On 02/07/16 13:40, Serge E. Hallyn wrote:
On Sat, Jul 02, 2016 at 01:24:44PM +1000, rob e wrote:
On 02/07/16 12:41, Serge E. Hallyn wrote:
Quoting rob e (redger...@yahoo.com.au):
On 02/07/16 12:14, Serge E. Hallyn wrote:
hi Serge,
with JUST those clauses (and no cgroup set clauses) ... it sort of
works. Initial messages are cleared from the console(?) leaving just
the shutdown messages. But it does get to a login prompt
D'oh.  Thanks for your patience.  I see the bug.  I'll post a
PR for a fix.  I'm surprised so few people run into this.  But
as a workaround just add ",devices" to the end of the pam_cgfs
line in /etc/pam.d/common-session.

sorry about this ... didn't work. Tried 2 forms of Pam clause & 2
forms of config

------------------------------------------------------
PAM line
session optional        pam_cgfs.so -c freezer,memory,name=systemd,cpuset,devices
Just to make sure, did you log back in after this?  What does /proc/self/cgroup
look like?


hmmm ... Now I tried the TAP TUN device (for openvpn & proxy server)
.... FAILED .. on CPUSET
Nope, cpu and cpuset are actually two different controllers.  It's failing on
cpu.shares in the cpu controller.

Note, I think you'll be happiest if you just drop the "-c xxxxx" from
/etc/pam.d/common-session.  That will tell pam_cgfs to use all controllers.

-serge

That was Better !  CPU and Memory constraints now don't cause failure :)

-----------------------------------------------------------------------------------
Tried VPN ... TAP / TUN FAILED. Container starts, but unable to create device (where this worked on Trusty)

openvpn will not start ... looks like an AppArmor issue. Is this your department ?

messages on host syslog.log

Jul 2 14:21:35 virt-host kernel: [111148.961739] IPv6: ADDRCONF(NETDEV_CHANGE): vethS3C86K: link becomes ready
Jul 2 14:21:35 virt-host kernel: [111148.961777] lxcbr0: port 3(vethS3C86K) entered forwarding state
Jul 2 14:21:35 virt-host kernel: [111148.961785] lxcbr0: port 3(vethS3C86K) entered forwarding state
Jul 2 14:21:35 virt-host kernel: [111149.061396] audit: type=1400 audit(1467433295.584:1118): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-mounting" name="/" pid=25762 comm="cgmanager" flags="rw, rprivate"
Jul 2 14:21:35 virt-host kernel: [111149.061437] audit: type=1400 audit(1467433295.584:1119): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/blkio/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="blkio"
Jul 2 14:21:35 virt-host kernel: [111149.061447] audit: type=1400 audit(1467433295.584:1120): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/cpu/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="cpu"
Jul 2 14:21:35 virt-host kernel: [111149.061457] audit: type=1400 audit(1467433295.584:1121): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/cpuacct/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="cpuacct"
Jul 2 14:21:35 virt-host kernel: [111149.061466] audit: type=1400 audit(1467433295.584:1122): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/cpuset/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="cpuset"
Jul 2 14:21:35 virt-host kernel: [111149.061475] audit: type=1400 audit(1467433295.584:1123): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/devices/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="devices"
Jul 2 14:21:35 virt-host kernel: [111149.061484] audit: type=1400 audit(1467433295.584:1124): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/freezer/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="freezer"
Jul 2 14:21:35 virt-host kernel: [111149.061492] audit: type=1400 audit(1467433295.584:1125): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/hugetlb/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="hugetlb"
Jul 2 14:21:35 virt-host kernel: [111149.061501] audit: type=1400 audit(1467433295.584:1126): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/memory/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="memory"
Jul 2 14:21:35 virt-host kernel: [111149.061510] audit: type=1400 audit(1467433295.584:1127): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/net_cls/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="net_cls"
Jul 2 14:21:35 virt-host libvirtd[32021]: Failed to open file '/sys/class/net/vethS3C86Kp/operstate': No such file or directory
Jul 2 14:21:35 virt-host libvirtd[32021]: unable to read: /sys/class/net/vethS3C86Kp/operstate: No such file or directory
Jul 2 14:21:37 virt-host avahi-daemon[1190]: Joining mDNS multicast group on interface vethS3C86K.IPv6 with address fe80::fc29:c4ff:fe45:3afa.
Jul 2 14:21:37 virt-host avahi-daemon[1190]: New relevant interface vethS3C86K.IPv6 for mDNS.
Jul 2 14:21:37 virt-host avahi-daemon[1190]: Registering new address record for fe80::fc29:c4ff:fe45:3afa on vethS3C86K.*.
Jul 2 14:21:50 virt-host kernel: [111164.003628] lxcbr0: port 3(vethS3C86K) entered forwarding state
J
-----------------------------------------------------------------------------------

and will have to wait a while to test USB-DVB passthrough - currently allocated to kvm machine and in use, would prefer to use lxc / lxd

(didn't work too well with LXD .. passes through ok, Frontend device works but DMUX device inoperable, though it's present - will write a separate stream on this one. Possible it's also AppArmor mediated)

R
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
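
A way to condense the AppArmor denials in the host log quoted in the thread, as an added example that is not part of the original messages: it parses kernel audit lines and groups the denied objects by profile, operation and reason. The function names are hypothetical and the sample lines are constructed in the format of the log in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the host syslog quoted in the thread.
SAMPLE = '''\
Jul 2 14:21:35 virt-host kernel: [111149.061396] audit: type=1400 audit(1467433295.584:1118): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-mounting" name="/" pid=25762 comm="cgmanager" flags="rw, rprivate"
Jul 2 14:21:35 virt-host kernel: [111149.061437] audit: type=1400 audit(1467433295.584:1119): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/blkio/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="blkio"
Jul 2 14:21:35 virt-host kernel: [111149.061447] audit: type=1400 audit(1467433295.584:1120): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-with-mounting" name="/run/cgmanager/fs/cpu/" pid=25762 comm="cgmanager" fstype="cgroup" srcname="cpu"
Jul 2 14:21:50 virt-host kernel: [111164.003628] lxcbr0: port 3(vethS3C86K) entered forwarding state
'''

# "audit(<epoch>:<serial>): key=value key="quoted value" ..."
AUDIT_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<body>.*)$')
# A value is either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: (q if q else bare) for k, q, bare in FIELD_RE.findall(m.group("body"))}
    if fields.get("apparmor") != "DENIED":
        return None
    fields["serial"] = int(m.group("serial"))
    return fields


def summarize(text):
    """Group denied object names by (profile, operation, info)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            groups[(d.get("profile"), d.get("operation"), d.get("info"))].append(d.get("name"))
    return dict(groups)


if __name__ == "__main__":
    for (profile, op, info), names in summarize(SAMPLE).items():
        print(f"{profile}: {op} denied ({info}) on {len(names)} object(s): {', '.join(names)}")
```
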
