<div dir="ltr"><div class="gmail_default" style="font-size:small">What changes do I need to do at the host level so my provileged systemd containers may work?<br></div><div class="gmail_default" style="font-size:small">I am using Ubuntu 14.04, and there is systemd<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 12, 2015 at 3:00 AM, Fajar A. Nugraha <span dir="ltr"><<a href="mailto:list@fajar.net" target="_blank">list@fajar.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You DID read that I asked for "lxc-start -F"?<br>
<br>
It's entirely possible that your container's systemd freeze, thus<br>
nothing is listening on its tty1. And if you don't have systemd cgroup<br>
mounted on the host (which is what cgroupfs-mount is for), it would<br>
certainly be the case.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Fajar<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On Thu, Feb 12, 2015 at 2:50 PM, CDR <<a href="mailto:venefax@gmail.com">venefax@gmail.com</a>> wrote:<br>
> I cannot get past this<br>
> root@ubuserver:/var/lib/lxc/c7v# lxc-console -n c7v<br>
><br>
> Connected to tty 1<br>
> Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself<br>
><br>
><br>
> On Thu, Feb 12, 2015 at 2:41 AM, CDR <<a href="mailto:venefax@gmail.com">venefax@gmail.com</a>> wrote:<br>
>><br>
>> I cannot make this solution work.<br>
>> There are a lot of errors.<br>
>><br>
>><br>
>> On Thu, Feb 12, 2015 at 1:19 AM, CDR <<a href="mailto:venefax@gmail.com">venefax@gmail.com</a>> wrote:<br>
>>><br>
>>> Thanks. I think Serge may want to change permanently the config and<br>
>>> other in the on-line template so Centos 7 does work right away.<br>
>>><br>
>>><br>
>>> On Thu, Feb 12, 2015 at 1:08 AM, Fajar A. Nugraha <<a href="mailto:list@fajar.net">list@fajar.net</a>> wrote:<br>
>>>><br>
>>>> So after some expmeriments, this is what I have: <a href="http://goo.gl/7p3nUI" target="_blank">http://goo.gl/7p3nUI</a><br>
>>>> - create c7 container, e.g.<br>
>>>> lxc-create -n c7v -t download -B zfs --zfsroot rpool/lxc -- -d centos<br>
>>>> -r 7 -a amd64<br>
>>>><br>
>>>> - edit config file. See "config" on that gdrive link, look for<br>
>>>> "Manual additions"<br>
>>>><br>
>>>> - place script/systemd_create_cgroup in the correct path (whatever you<br>
>>>> use the config file), chmod 700<br>
>>>><br>
>>>> - start the container.<br>
>>>><br>
>>>> This is similar with what I did for fedora20, on<br>
>>>><br>
>>>> <a href="https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html" target="_blank">https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html</a><br>
>>>><br>
>>>> What works that previously doesn't:<br>
>>>> - lxc-console<br>
>>>> - default apparmor container profile (so, for example, you can't mess<br>
>>>> up host's cgroup allocation)<br>
>>>> - default lxc.cap.drop (although you might want to remove sys_nice if<br>
>>>> you have apps that depend on it)<br>
>>>> - rsyslogd now always start correctly (previously there could be stale<br>
>>>> PIDs on /var/run)<br>
>>>><br>
>>>> What still does NOT work: unpriviledged container<br>
>>>> I tried backporting F22's systemd-218 plus ubuntu vivid's changes<br>
>>>> (RPMS and SPECS folder), but it wasn't enough to run unpriviledged<br>
>>>> container.<br>
>>>><br>
>>>> It should be reasonably safer than allow-the-container-to-do-anything<br>
>>>> approach previously needed for c7.<br>
>>>><br>
>>>> --<br>
>>>> Fajar<br>
>>>><br>
>>>> On Fri, Feb 6, 2015 at 9:35 PM, CDR <<a href="mailto:venefax@gmail.com">venefax@gmail.com</a>> wrote:<br>
>>>> > Thanks.<br>
>>>> > I love Ubuntu as a host for LXC. I just got addicted to systemctl and<br>
>>>> > writing *.service files. It is much more sophisticated than the older<br>
>>>> > way of<br>
>>>> > starting and stopping applications.<br>
>>>> ><br>
>>>> > On Fri, Feb 6, 2015 at 8:40 AM, Fajar A. Nugraha <<a href="mailto:list@fajar.net">list@fajar.net</a>><br>
>>>> > wrote:<br>
>>>> >><br>
>>>> >> On Fri, Feb 6, 2015 at 8:15 PM, CDR <<a href="mailto:venefax@gmail.com">venefax@gmail.com</a>> wrote:<br>
>>>> >> > Thanks for the response.<br>
>>>> >> > I disable selinux and a apparmor routinely. My containers are just<br>
>>>> >> > a way<br>
>>>> >> > to<br>
>>>> >> > separate applications, there are no users accessing them, nothing<br>
>>>> >> > bad<br>
>>>> >> > can<br>
>>>> >> > happen.<br>
>>>> >> > So basically you are saying that there is no way to run Centos 7<br>
>>>> >> > under<br>
>>>> >> > an<br>
>>>> >> > Ubuntu host.<br>
>>>> >><br>
>>>> >> No. What I'm saying is when you use c7 container (and possible most<br>
>>>> >> newer-systemd-based distros) under ubuntu host:<br>
>>>> >> - you can't use lxc-console<br>
>>>> >> - root on your container can mess up the host<br>
>>>> >><br>
>>>> >> It shouldn't really matter for your use case, since "lxc-attach"<br>
>>>> >> works<br>
>>>> >> just fine (you DO know about lxc-attach?), and you don't really care<br>
>>>> >> about user access anyway.<br>
>>>> >><br>
>>>> >> This should improve in the future as debian/ubuntu is also moving<br>
>>>> >> towards systemd (lxcfs is supposed to help), however currently the<br>
>>>> >> required level of support/integration is just not there yet.<br>
>>>> >><br>
>>>> >> Since your main use case is "separate applications", docker might be<br>
>>>> >> a<br>
>>>> >> better candidate. And when you use c7-based docker container under c7<br>
>>>> >> host, you might even get better protection since they integrate<br>
>>>> >> selinux.<br>
>>>> >><br>
>>>> _______________________________________________<br>
>>>> lxc-users mailing list<br>
>>>> <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
>>>> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
>>><br>
>>><br>
>><br>
><br>
><br>
> _______________________________________________<br>
> lxc-users mailing list<br>
> <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></div></div></blockquote></div><br></div>