[lxc-users] sshd-keygen fails during container boot
Peter Steele
pwsteele at gmail.com
Fri Dec 11 15:38:37 UTC 2015
On 12/10/2015 06:13 AM, Peter Steele wrote:
> On 12/09/2015 06:43 PM, Serge Hallyn wrote:
>
>> Ok, systemd does behave differently if it shouldn't be able
>> to create devices. If you add
>>
>> lxc.cap.drop = mknod sys_rawio
>>
>> to your configs does that help?
>>
> This did not help. I took it a step further and did an install with the
> lxc capabilities configured to be as similar as possible to my libvirt
> containers and even with this I saw the systemd errors. The only
> difference between the cap sets of the two was cap_audit_control; the
> lxc containers would not start without this capability but libvirt
> containers didn't seem to need it.
>
I don't know if this is relevant, but we are running the 4.0.5 release
of the kernel-ml package set from elrepo. The stock CentOS 7.1 kernel
(3.10) has a bug that impacts bond modes 5 and 6 in containers, so we
had to find an alternative kernel. Other than a problem with RAID 1
mdadm volumes, the 4.0.5 kernel has been solid for us with libvirt based
containers.

I did another test this morning, installing six containers based on the
downloaded CentOS template. When these containers are started
simultaneously there are no errors reported with systemd. I then went
into each container and updated the set of CentOS packages making up the
template to include the additional rpms that we use in our containers.
The default template has something like 157 rpms. After installing the
additional rpms, the containers had 354 installed packages. I then did
another test of shutting down all the containers and restarting them
simultaneously using

    for vm in `lxc-ls`; do lxc-start -n $vm; done

I hit the systemd errors on the very first try. This would seem to imply
the problem may be related to one of the additional CentOS rpms that we
use, although it certainly isn't clear which one (ones?) this might be.
I'm going to iteratively reduce the set of packages we use to try to
narrow down the culprit.
Peter
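
Added example, not part of the original message: one way to make the capability-set comparison between an LXC and a libvirt container repeatable is to decode the CapBnd mask of each container's init process and diff the names. The two status snippets and their masks are constructed sample data, and the function names are hypothetical.

```python
# Capability names by bit number, from include/uapi/linux/capability.h,
# written without the "cap_" prefix, as lxc.cap.drop expects them.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# Constructed excerpts of /proc/<init pid>/status for two containers.
# Both have mknod and sys_rawio dropped; only the LXC one keeps audit_control.
LXC_STATUS = "Name:\tsystemd\nCapEff:\t0000003ff7fdffff\nCapBnd:\t0000003ff7fdffff\n"
LIBVIRT_STATUS = "Name:\tsystemd\nCapEff:\t0000003fb7fdffff\nCapBnd:\t0000003fb7fdffff\n"

def parse_capbnd(status_text):
    """Return the bounding-set mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line found")

def decode(mask):
    """Translate a capability bitmask into a set of names."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number, not hidden.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names

def diff_caps(status_a, status_b):
    """Return (only in a, only in b) as sorted lists of capability names."""
    a, b = decode(parse_capbnd(status_a)), decode(parse_capbnd(status_b))
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    only_lxc, only_libvirt = diff_caps(LXC_STATUS, LIBVIRT_STATUS)
    print("only in LXC container:    ", only_lxc)
    print("only in libvirt container:", only_libvirt)
```

On a live host the input would be the contents of /proc/PID/status for each container's init, where the PID for an LXC container can be obtained with `lxc-info -n NAME -p`.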