[lxc-users] Converting from libvirt lxc

Peter Steele pwsteele at gmail.com
Fri Dec 4 17:23:19 UTC 2015 

On 12/03/2015 08:42 PM, Fajar A. Nugraha wrote:
> lxc.autodev = 1
>
> That is not common.conf (though I'm not sure whether it matters)
I included this early on when I was encountering the funky udev issue. 
it didn't help but I kept it in place, admittedly for no good reason.
> lxc.kmsg = 0
>
> Neither is that. Though it should be the default value
In my original tests with LXC 1.0.7 I hit an issue where systemd on my 
containers was running at 100%. I did some research and found the 
problem described with the solution suggested being to add this lxc.kmsg 
line. This did in fact solve the problem. I just did a test without this 
though and the CPU issue did not occur, so presumably LXC 1.1.5 has 
fixed this problem.
>
>     # Remove capabilities we don't want in containers
>     lxc.cap.drop = mac_admin mac_override sys_time sys_module
>
> centos.common.conf also has  lxc.cap.drop = sys_nice sys_pacct 
> sys_rawio. You don't have that.
>
I excluded this line because we need sys_nice enabled in our containers. 
I wasn't sure about sys_pacct and sys_rawio and was going to do more 
investigation on these later.

>     lxc.cgroup.devices.allow = c 5:0 rwm
>
>
>     lxc.cgroup.devices.allow = c 136:* rwm
>     ## /dev/ptmx pty master
>     lxc.cgroup.devices.allow = c 5:2 rwm
>
>
> you' re missing 5:1 (console), 10:229 (fuse). Both are in common.conf.
>
There was in fact no common.conf in the 1.0.7 release I originally was 
using, and the centos.common.conf did not have the console and fuse 
entries. When I switched to 1.1.5 common.conf was introduced and these 
device definitions were moved there. I took a quick look at these 
definitions and added the fuse entry but didn't notice console had been 
added as well. Thanks for noticing this.
>
> Is there a reason why you didn't test simply using the same config, 
> which also does the "includes" instead of copying SOME of them? Is 
> there a reason wht you don't copy ALL of them? It should be easier to 
> start with a known good setup, then do incremental changes.
Well, as I said we need sys_nice and so that was one reason why I didn't 
want to use the config files directly. I also noticed that proc was 
mounted in mixed mode and we need at least some rw access to a portion 
of /proc/sys, and I thought I'd probably need to change this mixed 
entry. Since all of our work is based on centos, I also didn't see the 
need to include the lxc-templates rpm in my package set. Our server is 
based on a minimal centos config and I try to avoid adding additional 
rpms if I can avoid it.

That said, I did change my install framework this morning to include 
lxc-templates and to use centos.common.conf and common.conf directly 
rather rely on than my manually crafted version. This causes sys_nice to 
be dropped, as I just mentioned above, and I need to solve that problem. 
So, if I have this:

lxc.include = /usr/share/lxc/config/centos.common.conf

can I then add the entry

lxc.cap.keep = sys_nice

after this? Based on the description in the man page I assume this will 
not just add this one capability but will instead remove everything 
except this. So, what's the correct way to use common.conf and to re-add 
dropped capabilities?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20151204/cff67373/attachment.html>

More information about the lxc-users mailing list