[Lxc-users] Libvirt-bin in lxc

Serge Hallyn serge.hallyn at canonical.com
Thu Nov 8 05:15:30 UTC 2012


Quoting 宣铭艺 (xuanmingyi at gmail.com):
> 2012/11/7 Serge Hallyn <serge.hallyn at canonical.com>
> 
> > Quoting 宣铭艺 (xuanmingyi at gmail.com):
> > > Hi
> > > I can't use libvirt-bin in lxc. Who can tell me why and how to do it?
> > >
> > > I have mknod'ed some devices, such as kvm and hpet.
> > >
> > > This is the lxc config file:
> > > http://paste.ubuntu.com/1338853/
> > >
> > > This is the strace message (strace virsh start cflinux):
> > > http://paste.ubuntu.com/1338862/
> > >
> > > It reports the message:
> > > error: Failed to start domain cflinux
> > > error: internal error cannot load AppArmor profile
> > > 'libvirt-85b4d415-244d-4719-a2da-843de0641373'
> >
> > Looks like you'll have to use lxc.aa_profile = unconfined.
> >
> > In raring we should have support for stacking apparmor profiles
> > which will allow you to have a confined container which can still
> > load profiles.
> >
> > -serge
> >
> 
> If I use lxc.aa_profile = unconfined, the lxc system can't install
> libvirt-bin. It said
> """
> Setting up cgroup-lite (1.1.2) ...
> start: Job failed to start
> invoke-rc.d: initscript cgroup-lite, action "start" failed.
> dpkg: error processing cgroup-lite (--configure):
>  subprocess installed post-installation script returned error exit status 1
> dpkg: dependency problems prevent configuration of libvirt-bin:
>  libvirt-bin depends on cgroup-lite | cgroup-bin; however:
>   Package cgroup-lite is not configured yet.
>   Package cgroup-bin is not installed.
> dpkg: error processing libvirt-bin (--configure):
>  dependency problems - leaving unconfigured
> """

No, that's likely a different problem.  Are you using the mountcgroups
pre-mount hook?

What should happen is the pre-mount hook pre-mounts /sys/fs/cgroup/*,
then when cgroup-lite is installed and starts, it sees that cgroups
are already mounted and quietly exits with success.  Then libvirt can
install, and it can load its own apparmor profiles because the container
is running unconfined.

> So I must use my own aa_profile.

No, that won't help.

-serge



