<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 12/03/2015 08:42 PM, Fajar A. Nugraha wrote:<br>
<blockquote
cite="mid:CAG1y0setyfZVXucZkd4Z6zk8ti6Fwbj+1_BXAukA4oiOizMUjQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><tt>lxc.autodev = 1</tt>
<div><br>
</div>
<div>That is not common.conf (though I'm not sure whether it
matters)</div>
</div>
</div>
</div>
</blockquote>
I included this early on when I was encountering the funky udev
issue. It didn't help but I kept it in place, admittedly for no good
reason.<br>
<blockquote
cite="mid:CAG1y0setyfZVXucZkd4Z6zk8ti6Fwbj+1_BXAukA4oiOizMUjQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div bgcolor="#FFFFFF" text="#000000"> <tt>lxc.kmsg = 0</tt></div>
<div><br>
</div>
<div>Neither is that. Though it should be the default value</div>
<div> </div>
</div>
</div>
</div>
</blockquote>
In my original tests with LXC 1.0.7 I hit an issue where systemd on
my containers was running at 100%. I did some research and found the
problem described with the solution suggested being to add this
lxc.kmsg line. This did in fact solve the problem. I just did a test
without this though and the CPU issue did not occur, so presumably
LXC 1.1.5 has fixed this problem.<br>
<blockquote
cite="mid:CAG1y0setyfZVXucZkd4Z6zk8ti6Fwbj+1_BXAukA4oiOizMUjQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><tt># Remove
capabilities we don't want in containers</tt><span
class=""><tt><br>
</tt><tt>lxc.cap.drop = mac_admin mac_override
sys_time sys_module</tt><tt><br>
</tt><tt><br>
</tt></span></div>
</blockquote>
<div>centos.common.conf also has lxc.cap.drop = sys_nice
sys_pacct sys_rawio. You don't have that.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
I excluded this line because we need sys_nice enabled in our
containers. I wasn't sure about sys_pacct and sys_rawio and was
going to do more investigation on these later.<br>
<br>
<blockquote
cite="mid:CAG1y0setyfZVXucZkd4Z6zk8ti6Fwbj+1_BXAukA4oiOizMUjQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class=""><tt>lxc.cgroup.devices.allow
= c 5:0 rwm</tt><tt><br>
</tt></span></div>
</blockquote>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class=""><tt>lxc.cgroup.devices.allow
= c 136:* rwm</tt><tt><br>
</tt></span><tt>## /dev/ptmx pty master</tt><span
class=""><tt><br>
</tt><tt>lxc.cgroup.devices.allow = c 5:2 rwm</tt><tt><br>
</tt><tt><br>
</tt></span></div>
</blockquote>
<div><br>
</div>
<div>you're missing 5:1 (console), 10:229 (fuse). Both are
in common.conf.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
There was in fact no common.conf in the 1.0.7 release I originally
was using, and the centos.common.conf did not have the console and
fuse entries. When I switched to 1.1.5 common.conf was introduced
and these device definitions were moved there. I took a quick look
at these definitions and added the fuse entry but didn't notice
console had been added as well. Thanks for noticing this.<br>
<blockquote
cite="mid:CAG1y0setyfZVXucZkd4Z6zk8ti6Fwbj+1_BXAukA4oiOizMUjQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
Is there a reason why you didn't test simply using the same
config, which also does the "includes" instead of copying
SOME of them? Is there a reason why you don't copy ALL of
them? It should be easier to start with a known good setup,
then do incremental changes.<br>
</div>
</div>
</div>
</blockquote>
Well, as I said we need sys_nice and so that was one reason why I
didn't want to use the config files directly. I also noticed that
proc was mounted in mixed mode and we need at least some rw access
to a portion of /proc/sys, and I thought I'd probably need to change
this mixed entry. Since all of our work is based on centos, I also
didn't see the need to include the lxc-templates rpm in my package
set. Our server is based on a minimal centos config and I try to
avoid adding additional rpms if I can avoid it.<br>
<br>
That said, I did change my install framework this morning to include
lxc-templates and to use centos.common.conf and common.conf directly
rather than rely on my manually crafted version. This causes
sys_nice to be dropped, as I just mentioned above, and I need to
solve that problem. So, if I have this:<br>
<br>
lxc.include = /usr/share/lxc/config/centos.common.conf<br>
<br>
can I then add the entry<br>
<br>
lxc.cap.keep = sys_nice<br>
<br>
after this? Based on the description in the man page I assume this
will not just add this one capability but will instead remove
everything except this. So, what's the correct way to use
common.conf and to re-add dropped capabilities?<br>
<br>
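Added example, not part of the mailing-list thread: a small Python script that simulates how LXC 1.x accumulates <tt>lxc.cap.drop</tt>, <tt>lxc.cap.keep</tt> and <tt>lxc.cgroup.devices.allow</tt> across <tt>lxc.include</tt>, so a hand-crafted config can be diffed against the distribution's <tt>common.conf</tt> the way the reviewer did above, and so the effect of appending <tt>lxc.cap.keep = sys_nice</tt> after the include can be seen before trying it on a host. The file contents and the capability list are constructed for the example; the semantics modelled (drop lines accumulate, an empty <tt>lxc.cap.drop =</tt> clears the accumulated list, and a keep list drops every capability not named) are my reading of <tt>lxc.container.conf(5)</tt> and should be checked against the man page of the LXC version in use.<br>

```python
"""Simulate LXC 1.x capability and device-cgroup config accumulation.

Assumed semantics (verify against lxc.container.conf(5) for your version):
  - lxc.cap.drop values accumulate across lines and across lxc.include;
  - an empty value ("lxc.cap.drop =") clears the accumulated drop list;
  - lxc.cap.keep, if set, drops every capability that is NOT listed.
All config text below is constructed for the example, not read from disk.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for the files under /usr/share/lxc/config.
CONFIG_FILES: Dict[str, str] = {
    "/usr/share/lxc/config/common.conf": """
# Remove capabilities we don't want in containers
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 10:229 rwm
""",
    "/usr/share/lxc/config/centos.common.conf": """
lxc.include = /usr/share/lxc/config/common.conf
lxc.cap.drop = sys_nice sys_pacct sys_rawio
""",
}

# Illustrative subset of Linux capabilities, enough to show the keep/drop difference.
ALL_CAPS = ["chown", "net_admin", "mac_admin", "mac_override", "sys_time",
            "sys_module", "sys_nice", "sys_pacct", "sys_rawio"]

# The hand-crafted device list from the thread (5:1 and 10:229 left out).
HAND_CRAFTED = """
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## /dev/ptmx pty master
lxc.cgroup.devices.allow = c 5:2 rwm
"""


@dataclass
class Effective:
    cap_drop: List[str] = field(default_factory=list)
    cap_keep: Optional[List[str]] = None
    devices_allow: List[str] = field(default_factory=list)


def parse(text: str, files: Dict[str, str], eff: Optional[Effective] = None) -> Effective:
    """Walk config lines in order, recursing into lxc.include as LXC does."""
    eff = eff if eff is not None else Effective()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "lxc.include":
            parse(files[value], files, eff)
        elif key == "lxc.cap.drop":
            if value == "":
                eff.cap_drop.clear()          # assumed: empty value resets the list
            else:
                eff.cap_drop.extend(value.split())
        elif key == "lxc.cap.keep":
            if value == "":
                eff.cap_keep = None           # assumed: empty value resets the list
            else:
                eff.cap_keep = (eff.cap_keep or []) + value.split()
        elif key == "lxc.cgroup.devices.allow":
            eff.devices_allow.append(value)
    return eff


def effective_drops(eff: Effective, all_caps: List[str]) -> List[str]:
    """Capabilities the container ends up without, given the full capability set."""
    if eff.cap_keep is not None:
        return sorted(set(all_caps) - set(eff.cap_keep))
    return sorted(set(eff.cap_drop))


def missing_devices(mine: Effective, reference: Effective) -> List[str]:
    """Device rules present in the reference config but absent from mine."""
    return [d for d in reference.devices_allow if d not in mine.devices_allow]


def scenario(extra: str) -> List[str]:
    """Include centos.common.conf, then append the given lines, and report drops."""
    text = "lxc.include = /usr/share/lxc/config/centos.common.conf\n" + extra
    return effective_drops(parse(text, CONFIG_FILES), ALL_CAPS)


if __name__ == "__main__":
    print("include only:   ", scenario(""))
    print("keep = sys_nice:", scenario("lxc.cap.keep = sys_nice\n"))
    print("reset + re-drop:", scenario(
        "lxc.cap.drop =\n"
        "lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_pacct sys_rawio\n"))
    common = parse(CONFIG_FILES["/usr/share/lxc/config/common.conf"], CONFIG_FILES)
    print("missing devices:", missing_devices(parse(HAND_CRAFTED, CONFIG_FILES), common))
```

The three scenarios correspond to the question at the end of the message: including <tt>centos.common.conf</tt> alone drops the seven capabilities from both files; appending <tt>lxc.cap.keep = sys_nice</tt> drops everything except <tt>sys_nice</tt>, which is the outcome the poster suspects; clearing the list with an empty <tt>lxc.cap.drop =</tt> and re-stating the drops without <tt>sys_nice</tt> is one way, under the assumed semantics, to get the intended set.<br>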
</body>
</html>