[lxc-users] Converting from libvirt lxc
Peter Steele
pwsteele at gmail.com
Tue Dec 1 21:32:39 UTC 2015
On 11/30/2015 06:38 PM, Serge Hallyn wrote:
> Hi Peter,
>
> my guess is that udev is starting because the container has
> the capabilities to start. If you look at stock containers
> created using the lxc templates, they tend to include files
> like /usr/share/lxc/config/common.conf, which has
>
> lxc.cap.drop = mac_admin mac_override sys_time sys_module
>
> Likewise, libvirt-lxc by default drops several capabilities,
> but your config file isn't doing that. (You also should probably
> configure the devices cgroup.)
>
> -serge
Thanks Serge. I installed lxc-templates and got a copy of
centos.common.conf. I incorporated the definitions there into my own
scripts and an installed container's config file now looks something
like this:
lxc.mount.auto = proc:rw sys:rw
lxc.tty = 4
lxc.pts = 1024
lxc.devttydir = lxc
lxc.kmsg = 0
lxc.autodev = 1
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.utsname = vm-03
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.veth.pair = vm-03
lxc.network.hwaddr = fe:d6:e8:b7:ba:2e
lxc.rootfs = /hf/cs/vm-03/rootfs
lxc.cgroup.memory.limit_in_bytes = 1073741824
lxc.cgroup.memory.memsw.limit_in_bytes = 2147483648
My containers are coming up but things are running really slowly,
although CPU usage is low. I'm not entirely sure what's going on and
need to do some more digging.
The centos.common.conf file listed several cap.drop entries, but none
seemed particularly relevant to our needs:
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
Our containers are privileged and our software is written with that in
mind, although we certainly don't need a full environment in our
containers. You suggested udev is starting due to capabilities that are
enabled but I'm not sure which ones I need to explicitly drop. I don't
drop any capabilities in my libvirt containers, although I think the
default for libvirt is to automatically drop a large predefined set.
It's clear libvirt has more trimmed from the base configuration than
LXC. My libvirt /dev directory has the following entries:
lrwxrwxrwx 1 root root 10 Nov 30 08:21 console -> /dev/pts/0
lrwxrwxrwx 1 root root 11 Nov 30 08:21 core -> /proc/kcore
lrwxrwxrwx 1 root root 13 Nov 30 08:21 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 Nov 30 08:21 full
crwx------ 1 root root 10, 229 Nov 30 08:21 fuse
drwxr-xr-x 2 root root 0 Nov 30 08:21 hugepages
prw------- 1 root root 0 Nov 30 08:21 initctl
srw-rw-rw- 1 root root 0 Nov 30 08:21 log
drwxrwxrwt 2 root root 40 Nov 30 08:21 mqueue
crw-rw-rw- 1 root root 1, 3 Nov 30 08:21 null
-rw-r--r-- 1 root root 0 Nov 30 08:21 nulld
crw-rw-rw- 1 root root 5, 2 Dec 1 13:15 ptmx
drwxr-xr-x 2 root root 0 Nov 30 08:21 pts
crw-rw-rw- 1 root root 1, 8 Nov 30 08:21 random
drwxrwxrwt 2 root root 40 Nov 30 08:21 shm
lrwxrwxrwx 1 root root 15 Nov 30 08:21 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 Nov 30 08:21 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 Nov 30 08:21 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 Nov 30 08:21 tty
lrwxrwxrwx 1 root root 10 Nov 30 08:21 tty1 -> /dev/pts/0
crw-rw-rw- 1 root root 1, 9 Nov 30 08:21 urandom
crw-rw-rw- 1 root root 1, 5 Nov 30 08:21 zero
whereas under LXC /dev has the following:
crw------- 1 root root 10, 234 Dec 1 11:07 btrfs-control
drwxr-xr-x 2 root root 220 Dec 1 11:07 char
lrwxrwxrwx 1 root root 11 Dec 1 11:07 console -> lxc/console
lrwxrwxrwx 1 root root 11 Dec 1 11:07 core -> /proc/kcore
crw------- 1 root root 10, 203 Dec 1 11:07 cuse
lrwxrwxrwx 1 root root 13 Dec 1 11:07 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 Dec 1 11:48 full
crw-rw-rw- 1 root root 10, 229 Dec 1 11:48 fuse
drwxr-xr-x 2 root root 0 Dec 1 11:07 hugepages
prw------- 1 root root 0 Dec 1 11:07 initctl
srw-rw-rw- 1 root root 0 Dec 1 11:07 log
crw------- 1 root root 10, 237 Dec 1 11:07 loop-control
drwxr-xr-x 2 root root 140 Dec 1 11:07 lxc
drwxr-xr-x 2 root root 60 Dec 1 11:07 mapper
drwxrwxrwt 2 root root 40 Dec 1 11:07 mqueue
drwxr-xr-x 2 root root 60 Dec 1 11:07 net
crw-rw-rw- 1 root root 1, 3 Dec 1 11:48 null
-rw-r--r-- 1 root root 0 Dec 1 11:08 nulld
crw------- 1 root root 108, 0 Dec 1 11:07 ppp
lrwxrwxrwx 1 root root 13 Dec 1 11:07 ptmx -> /dev/pts/ptmx
drwxr-xr-x 2 root root 0 Dec 1 11:07 pts
crw-rw-rw- 1 root root 1, 8 Dec 1 11:48 random
drwxrwxrwt 2 root root 40 Dec 1 11:07 shm
drwxr-xr-x 2 root root 80 Dec 1 11:07 snd
lrwxrwxrwx 1 root root 15 Dec 1 11:07 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 Dec 1 11:07 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 Dec 1 11:07 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root tty 5, 0 Dec 1 11:48 tty
lrwxrwxrwx 1 root root 8 Dec 1 11:07 tty1 -> lxc/tty1
lrwxrwxrwx 1 root root 8 Dec 1 11:07 tty2 -> lxc/tty2
lrwxrwxrwx 1 root root 8 Dec 1 11:07 tty3 -> lxc/tty3
lrwxrwxrwx 1 root root 8 Dec 1 11:07 tty4 -> lxc/tty4
crw------- 1 root root 10, 239 Dec 1 11:07 uhid
crw------- 1 root root 10, 223 Dec 1 11:07 uinput
crw-rw-rw- 1 root root 1, 9 Dec 1 11:48 urandom
drwxr-xr-x 2 root root 60 Dec 1 11:07 vfio
crw------- 1 root root 10, 137 Dec 1 11:07 vhci
crw------- 1 root root 10, 238 Dec 1 11:07 vhost-net
crw-rw-rw- 1 root root 1, 5 Dec 1 11:48 zero
I know how to trim the /dev/ttyN entries to match libvirt, but I'm not
sure what's needed for the others. For example, how do I get rid of
/dev/snd?
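The two settings discussed in this thread (the devices cgroup whitelist and lxc.cap.drop) are easy to get subtly wrong, so here is a small audit script that reads an LXC config and checks them. It is an added example, not code from the thread, from LXC or from libvirt. It emulates the cgroup v1 devices controller as LXC drives it: after "lxc.cgroup.devices.deny = a" an open or mknod succeeds only if some allow rule matches the device type, major, minor and the requested permission (r, w or m). With the config above, "c *:* m" lets udev mknod any character device (which is how nodes such as /dev/snd appear), but opening them for read or write is still denied because no rule grants rw for that major. The sample configs are constructed from the one posted above; the sound-card major 116 used in the comments is the standard ALSA major, and the set of "required" capabilities is just the drops Serge and centos.common.conf mention, assumed here as a baseline:

```python
"""Audit an LXC container config for the devices-cgroup whitelist and the
capability drops discussed in the thread.  Added example, not LXC code."""
import re
from collections import defaultdict

# Constructed sample: the posted config with centos.common.conf's cap.drop
# lines folded in (mount/tty lines omitted for brevity).
SAMPLE_CONFIG = """\
lxc.autodev = 1
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cap.drop = mac_admin mac_override setfcap setpcap
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time
"""

# Same config without any lxc.cap.drop, i.e. the one first posted above.
SAMPLE_CONFIG_NO_CAPS = "\n".join(
    l for l in SAMPLE_CONFIG.splitlines() if not l.startswith("lxc.cap.drop")
) + "\n"

# Baseline drops assumed for this audit (from common.conf / centos.common.conf).
REQUIRED_DROPS = {"mac_admin", "mac_override", "sys_module", "sys_time", "sys_rawio"}


def parse_config(text):
    """Return {key: [value, ...]}.  LXC keys may repeat, so every value is kept in order."""
    conf = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blanks
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()].append(value.strip())
    return conf


def parse_device_rule(rule):
    """'c 136:* rwm' -> ('c', '136', '*', {'r','w','m'}); bare 'a' means all devices."""
    rule = rule.strip()
    if rule == "a":
        return ("a", "*", "*", set("rwm"))
    m = re.fullmatch(r"([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)", rule)
    if not m:
        raise ValueError("unparseable device rule: %r" % rule)
    return (m.group(1), m.group(2), m.group(3), set(m.group(4)))


def device_access_allowed(conf, dev_type, major, minor, perm):
    """Emulate the cgroup v1 devices whitelist: with 'deny = a' in place, an
    access is permitted only if an allow rule matches type/major/minor and perm."""
    if "a" not in conf.get("lxc.cgroup.devices.deny", []):
        return True  # no default deny: every host device node is reachable
    for rule in conf.get("lxc.cgroup.devices.allow", []):
        t, maj, mn, perms = parse_device_rule(rule)
        if t != "a" and t != dev_type:
            continue
        if maj not in ("*", str(major)) or mn not in ("*", str(minor)):
            continue
        if perm in perms:
            return True
    return False


def dropped_caps(conf):
    """Union of every lxc.cap.drop line."""
    caps = set()
    for value in conf.get("lxc.cap.drop", []):
        caps.update(value.split())
    return caps


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if "a" not in conf.get("lxc.cgroup.devices.deny", []):
        findings.append("no 'lxc.cgroup.devices.deny = a': any host device node can be opened")
    for rule in conf.get("lxc.cgroup.devices.allow", []):
        _, maj, _, perms = parse_device_rule(rule)
        if maj == "*" and perms & {"r", "w"}:  # wildcard major with read/write
            findings.append("wildcard allow grants read/write: %s" % rule)
    missing = REQUIRED_DROPS - dropped_caps(conf)
    if missing:
        findings.append("capabilities not dropped: %s" % " ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for name, text in (("posted config", SAMPLE_CONFIG_NO_CAPS), ("with cap.drop", SAMPLE_CONFIG)):
        conf = parse_config(text)
        print(name, "->", audit(conf) or "no findings")
        # /dev/snd (ALSA, char major 116): mknod is allowed, open is not
        print("  snd mknod:", device_access_allowed(conf, "c", 116, 0, "m"),
              " snd read:", device_access_allowed(conf, "c", 116, 0, "r"))
```

Point it at a real container config with parse_config(open(path).read()); the same audit and device_access_allowed checks apply. Note that this models only the devices cgroup: whether udev runs at all, and therefore whether those extra nodes get created, is governed by the capabilities and the init system inside the container, which the cap.drop check covers only in part.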