[lxc-devel] lxc-start and lucid container
Hi all,

I have a slight problem using a lucid container (on a lucid host): if I
start the container via lxc-start, no console login starts up. I have to
use lxc-console from a different terminal. If I use a lenny container,
lxc-start shows the start up log messages and finally the getty/login.

I'm using the lxc-packages from lucid:

r...@ubuntu01:~# dpkg -l lxc
Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
| Status=Nicht/Installiert/Config/U=Entpackt/Fehlgeschl. Konfiguration/
     Halb installiert/Trigger erWartet/Trigger anhängig
|/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
||/ Name    Version    Beschreibung
+++-==-==-
ii  lxc     0.6.5-1    Linux containers userspace tools

The start trace is:

r...@ubuntu01:/var/lib/lxc/lucid# lxc-start -n lucid --logfile=/dev/stderr --logpriority=TRACE -- /sbin/init --verbose
lxc-start 1274106224.666 INFO  lxc_conf - tty's configured
lxc-start 1274106224.669 DEBUG lxc_start - sigchild handler set
lxc-start 1274106224.669 INFO  lxc_start - 'lucid' is initialized
lxc-start 1274106224.681 DEBUG lxc_conf - instanciated macvlan 'mcwEvnvl', index is '8' and mode '0'
lxc-start 1274106224.699 DEBUG lxc_cgroup - using cgroup mounted at '/lxc-cgroup'
lxc-start 1274106224.699 DEBUG lxc_cgroup - '/lxc-cgroup/20474' renamed to '/lxc-cgroup/lucid'
lxc-start 1274106224.711 DEBUG lxc_conf - move 'eth1' to '20474'
lxc-start 1274106224.711 INFO  lxc_conf - 'lucid' hostname has been setup
lxc-start 1274106224.713 DEBUG lxc_conf - mac address '4a:49:43:49:79:bd' on 'eth0' has been setup
lxc-start 1274106224.714 DEBUG lxc_conf - 'eth0' has been setup
lxc-start 1274106224.714 INFO  lxc_conf - network has been setup
lxc-start 1274106224.715 DEBUG lxc_cgroup - using cgroup mounted at '/lxc-cgroup'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.deny' set to 'a'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 1:3 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 1:5 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 5:1 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 5:0 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 4:0 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 4:1 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 1:9 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 1:8 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 136:* rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 5:2 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 254:0 rwm'
lxc-start 1274106224.716 INFO  lxc_conf - cgroup has been setup
lxc-start 1274106224.716 INFO  lxc_conf - mount points have been setup
lxc-start 1274106224.716 INFO  lxc_conf - console '/dev/pts/2' mounted to '/var/lib/lxc/lucid/rootfs/dev/console'
lxc-start 1274106224.716 INFO  lxc_conf - 4 tty(s) has been setup
lxc-start 1274106224.717 DEBUG lxc_conf - temporary mountpoint for old rootfs is './lxc-oldrootfs-E19bcw'
lxc-start 1274106224.717 DEBUG lxc_conf - pivot_root syscall to '/lxc-oldrootfs-E19bcw' successful
lxc-start 1274106225.062 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/dev/pts'
lxc-start 1274106225.091 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/dev/shm'
lxc-start 1274106225.162 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/sys/fs/fuse/connections'
lxc-start 1274106225.178 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/sys/kernel/debug'
lxc-start 1274106225.194 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/sys/kernel/security'
lxc-start 1274106225.210 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/proc'
lxc-start 1274106225.226 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/var/run'
lxc-start 1274106225.243 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/var/lock'
lxc-start 1274106225.258 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/lib/init/rw'
lxc-start 1274106225.274 DEBUG lxc_conf - umounted '/lxc-oldrootfs-E19bcw/boot'
lxc-start 1274106225.290 DEBUG lxc_conf - umounted '/lxc-oldrootf
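The 'devices.deny' / 'devices.allow' lines in the trace above are the container's device whitelist, and a console getty needs /dev/console (5:1) and the pts devices (136:*) on it. The following is an added example, not part of the original post or of the lxc tools: it parses such trace lines and reports the resulting policy. The sample lines are constructed in the shape of the trace, and the name table and function names are assumptions of this example.

```python
import re

# Fixed character-device numbers (major, minor) from the kernel's device list.
KNOWN = {
    ("1", "3"): "/dev/null", ("1", "5"): "/dev/zero",
    ("1", "8"): "/dev/random", ("1", "9"): "/dev/urandom",
    ("4", "0"): "/dev/tty0", ("4", "1"): "/dev/tty1",
    ("5", "0"): "/dev/tty", ("5", "1"): "/dev/console",
    ("5", "2"): "/dev/ptmx", ("136", "*"): "/dev/pts/*",
}
RULE = re.compile(r"cgroup 'devices\.(allow|deny)' set to '([^']+)'")

# Constructed sample in the shape of the lxc-start TRACE lines quoted above.
SAMPLE_TRACE = """\
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.deny' set to 'a'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 5:1 rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 136:* rwm'
lxc-start 1274106224.716 DEBUG lxc_conf - cgroup 'devices.allow' set to 'c 254:0 rwm'
lxc-start 1274106224.716 INFO lxc_conf - cgroup has been setup
"""

def audit(trace):
    """Summarise the device policy that lxc-start logged, in log order."""
    rules = RULE.findall(trace)  # list of (action, value) pairs
    result = {
        # Only a leading "deny a" makes the allow lines a true whitelist.
        "default_deny": bool(rules) and rules[0] == ("deny", "a"),
        "allowed": [],        # (device name, access) for recognised entries
        "unrecognised": [],   # allow entries to review by hand
    }
    for action, value in rules:
        if action != "allow":
            continue
        fields = value.split()
        if len(fields) != 3 or ":" not in fields[1]:
            result["unrecognised"].append(value)
            continue
        dev_type, numbers, access = fields
        major, minor = numbers.split(":", 1)
        name = KNOWN.get((major, minor)) if dev_type == "c" else None
        if name:
            result["allowed"].append((name, access))
        else:
            result["unrecognised"].append(value)
    return result

def console_allowed(result):
    """True if both devices a console getty needs are readable and writable."""
    ok = {n for n, acc in result["allowed"] if "r" in acc and "w" in acc}
    return {"/dev/console", "/dev/pts/*"} <= ok

if __name__ == "__main__":
    print(audit(SAMPLE_TRACE))
```

Entries with a dynamically assigned major number, such as 254:0 here, are reported as unrecognised so that they are checked against the host rather than guessed.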
Re: [lxc-devel] [Lxc-users] lxc-start and lucid container
On 17.05.2010 14:59, zitta.fr wrote:
> Hi,
>
> try this :
>
> cat > /path_to_lucid_root/etc/init/console.conf
> # console - getty
> #
> # This service maintains a getty on stdin from the point the system is
> # started until it is shut down again.
>
> start on stopped rc RUNLEVEL=[2345]
> stop on runlevel [!2345]
>
> respawn
> exec /sbin/getty -8 38400 console
>

this is exactly the contents of /etc/init/tty1.conf

but it doesn't work

> Regards,
>
> Guillaume ZITTA
>
> On 17/05/2010 16:31, Wilhelm wrote:
>> Hi all,
>>
>> I have a slight problem using a lucid container (on a lucid host): if I
>> start the container via lxc-start, no console login starts up. I have to
>> use lxc-console from a different terminal. If I use a lenny container,
>> lxc-start shows the start up log messages and finally the getty/login.
>>
>> I'm using the lxc-packages from lucid:
>>
>> r...@ubuntu01:~# dpkg -l lxc
>> Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
>> | Status=Nicht/Installiert/Config/U=Entpackt/Fehlgeschl.
Re: [lxc-devel] [Lxc-users] lxc-start and lucid container
On 17/05/2010 18:09, Wilhelm wrote:
>
> On 17.05.2010 14:59, zitta.fr wrote:
>> Hi,
>>
>> try this :
>>
>> cat > /path_to_lucid_root/etc/init/console.conf
>> # console - getty
>> #
>> # This service maintains a getty on stdin from the point the
>> system is
>> # started until it is shut down again.
>>
>> start on stopped rc RUNLEVEL=[2345]
>> stop on runlevel [!2345]
>>
>> respawn
>> exec /sbin/getty -8 38400 console
>>
>
> this is exactly the contents of /etc/init/tty1.conf

Sorry, I left a comment that could make you think it is tty1.conf.
But no, it is not. Look at this diff:

--- tty1.conf2010-04-02 02:13:25.0 +0200 +++ console.conf2010-05-17 16:59:53.770083492 +0200 @@ -1,4 +1,4 @@ -# tty1 - getty +# console - getty # # This service maintains a getty on tty1 from the point the system is # started until it is shut down again. 
@@ -7,4 +7,4 @@ stop on runlevel [!2345] respawn -exec /sbin/getty -8 38400 tty1 +exec /sbin/getty -8 38400 console

> but it doesn't work

Did you even try?

>
>> Regards,
>>
>> Guillaume ZITTA
>>
>> On 17/05/2010 16:31, Wilhelm wrote:
>>> Hi all,
>>>
>>> I have a slight problem using a lucid container (on a lucid host): if I
>>> start the container via lxc-start, no console login starts up. I
>>> have to
>>> use lxc-console from a different terminal. If I use a lenny container,
>>> lxc-start shows the start up log messages and finally the getty/login.
>>>
>>> I'm using the lxc-packages from lucid:
>>>
>>> r...@ubuntu01:~# dpkg -l lxc
>>> Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig
>>> Löschen/Halten
>>> | Status=Nicht/Installiert/Config/U=Entpackt/Fehlgeschl. Konfiguration/
>>>      Halb installiert/Trigger erWartet/Trigger anhängig
>>> |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler:
>>> GROSS=schlecht)
>>> ||/ Name
>>> Version    Beschreibung
>>> +++-==-==-
>>>
>>> ii lxc
>>> 0.6.5-1    Linux containers userspace tools
>>>
>>>
>>> The start trace is:
>>>
>>> r...@ubuntu01:/var/lib/lxc/lucid# lxc-start -n lucid
>>> --logfile=/dev/stderr --logpriority=TRACE -- /sbin/init --verbose
>>> lxc-start 1274106224.666 INFO  lxc_conf - tty's configured
>>> lxc-start 1274106224.669 DEBUG lxc_start - sigchild
>>> handler set
>>> lxc-start 1274106224.669 INFO  lxc_start - 'lucid' is
>>> initialized
>>> lxc-start 1274106224.681 DEBUG lxc_conf - instanciated
>>> macvlan
>>> 'mcwEvnvl', index is '8' and mode '0'
>>> lxc-start 1274106224.699 DEBUG lxc_cgroup - using cgroup
>>> mounted at '/lxc-cgroup'
>>> lxc-start 1274106224.699 DEBUG lxc_cgroup -
>>> '/lxc-cgroup/20474' renamed to '/lxc-cgroup/lucid'
>>> lxc-start 1274106224.711 DEBUG lxc_conf - move 'eth1' to
>>> '20474'
>>> lxc-start 1274106224.711 INFO  lxc_conf - 'lucid'
>>> hostname has
>>> been setup
>>> lxc-start 1274106224.713 DEBUG lxc_conf - mac address
>>> '4a:49:43:49:79:bd' on 'eth0' has been setup
>>>
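Review bot: in the first hunk (@@ -1,4 +1,4 @@) only the title comment is changed to "# console - getty", while the unchanged context line still reads "# This service maintains a getty on tty1 from the point the system is", so the description in console.conf would name the wrong device. Change that line as well; the console.conf text posted earlier in this thread says "on stdin" at that place, which this diff does not show.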
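Review bot: in the second hunk (@@ -7,4 +7,4 @@) the exec line switches getty from tty1 to console but "respawn" is kept unchanged and nothing in the file says the job is meant for a container. A short comment stating that the job relies on /dev/console being provided by lxc-start (the trace in this thread shows '/dev/pts/2' mounted to '/var/lib/lxc/lucid/rootfs/dev/console') would explain why it differs from tty1.conf and where to look if getty keeps being respawned.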
Re: [lxc-devel] Containerized syslog
Quoting Matt Helsley (matth...@us.ibm.com):
> On Wed, May 12, 2010 at 11:15:05PM +0200, Daniel Lezcano wrote:
> > Jean-Philippe Menil wrote:
> > > Hi,
> > >
> > > I'm playing with containers under debian (squeeze, 2.6.33.3) with the
> > > lxc tools.
> > > I'm really happy about all the features (attach veth on bridge, filter
> > > with iptables inside the containers, etc ...), and I was thinking to
> > > replace some of our vservers (and maybe some of our kvm) with this
> > > solution.
> > >
> > > But actually, I experiment a problem with the iptables logs:
> > > I've iptables on the host to filter some container, basically a squid
> > > proxy. I've another container who act as router, and he has his own
> > > iptables inside.
> > > All the log are deported to a dedicated syslog server.
> > > It appears that the iptables log of the host are also deported by the
> > > syslog container (proxy).
> > >
> > > Some of our guest (container, vserver, etc ) are administered by other
> > > sys-admin, that should not have access to this information.
> > >
> > > This point is blocking me today, before going into production with
> > > containers.
> > >
> > > I've seen some patch made by Jean-Marc Pigeon about this problem,
> > > but they have not been committed.
> >
> > I think a consensus was not reached. The big deal with syslog is netfilter
> > logs in an interrupt context where it is difficult to find the right log
> > buffer ring as we are not in the process context making possible to
> > identify the namespace.
> >
> > IMHO, there are two parts to implement, (1) multiple instances of
> > /dev/log with a new ring buffer each time attached to the file and
>
> Just for reference, here are some archived mailing list threads on the
> subject of containerized syslog:
>
> http://www.mail-archive.com/de...@openvz.org/msg20104.html
> http://thread.gmane.org/gmane.linux.kernel.containers/16526
>
> > (2)
> > add an iptables rules to specify the file to log. This approach allows
> > to get rid of namespace (in all the cases the clone flags are exhausted
> > now), and provides a generic mechanism for other use cases (eg. separate
> > logs for iptables) different from a container specific problem.
>
> (3) Security implications.
>
> Depending on how the syslog is split off, whether the host
> expects to be "Cc'd", etc. there could be some security
> implications. More importantly, the syslog control syscalls need
> to be modified to at least prevent containers from changing syslog
> policy of the host. Serge could probably explain this much better
> than I can (cc'd). Here's a thread on the subject:
>
> http://lwn.net/Articles/378472/

Yes, I think that's the first step. Then, as Oren and Matt were
discussing on irc, we can talk about a userspace daemon on the host
forwarding either syslog or audit msgs to containers as appropriate.
This leaves that policy chunk in userspace, but we'd still have to
decide on a way to mark messages (which is why audit would be easier).

First question then is how do we identify a container? With pidns we
can point to a definitive global pid for the container init task. For
netns, no such thing.

-serge

--
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel