[lxc-users] using cgroups
rob e
redgerhoo at yahoo.com.au
Sat Jul 2 05:16:21 UTC 2016
On 02/07/16 13:40, Serge E. Hallyn wrote:
> On Sat, Jul 02, 2016 at 01:24:44PM +1000, rob e wrote:
>> On 02/07/16 12:41, Serge E. Hallyn wrote:
>>> Quoting rob e (redgerhoo at yahoo.com.au):
>>>> On 02/07/16 12:14, Serge E. Hallyn wrote:
>>>>>> hi Serge,
>>>>>> with JUST those clauses (and no cgroup set clauses) ... it sort of
>>>>>> works. Initial messages are cleared from the console(?) leaving just
>>>>>> the shutdown messages. But it does get to a login prompt
>>>>> D'oh. Thanks for your patience. I see the bug. I'll post a
>>>>> PR for a fix. I'm surprised so few people run into this. But
>>>>> as a workaround just add ",devices" to the end of the pam_cgfs
>>>>> line in /etc/pam.d/common-session.
>>>>>
>>>> sorry about this ... didn't work. Tried 2 forms of Pam clause & 2
>>>> forms of config
>>>>
>>>> ------------------------------------------------------
>>>> PAM line
>>>> session optional pam_cgfs.so -c
>>>> freezer,memory,name=systemd,cpuset,devices
>>> Just to make sure, did you log back in after this? What does /proc/self/cgroup
>>> look like?
>>>
>>>
>> hmmm ... Now I tried the TAP TUN device (for openvpn & proxy server)
>> .... FAILED .. on CPUSET
> Nope, cpu and cpuset are actually two different controllers. It's failing on
> cpu.shares in the cpu controller.
>
> Note, I think you'll be happiest if you just drop the "-c xxxxx" from
> /etc/pam.d/common-session. That will tell pam_cgfs to use all controllers.
>
> -serge
>
OK, tried to pass through USB-DVB devices. This worked in Trusty using
the same config, but not on Xenial. Again, Apparmor is intervening. The
container starts OK, but doesn't map the /dev/dvb devices in (even though I
had previously bind mounted /dev/dvb into the container, as was working
in Trusty):

sudo mount --bind /dev/dvb /mnt/lxc_images/containers/trusty-mythserver/rootfs/dev/dvb/
sudo chown -R xxx:xxx /mnt/lxc_images/containers/trusty-mythserver/rootfs/dev/dvb/

Then look for devices in the container - nothing found :(
$ lxc-start -n trusty-mythserver
$ lxc-attach -n trusty-mythserver
root at trusty-mythserver:~#
root at trusty-mythserver:~# ls /dev/dvb
root at trusty-mythserver:~#
---------------------------------------------------------------------------------------
Syslog elements

Jul 2 15:09:17 virt-host libvirtd[32021]: Failed to open file '/sys/class/net/veth1XDS50p/operstate': No such file or directory
Jul 2 15:09:17 virt-host libvirtd[32021]: unable to read: /sys/class/net/veth1XDS50p/operstate: No such file or directory
Jul 2 15:09:17 virt-host kernel: [114010.904958] audit_printk_skb: 47 callbacks suppressed
Jul 2 15:09:17 virt-host kernel: [114010.904960] audit: type=1400 audit(1467436157.402:1273): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28339 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs"
Jul 2 15:09:17 virt-host kernel: [114010.904994] audit: type=1400 audit(1467436157.402:1274): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28339 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs" flags="ro"
Jul 2 15:09:17 virt-host kernel: [114011.015576] audit: type=1400 audit(1467436157.514:1275): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28498 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs"
Jul 2 15:09:17 virt-host kernel: [114011.015604] audit: type=1400 audit(1467436157.514:1276): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28498 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs" flags="ro"
Jul 2 15:09:17 virt-host kernel: [114011.053063] audit: type=1400 audit(1467436157.550:1277): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28552 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs"
Jul 2 15:09:17 virt-host kernel: [114011.053100] audit: type=1400 audit(1467436157.550:1278): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28552 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs" flags="ro"
Jul 2 15:09:17 virt-host kernel: [114011.077650] audit: type=1400 audit(1467436157.574:1279): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28584 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs"
Jul 2 15:09:17 virt-host kernel: [114011.077686] audit: type=1400 audit(1467436157.574:1280): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28584 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs" flags="ro"
Jul 2 15:09:17 virt-host kernel: [114011.089934] audit: type=1400 audit(1467436157.590:1281): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28609 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs"
Jul 2 15:09:17 virt-host kernel: [114011.089968] audit: type=1400 audit(1467436157.590:1282): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28609 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs" flags="ro"
Jul 2 15:09:18 virt-host avahi-daemon[1190]: Joining mDNS multicast group on interface veth1XDS50.IPv6 with address fe80::fca3:d7ff:fe0c:a9d8.
Jul 2 15:09:18 virt-host avahi-daemon[1190]: New relevant interface veth1XDS50.IPv6 for mDNS.
Jul 2 15:09:18 virt-host avahi-daemon[1190]: Registering new address record for fe80::fca3:d7ff:fe0c:a9d8 on veth1XDS50.*.
Jul 2 15:09:32 virt-host kernel: [114025.529956] rebr0: port 2(veth1XDS50) entered forwarding state
---------------------------------------------------------------------------------------
Container config (tried with and without the apparmor profile)

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
# ------- Replaced -------#
#lxc.id_map = u 0 100000 65536
#lxc.id_map = g 0 100000 65536
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.rootfs = /mnt/lxc_images/containers/trusty-mythserver/rootfs
lxc.utsname = trusty-mythserver

## Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = rebr0
lxc.network.hwaddr = xx.xx.xx.....

## devices - set profile to allow mounting block devices (constrained by default)
lxc.aa_profile = lxc-container-default-with-mounting

## Allow access to USB devices (major part # 189), see
## https://wiki.archlinux.org/index.php/Linux_Containers#Cgroups_device_configuration
## Use "ls -la /dev/bus/usb/003/" or "ls -la /dev/dvb/adapter0" to find the major / minor numbers to permit
## DVB
lxc.cgroup.devices.allow = c 212:* rwm

## Set resource limits
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500
---------------------------------------------------------------------------------------
On the plus side, the container starts OK.
I have not checked CPU and memory limits yet, i.e. do they apply as expected.
Are these Apparmor conditions your department?
R
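As an added example (not code from the thread, from LXC or from the poster), a small Python checker for the two things being debugged in the message above: whether the lxc.cgroup.devices.allow rules in the container config cover the device nodes the container needs, and what the apparmor="DENIED" audit lines in the syslog actually refer to. All input is constructed sample data modelled on the post; the minor numbers in the sample ls output are illustrative, and the device-rule matching follows the cgroup v1 devices whitelist semantics, where a single rule must cover every requested access bit.

```python
"""Added example (not from the thread): check an LXC container's cgroup device
whitelist against device nodes, and summarise AppArmor DENIED audit lines.
All sample data below is constructed, modelled on the lines in the post."""
import re
from collections import Counter

# Constructed sample: the device / AppArmor lines of a container config.
SAMPLE_CONFIG = """\
lxc.aa_profile = lxc-container-default-with-mounting
## DVB
lxc.cgroup.devices.allow = c 212:* rwm
lxc.cgroup.cpuset.cpus = 1-3
"""

# Constructed sample: `ls -la` output for host device nodes. Major/minor
# numbers are illustrative (DVB is major 212, USB is major 189 as in the post).
SAMPLE_LS = """\
crw-rw---- 1 root video 212,  48 Jul  2 14:58 frontend0
crw-rw---- 1 root video 212,  64 Jul  2 14:58 demux0
crw-rw---- 1 root video 212,  80 Jul  2 14:58 dvr0
crw-rw-r-- 1 root root  189, 258 Jul  2 14:58 003
brw-rw---- 1 root disk    8,   0 Jul  2 14:58 sda
"""

# Constructed sample syslog excerpt: two kernel audit lines plus an unrelated line.
SAMPLE_SYSLOG = """\
Jul 2 15:09:17 virt-host kernel: [114010.904960] audit: type=1400 audit(1467436157.402:1273): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28339 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs"
Jul 2 15:09:17 virt-host kernel: [114010.904994] audit: type=1400 audit(1467436157.402:1274): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/rpc_pipefs/" pid=28339 comm="mount" fstype="rpc_pipefs" srcname="rpc_pipefs" flags="ro"
Jul 2 15:09:18 virt-host avahi-daemon[1190]: Joining mDNS multicast group on interface veth1XDS50.IPv6
"""

# type, perms, links, owner, group, "major, minor", month, day, time, name
LS_RE = re.compile(r"^([cb])\S{9}\s+\d+\s+\S+\s+\S+\s+(\d+),\s*(\d+)\s+\S+\s+\S+\s+\S+\s+(\S+)$")
# key=value or key="quoted value" fields of an audit record
AUDIT_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_device_rules(config_text):
    """Return (type, major, minor, access) for each lxc.cgroup.devices.allow line."""
    rules = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.cgroup.devices.allow":
            continue
        parts = value.split()
        if parts == ["a"]:  # bare "a": every device, all access
            rules.append(("a", "*", "*", "rwm"))
            continue
        dtype, majmin, access = parts
        major, minor = majmin.split(":")
        rules.append((dtype, major, minor, access))
    return rules


def device_permitted(rules, dtype, major, minor, access):
    """cgroup v1 devices semantics: the first rule matching type/major/minor
    whose access bits include every requested bit grants access; "*" is a wildcard."""
    for rtype, rmajor, rminor, raccess in rules:
        if rtype != "a" and rtype != dtype:
            continue
        if rmajor != "*" and int(rmajor) != major:
            continue
        if rminor != "*" and int(rminor) != minor:
            continue
        if set(access) <= set(raccess):
            return True
    return False


def check_device_nodes(rules, ls_output, access="rw"):
    """Map each device node in `ls -la` output to whether the rules permit `access`."""
    result = {}
    for line in ls_output.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        dtype, major, minor, name = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        result[name] = device_permitted(rules, dtype, major, minor, access)
    return result


def parse_apparmor_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line in a syslog excerpt."""
    events = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in AUDIT_KV.finditer(line):
            fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
        events.append(fields)
    return events


def summarize_denials(events):
    """Count denials by (profile, operation, fstype-or-path) to see what is really blocked."""
    return Counter((e.get("profile"), e.get("operation"), e.get("fstype") or e.get("name"))
                   for e in events)


def device_related(events):
    """Denials whose target path is under /dev, i.e. the ones that could explain a missing node."""
    return [e for e in events if (e.get("name") or "").startswith("/dev/")]


if __name__ == "__main__":
    rules = parse_device_rules(SAMPLE_CONFIG)
    print("device access:", check_device_nodes(rules, SAMPLE_LS))
    events = parse_apparmor_denials(SAMPLE_SYSLOG)
    print("denials:", dict(summarize_denials(events)))
    print("denials touching /dev:", device_related(events))
```

To use it against real data, feed parse_device_rules the container's config and check_device_nodes the output of ls -la /dev/dvb/adapter0 (or /dev/bus/usb/003/) taken on the host. On the sample, every DVB node under major 212 is permitted by the c 212:* rwm rule, while the USB node (major 189) and the block device are not; summarize_denials shows that the constructed audit lines, like the ones in the post, are all mount denials for rpc_pipefs under the lxc-container-default-with-mounting profile, and device_related finds nothing under /dev. Separating those two questions is the check worth making before attributing an absent device node to AppArmor rather than to the device cgroup or the bind mount.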