[Lxc-users] systemd inside LXC

[Serge Hallyn]

Quoting Michael H. Warfield (mhw at WittsEnd.com):
> On Sun, 2012-10-21 at 14:49 -0500, Serge Hallyn wrote:
> > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > Serge,
> > > 
> 
> ...
> 
> > > Short of building a custom systemd, I don't know how to fix that problem
> > > and I suspect this OP is going to run into this same thing (container
> > > taking over host's console) and might explain some of what he's seeing.
> > > Several of these look like they could cause problems (like /dev/pts in
> > > there).  I've really reached an impasse at getting systemd (at least
> > > Fedora 16 and 17) to work in a container without screwing up the host.
> > > Prohibiting mounts entirely in the container might work but I suspect
> > > (having read some systemd error messages) systemd is going to have some
> > > serious heartburn there.
> > > 
> > > Thoughts?
> > 
> > IIRC, simply having apparmor(/selinux) refuse the mount of /dev by the
> > container should work, i.e. systemd was not going to fail as a result.
> 
> Hopefully, you've seen the message from Kay Sievers cc'ed to this list
> from my post to the systemd-devel list.  Looks like they have a
> mechanism in place to do this...
> 
> http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface

Saw the email, haven't yet read the page, thanks.

> First step appears to be to set a container=LXC (or some other short
> string) before invoking init in the container.  Is there a mechanism to
> do this?

We've been setting 'container=lxc' since before system existed :)  It's
hardcoded in lxc_start.c using putenv.c.  I don't think we want to make
it runtime configurable, but a build-time (configure) flag would be fine.

> Might look over the rest of their recommendation and see if there's
> anything else we need to do.  Looks like there might be some additional
> mounts (some read-only) in there that need to be handled in lxc-start as
> well.

Thanks, Michael!

-serge