[lxc-devel] lxc-debian creates containers that mess with real ttys
Daniel Lezcano
daniel.lezcano at free.fr
Thu Jan 7 09:29:06 UTC 2010
Nigel McNie wrote:
> Hi,
>
> I've been playing with containers quite a bit over the last few weeks,
> and have become a bit stumped by a strange behaviour I'm seeing. Every
> now and then, one of my ttys (tty1-6) will randomly switch to being a
> tty for a running container. This can happen when I'm logged in, and
> even in the middle of typing commands at them. It's kinda spooky
> actually :)
Ouch! Will check.
> I'm building containers with a modified version of the lxc-debian
> script in your userspace utilities - though I haven't touched the
> lxc.conf other than to move where the rootfs is generated. Here is an
> example config from a container that takes over a tty:
>
> lxc.utsname = test
> lxc.tty = 4
> lxc.pts = 1024
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.name = eth0
> lxc.network.mtu = 1500
> lxc.mount = /tmp/lxc.F9K9tT5JbS
> lxc.cgroup.devices.deny = a
> # /dev/null and zero
> lxc.cgroup.devices.allow = c 1:3 rwm
> lxc.cgroup.devices.allow = c 1:5 rwm
> # consoles
> lxc.cgroup.devices.allow = c 5:1 rwm
> lxc.cgroup.devices.allow = c 5:0 rwm
> lxc.cgroup.devices.allow = c 4:0 rwm
> lxc.cgroup.devices.allow = c 4:1 rwm
> # /dev/{,u}random
> lxc.cgroup.devices.allow = c 1:9 rwm
> lxc.cgroup.devices.allow = c 1:8 rwm
> lxc.cgroup.devices.allow = c 136:* rwm
> lxc.cgroup.devices.allow = c 5:2 rwm
> # rtc
> lxc.cgroup.devices.allow = c 254:0 rwm
>
> I have noticed many people running into problems that seem to point to
> the isolation of containers not being as good as, say, vserver (e.g.
> host machine halting when they halt a container). Is this simply a
> case of not denying/allowing the right devices, or is there more to
> it?
Hmm, well. Concerning the halt command, there are two problems:
* the real host is halted: lxc handles this case like vserver, that is
dropping the REBOOT capability, so that should not happen except if the
drop of the capability fails.
* when the container does a shutdown/halt, all the processes are killed
but the pid 1 stays there, so the container has to be killed manually
with the lxc-stop command. This is a lack of a kernel feature and I hope
we can find a solution for that soon.
> BTW: my git server at http://git.nigel.mcnie.name/ holds an lxc-debian
> repo with a different lxc-debian script as well as some helpers (like
> an init.d script). You might be interested to have a look through it,
> maybe there are some ideas you'd like to take (e.g. mine automatically
> answers the debconf question for locales and sets the timezone to be
> that of the host too).
Sure, that may be interesting. The lxc-debian changed a bit, it is
called via the lxc-create command with the '-t' parameter (template) now
and it is not interactive except for the debconf questions.
eg. lxc-create -n debian -f lxc.conf -t debian
I will be happy to take any improvements for these templates (debian,
busybox, sshd, or fedora).
Thanks
-- Daniel
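
An added example, not part of the original thread and not lxc project code: a small audit of the device whitelist in the quoted config, listing every `lxc.cgroup.devices.allow` rule that covers a host virtual console (Linux character major 4, minors 0-63, i.e. /dev/tty0 to /dev/tty63). The function name and the embedded sample (device lines copied from the quoted config) are constructed for illustration; the thread itself does not establish whether these rules cause the reported behaviour.

```python
import re

# Linux character major 4, minors 0-63, are the virtual consoles:
# /dev/tty0 (the currently active console) through /dev/tty63.
VT_MAJOR, VT_MINORS = 4, range(0, 64)

RULE = re.compile(
    r"^\s*lxc\.cgroup\.devices\.allow\s*=\s*(?P<type>[abc])"
    r"(?:\s+(?P<major>\*|\d+):(?P<minor>\*|\d+)\s+(?P<access>[rwm]+))?\s*$"
)

def host_vt_rules(conf_text):
    """Return (line number, device, access) for allow rules covering host VTs."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = RULE.match(line)
        if not m or m["type"] == "b":
            continue  # comments, other keys, deny rules, block devices
        if m["major"] is None:
            if m["type"] == "a":  # bare "a" whitelists every device
                hits.append((lineno, "all devices", "rwm"))
            continue
        if m["major"] != "*" and int(m["major"]) != VT_MAJOR:
            continue
        if m["minor"] == "*":
            hits.append((lineno, "/dev/tty0-63", m["access"]))
        elif int(m["minor"]) in VT_MINORS:
            hits.append((lineno, "/dev/tty" + m["minor"], m["access"]))
    return hits

# Sample input: device lines from the config quoted in the thread.
SAMPLE = """\
lxc.tty = 4
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
"""

if __name__ == "__main__":
    for lineno, dev, access in host_vt_rules(SAMPLE):
        print(f"line {lineno}: container may access host {dev} ({access})")
```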