<div dir="ltr"><div class="gmail_default" style="font-size:small">I cannot make this solution work.<br></div><div class="gmail_default" style="font-size:small">There are a lot of errors.<br></div><div class="gmail_default" style="font-size:small"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 12, 2015 at 1:19 AM, CDR <span dir="ltr"><<a href="mailto:venefax@gmail.com" target="_blank">venefax@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-size:small">Thanks. I think Serge may want to change permanently the config and other in the on-line template so Centos 7 does work right away.<br><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 12, 2015 at 1:08 AM, Fajar A. Nugraha <span dir="ltr"><<a href="mailto:list@fajar.net" target="_blank">list@fajar.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So after some expmeriments, this is what I have: <a href="http://goo.gl/7p3nUI" target="_blank">http://goo.gl/7p3nUI</a><br>
- create c7 container, e.g.<br>
lxc-create -n c7v -t download -B zfs --zfsroot rpool/lxc -- -d centos<br>
-r 7 -a amd64<br>
<br>
- edit config file. See "config" on that gdrive link, look for<br>
"Manual additions"<br>
<br>
- place script/systemd_create_cgroup in the correct path (whatever you<br>
use the config file), chmod 700<br>
<br>
- start the container.<br>
<br>
This is similar with what I did for fedora20, on<br>
<a href="https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html" target="_blank">https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html</a><br>
<br>
What works that previously doesn't:<br>
- lxc-console<br>
- default apparmor container profile (so, for example, you can't mess<br>
up host's cgroup allocation)<br>
- default lxc.cap.drop (although you might want to remove sys_nice if<br>
you have apps that depend on it)<br>
- rsyslogd now always start correctly (previously there could be stale<br>
PIDs on /var/run)<br>
<br>
What still does NOT work: unpriviledged container<br>
I tried backporting F22's systemd-218 plus ubuntu vivid's changes<br>
(RPMS and SPECS folder), but it wasn't enough to run unpriviledged<br>
container.<br>
<br>
It should be reasonably safer than allow-the-container-to-do-anything<br>
approach previously needed for c7.<br>
<span><font color="#888888"><br>
--<br>
Fajar<br>
</font></span><div><div><br>
On Fri, Feb 6, 2015 at 9:35 PM, CDR <<a href="mailto:venefax@gmail.com" target="_blank">venefax@gmail.com</a>> wrote:<br>
> Thanks.<br>
> I love Ubuntu as a host for LXC. I just got addicted to systemctl and<br>
> writing *.service files. It is much more sophisticated than the older way of<br>
> starting and stopping applications.<br>
><br>
> On Fri, Feb 6, 2015 at 8:40 AM, Fajar A. Nugraha <<a href="mailto:list@fajar.net" target="_blank">list@fajar.net</a>> wrote:<br>
>><br>
>> On Fri, Feb 6, 2015 at 8:15 PM, CDR <<a href="mailto:venefax@gmail.com" target="_blank">venefax@gmail.com</a>> wrote:<br>
>> > Thanks for the response.<br>
>> > I disable selinux and a apparmor routinely. My containers are just a way<br>
>> > to<br>
>> > separate applications, there are no users accessing them, nothing bad<br>
>> > can<br>
>> > happen.<br>
>> > So basically you are saying that there is no way to run Centos 7 under<br>
>> > an<br>
>> > Ubuntu host.<br>
>><br>
>> No. What I'm saying is when you use c7 container (and possible most<br>
>> newer-systemd-based distros) under ubuntu host:<br>
>> - you can't use lxc-console<br>
>> - root on your container can mess up the host<br>
>><br>
>> It shouldn't really matter for your use case, since "lxc-attach" works<br>
>> just fine (you DO know about lxc-attach?), and you don't really care<br>
>> about user access anyway.<br>
>><br>
>> This should improve in the future as debian/ubuntu is also moving<br>
>> towards systemd (lxcfs is supposed to help), however currently the<br>
>> required level of support/integration is just not there yet.<br>
>><br>
>> Since your main use case is "separate applications", docker might be a<br>
>> better candidate. And when you use c7-based docker container under c7<br>
>> host, you might even get better protection since they integrate<br>
>> selinux.<br>
>><br>
</div></div><div><div>_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>