[lxc-users] Where can i find the causes of restart problems

Thouraya TH thouraya87 at gmail.com
Sun Jun 21 12:13:38 UTC 2015


*You didn't tell it to use logging.*
-> Please, how can I tell it to use logging?

*And you are using gmail to post to mailing list.*
--> Yeah! Is there a problem with using gmail to post to the list?

Thanks a lot.
Best Regards.

2015-06-21 13:00 GMT+01:00 <lxc-users-request at lists.linuxcontainers.org>:

> Today's Topics:
>
>    1. Re: Where can i find the causes of restart problems (Thouraya TH)
>    2. Re: Where can i find the causes of restart problems (Andrey Repin)
>
>
> ---------- Forwarded message ----------
> From: Thouraya TH <thouraya87 at gmail.com>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Cc:
> Date: Sat, 20 Jun 2015 13:19:14 +0100
> Subject: Re: [lxc-users] Where can i find the causes of restart problems
> I can't start the container and I have found 0 lines in the .log file!
>
>
> root at localhost:/var/log/lxc# lxc-start -n worker1
> ^C
> root at localhost:/var/log/lxc# vim worker1.log
> root at localhost:/var/log/lxc#
>
> Best Regards.
>
>
>
> 2015-06-20 13:00 GMT+01:00 <lxc-users-request at lists.linuxcontainers.org>:
>
>> Today's Topics:
>>
>>    1. "mesh networking" for lxc containers (similar to weave)?
>>       (Tomasz Chmielewski)
>>    2. Re: Nested container in unpriviledged container (Xavier Gendre)
>>    3. Re: "mesh networking" for lxc containers (similar to weave)?
>>       (Christoph Lehmann)
>>    4. Re: "mesh networking" for lxc containers (similar to weave)?
>>       (Tomasz Chmielewski)
>>    5. Re: "mesh networking" for lxc containers (similar to weave)?
>>       (Janjaap Bos)
>>    6. Where can i find the causes of restart problems (Thouraya TH)
>>    7. Re: Where can i find the causes of restart problems (Janjaap Bos)
>>
>>
>> ---------- Forwarded message ----------
>> From: Tomasz Chmielewski <mangoo at wpkg.org>
>> To: lxc-users at lists.linuxcontainers.org
>> Cc:
>> Date: Sat, 20 Jun 2015 01:15:23 +0900
>> Subject: [lxc-users] "mesh networking" for lxc containers (similar to
>> weave)?
>> Are there any solutions which would let one build "mesh networking" for
>> lxc containers, similar to what weave does for docker?
>>
>> Assumptions:
>>
>> - multiple servers (hosts) which are not in the same subnet (i.e. in
>> different DCs in different countries),
>> - containers share the same subnet (i.e. 10.0.0.0/8), no matter on which
>> host they are running
>> - if container is migrated to a different host, it is still reachable on
>> the same IP address without any changes in the networking
>>
>>
>> I suppose the solution would run only once on each of the hosts, rather
>> than in each container.
>>
>> Is there something similar for lxc?
>>
>> --
>> Tomasz Chmielewski
>> http://wpkg.org
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Xavier Gendre <gendre.reivax at gmail.com>
>> To: lxc-users at lists.linuxcontainers.org
>> Cc:
>> Date: Fri, 19 Jun 2015 18:44:14 +0200
>> Subject: Re: [lxc-users] Nested container in unpriviledged container
>> On 18/06/2015 06:35, Serge Hallyn wrote:
>>
>>> Quoting Xavier Gendre (gendre.reivax at gmail.com):
>>>
>>>> On 15/06/2015 17:17, Serge Hallyn wrote:
>>>>
>>>>> Quoting Xavier Gendre (gendre.reivax at gmail.com):
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I wanted to run a container in an unprivileged container and I am
>>>>>> glad to have succeeded in doing it. The point is that I am not sure if what
>>>>>> I did is acceptable from the security point of view or not...
>>>>>>
>>>>>> Here are the steps I did:
>>>>>>
>>>>>> 1) create an unprivileged container (lxc.id_map, ...) called 'test'.
>>>>>>
>>>>>> 2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
>>>>>> its config file:
>>>>>>
>>>>>> lxc.mount.auto = cgroup:mixed
>>>>>>
>>>>>> 3) create a basic container called 'p1' with the download template
>>>>>> as root in 'test'.
>>>>>>
>>>>>> 4) in the host, I chown the cgroup hierarchy of 'test' to give it to
>>>>>> the user id mapped to the id 0 in 'test' (this id is 362144 in my
>>>>>> example),
>>>>>>
>>>>>> for T in `ls /sys/fs/cgroup`; do
>>>>>>    chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
>>>>>> done
>>>>>>
>>>>>> 5) successfully start the container 'p1' in 'test' :-)
>>>>>>
>>>>>> I am not an expert with cgroups and I am wondering if I am letting
>>>>>> the devil enter my home with that...
>>>>>>
>>>>>> So, what is your opinion: is it a possible security break or is it
>>>>>> safe?
>>>>>>
>>>>>
>>>>> Two things to make this safer
>>>>>
>>>>> 1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
>>>>> its 'tasks' and 'cgroup.procs' files.  That way the container can create
>>>>> sub-cgroups but cannot raise its own limits.
>>>>>
>>>>> 2. Only do this for the controllers you definitely need.  Freezer and
>>>>> memory for example.  Then set lxc.cgroup.use in /etc/lxc/lxc.conf
>>>>> (see lxc.system.conf(5)).
>>>>>
>>>>> -serge
>>>>>
>>>>
>>>> Hello Serge,
>>>>
>>>> thank you for your advice. Indeed, chowning only the directories is
>>>> sufficient to start the nested container. I did not have to chown
>>>> 'tasks' and 'cgroup.procs' in order to simply start it.
>>>>
>>>> Your second point is more obscure for me... For now, I have to chown
>>>> all the controllers:
>>>>
>>>> 'blkio' 'cpu,cpuacct' 'cpuset' 'devices' 'freezer'
>>>> 'net_cls,net_prio' 'perf_event'
>>>>
>>>> When you say 'need', does it apply to the container 'test' or to 'p1'
>>>> in my example?
>>>>
>>>
>>> The child one, p1.  With new enough lxc you should be able to
>>> use only freezer, setting that as lxc.cgroup.use in the
>>> system lxc.conf.
>>>
>>
>> Arf, for now, I am still working with Debian Jessie and LXC 1.0.7. I will
>> be able to try your suggestions when a more recent version of LXC appears
>> in the Debian repositories. Thus, I continue to chown my whole list of
>> controllers :-°
>>
>>>> If I plan to allow quite general containers to run in
>>>> my unprivileged container, should all the controllers be chowned or
>>>> are there some that are definitely not needed?
>>>>
>>>
>>> General containers are fine, it's only if you need the nested containers
>>> to be more finely restricted, i.e. if you simply must be able to
>>> allocate only a subset of test1's cpus or memory.
>>>
>>
>> Ok, thanks for this example, it is clearer for me now.
>>
>> Thank you for these explanations,
>> Xavier
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Christoph Lehmann <post at christophlehmann.eu>
>> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
>> Cc:
>> Date: Fri, 19 Jun 2015 20:20:21 +0200
>> Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to
>> weave)?
>> There is no magic with lxc's networking. It's just a bridge and some
>> iptables rules for NAT and a dhcp server.
>>
>> You can set up a bridge on your public interface, configure the container
>> to use that bridge and do the same on your second host.
>>
>> --
>> This message was sent from my Android mobile phone with K-9 Mail.
>>
>>
>> ---------- Forwarded message ----------
>> From: Tomasz Chmielewski <mangoo at wpkg.org>
>> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
>> Cc:
>> Date: Sat, 20 Jun 2015 10:37:12 +0900
>> Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to
>> weave)?
>> I know this is just "normal networking", however, there are at least two
>> issues with your suggestions:
>>
>> - it assumes the hosts are in the same subnet (say, connected to the same
>> switch), so it won't work if the hosts have two different public IPs (i.e.
>> 46.1.2.3 and 124.8.9.10)
>>
>> - with just two hosts, you may overcome the above limitation with some
>> VPN magic; however, it becomes problematic as the number of hosts grows
>> (imagine 10 or more hosts, trying to set it up without SPOF / central VPN
>> server; ideally, the hosts should talk to themselves using the shortest
>> paths possible)
>>
>>
>> Therefore, I'm asking if there is any better "magic", as you say, for lxc
>> networking?
>> Possibly it could be achieved with tinc, running on hosts only -
>> http://www.tinc-vpn.org/ - but haven't really used it.
>> And maybe people have other ideas?
>>
>> --
>> Tomasz Chmielewski
>> http://wpkg.org
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Janjaap Bos <janjaapbos at gmail.com>
>> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
>> Cc:
>> Date: Sat, 20 Jun 2015 08:16:27 +0200
>> Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to
>> weave)?
>> Yes, ZeroTier provides peer-to-peer virtual networking. It is cloud /
>> container / virtualiser agnostic. It will work anywhere and we use it for
>> connecting containers & vm's across clouds. Also to provide access to users
>> on Windows / OSX.
>>
>> Within the container you need access to the /dev/net/tun device and
>> depending on the flavour (lxc / lxd / docker) net_admin capabilities.
>>
>> You can download it at https://www.zerotier.com or build it from
>> https://github.com/zerotier/ZeroTierOne
>>
>> Since it is peer-to-peer there is very little overhead. Packets destined
>> for local peers will stay within the local net. You can create very large
>> distributed flat ether networks. Great for the type of cloud backplane you
>> described.
>>
>> Also, this enables you to live migrate instances while maintaining their
>> network configuration.
>>
>>
>> ---------- Forwarded message ----------
>> From: Thouraya TH <thouraya87 at gmail.com>
>> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
>> Cc:
>> Date: Sat, 20 Jun 2015 12:56:03 +0100
>> Subject: [lxc-users] Where can i find the causes of restart problems
>> Hello all,
>>
>> Please, I am trying to run my container but it is blocked.
>>
>>
>> lxc-start -n worker1
>>
>>
>> Where can I find the causes of restart problems? (logs?)
>>
>>
>> Thanks a lot.
>> Best Regards.
>>
>>
>> ---------- Forwarded message ----------
>> From: Janjaap Bos <janjaapbos at gmail.com>
>> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
>> Cc:
>> Date: Sat, 20 Jun 2015 13:57:56 +0200
>> Subject: Re: [lxc-users] Where can i find the causes of restart problems
>> /var/log/lxc
>>
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>>
>
>
>
> ---------- Forwarded message ----------
> From: Andrey Repin <anrdaemon at yandex.ru>
> To: Thouraya TH <lxc-users at lists.linuxcontainers.org>
> Cc:
> Date: Sat, 20 Jun 2015 16:01:31 +0300
> Subject: Re: [lxc-users] Where can i find the causes of restart problems
> Greetings, Thouraya TH!
>
> > I can't start the container and I have found 0 lines in the .log file!
>
>
> > root at localhost:/var/log/lxc# lxc-start -n worker1
> > ^C
> > root at localhost:/var/log/lxc# vim worker1.log
> > root at localhost:/var/log/lxc#
>
> You didn't tell it to use logging.
> And you are using gmail to post to mailing list.
>
>
> --
> With best regards,
> Andrey Repin
> Saturday, June 20, 2015 16:00:23
>
> Sorry for my terrible english...
>
>
>
>
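
Serge Hallyn's two suggestions in the quoted "Nested container in unpriviledged container" thread (chown only the container's cgroup directory plus its 'tasks' and 'cgroup.procs' files, and only for the controllers that are needed) can be scripted as follows. This is an added example, not code from the thread or from the LXC project; the function names, the CGROOT variable and the controllers in the usage comment are assumptions, and it assumes the cgroup v1 layout /sys/fs/cgroup/<controller>/lxc/<name> used by the original loop.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege cgroup v1 delegation
# for an unprivileged container that must start nested containers.
# CGROOT and both function names are assumptions made for this sketch.
CGROOT="${CGROOT:-/sys/fs/cgroup}"

# delegation_paths NAME CONTROLLER...
# Print the only paths whose owner should change: the container's cgroup
# directory (lets it create sub-cgroups) and its 'tasks' / 'cgroup.procs'
# files (lets it move its own processes). Limit files such as
# memory.limit_in_bytes stay owned by root, so limits cannot be raised.
delegation_paths() {
    name=$1; shift
    for ctrl in "$@"; do
        dir="$CGROOT/$ctrl/lxc/$name"
        if [ ! -d "$dir" ]; then
            echo "skip: $dir does not exist" >&2
            continue
        fi
        echo "$dir"
        for f in tasks cgroup.procs; do
            if [ -f "$dir/$f" ]; then echo "$dir/$f"; fi
        done
    done
}

# delegate_cgroups UID:GID NAME CONTROLLER...
# Non-recursive chown of exactly the paths listed above.
delegate_cgroups() {
    owner=$1; shift
    delegation_paths "$@" | while IFS= read -r path; do
        chown "$owner" "$path" || exit 1
    done
}

# Usage with the mapped root id from the thread, limited to two controllers:
#   sh delegate.sh 362144:362144 test freezer memory
if [ "$#" -ge 3 ]; then
    delegate_cgroups "$@"
fi
```

Pass only the controllers the nested container needs, the same set named in lxc.cgroup.use per the advice quoted above.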