<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">>> systemd-journald had a bad propensity </span><span style="font-family:arial,sans-serif;font-size:13px">to run amok</span><br><div class="gmail_extra">
<br></div><div class="gmail_extra">I updated my system, updated lxc to 1.0.4, created a new container. (complete re-install) </div><div class="gmail_extra"><font face="arial, sans-serif">Unfortunately, systemd-journald was running on 100% CPU usage, as seen in previous versions.</font></div>
<div class="gmail_extra"><font face="arial, sans-serif">The bug is still there, ... but now the mask is not applied automatically.</font></div><div class="gmail_extra"><font face="arial, sans-serif"><br></font><br><div class="gmail_quote">
On Mon, Jun 30, 2014 at 3:46 PM, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="">Quoting Michael H. Warfield (mhw@WittsEnd.com):<br>
> On Sat, 2014-06-28 at 20:12 +0530, Ajith Adapa wrote:<br>
> > Thanks @Michael<br>
><br>
> > I am running lxc 1.0.3 version in rawhide.<br>
><br>
> Ah. Ok... Understand that lxc-autostart is not fully functional in<br>
> 1.0.3 and will not autoboot containers on host boot. That's in 1.0.4<br>
> which should be in there rsn.<br>
><br>
> > My fedora 20 setup is a VM and hasn't got libvirtd running. As you<br>
> > mentioned earlier thats the reason why virbr0 is not created by<br>
> > default.<br>
><br>
> > Why doesn't lxc directly support creating virbr0 ? Might be one more<br>
> > option in the template.<br>
><br>
> For that, I think I'll have to defer to Serge or Stéphane for a<br>
> definitive answer but, IMHO, it's largely because libvirt is already<br>
> responsible for virbr0 and we could result in conflicts. Not saying we<br>
> would but just that there could be. Worse case would be a race<br>
> condition between us in lxc-autostart-helper and the libvirt service in<br>
> trying to create that bridge. It could result in a failure in one<br>
> service or the other.<br>
><br>
> It's also possible that we've just never really looked into it. Perhaps<br>
> there should be a run-time dependency on libvirt running that we could<br>
> detect and document better. The error message leaves a little bit to be<br>
> desired.<br>
<br>
</div>Right, the setup of host bridges is not for lxc-start to do, but for the<br>
distro-dependent init scripts. In Ubuntu we create lxcbr0 - perhaps the<br>
fedora/centos/oracle scripts should do the same? If they depend on virbr0<br>
then indeed they should depend on libvirt being started before proceeding<br>
to autostart containers.<br>
<br>
We're definately open to patches that make for clearer error messages,<br>
Stéphane pushed one like that recently. It'd be nice if you didn't have<br>
to understand every detail about container startup to debug why a<br>
container failed.<br>
<div class=""><div class="h5"><br>
> Given that, it's not a template issue at all and wouldn't (shouldn't)<br>
> require any container config changes. It would need to be some sort of<br>
> lxc service startup option to precreate the needed bridges or a helper.<br>
><br>
> Given all that, 1.0.4 may very well resolve (or may compound) the<br>
> problem as the lxc.service systemd service uses a script that waits for<br>
> virbr0 from libvirt to settle before autobooting containers (there's<br>
> where your race conditions would live). I'm not sure how that's going<br>
> to play out if libvirt is not running. It looks like we may need to add<br>
> code to /usr/libexec/lxc/lxc-autostart-helper to insure that the default<br>
> lxc network bridge is running. I'd be reluctant to adding it to the<br>
> lxc-start code as it would be difficult to insure it would always be<br>
> doing the right thing including cases like unpriv containers.<br>
><br>
> This is a corner case that, maybe, Dwight and I may need to address or<br>
> punt it over to Serge or Stéphane. It's complicated in that we don't<br>
> always know the bridges that are needed or even if they are need if a<br>
> site is using "macvlan" or "physical" network types. It definitely<br>
> needs to be tested.<br>
><br>
> > I will try out the steps given regarding password.<br>
><br>
> Cool.<br>
><br>
> > Regards,<br>
> > Ajith<br>
><br>
> Regards,<br>
> Mike<br>
><br>
> > On Sat, Jun 28, 2014 at 7:13 PM, Michael H. Warfield <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br>
> > > On Sat, 2014-06-28 at 15:34 +0530, Ajith Adapa wrote:<br>
> > >> Hi,<br>
> > ><br>
> > >> lxc-start is failing in latest fedora 20 saying virbr0 is not found.<br>
> > ><br>
> > > What version of LXC? AFAIK, it's still 0.9.0 with 1.0.3 (hopefully<br>
> > > 1.0.4 real soon now) in rawhide.<br>
> > ><br>
> > >> 1. Is it madatory for the admin to create virbr0 interface before<br>
> > >> starting a container ?<br>
> > ><br>
> > > Yes. You have two ways to do this.<br>
> > ><br>
> > > 1) [Preferred] have libvirt running. That's the default bridge for<br>
> > > libvirt and it wills set it up and manage it for you.<br>
> > ><br>
> > > 2) Create the bridge manually.<br>
> > ><br>
> > > If you have another bridge already on the system, you can change the<br>
> > > bridge name in the configuration files and in /etc/lxc/default.conf.<br>
> > > Personally, I keep libvirt and virbr0 up and running for my nat'ed<br>
> > > bridge while I have a static lxcbr0 to which the primary interface has<br>
> > > been added for a true bridge to the outer network (but I have lots of<br>
> > > IPv4 addresses so I can allow them direct access to the address pool.<br>
> > ><br>
> > >> 2. How can I create a container with a default password for root<br>
> > >> rather than auto-generating the same ?<br>
> > ><br>
> > > It's a tuning knob in the template. Read the comments in<br>
> > > the /usr/share/lxc/templates/lxc-fedora file starting around line 32...<br>
> > ><br>
> > > --<br>
> > ><br>
> > > # Some combinations of the tunning knobs below do not exactly make sense.<br>
> > > # but that's ok.<br>
> > > #<br>
> > > # If the "root_password" is non-blank, use it, else set a default.<br>
> > > # This can be passed to the script as an environment variable and is<br>
> > > # set by a shell conditional assignment. Looks weird but it is what it is.<br>
> > > #<br>
> > > # If the root password contains a ding ($) then try to expand it.<br>
> > > # That will pick up things like ${name} and ${RANDOM}.<br>
> > > # If the root password contians more than 3 consecutive X's, pass it as<br>
> > > # a template to mktemp and take the result.<br>
> > > #<br>
> > > # If root_display_password = yes, display the temporary root password at exit.<br>
> > > # If root_store_password = yes, store it in the configuration directory<br>
> > > # If root_prompt_password = yes, invoke "passwd" to force the user to change<br>
> > > # the root password after the container is created.<br>
> > > #<br>
> > > # These are conditional assignments... The can be overridden from the<br>
> > > # preexisting environment variables...<br>
> > > #<br>
> > > # Make sure this is in single quotes to defer expansion to later!<br>
> > > # :{root_password='Root-${name}-${RANDOM}'}<br>
> > > : ${root_password='Root-${name}-XXXXXX'}<br>
> > ><br>
> > > # Now, it doesn't make much sense to display, store, and force change<br>
> > > # together. But, we gotta test, right???<br>
> > > : ${root_display_password='no'}<br>
> > > : ${root_store_password='yes'}<br>
> > > # Prompting for something interactive has potential for mayhem<br>
> > > # with users running under the API... Don't default to "yes"<br>
> > > : ${root_prompt_password='no'}<br>
> > ><br>
> > > --<br>
> > ><br>
> > > Stated plainly, create your container with the following:<br>
> > ><br>
> > > export root_store_password='no'<br>
> > > export root_password='my_root_password'<br>
> > > lxc-create -n container1 -t fedora<br>
> > > lxc-create -n container2 -t fedora<br>
> > ><br>
> > > etc, etc, etc... Each container will have the root password set to<br>
> > > "my_root_password".<br>
> > ><br>
> > > Or this:<br>
> > ><br>
> > > export root_prompt_password='yes'<br>
> > ><br>
> > > Then run lxc-create and it will then prompt you for the new root<br>
> > > password.<br>
> > ><br>
> > > NOTE: This only works for the Fedora and CentOS templates. It has not<br>
> > > been ported to any of the other templates at this time!<br>
> > ><br>
> > >><br>
> > >> # lxc-create -n test -t fedora<br>
> > >> Host CPE ID from /etc/os-release: cpe:/o:fedoraproject:fedora:20<br>
> > >> Checking cache download in /var/cache/lxc/fedora/x86_64/20/rootfs ...<br>
> > >> Cache found. Updating...<br>
> > >> No packages marked for update<br>
> > >> Update finished<br>
> > >> Copy /var/cache/lxc/fedora/x86_64/20/rootfs to /var/lib/lxc/test/rootfs ...<br>
> > >> Copying rootfs to /var/lib/lxc/test/rootfs ...<br>
> > >> Storing root password in '/var/lib/lxc/test/tmp_root_pass'<br>
> > >> Expiring password for user root.<br>
> > >> passwd: Success<br>
> > >> installing fedora-release package<br>
> > >> Package fedora-release-20-3.noarch already installed and latest version<br>
> > >> Nothing to do<br>
> > >><br>
> > >> Container rootfs and config have been created.<br>
> > >> Edit the config file to check/enable networking setup.<br>
> > >><br>
> > >> The temporary root password is stored in:<br>
> > >><br>
> > >> '/var/lib/lxc/test/tmp_root_pass'<br>
> > >><br>
> > >><br>
> > >> The root password is set up as expired and will require it to be changed<br>
> > >> at first login, which you should do as soon as possible. If you lose the<br>
> > >> root password or wish to change it without starting the container, you<br>
> > >> can change it from the host by running the following command (which will<br>
> > >> also reset the expired flag):<br>
> > >><br>
> > >> chroot /var/lib/lxc/test/rootfs passwd<br>
> > >><br>
> > >> # lxc-start -n test<br>
> > >> lxc-start: failed to attach 'vethKOT10G' to the bridge 'virbr0' : No such device<br>
> > >> lxc-start: failed to create netdev<br>
> > >> lxc-start: failed to create the network<br>
> > >> lxc-start: failed to spawn 'test'<br>
> > >><br>
> > >> ======================================================<br>
> > >> configuration<br>
> > >> ======================================================<br>
> > >><br>
> > >> # yum install lxc*<br>
> > >> Loaded plugins: langpacks<br>
> > >> Package lxc-extra-1.0.3-2.fc21.x86_64 already installed and latest version<br>
> > >> Package lxc-templates-1.0.3-2.fc21.x86_64 already installed and latest version<br>
> > >> Package lxc-libs-1.0.3-2.fc21.x86_64 already installed and latest version<br>
> > >> Package lxc-1.0.3-2.fc21.x86_64 already installed and latest version<br>
> > >> Package lxc-doc-1.0.3-2.fc21.noarch already installed and latest version<br>
> > >> Package lxc-devel-1.0.3-2.fc21.x86_64 already installed and latest version<br>
> > >><br>
> > >> -------------------------------------------<br>
> > >><br>
> > >> # lxc-checkconfig<br>
> > >> Kernel configuration not found at /proc/config.gz; searching...<br>
> > >> Kernel configuration found at /boot/config-3.14.5-200.fc20.x86_64<br>
> > >> --- Namespaces ---<br>
> > >> Namespaces: enabled<br>
> > >> Utsname namespace: enabled<br>
> > >> Ipc namespace: enabled<br>
> > >> Pid namespace: enabled<br>
> > >> User namespace: enabled<br>
> > >> Network namespace: enabled<br>
> > >> Multiple /dev/pts instances: enabled<br>
> > >><br>
> > >> --- Control groups ---<br>
> > >> Cgroup: enabled<br>
> > >> Cgroup clone_children flag: enabled<br>
> > >> Cgroup device: enabled<br>
> > >> Cgroup sched: enabled<br>
> > >> Cgroup cpu account: enabled<br>
> > >> Cgroup memory controller: enabled<br>
> > >> Cgroup cpuset: enabled<br>
> > >><br>
> > >> --- Misc ---<br>
> > >> Veth pair device: enabled<br>
> > >> Macvlan: enabled<br>
> > >> Vlan: enabled<br>
> > >> File capabilities: enabled<br>
> > >><br>
> > >> Note : Before booting a new kernel, you can check its configuration<br>
> > >> usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig<br>
> > >><br>
> > >> Regards,<br>
> > >> Ajith<br>
> > ><br>
> > > Regards,<br>
> > > Mike<br>
> > > --<br>
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw@WittsEnd.com<br>
> > > /\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
> > > NIC whois: MHW9 | An optimist believes we live in the best of all<br>
> > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > lxc-users mailing list<br>
> > > <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> > > <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
> > _______________________________________________<br>
> > lxc-users mailing list<br>
> > <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> > <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
><br>
> --<br>
> Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> | mhw@WittsEnd.com<br>
> /\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
> NIC whois: MHW9 | An optimist believes we live in the best of all<br>
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
><br>
<br>
<br>
<br>
> _______________________________________________<br>
> lxc-users mailing list<br>
> <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">
<div style="text-align:left"><font size="4">Király </font><span style="font-size:large">István</span></div><div style="text-align:left"><font>+36 209 753 758</font></div><div style="text-align:left"><font><a href="mailto:LaKing@D250.hu" target="_blank">LaKing@D250.hu</a></font></div>
<div style="text-align:left"><a href="http://d250.hu" target="_blank"><img src="http://laking.d250.hu/lab.png"></a><br></div></div>
</div></div>