Re: [lxc-devel] [Lxc-users] Request for inclusion into mainline LXC utils
On 01/02/2010 00:15, Daniel Lezcano wrote:
> Dominik Schulz wrote:
>
>> On Saturday 30 January 2010 21:54:29, Guillaume ZITTA wrote:
>>
>>> Sorry for the late response, I was on holidays.
>>> I do think joining efforts is always a good thing.
>>> I think some things need to be defined :
>>> - best practices for a good container (no udev, syslog conf...)
>>> - what minimal features we expect from container creation scripts.
>>> - who works on it.
>>>
>> Hi,
>> I'm rather new to LXC but I'm already working on improving the existing
>> tools.
>>
>> My work is based on that of Nigel Mcnie [1]. Since he doesn't seem to be
>> fully involved in LXC I'm looking for a place to contribute my patches to.
>>
>> I propose a clear separation of concerns. The core package "lxc" should only
>> include the essential userland tools, mostly those written in C.
>>
> I agree.
>
me too.

>> The fancy ones should go into a package of their own. Either separated by
>> distribution (lxc-debian, lxc-redhat, ...) or all in one (lxc-utils).
>>
>
> There is too much combination of containers configuration, IMO it should
> be preferable to keep them separated:
> lxc-debian (lenny, sid, ...)
> lxc-fedora (f10, f11, ...)
> lxc-opensuse (10.1, 11.0, 11.1, ...)
> lxc-busybox (statically linked or not)
>
> That would be nice to identify clearly who handles a script(s).
>
> That does not prevent building a single one on top of these scripts.
>
> There is also the sysvrc vs upstart configuration.
>
> We have to deal with the host vs container distro too.
>
> There is the container configuration itself (eg. macvlan, vlan, veth,
> etc ... ) to be interactive or not, and the distros configuration (eg.
> static ip or dhcp).
>
> Note people would be interested by templates which are not only distros
> but also simple applications like sshd or apache+mysql. Why run a
> full container to host a web browser ?
>
>
I think we have 4 or 5 levels of configuration :
- Common to all Linux, example : /etc/resolv.conf
- Distro family, example for debian-like : /etc/network/interfaces
- Distro ( useful? )
- Distro version, example for Ubuntu karmic : upstart, mountall...
- Application or user specific (a gentoo webserver, a debian mailserver, ...)

We should make a modular program so that everybody can simply add a new distro or appliance.

>> Further I propose not to separate tools which should be united in one. I'd
>> like to see a separation of the container-creation tools based on the
>> lower level programs they use. Something like lxc-debootstrap for
>> Debian-based distributions and something alike for the ones based on RPM.
>> Because separating Debian and Ubuntu doesn't seem to support achieving our
>> objectives. They are just too similar in terms of creating containers.
>>
> There is the febootstrap command.
>
>
>> (Partly) in contrast to the proposal of Daniel Lezcano [2] I'd propose to
>> keep the core utils small and simple (following the well known KISS
>> principle) and don't go for templates which are called by lxc-create.
>> Instead I'd keep lxc-create as small as possible and incorporate it into
>> other tools, which I've mentioned above.
>>
> That makes sense.
>
> Should we have a separate project ? or shall we keep these scripts in
> the lxc source tree in a different location in order to have the core
> and the templates synced ? For example, Michael H. Warfield and Tony
> Risinger are writing some useful scripts to shutdown / reboot the
> containers, I hope that won't be a third package, so the user will be
> totally lost.
>
>
I agree.

Dominik, you said that you started some work. anything visible?
Regards,

Guillaume ZITTA

----------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] [Lxc-users] Request for inclusion into mainline LXC utils
On 03/02/2010 12:02, Dominik Schulz wrote:
> On Monday 01 February 2010 08:51:56, l...@zitta.fr wrote:
>
>> Dominik, you said that you started some work. anything visible?
>>
> You can fetch my work from the "tex" branch at http://git.gauner.org/lxc-
> debian.git/.
>
>

It seems that we did not do the same kind of utils.
You have made init.d, start, stop and status scripts (for debian-like distro). It could be proposed to the debian package maintainer.

Talking about container creation, you've patched lxc-debian. Some parts could be integrated into the mainline lxc-debian and perhaps in lxc-provider (if I have your authorization).

I think I will continue to develop my lxc-provider. If I succeed in making a good/clean container creation tool, I'll propose it for inclusion in mainline.
Anyone is welcome to participate.

Regards,

Guillaume ZITTA
French sysadmin
gza on IRC
[lxc-devel] mounting a crypted volume in a container
hi,

I'm trying to provide a crypted volume to a container :

- So I have added it to the container's fstab :
r...@ksxxx:~# cat /var/lib/lxc/newzer.ovh2.p.zitta.fr/fstab
/lxc/root/newzer.ovh2.p.zitta.fr /var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs none rbind 0 0
/dev/mapper/crypt_newzer /var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs/home ext4 defaults 0 0

- Looked which minor/major to allow
r...@ksxxx:~# ls -l /dev/mapper/
total 0
crw-rw 1 root root 10, 60 2010-02-13 14:22 control
brw-rw 1 root disk 252, 3 2010-03-02 12:51 crypt_newzer
brw-rw 1 root disk 252, 3 2010-03-02 12:51 crypt_newzer_unformatted
brw-rw 1 root disk 252, 1 2010-02-13 14:22 vg0-backup_restore
brw-rw 1 root disk 252, 2 2010-03-02 12:22 vg0-cr_newzer
brw-rw 1 root disk 252, 0 2010-02-13 14:22 vg0-lxc

- I have allowed it (I have deduced it from examples)
r...@ksxxx:~# cat /var/lib/lxc/newzer.ovh2.p.zitta.fr/config | grep 252:3
lxc.cgroup.devices.allow = b 252:3 rwm

- And plouf, an error :(
r...@ksxxx:~# lxc-start -n newzer.ovh2.p.zitta.fr
lxc-start: Operation not permitted - failed to mount '/dev/mapper/crypt_newzer' on '/var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs/home'
lxc-start: failed to setup the mounts for 'newzer.ovh2.p.zitta.fr'
lxc-start: failed to setup the container

So I'm wondering if it is possible, if I have made a mistake... Voila

Any idea?
Thanks

Guillaume ZITTA
French sysadmin

--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
___________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] mounting a crypted volume in a container
On 02/03/2010 18:13, Daniel Lezcano wrote:
>
> l...@zitta.fr wrote:
>> hi,
>>
>> I'm trying to provide a crypted volume to a container :
>> - So I have added it to the container's fstab :
>> r...@ksxxx:~# cat /var/lib/lxc/newzer.ovh2.p.zitta.fr/fstab
>> /lxc/root/newzer.ovh2.p.zitta.fr /var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs none rbind 0 0
>> /dev/mapper/crypt_newzer /var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs/home ext4 defaults 0 0
>> - Looked which minor/major to allow
>> r...@ksxxx:~# ls -l /dev/mapper/
>> total 0
>> crw-rw 1 root root 10, 60 2010-02-13 14:22 control
>> brw-rw 1 root disk 252, 3 2010-03-02 12:51 crypt_newzer
>> brw-rw 1 root disk 252, 3 2010-03-02 12:51 crypt_newzer_unformatted
>> brw-rw 1 root disk 252, 1 2010-02-13 14:22 vg0-backup_restore
>> brw-rw 1 root disk 252, 2 2010-03-02 12:22 vg0-cr_newzer
>> brw-rw 1 root disk 252, 0 2010-02-13 14:22 vg0-lxc
>> - I have allowed it (I have deduced it from examples)
>> r...@ksxxx:~# cat /var/lib/lxc/newzer.ovh2.p.zitta.fr/config | grep 252:3
>> lxc.cgroup.devices.allow = b 252:3 rwm
>> - And plouf, an error :(
>> r...@ksxxx:~# lxc-start -n newzer.ovh2.p.zitta.fr
>> lxc-start: Operation not permitted - failed to mount '/dev/mapper/crypt_newzer' on '/var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs/home'
>> lxc-start: failed to setup the mounts for 'newzer.ovh2.p.zitta.fr'
>> lxc-start: failed to setup the container
>>
>> So I'm wondering if it is possible, if I have made a mistake... Voila
>>
>> Any idea?
>> Thanks
>>
> You want to use an image to mount the rootfs, right ?
> This is partly implemented but disabled in the code right now.
> Do you have an example of the image I can download somewhere in the
> net, so I can finish this part and test ?
>
> In the meantime, you can mount the image somewhere in a directory and
> use it as the rootfs - I know this is not what you want to do but
> anyway ... :)
>
>

I have done what you need, URL will follow in a private mail.
For my problem, it is a crypted datadir for a backup server, not a rootfs.
I wanted to use /var/lib/lxc/container/fstab to have the block device mounted at lxc startup without using any wrapper around lxc-start.

For my education, are there any differences between these two solutions :
- using /var/lib/lxc/container/fstab
- mknod in the container + use its /etc/fstab

Regards,

Guillaume ZITTA
Re: [lxc-devel] Ubuntu Karmic container
On 04/03/2010 19:27, Daniel Lezcano wrote:
> Elias Olivares wrote:
>
>> Hi !
>>
>> Here a new bug installing ubuntu karmic into a container :
>>
>> I've installed karmic with debootstrap and when I try to run the container ,
>> it doesn't and this error message appears on the screen :
>>
>> mountall:/dev/ppp: Operation not permitted
>> mountall:/dev/net/tun: Operation not permitted
>> mountall:/dev/loop0: Operation not permitted
>>
>>
In order to "containerize" karmic, I disabled mountall.
Here my script to manage karmic's upstart stuff :
http://lxc-provider.git.sourceforge.net/git/gitweb.cgi?p=lxc-provider/lxc-provider;a=blob;f=libexec/cache_helpers/ubuntu.karmic.init.sh
I hope it could help

>> But the container seems to run :
>>
>> host# lxc-info -n karmic
>> 'karmictest.1g6.biz' is RUNNING
>>
>> The command lxc-ls seems to be broken : (it shows the container 2 times)
>>
>> vms:/mnt/vz# lxc-ls
>> karmictest
>> karmictest
>>
>>
> Yes, that was reported one time, it's displayed twice because it is
> created and because it is running.
> I guess there is some polishing to do with this command.
>
>
>> My container configuration file :
>>
>> lxc.utsname = karmictest
>> lxc.tty = 4
>> lxc.pts = 1024
>> lxc.network.type = veth
>> lxc.network.flags = up
>> lxc.network.link = br0
>> lxc.network.name = eth0
>> lxc.network.mtu = 1500
>> #lxc.mount =
>> lxc.rootfs = /mnt/vz/karmictest
>>
>>
> Can you try by disabling the cgroup.devices section below and try to
> start the container ?
> If you can start it, it is probable you have to allow more devices to be
> created within the container, (eg : b 7 0 for the loop0)
>
>
>> lxc.cgroup.devices.deny = a
>> # /dev/null and zero
>> lxc.cgroup.devices.allow = c 1:3 rwm
>> lxc.cgroup.devices.allow = c 1:5 rwm
>> # consoles
>> lxc.cgroup.devices.allow = c 5:1 rwm
>> lxc.cgroup.devices.allow = c 5:0 rwm
>> lxc.cgroup.devices.allow = c 4:0 rwm
>> lxc.cgroup.devices.allow = c 4:1 rwm
>> # /dev/{,u}random
>> lxc.cgroup.devices.allow = c 1:9 rwm
>> lxc.cgroup.devices.allow = c 1:8 rwm
>> lxc.cgroup.devices.allow = c 136:* rwm
>> lxc.cgroup.devices.allow = c 5:2 rwm
>> # rtc
>> lxc.cgroup.devices.allow = c 254:0 rwm
>>
>>
>
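To make the whitelist semantics behind these `lxc.cgroup.devices` lines concrete, here is an added example (my code, not lxc's and not any poster's file) that parses such a config, emulates the cgroup v1 devices whitelist, and checks which block devices listed in a container fstab the whitelist would let the container open, the question the crypted-volume post above raised with its `b 252:3 rwm` rule and that Daniel's `b 7 0` loop0 suggestion answers here. The sample config, fstab and the major/minor table are constructed.

```python
import re

# Constructed sample inputs modelled on the configs posted in this thread and in
# the crypted-volume thread (not anyone's real files): "deny a", a subset of the
# character-device allow rules, plus the block device that post allowed.
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero, /dev/{,u}random, ptys
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
# dm-crypt mapping (252:3 in the ls -l output of the crypted-volume post)
lxc.cgroup.devices.allow = b 252:3 rwm
"""

SAMPLE_FSTAB = """\
/lxc/root/sample /var/lib/lxc/sample/rootfs none rbind 0 0
/dev/mapper/crypt_sample /var/lib/lxc/sample/rootfs/home ext4 defaults 0 0
/dev/loop0 /var/lib/lxc/sample/rootfs/mnt/img ext3 ro 0 0
"""

# Constructed stand-in for `ls -l /dev/...`: node -> (type, major, minor).
SAMPLE_NODES = {"/dev/mapper/crypt_sample": ("b", 252, 3),
                "/dev/loop0": ("b", 7, 0)}

RULE_RE = re.compile(r"^\s*lxc\.cgroup\.devices\.(allow|deny)\s*=\s*(.+?)\s*$")


def parse_device_rules(config_text):
    """Devices rules in file order as (action, type, major, minor, access);
    major/minor are ints, or '*' for a wildcard."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        action, spec = m.groups()
        if spec == "a":                  # "deny a" / "allow a": every device
            rules.append((action, "a", "*", "*", "rwm"))
            continue
        dtype, numbers, access = spec.split()
        major, minor = numbers.split(":")
        rules.append((action, dtype, major if major == "*" else int(major),
                      minor if minor == "*" else int(minor), access))
    return rules


def _covers(pattern, dtype, major, minor):
    """True when a rule's (type, major, minor) pattern matches a device."""
    p_type, p_major, p_minor = pattern[1:4]
    return ((p_type == "a" or p_type == dtype)
            and (p_major == "*" or p_major == major)
            and (p_minor == "*" or p_minor == minor))


def device_allowed(rules, dtype, major, minor, access):
    """Emulate the cgroup v1 devices whitelist for one request. Rules apply in
    order: 'deny' strips the denied letters from every earlier entry it covers
    ('deny a' empties the list), 'allow' appends an entry. The request passes
    only if a single remaining entry covers the device and grants every
    requested letter. Simplification: a deny never splits a wildcard entry the
    way the kernel does, it only touches entries whose own numbers it covers."""
    whitelist = []
    for rule in rules:
        if rule[0] == "allow":
            whitelist.append(rule)
            continue
        kept = []
        for entry in whitelist:
            if _covers(rule, *entry[1:4]):
                left = "".join(a for a in entry[4] if a not in rule[4])
                if left:
                    kept.append(entry[:4] + (left,))
            else:
                kept.append(entry)
        whitelist = kept
    want = set(access)
    return any(_covers(e, dtype, major, minor) and want <= set(e[4])
               for e in whitelist)


def audit_fstab_devices(config_text, fstab_text, nodes):
    """For each /dev/... source in the container fstab, report whether the
    whitelist lets the container open it for the mount: a read-write mount
    opens the block device for read and write, a 'ro' mount for read only;
    mknod ('m') is only needed to create the node inside the container."""
    rules = parse_device_rules(config_text)
    findings = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("/dev/"):
            continue
        source, options = fields[0], fields[3].split(",")
        if source not in nodes:
            findings.append((source, "unknown", "major:minor not known"))
            continue
        dtype, major, minor = nodes[source]
        access = "r" if "ro" in options else "rw"
        ok = device_allowed(rules, dtype, major, minor, access)
        findings.append((source, "allowed" if ok else "denied",
                         f"{dtype} {major}:{minor} needs '{access}'"))
    return findings
```

On the sample it reports the dm-crypt device as allowed and `/dev/loop0` as denied, the situation Daniel attributes to a missing `b 7 0` rule; it says nothing about why the crypted-volume mount failed despite its rule, which that thread leaves open.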
Re: [lxc-devel] [Lxc-users] child setpgid [...] : No such process
On 11/03/2010 19:47, Daniel Lezcano wrote:
>
> l...@zitta.fr wrote:
>> I created a new container (karmic), then I type any command there is a
>> curious message, but it works:
>>
>
> Do you mean you created a system container with karmic inside ?

Yes, I'm testing a new version of my provisioning scripts.

> Can you give the kernel version, the lxc version, the container
> configuration and the command used to spawn the container ?

config as attachment.

black provisioning # uname -a
Linux black 2.6.31-zen11-lxc-bt #1 ZEN SMP PREEMPT Tue Feb 23 09:13:02 CET 2010 x86_64 Intel(R) Core(TM)2 Quad CPU Q9450 @ 2.66GHz GenuineIntel GNU/Linux

black provisioning # eix -I lxc | grep Installed
Installed versions: 0.6.4-r2(22:25:37 04/01/2010)(doc -examples)

Container started with : lxc-start -d -n mycontainer

I access it via ssh.

Just a question, is the config file used only once at create?

>> r...@mycontainer:~# ls /
>> -bash: child setpgid (28212 to 28212): No such process
>> bin boot dev etc home lib lib64 media mnt opt proc root
>> sbin selinux srv sys tmp usr var
>>
>> As hallyn told me on IRC, I've tried to remount the /proc, no luck
>>
> First time I see this problem :o
>
>

#lxc-provider
lxc.utsname = mycontainer
lxc.tty = 4
lxc.pts = 1024
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.mount = /lxc/tmp/provisionning/mycontainer-config/fstab
lxc.rootfs = /lxc/root/mycontainer
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
Re: [lxc-devel] [Lxc-users] child setpgid [...] : No such process
On 12/03/2010 13:51, Daniel Lezcano wrote:
>
> l...@zitta.fr wrote:
>> On 11/03/2010 19:47, Daniel Lezcano wrote:
>>
>>> l...@zitta.fr wrote:
>>>
>>>> I created a new container (karmic), then I type any command there is a
>>>> curious message, but it works:
>>>>
>>> Do you mean you created a system container with karmic inside ?
>>>
>> Yes, I'm testing a new version of my provisioning scripts.
>>
>>> Can you give the kernel version, the lxc version, the container
>>> configuration and the command used to spawn the container ?
>>>
>>
>> config as attachment.
>>
>> black provisioning # uname -a
>> Linux black 2.6.31-zen11-lxc-bt #1 ZEN SMP PREEMPT Tue Feb 23 09:13:02
>> CET 2010 x86_64 Intel(R) Core(TM)2 Quad CPU Q9450 @ 2.66GHz GenuineIntel
>> GNU/Linux
>>
>> black provisioning # eix -I lxc | grep Installed
>> Installed versions: 0.6.4-r2(22:25:37 04/01/2010)(doc -examples)
>>
>> Container started with : lxc-start -d -n mycontainer
>>
>> I access it via ssh.
>>
>> Just a question, is the config file used only once at create?
>>
>>>> r...@mycontainer:~# ls /
>>>> -bash: child setpgid (28212 to 28212): No such process
>>>> bin boot dev etc home lib lib64 media mnt opt proc root
>>>> sbin selinux srv sys tmp usr var
>>>>
>
> When you are in the container, can you give the output of:
>
> echo $$
> ps axjf
>
>

yes, I can :

r...@mycontainer:~# ls
-bash: child setpgid (1905 to 1905): No such process
r...@mycontainer:~# echo $$
74
r...@mycontainer:~# ps axjf
-bash: child setpgid (1907 to 1907): No such process
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
0 1 1 1 ? -1 Ss 0 0:00 /sbin/init
1131010 ? -1 Sl 101 0:00 rsyslogd -c4
1545454 ? -1 Ss 0 0:00 /usr/sbin/sshd
1686868 tty181 Ss 0 0:00 /bin/login --
68747468 tty181 S0 0:00 \_ -bash
74818168 tty181 R+ 0 0:00 \_ ps axjf
Re: [lxc-devel] [Lxc-users] child setpgid [...] : No such process
On 12/03/2010 14:15, Daniel Lezcano wrote:
>
> l...@zitta.fr wrote:
>> On 12/03/2010 13:51, Daniel Lezcano wrote:
>>
>>> l...@zitta.fr wrote:
>>>
>>>> On 11/03/2010 19:47, Daniel Lezcano wrote:
>>>>
>>>>
>>>>> l...@zitta.fr wrote:
>>>>>
>>>>>> I created a new container (karmic), then I type any command there is a
>>>>>> curious message, but it works:
>>>>>>
>>>>> Do you mean you created a system container with karmic inside ?
>>>>>
>>>> Yes, I'm testing a new version of my provisioning scripts.
>>>>
>>>>
>>>>> Can you give the kernel version, the lxc version, the container
>>>>> configuration and the command used to spawn the container ?
>>>>>
>>>> config as attachment.
>>>>
>>>> black provisioning # uname -a
>>>> Linux black 2.6.31-zen11-lxc-bt #1 ZEN SMP PREEMPT Tue Feb 23 09:13:02
>>>> CET 2010 x86_64 Intel(R) Core(TM)2 Quad CPU Q9450 @ 2.66GHz
>>>> GenuineIntel
>>>> GNU/Linux
>>>>
>>>> black provisioning # eix -I lxc | grep Installed
>>>> Installed versions: 0.6.4-r2(22:25:37 04/01/2010)(doc -examples)
>>>>
>>>> Container started with : lxc-start -d -n mycontainer
>>>>
>>>> I access it via ssh.
>>>>
>>>> Just a question, is the config file used only once at create?
>>>>
>>>>
>>>>>> r...@mycontainer:~# ls /
>>>>>> -bash: child setpgid (28212 to 28212): No such process
>>>>>> bin boot dev etc home lib lib64 media mnt opt proc root
>>>>>> sbin selinux srv sys tmp usr var
>>>>>>
>>> When you are in the container, can you give the output of:
>>>
>>> echo $$
>>> ps axjf
>>>
>>>
>> yes, I can :
>>
>> r...@mycontainer:~# ls
>> -bash: child setpgid (1905 to 1905): No such process
>> r...@mycontainer:~# echo $$
>> 74
>> r...@mycontainer:~# ps axjf
>> -bash: child setpgid (1907 to 1907): No such process
>> PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
>> 0 1 1 1 ? -1 Ss 0 0:00 /sbin/init
>> 1131010 ? -1 Sl 101 0:00 rsyslogd -c4
>> 1545454 ?
>> -1 Ss 0 0:00 /usr/sbin/sshd
>> 1686868 tty181 Ss 0 0:00 /bin/login --
>> 68747468 tty181 S0 0:00 \_ -bash
>> 74818168 tty181 R+ 0 0:00 \_ ps axjf
>>
>
> Very weird ...
>
> Another one :)
>
> strace -f -eclone,setpgid bash
> and then /bin/true (or whatever).
>
>

At the same time, I was upgrading my kernel from 2.6.31 to 2.6.33.
And it works now.
I have done a rollback to reproduce. Clearly, my old kernel is the issue.

After some searches, it seems that my 2.6.31 kernel lost 2 config items from my previous config :
CONFIG_CGROUP_CPUACCT
CONFIG_CGROUP_SCHED

do you think this is the problem ?
Re: [lxc-devel] [Lxc-users] child setpgid [...] : No such process
On 12/03/2010 15:25, Cedric Le Goater wrote:
>
>> At the same time, I was upgrading my kernel from 2.6.31 to 2.6.33.
>> And it works now.
>> I have done a rollback to reproduce. Clearly, my old kernel is the
>> issue.
>>
>> After some searches, it seems that my 2.6.31 kernel lost 2 config
>> items from my previous config :
>> CONFIG_CGROUP_CPUACCT
>> CONFIG_CGROUP_SCHED
>>
>> do you think this is the problem ?
>
> hmm,
>
> this looks like more a pid namespace leak to me.
>
> C.

g...@black /etc/kernels $ cat kernel-config-x86_64-2.6.31-zen11-lxc-bt | grep CONFIG_PID_NS
CONFIG_PID_NS=y
g...@black /etc/kernels $ cat kernel-config-x86_64-2.6.33-zen1-lxc-bt | grep CONFIG_PID_NS
CONFIG_PID_NS=y

Perhaps kernel 2.6.31-zen11 has a bug.
Now it works.

Sorry for the noise on the ML
[lxc-devel] patch for lxc-checkconfig
Hi,

With a friend, we installed lxc on his server.
We spent 1 hour on the kernel config because we didn't know :
- that lxc-checkconfig is a bash script and it can check a config before running it
- which kernel config item was not good
- that CONFIG_SECURITY_FILE_CAPABILITIES is obsolete since 2.6.33

So, here is a patch for lxc-checkconfig that could save time for lxc newbies

--- /usr/sbin/lxc-checkconfig2010-03-12 14:35:38.0 +0100 +++ /usr/local/bin/lxc-checkconfig2010-03-14 07:46:53.940193560 +0100 @@ -19,8 +19,10 @@ else if [ ! -z "$mandatory" -a "$mandatory" = yes ]; then $SETCOLOR_FAILURE && echo -e "disabled" && $SETCOLOR_NORMAL +echo -e "\tmissing conf: $1" else $SETCOLOR_WARNING && echo -e "disabled" && $SETCOLOR_NORMAL +echo -e "\tmissing conf: $1" fi fi } @@ -35,6 +37,7 @@ GREP=grep if [ ! -f $CONFIG ]; then echo +echo "$CONFIG not found" echo "The kernel configuration can not be retrieved" echo "Please recompile with IKCONFIG_PROC or install the kernel headers" echo @@ -66,4 +69,8 @@ echo -n "Veth pair device: " && is_enabled CONFIG_VETH echo -n "Macvlan: " && is_enabled CONFIG_MACVLAN echo -n "Vlan: " && is_enabled CONFIG_VLAN_8021Q -echo -n "File capabilities: " && is_enabled CONFIG_SECURITY_FILE_CAPABILITIES +KVER_MINOR=$($GREP '^# Linux kernel version:' $CONFIG | sed -r 's/.*2.6.([0-9]{2}).*/\1/') +[[ ${KVER_MINOR} < 33 ]] && echo -n "File capabilities: " && is_enabled CONFIG_SECURITY_FILE_CAPABILITIES +echo +echo "Note : Before using a new kernel config, you could check it" +echo "usage : CONFIG=/path/to/config $0"

Regards,

Guillaume ZITTA
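Review bot: in the first hunk (`@@ -19,8 +19,10 @@`) the identical line `echo -e "\tmissing conf: $1"` is added to both branches of the inner `if`/`else`, which both already print "disabled"; one copy placed after that inner `fi` prints the same thing and keeps the two branches from drifting apart when the wording changes.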
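Review bot: in the third hunk (`@@ -66,4 +69,8 @@`) `[[ ${KVER_MINOR} < 33 ]]` is a string comparison, not a numeric one, and `sed -r 's/.*2.6.([0-9]{2}).*/\1/'` only produces a number when the header line matches a two-digit `2.6.NN` minor (the unescaped dots also match any character); on a config whose header does not match, `KVER_MINOR` holds the whole unmatched line (or is empty when `$GREP` finds nothing), so the decision rests on lexicographic ordering of arbitrary text. Suggest escaping the dots (`2\.6\.`), testing that a number was extracted, and comparing numerically, e.g. `[ -n "$KVER_MINOR" ] && [ "$KVER_MINOR" -lt 33 ]`, and on 2.6.33 and later printing a short "File capabilities: built in" style line instead of skipping the check silently, so the reader learns why the option is no longer listed; quoting `"$CONFIG"` in the new `$GREP` call matches the rest of the script's handling of user-supplied paths.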
[lxc-devel] a container can remount ro the host's mount point
Hi,

When I create a full os container (for example a debian), I have to remove the init script that remounts / read-only on halt
example : umountfs for lenny

If I don't do this, the container remounts read-only the mount point where the rootfs is when it stops.

Why is a container able to do this?
If you store multiple containers on the same mount point, it could be very problematic.

Regards,

Guillaume ZITTA
Re: [lxc-devel] LXC Karmic
This script is a part of lxc-provider which is a provisioning tool for lxc.
You should not use this script alone, and it is an old version.
You could read the script to understand what it does or use the entire product :
http://sourceforge.net/projects/lxc-provider/

regards,

Guillaume ZITTA

On 15/03/2010 14:40, Elias Olivares wrote:
> Hello !
>
> I've tried to run your script but it doesn't work. Certainly a mistake
> from my part.
> Can you give me more details on how to run it ?
>
> Thanks a lot
>
> Elias.
>
>
> On 04/03/2010 19:27, Daniel Lezcano wrote:
> > Elias Olivares wrote:
> >
> >> Hi !
> >>
> >> Here a new bug installing ubuntu karmic into a container :
> >>
> >> I've installed karmic with debootstrap and when I try to run the
> container , it doesn't and this error message appears on the screen :
> >>
> >> mountall:/dev/ppp: Operation not permitted
> >> mountall:/dev/net/tun: Operation not permitted
> >> mountall:/dev/loop0: Operation not permitted
> >>
> >>
> In order to "containerize" karmic, I disabled mountall.
> Here my script to manage karmic's upstart stuff :
> http://lxc-provider.git.sourceforge.net/git/gitweb.cgi?p=lxc-provider/lxc-provider;a=blob;f=libexec/cache_helpers/ubuntu.karmic.init.sh
> I hope it could help
> >> But the container seems to run :
> >>
> >> host# lxc-info -n karmic
> >> 'karmictest.1g6.biz' is RUNNING
> >>
> >> The command lxc-ls seems to be broken : (it shows the container 2 times)
> >>
> >> vms:/mnt/vz# lxc-ls
> >> karmictest
> >> karmictest
> >>
> >>
> > Yes, that was reported one time, it's displayed twice because it is
> > created and because it is running.
> > I guess there is some polishing to do with this command.
> >
> >
> >> My container configuration file :
> >>
> >> lxc.utsname = karmictest
> >> lxc.tty = 4
> >> lxc.pts = 1024
> >> lxc.network.type = veth
> >> lxc.network.flags = up
> >> lxc.network.link = br0
> >> lxc.network.name = eth0
> >> lxc.network.mtu = 1500
> >> #lxc.mount =
> >> lxc.rootfs = /mnt/vz/karmictest
> >>
> >>
> > Can you try by disabling the cgroup.devices section below and try to
> > start the container ?
> > If you can start it, it is probable you have to allow more devices
> to be
> > created within the container, (eg : b 7 0 for the loop0)
> >
> >
> >> lxc.cgroup.devices.deny = a
> >> # /dev/null and zero
> >> lxc.cgroup.devices.allow = c 1:3 rwm
> >> lxc.cgroup.devices.allow = c 1:5 rwm
> >> # consoles
> >> lxc.cgroup.devices.allow = c 5:1 rwm
> >> lxc.cgroup.devices.allow = c 5:0 rwm
> >> lxc.cgroup.devices.allow = c 4:0 rwm
> >> lxc.cgroup.devices.allow = c 4:1 rwm
> >> # /dev/{,u}random
> >> lxc.cgroup.devices.allow = c 1:9 rwm
> >> lxc.cgroup.devices.allow = c 1:8 rwm
> >> lxc.cgroup.devices.allow = c 136:* rwm
> >> lxc.cgroup.devices.allow = c 5:2 rwm
> >> # rtc
> >> lxc.cgroup.devices.allow = c 254:0 rwm
> >>
> >>
> >
Re: [lxc-devel] a container can remount ro the host's mount point
On 15/03/2010 15:05, Michael H. Warfield wrote:
> On Sun, 2010-03-14 at 08:33 +0100, l...@zitta.fr wrote:
>
>> Hi,
>>
>> When I create a full os container (for example a debian), I have to
>> remove the init script that remounts / read-only on halt
>> example : umountfs for lenny
>>
>> If I don't do this, the container remounts read-only the mount point
>> where the rootfs is when it stops.
>>
>> Why is a container able to do this?
>> If you store multiple containers on the same mount point, it could be
>> very problematic.
>>
> Ah HA! So THAT'S the root cause of THAT problem. Several of us have
> noticed that effect. Yeah, major PITA. Also explains just why I no
> longer see it. Because of a practice I started using in setting up my
> containers...
>
> As it so happens, because all of my containers are OpenVZ compatibility
> containers, I use a bind mount in the fstab for the root fs. OpenVZ has
> this concept of a "private" and a "rootfs" to aid in setting disk quotas
> in the container and I'm hoping to also eventually use that with union
> mounts / unionfs to do a linux-vservers style unify. But... That also
> prevents this problem because the container's rootfs is NOT a real fs in
> the host, it's the bind mount and that insulates the host's fs and mount
> points from any actions in the container.
>
> Example from one of my containers is like this:
>
> Config:
>
> ==
> lxc.rootfs = /srv/lxc/rootfs
> lxc.mount = /srv/lxc/config/1004.fstab
> =
>
> fstab:
>
> ==
> /srv/lxc/private/1004 /srv/lxc/rootfs none bind 0 0
>
> /export /srv/lxc/rootfs/export none bind 0 0
> /home/shared /srv/lxc/rootfs/srv/shared none bind 0 0
> ==
>
> Would be really NICE if that bind could be something like a fuse with
> unionfs or, eventually, a union mount once those are mature and stable
> in the kernel, but we're not there yet.
>
> Now, you won't actually see anything in /srv/lxc/rootfs because it's
> private to the container and it's just a dummy mount point that can be
> used by all of your containers. The only thing that varies between my
> containers then is the location of the fstab (and the network stuff,
> obviously). The container can screw up its mounts all it wants, they're
> ALL isolated and private to the container, including the rootfs.
>
>
>> Regards,
>>
>
>> Guillaume ZITTA
>>
> Regards,
> Mike
>

Thanks.
I noticed that practice was used by lxc-create in version 0.6.3

with lxc-0.6.3, lxc-create is a binary and it does this for you and other things in /var/lib/lxc
with lxc-0.6.5, lxc-create is a shell script and it does fewer things than the binary one

Is this a voluntary regression?
If not, I propose myself to update the lxc-create script to provide the same kind of functionality as the C version.
Re: [lxc-devel] a container can remount ro the host's mount point
On 15/03/2010 18:28, Michael H. Warfield wrote:
> On Mon, 2010-03-15 at 15:39 +0100, l...@zitta.fr wrote:
>
>> On 15/03/2010 15:05, Michael H. Warfield wrote:
>>
>>> On Sun, 2010-03-14 at 08:33 +0100, l...@zitta.fr wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> When I create a full os container (for example a debian), I have to
>>>> remove the init script that remounts / read-only on halt
>>>> example : umountfs for lenny
>>>>
>>>> If I don't do this, the container remounts read-only the mount point
>>>> where the rootfs is when it stops.
>>>>
>>>> Why is a container able to do this?
>>>> If you store multiple containers on the same mount point, it could be
>>>> very problematic.
>>>>
>>>>
>>> Ah HA! So THAT'S the root cause of THAT problem. Several of us have
>>> noticed that effect. Yeah, major PITA. Also explains just why I no
>>> longer see it. Because of a practice I started using in setting up my
>>> containers...
>>>
>>> As it so happens, because all of my containers are OpenVZ compatibility
>>> containers, I use a bind mount in the fstab for the root fs. OpenVZ has
>>> this concept of a "private" and a "rootfs" to aid in setting disk quotas
>>> in the container and I'm hoping to also eventually use that with union
>>> mounts / unionfs to do a linux-vservers style unify. But... That also
>>> prevents this problem because the container's rootfs is NOT a real fs in
>>> the host, it's the bind mount and that insulates the host's fs and mount
>>> points from any actions in the container.
>>> >>> Example from one of my containers is like this: >>> >>> Config: >>> >>> == >>> lxc.rootfs = /srv/lxc/rootfs >>> lxc.mount = /srv/lxc/config/1004.fstab >>> = >>> >>> fstab: >>> >>> == >>> /srv/lxc/private/1004 /srv/lxc/rootfsnone bind 0 0 >>> >>> /export /srv/lxc/rootfs/exportnone bind 0 0 >>> /home/shared /srv/lxc/rootfs/srv/sharednone bind 0 0 >>> == >>> >>> Would be really NICE if that bind could be something like a fuse with >>> unionfs or, eventually, a union mount once those are mature and stable >>> in the kernel, but we're not there yet. >>> >>> Now, you won't actually see anything in /srv/lxc/rootfs because it's >>> private to the container and it's just a dummy mount point that can be >>> used by all of your containers. The only thing that varies between my >>> containers then is the location of the fstab (and the network stuff, >>> obviously). The container can screw up its mounts all it want's their >>> ALL isolated and private to the container, including the rootfs. >>> >>> >>> >>>> Regards, >>>> >>>> >>> >>> >>>> Guillaume ZITTA >>>> >>>> >>> Regards, >>> Mike >>> >>> >> Thanks. >> I noticed that practice whas used by lxc-create in version 0.6.3 >> > No, not exactly, and it wasn't being done by lxc-create. lxc-create was > merely creating the directory, it was not doing the bind mount and could > not do the bind mount. The actual mount was being done by lxc-start at > run time when starting that container. The code in lxc-create was > removed because the behavior of lxc-start was changed to no longer > require that directory. > > >> with lxc-0.6.3, lxc-create is a binary and it does this for you and >> other things in /var/lib/lxc >> with lxc-0.6.5, lxc-create is a shell script and it does less things >> than the binary one >> > Close but not quite. > > >> Is this a voluntary regression? 
>> > It was a change (and Daniel may chime in here an correct me at any > moment) coupled with the introduction of using pivot root to actually > improve the isolation of the containers from the host and prevent the > containers from breaking out of their chrooted jails. That was a > security fix. He did drop that additional bind mount at that time and > yes that did provide the additional functional isolation in this one > peculiar way that protected the host from random acts of terrorism by > the container on its rootfs. An unanticipated side
Re: [lxc-devel] [Lxc-users] lxc-start and lucid container
On 17/05/2010 18:09, Wilhelm wrote:
>
> On 17.05.2010 14:59, zitta.fr wrote:
>> Hi,
>>
>> try this:
>>
>> cat > /path_to_lucid_root/etc/init/console.conf
>> # console - getty
>> #
>> # This service maintains a getty on stdin from the point the
>> system is
>> # started until it is shut down again.
>>
>> start on stopped rc RUNLEVEL=[2345]
>> stop on runlevel [!2345]
>>
>> respawn
>> exec /sbin/getty -8 38400 console
>>
>
> this is exactly the contents of /etc/init/tty1.conf

Sorry, I left a comment that could make you think it is tty1.conf
But no, it is not.
Look at this diff:

--- tty1.conf	2010-04-02 02:13:25.0 +0200
+++ console.conf	2010-05-17 16:59:53.770083492 +0200
@@ -1,4 +1,4 @@
-# tty1 - getty
+# console - getty
 #
 # This service maintains a getty on tty1 from the point the system is
 # started until it is shut down again.
@@ -7,4 +7,4 @@
 stop on runlevel [!2345]
 
 respawn
-exec /sbin/getty -8 38400 tty1
+exec /sbin/getty -8 38400 console

> but it doesn't work

did you even try?

>
>> Regards,
>>
>> Guillaume ZITTA
>>
>> On 17/05/2010 16:31, Wilhelm wrote:
>>> Hi all,
>>>
>>> I have a slight problem using a lucid container (on a lucid host): if I
>>> start the container via lxc-start, no console login starts up. I have to
>>> use lxc-console from a different terminal. If I use a lenny container,
>>> lxc-start shows the start up log messages and finally the getty/login.
>>>
>>> I'm using the lxc-packages from lucid:
>>>
>>> r...@ubuntu01:~# dpkg -l lxc
>>> Gewünscht=Unbekannt/Installieren/R=Entfernen/P=Vollständig Löschen/Halten
>>> | Status=Nicht/Installiert/Config/U=Entpackt/Fehlgeschl. Konfiguration/Halb installiert/Trigger erWartet/Trigger anhängig
>>> |/ Fehler?=(kein)/R=Neuinstallation notwendig (Status, Fehler: GROSS=schlecht)
>>> ||/ Name           Version        Beschreibung
>>> +++-==-==-========
>>> ii  lxc            0.6.5-1        Linux containers userspace tools
>>>
>>> The start trace is:
>>>
>>> r...@ubuntu01:/var/lib/lxc/lucid# lxc-start -n lucid --logfile=/dev/stderr --logpriority=TRACE -- /sbin/init --verbose
>>> lxc-start 1274106224.666 INFO     lxc_conf - tty's configured
>>> lxc-start 1274106224.669 DEBUG    lxc_start - sigchild handler set
>>> lxc-start 1274106224.669 INFO     lxc_start - 'lucid' is initialized
>>> lxc-start 1274106224.681 DEBUG    lxc_conf - instanciated macvlan 'mcwEvnvl', index is '8' and mode '0'
>>> lxc-start 1274106224.699 DEBUG    lxc_cgroup - using cgroup mounted at '/lxc-cgroup'
>>> lxc-start 1274106224.699 DEBUG    lxc_cgroup - '/lxc-cgroup/20474' renamed to '/lxc-cgroup/lucid'
>>> lxc-start 1274106224.711 DEBUG    lxc_conf - move 'eth1' to '20474'
>>> lxc-start 1274106224.711 INFO     lxc_conf - 'lucid' hostname has been setup
>>> lxc-start 1274106224.713 DEBUG    lxc_conf - mac address '4a:49:43:49:79:bd' on 'eth0' has been setup
>>> lxc-start 1274106224.714 DEBUG    lxc_conf - 'eth0' has been setup
>>> lxc-start 1274106224.714 INFO     lxc_conf - network has been setup
>>> lxc-start 1274106224.715 DEBUG    lxc_cgroup - using cgroup mounted at '/lxc-cgroup'
>>> lxc-start 1274106224.716 DEBUG    lxc_conf - cgroup 'devices.deny' set to 'a'
>>> lxc-start 1274106224.716 DEBUG    lxc_conf - cgroup 'devices.allow' set to 'c 1:3 rwm'
>>> lxc-start 1274106224.716 DEBUG    lxc_conf - cgroup 'devices.allow' set to 'c 1:5 rwm'
>>> lxc-start 1274106224.716 DEBUG    lxc_conf - cgroup 'devices.allow' set to 'c 5:1 rwm'
>>> lxc-start 1274106224.716 DEBUG    lxc_conf - cgroup 'devices.allow' set to 'c 5:0 rw
[lxc-devel] Pivotdir bugs
Hello,

There is a bug related to pivotdir from src/lxc/conf.c

Old root is not unmounted if you accidentally put '/' at the start of lxc.pivotdir.

For example:
lxc.pivotdir = /pivotdir

This bug is critical as lxc silently starts the container leaving the old root mounted.

I would check whether nothing was unmounted and fail with an error.

-usr
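The check proposed in the report above (verify that the old root really went away after the pivot, and refuse to start otherwise), as an added example in C. This is not LXC's code from src/lxc/conf.c: the function names, the normalisation of a leading '/' in lxc.pivotdir, and the two mount tables are all assumptions constructed for the example. The mount tables are written in the /proc/self/mounts layout, so the same function can be fed the real file contents on a running system.

```c
/*
 * Added example, not LXC's own code. Two defensive pieces around the
 * lxc.pivotdir problem described above:
 *
 *  1. pivotdir_normalize() turns a pivotdir that was given with a leading
 *     '/' into a path relative to the new root (assumed behaviour).
 *  2. old_root_still_mounted() scans /proc/self/mounts-style text and
 *     reports whether anything is still mounted at or below the pivot
 *     directory, so the caller can fail loudly instead of starting the
 *     container with the old root visible.
 */
#include <stdio.h>
#include <string.h>

/* Copy pivotdir into out without leading or trailing '/' characters.
 * Returns -1 if the result would be empty ("/" or "") or does not fit. */
static int pivotdir_normalize(const char *pivotdir, char *out, size_t outlen)
{
    while (*pivotdir == '/')
        pivotdir++;
    if (*pivotdir == '\0' || strlen(pivotdir) >= outlen)
        return -1;
    strcpy(out, pivotdir);
    size_t n = strlen(out);
    while (n > 1 && out[n - 1] == '/')
        out[--n] = '\0';
    return 0;
}

/* mounts: one "source mountpoint fstype options 0 0" line per entry, as
 * in /proc/self/mounts. Returns 1 if a mount point equals "/<pivotdir>"
 * or lies below it (old root or something from it is still mounted),
 * 0 if none does, -1 if pivotdir is unusable. */
static int old_root_still_mounted(const char *mounts, const char *pivotdir)
{
    char rel[256], prefix[512];
    if (pivotdir_normalize(pivotdir, rel, sizeof rel) < 0)
        return -1;
    snprintf(prefix, sizeof prefix, "/%s", rel);
    size_t plen = strlen(prefix);

    for (const char *line = mounts; *line; ) {
        const char *p = line + strcspn(line, " \t\n"); /* skip source field */
        p += strspn(p, " \t");                          /* start of mount point */
        size_t mlen = strcspn(p, " \t\n");              /* length of mount point */
        if (mlen >= plen && strncmp(p, prefix, plen) == 0 &&
            (mlen == plen || p[plen] == '/'))
            return 1;
        const char *eol = strchr(line, '\n');
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Constructed mount table as seen inside a container where the old root
 * was left mounted under /pivotdir after pivot_root(2). */
static const char LEFTOVER_MOUNTS[] =
    "/dev/sda1 / ext3 rw 0 0\n"
    "proc /proc proc rw 0 0\n"
    "/dev/sda1 /pivotdir ext3 rw 0 0\n"
    "/dev/sda2 /pivotdir/home ext3 rw 0 0\n";

/* Constructed mount table after a successful umount of the old root. */
static const char CLEAN_MOUNTS[] =
    "/dev/sda1 / ext3 rw 0 0\n"
    "proc /proc proc rw 0 0\n";

int main(void)
{
    /* With the misconfigured "/pivotdir" the check must still find it. */
    if (old_root_still_mounted(LEFTOVER_MOUNTS, "/pivotdir") == 1)
        fprintf(stderr, "old root still mounted under pivotdir, refusing to start\n");
    if (old_root_still_mounted(CLEAN_MOUNTS, "/pivotdir") == 0)
        printf("old root gone, safe to continue\n");
    return 0;
}
```

On a real system the caller would read /proc/self/mounts after the pivot and unmount step and pass its contents in; a return of 1 is the condition the report says should abort the start rather than be ignored.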
Re: [lxc-devel] Anyone with some prebuilt templates laying around they could share?
This can do the job for archlinux:
https://raw.github.com/tokland/arch-bootstrap/master/arch-bootstrap.sh

On 06/02/13 23:06, Michael H. Warfield wrote:
> A recent thread on the lxc-users reminded me that I'm lacking a few
> templates for testing under LXC. OpenVZ has a number of prebuilt
> containers (like CentOS) for download which some people (myself) have
> used to create containers where we don't have prebuilt templates or the
> lxc-templates we have do not function cross-distro.
>
> For example...
>
> On a Fedora host, I can create an Ubuntu container, thanks to deboot.
>
> On an Ubuntu host, I can create a Fedora container using feboot.
>
> I don't see an equivalent for Arch on either. I can tell you that
> trying to create an Arch container on a Fedora host will fail miserably
> trying to use lxc-create. That template seems to be strictly
> like-on-like, which is sad. There is no Arch template in OpenVZ to even
> give me a start, so I'm out of luck there. How do we bootstrap an Arch
> system with pacman on a system which does not have pacman?
>
> Anyone with an Arch container prebuilt template they could share?
>
> Regards,
> Mike
[lxc-devel] Regression: lxc-0.8.0-rc2: lxc-execute crashes on long argument lists
Commit 0ae4f887 ("lxc: introduce lxc_execute()" - Greg Kurz) introduced a regression with the use of lxc-execute for containers with large argument lists.

In lxc-0.7.5, the following command produced 10 lines of output:

lxc-execute -n test -- /usr/bin/printf '%s\n' {1..10}

In lxc-0.8.0-rc2, the same command produces no output. Running strace reveals that a child of lxc-execute receives a segmentation fault before it starts lxc-init.

The crash occurs because the new function allocates too few elements for the argv of the child, so a long argument list causes it to trash the heap. Given a large enough argument list, it will run off the end of the heap and access an unmapped page, causing a segmentation fault.

I have a patch for this posted in my master branch on GitHub:
https://github.com/kevin-dot-pyle/lxc

The following changes since commit ed55bf5203aca88809d979b289d6b2280a18e79c:

  lxc-0.8.0-rc2 (2012-03-20 23:27:47 +0100)

are available in the git repository at:

  git://github.com/kevin-dot-pyle/lxc.git master

Kevin Pyle (4):
      conf: make struct config const
      network: make lxc_ipv{4,6}_addr_add const correct
      log: make locinfo static const
      execute: fix argument counting regression from 0ae4f887

 src/lxc/confile.c |  8
 src/lxc/execute.c |  5 -
 src/lxc/log.h     | 24 ++++----
 src/lxc/network.c | 12 ++--
 src/lxc/network.h | 10 +-
 5 files changed, 31 insertions(+), 28 deletions(-)
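The bug class the report describes, an argv for a child process sized from an under-count so that the copied pointers run past the allocation, comes down to counting every element before allocating. The following is an added example and not LXC's lxc_execute() or the patch in the branch above; build_child_argv() is a hypothetical helper that prepends an init program and a "--" separator to the user's arguments, which is only roughly the shape of what an execute wrapper does, and the 10-entry argument list is constructed after the printf command in the report.

```c
/*
 * Added example, not LXC's code. Sizing a child's argv correctly:
 * every prefix entry, every user argument, and the terminating NULL that
 * execv(3) requires must be counted before the allocation. An allocation
 * of only nargs pointers (the under-count described in the report above)
 * would make the prefix entries and the NULL land past the end of the
 * block and corrupt the heap; that is why the count is a separate,
 * testable function here.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pointers needed: prefix entries + user arguments + terminating NULL. */
static size_t child_argv_count(size_t nprefix, size_t nargs)
{
    return nprefix + nargs + 1;
}

/* Build a NULL-terminated argv of the form {init, "--", args..., NULL}.
 * Returns NULL on overflow or allocation failure; free() the result. */
static char **build_child_argv(const char *init, char *const args[], size_t nargs)
{
    const char *prefix[] = { init, "--" };
    size_t nprefix = sizeof prefix / sizeof prefix[0];

    /* Reject counts that would wrap around before we even allocate. */
    if (nargs > SIZE_MAX - nprefix - 1)
        return NULL;
    size_t n = child_argv_count(nprefix, nargs);

    char **argv = calloc(n, sizeof *argv);
    if (!argv)
        return NULL;

    size_t i = 0;
    for (size_t k = 0; k < nprefix; k++)
        argv[i++] = (char *)prefix[k];
    for (size_t k = 0; k < nargs; k++)
        argv[i++] = args[k];
    argv[i] = NULL;   /* i == n - 1: the last slot of the allocation */
    return argv;
}

/* Number of entries execv() would see in a NULL-terminated argv. */
static size_t argv_len(char *const argv[])
{
    size_t n = 0;
    while (argv[n])
        n++;
    return n;
}

int main(void)
{
    /* Constructed argument list matching printf '%s\n' {1..10}. */
    char *args[] = { "/usr/bin/printf", "%s\n",
                     "1", "2", "3", "4", "5", "6", "7", "8", "9", "10" };
    size_t nargs = sizeof args / sizeof args[0];

    char **argv = build_child_argv("lxc-init", args, nargs);
    if (!argv)
        return 1;
    printf("child argv has %zu entries plus NULL (allocated %zu pointers)\n",
           argv_len(argv), child_argv_count(2, nargs));
    free(argv);
    return 0;
}
```

Running the example under a memory checker with a much longer constructed list is the quickest way to confirm the sizing holds; the count function makes the arithmetic reviewable on its own, separately from the copy loop.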