way like lxc-clone that clones the container to the host itself,
 instead of cloning to another container.

It wouldn't make sense, since cloning would overwrite everything. It's
like asking can I format my currently running root filesystem?

-- 
Fajar



Re: [Lxc-users] LXC no connectivity after first boot of the guest

2012-08-10 Thread Fajar A. Nugraha
On Fri, Aug 10, 2012 at 9:13 PM, Klemens Rauch
klemens.ra...@rolmail.net wrote:
   as it looks now, wheezy will not get live-debconfig due to
   bureaucratic
   unwillingness of some debian people, i tried, but nothing i can do
   further about that i'm afraid. so, wheezy will as it looks like not
   be a host system nor container system for/with lxc :(

 which brings me to the point that there is nothing I can do, right? xD

At this point I'd recommend you try ubuntu 12.04 as your host. I've
tested that at least it can install debian guest, boot, and reboot the
guest while still maintaining connectivity (haven't tried other
functionality, sorry).

-- 
Fajar



Re: [Lxc-users] LXC questions

2012-08-13 Thread Fajar A. Nugraha
On Mon, Aug 13, 2012 at 3:17 PM, Xia Li x...@suse.com wrote:
 Hi,

 I'm a beginner with LXC and I have two questions about LXC. I hope someone 
 can help...

 1. If all LXC containers are running inside the host system's Kernel and not 
 with a different Kernel?


Yes.


 I am now use LXC to do some tests and I hope the LXC containers have 
 different kernel. I want to
 know that are there any solutions can isolate the kernel and how to do ?

If you want that, don't use lxc. Use xen/kvm/virtualbox/whatever


 2. If all LXC containers can share storage through iscsi?  And what do I need 
 to do?

uh ... probably yes. What do you want to achieve?

An easier way to get shared storage with lxc is to just mount the
storage as a directory on the host, and share it to the containers.

-- 
Fajar



[Lxc-users] lxc-ubuntu: leftover cached package files

2012-08-16 Thread Fajar A. Nugraha
Creating a container with lxc-create -t ubuntu on ubuntu 12.04 amd64
currently results in over 300MB root filesystem.  However, almost
100MBs of it are cached package files (/var/cache/apt/archives/*).
Running apt-get clean freed it.

Is there a particular reason to keep the package files after container creation?

-- 
Fajar



Re: [Lxc-users] lxc-ubuntu: leftover cached package files

2012-08-16 Thread Fajar A. Nugraha
On Thu, Aug 16, 2012 at 8:57 PM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Fajar A. Nugraha (l...@fajar.net):
 Creating a container with lxc-create -t ubuntu on ubuntu 12.04 amd64
 currently results in over 300MB root filesystem.  However, almost
 100MBs of it are cached package files (/var/cache/apt/archives/*).
 Running apt-get clean freed it.

 Is there a particular reason to keep the package files after container 
 creation?

 Hm.  Well I personally actually do end up using those often - I create a
 container; quickly build a new version of a package; do a test;  re-install
 from /var/cache/apt/archives to do another test;  etc.

 But that's not to say mine shouldn't be a special case, with the default
 being to save space.

Yup. Special cases like that can be catered using a private proxy or
something similar.

 Do you mind opening a bug against the ubuntu package
 for that?  (http://pad.lv/u/lxc)  I've got another small template fix to
 push anyway.  (I'll post the patch to lxc-devel when done.)

 Thanks for the suggestion.

Done.

FWIW, for those interested in having the smallest ubuntu container, my
test result is:
- original lxc-ubuntu: 386M disk space used
- apt-get clean: reduced to 242M
- install and use localepurge, keeping en and en_US only: reduced to 233M
- change debootstrap command to include --variant=minbase while
adding iputils-ping,isc-dhcp-client,sudo to list of packages,
followed the above three: reduced to 216M

IMHO space reduction from the last two doesn't warrant the additional
hassle, so the bug report only suggests running apt-get clean like
my original mail.

Using a backstore with gzip compression (e.g. btrfs, zfs) also
provides good space saving.

-- 
Fajar



Re: [Lxc-users] lxc template for RHEL?

2012-08-23 Thread Fajar A. Nugraha
On Fri, Aug 24, 2012 at 7:00 AM, Dan Kegel d...@kegel.com wrote:
 Hi folks,
 has anyone written a  /usr/lib/lxc/templates/lxc-rhel yet?

AFAIK no. But see :
- http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03761.html
and http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03848.html
- http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/6


 Would it be reasonable to base one on rinse, as lxc-ubuntu is based on
 debootstrap?

IMHO yum --installroot is enough.

-- 
Fajar



Re: [Lxc-users] LXC in production environment

2012-08-24 Thread Fajar A. Nugraha
On Fri, Aug 24, 2012 at 6:12 PM, István Király - LaKing d...@yahoo.com wrote:
 Hello users, and mainly developers, ..

 My question is, how reliable, how stable is LXC in a production environment?

 .. how far is LXC from being released as stable 1.0?


As a user, I'd say lxc is usable for either:
- dev purposes
- production environment, where you control all the containers, and
using it for programs that work, and basically using lxc for resource
cap and network isolation purposes

Note that while most programs will work as-is on a container, some
might not work at all (e.g. those that load and use their own custom
kernel module), while some need special treatment (e.g. oracle db and
others that use large shared memory might need apparmor and friends
turned off, which results in the container being capable of doing
dangerous things to the host).

I would not use lxc for shared vps setup (like openvz) at this moment
due to some unsolved security issues.

 .. what OS is recommended for a stable environment with LXC?

I'd say latest Ubuntu stable. It works fine as-is, and uses apparmor
to work around some lxc security issues.

 .. what kernel version is recommended?

Generally whatever version that comes with the distro that supports lxc.

Do NOT force yourself to use lxc with an ancient distro (e.g.
RHEL/centos6, or debian stable). Instead, if you have a program that
only works on those distros, use newer distro for the host, while
running the stable distro as guest container.

-- 
Fajar



Re: [Lxc-users] High SLAB

2012-08-24 Thread Fajar A. Nugraha
On Fri, Aug 24, 2012 at 6:37 PM, China ch...@email.it wrote:
 Often, after some hours, the containers occupy a lot of SLAB cache (over
 100~200MB), specially dentry and ext3_inode_cache.

Try this: http://www.linuxinsight.com/proc_sys_vm_vfs_cache_pressure.html

I set mine at 1000 for a system with lots of files ( 1M) and
relatively small memory (2GB). Not an lxc system though.

-- 
Fajar



Re: [Lxc-users] LXC in production environment

2012-08-24 Thread Fajar A. Nugraha
On Fri, Aug 24, 2012 at 8:27 PM, István Király - LaKing d...@yahoo.com wrote:
 I would rather like to have a virtual-server farm or better said lxc 
 container-farm, as soon as possible. ..

If you control all the VPS in the farm, lxc might be usable.
Otherwise, openvz might be a better choice. And who knows, later
versions of openvz might use lxc at its core.


 http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/
 .. felt that something is not right with PHP, and this post nailed it to the 
 point. I realized PHP is, .. how to say gently, not right for me .. ( + I use 
 weird scripting techniques if the language allows)

Hey, for me, if it works, use it :)

 Should LXC be used directly,

You could.

 or is there an API like libvirt necessary / handy in setting up networking 
 for example?

IIRC libvirt only has limited lxc support. Definitely no GUI
(virt-manager) support (yet).

Try http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03736.html

 Got also hacked once or twice (via PHP) and I really want a stable isolated 
 environment,

Well, php now has php-fpm. IIRC you can have multiple application
pools (e.g. one for each user), each can run in a chroot environment,
with unique user for each pool.

 I don't really see a major difference between Ubuntu and Fedora, ..
 however if you say that Ubuntu is probably more stable or secure, I may 
 switch to
 it.

Try it :)

Sometimes all it takes is some kernel boot command line to have ubuntu
boot on very new hardware. Also note that latest stable is now at
12.04.1, so there might be some changes (e.g. drivers) compared to
12.04 that allows it to work on your hardware now.

 I want to put together the right tool set, the right software environment 
 now, so I can create a container farm, with two or more physical servers, and 
 a nice GUI that I can present even for normal users.

If your users only use php, php-fpm might be less painful.

If you don't trust your users, better stick with known working
solutions (e.g. openvz, xen, whatever). You might find better
frontends for them (even when some frontends are commercial ones)

-- 
Fajar



Re: [Lxc-users] lxc template for RHEL?

2012-08-24 Thread Fajar A. Nugraha
On Sat, Aug 25, 2012 at 4:26 AM, Dan Kegel d...@kegel.com wrote:
 lxc-start: failed to rename vethMR2TXx-eth0 : File exists

What does your config file look like?
It looks like you're telling lxc to label the container's network
device in the HOST (lxc.network.veth.pair) as eth0. Which (obviously)
won't work, since the host already has an eth0.

-- 
Fajar



Re: [Lxc-users] lxc template for RHEL?

2012-08-24 Thread Fajar A. Nugraha
On Sat, Aug 25, 2012 at 8:48 AM, Dan Kegel d...@kegel.com wrote:
 On Fri, Aug 24, 2012 at 6:23 PM, Fajar A. Nugraha l...@fajar.net wrote:
 On Sat, Aug 25, 2012 at 4:26 AM, Dan Kegel d...@kegel.com wrote:
 lxc-start: failed to rename vethMR2TXx-eth0 : File exists

 What does your config file look like?
 It looks like you're telling lxc to label the container's network
 device in the HOST (lxc.network.veth.pair) as eth0. Which (obviously)
 won't work, since the host already has an eth0.

 I'm not using any specific config file.
 /etc/lxc/lxc.conf contains

 lxc.network.type=veth
 lxc.network.link=lxcbr0
 lxc.network.flags=up

 and I don't see any reference to eth0 there.
 Aren't the default templates supposed to work with the default config file?

It should. Which is why I thought you edited the config file. Try:
- adding lxc.network.veth.pair=test-e0
- run ip link show on the host, and for every interface that starts
with a veth, do ip link del on that interface. That is, assuming
you don't currently have any containers or anything that uses veth
running.
- try the second link, which creates the rootfs and config file by hand
instead of using a script.

-- 
Fajar



Re: [Lxc-users] lxc template for RHEL?

2012-08-25 Thread Fajar A. Nugraha
On Sat, Aug 25, 2012 at 9:22 AM, Dan Kegel d...@kegel.com wrote:
 On Fri, Aug 24, 2012 at 7:00 PM, Fajar A. Nugraha l...@fajar.net wrote:
 Aren't the default templates supposed to work with the default config file?

 It should. Which is why I thought you edited the config file. Try:
 - adding lxc.network.veth.pair=test-e0

 No change.

I think I figured out what's wrong. Short version is upstream template
(even the fedora one) needs modification. At least it does on Ubuntu
:)


 - try the second link, which creates the rootfs and config file by hand
 instead of using a script.

 Well, foo.  I need to end up with a debugged script,

Had you tried creating it manually, you'd have a working centos
container AND understand more deeply how it works.
In case you haven't figured it out already, I wrote that wiki page :)

 and I was hoping
 that since lxc-create -t centos had worked for someone recently
 (and lxc-create -t fedora works for me now), success wouldn't be far off.

Not sure how Johannes got his template working and what his
environment is, but I've written mine. See
https://github.com/fajarnugraha/lxc/blob/centos-template/templates/lxc-centos.in

Tested on Ubuntu 12.04 host to install centos guest container (centos
6 only for now). Based on lxc-fedora, it mostly automates the manual
process on my wiki page, plus rpmdb fix to allow it to work on
non-centos host.

If you're not familiar with github, raw button downloads that file
only, while history button shows changes to that file.

-- 
Fajar



Re: [Lxc-users] lxc template for RHEL?

2012-08-25 Thread Fajar A. Nugraha
On Sun, Aug 26, 2012 at 3:06 AM, Dan Kegel d...@kegel.com wrote:
 Trying the same thing with your centos template:
cd /usr/lib/lxc/templates/
wget https://raw.github.com/fajarnugraha/lxc/centos-template/templates/lxc-centos.in
mv lxc-centos.in lxc-centos
lxc-create -t centos -n democ6
lxc-start -n democ6
 resulted in a session without working network.

What host are you using?

An ubuntu host will automatically add a networking section like this,
which works

lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up

The default networking config section from lxc-fedora (upstream
version), when used in Ubuntu host would add an additional interface
in the container (because it's basically a separate, additional
networking section) and will result in failed to rename
vethXX-eth0 : File exists error, so I commented it out. Which is
why I'm surprised if you say lxc-fedora works for you, because its
default networking section should be the same (i.e. should also cause
eth0: File exists error).

 According to ifconfig inside the Centos session, eth0
 didn't have an ip address.   I dimly recall that the network
 doesn't start by default on Centos desktops, so I did
   /etc/init.d/network start
 inside the centos session.  That at least got eth0 an ip address,

Weird. I tested it on my ubuntu host, and guest container networking
is up automatically.

Try replacing your container config networking section (lxc.network.*)
with the ones from your working ubuntu container, or the one I pasted
earlier (i.e. you should NOT have any line that says lxc.network.name
= eth0, only those three lines above for lxc.network.*).

 but dns still wasn't working.  And it looks like part of the machinery
 is missing:
 # ls -l /etc/resolv.conf
 lrwxrwxrwx 1 root root 29 Mar 12 12:45 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
 Adding a real file there made dns work, and I was able to do simple 
 networking.

This one is partly my fault.

Once a template is used, the resulting rootfs is cached on
/var/lib/lxc, and in the case of centos/fedora, it will be updated
(yum update) every time you use it to install new containers with that
template. Doing yum --installroot for update is bad, since the
host's yum version may do bad stuff (e.g. uses incompatible rpmdb
version), so I changed it to chroot ... yum. However for that to
work, I need a working resolv.conf inside the rootfs, so I simply do a
cp -a from the host's resolv.conf, which works for me because I
uninstalled resolvconf. In your case it resulted in a non-working
resolv.conf :)

Since you already have a working /etc/resolv.conf (i.e. NOT a symlink)
inside the container, can you try rebooting the container? If it works
(i.e. got networking on boot), I can push a simple fix (which
basically would just change cp -a to just cp).

-- 
Fajar
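
The "cp -a" versus "cp" difference described in the message above, as an added example (not part of the original post or of the lxc-centos template). It builds a throwaway tree in which the host's etc/resolv.conf is a resolvconf-style relative symlink and reports what each kind of copy leaves in the rootfs; the directory layout, the nameserver address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo tree: a fake "host" whose etc/resolv.conf is a relative
# symlink (the resolvconf layout quoted in the thread) and an empty "rootfs".
make_demo_tree() (
    base=$(mktemp -d) || exit 1
    mkdir -p "$base/host/etc" "$base/host/run/resolvconf" "$base/rootfs/etc"
    printf 'nameserver 192.0.2.53\n' > "$base/host/run/resolvconf/resolv.conf"
    ln -s ../run/resolvconf/resolv.conf "$base/host/etc/resolv.conf"
    printf '%s\n' "$base"
)

# classify PATH: print "file", "symlink", "dangling-symlink" or "missing".
classify() {
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then echo symlink; else echo dangling-symlink; fi
    elif [ -f "$1" ]; then
        echo file
    else
        echo missing
    fi
}

# cp -a copies the symlink itself. Its relative target is then looked up
# under the rootfs, where run/resolvconf/ does not exist.
copy_preserving_links() (
    base=$1
    rm -f "$base/rootfs/etc/resolv.conf"
    cp -a "$base/host/etc/resolv.conf" "$base/rootfs/etc/resolv.conf"
    classify "$base/rootfs/etc/resolv.conf"
)

# Plain cp follows the symlink and copies the resolver file's contents.
copy_following_links() (
    base=$1
    rm -f "$base/rootfs/etc/resolv.conf"
    cp "$base/host/etc/resolv.conf" "$base/rootfs/etc/resolv.conf"
    classify "$base/rootfs/etc/resolv.conf"
)

# Check a template could run before chrooting: resolv.conf in the rootfs
# must be a regular file with at least one nameserver line.
resolv_conf_usable() {
    [ -f "$1/etc/resolv.conf" ] && [ ! -L "$1/etc/resolv.conf" ] &&
        grep -q '^nameserver ' "$1/etc/resolv.conf"
}

demo=$(make_demo_tree)
echo "cp -a leaves: $(copy_preserving_links "$demo")"
echo "cp    leaves: $(copy_following_links "$demo")"
rm -rf "$demo"
```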



Re: [Lxc-users] lxc template for RHEL?

2012-08-25 Thread Fajar A. Nugraha
On Sun, Aug 26, 2012 at 11:09 AM, Dan Kegel d...@kegel.com wrote:
 The default networking config section from lxc-fedora (upstream
 version), when used in Ubuntu host would add an additional interface
 in the container (because it's basically a separate, additional
 networking section) and will result in failed to rename
 vethXX-eth0 : File exists error, so I commented it out. Which is
 why I'm surprised if you say lxc-fedora works for you, because its
 default networking section should be the same (i.e. should also cause
 eth0: File exists error).

 Works here.  The resulting concatenated config file for fedora is

 lxc.network.type=veth
 lxc.network.link=lxcbr0
 lxc.network.flags=up

That's because you use ubuntu's version of lxc-fedora. The upstream
version would've caused an error.

 Since you already have a working /etc/resolv.conf (i.e. NOT a symlink)
 inside the container, can you try rebooting the container? If it works
 (i.e. got networking on boot), I can push a simple fix (which
 basically would just change cp -a to just cp).

 It does seem to have networking on boot now, so I think you're on to
 something there.

Please re-download lxc-centos.in and try again. You need to remove the
cache first (rm -rf /var/cache/lxc/centos/x86_64/6/rootfs) so that it
will be recreated.

... or if you just want new containers to work, just replace
/etc/resolv.conf in /var/cache/lxc/centos/x86_64/6/rootfs with a
working version.

-- 
Fajar



Re: [Lxc-users] lxc-net.conf on ubuntu

2012-09-02 Thread Fajar A. Nugraha
On Sun, Sep 2, 2012 at 4:56 PM, groupie stopmakingse...@gmx.de wrote:
 Hi list!

 I just came over the fact that the iptables config set in the lxc-net
 upstart job does also rewrite connections between hosts on the bridge. I
 added a rule before the masquerade to prevent this and make sure, that
 hosts on the same net bound to the bridge can talk without rewriting.

 iptables -A POSTROUTING -s ${LXC_NETWORK} -d ${LXC_NETWORK} -t nat -j ACCEPT

 Is that something that should be added in general? Dunno, maybe some
 people want rewriting here?

When you create new wireless network on ubuntu host (e.g. for sharing
the wired connection), network-manager would setup a nat like this:

Sep  2 17:37:18 DELL NetworkManager[2118]: info Executing:
/sbin/iptables --table nat --insert POSTROUTING --source
10.42.0.0/255.255.255.0 ! --destination 10.42.0.0/255.255.255.0 --jump
MASQUERADE

IMHO it should also be applicable for lxc: only setup MASQ nat if the
packet is going to external network. Following the same principle, the
rule on lxc-net.conf should probably be something like

iptables -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -t nat
-j MASQUERADE

-- 
Fajar



Re: [Lxc-users] Using VMware as a test-bed for hosting lxc containers.

2012-09-06 Thread Fajar A. Nugraha
On Fri, Sep 7, 2012 at 11:29 AM, Peter-Frank Spierenburg
spier...@hotmail.com wrote:
 Anyway, I am having trouble convincing the lxc guests to talk to the network
 outside the box hosting the vm hosting the container.

If you use latest ubuntu it'll work out of the box.

 I've also got iptables configured to do the masquerading for the br0 device:

I usually just let lxc or libvirt create lxcbr0/virbr0, with the
necessary rules. Much simpler that way.


 Finally, one of the lxc containers:

 eth0  Link encap:Ethernet  HWaddr 00:16:3e:38:88:bb
   inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0


 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0


And you're wondering why it DOESN'T work? Seriously?
Hint: check the ip address on eth0 and the gateway.

-- 
Fajar



Re: [Lxc-users] Piping output of lxc-monitor to a file without buffering

2012-09-07 Thread Fajar A. Nugraha
On Fri, Sep 7, 2012 at 7:46 AM, Ken Elkabany k...@elkabany.com wrote:
 Hi,

 The following outputs container state changes to the terminal as expected:

 $ lxc-monitor -n container-1

 However, the following outputs the same state changes to a file only after a
 certain buffer size has been reached:

 $ lxc-monitor -n container-1 > output

 This is problematic because it means that live monitoring cannot be done by
 a separate program. The buffering delays messages, potentially indefinitely.

 Is there a way around this?

(optional: start a screen session)
$ script -f /path/to/your-logfile.txt
$ lxc-monitor -n container-1

... and on other terminal
$ tail -f /path/to/your-logfile.txt

-- 
Fajar



Re: [Lxc-users] Problem ssh-ing into lxc container under Ubuntu 12.04

2012-09-14 Thread Fajar A. Nugraha
On Fri, Sep 14, 2012 at 9:27 PM, Peter-Frank Spierenburg
spier...@hotmail.com wrote:
 Greetings,

 Whenever I try to ssh into an lxc container on Ubuntu 12.04, I get:

 ssh_exchange_identification: Connection closed by remote host

 using lxc-console to access the container, and checking the
 /var/log/auth.log file:

 Sep 14 14:13:47 dnsmasq sshd[174]: fatal: Missing privilege separation
 directory: /var/run/sshd

 Fair enough. If I use lxc-console to create /var/run/sshd manually,
 everything is fine. I restart the ssh server and can then ssh in without
 problem...

 However, my goal is to build containers automatically using python scripts,
 so navigating the username/password login is too difficult.

 Does anyone have any suggestions as to how I can create the /var/run/sshd
 directory inside an lxc container automatically?

How did you create the container? The default ubuntu template on
ubuntu 12.04 should've done the right thing. At least it did last
time I checked.

However if you're asking how do I create a directory inside a
container when I have access to the host, then just do so under the
container's rootfs. By default it's on
/var/lib/lxc/CONTAINER_NAME/rootfs. No need to login into the
container.

-- 
Fajar



Re: [Lxc-users] problem in start lxc container

2012-09-19 Thread Fajar A. Nugraha
On Thu, Sep 20, 2012 at 10:02 AM, Binknight zheng_hua...@163.com wrote:
 hi all,

 After searching for a while, I found there are many different
 introductions to install lxc container, but do not find a step by step
 tutorial that works for general purpose.

At this moment using Ubuntu 12.04 would probably be easier. It just works.

https://help.ubuntu.com/12.04/serverguide/lxc.html

... or see simplified instructions on my wiki:
http://wiki.1tux.org/wiki/Lxc/Installation


 I have a host running fedora 16, and I want to install a lxc container
 that I can run some apps in it. The reason i need such a container is that
 1) I will limit the resource usage of these apps, and 2) the apps' running
 environment is different
  with the host's.


Those are good reasons to use lxc. However AFAIK you can't (yet?) have
a container which uses systemd, so even when you can use F16 as host,
you can't use it as guest container.

 I tried the following steps: 1) install libcgroup, 2) install lxc, both
 the two are downloaded from sf.net.

 By run the lxc-fedora under the lxc's templates
 directory(/usr/local/lib/lxc/templates), it seems that the container is
 installed successfully. It says:
 container is configured for lxc.network.type=veth and
 lxc.network.link=virbr0 (which is default if you have libvirt runnig)   

 then i checked the libvirt by : service --status-all

 libvirtd.service - LSB: daemon for libvirt virtualization API
   Loaded: loaded (/etc/rc.d/init.d/libvirtd)
   Active: active (running) since Thu, 20 Sep 2012 10:18:20 +0800;
 23min ago
 but when i try to start my container by lxc-start -n test1 -f
 test1/conf,it logout my host. After i login again, all is the same as before
 start container. So i am confused about how i can start my container or is
 there something i have skipped in the install process?

I'm not sure about F16. I'm guessing the problem is that your
container accesses the same tty as the host.

Again, I recommend using ubuntu for the host. You can then have fedora
(up to f14), rhel/centos, ubuntu, and other
sysvinit-or-upstart-based-OS as guest.

-- 
Fajar



Re: [Lxc-users] problem in start lxc container

2012-09-21 Thread Fajar A. Nugraha
On Fri, Sep 21, 2012 at 9:16 PM, Binknight zheng_hua...@163.com wrote:

 many thanks,

 I edit the container's /etc/rc.d/rc.sysinit and add :
  route add default gw 192.168.122.1 # address of virbr0
  echo  /etc/resolv.conf nameserver 10.2.0.41 #name server the same as
 that in HOST's /etc/resolv.conf
 then i can ping google successfully .

libvirt SHOULD create the bridge as well as start dnsmasq, which
functions as DHCP and dns. So if you had to do that manually you
either:
- don't use dhcp on the guest, or
- your libvirt installation is broken

-- 
Fajar



Re: [Lxc-users] lxc macvlan bridge problem

2012-09-24 Thread Fajar A. Nugraha
Why not just use veth + bridge, which is the default (at least the
default on Ubuntu)?

-- 
Fajar

On Mon, Sep 24, 2012 at 1:48 PM, 宣铭艺 xuanmin...@gmail.com wrote:
 Hi guys
 I have a host machine and want to create 3 containers on it.
 Containers should be able to ping each other, but can't communicate with the host.
 All containers should surf the Internet.
 Should I use macvlan bridge mode? And how to set the host's and containers'
 network environment

 the goal below


 My Host:
 eth0 192.168.1.23 gateway 192.168.1.1  It connects to the Internet

 lxcbr0?? bridge? need it?

 Containers:
 c1:  192.168.2.45 ? how to configure
 c2:  192.168.2.46 ? how to configure
 c3:  192.168.2.47 ? how to configure




Re: [Lxc-users] lxc macvlan bridge problem

2012-09-26 Thread Fajar A. Nugraha
Please keep to/cc to the list

On Tue, Sep 25, 2012 at 2:42 PM, 宣铭艺 xuanmin...@gmail.com wrote:
 hi guys

 I use veth mode now
 container-left and container-right can ping each other

 left ip is 10.0.0.2
 right ip is 10.0.0.3


Did you use a static IP?

 host:
 br0 10.0.2.15

Did you know that if you use netmask /24, 10.0.0.x and 10.0.2.x are on
different networks?


 eth0 0.0.0.0

 and how to configure containers let container ping www.google.com?

short version: if you don't know much about networking or bridge,
better use the default lxcbr0 or virbr0 (whichever you have on your
system) and use DHCP on the guest container.

-- 
Fajar





 2012/9/24 Fajar A. Nugraha l...@fajar.net

 Why not just use veth + bridge, which is the default (at least the
 default on Ubuntu)?

 --
 Fajar

 On Mon, Sep 24, 2012 at 1:48 PM, 宣铭艺 xuanmin...@gmail.com wrote:
  Hi guys
  I have a host machine and want to create 3 containers on it.
  Containers should be able to ping each other, but can't communicate with the
  host.
  All containers should surf the Internet.
  Should I use macvlan bridge mode? And how to set the host's and
  containers'
  network environment
 
  the goal below
 
 
  My Host:
  eth0 192.168.1.23 gateway 192.168.1.1  It connects to the Internet
 
  lxcbr0?? bridge? need it?
 
  Containers:
  c1:  192.168.2.45 ? how to configure
  c2:  192.168.2.46 ? how to configure
  c3:  192.168.2.47 ? how to configure
 




 --
 樱宝宝: http://www.xuanmingyi.com




Re: [Lxc-users] lxc macvlan bridge problem

2012-09-26 Thread Fajar A. Nugraha
On Wed, Sep 26, 2012 at 7:59 PM, 宣铭艺 xuanmin...@gmail.com wrote:
 yes I used static ip.
 I set the static ip 10.0.0.2 in the config file.
 It can't ping www.google.com

Read my previous response about "don't know much about networking or bridge".


 Today
 I don't set the static ip?Will that use dhcp?

Depends on how you create and configure the container.

If you use templates, and your host environment and lxc installation
is sane-enough, and you don't configure any networking settings
inside the container, then yes, it will use DHCP.

 Now It can ping each other and ping www.google.com

 In containers:
 Then I traceroute the packages
 I find a gateway.I think it's a dhcp and router

That's how dhcp works.

-- 
Fajar



Re: [Lxc-users] problem in start lxc container

2012-10-08 Thread Fajar A. Nugraha
On Mon, Oct 8, 2012 at 11:04 AM, Binknight zheng_hua...@163.com wrote:
 I want to setup nginx service on the container, so the container should be
 visible to other hosts as well as the HOST it lives. The HOST machine's ip
 is 10.2.132.110.

 so is it possible to setup an ip for container that's visible to other hosts
 by configuring libvirt?

Yes, set up a bridge on your physical interface. It will be just like
any other host on your network. Note that it only works for wired
interfaces though, not for wireless.

My wiki has examples for several types of bridge for Debian/Ubuntu,
but for F16 you can try Googling "fedora bridge howto".

-- 
Fajar



Re: [Lxc-users] Template for Oracle Linux 6.3

2012-10-20 Thread Fajar A. Nugraha
On Sat, Oct 20, 2012 at 8:12 PM, C. L. Martinez carlopm...@gmail.com wrote:
 Hi all,

  Somebody knows where can I found an Oracle Linux 6.3 template to use
 with a OL6.3 host using UEK2 kernel??

Short answer: No

 Or can I re-use OL5 template??

... and No.

Long answer:
See this thread:
http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03936.html

You SHOULD be able to customize my centos template for OL (untested).
Start with the line that says [base], and change it to OL's public
yum repository.

PS:
(1) it doesn't matter (in lxc template context) whether you use RH's
kernel or UEK2. The container doesn't really need a kernel package
installed (and in most cases, it doesn't care which kernel is
installed, cause it's only used to resolve dependency). What matters
is what kernel you use on the host.

(2) UEK2 is pretty old (3.0+?). If your focus is lxc, you might have
better luck using kernel-ml (http://elrepo.org/tiki/kernel-ml)

-- 
Fajar



Re: [Lxc-users] Problems starting OL6.3 lxc container

2012-10-21 Thread Fajar A. Nugraha
On Sun, Oct 21, 2012 at 3:42 PM, C. L. Martinez carlopm...@gmail.com wrote:
 Hi all,

   I have set up my first OL6 container but it doesn't start.

How?

   lxc-start 1350808610.466 WARN lxc_conf - rootfs specified
 but no console found at '/usr/lib64/lxc/rootfs/dev/console'

Does /usr/lib64/lxc/rootfs/dev/console exist?
I highly suggest you try my centos template first. It definitely
creates that file.

If it works for you, modify it for OL.

 Somebody knows where can it be the problem??

Bad container setup? Missing necessary files?

-- 
Fajar



Re: [Lxc-users] Problems starting OL6.3 lxc container

2012-10-21 Thread Fajar A. Nugraha
On Sun, Oct 21, 2012 at 3:46 PM, Fajar A. Nugraha l...@fajar.net wrote:
   lxc-start 1350808610.466 WARN lxc_conf - rootfs specified
 but no console found at '/usr/lib64/lxc/rootfs/dev/console'

 Does /usr/lib64/lxc/rootfs/dev/console exist?

Sorry. It should be: does /dev/console exist under your container rootfs?

Also, you might not need this line:
lxc.console = /vmdata/ol6vmserver/dev/console

In fact, I'd say remove it, and see if it solves your problem.

-- 
Fajar



Re: [Lxc-users] Problems starting OL6.3 lxc container

2012-10-21 Thread Fajar A. Nugraha
On Sun, Oct 21, 2012 at 4:14 PM, C. L. Martinez carlopm...@gmail.com wrote:
 On Sun, Oct 21, 2012 at 8:51 AM, Fajar A. Nugraha l...@fajar.net wrote:
 On Sun, Oct 21, 2012 at 3:46 PM, Fajar A. Nugraha l...@fajar.net wrote:
   lxc-start 1350808610.466 WARN lxc_conf - rootfs specified
 but no console found at '/usr/lib64/lxc/rootfs/dev/console'

 Does /usr/lib64/lxc/rootfs/dev/console exist?

 Sorry. It should be: does /dev/console exist under your container rootfs?

 Also, you might not need this line:
 lxc.console = /vmdata/ol6vmserver/dev/console

 In fact, I'd say remove it, and see if it solves your problem.

 --

 No, problem continues ... I have used this template to create my lxc 
 container:

In that I says use the unmodified config file first. For example, it
says lxc.devttydir = lxc (which you commented out).

If you HAVE used the default config file created by the template, but
it still doesn't work, you should probably contact the template
creator directly (it's on top of the template file) and ask them how
to use the template.

-- 
Fajar



Re: [Lxc-users] Problems starting OL6.3 lxc container

2012-10-21 Thread Fajar A. Nugraha
On Sun, Oct 21, 2012 at 4:23 PM, C. L. Martinez carlopm...@gmail.com wrote:
 On Sun, Oct 21, 2012 at 9:20 AM, Fajar A. Nugraha l...@fajar.net wrote:
 --

 No, problem continues ... I have used this template to create my lxc 
 container:

 In that I says use the unmodified config file first. For example, it
 says lxc.devttydir = lxc (which you commented out).

 If you HAVE used the default config file created by the template, but
 it still doesn't work, you should probably contact the template
 creator directly (it's on top of the template file) and ask them how
 to use the template.

 --
 Fajar

 Yes, I have commented out because when I launch lxc-start, returns me
 this error:

  lxc-start 1350810587.498 ERRORlxc_confile - unknow key lxc.devttydir
   lxc-start 1350810587.498 ERRORlxc_start_ui - failed to read
 configuration file

Looks like an old version problem. Did you know that the staging git
repo on github is newer than released lxc version? I wouldn't be
surprised if you need to recompile lxc -- using sources from that repo
--- to get the template to work.

Personally I just use Ubuntu as the host :) It already supports
devttydir configuration item.

-- 
Fajar



Re: [Lxc-users] Problems starting OL6.3 lxc container

2012-10-21 Thread Fajar A. Nugraha
On Sun, Oct 21, 2012 at 4:41 PM, C. L. Martinez carlopm...@gmail.com wrote:
 If you HAVE used the default config file created by the template, but
 it still doesn't work, you should probably contact the template
 creator directly (it's on top of the template file) and ask them how
 to use the template.

 --

 Thanks Fajar, I will try to use centos6 instead of OL6 ... Are these
 your instructions??

 http://wiki.1tux.org/wiki/Centos6/Installation/Minimal_installation_using_yum
 http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/6

Yes, those are the manual way of creating them.

You can also try the centos template from the link I sent earlier,
rename it as lxc-centos, chmod 755, and put it on your templates
directory (usually /usr/lib/lxc/templates). Tested on Ubuntu host,
should work for other hosts as well.

-- 
Fajar



Re: [Lxc-users] ssh'ing in the container ( ioctl operation not permitted /dev/tty failed - no such device or address )

2012-10-22 Thread Fajar A. Nugraha
On Mon, Oct 22, 2012 at 5:11 PM, swair shah swairs...@gmail.com wrote:
 I have a container running centos 6, on a host system also running centos 6.
 I have allocated a different subnet for containers and I'm able to ping the
 container.

 Now when I try to ssh into the container from another console, it prompts me
 for password. This is the log on the host system.

 Oct 22 14:00:25 localhost sshd[264]: Accepted password for root from
 192.168.0.2 port 38355 ssh2
 Oct 22 14:00:25 localhost sshd[264]: pam_unix(sshd:session): session opened
 for user root by (uid=0)
 Oct 22 14:00:25 localhost sshd[266]: error: ioctl(TIOCSCTTY): Operation not
 permitted
 Oct 22 14:00:25 localhost sshd[266]: error: open /dev/tty failed - could not
 set controlling tty: No such device or address

That's odd. My centos container has no /dev/tty and it works just
fine. My host has one though.


 I should also mention that my host machine is a remote one and I have ssh'd
 into that.

It shouldn't matter.


 Do I need to make any specific changes to the tty conf in the container?

Do you have /dev/pts directory inside the container? What files are in there?
Do you have /dev/tty inside the host?

-- 
Fajar



Re: [Lxc-users] ssh'ing in the container ( ioctl operation not permitted /dev/tty failed - no such device or address )

2012-10-22 Thread Fajar A. Nugraha
On Mon, Oct 22, 2012 at 5:26 PM, swair shah swairs...@gmail.com wrote:
  Do I need to make any specific changes to the tty conf in the container?

 Do you have /dev/pts directory inside the container? What files are in
 there?


 /dev/pts has

 crw--w 1 roottty  136, 0 Oct 22 15:54 0
 crw--w 1 swair  tty  136, 7 Oct 22 15:52 7
 c- 1 rootroot   5, 2 Oct 22 15:25 ptmx


 Do you have /dev/tty inside the host?


 Host has /dev/tty.



Try http://osdir.com/ml/lxc-chroot-linux-containers/2012-03/msg00050.html

-- 
Fajar



Re: [Lxc-users] how to limit disk space in lxc

2012-10-25 Thread Fajar A. Nugraha
On Thu, Oct 25, 2012 at 4:11 PM, 宣铭艺 xuanmin...@gmail.com wrote:
 Dear all:
 The problem is that,how can we limit the disk space in lxc.Now I use the
 default config.
 And the container can access all space in host.can we use lvm or other tools
 to limit it?
 And how :)

simplest solution: place the container rootfs in an LV.

You need to create and format the LV and move the rootfs MANUALLY
after the container is created though, as AFAIK no template has the
ability to create a rootfs in an LV of this size.

-- 
Fajar



Re: [Lxc-users] how to limit disk space in lxc

2012-10-25 Thread Fajar A. Nugraha
On Thu, Oct 25, 2012 at 9:07 PM, Serge Hallyn
serge.hal...@canonical.com wrote:
 Quoting Fajar A. Nugraha (l...@fajar.net):
 On Thu, Oct 25, 2012 at 4:11 PM, 宣铭艺 xuanmin...@gmail.com wrote:
  Dear all:
  The problem is that,how can we limit the disk space in lxc.Now I use the
  default config.
  And the container can access all space in host.can we use lvm or other 
  tools
  to limit it?
  And how :)

 simplest solution: place the container rootfs in an LV.

 You need to create and format the LV and move the rootfs MANUALLY
 after the container is created though, as AFAIK no template has the
 ability to create a rootfs in an LV of this size.

 -B option to lxc-create specifies the backing store type.

 sudo lxc-create -t ubuntu -B lvm -n u1

 will default to 500M rootfs with ext4, or

 sudo lxc-create -t ubuntu -B lvm -n u1 --fssize 2G --fstype xfs



Ah, thanks for pointing that out. I was (mistakenly) looking at the
template (/usr/share/lxc/templates/lxc-ubuntu --help), while in fact
the option belongs to lxc-create.

-- 
Fajar



Re: [Lxc-users] Converting existing CentOS 6.x to container within Ubuntu 12.04 - can that be simple?

2012-10-28 Thread Fajar A. Nugraha
On Sun, Oct 28, 2012 at 1:36 AM, Whit Blauvelt w...@transpect.com wrote:

 I have this notion that it might be simple indeed to set this up.

Sure it is. Well, kind of :)

 But that
 notion is admittedly foggy. If it is simple, is there a guide to this sort
 of thing somewhere? I see a template for a fresh CentOS 6 guest here on the
 list I could try, but if there's a way to more directly just use the already
 configured backup rather than build a fresh instance that would be even
 better.

Did your search bring you to
http://wiki.1tux.org/wiki/Lxc/Installation/Guest/Centos/6 ? :D

If yes, that guide assumes you have a working centos 6 setup
already, in the form of one created using yum install --installroot.
You could change that to a filesystem-level backup of a working
centos installation, and pretty much do the same modifications. In
particular, lxc-sysinit.conf and fstab.

There might be other modifications required (I forgot which ones, try
looking at 
http://wiki.1tux.org/wiki/Centos6/Installation/Minimal_installation_using_yum#Post-install_configuration
and see which ones are relevant), just try it and see how it goes.

As usual, create backups before you modify anything. Just in case.

-- 
Fajar



Re: [Lxc-users] Regarding connecting containers to vlan

2012-10-29 Thread Fajar A. Nugraha
On Mon, Oct 29, 2012 at 5:22 PM, Kalyana sundaram kalyan...@gmail.com wrote:

 Hi
 I am pretty new to lxc
 I have set up lxc centos containers on centos host. The centos host is
 connected to our private network (vlan id 211)

What do you use on the host? eth0, or eth0.211?

 How could I make these containers also to connect to the same private
 network

Simply put: create a bridge for that interface (Google "centos bridge
howto"), and set the container to use that bridge (lxc.network.link)

-- 
Fajar



Re: [Lxc-users] Regarding connecting containers to vlan

2012-10-30 Thread Fajar A. Nugraha
On Wed, Oct 31, 2012 at 12:39 AM, brian mullan bmullan.m...@gmail.com wrote:
 Kalyana  Fajar

 I know this answer isn't about VLAN specifically but it might interest you.
 I'd stumbled upon it a few weeks ago and the title was
 Connecting containers on several hosts with Open vSwitch

 http://s3hh.wordpress.com/2012/05/28/connecting-containers-on-several-hosts-with-open-vswitch/

 There was also a newer post regarding Open vSwitch and LXC:
 http://s3hh.wordpress.com/


Last time I tested, openvswitch is more powerful, but kinda
complicated for new users who are used to linux bridge.

Anyway, back to Kalyana's requirement, you can either:
- bridge the trunk (eth0) to the container, and create vlan on the
interface in container side (i.e. create eth0.100 in the container)
- bridge the vlan interface (eth0.100) to the container, and use the
interface on container side (eth0) directly as regular interface

-- 
Fajar


