[lxc-devel] [PATCH 1/1] templates/lxc-fedora Rework for distro independence.
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Oct 4 01:49:55 UTC 2013
Quoting Michael H. Warfield (mhw at WittsEnd.com):
> On Thu, 2013-10-03 at 16:58 -0500, Serge Hallyn wrote:
> > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > On Wed, 2013-10-02 at 23:39 -0500, Serge Hallyn wrote:
> > > > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > > > + mount -o loop ../LiveOS/squashfs.img squashfs
> > >
> > > > Heh, this is unfortunate - since I test things inside containers, now I
> > > > have to face the loop device in containers issue :)
> > >
> > > > For now I just added b 7:0 to my devices whitelist and loosened the
> > > > apparmor policy. Fedora build did its thing. Then I removed those
> > > > exceptions.
> > >
> > > > I did have to remove the devices whitelist entries for 4:0 and 4:1.
> > > > They are for /dev/tty{0,1} - the real ones, which we don't use
> > > > in containers. Since the ubuntu container in which I was testing
> > > > didn't have that, I couldn't grant it to the fedora container, but
> > > > it doesn't need it.
> > >
> > > > Other than that, it looks good!
> > >
> > > > There is a weird glitch, when I first start the container, I type
> > > > in username root, then have to hit return again before it shows
> > > > me the password prompt. It doesn't accept the password. Second
> > > > login attempt works fine. Yum also isn't finding any mirrors, but
> > > > that may be a problem local to me.
> > >
> > > Check to see if your network is running. Looks like it's not bringing
> > > up eth0 by default, at least not on F19. I'll have to look into that
> > > one further.
>
> > Hey Michael,
>
> > so as far as I'm concerned this is a huge improvement. I'm happy to ack
> > it so long as you agree with getting rid of the 4:0 and 4:1 device
> > whitelist entries.
>
> Nothing like a few challenges to spice up the act, hey.
Hm?
> Like I said, I think I can eliminate the one by using unsquashfs, though
> it will take more disk space temporarily (~300 Meg that I can quickly
> recover).
>
> The second one, though, the ext4 image, is a lot more challenging. Is
> there an ext4 tool for extracting the file system without mounting it?
> If there is (Ted Tso might know) that would do the trick. But, then,
> that's another dependency we may or may not want.
>
> My target was to make this as distro agnostic as possible so it could
> run on anything (presumably on hard iron or a hypervisor). Running it
> in a container without loopback support complicates that immensely.
>
> Let me see what I can do. Sigh...
No, I didn't mean any of that. Actually I hadn't realized you don't
touch the devices whitelist setting at all anyway! So I'm going to
apply your patch and then another patch to remove those entries,
something like:
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index 1386f23..560b171 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -369,8 +369,6 @@ lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
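Review bot: With the two removed lines, the "# consoles" comment at the top of this hunk now covers only c 5:1 (/dev/console) and c 5:0 (/dev/tty); consider adding a one-line comment in their place, such as "# tty0/tty1 are the host's virtual consoles and are deliberately not granted", so a later contributor does not re-add the 4:0 and 4:1 entries when they notice they are missing.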
thanks,
-serge
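To make the whitelist question above concrete, here is an added audit script (my own example, not part of the lxc-fedora template or this patch) that decodes each lxc.cgroup.devices.allow line into the device node it grants and flags the host virtual consoles (c 4:N) and block devices such as the loop grant b 7:0 mentioned above. The KNOWN table covers only the common device numbers, and SAMPLE_CONFIG is a constructed input, not a real container config.

```python
import re

# Well-known Linux device numbers (Documentation/admin-guide/devices.txt).
KNOWN = {
    ("c", 1, 3): "/dev/null", ("c", 1, 5): "/dev/zero", ("c", 1, 7): "/dev/full",
    ("c", 1, 8): "/dev/random", ("c", 1, 9): "/dev/urandom",
    ("c", 5, 0): "/dev/tty", ("c", 5, 1): "/dev/console", ("c", 5, 2): "/dev/ptmx",
}
LINE_RE = re.compile(
    r"^\s*lxc\.cgroup\.devices\.allow\s*=\s*([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)\s*$")
# Constructed sample: the '# consoles' block from the thread plus a loop grant.
SAMPLE_CONFIG = """\
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = b 7:0 rwm
"""

def decode(kind, major, minor):
    """Name the device node a (type, major, minor) triple refers to."""
    if (kind, major, minor) in KNOWN:
        return KNOWN[(kind, major, minor)]
    if kind == "c" and major == 4 and minor != "*" and minor < 64:
        return f"/dev/tty{minor} (host virtual console)"
    if kind == "b" and major == 7:
        return f"/dev/loop{minor}"
    return f"{kind} {major}:{minor}"

def audit(config_text):
    """Return (rule, device name, warning-or-None) per devices.allow line."""
    findings = []
    for m in filter(None, map(LINE_RE.match, config_text.splitlines())):
        kind, major, minor, access = m.groups()
        major = "*" if major == "*" else int(major)
        minor = "*" if minor == "*" else int(minor)
        warn = {"a": "grants every device on the host",
                "b": "block device grant; containers rarely need raw block access"}.get(kind)
        if kind == "c" and major == 4:
            warn = "host virtual console; containers do not use /dev/ttyN"
        findings.append((f"{kind} {major}:{minor} {access}",
                         decode(kind, major, minor), warn))
    return findings

def flagged(config_text):  # only the rules the audit warned about
    return [f for f in audit(config_text) if f[2]]
```

Running audit(SAMPLE_CONFIG) reports the two tty grants and the loop grant as the only entries worth a second look; the remaining entries resolve to /dev/console, /dev/tty, /dev/urandom and /dev/random.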