Quoting Peter Steele (pwste...@gmail.com):
> On 12/03/2015 08:42 PM, Fajar A. Nugraha wrote:
> >lxc.autodev = 1
> >
> >That is not common.conf (though I'm not sure whether it matters)
> I included this early on when I was encountering the funky udev
> issue. It didn't help but I kept it in place, admittedly for no good
> reason.
> >lxc.kmsg = 0
> >
> >Neither is that. Though it should be the default value
> In my original tests with LXC 1.0.7 I hit an issue where systemd on
> my containers was running at 100%. I did some research and found the
> problem described with the solution suggested being to add this
> lxc.kmsg line. This did in fact solve the problem. I just did a test
> without this though and the CPU issue did not occur, so presumably
> LXC 1.1.5 has fixed this problem.
> >
> > # Remove capabilities we don't want in containers
> > lxc.cap.drop = mac_admin mac_override sys_time sys_module
> >
> >centos.common.conf also has lxc.cap.drop = sys_nice sys_pacct
> >sys_rawio. You don't have that.
> >
> I excluded this line because we need sys_nice enabled in our
> containers. I wasn't sure about sys_pacct and sys_rawio and was
> going to do more investigation on these later.
>
> > lxc.cgroup.devices.allow = c 5:0 rwm
> >
> >
> > lxc.cgroup.devices.allow = c 136:* rwm
> > ## /dev/ptmx pty master
> > lxc.cgroup.devices.allow = c 5:2 rwm
> >
> >
> >you're missing 5:1 (console), 10:229 (fuse). Both are in common.conf.
> >
> There was in fact no common.conf in the 1.0.7 release I originally
> was using, and the centos.common.conf did not have the console and
> fuse entries. When I switched to 1.1.5 common.conf was introduced
> and these device definitions were moved there. I took a quick look
> at these definitions and added the fuse entry but didn't notice
> console had been added as well. Thanks for noticing this.
> >
> >Is there a reason why you didn't test simply using the same
> >config, which also does the "includes" instead of copying SOME of
> >them? Is there a reason why you don't copy ALL of them? It should
> >be easier to start with a known good setup, then do incremental
> >changes.
> Well, as I said we need sys_nice and so that was one reason why I
> didn't want to use the config files directly. I also noticed that
> proc was mounted in mixed mode and we need at least some rw access
> to a portion of /proc/sys, and I thought I'd probably need to change
> this mixed entry. Since all of our work is based on centos, I also
> didn't see the need to include the lxc-templates rpm in my package
> set. Our server is based on a minimal centos config and I try to
> avoid adding additional rpms if I can avoid it.
>
> That said, I did change my install framework this morning to include
> lxc-templates and to use centos.common.conf and common.conf directly
> rather than rely on my manually crafted version. This causes
> sys_nice to be dropped, as I just mentioned above, and I need to
> solve that problem. So, if I have this:
>
> lxc.include = /usr/share/lxc/config/centos.common.conf
>
> can I then add the entry
>
> lxc.cap.keep = sys_nice
>
> after this? Based on the description in the man page I assume this
> will not just add this one capability but will instead remove
> everything except this. So, what's the correct way to use
> common.conf and to re-add dropped capabilities?
Sadly, there's no good way to do that purely through config. You can do it through the api by querying the current lxc.cap.drop value, pulling sys_nice out of it, then clearing lxc.cap.drop (set_config_item(lxc.cap.drop, "")) and re-setting it to the new full value. But not purely through config files.

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
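The API approach described in the reply, written out as an added example that is not part of the thread or of the LXC project's own code. The pure helper `caps_to_drop` needs no LXC at all; `rewrite_cap_drop` assumes the python3-lxc binding (`lxc.Container`, `get_config_item`, `clear_config_item`, `set_config_item`, `save_config`) and the sample drop lists are the ones quoted in the thread (common.conf plus centos.common.conf), constructed here as test input.

```python
"""Re-add one capability that an included LXC config has dropped.

Added example; the binding method names used in rewrite_cap_drop are an
assumption about python3-lxc, and the helper below is the only part the
example actually exercises without a container present.
"""


def caps_to_drop(current, keep):
    """Return a new lxc.cap.drop value with the capabilities in `keep` removed.

    `current` may be a space-separated string or a list of strings, since a
    binding may hand a multi-valued key back either way.  Order is preserved
    and duplicates collapsed so the result is deterministic, and only the
    named capabilities are taken out: everything else the distro config
    drops stays dropped.
    """
    if isinstance(current, str):
        items = current.split()
    else:
        items = [cap for chunk in current for cap in str(chunk).split()]
    wanted = {k.strip().lower() for k in keep}
    result = []
    for cap in items:
        cap = cap.lower()
        if cap in wanted or cap in result:
            continue
        result.append(cap)
    return " ".join(result)


def example_from_thread():
    """Constructed input: the two drop lists quoted in the thread, as LXC
    would accumulate them after including common.conf and centos.common.conf."""
    accumulated = ("mac_admin mac_override sys_time sys_module "
                   "sys_nice sys_pacct sys_rawio")
    return caps_to_drop(accumulated, ["sys_nice"])


def rewrite_cap_drop(container_name, keep=("sys_nice",), config_path=None):
    """Query, edit and re-set lxc.cap.drop through the API, as the reply
    describes.  Requires python3-lxc; method names are assumed, see above."""
    import lxc  # python3-lxc binding (assumed API)

    container = lxc.Container(container_name, config_path)
    current = container.get_config_item("lxc.cap.drop")
    new_value = caps_to_drop(current, keep)
    # Clearing first matters: setting lxc.cap.drop appends, it does not replace.
    container.clear_config_item("lxc.cap.drop")
    if new_value:
        container.set_config_item("lxc.cap.drop", new_value)
    container.save_config()
    return new_value


if __name__ == "__main__":
    print(example_from_thread())
```

After `save_config()` it is worth reading the written config back (or checking `lxc-info`/the container's `/proc/self/status` CapBnd once started) to confirm that only `sys_nice` came back and the rest of the distro's drop list survived; `lxc.cap.keep`, as the man page describes, would instead discard every capability not listed.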