[Lxc-users] On clean reboot of Ubuntu 10.04 containers
Trent W. Buck
twb at cybersource.com.au
Tue Dec 7 03:46:09 UTC 2010
twb at cybersource.com.au (Trent W. Buck)
writes:
> I might revise that opinion after trying to handle rebooting manually --
> particularly since I've decided to administratively prohibit sys_admin
> inside containers.
OK, so I got it working. The sticking points are:
- I *MUST* drop CAP_SYS_ADMIN or otherwise prevent mountall from
mounting a tmpfs on /var/run/.
- I *MUST NOT* drop CAP_KILL, or the shutdown script silently fails
to stop rsyslogd, and lxc-start waits forever for the pid count to
go from 2 to 1.
- I *MUST* have the workaround upstart job /etc/init/lxc.conf delete
everything from /var/run on startup. At the very least, it's
critical to delete ifstate, otherwise upstart waits forever for
the network stack to come up.
After doing these things, "reboot" and "halt" DTRT within the Ubuntu
10.04 container (with lxc 0.7.2 and Ubuntu 10.04 in the dom0).
Actual patch follows. Thanks to all correspondents for encouraging me
to do it this way, I think it's better than what I had.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tmp.diff
Type: text/x-diff
Size: 4244 bytes
Desc: Actual change
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20101207/dd7e22cb/attachment.diff>
More information about the lxc-users
mailing list