[lxc-users] Live Migration of a Container (Tycho Andersen)

Thouraya TH thouraya87 at gmail.com
Wed Feb 4 13:13:10 UTC 2015


Yes, I haven't modified the script; it's as on this URL:
http://tycho.ws/blog/2014/09/container-migration.html

Bests.

2015-02-04 12:54 GMT+01:00 <lxc-users-request at lists.linuxcontainers.org>:

> Today's Topics:
>
>    1. Live Migration of a Container (Thouraya TH)
>    2. Re: Live Migration of a Container (Tycho Andersen)
>    3. Unprivileged containers on Debian Jessie (Xavier Gendre)
>    4. unprivileged container with zfs backing (Adam Gold)
>    5. Re: unprivileged container with zfs backing (Fajar A. Nugraha)
>    6. Re: unprivileged container with zfs backing (Adam Gold)
>    7. Re: [Marketing Mail] Re: unprivileged container with zfs
>       backing (Jäkel)
>    8. Re: unprivileged container with zfs backing (Fajar A. Nugraha)
>    9. Re: unprivileged container with zfs backing (Fajar A. Nugraha)
>
>
> ---------- Forwarded message ----------
> From: Thouraya TH <thouraya87 at gmail.com>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Cc:
> Date: Tue, 3 Feb 2015 13:06:56 +0100
> Subject: [lxc-users] Live Migration of a Container
> Hello,
>
> *1)* Please, can you explain the details of this command:
>
> $ sudo ./migrate u1 ubuntu at criu2.local
>
> I try:
> ./migrate u1 root at g-3.xxx.yyyyy.zz
> Bad number of args.
> -bash container user at host.to.migrate.to
>
> *2) *
> Is there a tutorial that specifies the data that will be imported during
> a migration of a container? only CRIU images?
>
> Thanks a lot for help.
>
> Best Regards.
>
> Thouraya.
>
>
>
> ---------- Forwarded message ----------
> From: Tycho Andersen <tycho.andersen at canonical.com>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Cc:
> Date: Tue, 3 Feb 2015 14:12:17 +0200
> Subject: Re: [lxc-users] Live Migration of a Container
> On Tue, Feb 03, 2015 at 01:06:56PM +0100, Thouraya TH wrote:
> > Hello,
> >
> > *1)* Please, can you explain the details of this command:
> >
> > $ sudo ./migrate u1 ubuntu at criu2.local
> >
> > I try:
> > ./migrate u1 root at g-3.xxx.yyyyy.zz
> > Bad number of args.
> > -bash container user at host.to.migrate.to
>
> Hmm. Are you using the migrate script unmodified?
>
> > *2) *
> > Is there a tutorial that specifies the data that will be imported during
> > a migration of a container? only CRIU images?
>
> Both the CRIU images and the container disk will be moved; you can see
> this because there are two calls to do_rsync in the script.
>
> Tycho
>
> > Thanks a lot for help.
> >
> > Best Regards.
> >
> > Thouraya.
>
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>
>
>
>
> ---------- Forwarded message ----------
> From: Xavier Gendre <gendre.reivax at gmail.com>
> To: lxc-users at lists.linuxcontainers.org
> Cc:
> Date: Wed, 04 Feb 2015 10:34:07 +0100
> Subject: [lxc-users] Unprivileged containers on Debian Jessie
> Hi,
>
> following the hints given by Serge Hallyn on the lxc-devel list, I managed
> to run an unprivileged container on my Debian Jessie \o/
>
> Now, I want to avoid manual handling and get it working on startup. Thus, I
> permanently set kernel.unprivileged_userns_clone to 1 and created a systemd
> service to run the following script:
>
> #!/bin/bash
>
> # Let newly created cpuset cgroups inherit their parent's cpuset settings
> echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
>
> # Allowed users
> lxc_users="user1 user2"
>
> # Create a per-user sub-cgroup in every controller and hand it to that user
> for u in $lxc_users; do
>   for d in /sys/fs/cgroup/*; do
>     mkdir -p "$d/$u"
>     chown -R "$u": "$d/$u"
>   done
> done
>
> The only thing that I need now is to put a 'good' PID in the tasks files
> in order to be allowed to start my unprivileged containers. I can do that
> by logging in as an allowed user and putting the PID of the current shell in
> my tasks file. But this solution is volatile and has to be done on each
> startup for each container :-/
>
> Is my approach good? Maybe there is a simpler solution to my problem... If
> this is the way, how can I put a valid PID in the tasks files of the
> allowed users on startup in order, for example, to autostart some
> unprivileged containers?
>
> Thanks,
> Xavier
>
>
>
> ---------- Forwarded message ----------
> From: Adam Gold <awg1 at gmx.com>
> To: lxc-users at lists.linuxcontainers.org
> Cc:
> Date: Wed, 04 Feb 2015 09:58:04 +0000
> Subject: [lxc-users] unprivileged container with zfs backing
> I'm trying to set up an unprivileged container with user lxcd using a
> zfs filesystem (equivalent of a btrfs subvolume) for each container.  I'm
> aware that for unprivileged container creation, the zfs filesystem has to
> be manually created.  My zfs filesystem is:
>
> zfs (the pool)
> zfs/lxc
> zfs/lxc/containers
>
>
> The above has been created using the 'zfs create ...' and I have run
> chown -R lxcd:lxcd ./lxc.  The umask is the default 022.
>
> In ~/.config/lxc/lxc.conf I have: 'lxc.lxcpath = /zpool1/lxc/containers'
> In ~/.config/lxc/default.conf I have:
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> lxc.network.type = veth
> lxc.network.link = lxcbr0
> lxc.network.flags = up
> lxc.network.name = eth0
> lxc.network.hwaddr = 00:16:3e:xx:xx:xx
>
> Here's the problem: I try to create a container c1 with the zfs
> filesystem already in place so the first thing I do is run, as root,
> 'zfs create zfs/lxc/containers/c1' and then chown -R lxcd:lxcd ./c1.
>
> I then run 'lxc-create -t download -n c1 -B dir -- -dist ubuntu -release
> trusty -arch amd64' and get the following error:
> lxc_container: lxccontainer.c: create_partial: 164 Permission denied -
> Erorr creating partial file
> lxc_container: lxc_create.c: main: 271 Error creating container c1
>
> When I check, c1 directory is empty.
>
> I think this is zfs-lxc related (as opposed to just lxc) because if I
> remove the zfs/lxc/containers/c1 filesystem and run the same command
> which now attempts to create the container on a simple dir backing store
> there is no problem.
>
> I've also tried manually creating the directory rootfs underneath c1 and
> then running 'lxc-create -t download -n c1 -B dir --dir
> /zfs/lxc/containers/c1/rootfs -- -dist ubuntu -release trusty -arch
> amd64' but I get the same error messages.
>
> I guess then, the only time it works in zfs, is when the location for
> creating containers is specified in ~/.config/lxc/lxc.conf and the
> rootfs directory of the new container is two dirs down from the root of
> the nearest zfs filesystem (in my example which works:
> zfs/lxc/containers is the specified location, the container rootfs is
> zfs/lxc/containers/c1/rootfs).
>
> In summary, I would like each unprivileged container to run on top of a
> new zfs filesystem which I create as root and assign relevant ownership
> to. Is this possible?
>
>
>
> ---------- Forwarded message ----------
> From: "Fajar A. Nugraha" <list at fajar.net>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Cc:
> Date: Wed, 4 Feb 2015 17:10:36 +0700
> Subject: Re: [lxc-users] unprivileged container with zfs backing
> On Wed, Feb 4, 2015 at 4:58 PM, Adam Gold <awg1 at gmx.com> wrote:
>
>> In summary, I would like each unprivileged container to run on top of a
>> new zfs filesystem which I create as root and assign relevant ownership
>> to. Is this possible?
>>
>
> should be possible, BUT not with lxc-create.
>
> The easiest method would probably be to create a "template" container for
> that particular user, and clone it manually (e.g. using zfs snapshot/clone,
> plus edit the config file manually). You already create the fs manually, so
> this workaround might be acceptable.
>
> It might be a bug in lxc-create code which is beyond my abilities.
>
> --
> Fajar
>
>
> ---------- Forwarded message ----------
> From: Adam Gold <awg1 at gmx.com>
> To: lxc-users at lists.linuxcontainers.org
> Cc:
> Date: Wed, 04 Feb 2015 10:46:06 +0000
> Subject: Re: [lxc-users] unprivileged container with zfs backing
>
>
> On 04/02/2015 10:10, Fajar A. Nugraha wrote:
> > On Wed, Feb 4, 2015 at 4:58 PM, Adam Gold <awg1 at gmx.com
> > <mailto:awg1 at gmx.com>> wrote:
> >
> >     In summary, I would like each unprivileged container to run on top
> of a
> >     new zfs filesystem which I create as root and assign relevant
> ownership
> >     to. Is this possible?
> >
> >
> > should be possible, BUT not with lxc-create.
> >
> > The easiest method would probably be to create a "template" container
> > for that particular user, and clone it manually (e.g. using zfs
> > snapshot/clone, plus edit the config file manually). You already create
> > the fs manually, so this workaround might be acceptable.
>
> I've only ever created containers using lxc-create.  Are you saying that
> I should manually create a template container at the root of a
> particular zfs filesystem (e.g. zfs/lxc/containers/c1) and then I simply
> use zfs clone to create each new container (and, of course, tweak the
> config)?  If so, what's the best way to manually create a template in
> unprivileged mode to ensure all the subuids and subgids are assigned
> correctly.
>
> Also, for the additional containers that I get from zfs cloning, will
> they be recognised by 'lxc-* -n' commands?
>
> Thanks for your interest in this!
>
>
>
>
>
>
> ---------- Forwarded message ----------
> From: "Jäkel, Guido" <G.Jaekel at dnb.de>
> To: "'lxc-users at lists.linuxcontainers.org'" <
> lxc-users at lists.linuxcontainers.org>
> Cc:
> Date: Wed, 4 Feb 2015 10:59:07 +0000
> Subject: Re: [lxc-users] [Marketing Mail] Re: unprivileged container with
> zfs backing
> Dear Adam,
>
> >From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On
> Behalf Of Adam Gold
> >
> >I've only ever created containers using lxc-create.  Are you saying that
> >I should manually create a template container at the root of a
> >particular zfs filesystem (e.g. zfs/lxc/containers/c1) and then I simply
> >use zfs clone to create each new container (and, of course, tweak the
> >config)?  If so, what's the best way to manually create a template in
> >unprivileged mode to ensure all the subuids and subgids are assigned
> >correctly.
> >
> >Also, for the additional containers that I get from zfs cloning, will
> >they be recognised by 'lxc-* -n' commands?
>
> You also have to clone and tweak the container's configuration file, usually
> located under /etc/lxc/ . You'll see what is obvious to change - like the
> (nearly arbitrary) location of the container's rootfs.
>
> Guido
>
>
> ---------- Forwarded message ----------
> From: "Fajar A. Nugraha" <list at fajar.net>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Cc:
> Date: Wed, 4 Feb 2015 18:01:50 +0700
> Subject: Re: [lxc-users] unprivileged container with zfs backing
> On Wed, Feb 4, 2015 at 5:46 PM, Adam Gold <awg1 at gmx.com> wrote:
>
>>
>>
>> On 04/02/2015 10:10, Fajar A. Nugraha wrote:
>> > On Wed, Feb 4, 2015 at 4:58 PM, Adam Gold <awg1 at gmx.com
>> > <mailto:awg1 at gmx.com>> wrote:
>> >
>> >     In summary, I would like each unprivileged container to run on top
>> of a
>> >     new zfs filesystem which I create as root and assign relevant
>> ownership
>> >     to. Is this possible?
>> >
>> >
>> > should be possible, BUT not with lxc-create.
>> >
>> > The easiest method would probably be to create a "template" container
>> > for that particular user, and clone it manually (e.g. using zfs
>> > snapshot/clone, plus edit the config file manually). You already create
>> > the fs manually, so this workaround might be acceptable.
>>
>> I've only ever created containers using lxc-create.  Are you saying that
>> I should manually create a template container at the root of a
>> particular zfs filesystem (e.g. zfs/lxc/containers/c1) and then I simply
>> use zfs clone to create each new container (and, of course, tweak the
>> config)?
>
>
> That is the best way that I know of.
>
>
>
>>   If so, what's the best way to manually create a template in
>> unprivileged mode to ensure all the subuids and subgids are assigned
>> correctly.
>>
>
> Create it using any normal method known to work. It should be OK when
> .local/share/lxc is on the same filesystem as $HOME, right?
> After that, copy it manually to your template dataset (zfs/lxc/containers/template
> ?) using "rsync -avP" or whatever tool of your choice. When you clone the
> template to a new directory, don't forget to change these settings manually
> in the new container config:
>
> lxc.rootfs
> lxc.utsname
> lxc.network.hwaddr
> lxc.network.veth.pair (if you use this)
>
>
>>
>> Also, for the additional containers that I get from zfs cloning, will
>> they be recognised by 'lxc-* -n' commands?
>>
>>
> AFAIK most lxc commands simply read whatever is under the directory, and
> don't really care what fs they are on.
>
> --
> Fajar
>
>
>
> ---------- Forwarded message ----------
> From: "Fajar A. Nugraha" <list at fajar.net>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Cc:
> Date: Wed, 4 Feb 2015 18:54:06 +0700
> Subject: Re: [lxc-users] unprivileged container with zfs backing
> On Wed, Feb 4, 2015 at 6:01 PM, Fajar A. Nugraha <list at fajar.net> wrote:
>
>> On Wed, Feb 4, 2015 at 5:46 PM, Adam Gold <awg1 at gmx.com> wrote:
>>
>>>
>>>   If so, what's the best way to manually create a template in
>>> unprivileged mode to ensure all the subuids and subgids are assigned
>>> correctly.
>>>
>>
>> Create it using any normal method known to work. It should be OK when
>> .local/share/lxc is on the same filesystem as $HOME, right?
>> After that, copy it manually to your template dataset (zfs/lxc/containers/template
>> ?) using "rsync -avP" or whatever tool of your choice. When you clone the
>> template to a new directory, don't forget to change these settings manually
>> in the new container config:
>>
>>
>
> This is what I just tested. Environment:
> - there's a system container called "template"
> - user "user" is allowed to create its own container (including setting
> /etc/subuid)
> - I want to copy the system container to user container
>
> Current permissions:
> # grep user /etc/subuid
> user:100000:65537
>
> # grep user /etc/subgid
> user:100000:65537
>
> # ls -la /var/lib/lxc/template/
> total 6
> drwxr-xr-x  3 root root   4 Jul 10  2014 .
> drwxr-xr-x  4 root root   4 Jan 22 19:26 ..
> -rw-r--r--  1 root root 691 Jul 10  2014 config
> drwxr-xr-x 21 root root  21 Feb  4 18:32 rootfs
>
> # ls -la /home/user/.local/share/lxc/template/
> total 6
> drwxr-xr-x  3 user   user     4 Feb  4 18:39 .
> drwxr-xr-x  3 user   user     4 Feb  4 18:37 ..
> drwxr-xr-x 21 100000 100000  21 Feb  4 18:32 rootfs
>
> # df -h /home/user/.local/share/lxc/template/
> Filesystem               Size  Used Avail Use% Mounted on
> rpool/lxc/user/template   46G  164M   46G   1%
> /home/user/.local/share/lxc/template
>
> Note that /home/user/.local/share/lxc/template/rootfs is EMPTY. The zfs
> datasets, owner, and permission were created/set by root.
> I can then run this command to copy the system container's rootfs to the
> user's rootfs, with the correct permissions:
>
> # tar -C /var/lib/lxc/template/rootfs -cf - . | su - user -c
> "lxc-usernsexec -- tar -C /home/user/.local/share/lxc/template/rootfs -xf -
> --exclude ./dev/*"
>
> WARN: could not reopen tty: No such file or directory
> tar: ./dev/log: socket ignored
>
> Ignore the warning messages. Next step is to create
> /home/user/.local/share/lxc/template/config, like so:
> ###
> # Template used to create this container:
> /usr/share/lxc/templates/lxc-download
> # Parameters passed to the template: -d ubuntu -r trusty -a amd64
> # For additional config options, please look at lxc.conf(5)
>
> # Distribution configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
> lxc.arch = x86_64
>
> # Container specific configuration
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> lxc.rootfs = /home/user/.local/share/lxc/template/rootfs
> lxc.utsname = template
>
> # Network configuration
> lxc.network.type = veth
> lxc.network.veth.pair = veth-u-te-0
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.hwaddr = 00:16:3E:3A:53:E7
> ###
>
> Note that I use br0, where the default bridge created by lxc is lxcbr0, so
> you need to make sure it's correct.
>
> When creating another container for the same user "user", I can simply use
> zfs clone rpool/lxc/user/template. If I wanted to create a container for
> another user (e.g. "user2"), then I need to repeat the "tar" method above
> as a different user (e.g. "| su - user2 -c ...").
>
>
>>
>>> Also, for the additional containers that I get from zfs cloning, will
>>> they be recognised by 'lxc-* -n' commands?
>>>
>>>
>> AFAIK most lxc commands simply reads whatever is under the directory, and
>> doesn't really care what fs they are on.
>>
>>
>
> After doing the above steps I can do this:
>
> $ id
> uid=1000(user) gid=1000(user) groups=1000(user),4(adm),6(disk),27(sudo)
>
> $ lxc-ls -f
> NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
> ------------------------------------------------
> template  STOPPED  -     -     -       NO
>
> $ lxc-start -d -n template
>
> $ lxc-ls -f
> NAME      STATE    IPV4             IPV6  GROUPS  AUTOSTART
> -----------------------------------------------------------
> template  RUNNING  192.168.124.104  -     -       NO
>
> $ lxc-attach -n template id
> uid=0(root) gid=0(root) groups=0(root)
>
> $ lxc-attach -n template ip ad li eth0
> 25: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>     link/ether 00:16:3e:3a:53:e7 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.124.104/24 brd 192.168.124.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::216:3eff:fe3a:53e7/64 scope link
>        valid_lft forever preferred_lft forever
>
> $ lxc-stop -n template
>
> $ lxc-ls -f
> NAME      STATE    IPV4  IPV6  GROUPS  AUTOSTART
> ------------------------------------------------
> template  STOPPED  -     -     -       NO
>
> --
> Fajar
>
>
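The settings Fajar lists above (lxc.rootfs, lxc.utsname, lxc.network.hwaddr and lxc.network.veth.pair) and the ownership his ls -la shows (rootfs owned by 100000, the host uid that lxc.id_map assigns to container root) lend themselves to a small script. The following is an added example written for this page, not a script from the thread or from the LXC project: it derives a new container config from a template config by rewriting only those keys, leaves the id_map, include and bridge settings untouched, and checks that the rootfs owner matches the mapped root uid. The container names, paths and the sample template it writes are constructed for the demo; the 00:16:3e MAC prefix is the one the configs in the thread use.

```shell
#!/bin/bash
# Added example, not code from the thread or from the LXC project.
# Derives a new unprivileged container's config from a template config by
# rewriting exactly the keys that must differ after a zfs clone
# (lxc.rootfs, lxc.utsname, lxc.network.hwaddr, lxc.network.veth.pair), and
# checks that the rootfs is owned by the host uid that lxc.id_map maps
# container root to. All names, paths and the sample template are constructed.
set -eu

# Random MAC in the 00:16:3e prefix used by the configs in the thread.
# Bytes come from /dev/urandom so the function stays POSIX sh.
random_hwaddr() {
    set -- $(od -An -N3 -tx1 /dev/urandom)
    printf '00:16:3e:%s:%s:%s\n' "$1" "$2" "$3"
}

# config_value KEY FILE: value of the last "KEY = value" line in FILE
# (empty if the key is absent; the dots in KEY act as regex wildcards,
# which is harmless for lxc.* keys).
config_value() {
    awk -v key="$1" -F'=' '
        $1 ~ "^" key "[ \t]*$" {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); out = v
        }
        END { print out }' "$2"
}

# clone_lxc_config TEMPLATE_CONF NEW_NAME NEW_ROOTFS [VETH_PAIR]
# Prints the derived config on stdout. Every other line is copied verbatim,
# so the template's id_map, includes and bridge are preserved.
clone_lxc_config() {
    template=$1 name=$2 rootfs=$3 veth=${4:-}
    hwaddr=$(random_hwaddr)
    while IFS= read -r line; do
        case "$line" in
            "lxc.rootfs ="*|"lxc.rootfs="*)
                printf 'lxc.rootfs = %s\n' "$rootfs" ;;
            "lxc.utsname ="*|"lxc.utsname="*)
                printf 'lxc.utsname = %s\n' "$name" ;;
            "lxc.network.hwaddr ="*|"lxc.network.hwaddr="*)
                printf 'lxc.network.hwaddr = %s\n' "$hwaddr" ;;
            "lxc.network.veth.pair ="*|"lxc.network.veth.pair="*)
                # Never reuse the template's host-side veth name: if the caller
                # gave none, drop the line and let LXC generate a unique one.
                if [ -n "$veth" ]; then
                    printf 'lxc.network.veth.pair = %s\n' "$veth"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$template"
}

# host_uid_for CONF CONTAINER_UID: host uid that the "lxc.id_map = u" line of
# CONF maps CONTAINER_UID to; prints nothing if it lies outside the mapping.
host_uid_for() {
    awk -v cuid="$2" -F'=' '
        $1 ~ /^lxc.id_map[ \t]*$/ {
            split($2, m, " ")   # m[1]=u|g m[2]=container start m[3]=host start m[4]=count
            if (m[1] == "u" && cuid >= m[2] && cuid < m[2] + m[4])
                print m[3] + (cuid - m[2])
        }' "$1"
}

# check_rootfs_owner CONF: succeed only if lxc.rootfs exists and its owner is
# the host uid mapped to container root (100000 in the thread's ls -la).
# ls -nd is POSIX, so no GNU stat is needed.
check_rootfs_owner() {
    rootfs=$(config_value lxc.rootfs "$1")
    want=$(host_uid_for "$1" 0)
    [ -d "$rootfs" ] || return 1
    have=$(ls -nd "$rootfs" | awk '{ print $3 }')
    [ -n "$want" ] && [ "$have" = "$want" ]
}

# write_sample_template FILE: constructed template config modelled on the
# one posted in the thread.
write_sample_template() {
    cat > "$1" <<'EOF'
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/user/.local/share/lxc/template/rootfs
lxc.utsname = template
lxc.network.type = veth
lxc.network.veth.pair = veth-u-te-0
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:16:3E:3A:53:E7
EOF
}

# Demo when run directly: ./clone-config.sh NEWNAME [VETH_PAIR]
if [ $# -gt 0 ]; then
    dir=$(mktemp -d)
    write_sample_template "$dir/template.conf"
    clone_lxc_config "$dir/template.conf" "$1" "/home/user/.local/share/lxc/$1/rootfs" "${2:-}"
fi
```

Running it as `./clone-config.sh c1 veth-u-c1-0` prints the derived config for a container named c1. When no veth pair name is given the line is omitted rather than copied, because two containers that name the same host-side veth cannot both be up at once, whereas an unset lxc.network.veth.pair makes LXC generate a unique name. check_rootfs_owner is the scripted form of the ownership Fajar verifies by eye with ls -la: a rootfs that is not owned by the mapped root uid is exactly the "Permission denied" situation from earlier in the thread.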