[Lxc-users] connecting lxc-console is impossible after deny cgroup by default activated
Thierry
mysolo at cynetek.com
Mon Nov 5 18:21:55 UTC 2012
> My understanding was that you manually set lxc.cgroup.devices.deny = a
> after starting up the container. Is that right, or not? If not, please
> give your full config files for working and not working cases. -serge
I am using only the configuration file; I do not change the cgroup manually after starting.
Attached are the working and non-working config files.
tigra debian-dev # diff config_working config_notworking
10c10
< #lxc.cgroup.devices.deny = a
---
> lxc.cgroup.devices.deny = a
Working config file:
tigra debian-dev # lxc-start -l DEBUG -o /var/log/lxc/debian-dev.log -n
debian-dev -f /etc/lxc/debian-dev/config_working -d
tigra debian-dev # lxc-console -n debian-dev
Type <Ctrl+a q> to exit the console
Debian GNU/Linux 6.0 debian-dev tty1
debian-dev login:
----------------------
Non-working config file:
tigra debian-dev # lxc-start -l DEBUG -o /var/log/lxc/debian-dev.log -n
debian-dev -f /etc/lxc/debian-dev/config_notworking -d
tigra debian-dev # lxc-console -n debian-dev
Type <Ctrl+a q> to exit the console
no login prompt
-------------- next part --------------
Attached config_notworking (lxc.cgroup.devices.deny = a active):
lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-dev
#lxc.console = /dev/console
# Device configuration:
# Deny access to all devices:
lxc.cgroup.devices.deny = a
# Allow only the following devices to be opened:
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
lxc.cgroup.devices.allow = c 1:8 rwm # dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty - allows ssh-add/password input
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console - allows lxc-start output
lxc.cgroup.devices.allow = c 254:0 rwm # rtc
#
## # TTYs - we create only 3 TTYs: tty0, tty1, tty2, tty3 - you can create up to 12 (see lxc.tty = 12)
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 4:2 rwm # /dev/tty2
lxc.cgroup.devices.allow = c 4:3 rwm # /dev/tty3
#
## pts namespaces
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
#
#
lxc.rootfs = /dev/vg1/debian-dev
#lxc.rootfs.mount = /usr/lib/lxc/rootfs
#lxc.rootfs.mount = /etc/lxc/debian-dev/rootfs
# mounts point
#lxc.mount.entry=proc /etc/lxc/debian-dev/rootfs/proc proc nodev,noexec,nosuid 0 0
#lxc.mount.entry=sysfs /etc/lxc/debian-dev/rootfs/sys sysfs defaults 0 0
#lxc.mount.entry=devpts /usr/lib/lxc/rootfs/dev/pts devpts defaults 0 0
#lxc.mount.entry=proc /usr/lib/lxc/rootfs/proc proc defaults 0 0
#lxc.mount.entry=sysfs /usr/lib/lxc/rootfs/sys sysfs defaults 0 0
#lxc.mount.entry=tmpfs /usr/lib/lxc/rootfs/dev/shm tmpfs defaults 0 0
# restrict capabilities:
#lxc.cap.drop = audit_control
#lxc.cap.drop = audit_write
#lxc.cap.drop = mac_admin
#lxc.cap.drop = mac_override
#lxc.cap.drop = setpcap
##lxc.cap.drop = sys_admin
#lxc.cap.drop = sys_boot
#lxc.cap.drop = sys_module
#lxc.cap.drop = sys_rawio
#lxc.cap.drop = sys_time
# By default, don't use lxc.cap.drop = mknod. This will allow mknod to create
# device nodes so build scripts and other things don't fail. Then, we'll
# rely on the devices.deny settings (default deny) to prevent any created
# device nodes inside the container from being used to access the host's
# hardware:
# lxc.cap.drop = mknod
lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.ipv4=10.0.1.1
lxc.network.veth.pair=veth-10.0.1.1
-------------- next part --------------
Attached config_working (lxc.cgroup.devices.deny = a commented out):
lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-dev
#lxc.console = /dev/console
# Device configuration:
# Deny access to all devices:
#lxc.cgroup.devices.deny = a
# Allow only the following devices to be opened:
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
lxc.cgroup.devices.allow = c 1:8 rwm # dev/random
lxc.cgroup.devices.allow = c 1:9 rwm # dev/urandom
lxc.cgroup.devices.allow = c 5:0 rwm # /dev/tty - allows ssh-add/password input
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console - allows lxc-start output
lxc.cgroup.devices.allow = c 254:0 rwm # rtc
#
## # TTYs - we create only 3 TTYs: tty0, tty1, tty2, tty3 - you can create up to 12 (see lxc.tty = 12)
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 4:2 rwm # /dev/tty2
lxc.cgroup.devices.allow = c 4:3 rwm # /dev/tty3
#
## pts namespaces
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
#
#
lxc.rootfs = /dev/vg1/debian-dev
#lxc.rootfs.mount = /usr/lib/lxc/rootfs
#lxc.rootfs.mount = /etc/lxc/debian-dev/rootfs
# mounts point
#lxc.mount.entry=proc /etc/lxc/debian-dev/rootfs/proc proc nodev,noexec,nosuid 0 0
#lxc.mount.entry=sysfs /etc/lxc/debian-dev/rootfs/sys sysfs defaults 0 0
#lxc.mount.entry=devpts /usr/lib/lxc/rootfs/dev/pts devpts defaults 0 0
#lxc.mount.entry=proc /usr/lib/lxc/rootfs/proc proc defaults 0 0
#lxc.mount.entry=sysfs /usr/lib/lxc/rootfs/sys sysfs defaults 0 0
#lxc.mount.entry=tmpfs /usr/lib/lxc/rootfs/dev/shm tmpfs defaults 0 0
# restrict capabilities:
#lxc.cap.drop = audit_control
#lxc.cap.drop = audit_write
#lxc.cap.drop = mac_admin
#lxc.cap.drop = mac_override
#lxc.cap.drop = setpcap
##lxc.cap.drop = sys_admin
#lxc.cap.drop = sys_boot
#lxc.cap.drop = sys_module
#lxc.cap.drop = sys_rawio
#lxc.cap.drop = sys_time
# By default, don't use lxc.cap.drop = mknod. This will allow mknod to create
# device nodes so build scripts and other things don't fail. Then, we'll
# rely on the devices.deny settings (default deny) to prevent any created
# device nodes inside the container from being used to access the host's
# hardware:
# lxc.cap.drop = mknod
lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.ipv4=10.0.1.1
lxc.network.veth.pair=veth-10.0.1.1
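As an added example (not code from the thread or from LXC), a small Python evaluator that replays the lxc.cgroup.devices.* rules of the two attached configs with cgroup-v1 devices-controller semantics; the excerpt of rules, the device numbers and the probe list are assumptions. It shows which devices the deny-all whitelist still permits, and that the "working" config, with the deny line commented out, restricts nothing at all, so switching to it gives the container access to every host device.

```python
import re

# Constructed excerpt of the rules shared by both attached configs; they differ
# only in whether the 'deny = a' line is active, as the diff in the mail shows.
SHARED_RULES = """
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
"""
CONFIG_NOTWORKING = "lxc.cgroup.devices.deny = a\n" + SHARED_RULES
CONFIG_WORKING = "#lxc.cgroup.devices.deny = a\n" + SHARED_RULES

RULE_RE = re.compile(
    r"^\s*lxc\.cgroup\.devices\.(allow|deny)\s*=\s*(\S+)(?:\s+(\S+)\s+([rwm]+))?")

def whitelist(config):
    """Replay the rules with cgroup-v1 'devices' semantics: the whitelist starts as
    'a *:* rwm' (everything), 'deny = a' empties it, each allow line appends an
    entry. Commented lines never match RULE_RE. Partial denies are out of scope."""
    wl = [("a", "*", "*", "rwm")]          # entries: (type, major, minor, access)
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        action, dtype, devnum, access = m.groups()
        if action == "deny" and dtype == "a":
            wl = []
        elif action == "allow" and devnum:
            major, minor = devnum.split(":")
            wl.append((dtype, major, minor, access))
    return wl

def allowed(wl, dtype, major, minor, access="rw"):
    """True if some whitelist entry covers the device with every requested bit."""
    return any(t in ("a", dtype) and ma in ("*", str(major))
               and mi in ("*", str(minor)) and set(access) <= set(acc)
               for t, ma, mi, acc in wl)

# Devices a getty on the container's tty1 and the pts behind lxc-console touch,
# plus a host block device that a device whitelist is meant to keep out (assumed).
PROBES = {"/dev/tty1": ("c", 4, 1), "/dev/console": ("c", 5, 1),
          "/dev/ptmx": ("c", 5, 2), "/dev/pts/3": ("c", 136, 3),
          "/dev/sda (host disk)": ("b", 8, 0)}

def denied(config):
    """Names from PROBES that the config's device cgroup would refuse."""
    wl = whitelist(config)
    return [n for n, (t, ma, mi) in PROBES.items() if not allowed(wl, t, ma, mi)]
```

With the deny line active only the host disk is refused; with it commented out nothing is, because the allow lines merely re-add entries to a whitelist that already contains everything.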