[Lxc-users] f16 update

Serge Hallyn serge.hallyn at canonical.com
Fri Mar 2 19:38:57 UTC 2012


Quoting Ramez Hanna (rhanna at informatiq.org):
> On Fri, Mar 2, 2012 at 4:21 PM, Serge Hallyn <serge.hallyn at canonical.com> wrote:
> > Quoting Ramez Hanna (rhanna at informatiq.org):
> >> hi,
> >>
> >> here is how I got f16 to work
> >> * use the shipped fedora template to create the container
> >> * chroot into the container rootfs
> >> * touch /etc/fstab
> >> * ln -s /dev/null /etc/systemd/system/udev.service
> >> * unlink /etc/systemd/system/default.target
> >> * ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> >> if you want to setup a getty
> >> * ln -s /lib/systemd/system/getty@.service /etc/systemd/system/getty.target.wants/getty@tty1.service
> >> * exit the chroot
> >>
> >> if you had installed sshd in the rootfs then ssh is ready, you can just ssh in
> >>
> >> the problem I am facing right now is that I am unable to stop systemd
> >> from mounting /dev,
> >> which makes it impossible to access the lxc-console because the
> >> container is using tty* from the host and not the ones created by lxc.
> >> which also means that if you pick a higher tty (above the ones used by
> >> your host and allow it in the cgroup conf) then you can access your
> >> container's tty using the ctrl-alt-Fx keys
> >>
> >> anyone who wants to contribute or comment please do
> >> I will start working on the template now and soon send patches
> >
> > I've looked at that.  It does it, unconditionally, during early startup
> > while setting up selinux.  There is no way you can ask systemd not to
> > do it.
> >
> > I actually had an item in my todo list to ask you if you wanted to
> > write a patch to fix that (preferably allowing a systemd.nodevmount
> > or somesuch argument) and send it to the systemd list.
> >
> > Fortunately it doesn't check the return value, so until that patch gets
> > written and sent to systemd, my plan is to have apparmor refuse the
> > container's permission to mount /dev and /dev/pts.  I should be able to
> > test that in the next few days.
> >
> > -serge
> 
> what if /dev is mounted in lxc.mount as a bind mount, won't that
> deny systemd from mounting it!

Hmm, what you literally said isn't true (it won't *deny* systemd
from mounting it if it wanted to), but what I think you meant, to
my surprise, is true :)

src/mount-setup.c:mount_one() won't mount a filesystem if its
stat.st_dev != its parent dir's stat.st_dev.  So yeah, mounting it from
lxc.mount should prevent that from happening.  Excellent!  That was the
only thing keeping me from pushing an updated fedora template that works
for f16.  Your list however looks a lot shorter than mine, so better I
wait and try out yours.

Looking forward to testing your new template!

thanks,
-serge
