[lxc-devel] lxc-debian creates containers that mess with real ttys

Daniel Lezcano daniel.lezcano at free.fr
Thu Jan 7 09:29:06 UTC 2010


Nigel McNie wrote:
> Hi,
> 
> I've been playing with containers quite a bit over the last few weeks,
> and have become a bit stumped by a strange behaviour I'm seeing. Every
> now and then, one of my ttys (tty1-6) will randomly switch to being a
> tty for a running container. This can happen when I'm logged in, and
> even in the middle of typing commands at them. It's kinda spooky
> actually :)

Ouch! Will check.

> I'm building containers with a modified version of the lxc-debian
> script in your userspace utilities - though I haven't touched the
> lxc.conf other than to move where the rootfs is generated. Here is an
> example config from a container that takes over a tty:
> 
> lxc.utsname = test
> lxc.tty = 4
> lxc.pts = 1024
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.name = eth0
> lxc.network.mtu = 1500
> lxc.mount = /tmp/lxc.F9K9tT5JbS
> lxc.cgroup.devices.deny = a
> # /dev/null and zero
> lxc.cgroup.devices.allow = c 1:3 rwm
> lxc.cgroup.devices.allow = c 1:5 rwm
> # consoles
> lxc.cgroup.devices.allow = c 5:1 rwm
> lxc.cgroup.devices.allow = c 5:0 rwm
> lxc.cgroup.devices.allow = c 4:0 rwm
> lxc.cgroup.devices.allow = c 4:1 rwm
> # /dev/{,u}random
> lxc.cgroup.devices.allow = c 1:9 rwm
> lxc.cgroup.devices.allow = c 1:8 rwm
> lxc.cgroup.devices.allow = c 136:* rwm
> lxc.cgroup.devices.allow = c 5:2 rwm
> # rtc
> lxc.cgroup.devices.allow = c 254:0 rwm
> 
> I have noticed many people running into problems that seem to point to
> the isolation of containers not being as good as, say, vserver (e.g.
> host machine halting when they halt a container). Is this simply a
> case of not denying/allowing the right devices, or is there more to
> it?

Hmm, well. Concerning the halt command, there are two problems:

  * the real host is halted: lxc handles this case like vserver, that is 
dropping the REBOOT capability, so that should not happen except if the 
drop of the capability fails.

  * when the container does a shutdown/halt, all the processes are killed 
but the pid 1 stays there, so the container has to be killed manually 
with the lxc-stop command. This is a lack of a kernel feature and I hope 
we can find a solution for that soon.

> BTW: my git server at http://git.nigel.mcnie.name/ holds an lxc-debian
> repo with a different lxc-debian script as well as some helpers (like
> an init.d script). You might be interested to have a look through it,
> maybe there are some ideas you'd like to take (e.g. mine automatically
> answers the debconf question for locales and sets the timezone to be
> that of the host too).

Sure, that may be interesting. The lxc-debian changed a bit, it is 
called via the lxc-create command with the '-t' parameter (template) now 
and it is not interactive except for the debconf questions.

eg. lxc-create -n debian -f lxc.conf -t debian

I will be happy to take any improvements for these templates (debian, 
busybox, sshd, or fedora).

Thanks
   -- Daniel
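
An added example, not part of either message and not code from the lxc project: a small audit of the `lxc.cgroup.devices.allow` lines in the config quoted above, listing the rules that let a container open the host's virtual console devices (character major 4, minors 0-63 in the Linux device number allocation). The function names are hypothetical and the sample is constructed from the quoted config; the thread itself does not establish the cause of the reported tty behaviour.

```python
import re

# Constructed sample: device rules copied from the config quoted in the message.
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
"""

# "<type> <major>:<minor> <access>", where major/minor may be the wildcard '*'.
ALLOW_RE = re.compile(
    r"^\s*lxc\.cgroup\.devices\.allow\s*=\s*"
    r"([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)\s*$")

VT_MAJOR = 4              # char major 4, minors 0-63: /dev/tty0 .. /dev/tty63
VT_MINORS = range(0, 64)  # minors 64 and up on major 4 are serial ports


def parse_allow_rules(text):
    """Return (type, major, minor, access) tuples; '*' is kept as a string."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            typ, major, minor, access = m.groups()
            rules.append((typ,
                          major if major == "*" else int(major),
                          minor if minor == "*" else int(minor),
                          access))
    return rules


def host_vt_grants(rules):
    """Rules that let the container open a host virtual console (/dev/ttyN)."""
    return [r for r in rules
            if r[0] != "b"                      # block devices are not ttys
            and r[1] in ("*", VT_MAJOR)         # wildcard major also matches
            and (r[2] == "*" or r[2] in VT_MINORS)]


if __name__ == "__main__":
    for typ, major, minor, access in host_vt_grants(parse_allow_rules(SAMPLE_CONFIG)):
        print(f"host VT reachable from container: {typ} {major}:{minor} {access}")
```

On the sample it reports the `c 4:0` and `c 4:1` rules; the `c 5:*` and `c 136:*` entries are not host virtual consoles and are not flagged.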




