[Lxc-users] f16 update

Ramez Hanna rhanna at informatiq.org
Fri Mar 2 19:24:00 UTC 2012


On Fri, Mar 2, 2012 at 4:21 PM, Serge Hallyn <serge.hallyn at canonical.com> wrote:
> Quoting Ramez Hanna (rhanna at informatiq.org):
>> hi,
>>
>> here is how I got f16 to work
>> * use the shipped fedora template to create the container
>> * chroot into the container rootfs
>> * touch /etc/fstab
>> * ln -s /dev/null /etc/systemd/system/udev.service
>> * unlink /etc/systemd/system/default.target
>> * ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
>> if you want to set up a getty
>> * ln -s /lib/systemd/system/getty@.service
>> /etc/systemd/system/getty.target.wants/getty@tty1.service
>> * exit the chroot
>>
>> if you had installed sshd in the rootfs then ssh is ready and you can just ssh in
>>
>> the problem I am facing right now is that I am unable to stop systemd
>> from mounting /dev,
>> which makes it impossible to access the lxc-console, because the
>> container is using tty* from the host and not the ones created by lxc.
>> this also means that if you pick a higher tty (above the ones used by
>> your host, and allow it in the cgroup conf) then you can access your
>> container's tty using the ctrl-alt-Fx keys.
>>
>> anyone who wants to contribute or comment, please do.
>> I will start working on the template now and soon send patches.
>
> I've looked at that.  It does it, unconditionally, during early startup
> while setting up selinux.  There is no way you can ask systemd not to
> do it.
>
> I actually had an item in my todo list to ask you if you wanted to
> write a patch to fix that (preferably allowing a systemd.nodevmount
> or somesuch argument) and send it to the systemd list.
>
> Fortunately it doesn't check the return value, so until that patch gets
> written and sent to systemd, my plan is to have apparmor refuse the
> container's permission to mount /dev and /dev/pts.  I should be able to
> test that in the next few days.
>
> -serge

What if /dev is mounted via lxc.mount as a bind mount? Won't that
prevent systemd from mounting it?

-- 
BR
RH
http://informatiq.org
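The rootfs preparation from the steps quoted above, as an added example that is not part of the original post or of the LXC project's fedora template: a shell function that applies the same changes from the host, given the path to the container rootfs, instead of doing them inside a chroot. The unit names and paths are the ones from the post; the function name, the optional second argument and the `link_target` helper are assumptions made for this example. The symlink targets are written as absolute container paths, exactly as in the chroot steps, so they resolve when the container boots rather than on the host.

```bash
#!/bin/sh
# Added example (not from the post or the LXC project): apply the
# f16 rootfs tweaks described in the thread to a rootfs directory.
# Usage: prepare_f16_rootfs /path/to/rootfs [yes|no]
set -e

prepare_f16_rootfs() {
    rootfs=$1
    with_getty=${2:-yes}           # assumed flag: "no" skips the getty link
    sysd="$rootfs/etc/systemd/system"

    mkdir -p "$sysd/getty.target.wants" "$rootfs/etc"

    # systemd expects an /etc/fstab to exist, even if it is empty
    touch "$rootfs/etc/fstab"

    # mask udev: a unit linked to /dev/null is never started
    rm -f "$sysd/udev.service"
    ln -s /dev/null "$sysd/udev.service"

    # boot to multi-user.target instead of the template's default target
    rm -f "$sysd/default.target"
    ln -s /lib/systemd/system/multi-user.target "$sysd/default.target"

    # optional getty on tty1 (the tty LXC hands the container)
    if [ "$with_getty" = yes ]; then
        rm -f "$sysd/getty.target.wants/getty@tty1.service"
        ln -s /lib/systemd/system/getty@.service \
            "$sysd/getty.target.wants/getty@tty1.service"
    fi
}

# Helper for checking the result: print where a symlink points.
link_target() {
    readlink "$1"
}
```

This only reproduces the rootfs changes; it does nothing about systemd mounting /dev on top of the container's tty devices, which is the open problem in the thread. An example invocation would be `prepare_f16_rootfs /var/lib/lxc/f16/rootfs` (an assumed path).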



