[lxc-devel] Fwd: [PATCH] add comments about running unconfined or nesting containers back to ubuntu.common.conf

Serge Hallyn serge.hallyn at ubuntu.com
Tue Dec 10 19:41:03 UTC 2013


Quoting S.Çağlar Onur (caglar at 10ur.org):
> Hi,
> 
> On Mon, Dec 9, 2013 at 4:44 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> > On Mon, Dec 09, 2013 at 04:29:11PM -0500, S.Çağlar Onur wrote:
> >> [Forwarding to new lxc-devel as I replied to old sf list]
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From: S.Çağlar Onur <caglar at 10ur.org>
> >> Date: Mon, Dec 9, 2013 at 4:26 PM
> >> Subject: Re: [lxc-devel] [PATCH] add comments about running unconfined
> >> or nesting containers back to ubuntu.common.conf
> >> To: Stéphane Graber <stgraber at ubuntu.com>
> >> Cc: lxc-devel at lists.sourceforge.net
> >>
> >>
> >> Hi Stéphane,
> >>
> >> On Mon, Dec 9, 2013 at 3:04 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> >> > On Sat, Dec 07, 2013 at 06:04:10PM -0500, S.Çağlar Onur wrote:
> >> >> Signed-off-by: S.Çağlar Onur <caglar at 10ur.org>
> >> >
> >> > I'll reword the comment a bit to let them know to copy/paste the comment
> >> > to the container's config instead of changing it in the common file
> >> > which would get overwritten on upgrade and would also affect all
> >> > containers.
> >>
> >> Thanks for doing that.
> >>
> >> On a separate note, it looks like /usr/share/lxc/hooks/mountcgroups
> >> hook seems to have some issues (but couldn't find some time to debug
> >> further). I migrated my nested containers to the new style config
> >> (that's how I realized those comments are gone :P) but now the first
> >> start is always failing with "lxc-start: command get_cgroup failed to
> >> receive response" error and the one after just works.
> >
> > Yeah, I've noticed that too... it seems to be related to the way LXC
> > sets up its cgroups. I believe I mentioned some issues like that to
> > Serge a while back but it's not very high on the todo since our goal is
> > to instead have LXC use the new cgroup manager and deprecate that hook
> > entirely by the time 1.0 is out.
> 
> Oh I wasn't aware of you planning to finish cgmanager before 1.0,
> that's great news!

Currently create, chown, getvalue, gitpidcgroup, and movepid work, on
host and in user namespaces.  I'll implement setvalue today.  I need to
write a proxy to send scm creds for unprivileged users in non-init
pidns.  Then I'll need to think on whether to keep the current
get/setvalue behavior - which accept the filename and values directly -
or put in a slight abstraction (i.e. 'memory limit:x').

Then we're ready to start testing lxc against it.

In the meantime, if you see the problem with the existing cgroup code, a
patch is of course very welcome :)

thanks,
-serge
