[lxc-users] using cgroups

rob e redgerhoo at yahoo.com.au
Sat Jul 2 04:44:45 UTC 2016



On 02/07/16 13:40, Serge E. Hallyn wrote:
> On Sat, Jul 02, 2016 at 01:24:44PM +1000, rob e wrote:
>> On 02/07/16 12:41, Serge E. Hallyn wrote:
>>> Quoting rob e (redgerhoo at yahoo.com.au):
>>>> On 02/07/16 12:14, Serge E. Hallyn wrote:
>>>>>> hi Serge,
>>>>>> with JUST those clauses (and no cgroup set clauses) ... it sort of
>>>>>> works. Initial messages are cleared from the console(?) leaving just
>>>>>> the shutdown messages. But it does get to a login prompt
>>>>> D'oh.  Thanks for your patience.  I see the bug.  I'll post a
>>>>> PR for a fix.  I'm surprised so few people run into this.  But
>>>>> as a workaround just add ",devices" to the end of the pam_cgfs
>>>>> line in /etc/pam.d/common-session.
>>>>>
>>>> sorry about this ... didn't work. Tried 2 forms of Pam clause & 2
>>>> forms of config
>>>>
>>>> ------------------------------------------------------
>>>> PAM line
>>>> session optional        pam_cgfs.so -c freezer,memory,name=systemd,cpuset,devices
>>> Just to make sure, did you log back in after this?  What does /proc/self/cgroup
>>> look like?
>>>
>>>
>> hmmm ... Now I tried the TAP TUN device (for openvpn & proxy server)
>> .... FAILED .. on CPUSET
> Nope, cpu and cpuset are actually two different controllers.  It's failing on
> cpu.shares in the cpu controller.
>
> Note, I think you'll be happiest if you just drop the "-c xxxxx" from
> /etc/pam.d/common-session.  That will tell pam_cgfs to use all controllers.
>
> -serge
>
That was better! CPU and memory constraints now don't cause failure :)

-----------------------------------------------------------------------------------
Tried VPN ... TAP / TUN   FAILED. Container starts, but unable to create 
device (where this worked on Trusty)

openvpn will not start ... looks like an AppArmor issue. Is this your 
department?

messages on host syslog.log

Jul  2 14:21:35 virt-host kernel: [111148.961739] IPv6: ADDRCONF(NETDEV_CHANGE): vethS3C86K: link becomes ready
Jul  2 14:21:35 virt-host kernel: [111148.961777] lxcbr0: port 3(vethS3C86K) entered forwarding state
Jul  2 14:21:35 virt-host kernel: [111148.961785] lxcbr0: port 3(vethS3C86K) entered forwarding state
Jul  2 14:21:35 virt-host kernel: [111149.061396] audit: type=1400 audit(1467433295.584:1118): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-mounting" name="/" pid=25762 comm="cgmanager" flags="rw, rprivate"
Jul  2 14:21:35 virt-host kernel: [111149.061437] audit: type=1400 audit(1467433295.584:1119): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/blkio/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="blkio"
Jul  2 14:21:35 virt-host kernel: [111149.061447] audit: type=1400 audit(1467433295.584:1120): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/cpu/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="cpu"
Jul  2 14:21:35 virt-host kernel: [111149.061457] audit: type=1400 audit(1467433295.584:1121): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/cpuacct/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="cpuacct"
Jul  2 14:21:35 virt-host kernel: [111149.061466] audit: type=1400 audit(1467433295.584:1122): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/cpuset/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="cpuset"
Jul  2 14:21:35 virt-host kernel: [111149.061475] audit: type=1400 audit(1467433295.584:1123): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/devices/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="devices"
Jul  2 14:21:35 virt-host kernel: [111149.061484] audit: type=1400 audit(1467433295.584:1124): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/freezer/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="freezer"
Jul  2 14:21:35 virt-host kernel: [111149.061492] audit: type=1400 audit(1467433295.584:1125): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/hugetlb/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="hugetlb"
Jul  2 14:21:35 virt-host kernel: [111149.061501] audit: type=1400 audit(1467433295.584:1126): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/memory/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="memory"
Jul  2 14:21:35 virt-host kernel: [111149.061510] audit: type=1400 audit(1467433295.584:1127): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/net_cls/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="net_cls"
Jul  2 14:21:35 virt-host libvirtd[32021]: Failed to open file '/sys/class/net/vethS3C86Kp/operstate': No such file or directory
Jul  2 14:21:35 virt-host libvirtd[32021]: unable to read: /sys/class/net/vethS3C86Kp/operstate: No such file or directory
Jul  2 14:21:37 virt-host avahi-daemon[1190]: Joining mDNS multicast group on interface vethS3C86K.IPv6 with address fe80::fc29:c4ff:fe45:3afa.
Jul  2 14:21:37 virt-host avahi-daemon[1190]: New relevant interface vethS3C86K.IPv6 for mDNS.
Jul  2 14:21:37 virt-host avahi-daemon[1190]: Registering new address record for fe80::fc29:c4ff:fe45:3afa on vethS3C86K.*.
Jul  2 14:21:50 virt-host kernel: [111164.003628] lxcbr0: port 3(vethS3C86K) entered forwarding state
J
-----------------------------------------------------------------------------------

and will have to wait a while to test USB-DVB passthrough - currently 
allocated to kvm machine and in use, would prefer to use lxc / lxd

(didn't work too well with LXD .. passes through ok, Frontend device 
works but DMUX device inoperable, though it's present - will write a 
separate stream on this one. Possible it's also AppArmor mediated)

R
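
A triage helper for the syslog excerpt in the message above, added here as an example and not part of the original post: it rejoins hard-wrapped syslog records, keeps only the AppArmor denials, and groups them by profile, process, operation and reason so the refused mounts can be read at a glance. The function names are illustrative; the sample records are taken from the message.

```python
import re
from collections import defaultdict

# Records taken from the message's syslog excerpt, hard-wrapped as mail clients do.
SAMPLE = """\
Jul  2 14:21:35 virt-host kernel: [111148.961777] lxcbr0: port
3(vethS3C86K) entered forwarding state
Jul  2 14:21:35 virt-host kernel: [111149.061396] audit: type=1400
audit(1467433295.584:1118): apparmor="DENIED" operation="mount"
info="failed flags match" error=-13
profile="lxc-container-default-with-mounting" name="/" pid=25762
comm="cgmanager" flags="rw, rprivate"
Jul  2 14:21:35 virt-host kernel: [111149.061437] audit: type=1400
audit(1467433295.584:1119): apparmor="DENIED" operation="mount"
info="failed type match" error=-13
profile="lxc-container-default-with-mounting"
name="/run/cgmanager/fs/blkio/" pid=25762 comm="cgmanager"
fstype="cgroup" srcname="blkio"
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog line start
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def unwrap(text):
    """Rejoin records that hard wrapping split across several lines."""
    records = []
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        if STAMP.match(raw) or not records:
            records.append(raw.strip())
        else:
            records[-1] += " " + raw.strip()
    return records

def parse_denial(record):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in record:
        return None
    return {k: q or b for k, q, b in FIELD.findall(record)}

def summarize(text):
    """Map (profile, comm, operation, info) to the sorted targets denied."""
    groups = defaultdict(set)
    for f in filter(None, map(parse_denial, unwrap(text))):
        key = tuple(f.get(k, "") for k in ("profile", "comm", "operation", "info"))
        groups[key].add((f.get("name", ""), f.get("fstype") or f.get("flags", "")))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for key, targets in summarize(SAMPLE).items():
        print(key, targets)
```
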

