On Thu, 2013-10-03 at 20:49 -0500, Serge Hallyn wrote: 
> Quoting Michael H. Warfield (m...@wittsend.com):
> > On Thu, 2013-10-03 at 16:58 -0500, Serge Hallyn wrote: 
> > > Quoting Michael H. Warfield (m...@wittsend.com):
> > > > On Wed, 2013-10-02 at 23:39 -0500, Serge Hallyn wrote: 
> > > > > Quoting Michael H. Warfield (m...@wittsend.com):
> > > > > > +    mount -o loop ../LiveOS/squashfs.img squashfs
> > > > 
> > > > > Heh, this is unfortunate - since I test things inside containers, now I
> > > > > have to face the loop device in containers issue :)
> > > > 
> > > > > For now I just added b 7:0 to my devices whitelist and loosened the
> > > > > apparmor policy.  Fedora build did its thing.  Then I removed those
> > > > > exceptions.
> > > > 
> > > > > I did have to remove the devices whitelist entries for 4:0 and 4:1.
> > > > > They are for /dev/tty{0,1} - the real ones, which we don't use
> > > > > in containers.  Since the ubuntu container in which I was testing
> > > > > didn't have that, I couldn't grant it to the fedora container, but
> > > > > it doesn't need it.
> > > > 
> > > > > Other than that, it looks good!
> > > > 
> > > > > There is a weird glitch, when I first start the container, I type
> > > > > in username root, then have to hit return again before it shows
> > > > > me the password prompt.  It doesn't accept the password.  Second
> > > > > login attempt works fine.  Yum also isn't finding any mirrors, but
> > > > > that may be a problem local to me.
> > > > 
> > > > Check to see if your network is running.  Looks like it's not bringing
> > > > up eth0 by default, at least not on F19.  I'll have to look into that
> > > > one further.
> > 
> > > Hey Michael,
> > 
> > > so as far as I'm concerned this is a huge improvement.  I'm happy to ack
> > > it so long as you agree with getting rid of the 4:0 and 4:1 device
> > > whitelist entries.
> > 
> > Nothing like a few challenges to spice up the act, hey.

> Hm?

> > Like I said, I think I can eliminate the one by using unsquashfs, though
> > it will take more disk space temporarily (~300 Meg that I can quickly
> > recover).
> > 
> > The second one, though, the ext4 image, is a lot more challenging.  Is
> > there an ext4 tool for extracting the file system without mounting it?
> > If there is (Ted Tso might know) that would do the trick.  But, then,
> > that's another dependency we may or may not want.
> > 
> > My target was to make this as distro agnostic as possible so it could
> > run on anything (presumably on hard iron or a hypervisor).  Running it
> > in a container without loopback support complicates that immensely.
> > 
> > Let me see what I can do.  Sigh...

> No, I didn't mean any of that.  Actually I hadn't realized you don't
> touch the devices whitelist setting at all anyway!  So I'm going to
> apply your patch and then another patch to remove those entries,
> something like:

> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 1386f23..560b171 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -369,8 +369,6 @@ lxc.cgroup.devices.allow = c 1:5 rwm
>  # consoles
>  lxc.cgroup.devices.allow = c 5:1 rwm
>  lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 4:0 rwm
> -lxc.cgroup.devices.allow = c 4:1 rwm

Oh, crap...  I have GOT to read messages more carefully.  I thought you
were referring to those loop devices you had to enable for containerized
container creation testing.  But, damn where is my head at, those were
"b 7:0" and "b 7:1" not "c 4:0" and "c 4:1"...  You were referring to
the tty devices in the target container config...

Sigh...  Misunderstanding on my part.  My apologies.

>  # /dev/{,u}random
>  lxc.cgroup.devices.allow = c 1:9 rwm
>  lxc.cgroup.devices.allow = c 1:8 rwm
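
Review bot: the two removals under `# consoles` (`c 4:0` and `c 4:1`) leave no record in the template of why they are gone, so a later edit could quietly put them back. A one-line comment at that spot would help, for example noting that 5:0 and 5:1 are /dev/tty and /dev/console, while the host's real /dev/tty0 and /dev/tty1 are deliberately not allowed because containers do not use them, as stated earlier in this thread. The patch as posted also carries no commit message or Signed-off-by line, which it will need before it is applied.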

> thanks,
> -serge

Thanks!

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  m...@wittsend.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
