[lxc-devel] [PATCH 1/1] templates/lxc-fedora Rework for distro independence.

Michael H. Warfield mhw at WittsEnd.com
Fri Oct 4 03:10:53 UTC 2013


On Thu, 2013-10-03 at 20:49 -0500, Serge Hallyn wrote: 
> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > On Thu, 2013-10-03 at 16:58 -0500, Serge Hallyn wrote: 
> > > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > > On Wed, 2013-10-02 at 23:39 -0500, Serge Hallyn wrote: 
> > > > > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > > > > +    mount -o loop ../LiveOS/squashfs.img squashfs
> > > > 
> > > > > Heh, this is unfortunate - since I test things inside containers, now I
> > > > > have to face the loop device in containers issue :)
> > > > 
> > > > > For now I just added b 7:0 to my devices whitelist and loosened the
> > > > > apparmor policy.  Fedora build did its thing.  Then I removed those
> > > > > exceptions.
> > > > 
> > > > > I did have to remove the devices whitelist entries for 4:0 and 4:1.
> > > > > They are for /dev/tty{0,1} - the real ones, which we don't use
> > > > > in containers.  Since the ubuntu container in which I was testing
> > > > > didn't have that, I couldn't grant it to the fedora container, but
> > > > > it doesn't need it.
> > > > 
> > > > > Other than that, it looks good!
> > > > 
> > > > > There is a weird glitch, when I first start the container, I type
> > > > > in username root, then have to hit return again before it shows
> > > > > me the password prompt.  It doesn't accept the password.  Second
> > > > > login attempt works fine.  Yum also isn't finding any mirrors, but
> > > > > that may be a problem local to me.
> > > > 
> > > > Check to see if your network is running.  Looks like it's not bringing
> > > > up eth0 by default, at least not on F19.  I'll have to look into that
> > > > one further.
> > 
> > > Hey Michael,
> > 
> > > so as far as I'm concerned this is a huge improvement.  I'm happy to ack
> > > it so long as you agree with getting rid of the 4:0 and 4:1 device
> > > whitelist entries.
> > 
> > Nothing like a few challenges to spice up the act, hey.

> Hm?

> > Like I said, I think I can eliminate the one by using unsquashfs, though
> > it will take more disk space temporarily (~300 Meg that I can quickly
> > recover).
> > 
> > The second one, though, the ext4 image, is a lot more challenging.  Is
> > there an ext4 tool for extracting the file system without mounting it?
> > If there is (Ted Tso might know) that would do the trick.  But, then,
> > that's another dependency we may or may not want.
> > 
> > My target was to make this as distro agnostic as possible so it could
> > run on anything (presumably on hard iron or a hypervisor).  Running it
> > in a container without loopback support complicates that immensely.
> > 
> > Let me see what I can do.  Sigh...

> No, I didn't mean any of that.  Actually I hadn't realized you don't
> touch the devices whitelist setting at all anyway!  So I'm going to
> apply your patch and then another patch to remove those entries,
> something like:

> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 1386f23..560b171 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -369,8 +369,6 @@ lxc.cgroup.devices.allow = c 1:5 rwm
>  # consoles
>  lxc.cgroup.devices.allow = c 5:1 rwm
>  lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 4:0 rwm
> -lxc.cgroup.devices.allow = c 4:1 rwm

Oh, crap...  I have GOT to read messages more carefully.  I thought you
were referring to those loop devices you had to enable for containerized
container creation testing.  But, damn where is my head at, those were
"b 7:0" and "b 7:1" not "c 4:0" and "c 4:1"...  You were referring to
the tty devices in the target container config...

Sigh...  Misunderstanding on my part.  My apologies.

>  # /dev/{,u}random
>  lxc.cgroup.devices.allow = c 1:9 rwm
>  lxc.cgroup.devices.allow = c 1:8 rwm
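
Review bot: the two lines removed under "# consoles" (c 4:0 and c 4:1) carry no recorded rationale, so a later reader of lxc-fedora.in cannot tell why only 5:1 and 5:0 remain. Put the reason from this thread into the commit message or a short comment beside "# consoles": 4:0 and 4:1 are the host's real /dev/tty0 and /dev/tty1, which containers do not use, so the template should not grant rwm on them. Before applying, it is also worth confirming that nothing else in the template expects those two device nodes to be accessible.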

> thanks,
> -serge

Thanks!

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!