[lxc-devel] Fwd: [PATCH] add comments about running unconfined or nesting containers back to ubuntu.common.conf

S.Çağlar Onur caglar at 10ur.org
Mon Dec 9 21:29:11 UTC 2013 

[Forwarding to new lxc-devel as I replied to old sf list]


---------- Forwarded message ----------
From: S.Çağlar Onur <caglar at 10ur.org>
Date: Mon, Dec 9, 2013 at 4:26 PM
Subject: Re: [lxc-devel] [PATCH] add comments about running unconfined
or nesting containers back to ubuntu.common.conf
To: Stéphane Graber <stgraber at ubuntu.com>
Cc: lxc-devel at lists.sourceforge.net


Hi Stéphane,

On Mon, Dec 9, 2013 at 3:04 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> On Sat, Dec 07, 2013 at 06:04:10PM -0500, S.Çağlar Onur wrote:
>> Signed-off-by: S.Çağlar Onur <caglar at 10ur.org>
>
> I'll reword the comment a bit to let them know to copy/paste the comment
> to the container's config instead of changing it in the common file
> which would get overwritten on upgrade and would also affect all
> containers.

Thanks for doing that.

On a separate note, it looks like /usr/share/lxc/hooks/mountcgroups
hook seems to have some issues (but couldn't find some time to debug
further). I migrated my nested containers to the new style config
(that's how I realized those comments are gone :P) but now the first
start is always failing with "lxc-start: command get_cgroup failed to
receive response" error and one after just works.

[caglar at oOo:~] sudo lxc-ls --fancy
NAME    STATE    IPV4  IPV6
---------------------------
raring  STOPPED  -     -
saucy   STOPPED  -     -

[caglar at oOo:~] sudo cat /var/lib/lxc/raring/config
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template: --release raring
# For additional config options, please look at lxc.conf(5)

# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf

# Container specific configuration
lxc.rootfs = /var/lib/lxc/raring/rootfs
lxc.mount = /var/lib/lxc/raring/fstab
lxc.utsname = raring
lxc.arch = amd64

# Network configuration
lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:2e:74:e4
lxc.network.flags = up
lxc.network.link = lxcbr0

lxc.aa_profile = unconfined
lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups

[caglar at oOo:~] sudo lxc-start -d -n raring
lxc-start: command get_cgroup failed to receive response

[caglar at oOo:~] sudo lxc-ls --fancy
NAME    STATE    IPV4  IPV6
---------------------------
raring  STOPPED  -     -
saucy   STOPPED  -     -

[caglar at oOo:~] sudo lxc-start -d -n raring

[caglar at oOo:~] sudo lxc-ls --fancy
NAME    STATE    IPV4                  IPV6
-------------------------------------------
raring  RUNNING  10.0.3.204, 10.0.4.1  -
saucy   STOPPED  -                     -
[caglar at oOo:~]

And also nothing cleans up the cgroup entries but I'm not sure whether
that was always the case or not.

[caglar at oOo:~] find /sys/fs/cgroup/ -name "raring*"
/sys/fs/cgroup/systemd/lxc/raring
/sys/fs/cgroup/systemd/lxc/raring/raring.real
/sys/fs/cgroup/hugetlb/lxc/raring-1
/sys/fs/cgroup/hugetlb/lxc/raring
/sys/fs/cgroup/hugetlb/lxc/raring/raring.real
/sys/fs/cgroup/perf_event/lxc/raring-1
/sys/fs/cgroup/perf_event/lxc/raring
/sys/fs/cgroup/perf_event/lxc/raring/raring.real
/sys/fs/cgroup/blkio/lxc/raring-1
/sys/fs/cgroup/blkio/lxc/raring
/sys/fs/cgroup/blkio/lxc/raring/raring.real
/sys/fs/cgroup/freezer/lxc/raring-1
/sys/fs/cgroup/freezer/lxc/raring
/sys/fs/cgroup/freezer/lxc/raring/raring.real
/sys/fs/cgroup/devices/lxc/raring-1
/sys/fs/cgroup/devices/lxc/raring
/sys/fs/cgroup/devices/lxc/raring/raring.real
/sys/fs/cgroup/memory/lxc/raring-1
/sys/fs/cgroup/memory/lxc/raring
/sys/fs/cgroup/memory/lxc/raring/raring.real
/sys/fs/cgroup/cpuacct/lxc/raring-1
/sys/fs/cgroup/cpuacct/lxc/raring
/sys/fs/cgroup/cpuacct/lxc/raring/raring.real
/sys/fs/cgroup/cpu/lxc/raring-1
/sys/fs/cgroup/cpu/lxc/raring
/sys/fs/cgroup/cpu/lxc/raring/raring.real
/sys/fs/cgroup/cpuset/lxc/raring-1
/sys/fs/cgroup/cpuset/lxc/raring
/sys/fs/cgroup/cpuset/lxc/raring/raring.real

[caglar at oOo:~] sudo lxc-stop -n raring

[caglar at oOo:~] find /sys/fs/cgroup/ -name "raring*"
/sys/fs/cgroup/systemd/lxc/raring
/sys/fs/cgroup/systemd/lxc/raring/raring.real
/sys/fs/cgroup/hugetlb/lxc/raring
/sys/fs/cgroup/hugetlb/lxc/raring/raring.real
/sys/fs/cgroup/perf_event/lxc/raring
/sys/fs/cgroup/perf_event/lxc/raring/raring.real
/sys/fs/cgroup/blkio/lxc/raring
/sys/fs/cgroup/blkio/lxc/raring/raring.real
/sys/fs/cgroup/freezer/lxc/raring
/sys/fs/cgroup/freezer/lxc/raring/raring.real
/sys/fs/cgroup/devices/lxc/raring
/sys/fs/cgroup/devices/lxc/raring/raring.real
/sys/fs/cgroup/memory/lxc/raring
/sys/fs/cgroup/memory/lxc/raring/raring.real
/sys/fs/cgroup/cpuacct/lxc/raring
/sys/fs/cgroup/cpuacct/lxc/raring/raring.real
/sys/fs/cgroup/cpu/lxc/raring
/sys/fs/cgroup/cpu/lxc/raring/raring.real
/sys/fs/cgroup/cpuset/lxc/raring
/sys/fs/cgroup/cpuset/lxc/raring/raring.real

> Acked-by: Stéphane Graber <stgraber at ubuntu.com>
>
>> ---
>>  config/templates/ubuntu.common.conf.in | 7 +++++++
>>  1 file changed, 7 insertions(+)
>>
>> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
>> index 8c61033..1195175 100644
>> --- a/config/templates/ubuntu.common.conf.in
>> +++ b/config/templates/ubuntu.common.conf.in
>> @@ -17,6 +17,13 @@ lxc.pts = 1024
>>  # Default capabilities
>>  lxc.cap.drop = sys_module mac_admin mac_override sys_time
>>
>> +# When using LXC with apparmor, uncomment the next line to run unconfined:
>> +#lxc.aa_profile = unconfined
>> +
>> +# To support container nesting on an Ubuntu host, uncomment next two lines:
>> +#lxc.aa_profile = lxc-container-default-with-nesting
>> +#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
>> +
>>  # Default cgroup limits
>>  lxc.cgroup.devices.deny = a
>>  ## Allow any mknod (but not using the node)
>> --
>> 1.8.3.2
>>
>>
>> ------------------------------------------------------------------------------
>> Sponsored by Intel(R) XDK
>> Develop, test and display web and hybrid apps with a single code base.
>> Download it for free now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
>> _______________________________________________
>> lxc-devel mailing list
>> lxc-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/lxc-devel
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com


-- 
S.Çağlar Onur <caglar at 10ur.org>

More information about the lxc-devel mailing list