[Lxc-users] Best way to shutdown a container

Clemens Perz cperz at gmx.net
Tue Aug 24 07:14:02 UTC 2010


Howdy! :)

I wasn't too happy with the solutions I saw, so I created another one -
not any better, but different :) Just wanted to share it, until we can
do it with lxc-attach.

- Take the little script below, put it into sbin, make it executable and
run it once inside the container. It creates an initial secret for the
container.

- add it as a service to your container's inetd.conf (using port 5999):
5999 stream tcp nowait root /usr/sbin/tcpd /sbin/thecloser

- halt your container with this command from the host:
netcat 192.168.x.x 5999 < $container_path/etc/thecloser.secret

- you can add more security by adding this to /etc/hosts.allow:
5999: ADD_YOUR_HOSTS_IP_HERE
5999: ALL: DENY

It has some drawbacks though, as currently it will only run if you are
using veth for the containers net device. And some people would get bad
headaches because of security. I would only recommend it for your local
desktop :) I only use it to cleanly shut down my dev and testing machines.

--------[ snip: thecloser ] ------------------
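#!/bin/bash
# thecloser: started by inetd for each connection on port 5999. Halts the
# container when a received line matches the secret stored in SECFILE.

SECFILE="/etc/thecloser.secret"

# Overwrite the stored secret with the MD5 of the current date plus a seed.
function setSecret()
{
  logger "TheCloser: Creating new secret"
  BSTRING="$(date)$1"
  echo "$BSTRING" | md5sum | cut -d" " -f1 > "$SECFILE"
}

# First run (no secret file yet): create the initial secret and exit.
if [ ! -e "$SECFILE" ]; then
  logger "TheCloser: first launch"
  setSecret "First launch"
  exit
else
  SEC=$(cat "$SECFILE")
fi

# Each received line is echoed back, the stored secret is rotated, and the
# line is compared with the secret that was read at startup.
while read -r INPUT
do
  # Quoted so that client input is never glob-expanded or word-split.
  echo "$INPUT"
  setSecret "$SEC"
  if [ "$INPUT" == "$SEC" ]; then
    logger "TheCloser: Received shutdown request, OK"
    /sbin/halt
  else
    logger "TheCloser: Received shutdown request, NO MATCH"
  fi
done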
--------[ snip: thecloser ] ------------------

Cheers,
Clemens
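
Added example, not part of the original post or of the author's script: a hardened sketch of the same listener that draws the secret from /dev/urandom, keeps the file root-only, and accepts one attempt per connection. The function names and the --init/--serve arguments are assumptions made for this example; the inetd entry would need --serve appended.

```shell
#!/bin/sh
# Hardened sketch of the listener described above (added example).
# Assumptions: SECFILE path as in the post; helper names are hypothetical.
SECFILE="${SECFILE:-/etc/thecloser.secret}"

# Write a fresh 256-bit secret from the kernel CSPRNG. The file is created
# with mode 0600 and moved into place atomically, so readers never see a
# partial value and unprivileged users in the container cannot read it.
new_secret() {
  ( umask 077
    tmp="$SECFILE.$$"
    od -An -N32 -tx1 /dev/urandom | tr -dc '0-9a-f' > "$tmp"
    echo >> "$tmp"
    mv -f "$tmp" "$SECFILE" )
}

# Read exactly one line from stdin and compare it with the stored secret.
# The secret is rotated after every attempt, matching or not, so a captured
# value cannot be replayed and each guess faces a new secret.
# Returns 0 on a match, 1 on a mismatch, 2 if no secret exists yet.
check_request() {
  [ -s "$SECFILE" ] || return 2
  expected=$(cat "$SECFILE")
  IFS= read -r input || true
  cr=$(printf '\r')
  input=${input%"$cr"}            # tolerate clients that send CRLF
  new_secret
  [ "${#expected}" -eq 64 ] && [ "$input" = "$expected" ]
}

case "${1:-}" in
  --init)                         # run once inside the container
    new_secret ;;
  --serve)                        # run by inetd for each connection
    if check_request; then
      logger "TheCloser: Received shutdown request, OK"
      /sbin/halt
    else
      logger "TheCloser: Received shutdown request, NO MATCH"
    fi ;;
esac
```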



