[Lxc-users] Ubuntu Lucid containers on Ubuntu Natty

Elliot Pahl elliot.pahl at gmail.com
Tue Jun 21 11:00:11 UTC 2011


There are a few issues with creating a lucid container, then adding the
updates and security repositories.

If you add them later, you'll get problems that prevent your container from
fully starting if you upgrade the following:
  mountall (2.14 => 2.15.3) and
  ifupdown (0.6.8ubuntu29 => 0.6.8ubuntu29.2)

mountall will override <container>/lib/init/fstab to look like:
>>>

# /lib/init/fstab: static file system information.
#
# These are the filesystems that are always mounted on boot, you can
# override any of these by copying the appropriate line from this file into
# /etc/fstab and tweaking it as you see fit.  See fstab(5).
#
# <file system> <mount point>             <type>          <options>                         <dump> <pass>
/dev/root       /                         rootfs          defaults                          0 1
none            /proc                     proc            nodev,noexec,nosuid               0 0
none            /proc/sys/fs/binfmt_misc  binfmt_misc     nodev,noexec,nosuid,optional      0 0
none            /sys                      sysfs           nodev,noexec,nosuid               0 0
none            /sys/fs/fuse/connections  fusectl         optional                          0 0
none            /sys/kernel/debug         debugfs         optional                          0 0
none            /sys/kernel/security      securityfs      optional                          0 0
none            /spu                      spufs           gid=spu,optional                  0 0
none            /dev                      devtmpfs,tmpfs  mode=0755                         0 0
none            /dev/pts                  devpts          noexec,nosuid,gid=tty,mode=0620   0 0
none            /dev/shm                  tmpfs           nosuid,nodev                      0 0
none            /tmp                      none            defaults                          0 0
none            /var/run                  tmpfs           mode=0755,nosuid,showthrough      0 0
none            /var/lock                 tmpfs           nodev,noexec,nosuid,showthrough   0 0
none            /lib/init/rw              tmpfs           mode=0755,nosuid,optional         0 0

>>>

Instead of:
>>>

# /lib/init/fstab: lxc system fstab
none            /spu                      spufs           gid=spu,optional                  0 0
none            /tmp                      none            defaults                          0 0
none            /var/lock                 tmpfs           nodev,noexec,nosuid,showthrough   0 0
none            /lib/init/rw              tmpfs           mode=0755,nosuid,optional         0 0

>>>

I note that other versions of Ubuntu don't seem to require this stripped-down
/lib/init/fstab; can anyone explain why?

If you replace it with the old version, you'll be good to go, but...
ifupdown has these changes (though I don't quite understand why they're an
issue; it seems like they should just work...):
>>>

diff -u -r
ifupdown-0.6.8ubuntu29/debian/ifupdown.network-interface-security.upstart
ifupdown-0.6.8ubuntu29.2/debian/ifupdown.network-interface-security.upstart
---
ifupdown-0.6.8ubuntu29/debian/ifupdown.network-interface-security.upstart
2010-02-20 17:30:21.000000000 +1300
+++
ifupdown-0.6.8ubuntu29.2/debian/ifupdown.network-interface-security.upstart
2011-01-05 07:48:34.000000000 +1300
@@ -13,14 +13,22 @@
           or starting network-manager
           or starting networking)

+# In order to handle the lack of upstart feature LP: #568860, we need to
+# run multiple times, for each of the above "starting" service instances,
or
+# else another one might run while we're running, and not wait for us to
+# finish.
+instance $JOB${INTERFACE:+/}${INTERFACE:-}
+
 # Since we need these profiles to be loaded before any of the above
services
 # begin running, this service must be a pre-start so that its pre-start
 # script finishes before the above services' start scripts begin.
 pre-start script
+    [ -f /var/run/network-interface-security ] && exit 0 # already ran
     [ -d /rofs/etc/apparmor.d ]  && exit 0 # do not load on liveCD
     [ -d /sys/module/apparmor ]  || exit 0 # do not load without AppArmor
     [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
     for link in /etc/apparmor/init/network-interface-security/* ; do
         [ -L $link ] && /sbin/apparmor_parser -r -W $link || true
     done
+    > /var/run/network-interface-security
 end script
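Review bot: the run-once stamp added in this hunk (`[ -f /var/run/network-interface-security ] && exit 0` at the top of pre-start, paired with `> /var/run/network-interface-security` after the loop) only works if /var/run is emptied on every boot; the stripped-down lxc /lib/init/fstab quoted earlier in this mail mounts no tmpfs on /var/run, so inside such a container the stamp survives a restart and the AppArmor profiles are never reloaded. The check is also not atomic across the per-service instances the new `instance $JOB${INTERFACE:+/}${INTERFACE:-}` stanza creates: two instances can both pass the `-f` test before either writes the stamp. Suggest an atomic stamp such as `mkdir /var/run/network-interface-security 2>/dev/null || exit 0`, and a comment stating that /var/run must be volatile for this to be correct.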
diff -u -r ifupdown-0.6.8ubuntu29/debian/ifupdown.network-interface.upstart
ifupdown-0.6.8ubuntu29.2/debian/ifupdown.network-interface.upstart
--- ifupdown-0.6.8ubuntu29/debian/ifupdown.network-interface.upstart
 2010-02-20 17:30:21.000000000 +1300
+++ ifupdown-0.6.8ubuntu29.2/debian/ifupdown.network-interface.upstart
 2011-01-05 07:48:34.000000000 +1300
@@ -10,8 +10,15 @@
 stop on net-device-removed INTERFACE=$INTERFACE

 instance $INTERFACE
+export INTERFACE

 pre-start script
+    if [ "$INTERFACE" = lo ]; then
+       # bring this up even if /etc/network/interfaces is broken
+       ifconfig lo 127.0.0.1 up || true
+       initctl emit -n net-device-up \
+           IFACE=lo LOGICAL=lo ADDRFAM=inet METHOD=loopback || true
+    fi
     mkdir -p /var/run/network
     exec ifup --allow auto $INTERFACE
 end script
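Review bot: the new lo branch in pre-start emits `net-device-up IFACE=lo` unconditionally, because the failure of `ifconfig lo 127.0.0.1 up` is swallowed by `|| true`; any job waiting on that event will then proceed believing loopback is configured when it is not. Suggest emitting only when ifconfig succeeded (or at least logging the failure), and extending the one-line comment to say that the following `exec ifup --allow auto $INTERFACE` still configures lo a second time and that the duplicate emission is suppressed elsewhere, since that coupling is not visible from this file.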
diff -u -r ifupdown-0.6.8ubuntu29/debian/ifupdown.upstart.if-up
ifupdown-0.6.8ubuntu29.2/debian/ifupdown.upstart.if-up
--- ifupdown-0.6.8ubuntu29/debian/ifupdown.upstart.if-up        2010-02-20
17:30:21.000000000 +1300
+++ ifupdown-0.6.8ubuntu29.2/debian/ifupdown.upstart.if-up      2010-07-23
00:59:07.000000000 +1200
@@ -2,6 +2,10 @@

 set -e

+if [ "$IFACE" = lo ]; then
+       exit 0 # emission handled by /etc/init/network-interface.conf
+fi
+
 initctl emit -n net-device-up \
        "IFACE=$IFACE" \
        "LOGICAL=$LOGICAL" \
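Review bot: the early `exit 0` for lo assumes that the network-interface job's pre-start is the only thing that ever brings loopback up; any other caller of `ifup lo` (a container whose init does not run that job, as this mail reports) now gets no `net-device-up` event for lo, and everything waiting on it stalls. The second hunk already adds `export INTERFACE` to that job, so suggest exiting only when the hook was invoked from it, e.g. `if [ "$IFACE" = lo ] && [ "${INTERFACE:-}" = lo ]; then`, so that a manual or non-upstart `ifup lo` still emits the event.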

>>>

If you comment out the additions to /etc/network/if-up.d/upstart like so:
>>>

#if [ "$IFACE" = lo ]; then
#       exit 0 # emission handled by /etc/init/network-interface.conf
#fi

>>>

Then your lxc will start again, but I'd really prefer not to have to do it
every time I create a lucid container.

Is there a good solution for these issues?  Is the solution to modify the
debootstrap template, or does it lie elsewhere?

Cheers,

Elliot Pahl

--
Elliot Pahl
elliot.pahl at gmail.com
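An added example, not code from the original post or from the lxc or Ubuntu projects: it checks a Lucid container rootfs for the two post-upgrade changes described above and applies the same two hand-edits the mail describes (restore the lxc /lib/init/fstab, comment out the lo exit in /etc/network/if-up.d/upstart). The rootfs path argument and the `.mountall` backup name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: find and undo the two
# post-upgrade changes the mail describes inside a Lucid container rootfs.
# Assumes the rootfs path is passed as the first argument to fix_rootfs.
set -eu

# The stripped-down /lib/init/fstab lxc expects, as quoted in the post.
lxc_fstab() {
    cat <<'EOF'
# /lib/init/fstab: lxc system fstab
none            /spu                      spufs           gid=spu,optional                  0 0
none            /tmp                      none            defaults                          0 0
none            /var/lock                 tmpfs           nodev,noexec,nosuid,showthrough   0 0
none            /lib/init/rw              tmpfs           mode=0755,nosuid,optional         0 0
EOF
}

# True when mountall has written its full fstab: the container must not
# mount /proc from here, so a /proc line is the tell-tale.
fstab_needs_fix() {
    grep -q '^none[[:space:]]*/proc[[:space:]]' "$1/lib/init/fstab"
}

# True when the if-up.d hook still carries the 0.6.8ubuntu29.2 early exit
# for lo, which keeps net-device-up from ever being emitted for it.
ifup_hook_needs_fix() {
    grep -q '^if \[ "\$IFACE" = lo \]; then$' "$1/etc/network/if-up.d/upstart"
}

fix_rootfs() {
    rootfs=$1
    if fstab_needs_fix "$rootfs"; then
        # Keep mountall's version beside the replacement for reference.
        cp "$rootfs/lib/init/fstab" "$rootfs/lib/init/fstab.mountall"
        lxc_fstab > "$rootfs/lib/init/fstab"
    fi
    hook="$rootfs/etc/network/if-up.d/upstart"
    if ifup_hook_needs_fix "$rootfs"; then
        # Comment out the if/exit/fi block exactly as the post does by hand;
        # cat back over the original so its executable bit is preserved.
        sed '/^if \[ "\$IFACE" = lo \]; then$/,/^fi$/ s/^/#/' "$hook" \
            > "$hook.tmp" && cat "$hook.tmp" > "$hook" && rm "$hook.tmp"
    fi
}

# Usage: fix_rootfs /var/lib/lxc/<name>/rootfs   (path is an assumption)
```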