[Lxc-users] f16 update

Serge Hallyn serge.hallyn at canonical.com
Sun Mar 4 04:38:09 UTC 2012


Quoting Ramez Hanna (rhanna at informatiq.org):
> On Fri, Mar 2, 2012 at 9:38 PM, Serge Hallyn <serge.hallyn at canonical.com> wrote:
> > Quoting Ramez Hanna (rhanna at informatiq.org):
> >> On Fri, Mar 2, 2012 at 4:21 PM, Serge Hallyn <serge.hallyn at canonical.com> wrote:
> >> > Quoting Ramez Hanna (rhanna at informatiq.org):
> >> >> hi,
> >> >>
> >> >> here is how I got f16 to work
> >> >> * use the shipped fedora template to create the container
> >> >> * chroot into the container rootfs
> >> >> * touch /etc/fstab
> >> >> * ln -s /dev/null /etc/systemd/system/udev.service
> >> >> * unlink /etc/systemd/system/default.target
> >> >> * ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> >> >> if you want to set up a getty
> >> >> * ln -s /lib/systemd/system/getty@.service
> >> >> /etc/systemd/system/getty.target.wants/getty@tty1.service
> >> >> * exit the chroot
> >> >>
> >> >> if you had installed sshd in the rootfs then ssh is ready you can just ssh in
> >> >>
> >> >> the problem i am facing right now is that i am unable to stop systemd
> >> >> from mounting /dev
> >> >> which leads to not possible to access the lxc-console because the
> >> >> container is using tty* from the host and not the ones created by lxc
> >> >> which also means that if you pick a higher tty (above the ones used by
> >> >> your host and allow it in the cgroup conf) then you can access your
> >> >> container's tty using the ctrl-alt-Fx keys
> >> >>
> >> >> anyone who wants to contribute or comment please do
> >> >> i will start working on the template now and soon send patches
> >> >
> >> > I've looked at that.  It does it, unconditionally, during early startup
> >> > while setting up selinux.  There is no way you can ask systemd not to
> >> > do it.
> >> >
> >> > I actually had an item in my todo list to ask you if you wanted to
> >> > write a patch to fix that (preferably allowing a systemd.nodevmount
> >> > or somesuch argument) and send it to the systemd list.
> >> >
> >> > Fortunately it doesn't check the return value, so until that patch gets
> >> > written and sent to systemd, my plan is to have apparmor refuse the
> >> > container's permission to mount /dev and /dev/pts.  I should be able to
> >> > test that in the next few days.
> >> >
> >> > -serge
> >>
> >> what if the /dev is mounted in lxc.mount as a bind mount won't that
> >> deny systemd from mounting it!
> >
> > Hmm, what you literally said isn't true (it won't *deny* systemd
> > from mounting it if it wanted to), but what I think you meant, to
> > my surprise, is true :)
> >
> > src/mount-setup.c:mount_one() won't mount a filesystem if its
> > stat.st_dev != its parent dir's stat.st_dev.  So yeah, mounting it from
> > lxc.mount should prevent that from happening.  Excellent!  That was the
> > only thing keeping me from pushing an updated fedora template that works
> > for f16.  Your list however looks a lot shorter than mine, so better I
> > wait and try out yours.
> >
> > Looking forward to testing your new template!
> >
> > thanks,
> > -serge
> 
> i tried to do the following
> in /var/lib/lxc/$container/fstab i added a line
> /var/lib/lxc/$container/ddd
> /var/lib/lxc/$container/rootfs/dev        ext4       defaults,bind 0 0
> where ddd is a dir that has the /dev needed files (pts/, tty*, null, etc...)
> started the container still /dev is mounted for devtmpfs
> 
> did i do it wrong?

Yes, I think so.

Remember the check done by systemd is whether the dir is on the same device
as its parent dir.  It sounds like you have them being the same dir, which
won't work.  You can make the container's rootfs be lvm, or create a tmpfs
/dev for the container on the fly before starting it, or something.  But
if /var/lib/lxc/$container/ddd and /var/lib/lxc/$container/rootfs/dev are
both on the host's root fs (or on the host's /dev), then systemd won't
detect it as being mounted.

-serge
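The "same device as its parent" rule discussed above, written out as an added example (this is my illustration of the st_dev comparison, not code from systemd or from LXC): a directory counts as mounted only if its `st_dev` differs from its parent's, which is exactly why a bind mount of `ddd` living on the same host filesystem as `rootfs/dev` is not detected, while a tmpfs or an LVM-backed rootfs would be. The path names in `main()` are just the ones from the thread.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <libgen.h>
#include <sys/stat.h>

/* Same test systemd's mount_one() relies on, as described in the thread:
 * returns 1 if `path` is on a different device than its parent directory
 * (treated as "already mounted, skip"), 0 if it is on the same device
 * (treated as "not mounted, mount over it"), -1 on error.
 * Added example, not systemd's own implementation. */
int mounted_by_stdev(const char *path)
{
    struct stat self, parent;
    char buf[4096];

    if (strlen(path) >= sizeof(buf))
        return -1;
    strcpy(buf, path);            /* dirname() may modify its argument */

    if (lstat(path, &self) < 0)
        return -1;
    if (stat(dirname(buf), &parent) < 0)
        return -1;

    /* A bind mount of a directory from the same filesystem keeps the
     * same st_dev, so it fails this check just like an unmounted dir. */
    return self.st_dev != parent.st_dev;
}

int main(void)
{
    /* Paths from the thread; results depend on the host you run this on. */
    const char *paths[] = { "/dev", "/dev/pts", "/proc", "/tmp" };
    size_t i;

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        int r = mounted_by_stdev(paths[i]);
        printf("%-9s %s\n", paths[i],
               r < 0 ? "error (missing?)"
               : r   ? "separate device: systemd would leave it alone"
                     : "same device as parent: systemd would mount over it");
    }
    return 0;
}
```

Run it inside a container prepared as in the thread: if `/dev` reports "same device as parent", the bind mount from `ddd` will not stop systemd from mounting devtmpfs there.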