[lxc-devel] Fwd: [PATCH] add comments about running unconfined or nesting containers back to ubuntu.common.conf

S.Çağlar Onur caglar at 10ur.org
Tue Dec 10 04:53:58 UTC 2013


Hi,

On Mon, Dec 9, 2013 at 4:44 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> On Mon, Dec 09, 2013 at 04:29:11PM -0500, S.Çağlar Onur wrote:
>> [Forwarding to new lxc-devel as I replied to old sf list]
>>
>>
>> ---------- Forwarded message ----------
>> From: S.Çağlar Onur <caglar at 10ur.org>
>> Date: Mon, Dec 9, 2013 at 4:26 PM
>> Subject: Re: [lxc-devel] [PATCH] add comments about running unconfined
>> or nesting containers back to ubuntu.common.conf
>> To: Stéphane Graber <stgraber at ubuntu.com>
>> Cc: lxc-devel at lists.sourceforge.net
>>
>>
>> Hi Stéphane,
>>
>> On Mon, Dec 9, 2013 at 3:04 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
>> > On Sat, Dec 07, 2013 at 06:04:10PM -0500, S.Çağlar Onur wrote:
>> >> Signed-off-by: S.Çağlar Onur <caglar at 10ur.org>
>> >
>> > I'll reword the comment a bit to let them know to copy/paste the comment
>> > to the container's config instead of changing it in the common file
>> > which would get overwritten on upgrade and would also affect all
>> > containers.
>>
>> Thanks for doing that.
>>
>> On a separate note, it looks like the /usr/share/lxc/hooks/mountcgroups
>> hook has some issues (but I couldn't find time to debug further). I
>> migrated my nested containers to the new style config (that's how I
>> realized those comments are gone :P) but now the first start always
>> fails with a "lxc-start: command get_cgroup failed to receive response"
>> error and the one after just works.
>
> Yeah, I've noticed that too... it seems to be related to the way LXC
> sets up its cgroups. I believe I mentioned some issues like that to
> Serge a while back but it's not very high on the todo since our goal is
> to instead have LXC use the new cgroup manager and deprecate that hook
> entirely by the time 1.0 is out.

Oh, I wasn't aware you were planning to finish cgmanager before 1.0,
that's great news!

>> [caglar at oOo:~] sudo lxc-ls --fancy
>> NAME    STATE    IPV4  IPV6
>> ---------------------------
>> raring  STOPPED  -     -
>> saucy   STOPPED  -     -
>>
>> [caglar at oOo:~] sudo cat /var/lib/lxc/raring/config
>> # Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
>> # Parameters passed to the template: --release raring
>> # For additional config options, please look at lxc.conf(5)
>>
>> # Common configuration
>> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>>
>> # Container specific configuration
>> lxc.rootfs = /var/lib/lxc/raring/rootfs
>> lxc.mount = /var/lib/lxc/raring/fstab
>> lxc.utsname = raring
>> lxc.arch = amd64
>>
>> # Network configuration
>> lxc.network.type = veth
>> lxc.network.hwaddr = 00:16:3e:2e:74:e4
>> lxc.network.flags = up
>> lxc.network.link = lxcbr0
>>
>> lxc.aa_profile = unconfined
>> lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
>>
>> [caglar at oOo:~] sudo lxc-start -d -n raring
>> lxc-start: command get_cgroup failed to receive response
>>
>> [caglar at oOo:~] sudo lxc-ls --fancy
>> NAME    STATE    IPV4  IPV6
>> ---------------------------
>> raring  STOPPED  -     -
>> saucy   STOPPED  -     -
>>
>> [caglar at oOo:~] sudo lxc-start -d -n raring
>>
>> [caglar at oOo:~] sudo lxc-ls --fancy
>> NAME    STATE    IPV4                  IPV6
>> -------------------------------------------
>> raring  RUNNING  10.0.3.204, 10.0.4.1  -
>> saucy   STOPPED  -                     -
>> [caglar at oOo:~]
>>
>> And also nothing cleans up the cgroup entries but I'm not sure whether
>> that was always the case or not.
>>
>> [caglar at oOo:~] find /sys/fs/cgroup/ -name "raring*"
>> /sys/fs/cgroup/systemd/lxc/raring
>> /sys/fs/cgroup/systemd/lxc/raring/raring.real
>> /sys/fs/cgroup/hugetlb/lxc/raring-1
>> /sys/fs/cgroup/hugetlb/lxc/raring
>> /sys/fs/cgroup/hugetlb/lxc/raring/raring.real
>> /sys/fs/cgroup/perf_event/lxc/raring-1
>> /sys/fs/cgroup/perf_event/lxc/raring
>> /sys/fs/cgroup/perf_event/lxc/raring/raring.real
>> /sys/fs/cgroup/blkio/lxc/raring-1
>> /sys/fs/cgroup/blkio/lxc/raring
>> /sys/fs/cgroup/blkio/lxc/raring/raring.real
>> /sys/fs/cgroup/freezer/lxc/raring-1
>> /sys/fs/cgroup/freezer/lxc/raring
>> /sys/fs/cgroup/freezer/lxc/raring/raring.real
>> /sys/fs/cgroup/devices/lxc/raring-1
>> /sys/fs/cgroup/devices/lxc/raring
>> /sys/fs/cgroup/devices/lxc/raring/raring.real
>> /sys/fs/cgroup/memory/lxc/raring-1
>> /sys/fs/cgroup/memory/lxc/raring
>> /sys/fs/cgroup/memory/lxc/raring/raring.real
>> /sys/fs/cgroup/cpuacct/lxc/raring-1
>> /sys/fs/cgroup/cpuacct/lxc/raring
>> /sys/fs/cgroup/cpuacct/lxc/raring/raring.real
>> /sys/fs/cgroup/cpu/lxc/raring-1
>> /sys/fs/cgroup/cpu/lxc/raring
>> /sys/fs/cgroup/cpu/lxc/raring/raring.real
>> /sys/fs/cgroup/cpuset/lxc/raring-1
>> /sys/fs/cgroup/cpuset/lxc/raring
>> /sys/fs/cgroup/cpuset/lxc/raring/raring.real
>>
>> [caglar at oOo:~] sudo lxc-stop -n raring
>>
>> [caglar at oOo:~] find /sys/fs/cgroup/ -name "raring*"
>> /sys/fs/cgroup/systemd/lxc/raring
>> /sys/fs/cgroup/systemd/lxc/raring/raring.real
>> /sys/fs/cgroup/hugetlb/lxc/raring
>> /sys/fs/cgroup/hugetlb/lxc/raring/raring.real
>> /sys/fs/cgroup/perf_event/lxc/raring
>> /sys/fs/cgroup/perf_event/lxc/raring/raring.real
>> /sys/fs/cgroup/blkio/lxc/raring
>> /sys/fs/cgroup/blkio/lxc/raring/raring.real
>> /sys/fs/cgroup/freezer/lxc/raring
>> /sys/fs/cgroup/freezer/lxc/raring/raring.real
>> /sys/fs/cgroup/devices/lxc/raring
>> /sys/fs/cgroup/devices/lxc/raring/raring.real
>> /sys/fs/cgroup/memory/lxc/raring
>> /sys/fs/cgroup/memory/lxc/raring/raring.real
>> /sys/fs/cgroup/cpuacct/lxc/raring
>> /sys/fs/cgroup/cpuacct/lxc/raring/raring.real
>> /sys/fs/cgroup/cpu/lxc/raring
>> /sys/fs/cgroup/cpu/lxc/raring/raring.real
>> /sys/fs/cgroup/cpuset/lxc/raring
>> /sys/fs/cgroup/cpuset/lxc/raring/raring.real
>>
>> > Acked-by: Stéphane Graber <stgraber at ubuntu.com>
>> >
>> >> ---
>> >>  config/templates/ubuntu.common.conf.in | 7 +++++++
>> >>  1 file changed, 7 insertions(+)
>> >>
>> >> diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
>> >> index 8c61033..1195175 100644
>> >> --- a/config/templates/ubuntu.common.conf.in
>> >> +++ b/config/templates/ubuntu.common.conf.in
>> >> @@ -17,6 +17,13 @@ lxc.pts = 1024
>> >>  # Default capabilities
>> >>  lxc.cap.drop = sys_module mac_admin mac_override sys_time
>> >>
>> >> +# When using LXC with apparmor, uncomment the next line to run unconfined:
>> >> +#lxc.aa_profile = unconfined
>> >> +
>> >> +# To support container nesting on an Ubuntu host, uncomment next two lines:
>> >> +#lxc.aa_profile = lxc-container-default-with-nesting
>> >> +#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
>> >> +
>> >>  # Default cgroup limits
>> >>  lxc.cgroup.devices.deny = a
>> >>  ## Allow any mknod (but not using the node)
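Review bot: the two new comment blocks ("uncomment the next line" / "uncomment next two lines") tell the reader to edit ubuntu.common.conf in place, but this file is shared by every container that does `lxc.include = /usr/share/lxc/config/ubuntu.common.conf` and is replaced on package upgrade, so uncommenting here would silently change the confinement of all containers and be lost later. Reword both to say the lines should be copied into the container's own config after the lxc.include line, e.g. "To run this container unconfined, add the following to the container's config:" and "To support nesting on an Ubuntu host, add these two lines to the container's config:". It is also worth a short warning that `lxc.aa_profile = unconfined` removes AppArmor confinement entirely, and that the two blocks both set lxc.aa_profile, so only one of them should be used.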
>> >> --
>> >> 1.8.3.2
>> >>
>> >>
>> >> _______________________________________________
>> >> lxc-devel mailing list
>> >> lxc-devel at lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/lxc-devel
>> >
>> > --
>> > Stéphane Graber
>> > Ubuntu developer
>> > http://www.ubuntu.com
>>
>>
>> --
>> S.Çağlar Onur <caglar at 10ur.org>
>> _______________________________________________
>> lxc-devel mailing list
>> lxc-devel at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-devel
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>



-- 
S.Çağlar Onur <caglar at 10ur.org>
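As an added example for the leftover cgroup directories shown earlier in the thread (this is my own helper, not code from the thread, from LXC or from the mountcgroups hook): a small POSIX shell script that lists the cgroup directories still present for a container name across all controllers and, on request, removes the ones that no longer hold any process. It assumes the cgroup v1 layout seen in the `find` output above (`/sys/fs/cgroup/<controller>/lxc/<name>`, plus the `<name>-N` and `<name>/<name>.real` variants); the `CGROOT` variable and the `cgroup.procs` check are my additions so the script can be pointed at a test tree.

```shell
#!/bin/sh
# Added example, not part of the lxc-devel thread or of LXC itself.
# Finds cgroup v1 directories left behind for an LXC container and removes
# the empty ones.  Layout assumed (as in the thread's find output):
#   <root>/<controller>/lxc/<name>
#   <root>/<controller>/lxc/<name>-<N>
#   <root>/<controller>/lxc/<name>/<name>.real
# CGROOT defaults to the real cgroup mount; override it to test on a copy.

CGROOT="${CGROOT:-/sys/fs/cgroup}"

# Print every cgroup directory belonging to container NAME under ROOT,
# deepest entries first (-depth) so a later rmdir pass hits children
# before their parents.
lxc_stale_cgroups() {
    root="$1"; name="$2"
    find "$root" -depth -type d \
        \( -path "*/lxc/$name" \
        -o -path "*/lxc/$name-[0-9]*" \
        -o -path "*/lxc/$name/*" \) 2>/dev/null
}

# Remove the stale directories for NAME that hold no processes.  A cgroup
# is deleted with rmdir(2); the kernel already refuses if tasks remain,
# and we skip any directory whose cgroup.procs is non-empty so a running
# container (or one still shutting down) is never touched.  Prints the
# number of directories removed.
lxc_cgroup_cleanup() {
    root="$1"; name="$2"; removed=0
    for d in $(lxc_stale_cgroups "$root" "$name"); do
        if [ -s "$d/cgroup.procs" ]; then
            echo "skip $d: still has processes" >&2
            continue
        fi
        if rmdir "$d" 2>/dev/null; then
            removed=$((removed + 1))
        else
            echo "skip $d: rmdir failed (non-empty or busy)" >&2
        fi
    done
    echo "$removed"
}

# Usage: sh lxc-stale-cgroups.sh NAME [--clean]
if [ "$#" -gt 0 ]; then
    if [ "${2:-}" = "--clean" ]; then
        n=$(lxc_cgroup_cleanup "$CGROOT" "$1")
        echo "removed $n cgroup directories for $1"
    else
        lxc_stale_cgroups "$CGROOT" "$1"
    fi
fi
```

Run it as `sudo sh lxc-stale-cgroups.sh raring` after `lxc-stop` to see what the hook left behind, and with `--clean` to remove the empty entries; anything still listed afterwards has a process in it and should be looked at rather than forced.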

