[lxc-users] using cgroups
rob e
redgerhoo at yahoo.com.au
Fri Jul 1 21:39:34 UTC 2016
On 02/07/16 01:02, Serge E. Hallyn wrote:
> Quoting rob e (redgerhoo at yahoo.com.au):
>> On 01/07/16 10:58, Serge E. Hallyn wrote:
>>> Quoting rob e (redgerhoo at yahoo.com.au):
>>> Let's address them one at a time. For starters,
>>>
>>> if you only leave in the
>>> lxc.cgroup.cpuset.cpus = 1-3
>>> does that now work? If not, please post the log output to show exactly
>>> how it fails.
>>> And if you only have
>>> lxc.cgroup.memory.limit_in_bytes = 4G
>>> how does that fail, exactly?
>>>
>>> Also, what is /proc/self/cgroup now when you login?
>>>
>>> _______________________________________________
>>> lxc-users mailing list
>>> lxc-users at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-users
>> hi Serge,
>> thanks for the response, data follows
>>
> Wait, why is it still showing this error? You don't
> have any lxc.cgroup.deivces in the above config!
>
> Can you please show
>
> /usr/share/lxc/config/ubuntu.common.conf
> /usr/share/lxc/config/ubuntu.userns.conf
>
> ?
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
okey dokes, here they are (plus the direct "include" elements)
------------------------------------------------------------------------------------------
$ cat /usr/share/lxc/config/ubuntu.common.conf
# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf
# Default mount entries
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none
bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue
rw,relatime,create=dir,optional 0 0
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined
# Uncomment the following line to autodetect squid-deb-proxy
configuration on the
# host and forward it to the guest at start time.
#lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or
loop
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting
# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
------------------------------------------------------------------------------------------
$ cat /usr/share/lxc/config/ubuntu.userns.conf
# This derives from the global userns config
lxc.include = /usr/share/lxc/config/userns.conf
# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars
none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none
bind,optional 0 0
------------------------------------------------------------------------------------------
$ cat /usr/share/lxc/config/userns.conf
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
------------------------------------------------------------------------------------------
$ cat /usr/share/lxc/config/common.conf
# Default configuration shared by all containers
# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc
# Allow for 1024 pseudo terminals
lxc.pts = 1024
# Setup 4 tty devices
lxc.tty = 4
# Drop some harmful capabilities
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
# Set the pivot directory
lxc.pivotdir = lxc_putold
# Ensure hostname is changed on clone
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
# CGroup whitelist
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
### fuse
lxc.cgroup.devices.allow = c 10:229 rwm
# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none
bind,optional 0 0
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
# Lastly, include all the configs from /usr/share/lxc/config/common.conf.d/
lxc.include = /usr/share/lxc/config/common.conf.d/
------------------------------------------------------------------------------------------
More information about the lxc-users
mailing list