[lxc-devel] [PATCH 1/1] templates/lxc-fedora Rework for distro independence.
Michael H. Warfield
mhw at WittsEnd.com
Fri Oct 4 03:10:53 UTC 2013
On Thu, 2013-10-03 at 20:49 -0500, Serge Hallyn wrote:
> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > On Thu, 2013-10-03 at 16:58 -0500, Serge Hallyn wrote:
> > > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > > On Wed, 2013-10-02 at 23:39 -0500, Serge Hallyn wrote:
> > > > > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > > > > + mount -o loop ../LiveOS/squashfs.img squashfs
> > > >
> > > > > Heh, this is unfortunate - since I test things inside containers, now I
> > > > > have to face the loop device in containers issue :)
> > > >
> > > > > For now I just added b 7:0 to my devices whitelist and loosened the
> > > > > apparmor policy. Fedora build did its thing. Then I removed those
> > > > > exceptions.
> > > >
> > > > > I did have to remove the devices whitelist entries for 4:0 and 4:1.
> > > > > They are for /dev/tty{0,1} - the real ones, which we don't use
> > > > > in containers. Since the ubuntu container in which I was testing
> > > > > didn't have that, I couldn't grant it to the fedora container, but
> > > > > it doesn't need it.
> > > >
> > > > > Other than that, it looks good!
> > > >
> > > > > There is a weird glitch, when I first start the container, I type
> > > > > in username root, then have to hit return again before it shows
> > > > > me the password prompt. It doesn't accept the password. Second
> > > > > login attempt works fine. Yum also isn't finding any mirrors, but
> > > > > that may be a problem local to me.
> > > >
> > > > Check to see if your network is running. Looks like it's not bringing
> > > > up eth0 by default, at least not on F19. I'll have to look into that
> > > > one further.
> >
> > > Hey Michael,
> >
> > > so as far as I'm concerned this is a huge improvement. I'm happy to ack
> > > it so long as you agree with getting rid of the 4:0 and 4:1 device
> > > whitelist entries.
> >
> > Nothing like a few challenges to spice up the act, hey.
> Hm?
> > Like I said, I think I can eliminate the one by using unsquashfs, though
> > it will take more disk space temporarily (~300 Meg that I can quickly
> > recover).
> >
> > The second one, though, the ext4 image, is a lot more challenging. Is
> > there an ext4 tool for extracting the file system without mounting it?
> > If there is (Ted Tso might know) that would do the trick. But, then,
> > that's another dependency we may or may not want.
> >
> > My target was to make this as distro agnostic as possible so it could
> > run on anything (presumably on hard iron or a hypervisor). Running it
> > in a container without loopback support complicates that immensely.
> >
> > Let me see what I can do. Sigh...
> No, I didn't mean any of that. Actually I hadn't realized you don't
> touch the devices whitelist setting at all anyway! So I'm going to
> apply your patch and then another patch to remove those entries,
> something like:
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 1386f23..560b171 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -369,8 +369,6 @@ lxc.cgroup.devices.allow = c 1:5 rwm
> # consoles
> lxc.cgroup.devices.allow = c 5:1 rwm
> lxc.cgroup.devices.allow = c 5:0 rwm
> -lxc.cgroup.devices.allow = c 4:0 rwm
> -lxc.cgroup.devices.allow = c 4:1 rwm

Oh, crap... I have GOT to read messages more carefully. I thought you
were referring to those loop devices you had to enable for containerized
container creation testing. But, damn where is my head at, those were
"b 7:0" and "b 7:1" not "c 4:0" and "c 4:1"... You were referring to
the tty devices in the target container config...

Sigh... Misunderstanding on my part. My apologies.

> # /dev/{,u}random
> lxc.cgroup.devices.allow = c 1:9 rwm
> lxc.cgroup.devices.allow = c 1:8 rwm
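Review bot: under the "# consoles" comment, the two removed entries (c 4:0 and c 4:1) disappear without any record of why, so a later edit could add them back to "complete" the console list. A one-line comment at that spot saying that the host /dev/tty0 and /dev/tty1 are deliberately not whitelisted, because containers do not use them, would keep the reasoning given earlier in this thread next to the config. The patch as posted also carries no commit message; it should state the same rationale, including that a container nested in a host lacking those devices cannot grant them.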
> thanks,
> -serge
Thanks!
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
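
As an added example (not part of the original message or of the LXC templates), this sh/awk check audits a container config for the device whitelist entries discussed in the thread: host virtual consoles (c 4:N) and loop devices (b 7:N). The sample config is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit lxc.cgroup.devices.allow entries for host devices a
# container should not normally be granted.

# Constructed sample config, modelled on the entries quoted in this thread.
sample_config() {
cat <<'EOF'
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# temporary exception left behind after a nested template build
lxc.cgroup.devices.allow = b 7:0 rwm
EOF
}

# Hypothetical helper: reads a config on stdin and prints one
# "line: reason: entry" record per finding. Wildcard majors are not evaluated.
audit_devices_allow() {
    awk '
    /^[ \t]*lxc\.cgroup\.devices\.allow[ \t]*=/ {
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)      # keep "type major:minor access"
        sub(/[ \t]+$/, "", spec)
        split(spec, f, /[ \t]+/)
        split(f[2], dev, ":")
        why = ""
        if (f[1] == "a")
            why = "all devices"
        else if (f[1] == "c" && dev[1] == "4" && (dev[2] == "*" || dev[2] + 0 < 64))
            why = "host virtual console"    # char 4:0-63 are /dev/tty0..tty63
        else if (f[1] == "b" && dev[1] == "7")
            why = "loop device"             # block major 7 is /dev/loopN
        if (why != "") printf "%d: %s: %s\n", NR, why, spec
    }'
}

sample_config | audit_devices_allow
```

Run against a real config with `audit_devices_allow < config`; empty output means none of the checked entries are present.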