[Lxc-users] mknod inside systemd container

Michael H. Warfield mhw at WittsEnd.com
Wed Apr 3 22:15:23 UTC 2013


On Wed, 2013-04-03 at 23:03 +0100, John wrote:
> On 02/04/13 23:59, Michael H. Warfield wrote:
> > On Tue, 2013-04-02 at 16:02 +0100, John wrote:
> >> If my understanding is correct, to stop systemd trying to launch udev
> >> and generally make a mess of everything inside a container, you need to
> >> remove the mknod capability from the container.
> > Ah...  That's kind of old information and not really effective.
> >
> >> But what if I want
> >> (need) to be able to use mknod inside a container, how can I do that
> >> with a systemd container?
> > 1) Get the latest lxc.  lxc 0.8 might suffice for systemd in a container
> > but not with systemd in the host and I wouldn't recommend it.  0.9.0 is
> > being pulled and bundled now.  It's not up yet but 0.9.0.rc1 is.
> >
> > 2) You'll have to add "lxc.autodev = 1" to your configuration file.

> I already do that. I am running "lxc version: 0.9.0.alpha3"

That's strange.  What stops systemd from mounting devtmpfs and firing up
udev is having a tmpfs mounted on /dev.  That's part of what autodev = 1
is doing.

What distro is running in the container and what version of systemd?
I've seen this with Fedora 16 but the latest systemd and Fedora 17 in
the container are fine.

> I found that, without the removal of mknod capability, everything went 
> crazy. I have working containers with systemd both on host and inside 
> the container (I even run my full desktop inside a container). To get a 
> systemd container working I found I needed three things:

> lxc.autodev = 1
> lxc.cap.drop = mknod

I'm not having to do that but I'm avoiding F15 and F16 because they
don't seem to play nice and start reliably.  F17 is doing well for me.

> lxc.pts = 1024
> 
> It's all working well except for the fact that I might need to allow a 
> container to have mknod capability. Are you saying that with 0.9.0 there 
> are changes that negate the requirement for "lxc.cap.drop = mknod"? The 
> way I understood it was that it was systemd that behaved differently 
> based on the availability of that capability...
> 
> 
> > I have found that this works to get recent systemd containers (Fedora
> > 17) to work but Fedora 15 and Fedora 16 (neither of which are supported
> > any longer) work due to udev / systemd interaction.
> >
> > I would recommend waiting a couple of days until 0.9.0 is up and then
> > pulling it down and building it.  That's your best shot with systemd.
> >
> >> I have this container that is a builder of system images for other nodes
> >> (containers and/or metal boxes). In order to correctly do this it needs
> >> to execute mknod inside the image as it builds it. (note, device nodes
> >> created doesn't need to be usable in the context of the image being
> >> built - the builder just needs to be able to create it).
> >>
> >> I've been doing this for ages under sysvinit and it's been fine. I have
> >> just migrated this builder container to systemd and hit this problem...
> >> Is there another way to keep systemd in line other than removing the
> >> mknod capability ?
> >>
> >> Thanks,
> >> John
> >>
> >> _______________________________________________
> >> Lxc-users mailing list
> >> Lxc-users at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/lxc-users

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
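A small diagnostic for the two settings discussed in this thread, added here as an example (it is not code from the thread or from the LXC project): run inside the container, it reads /proc/mounts and /proc/self/status to report whether /dev is backed by a tmpfs (what lxc.autodev = 1 provides) and whether CAP_MKNOD is still in the capability bounding set (what lxc.cap.drop = mknod removes). The sample inputs at the bottom are constructed; CAP_MKNOD is bit 27 as defined in linux/capability.h.

```python
"""Report whether /dev is a tmpfs and whether CAP_MKNOD is in the bounding set.

The parsing functions take text rather than file handles so they can be
exercised on constructed samples as well as on the live /proc files."""
import re

CAP_MKNOD = 27  # capability bit index from linux/capability.h


def dev_fstype(mounts_text):
    """Return the filesystem type mounted on /dev, or None if nothing is."""
    fstype = None
    # /proc/mounts fields: device mountpoint fstype options dump pass
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "/dev":
            fstype = fields[2]  # a later mount over /dev shadows an earlier one
    return fstype


def cap_in_bounding_set(status_text, cap):
    """Parse the CapBnd line of /proc/<pid>/status and test one capability bit."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd line in status text")
    return bool(int(m.group(1), 16) >> cap & 1)


def container_report(mounts_text, status_text):
    """Summarise the two conditions the thread discusses."""
    fstype = dev_fstype(mounts_text)
    return {
        "dev_fstype": fstype,
        "dev_is_tmpfs": fstype == "tmpfs",  # autodev-style /dev
        "has_cap_mknod": cap_in_bounding_set(status_text, CAP_MKNOD),
    }


# Constructed samples: a container with autodev and mknod dropped from the
# bounding set (full 37-bit mask 0x1fffffffff with bit 27 cleared).
SAMPLE_MOUNTS = """\
/dev/root / ext4 rw,relatime 0 0
none /dev tmpfs rw,relatime,size=100k,mode=755 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620 0 0
"""
SAMPLE_STATUS = "Name:\tsystemd\nCapEff:\t0000001ff7ffffff\nCapBnd:\t0000001ff7ffffff\n"

if __name__ == "__main__":
    with open("/proc/mounts") as m, open("/proc/self/status") as s:
        print(container_report(m.read(), s.read()))
```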