Hi,

On Mon, Dec 9, 2013 at 4:44 PM, Stéphane Graber <[email protected]> wrote:
> On Mon, Dec 09, 2013 at 04:29:11PM -0500, S.Çağlar Onur wrote:
>> [Forwarding to new lxc-devel as I replied to old sf list]
>>
>>
>> ---------- Forwarded message ----------
>> From: S.Çağlar Onur <[email protected]>
>> Date: Mon, Dec 9, 2013 at 4:26 PM
>> Subject: Re: [lxc-devel] [PATCH] add comments about running unconfined
>> or nesting containers back to ubuntu.common.conf
>> To: Stéphane Graber <[email protected]>
>> Cc: [email protected]
>>
>>
>> Hi Stéphane,
>>
>> On Mon, Dec 9, 2013 at 3:04 PM, Stéphane Graber <[email protected]> wrote:
>> > On Sat, Dec 07, 2013 at 06:04:10PM -0500, S.Çağlar Onur wrote:
>> >> Signed-off-by: S.Çağlar Onur <[email protected]>
>> >
>> > I'll reword the comment a bit to let them know to copy/paste the comment
>> > to the container's config instead of changing it in the common file
>> > which would get overwritten on upgrade and would also affect all
>> > containers.
>>
>> Thanks for doing that.
>>
>> On a separate note, it looks like the /usr/share/lxc/hooks/mountcgroups
>> hook seems to have some issues (but I couldn't find some time to debug
>> further). I migrated my nested containers to the new style config
>> (that's how I realized those comments are gone :P) but now the first
>> start is always failing with "lxc-start: command get_cgroup failed to
>> receive response" error and the one after just works.
>
> Yeah, I've noticed that too... it seems to be related to the way LXC
> sets up its cgroups. I believe I mentioned some issues like that to
> Serge a while back but it's not very high on the todo since our goal is
> to instead have LXC use the new cgroup manager and deprecate that hook
> entirely by the time 1.0 is out.
Oh, I wasn't aware of you planning to finish cgmanager before 1.0, that's great news!

>> [caglar@oOo:~] sudo lxc-ls --fancy
>> NAME STATE IPV4 IPV6
>> ---------------------------
>> raring STOPPED - -
>> saucy STOPPED - -
>>
>> [caglar@oOo:~] sudo cat /var/lib/lxc/raring/config
>> # Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
>> # Parameters passed to the template: --release raring
>> # For additional config options, please look at lxc.conf(5)
>>
>> # Common configuration
>> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>>
>> # Container specific configuration
>> lxc.rootfs = /var/lib/lxc/raring/rootfs
>> lxc.mount = /var/lib/lxc/raring/fstab
>> lxc.utsname = raring
>> lxc.arch = amd64
>>
>> # Network configuration
>> lxc.network.type = veth
>> lxc.network.hwaddr = 00:16:3e:2e:74:e4
>> lxc.network.flags = up
>> lxc.network.link = lxcbr0
>>
>> lxc.aa_profile = unconfined
>> lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
>>
>> [caglar@oOo:~] sudo lxc-start -d -n raring
>> lxc-start: command get_cgroup failed to receive response
>>
>> [caglar@oOo:~] sudo lxc-ls --fancy
>> NAME STATE IPV4 IPV6
>> ---------------------------
>> raring STOPPED - -
>> saucy STOPPED - -
>>
>> [caglar@oOo:~] sudo lxc-start -d -n raring
>>
>> [caglar@oOo:~] sudo lxc-ls --fancy
>> NAME STATE IPV4 IPV6
>> -------------------------------------------
>> raring RUNNING 10.0.3.204, 10.0.4.1 -
>> saucy STOPPED - -
>> [caglar@oOo:~]
>>
>> And also nothing cleans up the cgroup entries, but I'm not sure whether
>> that was always the case or not.
>>
>> [caglar@oOo:~] find /sys/fs/cgroup/ -name "raring*"
>> /sys/fs/cgroup/systemd/lxc/raring
>> /sys/fs/cgroup/systemd/lxc/raring/raring.real
>> /sys/fs/cgroup/hugetlb/lxc/raring-1
>> /sys/fs/cgroup/hugetlb/lxc/raring
>> /sys/fs/cgroup/hugetlb/lxc/raring/raring.real
>> /sys/fs/cgroup/perf_event/lxc/raring-1
>> /sys/fs/cgroup/perf_event/lxc/raring
>> /sys/fs/cgroup/perf_event/lxc/raring/raring.real
>> /sys/fs/cgroup/blkio/lxc/raring-1
>> /sys/fs/cgroup/blkio/lxc/raring
>> /sys/fs/cgroup/blkio/lxc/raring/raring.real
>> /sys/fs/cgroup/freezer/lxc/raring-1
>> /sys/fs/cgroup/freezer/lxc/raring
>> /sys/fs/cgroup/freezer/lxc/raring/raring.real
>> /sys/fs/cgroup/devices/lxc/raring-1
>> /sys/fs/cgroup/devices/lxc/raring
>> /sys/fs/cgroup/devices/lxc/raring/raring.real
>> /sys/fs/cgroup/memory/lxc/raring-1
>> /sys/fs/cgroup/memory/lxc/raring
>> /sys/fs/cgroup/memory/lxc/raring/raring.real
>> /sys/fs/cgroup/cpuacct/lxc/raring-1
>> /sys/fs/cgroup/cpuacct/lxc/raring
>> /sys/fs/cgroup/cpuacct/lxc/raring/raring.real
>> /sys/fs/cgroup/cpu/lxc/raring-1
>> /sys/fs/cgroup/cpu/lxc/raring
>> /sys/fs/cgroup/cpu/lxc/raring/raring.real
>> /sys/fs/cgroup/cpuset/lxc/raring-1
>> /sys/fs/cgroup/cpuset/lxc/raring
>> /sys/fs/cgroup/cpuset/lxc/raring/raring.real
>>
>> [caglar@oOo:~] sudo lxc-stop -n raring
>>
>> [caglar@oOo:~] find /sys/fs/cgroup/ -name "raring*"
>> /sys/fs/cgroup/systemd/lxc/raring
>> /sys/fs/cgroup/systemd/lxc/raring/raring.real
>> /sys/fs/cgroup/hugetlb/lxc/raring
>> /sys/fs/cgroup/hugetlb/lxc/raring/raring.real
>> /sys/fs/cgroup/perf_event/lxc/raring
>> /sys/fs/cgroup/perf_event/lxc/raring/raring.real
>> /sys/fs/cgroup/blkio/lxc/raring
>> /sys/fs/cgroup/blkio/lxc/raring/raring.real
>> /sys/fs/cgroup/freezer/lxc/raring
>> /sys/fs/cgroup/freezer/lxc/raring/raring.real
>> /sys/fs/cgroup/devices/lxc/raring
>> /sys/fs/cgroup/devices/lxc/raring/raring.real
>> /sys/fs/cgroup/memory/lxc/raring
>> /sys/fs/cgroup/memory/lxc/raring/raring.real
>> /sys/fs/cgroup/cpuacct/lxc/raring
>>
/sys/fs/cgroup/cpuacct/lxc/raring/raring.real >> /sys/fs/cgroup/cpu/lxc/raring >> /sys/fs/cgroup/cpu/lxc/raring/raring.real >> /sys/fs/cgroup/cpuset/lxc/raring >> /sys/fs/cgroup/cpuset/lxc/raring/raring.real >> >> > Acked-by: Stéphane Graber <[email protected]> >> > >> >> --- >> >> config/templates/ubuntu.common.conf.in | 7 +++++++ >> >> 1 file changed, 7 insertions(+) >> >> >> >> diff --git a/config/templates/ubuntu.common.conf.in >> >> b/config/templates/ubuntu.common.conf.in >> >> index 8c61033..1195175 100644 >> >> --- a/config/templates/ubuntu.common.conf.in >> >> +++ b/config/templates/ubuntu.common.conf.in 
>> >> @@ -17,6 +17,13 @@ lxc.pts = 1024 >> >> # Default capabilities >> >> lxc.cap.drop = sys_module mac_admin mac_override sys_time >> >> >> >> +# When using LXC with apparmor, uncomment the next line to run >> >> unconfined: >> >> +#lxc.aa_profile = unconfined >> >> + >> >> +# To support container nesting on an Ubuntu host, uncomment next two >> >> lines: >> >> +#lxc.aa_profile = lxc-container-default-with-nesting >> >> +#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups >> >> + >> >> # Default cgroup limits >> >> lxc.cgroup.devices.deny = a >> >> ## Allow any mknod (but not using the node) >> >> -- >> >> 1.8.3.2 >> >> >> >> >> >> ------------------------------------------------------------------------------ >> >> Sponsored by Intel(R) XDK >> >> Develop, test and display web and hybrid apps with a single code base. >> >> Download it for free now! >> >> http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk >> >> _______________________________________________ >> >> lxc-devel mailing list >> >> [email protected] >> >> https://lists.sourceforge.net/lists/listinfo/lxc-devel >> > >> > -- >> > Stéphane Graber >> > Ubuntu developer >> > http://www.ubuntu.com >> >> >> -- >> S.Çağlar Onur <[email protected]> >> _______________________________________________ >> lxc-devel mailing list >> [email protected] >> http://lists.linuxcontainers.org/listinfo/lxc-devel > > -- > Stéphane Graber > Ubuntu developer > http://www.ubuntu.com > > _______________________________________________ > lxc-devel mailing list > [email protected] > http://lists.linuxcontainers.org/listinfo/lxc-devel > -- S.Çağlar Onur <[email protected]> _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
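Review bot: the comment text added in the `@@ -17,6 +17,13 @@` hunk ("uncomment the next line to run unconfined" / "uncomment next two lines") tells the reader to edit ubuntu.common.conf.in itself, but as the reply above notes that file is included by every Ubuntu container and is overwritten on package upgrade, so the comment should instead say to copy the relevant line(s) into the individual container's config (for example `/var/lib/lxc/<name>/config`) and set them there. Since both options lower confinement (`lxc.aa_profile = unconfined` drops AppArmor entirely, and `lxc-container-default-with-nesting` together with the `mountcgroups` hook exposes cgroup mounts to the container), a short clause saying so would help admins enable them per container deliberately rather than globally. Minor wording: "uncomment next two lines" should read "uncomment the next two lines".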
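As an added example (not code from the lxc project or from anyone in this thread), the following audit parses the `key = value` config format shown above, follows `lxc.include` the way the quoted container config does, and flags the confinement-lowering settings the patch comments describe: `lxc.aa_profile = unconfined`, the `-with-nesting` profile, the `mountcgroups` hook, and a missing `lxc.cap.drop`. The config files are constructed in an in-memory dict so it runs offline; on a real host you would read them with `open()` instead.

```python
from typing import Dict, List, Tuple

# Constructed sample files mirroring the container config quoted in the thread
# (not real files on any host; the paths are the ones the thread shows).
FILES: Dict[str, str] = {
    "/usr/share/lxc/config/ubuntu.common.conf": (
        "lxc.cap.drop = sys_module mac_admin mac_override sys_time\n"
        "lxc.cgroup.devices.deny = a\n"
    ),
    "/var/lib/lxc/raring/config": (
        "# Common configuration\n"
        "lxc.include = /usr/share/lxc/config/ubuntu.common.conf\n"
        "lxc.utsname = raring\n"
        "lxc.aa_profile = unconfined\n"
        "lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups\n"
    ),
}

def parse_config(path: str, files: Dict[str, str], depth: int = 0) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order, expanding lxc.include in place."""
    if depth > 8:  # include loops would otherwise recurse forever
        raise ValueError("lxc.include nesting too deep at " + path)
    pairs: List[Tuple[str, str]] = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not a key = value assignment
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.include":
            pairs.extend(parse_config(value, files, depth + 1))
        else:
            pairs.append((key, value))
    return pairs

def audit(pairs: List[Tuple[str, str]]) -> List[str]:
    """List settings that weaken confinement; the last assignment of a key wins."""
    effective = dict(pairs)
    findings: List[str] = []
    profile = effective.get("lxc.aa_profile", "")
    if profile == "unconfined":
        findings.append("AppArmor confinement disabled: lxc.aa_profile = unconfined")
    elif profile.endswith("-with-nesting"):
        findings.append("nesting AppArmor profile in use: lxc.aa_profile = " + profile)
    hook = effective.get("lxc.hook.mount", "")
    if hook.endswith("/mountcgroups"):
        findings.append("mountcgroups nesting hook enabled: lxc.hook.mount = " + hook)
    if "lxc.cap.drop" not in effective:
        findings.append("no lxc.cap.drop: container keeps every capability")
    return findings
```

Running `audit(parse_config("/var/lib/lxc/raring/config", FILES))` reports the unconfined profile and the mountcgroups hook for the quoted container, while the shared common file on its own reports nothing.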
