[lxc-users] Converting from libvirt lxc

Serge Hallyn serge.hallyn at ubuntu.com
Fri Dec 4 21:43:49 UTC 2015


Quoting Peter Steele (pwsteele at gmail.com):
> On 12/03/2015 08:42 PM, Fajar A. Nugraha wrote:
> >lxc.autodev = 1
> >
> >That is not common.conf (though I'm not sure whether it matters)
> I included this early on when I was encountering the funky udev
> issue. It didn't help but I kept it in place, admittedly for no good
> reason.
> >lxc.kmsg = 0
> >
> >Neither is that. Though it should be the default value
> In my original tests with LXC 1.0.7 I hit an issue where systemd on
> my containers was running at 100%. I did some research and found the
> problem described with the solution suggested being to add this
> lxc.kmsg line. This did in fact solve the problem. I just did a test
> without this though and the CPU issue did not occur, so presumably
> LXC 1.1.5 has fixed this problem.
> >
> >    # Remove capabilities we don't want in containers
> >    lxc.cap.drop = mac_admin mac_override sys_time sys_module
> >
> >centos.common.conf also has  lxc.cap.drop = sys_nice sys_pacct
> >sys_rawio. You don't have that.
> >
> I excluded this line because we need sys_nice enabled in our
> containers. I wasn't sure about sys_pacct and sys_rawio and was
> going to do more investigation on these later.
> 
> >    lxc.cgroup.devices.allow = c 5:0 rwm
> >
> >
> >    lxc.cgroup.devices.allow = c 136:* rwm
> >    ## /dev/ptmx pty master
> >    lxc.cgroup.devices.allow = c 5:2 rwm
> >
> >
> >you're missing 5:1 (console), 10:229 (fuse). Both are in common.conf.
> >
> There was in fact no common.conf in the 1.0.7 release I originally
> was using, and the centos.common.conf did not have the console and
> fuse entries. When I switched to 1.1.5 common.conf was introduced
> and these device definitions were moved there. I took a quick look
> at these definitions and added the fuse entry but didn't notice
> console had been added as well. Thanks for noticing this.
> >
> >Is there a reason why you didn't test simply using the same
> >config, which also does the "includes" instead of copying SOME of
> >them? Is there a reason why you don't copy ALL of them? It should
> >be easier to start with a known good setup, then do incremental
> >changes.
> Well, as I said we need sys_nice and so that was one reason why I
> didn't want to use the config files directly. I also noticed that
> proc was mounted in mixed mode and we need at least some rw access
> to a portion of /proc/sys, and I thought I'd probably need to change
> this mixed entry. Since all of our work is based on centos, I also
> didn't see the need to include the lxc-templates rpm in my package
> set. Our server is based on a minimal centos config and I try to
> avoid adding additional rpms if I can avoid it.
> 
> That said, I did change my install framework this morning to include
> lxc-templates and to use centos.common.conf and common.conf directly
> rather than rely on my manually crafted version. This causes
> sys_nice to be dropped, as I just mentioned above, and I need to
> solve that problem. So, if I have this:
> 
> lxc.include = /usr/share/lxc/config/centos.common.conf
> 
> can I then add the entry
> 
> lxc.cap.keep = sys_nice
> 
> after this? Based on the description in the man page I assume this
> will not just add this one capability but will instead remove
> everything except this. So, what's the correct way to use
> common.conf and to re-add dropped capabilities?

Sadly there's no good way to do that purely through config.  You can
do it through the api by querying the current lxc.cap.drop value,
pulling sys_nice out of it, then clearing lxc.cap.drop
(set_config_item(lxc.cap.drop, "")) and re-setting it to the new
full value.  But not purely through config files.
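The API sequence described in the reply, written out as an added example (this is not code from the thread or from the LXC project). It assumes the python3-lxc binding is installed, that the container is stopped, and that the container name "c1" and the capability lists used below are constructed sample inputs. The reply's `set_config_item("lxc.cap.drop", "")` step is kept in preference to `clear_config_item` because, as I understand the 1.1-series liblxc behaviour, an empty assignment both clears the in-memory list and is written out to the saved config as a clearing line after the `lxc.include`, so the clear survives the next reload; treat that reading as an assumption and check the saved config afterwards.

```python
"""Re-enable a capability that an included config such as
centos.common.conf drops, by rewriting lxc.cap.drop through the liblxc API.

Added example; assumes the python3-lxc binding.  The container name and
capability lists are hypothetical sample inputs.
"""


def recompute_cap_drop(current, keep):
    """Return the lxc.cap.drop value with every capability in `keep` removed.

    `current` is what get_config_item("lxc.cap.drop") returns: liblxc emits
    the effective list (includes already applied) one capability per line,
    so whitespace splitting handles it; a Python list is accepted as well.
    Order is preserved and duplicates from stacked includes are collapsed.
    """
    caps = current.split() if isinstance(current, str) else list(current)
    keep = {cap.strip().lower() for cap in keep}
    seen = set()
    result = []
    for cap in caps:
        cap = cap.strip().lower()
        if not cap or cap in keep or cap in seen:
            continue
        seen.add(cap)
        result.append(cap)
    return " ".join(result)


def reenable_caps(container_name, keep, config_path=None):
    """Rewrite lxc.cap.drop on a (stopped) container so `keep` is not dropped.

    Follows the sequence from the reply: read the effective lxc.cap.drop,
    pull `keep` out of it, clear the key with an empty value, set the new
    full value, then persist the config.  Returns the new value.
    """
    import lxc  # python3-lxc binding; assumed to be installed

    c = lxc.Container(container_name, config_path)
    if not c.defined:
        raise RuntimeError("container %s has no config" % container_name)
    if c.running:
        raise RuntimeError("stop %s before changing its capabilities" % container_name)

    current = c.get_config_item("lxc.cap.drop")
    new_value = recompute_cap_drop(current, keep)

    # Empty value == clear (the reply's set_config_item(lxc.cap.drop, "")).
    # Assumption: this is also what is written out, so the clear persists.
    if not c.set_config_item("lxc.cap.drop", ""):
        raise RuntimeError("failed to clear lxc.cap.drop")
    if new_value and not c.set_config_item("lxc.cap.drop", new_value):
        raise RuntimeError("failed to set lxc.cap.drop")
    if not c.save_config():
        raise RuntimeError("failed to save config for %s" % container_name)
    return new_value


if __name__ == "__main__":
    # Hypothetical container: keep sys_nice, drop whatever the includes drop.
    print(reenable_caps("c1", {"sys_nice"}))
```

After running it, `lxc-checkconfig`-style sanity checking is not enough; open the container's config and confirm that the rewritten `lxc.cap.drop` lines sit after the `lxc.include` line, otherwise the include will re-add `sys_nice` to the drop list on the next load.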
