[lxc-devel] Fwd: [PATCH] add comments about running unconfined or nesting containers back to ubuntu.common.conf

Stéphane Graber stgraber at ubuntu.com
Mon Dec 9 21:44:29 UTC 2013


On Mon, Dec 09, 2013 at 04:29:11PM -0500, S.Çağlar Onur wrote:
> [Forwarding to new lxc-devel as I replied to old sf list]
> 
> 
> ---------- Forwarded message ----------
> From: S.Çağlar Onur <caglar at 10ur.org>
> Date: Mon, Dec 9, 2013 at 4:26 PM
> Subject: Re: [lxc-devel] [PATCH] add comments about running unconfined
> or nesting containers back to ubuntu.common.conf
> To: Stéphane Graber <stgraber at ubuntu.com>
> Cc: lxc-devel at lists.sourceforge.net
> 
> 
> Hi Stéphane,
> 
> On Mon, Dec 9, 2013 at 3:04 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> > On Sat, Dec 07, 2013 at 06:04:10PM -0500, S.Çağlar Onur wrote:
> >> Signed-off-by: S.Çağlar Onur <caglar at 10ur.org>
> >
> > I'll reword the comment a bit to let them know to copy/paste the comment
> > to the container's config instead of changing it in the common file
> > which would get overwritten on upgrade and would also affect all
> > containers.
> 
> Thanks for doing that.
> 
> On a separate note, it looks like /usr/share/lxc/hooks/mountcgroups
> hook seems to have some issues (but couldn't find some time to debug
> further). I migrated my nested containers to the new style config
> (that's how I realized those comments are gone :P) but now the first
> start is always failing with "lxc-start: command get_cgroup failed to
> receive response" error and one after just works.

Yeah, I've noticed that too... it seems to be related to the way LXC
sets up its cgroups. I believe I mentioned some issues like that to
Serge a while back but it's not very high on the todo since our goal is
to instead have LXC use the new cgroup manager and deprecate that hook
entirely by the time 1.0 is out.

> [caglar at oOo:~] sudo lxc-ls --fancy
> NAME    STATE    IPV4  IPV6
> ---------------------------
> raring  STOPPED  -     -
> saucy   STOPPED  -     -
> 
> [caglar at oOo:~] sudo cat /var/lib/lxc/raring/config
> # Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
> # Parameters passed to the template: --release raring
> # For additional config options, please look at lxc.conf(5)
> 
> # Common configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> 
> # Container specific configuration
> lxc.rootfs = /var/lib/lxc/raring/rootfs
> lxc.mount = /var/lib/lxc/raring/fstab
> lxc.utsname = raring
> lxc.arch = amd64
> 
> # Network configuration
> lxc.network.type = veth
> lxc.network.hwaddr = 00:16:3e:2e:74:e4
> lxc.network.flags = up
> lxc.network.link = lxcbr0
> 
> lxc.aa_profile = unconfined
> lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
> 
> [caglar at oOo:~] sudo lxc-start -d -n raring
> lxc-start: command get_cgroup failed to receive response
> 
> [caglar at oOo:~] sudo lxc-ls --fancy
> NAME    STATE    IPV4  IPV6
> ---------------------------
> raring  STOPPED  -     -
> saucy   STOPPED  -     -
> 
> [caglar at oOo:~] sudo lxc-start -d -n raring
> 
> [caglar at oOo:~] sudo lxc-ls --fancy
> NAME    STATE    IPV4                  IPV6
> -------------------------------------------
> raring  RUNNING  10.0.3.204, 10.0.4.1  -
> saucy   STOPPED  -                     -
> [caglar at oOo:~]
> 
> And also nothing cleans up the cgroup entries but I'm not sure whether
> that was always the case or not.
> 
> [caglar at oOo:~] find /sys/fs/cgroup/ -name "raring*"
> /sys/fs/cgroup/systemd/lxc/raring
> /sys/fs/cgroup/systemd/lxc/raring/raring.real
> /sys/fs/cgroup/hugetlb/lxc/raring-1
> /sys/fs/cgroup/hugetlb/lxc/raring
> /sys/fs/cgroup/hugetlb/lxc/raring/raring.real
> /sys/fs/cgroup/perf_event/lxc/raring-1
> /sys/fs/cgroup/perf_event/lxc/raring
> /sys/fs/cgroup/perf_event/lxc/raring/raring.real
> /sys/fs/cgroup/blkio/lxc/raring-1
> /sys/fs/cgroup/blkio/lxc/raring
> /sys/fs/cgroup/blkio/lxc/raring/raring.real
> /sys/fs/cgroup/freezer/lxc/raring-1
> /sys/fs/cgroup/freezer/lxc/raring
> /sys/fs/cgroup/freezer/lxc/raring/raring.real
> /sys/fs/cgroup/devices/lxc/raring-1
> /sys/fs/cgroup/devices/lxc/raring
> /sys/fs/cgroup/devices/lxc/raring/raring.real
> /sys/fs/cgroup/memory/lxc/raring-1
> /sys/fs/cgroup/memory/lxc/raring
> /sys/fs/cgroup/memory/lxc/raring/raring.real
> /sys/fs/cgroup/cpuacct/lxc/raring-1
> /sys/fs/cgroup/cpuacct/lxc/raring
> /sys/fs/cgroup/cpuacct/lxc/raring/raring.real
> /sys/fs/cgroup/cpu/lxc/raring-1
> /sys/fs/cgroup/cpu/lxc/raring
> /sys/fs/cgroup/cpu/lxc/raring/raring.real
> /sys/fs/cgroup/cpuset/lxc/raring-1
> /sys/fs/cgroup/cpuset/lxc/raring
> /sys/fs/cgroup/cpuset/lxc/raring/raring.real
> 
> [caglar at oOo:~] sudo lxc-stop -n raring
> 
> [caglar at oOo:~] find /sys/fs/cgroup/ -name "raring*"
> /sys/fs/cgroup/systemd/lxc/raring
> /sys/fs/cgroup/systemd/lxc/raring/raring.real
> /sys/fs/cgroup/hugetlb/lxc/raring
> /sys/fs/cgroup/hugetlb/lxc/raring/raring.real
> /sys/fs/cgroup/perf_event/lxc/raring
> /sys/fs/cgroup/perf_event/lxc/raring/raring.real
> /sys/fs/cgroup/blkio/lxc/raring
> /sys/fs/cgroup/blkio/lxc/raring/raring.real
> /sys/fs/cgroup/freezer/lxc/raring
> /sys/fs/cgroup/freezer/lxc/raring/raring.real
> /sys/fs/cgroup/devices/lxc/raring
> /sys/fs/cgroup/devices/lxc/raring/raring.real
> /sys/fs/cgroup/memory/lxc/raring
> /sys/fs/cgroup/memory/lxc/raring/raring.real
> /sys/fs/cgroup/cpuacct/lxc/raring
> /sys/fs/cgroup/cpuacct/lxc/raring/raring.real
> /sys/fs/cgroup/cpu/lxc/raring
> /sys/fs/cgroup/cpu/lxc/raring/raring.real
> /sys/fs/cgroup/cpuset/lxc/raring
> /sys/fs/cgroup/cpuset/lxc/raring/raring.real
> 
> > Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> >
> >> ---
> >>  config/templates/ubuntu.common.conf.in | 7 +++++++
> >>  1 file changed, 7 insertions(+)
> >>
> >> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
> >> index 8c61033..1195175 100644
> >> --- a/config/templates/ubuntu.common.conf.in
> >> +++ b/config/templates/ubuntu.common.conf.in
> >> @@ -17,6 +17,13 @@ lxc.pts = 1024
> >>  # Default capabilities
> >>  lxc.cap.drop = sys_module mac_admin mac_override sys_time
> >>
> >> +# When using LXC with apparmor, uncomment the next line to run unconfined:
> >> +#lxc.aa_profile = unconfined
> >> +
> >> +# To support container nesting on an Ubuntu host, uncomment next two lines:
> >> +#lxc.aa_profile = lxc-container-default-with-nesting
> >> +#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
> >> +
> >>  # Default cgroup limits
> >>  lxc.cgroup.devices.deny = a
> >>  ## Allow any mknod (but not using the node)
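Review bot: Both added comment blocks assign lxc.aa_profile (one to unconfined, one to lxc-container-default-with-nesting) and nothing says they are alternatives, so a reader who uncomments all three lines ends up with two conflicting assignments in the same file; the comments should say to pick one or the other. The wording "uncomment the next line" also invites editing this shared template, which containers pull in through lxc.include, so the change would apply to every container rather than one; wording such as "copy these lines into the container's own config" avoids that. The first comment could also state that unconfined means the container runs with no AppArmor profile applied, so the reader sees the trade-off next to the setting.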
> >> --
> >> 1.8.3.2
> >>
> >>
> >> _______________________________________________
> >> lxc-devel mailing list
> >> lxc-devel at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/lxc-devel
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> 
> 
> -- 
> S.Çağlar Onur <caglar at 10ur.org>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
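
Added example (not part of the original messages and not LXC project code): a small audit that follows `lxc.include` and reports which file set a container's effective `lxc.aa_profile`, illustrating why uncommenting the line in the shared file affects every container. The file contents are constructed (the `raring` entry is abridged from the config quoted above, the `saucy` and common-file entries are hypothetical), and "last assignment wins, includes are read in place" is an assumption about how LXC reads single-value keys.

```python
# Constructed sample files, keyed by path; nothing is read from disk.
COMMON = "/usr/share/lxc/config/ubuntu.common.conf"
FILES = {
    COMMON: """\
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# To support container nesting on an Ubuntu host, uncomment next two lines:
lxc.aa_profile = lxc-container-default-with-nesting
lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
""",
    "/var/lib/lxc/raring/config": f"""\
lxc.include = {COMMON}
lxc.utsname = raring
lxc.aa_profile = unconfined
lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
""",
    "/var/lib/lxc/saucy/config": f"""\
lxc.include = {COMMON}
lxc.utsname = saucy
""",
}

def assignments(path, key, files=FILES, seen=None):
    """Return [(value, source_file)] for key in read order, following lxc.include."""
    seen = set() if seen is None else seen
    if path in seen:  # guard against include loops
        return []
    seen.add(path)
    found = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k == "lxc.include":
            found += assignments(v, key, files, seen)
        elif k == key:
            found.append((v, path))
    return found

def audit(path, files=FILES):
    """Report the effective AppArmor profile and whether a shared file set it."""
    hits = assignments(path, "lxc.aa_profile", files)
    if not hits:
        return {"profile": None, "source": None, "unconfined": False, "shared": False}
    value, source = hits[-1]  # assumption: the last assignment wins
    return {"profile": value, "source": source,
            "unconfined": value == "unconfined", "shared": source != path}
```

Here `saucy` never mentions AppArmor in its own config yet still inherits the nesting profile from the edited common file, while `raring` is flagged as unconfined by its own config.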