[lxc-users] lxc-console not working on centos 7 container
CDR
venefax at gmail.com
Thu Feb 12 06:19:33 UTC 2015
Thanks. I think Serge may want to change permanently the config and other
in the on-line template so Centos 7 does work right away.
On Thu, Feb 12, 2015 at 1:08 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> So after some expmeriments, this is what I have: http://goo.gl/7p3nUI
> - create c7 container, e.g.
> lxc-create -n c7v -t download -B zfs --zfsroot rpool/lxc -- -d centos
> -r 7 -a amd64
>
> - edit config file. See "config" on that gdrive link, look for
> "Manual additions"
>
> - place script/systemd_create_cgroup in the correct path (whatever you
> use the config file), chmod 700
>
> - start the container.
>
> This is similar with what I did for fedora20, on
> https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html
>
> What works that previously doesn't:
> - lxc-console
> - default apparmor container profile (so, for example, you can't mess
> up host's cgroup allocation)
> - default lxc.cap.drop (although you might want to remove sys_nice if
> you have apps that depend on it)
> - rsyslogd now always start correctly (previously there could be stale
> PIDs on /var/run)
>
> What still does NOT work: unpriviledged container
> I tried backporting F22's systemd-218 plus ubuntu vivid's changes
> (RPMS and SPECS folder), but it wasn't enough to run unpriviledged
> container.
>
> It should be reasonably safer than allow-the-container-to-do-anything
> approach previously needed for c7.
>
> --
> Fajar
>
> On Fri, Feb 6, 2015 at 9:35 PM, CDR <venefax at gmail.com> wrote:
> > Thanks.
> > I love Ubuntu as a host for LXC. I just got addicted to systemctl and
> > writing *.service files. It is much more sophisticated than the older
> way of
> > starting and stopping applications.
> >
> > On Fri, Feb 6, 2015 at 8:40 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> >>
> >> On Fri, Feb 6, 2015 at 8:15 PM, CDR <venefax at gmail.com> wrote:
> >> > Thanks for the response.
> >> > I disable selinux and a apparmor routinely. My containers are just a
> way
> >> > to
> >> > separate applications, there are no users accessing them, nothing bad
> >> > can
> >> > happen.
> >> > So basically you are saying that there is no way to run Centos 7 under
> >> > an
> >> > Ubuntu host.
> >>
> >> No. What I'm saying is when you use c7 container (and possible most
> >> newer-systemd-based distros) under ubuntu host:
> >> - you can't use lxc-console
> >> - root on your container can mess up the host
> >>
> >> It shouldn't really matter for your use case, since "lxc-attach" works
> >> just fine (you DO know about lxc-attach?), and you don't really care
> >> about user access anyway.
> >>
> >> This should improve in the future as debian/ubuntu is also moving
> >> towards systemd (lxcfs is supposed to help), however currently the
> >> required level of support/integration is just not there yet.
> >>
> >> Since your main use case is "separate applications", docker might be a
> >> better candidate. And when you use c7-based docker container under c7
> >> host, you might even get better protection since they integrate
> >> selinux.
> >>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150212/ba42dc29/attachment.html>
More information about the lxc-users
mailing list