[lxc-users] using cgroups

rob e redgerhoo at yahoo.com.au
Fri Jul 1 21:39:34 UTC 2016


On 02/07/16 01:02, Serge E. Hallyn wrote:
> Quoting rob e (redgerhoo at yahoo.com.au):
>> On 01/07/16 10:58, Serge E. Hallyn wrote:
>>> Quoting rob e (redgerhoo at yahoo.com.au):
>>> Let's address them one at a time.  For starters,
>>>
>>> if you only leave in the
>>> 	lxc.cgroup.cpuset.cpus = 1-3
>>> does that now work?  If not, please post the log output to show exactly
>>> how it fails.
>>> And if you only have
>>> 	lxc.cgroup.memory.limit_in_bytes = 4G
>>> how does that fail, exactly?
>>>
>>> Also, what is /proc/self/cgroup now when you login?
>>>
>>> _______________________________________________
>>> lxc-users mailing list
>>> lxc-users at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-users
>> hi Serge,
>> thanks for the response, data follows
>>
> Wait, why is it still showing this error?  You don't
> have any lxc.cgroup.devices in the above config!
>
> Can you please show
>
> /usr/share/lxc/config/ubuntu.common.conf
> /usr/share/lxc/config/ubuntu.userns.conf
>
> ?
okey dokes, here they are (plus the direct "include" elements)

------------------------------------------------------------------------------------------
$ cat /usr/share/lxc/config/ubuntu.common.conf
# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf

# Default mount entries
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0

# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined

# Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time.
#lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client

# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting

# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm

------------------------------------------------------------------------------------------
$ cat /usr/share/lxc/config/ubuntu.userns.conf
# This derives from the global userns config
lxc.include = /usr/share/lxc/config/userns.conf

# Extra fstab entries as mountall can't mount those by itself
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0

------------------------------------------------------------------------------------------
$ cat /usr/share/lxc/config/userns.conf
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =

# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =

# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0

------------------------------------------------------------------------------------------
$ cat /usr/share/lxc/config/common.conf
# Default configuration shared by all containers

# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc

# Allow for 1024 pseudo terminals
lxc.pts = 1024

# Setup 4 tty devices
lxc.tty = 4

# Drop some harmful capabilities
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio

# Set the pivot directory
lxc.pivotdir = lxc_putold

# Ensure hostname is changed on clone
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname

# CGroup whitelist
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
### fuse
lxc.cgroup.devices.allow = c 10:229 rwm

# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0

# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp

# Lastly, include all the configs from /usr/share/lxc/config/common.conf.d/
lxc.include = /usr/share/lxc/config/common.conf.d/

------------------------------------------------------------------------------------------
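Serge's question above turns on where the lxc.cgroup.devices.* lines come from when the container's own config has none: they arrive through the lxc.include chain (ubuntu.common.conf pulls in common.conf's whitelist) and userns.conf then resets them with empty values. The following is an added example, not code from the thread or from LXC itself, that walks such a chain over constructed stand-ins for the files catted above; the container config path /var/lib/lxc/c1/config and its include order are assumptions.

```python
"""Walk an LXC lxc.include chain and compute the effective lxc.cgroup.devices.*
rules.  Added example, not code from the thread or LXC; files are an in-memory
dict standing in for the catted files, and an empty value resets the key."""

# Constructed stand-ins trimmed to the device lines; /var/lib/lxc/c1/config is assumed.
FILES = {
    "/usr/share/lxc/config/common.conf":
        "lxc.cgroup.devices.deny = a\n"
        "lxc.cgroup.devices.allow = c *:* m\n",
    "/usr/share/lxc/config/ubuntu.common.conf":
        "lxc.include = /usr/share/lxc/config/common.conf\n"
        "lxc.cgroup.devices.allow = c 10:200 rwm\n",
    "/usr/share/lxc/config/userns.conf":
        "# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices\n"
        "lxc.cgroup.devices.deny =\nlxc.cgroup.devices.allow =\n",
    "/usr/share/lxc/config/ubuntu.userns.conf":
        "lxc.include = /usr/share/lxc/config/userns.conf\n",
    "/var/lib/lxc/c1/config":
        "lxc.include = /usr/share/lxc/config/ubuntu.common.conf\n"
        "lxc.include = /usr/share/lxc/config/ubuntu.userns.conf\n"
        "lxc.cgroup.cpuset.cpus = 1-3\n",
}

def flatten(path, files=FILES, depth=0):
    """(file, key, value) triples in the order LXC reads them, with each
    lxc.include expanded in place; the depth guard stops include loops."""
    if depth > 16:
        raise RuntimeError(f"include chain too deep at {path}")
    out = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no setting
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "lxc.include":
            out.extend(flatten(value, files, depth + 1))
        else:
            out.append((path, key, value))
    return out

def effective_devices(path, files=FILES):
    """Effective device-cgroup rules: an empty value ("lxc.cgroup.devices.allow =")
    clears that key, so include order decides whether common.conf's list survives."""
    rules = {"lxc.cgroup.devices.deny": [], "lxc.cgroup.devices.allow": []}
    for _, key, value in flatten(path, files):
        if key in rules:
            rules[key] = [] if value == "" else rules[key] + [value]
    return rules
```

Swapping the two includes in the container config leaves common.conf's deny/allow rules in force, which is the kind of ordering difference worth checking before blaming the lxc.cgroup.cpuset.cpus or memory lines.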