[lxc-devel] [PATCH] ubuntu: Fix regression in post-process

Stéphane Graber stgraber at ubuntu.com
Thu Nov 28 03:18:44 UTC 2013


On Wed, Nov 27, 2013 at 09:14:24PM -0600, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > The recent reorg of lxc-ubuntu introduced some package installation in
> > post-process but without first disabling service startup.
> > 
> > As a result, if the cache is a bit out of date and a ssh update is
> > available, post-process will apply that update (as it does apt-get
> > install ssh vim) which in turn will attempt to start sshd. This will
> > either lead to ssh on the host being restarted or if there's no sshd on
> > the host, will fail the container creation as the postinst will get an
> > error from upstart.
> > 
> > The fix is very simply to add the same policy-rc.d trick when running
> > post-process.
> 
> If we're on a new enough kernel we might want to do all apt-gets
> in the template by doing lxc-start -d and then lxc-attach.  Or
> we could just do it through lxc-execute I suppose, and always
> put lxc-init into the container.

Unfortunately upstart talks using an abstract unix socket, so the only
way to avoid those from messing with the host's upstart is to set up the
whole network stack for the container and put it in its network
namespace.

I very regularly lxc-create containers that won't start immediately
post-creation so I don't think relying on lxc-start is really a good
idea there. Instead we should just make sure to consistently block
service startup just like we would with a standard chroot (and so far
we've done that relatively well, I just missed that one case in my
review last week ...).

> > Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
> 
> Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> 
> > ---
> >  templates/lxc-ubuntu.in | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> > 
> > diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> > index ac39ed2..4e6a54f 100644
> > --- a/templates/lxc-ubuntu.in
> > +++ b/templates/lxc-ubuntu.in
> > @@ -467,6 +467,13 @@ post_process()
> >      release=$2
> >      packages=$3
> >  
> > +    # Disable service startup
> > +    cat > $rootfs/usr/sbin/policy-rc.d << EOF
> > +#!/bin/sh
> > +exit 101
> > +EOF
> > +    chmod +x $rootfs/usr/sbin/policy-rc.d
> > +
> >      if [ ! -f $rootfs/etc/init/container-detect.conf ]; then
> >          # Make sure we have a working resolv.conf
> >          cresolvonf="${rootfs}/etc/resolv.conf"
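Review bot: the `cat > $rootfs/usr/sbin/policy-rc.d` added at the top of post_process() overwrites any policy-rc.d the rootfs already contains, and the `rm` in the second hunk then deletes it, so a policy that came with the cached rootfs is silently lost. Consider moving an existing file aside and restoring it afterwards. `$rootfs` is also unquoted in the redirect and in `chmod +x`, which breaks for container paths containing whitespace; quote both. The heredoc body has no expansions, so `<< 'EOF'` would make that explicit.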
> > @@ -538,6 +545,9 @@ post_process()
> >          mv $rootfs/dev/shm $rootfs/dev/shm.bak
> >          ln -s /run/shm $rootfs/dev/shm
> >      fi
> > +
> > +    # Re-enable service startup
> > +    rm $rootfs/usr/sbin/policy-rc.d
> >  }
> >  
> >  do_bindhome()
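Review bot: the `rm $rootfs/usr/sbin/policy-rc.d` at the end of post_process() only runs if the function reaches its last line. If any step between the two hunks returns early or aborts the script, the `exit 101` policy stays in the rootfs and invoke-rc.d will keep refusing to start services inside the created container. Consider doing the removal from a cleanup path (a trap, or a wrapper that always runs it), and use `rm -f` with `"$rootfs"` quoted so that a missing file does not become a new failure.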
> > -- 
> > 1.8.4.4

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
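The approach argued for in the message above (consistently block service startup, as one would in a standard chroot), written as an added example that is not part of the original post or of templates/lxc-ubuntu.in. The function name `with_services_blocked` and the `.lxc-saved` suffix are hypothetical; the demo rootfs is a constructed temporary directory.

```shell
#!/bin/sh
# Added example; helper name and backup suffix are assumptions, not LXC code.

# Run a command while $rootfs/usr/sbin/policy-rc.d denies service startup
# (exit 101 tells invoke-rc.d "action forbidden by policy"), then put the
# rootfs back the way it was whether or not the command succeeded.
with_services_blocked() {
    rootfs=$1; shift
    policy="$rootfs/usr/sbin/policy-rc.d"
    backup="$policy.lxc-saved"

    mkdir -p "$rootfs/usr/sbin" || return 1
    # Preserve a policy the rootfs already ships instead of clobbering it.
    if [ -e "$policy" ]; then
        mv "$policy" "$backup" || return 1
    fi
    printf '#!/bin/sh\nexit 101\n' > "$policy" || return 1
    chmod +x "$policy"

    # Capture the status without letting "set -e" abort before cleanup.
    status=0
    "$@" || status=$?

    # Cleanup runs on success and on failure of the wrapped command.
    rm -f "$policy"
    if [ -e "$backup" ]; then
        mv "$backup" "$policy"
    fi
    return $status
}

# Constructed demo: a throwaway directory stands in for a container rootfs,
# and "sh -c 'exit 3'" stands in for a failing package installation step.
demo_root=$(mktemp -d)
with_services_blocked "$demo_root" sh -c 'exit 3' || echo "command failed: $?"
[ ! -e "$demo_root/usr/sbin/policy-rc.d" ] && echo "policy-rc.d removed"
rm -rf "$demo_root"
```

The wrapper does not handle signals; a caller that can be interrupted would additionally need a trap that performs the same cleanup.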