[lxc-users] lxc-console not working on centos 7 container

CDR venefax at gmail.com
Thu Feb 12 08:05:18 UTC 2015


What changes do I need to do at the host level so my privileged systemd
containers may work?
I am using Ubuntu 14.04, and there is systemd

On Thu, Feb 12, 2015 at 3:00 AM, Fajar A. Nugraha <list at fajar.net> wrote:

> You DID read that I asked for "lxc-start -F"?
>
> It's entirely possible that your container's systemd freezes, thus
> nothing is listening on its tty1. And if you don't have systemd cgroup
> mounted on the host (which is what cgroupfs-mount is for), it would
> certainly be the case.
>
> --
> Fajar
>
> On Thu, Feb 12, 2015 at 2:50 PM, CDR <venefax at gmail.com> wrote:
> > I cannot get past this
> > root at ubuserver:/var/lib/lxc/c7v# lxc-console -n c7v
> >
> > Connected to tty 1
> > Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
> >
> >
> > On Thu, Feb 12, 2015 at 2:41 AM, CDR <venefax at gmail.com> wrote:
> >>
> >> I cannot make this solution work.
> >> There are a lot of errors.
> >>
> >>
> >> On Thu, Feb 12, 2015 at 1:19 AM, CDR <venefax at gmail.com> wrote:
> >>>
> >>> Thanks. I think Serge may want to change permanently the config and
> >>> other in the on-line template so Centos 7 does work right away.
> >>>
> >>>
> >>> On Thu, Feb 12, 2015 at 1:08 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> >>>>
> >>>> So after some experiments, this is what I have: http://goo.gl/7p3nUI
> >>>> - create c7 container, e.g.
> >>>> lxc-create -n c7v -t download -B zfs --zfsroot rpool/lxc -- -d centos
> >>>> -r 7 -a amd64
> >>>>
> >>>> - edit config file. See "config" on that gdrive link, look for
> >>>> "Manual additions"
> >>>>
> >>>> - place script/systemd_create_cgroup in the correct path (whatever you
> >>>> use the config file), chmod 700
> >>>>
> >>>> - start the container.
> >>>>
> >>>> This is similar to what I did for fedora20, on
> >>>> https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html
> >>>>
> >>>> What works that previously didn't:
> >>>> - lxc-console
> >>>> - default apparmor container profile (so, for example, you can't mess
> >>>> up host's cgroup allocation)
> >>>> - default lxc.cap.drop (although you might want to remove sys_nice if
> >>>> you have apps that depend on it)
> >>>> - rsyslogd now always starts correctly (previously there could be stale
> >>>> PIDs on /var/run)
> >>>>
> >>>> What still does NOT work: unprivileged container
> >>>> I tried backporting F22's systemd-218 plus ubuntu vivid's changes
> >>>> (RPMS and SPECS folder), but it wasn't enough to run unprivileged
> >>>> container.
> >>>>
> >>>> It should be reasonably safer than allow-the-container-to-do-anything
> >>>> approach previously needed for c7.
> >>>>
> >>>> --
> >>>> Fajar
> >>>>
> >>>> On Fri, Feb 6, 2015 at 9:35 PM, CDR <venefax at gmail.com> wrote:
> >>>> > Thanks.
> >>>> > I love Ubuntu as a host for LXC. I just got addicted to systemctl and
> >>>> > writing *.service files. It is much more sophisticated than the older
> >>>> > way of starting and stopping applications.
> >>>> >
> >>>> > On Fri, Feb 6, 2015 at 8:40 AM, Fajar A. Nugraha <list at fajar.net> wrote:
> >>>> >>
> >>>> >> On Fri, Feb 6, 2015 at 8:15 PM, CDR <venefax at gmail.com> wrote:
> >>>> >> > Thanks for the response.
> >>>> >> > I disable selinux and apparmor routinely. My containers are just a way
> >>>> >> > to separate applications, there are no users accessing them, nothing
> >>>> >> > bad can happen.
> >>>> >> > So basically you are saying that there is no way to run Centos 7
> >>>> >> > under an Ubuntu host.
> >>>> >>
> >>>> >> No. What I'm saying is when you use c7 container (and possibly most
> >>>> >> newer-systemd-based distros) under ubuntu host:
> >>>> >> - you can't use lxc-console
> >>>> >> - root on your container can mess up the host
> >>>> >>
> >>>> >> It shouldn't really matter for your use case, since "lxc-attach" works
> >>>> >> just fine (you DO know about lxc-attach?), and you don't really care
> >>>> >> about user access anyway.
> >>>> >>
> >>>> >> This should improve in the future as debian/ubuntu is also moving
> >>>> >> towards systemd (lxcfs is supposed to help), however currently the
> >>>> >> required level of support/integration is just not there yet.
> >>>> >>
> >>>> >> Since your main use case is "separate applications", docker might be a
> >>>> >> better candidate. And when you use c7-based docker container under c7
> >>>> >> host, you might even get better protection since they integrate
> >>>> >> selinux.
> >>>> >>
> >>>> _______________________________________________
> >>>> lxc-users mailing list
> >>>> lxc-users at lists.linuxcontainers.org
> >>>> http://lists.linuxcontainers.org/listinfo/lxc-users
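
Added example, not part of the thread or of LXC: a host-side check for the two points discussed above, whether the name=systemd cgroup hierarchy is mounted (cgroup v1, as on the Ubuntu 14.04 host here) and whether a container config disables the AppArmor profile or empties lxc.cap.drop. The demo config is constructed; the "Manual additions" from the linked config are not on this page.

```shell
#!/bin/sh
# Added example, not from the thread. Key names are LXC 1.x (lxc.aa_profile);
# lxc.apparmor.profile is the later spelling of the same key.

# audit_lxc_config FILE: print one finding per line; no output means neither
# relaxed setting is in effect after the file's last assignment.
audit_lxc_config() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            p = index($0, "="); if (!p) next     # only key = value lines
            key = substr($0, 1, p - 1); val = substr($0, p + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "lxc.aa_profile" || key == "lxc.apparmor.profile" { aa = val }
        # An empty lxc.cap.drop clears every capability dropped so far,
        # including those set by an included common config.
        key == "lxc.cap.drop" { cleared = (val == "") }
        END {
            if (aa == "unconfined") print "apparmor: container runs unconfined"
            if (cleared) print "cap.drop: drop list cleared and left empty"
        }
    ' "$1"
}

# has_systemd_cgroup [MOUNTS]: succeed if a cgroup (v1) mount carries the
# name=systemd option. Defaults to the live table in /proc/mounts.
has_systemd_cgroup() {
    awk '$3 == "cgroup" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "name=systemd") found = 1
         }
         END { exit !found }' "${1:-/proc/mounts}"
}

# Demo on a constructed config (sample values, not the config from the thread).
demo=$(mktemp)
cat > "$demo" <<'EOF'
lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.aa_profile = unconfined
lxc.cap.drop =
EOF
audit_lxc_config "$demo"
rm -f "$demo"
if has_systemd_cgroup; then echo "host: name=systemd cgroup mounted"
else echo "host: name=systemd cgroup NOT mounted"; fi
```

The audit only sees assignments in the file it is given; settings pulled in through lxc.include are not followed.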