Re: [Lxc-users] New Kernel 2.6.35 from Ubuntu PPA

Quoting Osvaldo Filho (arquivos...@gmail.com):
> This is a question.

It is?

-serge

--
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] port numbers for containers

Quoting Nirmal Guhan (vavat...@gmail.com):
> Hi,
> Want to know if port numbers are virtualized for containers or do the containers and host share the port space? Please let me know.

Wrong layer. If the container shares a network namespace with the host, then it shares its networking. If it has its own network namespace, then it has its own entire network stack. So no, 'port space' isn't virtualized vs. shared, but the network devices are.

Re: [Lxc-users] can't restart container without rebooting entire host, because can't delete cgroups files, tasks is 0

Quoting Brian K. White (br...@aljex.com):
> But also, since upgrading to kernel 2.6.36 (and already using lxc 0.7.2) I haven't had to delete any cgroups manually anyways. It's probably not my release_agent because I just noticed I didn't have a working release_agent (no output in its log, probably because the script wasn't chmod 755). It's only been a couple days and only a few starts/stops while working on a new start/stop/status init script though.

Hm, really? Can you please let me know if that continues to be the case? If it is, then I won't bother with a patch for lxc. Really, since it'll drop ns cgroup support anyway, I suppose the patch might not be worthwhile anyway.

(I ran my test on a 2.6.35 kernel)

Re: [Lxc-users] lxc.mount and mount.entry not working

Quoting Geordy Korte (gko...@gmail.com):
> This basically tells me that pivot_root is umounting the mount I just made. Can anyone help me with this??? I have also tried putting the mount inside the fstab for the container but same problem.

Have you entered the container to verify?

I would have guessed that the unmounting is just a part of unmounting the *old* fs tree. You have /var/lib/lxc, under which is the container's rootfs, and the debug tells you that the original / is left under /var/lib/lxc/mnt. Meaning that after the pivot_root, you have '/' as the container's root (the old /var/lib/lxc), and '/mnt' containing the old '/'. Now lxc recursively unmounts /mnt. It's just a part of the pivot_root procedure. (see man 8 pivot_root)

Re: [Lxc-users] lxc.mount.entry denied mount permission for -t ext4?

You have:

lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 4:* rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 254:0 rm

Is your /dev/omega/squid device perhaps a blacklisted device?

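As an added check, not something from the thread, the script below decides whether a given device is covered by a set of lxc.cgroup.devices.allow rules, using the rule list quoted above as constructed input. The function name device_allowed and the "key = value" spacing it expects are assumptions of the example; it shows why an LVM volume, which is a block device, is not granted by any of the "c" rules above, whatever its major:minor is.

```shell
#!/bin/sh
# Answer "is this device covered by my devices.allow rules?" without starting the container.
# Rule set constructed from the configuration quoted above (one rule per line).
DEVICES_ALLOW='lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 4:* rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 254:0 rm'

# device_allowed TYPE MAJOR MINOR ACCESS [RULES]
#   TYPE is b (block) or c (char); ACCESS is the access wanted, a subset of "rwm".
#   Prints the first rule that grants all of ACCESS and returns 0; returns 1 when no rule does.
#   Only "key = value" lines with spaces around "=" are recognised, as in the config above.
#   A bare "lxc.cgroup.devices.allow = a" means every device with every access.
device_allowed() {
    dtype=$1; major=$2; minor=$3; access=$4
    rules=${5:-$DEVICES_ALLOW}
    printf '%s\n' "$rules" | awk -v t="$dtype" -v M="$major" -v m="$minor" -v a="$access" '
        $1 == "lxc.cgroup.devices.allow" && $2 == "=" {
            rtype = $3; racc = $5
            if ($4 == "") { mm[1] = "*"; mm[2] = "*" } else split($4, mm, ":")
            if (racc == "") racc = "rwm"
            if (rtype != "a" && rtype != t) next            # "a" matches any type
            if (mm[1] != "*" && mm[1] != M) next             # major, "*" is a wildcard
            if (mm[2] != "*" && mm[2] != m) next             # minor, same
            ok = 1                                           # every wanted access char must be granted
            for (i = 1; i <= length(a); i++)
                if (index(racc, substr(a, i, 1)) == 0) ok = 0
            if (ok) { print; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# The thread's question: an LVM volume is a block device, so none of the "c" rules above cover it.
device_allowed b 252 0 rwm >/dev/null || echo "block device 252:0 is not allowed by any rule"
```

Run it against a real config with `device_allowed b 252 0 rwm "$(grep devices.allow /var/lib/lxc/NAME/config)"`; a silent exit status of 1 is the "blacklisted device" answer.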
Re: [Lxc-users] How make top, meminfo etc. to show the limits of the container?

Quoting atp (andrew.phill...@lmax.com):
> Hi,
> It's not as simple as it seems. What you're asking for is to selectively hide or modify what gets shown to container processes by the /proc file system. In other words making /proc container aware.
> /proc is already partially there - with the pid namespace, but not for ram and cpus. We've tried a couple of approaches - FUSE based overlay file system etc - and at the last lxc dev call the way forward was proposed as being an in kernel file system integrated with the cgroups subsystem, bind mounted to the container's /proc.
> At the moment, the containers I'm running adopt a far more hacky solution to this by patching the /proc filesystem itself. Patch for cpu limiting proc stat is at:
> http://www.tinola.com/lxc/

Sentiments in the kernel community tend to change profoundly over any 3 year period. I think it's worth floating patches like your proc patch on lkml for review.

-serge

Re: [Lxc-users] [PATCH 1/1] Update ubuntu templates

Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> On 01/21/2011 06:10 PM, Serge Hallyn wrote:
>> Rename 'ubuntu' template to 'lucid'
>>
>> Add new maverick and natty templates, which do much less tweaking of the environment. These should only be used on a kernel which supports sysfs tagging for /sys/class/net, as udev will be running in the container.
>>
>> The natty template needed to slightly change the installed packages for dhclient to be correctly installed.
>>
>> Signed-off-by: Serge Hallyn <serge.hal...@canonical.com>
>> ---
>
> While playing with natty and maverick containers I noticed at startup the udev events are broadcast to all the udev daemons running on the host and the containers. IMO that should not occur. I am looking at the lib/kobject_udev.c and net/af_netlink.c and I suspect there is a bug with the broadcast filtering of the events ...

When I was testing on natty I was pretty sure I only saw syslog entries for the container, not the host - but I may not have been looking for the right thing. What exactly did you see?

thanks,
-serge

Re: [Lxc-users] native (non-NAT) routing?

Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
> On Mon 2011-04-04 (19:35), Ulli Horlacher wrote:
>> My first Ubuntu 10.04 container is up and running on a Ubuntu 10.04 host, but the container can only connect to the host (and vice versa), but not to the world outside.
>
> I found a workaround: I have added an extra ethernet card dedicated to the container.

If you're happy with what you've got, great. If you'd like to figure out what went wrong originally, I suspect the answer might lie in the results of 'brctl show'.

-serge

Re: [Lxc-users] Can't execute lxc-execute /bin/bash

Quoting Krzysztof Karwacki (krzys...@motokirc.pl):
> Hi!
> I compiled procfs from lxc sources, but when I want to lxc-execute -n vm0 /bin/bash I've got an error.
>
> root@debian:~# lxc-execute -n vm0 /bin/bash
> lxc-execute: No such file or directory - failed to exec /usr/lib/lxc/lxc-init

Does /usr/lib/lxc/lxc-init exist on the host?

When I've played with custom templates based off the ssh template, I've had similar troubles, and I think I usually ended up putting lxc-init onto the guest.

-serge

Re: [Lxc-users] lxc-start eats eth1

Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
> On Tue 2011-04-12 (09:19), Ulli Horlacher wrote:
>> I use lxc with physical eth1. I can start the container, connect to it, etc. Everything looks ok. But when I stop the container and try to restart it, eth1 is no more available. Looks like lxc eats this interface. How can I free it (without rebooting the host (zoo))?
>
> Addon: This was with kernel 2.6.35-25-virtual

Could you try a newer kernel? 2.6.32 is expected to fail entirely because it did not support physical NICs in containers. I seem to recall some churn about how to handle devices when a netns is destroyed. At one point they were moved back to the initial netns. If the behavior you're seeing with 2.6.35-25-virtual is still happening with 2.6.39, then lxc will need to work around that by moving the nic back to the host netns before shutting down the container (or kernel behavior fixed/changed).

thanks,
-serge

Re: [Lxc-users] Two Questions: UID Privilege Isolation. Prevent cgroup mount in VM

Quoting sanjay (genacct...@gmail.com):
> Hi!
> I am new to the technology and thread. I have two basic questions, hope you can provide some guidance.
>
> 1. UID Privilege Isolation.
> ~ If I understand it right, currently if a host-uid and guest-uid have the same numerical value, they essentially have the same file access privilege. Posting from 01/14/11 indicated that a patchset related to 'user namespace' is in works to address this issue. Link in the LXC home/user indicated two possible approaches are being considered. I was wondering if there has been any conclusion on this front?

I don't know what link you mean. There is a clear roadmap, there is plenty of work to be done.

> 2. Guest modifying its own cgroup
> It appears that from a guest one can mount the cgroup and modify its own constraints specified in the cgroup. Is there a way I can prevent a guest from doing so?

LSM

-serge

Re: [Lxc-users] Container inside an ESX VM

Quoting Mauras Olivier (oliver.mau...@gmail.com):
> Hello,
> I'm struggling for two days now with some completely weird network behaviours. My host is a virtual machine hosted on an ESX farm. I planned to deploy several containers on it to achieve various tasks. Host is running Scientific Linux 6 with default kernel (2.6.32), and my container is an Oracle Linux 6.
> I discovered that I had to change ESX vswitch settings to allow promiscuous mode in order to make the host bridge correctly behave, but it still gives me weird results. Most of the time after having started the container, network inside the container is erratic. I can ping or ssh from the host to the container, but nothing gets out of the container or in the container from the LAN. While the container is still running, if I issue a network restart on the host, the container starts behaving correctly and network works again as expected. The problem is that it's not reliable at all. If I stop/restart the container several times, it starts losing network again that I can only get back by issuing the network restart on the host...

Just a thought, advised by previous libvirt troubles. Can you look at the mac addresses on the VMWare guest? Check that the eth0 on the vmware guest (i.e. container host) is always lower than that of the veths in the guests.

-serge

Re: [Lxc-users] Lxc-attach status update?

Quoting Christoph Mitasch (cmita...@thomas-krenn.com):
> Hi,
> I would really love to see the patch applied to latest Ubuntu natty kernel to have lxc-attach working again. Is this on the way?

Natty is closed. This patch isn't going into natty. If Daniel resends the patchset, I'll happily post a natty kernel with the patch in a ppa.

-serge

Re: [Lxc-users] Lxc-attach status update?

Quoting Greg Kurz (gk...@fr.ibm.com):
> On Wed, 2011-04-27 at 08:47 -0500, Serge Hallyn wrote:
>> Quoting Christoph Mitasch (cmita...@thomas-krenn.com):
>>> Hi,
>>> I would really love to see the patch applied to latest Ubuntu natty kernel to have lxc-attach working again. Is this on the way?
>>
>> Natty is closed. This patch isn't going into natty. If Daniel resends the patchset, I'll happily post a natty kernel with the patch in a ppa.
>>
>> -serge
>
> I think Daniel is on vacations (spring break in France). The latest patches for setns can be found here AFAIK:
> http://kernel.ubuntu.com/git?p=dlezcano/ubuntu-natty.git/.git

Thanks, Greg, I'll create a package based on that and put it into my lxc-natty ppa.

-serge

Re: [Lxc-users] Lxc-attach status update?

Quoting Christoph Mitasch (cmita...@thomas-krenn.com):
> Hi Serge,
> great if you can create packages for Natty.

Kernel is built in ppa:serge-hallyn/lxc-natty (https://launchpad.net/~serge-hallyn/+archive/lxc-natty)

I've not tested it, but it should be precisely the same as Daniel's.

-serge

Re: [Lxc-users] mapping host PID - container PID

Quoting Greg Kurz (gk...@fr.ibm.com):
> On Thu, 2011-04-28 at 09:41 -0500, Serge Hallyn wrote:
>> Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
>>> Is there a way to get the corresponding host PID for a container PID? For example: inside the container the process init always has PID 1. But what PID has this process in the host process table? ps aux | grep ... is not what I am looking for, I want a more robust solution.
>>
>> There is nothing that gives you a 100% guaranteed correct race-free correspondence right now. You can look under /proc/pid/root/proc/ to see the pids valid in the container, and you can relate output of lxc-ps --forest to ps --forest output. But nothing under /proc that I know of tells you this task is the same as that task. You can't even look at /proc/pid inode numbers since they are different filesystems for each proc mount.
>>
>> It's tempting to say that we should put a per-task unique id under /proc/pid for each task. However that would likely be nacked because it introduces a new namespace of its own.
>
> An alternative could be to expose the container pid in /proc/pid/status. Could such a patch make it to mainline?

Potentially. With the seccomp+ftrace patchset there was some pushback against adding its info to /proc/pid/status, but that tossed potentially much more info in (a list of filters). Anyway, if there is a complaint about that with this patch, then we can just find somewhere else to put it.

The nice thing about this is that it avoids introducing a new namespace - since we should only see this value for our own or child pid namespaces, and those will be preserved across c/r, this is actually a safe thing to export. So let's try to push this.

Acked-by: Serge Hallyn <serge.hal...@ubuntu.com>

Thanks, Greg.

-serge

> --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -337,6 +337,12 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task) seq_putc(m, '\n'); } +static void task_vpid(struct seq_file *m, struct task_struct *task) +{ + struct pid_namespace *ns = task_active_pid_ns(task); + seq_printf(m, Vpid:\t%d\n, ns ? task_pid_nr_ns(task, ns) : 0); +} + int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { @@ -354,6 +360,7 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, task_cpus_allowed(m, task); cpuset_task_status_allowed(m, task); task_context_switch_counts(m, task); + task_vpid(m, task); return 0; }
>
> Signed-off-by: Greg Kurz <gk...@fr.ibm.com>

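Review bot: in the task_vpid hunk the printed number does not depend on who is reading /proc: task_active_pid_ns(task) is the task's own innermost namespace, so the `ns ? task_pid_nr_ns(task, ns) : 0` fallback only fires for a task that has already dropped its pid, and a reader whose namespace is not an ancestor of the task's would not get the 0 that the rest of this thread assumes. If 0 is wanted in that case, the reader's namespace is already available as the `ns` argument of proc_pid_status; walking the parent chain of task_active_pid_ns(task) and printing the value only when that chain reaches the reader's `ns` would give the intended "own or descendant namespaces only" behaviour. Also, as the hunk reads here the format string `Vpid:\t%d\n` carries no quotes and would not compile, so it is worth checking that the quoting survived the mail.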
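Review bot: the second hunk adds a new line to /proc/<pid>/status but the patch touches only fs/proc/array.c; the status field table in Documentation/filesystems/proc.txt should gain a `Vpid` entry stating which namespace the number is relative to, since the name alone does not say, and it is the natural place to document the `Container_init:` companion field that is proposed later in this thread.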
Re: [Lxc-users] mapping host PID - container PID

Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> On 05/03/2011 05:36 PM, Greg Kurz wrote:
>> On Thu, 2011-04-28 at 09:41 -0500, Serge Hallyn wrote:
>>> Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
>>>> Is there a way to get the corresponding host PID for a container PID? For example: inside the container the process init always has PID 1. But what PID has this process in the host process table? ps aux | grep ... is not what I am looking for, I want a more robust solution.
>>>
>>> There is nothing that gives you a 100% guaranteed correct race-free correspondence right now. You can look under /proc/pid/root/proc/ to see the pids valid in the container, and you can relate output of lxc-ps --forest to ps --forest output. But nothing under /proc that I know of tells you this task is the same as that task. You can't even look at /proc/pid inode numbers since they are different filesystems for each proc mount.
>>>
>>> It's tempting to say that we should put a per-task unique id under /proc/pid for each task. However that would likely be nacked because it introduces a new namespace of its own.
>>
>> An alternative could be to expose the container pid in /proc/pid/status. Could such a patch make it to mainline?
>>
>> --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -337,6 +337,12 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task) seq_putc(m, '\n'); } +static void task_vpid(struct seq_file *m, struct task_struct *task) +{ +struct pid_namespace *ns = task_active_pid_ns(task); +seq_printf(m, Vpid:\t%d\n, ns ? task_pid_nr_ns(task, ns) : 0); +} + int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task) { @@ -354,6 +360,7 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns, task_cpus_allowed(m, task); cpuset_task_status_allowed(m, task); task_context_switch_counts(m, task); +task_vpid(m, task); return 0; }
>>
>> Signed-off-by: Greg Kurz <gk...@fr.ibm.com>
>
> I think we should propose this patch for mainline inclusion.
>
> The vpid does not give, by itself, enough information for the pid namespace. How can we rebuild a pid ns tree? I guess we can look for the vpid 1 as the root node of the process tree, no?

You mean find pid 1 for the task's container, and print out its pid in current's pid_ns, i.e.

Container_init: pid

That'd be very useful, and, again, does not AFAICS risk introducing a new namespace.

> Otherwise:
>
> Acked-by: Daniel Lezcano <daniel.lezc...@free.fr>

Re: [Lxc-users] mapping host PID - container PID

Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> Yes. And I think the positive side effect is we can determine if the pid belongs to the same pid namespace as the current one when the container_init is 1, no?

Yup. (Presumably if one happens to access a /proc for a non-descendent pid-namespace, we'll print 0 for both the vpid and the container_init pid)

Sounds great, thanks guys.

-serge

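An added example, not part of this thread: on kernels that print an NSpid line in /proc/<pid>/status (Linux 4.1 and later, an assumption about the host; that field is the later form of the Vpid idea discussed here) the host-to-container pid mapping Ulli asked for can be read directly, and the "container_init" test Daniel proposes falls out of the same line. The three status excerpts are constructed, not captured; nspid_innermost, nspid_depth, is_container_init, container_pid and host_pid are names chosen for the example.

```shell
#!/bin/sh
# Map a host pid to the pid the container sees, using the NSpid line that later kernels (4.1+) put in
# /proc/<pid>/status: first the pid as the reader's namespace sees it, then one more per nested namespace.
# The three status excerpts below are constructed, not captured from a host.
STATUS_HOST_INIT=$(printf 'Name:\tinit\nPid:\t1\nNSpid:\t1\n')
STATUS_CONTAINER_INIT=$(printf 'Name:\tinit\nPid:\t4242\nNSpid:\t4242\t1\n')
STATUS_CONTAINER_TASK=$(printf 'Name:\tsshd\nPid:\t4300\nNSpid:\t4300\t17\n')

# nspid_innermost STATUS: the pid in the task's own (innermost) pid namespace, what the thread calls vpid.
nspid_innermost() {
    printf '%s\n' "$1" | awk '$1 == "NSpid:" { print $NF; exit }'
}

# nspid_depth STATUS: 1 when the task is in the reader's own namespace, 2 one level down, and so on.
nspid_depth() {
    printf '%s\n' "$1" | awk '$1 == "NSpid:" { print NF - 1; exit }'
}

# is_container_init STATUS: the Container_init idea from the thread: innermost pid 1 in a nested namespace.
is_container_init() {
    [ "$(nspid_innermost "$1")" = 1 ] && [ "$(nspid_depth "$1")" -gt 1 ]
}

# container_pid HOST_PID: live lookup on a host whose kernel exposes NSpid (assumption stated above).
container_pid() {
    nspid_innermost "$(cat "/proc/$1/status")"
}

# host_pid INIT_HOST_PID CONTAINER_PID: the reverse mapping. A container pid only means something together
# with its namespace, so first match /proc/<pid>/ns/pid (same inode, same namespace), then the NSpid value.
host_pid() {
    init=$1; want=$2
    ns=$(stat -L -c %i "/proc/$init/ns/pid") || return 1
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        [ "$(stat -L -c %i "$d/ns/pid" 2>/dev/null)" = "$ns" ] || continue
        [ "$(container_pid "$p" 2>/dev/null)" = "$want" ] || continue
        echo "$p"
        return 0
    done
    return 1
}
```

On a live host `host_pid "$(lxc-info -n NAME -p | awk '{print $2}')" 17` answers the original question without grepping ps output; a task in a grandchild namespace is excluded because its ns/pid inode differs from the container init's.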
Re: [Lxc-users] Making LXC accept an already open network interface—or other options

Quoting David Serrano (dserra...@gmail.com):
> Hi,
> At $work we're currently using KVM and setting it up so that it uses a previously opened TAP interface: 'kvm -net tap,fd=3'. This way, we are able to create the interface and set up a couple of ebtables filters on it before going on.
> Now, we would like to do the same with LXC. After taking a look at the documentation I don't think LXC is able to get the interface from a given FD, so I guess I should look for a workaround. I see there's a message in the LXC log that says «instanciated veth 'vethC1zCUS/vethtCn0zY'» but the relevant container doesn't appear in the same line. Yes it's in the previous line but relying on that is prone to race conditions. Moreover, reading from a debug log isn't elegant at all...
> Do I have other options I haven't considered?

Best would be to patch the LXC code to do this, and send the patch upstream. But first, for testing and $firebrigade purposes, the way to do this by hand would be to write your own our_lxc_start.sh script which does something like

#!/bin/sh
devs=`ls /sys/class/net/veth*`
ip link add type veth
newdevs=`ls /sys/class/net/veth*`
# Get the intersection of $devs and $newdevs
# Attach $dev1 to your bridge
lxc-start -n mycontainer # mycontainer has no network
# get PID as the init pid of mycontainer
ip link set $dev2 netns $PID
# now from your mycontainer console, configure $dev2 which is now in the container
# you can rename it to eth0 in the container as ip link set $dev2 name eth0

Something like that. Patching lxc-start to take an extra command line argument saying 'use this fd' shouldn't be a big deal.

-serge

Re: [Lxc-users] Making LXC accept an already open network interface—or other options

Quoting David Serrano (dserra...@gmail.com):
> On Mon, May 9, 2011 at 14:52, Serge Hallyn <serge.hal...@canonical.com> wrote:
>
> Thanks for your response. Before scripting it, let's try manually first:
>
>> devs=`ls /sys/class/net/veth*`
>> ip link add type veth
>> newdevs=`ls /sys/class/net/veth*`
>> # Get the intersection of $devs and $newdevs
>
> I assume you mean difference instead of intersection, since the

Hah, yeah.

> first execution of ls gives an empty output, and the purpose of this is obtaining the new devices, right?
>
> host# ls /sys/class/net/
> eth0 eth1 lo br0
> host# ip link add type veth
> host# ls /sys/class/net/
> eth0 eth1 lo br0 veth0 veth1
> host# _
>
>> # Attach $dev1 to your bridge
>
> Assuming $dev1 is the first of the new devices:
>
> host# brctl addif br0 veth0
> host# _
>
>> lxc-start -n mycontainer # mycontainer has no network
>
> After this, the container sees the same interfaces as the host and it

Oh, no. So it thought you didn't want your own network namespace. I don't know if there is a way to tell it to give you a new netns, without new devices. Of course you can trivially patch it to do that, but for now since we're testing it shouldn't hurt to just

1. tell it to give you a normal network interface
   lxc.network.type=veth
   lxc.network.link=br0
   lxc.network.flags=down
2. bring up the container
3. bring down the normal interface
4. Continue here with passing veth1 into the container.

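The procedure from these two messages as one runnable script, added here rather than taken from the thread: the "intersection" step is computed as a set difference, and the three lxc.network lines from the reply above are what gives the container its own network namespace before the hand-made veth is moved in. new_devices and pass_veth_to_container are example names; the script assumes root, iproute2 and bridge-utils, and that `lxc-info -n NAME -p` prints the container's init pid, which is an assumption about the lxc version in use and not something the thread states.

```shell
#!/bin/sh
# Hand the guest end of a veth pair to a running container, the way the thread sketches it,
# with the missing step (which devices are new?) computed as a set difference.

# new_devices BEFORE AFTER: device names present in AFTER but not in BEFORE, one per line.
# Both lists may be space- or newline-separated (the output of `ls /sys/class/net`).
new_devices() {
    printf '%s\n' "$2" | awk -v before="$1" '
        BEGIN { n = split(before, b, /[ \t\n]+/); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        { for (i = 1; i <= NF; i++) if (!($i in seen)) print $i }'
}

# pass_veth_to_container NAME BRIDGE: root only. Assumes iproute2, bridge-utils and an lxc whose
# `lxc-info -n NAME -p` prints the init pid (an assumption about the lxc version in use).
# Start the container with its own netns but no usable interface, as suggested in the reply above:
#   lxc.network.type=veth
#   lxc.network.link=br0
#   lxc.network.flags=down
pass_veth_to_container() {
    name=$1; bridge=$2
    before=$(ls /sys/class/net)
    ip link add type veth
    after=$(ls /sys/class/net)
    set -- $(new_devices "$before" "$after")
    [ $# -eq 2 ] || { echo "expected one new veth pair, found: $*" >&2; return 1; }
    host_end=$1; guest_end=$2
    # The host end is on the bridge before the container ever sees it, so ebtables rules can go on now.
    brctl addif "$bridge" "$host_end"
    ip link set "$host_end" up
    lxc-start -n "$name" -d
    pid=$(lxc-info -n "$name" -p | awk '{ print $2 }')
    [ -n "$pid" ] || { echo "could not find init pid of $name" >&2; return 1; }
    ip link set "$guest_end" netns "$pid"
    echo "$guest_end is now inside $name (pid $pid); rename it there with: ip link set $guest_end name eth0"
}
```

Checking for exactly two new names guards against another veth pair being created concurrently (the race David worried about with the log-line approach); if the count is off the script stops rather than bridging the wrong device.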
Re: [Lxc-users] [PATCH] ignore non-lxc configuration line

Quoting Daniel Lezcano (dlezc...@fr.ibm.com):
> From: Daniel Lezcano <daniel.lezc...@free.fr>
>
> We ignore the lines in the configuration file not beginning with lxc. So we can mix the configuration file with other information used for another component through the lxc library.
>
> Signed-off-by: Daniel Lezcano <dlezc...@fr.ibm.com>

Acked-by: Serge Hallyn <serge.hal...@canonical.com>

I'm curious, whatcha got in mind?

> ---
> src/lxc/confile.c | 12
> 1 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index 791f04f..d632404 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -799,7 +799,7 @@ static int parse_line(char *buffer, void *data) char *dot; char *key; char *value; - int ret = -1; + int ret = 0; if (lxc_is_line_empty(buffer)) return 0; @@ -815,10 +815,14 @@ static int parse_line(char *buffer, void *data) } line += lxc_char_left_gc(line, strlen(line)); - if (line[0] == '#') { - ret = 0; + + /* martian option - ignoring it, the commented lines beginning by '#' + * fall in this case + */ + if (strncmp(line, lxc., 4)) goto out; - } + + ret = -1; dot = strstr(line, =); if (!dot) {
> --
> 1.7.1

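Review bot: in the first hunk, initialising `int ret = 0;` turns every `goto out` between the empty-line check and the new strncmp into a success return; the `}` shown just before `line += lxc_char_left_gc(line, strlen(line));` closes a block the hunk does not show, and if it contains an error path it now reports 0. Safer to keep `int ret = -1;` and set `ret = 0` only in the skip branch itself (`{ ret = 0; goto out; }`) instead of flipping it back to -1 after the check.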
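Review bot: in the second hunk, `if (strncmp(line, lxc., 4)) goto out;` makes any line that does not start with "lxc." a silent success, which also swallows a mistyped key such as `lcx.network.link` (the point David raises later in this thread); logging a warning for a skipped line that does not begin with '#' keeps the foreign-line feature while surfacing typos. The same check also replaces the explicit `line[0] == '#'` handling, so comment lines are now accepted only because they happen not to start with "lxc.", which the `/* martian option ... */` comment should say outright. As quoted here the literal `lxc.` and the `=` in `strstr(line, =)` carry no quotes, so it is worth confirming that the mail did not strip them.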
Re: [Lxc-users] LVM in LXC

Quoting Daniel Lezcano (dlezc...@fr.ibm.com):
> On 05/13/2011 12:13 AM, Benjamin Kiessling wrote:
>> Hi,
>> under Debian (and in general I think) LVM requires udev to work at all which makes it unusable in a container environment. Has anybody tried to get it working in a container?
>
> You can use udev inside a container. It is not optimal because that triggers events everywhere but it is possible.
>
> What is your host? Which OS/release and which kernel version?
>
>> My setup consists of a logical volume that's mapped in the container which the container user should be able to subdivide into partitions (i.e. in the end I'd have a chain like pg-vg-lv-pg-vg-lv or LVM on a logical volume if that's more clear). Is there another way to achieve this kind of setup? I thought about letting users just partition the raw logical volume like any other hard disk but this doesn't seem to be supported by the kernel.
>
> Maybe Serge can help you on that.

It works fine for me. I've got a natty host with natty guest (itself backed on an lvm partition :). I did apt-get install lvm2, powered down, edited /var/lib/lvmtest/config and deleted all lxc.cgroup.devices lines, started the container back up, and all my lvm partitions appeared under /dev/lxc/.

-serge

Re: [Lxc-users] [PATCH] ignore non-lxc configuration line

Quoting David Serrano (dserra...@gmail.com):
> On Sat, May 14, 2011 at 00:15, Serge Hallyn <serge.hal...@canonical.com> wrote:
>> I'm curious, whatcha got in mind?
>
> I don't think you have to have something in mind to implement this. Just that old motto "Be lenient in what you accept" :).

So if I type 'lcx.' instead of 'lxc.', as I often do, it'll silently ignore it? No, that's a bad idea.

In any case I wasn't (until now) doubting Daniel's motivations, rather I was pretty sure he had something neat in mind.

-serge

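An added example, not lxc's own code: a small linter that reports exactly the lines the patch in this thread would skip in silence, so a "lcx." typo is caught before lxc-start rather than discovered as a missing setting. SAMPLE_CONFIG is constructed and lint_lxc_config is an example name; the whitespace handling mirrors the parser's stripping of leading blanks before the "lxc." check.

```shell
#!/bin/sh
# With the patch above, any line whose key does not start with "lxc." is skipped without a message,
# so a typo such as "lcx." silently disables a setting. This linter reports those lines.
# The config below is constructed for the example.
SAMPLE_CONFIG='# network and rootfs for vm0
lxc.utsname = vm0
lxc.rootfs = /var/lib/lxc/vm0/rootfs
lcx.network.type = veth
lxc.network.link = br0
other.tool.setting = 1
   lxc.network.flags = up'

# lint_lxc_config CONFIG_TEXT: print each non-empty, non-comment line whose key does not start
# with "lxc." (after leading whitespace, as the parser strips it); return 1 if any were found.
lint_lxc_config() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*$/ { next }
        /^[ \t]*#/ { next }
        /^[ \t]*lxc\./ { next }
        { printf "line %d: not an lxc. key, would be ignored: %s\n", NR, $0; bad++ }
        END { exit bad ? 1 : 0 }'
}

# lint_lxc_config_file PATH: the same check on a container config on disk.
lint_lxc_config_file() {
    lint_lxc_config "$(cat "$1")"
}
```

Lines that belong to another component sharing the file (the use case the patch enables) will be reported too; whitelist their prefix in the third awk rule if that is intended.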
Re: [Lxc-users] lxc container messing with hosts networking

Quoting arkai...@gmail.com (arkai...@gmail.com):
> I've set up a web server and do requests each 5 seconds from my laptop. Then start tcpdump in the host machine and after a while I do lxc-start. Inspecting later with wireshark, it looks like once the lxc guest finishes DHCP negotiation and sets up the local IP address (10.0.2.17) any request to the host IP (10.0.2.15) is identified by the system as "Unicast to another host" and it sends the packet again trying to forward it; previous to the lxc guest dhcp it used to identify them as "Unicast to us" and answered them.
> The host's br0 doesn't change the MAC at all as I can see it the same through ifconfig br0 in the kvm console window; besides, I'm setting the host's eth mac address to very low so that it does not trigger any bridge mac update.
> Any hints?

Make sure stp is on on the bridge inside your kvm guest.

If that doesn't work, I'll just have to try and reproduce, but you'll probably need someone more network-savvy than me to look into it. I'll set up a test environment later this weekend.

-serge

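An added check, not part of either message, for the bridge MAC question raised here and in the ESX thread earlier on this page: a Linux bridge without a pinned address takes the lowest MAC among its ports, so a veth that sorts below the uplink changes the bridge's address when a container starts. The script tells you which port would win. PORTS is a constructed list; lowest_mac, bridge_mac_check and live_ports are example names, and live_ports assumes the sysfs brif/ layout.

```shell
#!/bin/sh
# Which MAC will a Linux bridge use? Unless an address is pinned on it, the bridge adopts the lowest
# MAC among its ports, so a veth that sorts below the uplink makes the bridge's MAC change when the
# container starts, which is the symptom discussed above and in the ESX thread earlier on this page.
# The port list is constructed (name and /sys/class/net/<name>/address per line).
PORTS='eth0 00:50:56:9a:11:22
vethC1zCUS fe:9c:2e:41:03:a7
vethtCn0zY fe:51:3d:8b:cc:10'

# lowest_mac LIST: the address the bridge would adopt (fixed-width lowercase hex sorts numerically).
lowest_mac() {
    printf '%s\n' "$1" | awk 'NF == 2 { print tolower($2) }' | LC_ALL=C sort | head -n 1
}

# bridge_mac_check UPLINK LIST: 0 if UPLINK owns the lowest MAC; otherwise name the port that wins, return 1.
bridge_mac_check() {
    uplink=$1; list=$2
    low=$(lowest_mac "$list")
    winner=$(printf '%s\n' "$list" | awk -v m="$low" 'tolower($2) == m { print $1; exit }')
    [ "$winner" = "$uplink" ] && return 0
    echo "bridge MAC would follow $winner ($low), not $uplink" >&2
    return 1
}

# live_ports BRIDGE: build the same list from sysfs on a running host (brif/ holds one entry per port).
live_ports() {
    for p in /sys/class/net/"$1"/brif/*; do
        [ -e "$p" ] || continue
        n=${p##*/}
        printf '%s %s\n' "$n" "$(cat /sys/class/net/"$n"/address)"
    done
}
```

On a host, `bridge_mac_check eth0 "$(live_ports br0)"` run before and after lxc-start shows whether a container's veth is stealing the bridge address; pinning the bridge MAC (or keeping the uplink's MAC lowest, as the poster does) removes the dependency on port order.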
Re: [Lxc-users] LVM in LXC
Quoting Benjamin Kiessling (mittages...@l.unchti.me):
> Hi,
>
> > That's still doable, just a bit more work. Take a look at ls -l /dev/lxc (or whatever is the vg you're looking at). It has symlinks to the real devices. When you look at the link targets, you can find their maj:min. For me,
> >
> > serge@sergelap:~$ ls -l /dev/lxc
> > total 0
> > lrwxrwxrwx 1 root root 7 2011-05-13 17:26 build1 -> ../dm-1
> > lrwxrwxrwx 1 root root 7 2011-05-13 17:26 delme -> ../dm-4
> > lrwxrwxrwx 1 root root 7 2011-05-13 17:26 nattylvm -> ../dm-0
> > serge@sergelap:~$ ls -l /dev/dm-1
> > brw-rw---- 1 root disk 252, 1 2011-05-13 17:26 /dev/dm-1
> >
> > So if I only wanted /dev/lxc/build1 to be available to container nattylvm, then in its config I would keep the existing lxc.cgroup.devices entries, and add
> >
> > lxc.cgroup.devices.allow = b 252:1 rwm
> >
> > To actually give the container access to the vg so it can create LVM devices, I'm afraid I don't know enough about how lvcreate works to be sure. But here's my guess (based on a quick read of strace -f lvcreate output): Use a different physical partition for each container's pv, and give the container full access to that partition. Then pvscan/pvcreate will have access to the full drive, and all metadata is on there. vgscan/vgcreate and lvscan/lvcreate likewise I believe will then be able to create vgs and lvs on that partition.
>
> That's what I was basically trying to do (and it doesn't work this way as far as I can see). Currently I'm granting access to specific /dev/dm-* files to the container. For example: /dev/dm-2 is the partition/logical volume of vm0 with maj:min 252:2. So I set lxc.cgroup.devices.allow = b 252:2 rwm. In the container I create a vg on /dev/dm-2 (works so far) with name vg-vm0. Then I create a logical volume on vg-vm0 in the container. This pseudo-fails as the container doesn't have the rights to create any /dev/dm-* (or else a container could just create /dev/dm-n and access data on other logical volumes).
>
> On the host system the corresponding /dev/dm-7 of the new container lv has been created and I grant access to create the device node to the container: lxc.cgroup.devices.allow = b 252:7 rwm. vm0 is now able to create the device node and access the new lv. So either users have to contact me each time they want to create a new logical volume in their vm (so I can enable device node access) or they can create arbitrary /dev/dm-* nodes and access data from other users.

Ah yeah. Of course. I wonder if there is a not-too-hacky way that we could prealloc certain dm-N ranges to containers, and get those to be used at lvcreate.

-serge
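As an added illustration of the exposure Benjamin describes (this is not code from the thread, from lxc or from the kernel): a small Python model of the devices-cgroup whitelist that replays lxc.cgroup.devices.* lines and reports which of the host's dm-N volumes a container config can reach. The volume names and minors are constructed after the ls -l listing above, and the matching follows the documented devices whitelist format (type, major:minor with '*' wildcards, r/w/m bits).

```python
# Added model of the devices-cgroup whitelist (not lxc or kernel code); the
# dm-N minors and config lines are constructed after the listing in the thread.
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

_RULE_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

@dataclass(frozen=True)
class DeviceRule:
    dev_type: str            # 'a' = all devices, 'b' = block, 'c' = character
    major: Optional[int]     # None stands for the '*' wildcard
    minor: Optional[int]
    access: FrozenSet[str]   # subset of {'r', 'w', 'm'}; 'm' permits mknod

def parse_rule(spec: str) -> DeviceRule:
    """Parse a devices.allow / devices.deny value such as 'b 252:1 rwm'."""
    spec = spec.strip()
    if spec == "a":  # lxc's usual first line: 'lxc.cgroup.devices.deny = a'
        return DeviceRule("a", None, None, frozenset("rwm"))
    m = _RULE_RE.match(spec)
    if m is None:
        raise ValueError(f"malformed devices rule: {spec!r}")
    dev_type, major, minor, access = m.groups()
    return DeviceRule(dev_type, None if major == "*" else int(major),
                      None if minor == "*" else int(minor), frozenset(access))

def rule_covers(rule: DeviceRule, dev_type: str, major: int, minor: int,
                access: str) -> bool:
    """A whitelist entry permits an access when its type and numbers match
    (or are wildcards) and it carries every requested r/w/m bit."""
    if rule.dev_type != "a" and rule.dev_type != dev_type:
        return False
    if rule.major is not None and rule.major != major:
        return False
    if rule.minor is not None and rule.minor != minor:
        return False
    return set(access) <= rule.access

def load_whitelist(config_lines: Iterable[str]) -> List[DeviceRule]:
    """Replay lxc.cgroup.devices.* lines in order. Only 'deny = a' (empty the
    list, then whitelist) is modelled; other deny forms are rejected."""
    whitelist: List[DeviceRule] = []
    for raw in config_lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "lxc.cgroup.devices.allow":
            whitelist.append(parse_rule(value))
        elif key == "lxc.cgroup.devices.deny":
            if parse_rule(value).dev_type != "a":
                raise ValueError("only 'lxc.cgroup.devices.deny = a' is modelled")
            whitelist.clear()
    return whitelist

def may_access(whitelist: List[DeviceRule], dev_type: str, major: int,
               minor: int, access: str) -> bool:
    """Would the devices cgroup let the container perform this access?"""
    return any(rule_covers(r, dev_type, major, minor, access) for r in whitelist)

def reachable_volumes(whitelist: List[DeviceRule], major: int,
                      volumes: Dict[str, int]) -> List[str]:
    """Host dm volumes ({lv name: dm minor}) the container could open or
    mknod under this whitelist: the exposure the thread is worried about."""
    return sorted(name for name, minor in volumes.items()
                  if any(may_access(whitelist, "b", major, minor, b) for b in "rwm"))

DM_MAJOR = 252
# Constructed after the ls -l /dev/lxc listing: lv name -> dm minor.
# 252:2 is vm0's pv; 252:7 is the lv created from inside vm0.
HOST_VOLUMES = {"nattylvm": 0, "build1": 1, "vm0-pv": 2, "delme": 4, "vm0-new-lv": 7}

STRICT_CONFIG = """lxc.cgroup.devices.deny = a
# /dev/null and /dev/zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# only vm0's own pv, as in the thread
lxc.cgroup.devices.allow = b 252:2 rwm
"""

LAX_CONFIG = """lxc.cgroup.devices.deny = a
# whole device-mapper major: every lv on the host becomes reachable
lxc.cgroup.devices.allow = b 252:* rwm
"""

if __name__ == "__main__":
    for label, cfg in (("strict", STRICT_CONFIG), ("lax", LAX_CONFIG)):
        wl = load_whitelist(cfg.splitlines())
        print(label, "reaches", reachable_volumes(wl, DM_MAJOR, HOST_VOLUMES))
```

With the strict config the new 252:7 node cannot be mknod'ed (the "pseudo-fail" above), while the wildcard line makes every lv on the host reachable, which is the trade-off the thread ends on.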
Re: [Lxc-users] lxc container messing with hosts networking
Quoting arkai...@gmail.com (arkai...@gmail.com):
> On Sat, May 14, 2011 at 2:39 PM, Serge Hallyn serge.hal...@canonical.com wrote:
> > Make sure stp is on on the bridge inside your kvm guest. If that doesn't work, I'll just have to try and reproduce, but you'll probably need someone more network-savvy than me to look into it. I'll set up a test environment later this weekend.
> >
> > -serge
>
> Tried enabling stp but nothing improved. I'm trying to come up with a script that automates the env setup, will send it later on.

Hm, I just did this on natty (natty host, natty kvm VM, with a natty container inside that) and could actually not reproduce your problem. Just a normal bridge on the kvm VM:

root@lxc-natty-amd64:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001636dd34bc       no              eth0

And the lxc container was created with a minimal normal config:

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up

So I guess I may have to try to reproduce on debian.

-serge
Re: [Lxc-users] [PATCH] ignore non-lxc configuration line
Quoting Brian K. White (br...@aljex.com):
> On 5/14/2011 9:20 AM, Serge Hallyn wrote:
> > Quoting David Serrano (dserra...@gmail.com):
> > > On Sat, May 14, 2011 at 00:15, Serge Hallyn serge.hal...@canonical.com wrote:
> > > > I'm curious, whatcha got in mind?
> > >
> > > I don't think you have to have something in mind to implement this. Just that old motto "Be lenient in what you accept" :).
> >
> > So if I type 'lcx.' instead of 'lxc.', as I often do, it'll silently ignore it? No, that's a bad idea.
> >
> > In any case I wasn't (until now) doubting Daniel's motivations, rather I was pretty sure he had something neat in mind.
>
> I like it but I can't think of anything off hand that I'd use it for that I couldn't just as easily use either comments or a separate file to do. And obviously as you point out there's an argument for enforcing only known options as a basic sanity check.
>
> On the other hand there have been plenty of times where I wished something would gracefully ignore options it didn't recognize which came from newer versions or from distribution patched versions. It gets in

Note that this patch won't make a difference for unrecognized, newer lxc.* options anyway :)

It would however allow for interspersed 'libvirt.*' options, for instance, to support inline hints for a new libvirt-lxc2 driver. Probably not what Daniel is looking to, but not impossible :)

-serge
Re: [Lxc-users] lxc container messing with hosts networking
Quoting arkai...@gmail.com (arkai...@gmail.com):
> On Sat, May 14, 2011 at 4:06 PM, Serge Hallyn serge.hal...@canonical.com wrote:
> > Hm, I just did this on natty (natty host, natty kvm VM, with a natty container inside that) and could actually not reproduce your problem. Just a normal bridge on the kvm VM:
> >
> > root@lxc-natty-amd64:~# brctl show
> > bridge name     bridge id               STP enabled     interfaces
> > br0             8000.001636dd34bc       no              eth0
> >
> > And the lxc container was created with a minimal normal config:
> >
> > lxc.network.type=veth
> > lxc.network.link=br0
> > lxc.network.flags=up
>
> Well, as I said it has to be something from the setup I do because I keep having those problems even with laptop(natty)-kvm(natty)-host(natty). I recorded this screencast that shows the issue:
> http://www.screencast-o-matic.com/watch/cXhD2hbLM

Got it! It's the user networking. When I start a debian vm with libvirt (using the default tap interfaces) I don't get the hang. When I start the same vm by hand using -net user the way you do in your script, I do get the hang.

-serge
Re: [Lxc-users] disk limit?
Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
> Is there an easy way to set up a disk limit for a container?
> I could create a LVM partition for each container, but this is not what I call easy :-}

(Not trying to argue, just probe) Why do you call it not easy? Because you don't have spare partitions to dedicate to a pv? Or because you're not used to using lvm?

If the former, then you could use a loopback filesystem instead of an LVM. I assume that'll impact performance, but I've not tested it to see by how much.

If the latter, then in the next few months I intend to push some stuff to lxc to integrate LVM usage. Daniel had had comments to my first patches so it'll likely change, but what I'm using right now lets me just do lxc-lvmcreate in place of lxc-create to create a lvm-backed lxc partition, and 'lxc-clone -s -o c1 -n c2' lets me create container c2 with a lvm snapshot of c1's rootfs. (See http://s3hh.wordpress.com/2011/03/30/lxc-lvm-clone/ and http://s3hh.wordpress.com/2011/03/30/one-more-lxc-clone-update/)

There's no cgroup to do what you want, though.

-serge
Re: [Lxc-users] disk limit?
Quoting Corin Langosch (cor...@gmx.de):
> On 19.05.2011 11:18, Ulli Horlacher wrote:
>
> After some time users install data on their vservers and so the snapshots grow over time.
>
> disc: 500 GB (one big lvm partition)
> lvm volume: 10 GB (has vserver base system installation)
> snapshot 1: 5 GB (a lot of individual data written so far)
> snapshot 2: 10 GB (ups, no space left on device)
> snapshot 3: 1 GB (not so much individual data written so far)
> => free space on disk: 474 GB
>
> Otherwise Serge's suggestion wouldn't make any sense to me.

Right - it'll let you overcommit like mad to create the containers to begin with. But it won't enforce the limit. You can use a script on the host to watch the actual usage and kindly ask the users to be careful.

I've tried enforcing a smaller limit by doing

lvcreate -L 2G -n delme1 lxc
mkfs.xfs /dev/lxc/delme1
lvcreate -s /dev/lxc/delme1 -L 100M -n delme2

but /dev/lxc/delme2 does not get a 100M limit, unfortunately.

-serge
Re: [Lxc-users] Cannot see a login console on start
Quoting Roberto (prof...@gmail.com):
> Hi all,
>
> I'm new to LXC and I've been following the following instructions on how to set up a container:
> http://www.phenona.com/blog/using-lxc-linux-containers-in-amazon-ec2/
>
> Unfortunately, it seems I cannot start a container. In fact, after I run the following:
>
> lxc-start -n vm0
>
> I cannot see any login prompt. I'm trying the procedure on a local VM running Ubuntu 10.04.
>
> Any help would be very appreciated.

Not sure exactly what that tutorial is doing. Didn't see anything obviously wrong with it. You might try verifying it by doing

lxc-create -f /usr/share/doc/lxc/examples/lxc-macvlan.conf -t ubuntu -n u1
lxc-start -n u1

and see if that is giving you a console. If not, then perhaps something in your VM isn't right, for instance no support for multiple devpts. In fact, what does sudo lxc-config give you?

-serge
Re: [Lxc-users] Cannot see a login console on start
Quoting Roberto (prof...@gmail.com):
> > Not sure exactly what that tutorial is doing. Didn't see anything obviously wrong with it. You might try verifying it by doing
> >
> > lxc-create -f /usr/share/doc/lxc/examples/lxc-macvlan.conf -t ubuntu -n u1
> > lxc-start -n u1
>
> Except the lxc-ubuntu script is not present on my machine :S

What version is installed? If you don't have the lxc-ubuntu or lxc-lucid templates, then get them from the package...

Without an idea of whether the known-good formulas work, I'll only say that since lxc-checkconfig shows everything enabled, without looking at the details, what you're doing should work.
Re: [Lxc-users] lxc on Fedora 15
Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> On 05/31/2011 01:44 PM, Ramez Hanna wrote:
> > On Tue, May 31, 2011 at 2:07 PM, Daniel Lezcano daniel.lezc...@free.fr wrote:
> > > On 05/31/2011 12:33 PM, Ramez Hanna wrote:
> > > > it seems that lxc cannot handle cgroups when capabilities are not all in the same mount
> > > > it fails now because it cannot write the devices.deny in the cgroup
> > > > if i comment out all the lxc.cgroup.devices lines in the config of the container then i can actually start it
> > > > I would think that the way lxc identifies the cgroup mount might be the part that needs patching
> > >
> > > Thanks for investigating. The main problem is lxc is cgroup agnostic, so we should find a solution where we don't break that. Maybe one solution would be to collect all the mount points found for the cgroup and try to find the right path when writing or reading from one cgroup file.
> >
> > that is what i had in mind, tried looking into the code but my C skills are next to zero
> >
> > > Does systemd run lxc within a cgroup which is not the root cgroup ?
> >
> > the lxc-start command would run under $user/master/ (/sys/fs/cgroup/systemd/$user/$master) and the container itself would run under $container_name (/sys/fs/cgroup/systemd/$container_name) so it would run the container in the root cgroup
>
> ouch ! I have to install systemd on a test machine to check how systemd plays with the cgroup. I don't think the cgroup created by lxc should escape the cgroup the command is assigned to.

Another similar - and easier to set up - thing we need to address is running on a system with libcgroup installed. For both, I assume it'll basically come down to:

1. figure out the path of the cgroup we are in for each cgroup we care about
2. create new child cgroup for ourselves in each of the above paths which is unique
3. track those through the lifetime of the container

So it just slightly complicates what's being done now.

-serge
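The three steps Serge lists, carried through as an added Python example (not lxc's own code): it resolves the cgroup directory lxc-start is already in for each hierarchy, even when every controller is on its own mount, and derives the container's child cgroup inside it. The /proc/self/mounts and /proc/self/cgroup texts are constructed to look like a Fedora 15 host with split mounts plus a name=systemd hierarchy, and the container name 'vm0' is hypothetical.

```python
# Added example for the three steps above; not lxc's own code. The
# /proc/self/mounts and /proc/self/cgroup texts are constructed to look like a
# host with per-controller mounts plus a name=systemd hierarchy, and the
# container name 'vm0' is hypothetical.
import os
import posixpath
from typing import Dict, Iterable

# cgroup mount options that are not controller (subsystem) names
_NON_CONTROLLER_OPTS = {"rw", "ro", "nosuid", "nodev", "noexec", "relatime",
                        "noatime", "clone_children", "noprefix", "xattr"}

def cgroup_mounts(mounts_text: str) -> Dict[str, str]:
    """Step 1a: controller (or named hierarchy such as 'name=systemd') ->
    mount point, from text in /proc/self/mounts format."""
    mounts = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cgroup":
            continue
        mountpoint, options = fields[1], fields[3].split(",")
        for opt in options:
            if opt in _NON_CONTROLLER_OPTS or opt.startswith("release_agent="):
                continue
            mounts[opt] = mountpoint
    return mounts

def own_cgroup_paths(cgroup_text: str) -> Dict[str, str]:
    """Step 1b: controller -> path of the cgroup the caller is in, from
    /proc/self/cgroup lines of the form 'hierarchy-id:controllers:/path'."""
    paths = {}
    for line in cgroup_text.splitlines():
        if not line.strip():
            continue
        _, controllers, path = line.split(":", 2)
        for ctrl in controllers.split(","):
            if ctrl:
                paths[ctrl] = path
    return paths

def current_cgroup_dirs(mounts_text: str, cgroup_text: str,
                        wanted: Iterable[str]) -> Dict[str, str]:
    """Step 1: the directory of our own cgroup in each wanted hierarchy,
    correct even when every controller sits on a different mount."""
    mounts, paths = cgroup_mounts(mounts_text), own_cgroup_paths(cgroup_text)
    dirs = {}
    for ctrl in wanted:
        if ctrl not in mounts or ctrl not in paths:
            raise LookupError(f"hierarchy {ctrl!r}: not mounted or not in /proc/self/cgroup")
        dirs[ctrl] = posixpath.normpath(mounts[ctrl] + "/" + paths[ctrl])
    return dirs

def child_cgroup_dirs(current: Dict[str, str], name: str) -> Dict[str, str]:
    """Step 2: a unique child cgroup per hierarchy, placed *inside* the cgroup
    we were started in rather than escaping to the root cgroup. The name must
    be one plain path component so it cannot climb out."""
    if not name or name.startswith(".") or "/" in name or "\0" in name:
        raise ValueError(f"bad container cgroup name: {name!r}")
    return {ctrl: posixpath.join(d, name) for ctrl, d in current.items()}

def setting_path(child: Dict[str, str], setting: str) -> str:
    """Where a file such as 'devices.deny' lives for this container: its
    controller is the part of the file name before the first dot."""
    ctrl = setting.split(".", 1)[0]
    if ctrl not in child:
        raise LookupError(f"no hierarchy holds {setting!r}")
    return posixpath.join(child[ctrl], setting)

class ContainerCgroups:
    """Step 3: remember what was created so teardown removes it in reverse."""
    def __init__(self, child: Dict[str, str]) -> None:
        self.dirs = child
        self.created = []
    def create(self) -> None:          # needs root on a real cgroupfs
        for d in self.dirs.values():
            os.mkdir(d)
            self.created.append(d)
    def remove(self) -> None:
        while self.created:
            os.rmdir(self.created.pop())

# Constructed: Fedora-15-style split mounts, lxc-start running inside a
# systemd user session cgroup as Ramez describes.
SPLIT_MOUNTS = """\
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
"""
SPLIT_SELF_CGROUP = """\
5:memory:/
4:devices:/
3:cpuacct,cpu:/
2:cpuset:/
1:name=systemd:/user/serge/master
"""
# Constructed: one mount carrying every controller (the case lxc handled).
SINGLE_MOUNTS = "cgroup /sys/fs/cgroup cgroup rw,relatime,cpuset,cpu,cpuacct,memory,devices,freezer 0 0\n"
SINGLE_SELF_CGROUP = "1:cpuset,cpu,cpuacct,memory,devices,freezer:/\n"
```

On the split-mount host the devices.deny write lands in /sys/fs/cgroup/devices/vm0/ while the systemd child stays under the user's session cgroup, instead of escaping to the root as Ramez saw.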
Re: [Lxc-users] lxc on Fedora 15
Jinkeys. Could you please file a bug against 'linux (Ubuntu)' about this? Or file it against lxc and I'll retarget it.

thanks,
-serge

Quoting Clemens Perz (cp...@gmx.net):
> Hi!
>
> Just hit something similar today. Ubuntu Lucid had a kernel update to 2.6.32-32 and now my dev container refuses to start. lxc tools are still at 0.7.1.
>
> On 05/28/2011 02:33 PM, Ramez Hanna wrote:
> > lxc-start 1306584262.161 ERROR lxc_namespace - failed to clone(0x6c02): Operation not permitted
> > lxc-start 1306584262.161 ERROR lxc_start - Operation not permitted - failed to fork into a new namespace
> > lxc-start 1306584262.161 ERROR lxc_start - failed to spawn 'boss'
>
> lxc-start 1306854843.605 ERROR lxc_namespace - failed to clone(0x6c02): Invalid argument
> lxc-start 1306854843.605 ERROR lxc_start - Bad file descriptor - failed to fork into a new namespace
>
> Going back to kernel 2.6.32-31 makes it work again.
>
> Cheers,
> Clemens
Re: [Lxc-users] lxc on Fedora 15
Quoting Ramez Hanna (rha...@informatiq.org):
> On Tue, May 31, 2011 at 5:38 PM, Serge Hallyn serge.hal...@canonical.com wrote:
> > Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> > > On 05/31/2011 01:44 PM, Ramez Hanna wrote:
> > > > On Tue, May 31, 2011 at 2:07 PM, Daniel Lezcano daniel.lezc...@free.fr wrote:
> > > > > On 05/31/2011 12:33 PM, Ramez Hanna wrote:
> > > > > > it seems that lxc cannot handle cgroups when capabilities are not all in the same mount
> > > > > > it fails now because it cannot write the devices.deny in the cgroup
> > > > > > if i comment out all the lxc.cgroup.devices lines in the config of the container then i can actually start it
> > > > > > I would think that the way lxc identifies the cgroup mount might be the part that needs patching
> > > > >
> > > > > Thanks for investigating. The main problem is lxc is cgroup agnostic, so we should find a solution where we don't break that. Maybe one solution would be to collect all the mount points found for the cgroup and try to find the right path when writing or reading from one cgroup file.
> > > >
> > > > that is what i had in mind, tried looking into the code but my C skills are next to zero
> > > >
> > > > > Does systemd run lxc within a cgroup which is not the root cgroup ?
> > > >
> > > > the lxc-start command would run under $user/master/ (/sys/fs/cgroup/systemd/$user/$master) and the container itself would run under $container_name (/sys/fs/cgroup/systemd/$container_name) so it would run the container in the root cgroup
> > >
> > > ouch ! I have to install systemd on a test machine to check how systemd plays with the cgroup. I don't think the cgroup created by lxc should escape the cgroup the command is assigned to.
> >
> > Another similar - and easier to set up - thing we need to address is running on a system with libcgroup installed. For both, I assume it'll basically come down to:
> >
> > 1. figure out the path of the cgroup we are in for each cgroup we care about
> > 2. create new child cgroup for ourselves in each of the above paths which is unique
> > 3. track those through the lifetime of the container
> >
> > So it just slightly complicates what's being done now.
> >
> > -serge
>
> how does libcgroup change things? does it also mount cgroup on different points ?

Yes, in whatever way you ask it to.

-serge
Re: [Lxc-users] trying to bridge wireless
Quoting matthew byers (faintstlsa...@gmail.com):
> Hey i am trying to run lxc on my laptop but am having problem setting up bridge. My internet connection consists of a WAN that i have absolutely no control over. I connect my tablet to the network and then tether it to my laptop. I followed directions from this site: http://s3hh.wordpress.com/2011/05/17/lxc-containers-on-a-host-with-wireless/ up until the point of running:
>
> ifup br0 # in which i get the "Ignoring Unknown Interface" as shown below
>
> stlsaint@stlsaint-devcore:~$ cat /etc/network/interfaces
> auto lo
> iface lo inet loopback
>
> auto lxcbr0
> iface lxcbr0 inet static
>     address 192.168.42.8
>     netmask 255.255.255.0
>     post-up /opt/bin/lxcbr0-up
>
> stlsaint@stlsaint-devcore:~$ cat /opt/bin/lxcbr0-up
> #!/bin/sh
> # This is the address we assigned to our bridge in /etc/network/interfaces
> braddr=192.168.42.8
> # ip address range for containers
> brrange=192.168.42.9,192.168.42.230
> iptables -A FORWARD -i lxcbr0 -s /24 -m conntrack --ctstate NEW -j ACCEPT
> iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -A POSTROUTING -t nat -j MASQUERADE
> dnsmasq --bind-interfaces --conf-file= --listen-address --except-interface lo --dhcp-range --dhcp-lease-max=253 --dhcp-no-override
>
> stlsaint@stlsaint-devcore:~$ sudo ifup br0
> Ignoring unknown interface br0=br0.

D'oh! Halfway through writing the post I changed br0 to lxcbr0. Apparently not completely. What happens if you do:

sudo ifup lxcbr0

?
Re: [Lxc-users] trying to bridge wireless
Weird. You have bridge-utils installed? Does

brctl addbr lxcbr0
ifconfig lxcbr0 192.168.42.8 netmask 255.255.255.0
/opt/bin/lxcbr0-up

work?

Quoting matthew byers (faintstlsa...@gmail.com):
> stlsaint@stlsaint-devcore:~$ sudo ifup lxcbr0
> SIOCSIFADDR: No such device
> lxcbr0: ERROR while getting interface flags: No such device
> SIOCSIFNETMASK: No such device
> lxcbr0: ERROR while getting interface flags: No such device
> Failed to bring up lxcbr0.
>
> On Fri, Jun 3, 2011 at 6:14 PM, Serge Hallyn serge.hal...@canonical.com wrote:
> > Quoting matthew byers (faintstlsa...@gmail.com):
> > > Hey i am trying to run lxc on my laptop but am having problem setting up bridge. My internet connection consists of a WAN that i have absolutely no control over. I connect my tablet to the network and then tether it to my laptop. I followed directions from this site: http://s3hh.wordpress.com/2011/05/17/lxc-containers-on-a-host-with-wireless/ up until the point of running:
> > >
> > > ifup br0 # in which i get the "Ignoring Unknown Interface" as shown below
> > >
> > > stlsaint@stlsaint-devcore:~$ cat /etc/network/interfaces
> > > auto lo
> > > iface lo inet loopback
> > >
> > > auto lxcbr0
> > > iface lxcbr0 inet static
> > >     address 192.168.42.8
> > >     netmask 255.255.255.0
> > >     post-up /opt/bin/lxcbr0-up
> > >
> > > stlsaint@stlsaint-devcore:~$ cat /opt/bin/lxcbr0-up
> > > #!/bin/sh
> > > # This is the address we assigned to our bridge in /etc/network/interfaces
> > > braddr=192.168.42.8
> > > # ip address range for containers
> > > brrange=192.168.42.9,192.168.42.230
> > > iptables -A FORWARD -i lxcbr0 -s /24 -m conntrack --ctstate NEW -j ACCEPT
> > > iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A POSTROUTING -t nat -j MASQUERADE
> > > dnsmasq --bind-interfaces --conf-file= --listen-address --except-interface lo --dhcp-range --dhcp-lease-max=253 --dhcp-no-override
> > >
> > > stlsaint@stlsaint-devcore:~$ sudo ifup br0
> > > Ignoring unknown interface br0=br0.
> >
> > D'oh! Halfway through writing the post I changed br0 to lxcbr0. Apparently not completely. What happens if you do:
> >
> > sudo ifup lxcbr0
> >
> > ?
Re: [Lxc-users] trying to bridge wireless
Quoting matthew byers (faintstlsa...@gmail.com):
> here is what i got when i ran last command:
>
> stlsaint@stlsaint-devcore:~$ sudo /opt/bin/lxcbr0-up
> iptables v1.4.4: host/network `' not found

Oh, fudge. The problem is I told you (in the blog post) to do

cat > file << EOF
hack hack $var hack hack
EOF

but when you do that $var gets substituted! So your script has '/24' instead of '${braddr}/24'.

Please open /opt/bin/lxcbr0-up in an editor, clear it out, and paste in:

#!/bin/sh
# This is the address we assigned to our bridge in /etc/network/interfaces
braddr=192.168.30.1
# ip address range for containers
brrange=192.168.30.2,192.168.30.254
iptables -A FORWARD -i lxcbr0 -s ${braddr}/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
dnsmasq --bind-interfaces --conf-file= --listen-address $braddr --except-interface lo --dhcp-range $brrange --dhcp-lease-max=253 --dhcp-no-override

Hopefully that's the last of my blog posting booboos for now, and it'll now work for you.

-serge
Re: [Lxc-users] natty without network isolation
Quoting webcubator webcubator (webcuba...@mail.ru):
> Hello!
>
> Shortly... I want to install natty as guest without network isolation. The problem is lxc-start hangs in this case. If I add network all works fine.
>
> With these network settings all works fine
> -- cut --
> lxc.network.type=veth
> -- end cut --
> But network is isolated and I don't want to isolate network.
>
> Below are the details of what I do exactly:
>
> # dpkg -l | grep lxc
> ii  lxc  0.7.4-0ubuntu7.1  Linux containers userspace tools
> # uname -a
> Linux XXX 2.6.38-8-virtual #42-Ubuntu SMP Mon Apr 11 07:04:38 UTC 2011 i686 i686 i386 GNU/Linux
> # lxc-create -t natty -n natty01

Don't do it with no lxc.conf (-f), rather use something like /usr/share/doc/lxc/examples/lxc-empty-netns.conf:

# Container with new network without network devices
lxc.utsname = omega
lxc.network.type = empty
lxc.network.flags = up

-serge
Re: [Lxc-users] can't remove cgroup
Quoting Brian K. White (br...@aljex.com):
> On 6/16/2011 3:26 PM, Serge Hallyn wrote:
> > Quoting Brian K. White (br...@aljex.com):
> > > I thought we killed this problem?
> > > ...
> > > nj12:~ # rm -rf /sys/fs/cgroup/vps001
> >
> > rmdir
>
> Did that too. no joy. In fact I did both the main directory and several runs of find|xargs to delete files and directories using rm -f, rm -rf and rmdir.
>
> I'll have to wait for it to happen again to diagnose what the problem was. I had to reboot the host because I needed that vm back up. I'm guessing the developer was doing something I didn't expect within the vm, besides the use of the reboot command, to tie up the context group even after all processes went away.

Or maybe, if you don't have a release agent set, he just ran something like vsftpd which created new cgroups by cloning?

-serge
Re: [Lxc-users] can't remove cgroup
Quoting Brian K. White (br...@aljex.com):
> On 6/17/2011 12:06 PM, Serge Hallyn wrote:
> > Quoting Brian K. White (br...@aljex.com):
> > > On 6/16/2011 3:26 PM, Serge Hallyn wrote:
> > > > Quoting Brian K. White (br...@aljex.com):
> > > > > I thought we killed this problem?
> > > > > ...
> > > > > nj12:~ # rm -rf /sys/fs/cgroup/vps001
> > > >
> > > > rmdir
> > >
> > > Did that too. no joy. In fact I did both the main directory and several runs of find|xargs to delete files and directories using rm -f, rm -rf and rmdir.
> > >
> > > I'll have to wait for it to happen again to diagnose what the problem was. I had to reboot the host because I needed that vm back up. I'm guessing the developer was doing something I didn't expect within the vm, besides the use of the reboot command, to tie up the context group even after all processes went away.
> >
> > Or maybe, if you don't have a release agent set, he just ran something like vsftpd which created new cgroups by cloning?
> >
> > -serge
>
> I do have a release agent, and I usually have the required vsftpd config options to disable namespace usage as part of my recipe for setting up all systems, but I did not do most of the setup of these particular vms; I'm trying to get one of my people up to speed so they can do it, so I intentionally stayed away. It's entirely possible the special vsftpd config either didn't get done, or got lost in a full distribution version in-place upgrade that was done from within the vm.
>
> ... aha, just checked. An old version of my template vsftpd config was used which did not yet have the namespace options. I will add them and test! (as well as update the source of the template config obviously)
>
> Thank you even if this doesn't turn out to be the culprit of this incident, it's still a hole I missed.

Hm, if you have release agents then that shouldn't be the problem, unless there was a client still connected to one of those vsftpd servers (which I think you've said was not the case).

-serge
Re: [Lxc-users] lxc on Fedora 15
Quoting Michael H. Warfield (m...@wittsend.com):

On Tue, 2011-05-31 at 14:00 -0500, Serge Hallyn wrote:

Quoting Ramez Hanna (rha...@informatiq.org):

On Tue, May 31, 2011 at 5:38 PM, Serge Hallyn serge.hal...@canonical.com wrote:

Quoting Daniel Lezcano (daniel.lezc...@free.fr):

On 05/31/2011 01:44 PM, Ramez Hanna wrote:

On Tue, May 31, 2011 at 2:07 PM, Daniel Lezcano daniel.lezc...@free.fr wrote:

On 05/31/2011 12:33 PM, Ramez Hanna wrote:

It seems that lxc cannot handle cgroups when capabilities are not all in the same mount. It fails now because it cannot write the devices.deny in the cgroup. If I comment out all the lxc.cgroup.devices lines in the config of the container then I can actually start it. I would think that the way lxc identifies the cgroup mount might be the part that needs patching.

Thanks for investigating. The main problem is lxc is cgroup agnostic, so we should find a solution where we don't break that. Maybe one solution would be to collect all the mount points found for the cgroup and try to find the right path when writing or reading from one cgroup file.

That is what I had in mind; I tried looking into the code but my C skills are next to zero.

Does systemd run lxc within a cgroup which is not the root cgroup?

The lxc-start command would run under $user/master/ (/sys/fs/cgroup/systemd/$user/$master) and the container itself would run under $container_name (/sys/fs/cgroup/systemd/$container_name), so it would run the container in the root cgroup.

Ouch! I have to install systemd on a test machine to check how systemd plays with the cgroup. I don't think the cgroup created by lxc should escape the cgroup the command is assigned to.

Another similar - and easier to set up - thing we need to address is running on a system with libcgroup installed. For both, I assume it'll basically come down to:

1. figure out the path of the cgroup we are in for each cgroup we care about
2. create a new child cgroup for ourselves in each of the above paths which is unique
3. track those through the lifetime of the container

So it just slightly complicates what's being done now.

-serge

How does libcgroup change things? Does it also mount cgroup on different points?

Yes, in whatever way you ask it to.

I noticed this a couple of clicks back. Maybe even F13 where I had libcgroup installed and it was mounting things, initially, in /cgroup (or some such) before the kernel dudes created the mountpoint in /sys/fs/cgroup. I got burned by it, even back then, and had to disable libcgroup and do the manual mount stuff in fstab. That was back months ago when we were having the controversy over whether cgroups should be mounted under /cgroup or /dev/cgroup or /var/lib/cgroup or /var/run/cgroup. I thought I raised the whole issue that these things were in a hierarchy and not a flat mount even back then. Now it's under the /sys/fs/cgroup mount point and we need to deal with this, now. I've had to disable the devices.{allow|deny} options on several of my host machines at this point. Is anyone working on a solution?

Not that I know of. I don't think it's fundamentally hard, though it may get a bit dicey in principle. Just find the mountpoint for each cgroup, and change each set/get in the lxc code to use the right mountpoint. Is this something you have time to take a stab at?

Daniel mentioned getting systemd running on a system but it's more fundamental than that. Like you say, even setting up and enabling libcgroup is going to be problematical and we need to play nicey nicey with the other kids in the sandbox.

Regards, Mike

-serge

--
Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com
/\/\|=mhw=|\/\/             | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9             | An optimist believes we live in the best of all
PGP Key: 0x674627FF         | possible worlds. A pessimist is sure
Re: [Lxc-users] Ubuntu Lucid containers on Ubuntu Natty
Quoting Elliot Pahl (elliot.p...@gmail.com):

Is there a good solution for these issues? Is the solution to modify the debootstrap template, or does it lie elsewhere?

Thanks for bringing this up, Elliot. I've gone ahead and backported the oneiric lxc package to lucid and pushed it to https://launchpad.net/~ubuntu-virt/+archive/ppa?field.series_filter=lucid

I created a full lucid debootstrap - actually I copied /usr/lib/lxc/templates/lxc-natty to /usr/lib/lxc/templates/lxc-lucidfull, removed 'lxcguest' from the list of packages to be installed with debootstrap, and used '-t lucidfull' to create a container. Then I chrooted into that container and installed the backported lxcguest*.deb. Exited, started the container, success.

-serge
Re: [Lxc-users] lxc-clone
Hi Daniel,

Quoting Daniel Lezcano (daniel.lezc...@free.fr):

+echo Tweaking configuration +cp $lxc_path/$lxc_orig/config $lxc_path/$lxc_new/config +sed -i '/lxc.utsname/d' $lxc_path/$lxc_new/config +echo lxc.utsname = $hostname $lxc_path/$lxc_new/config

We should not assume lxc.utsname is in the configuration file, in order to not write a hostname in all the cases. The user may want to let the container set up the hostname itself. What do you think is the best way to do this?

We could allow the user to specify a 'firstboot' script, which gets copied into the root directory of the container. Maybe boot the container when it's done, run /firstboot.sh, and shut down. Or just let that happen when the user first boots. We could use an /etc/init.d/lxc-firstboot script, but that will only work if the container's init system actually looks at sysvinit scripts. Obviously sysvinit and upstart do, and I must assume that systemd does. lxc-init I assume doesn't.

Mmh, that looks a bit complicated for the user. I was thinking about something simpler like:

    grep -q lxc.utsname $lxc_path/$lxc_new/config
    if [ $? == 0 ]; then
        sed -e s/lxc.utsname/lxc.utsname=$hostname $lxc_path/$lxc_new/config
    else
        echo lxc.utsname = $hostname >> $lxc_path/$lxc_new/config
    fi

I started changing my code to this, but now am wondering how this differs from what I was doing, which was:

    sed -i '/lxc.utsname/d' $lxc_path/$lxc_new/config
    echo lxc.utsname = $hostname >> $lxc_path/$lxc_new/config

The only difference is that in mine, if the original config had a hostname at the top of the file, it'll now be at the bottom of the file. But with both your snippets and mine, the 'lxc.utsname = new_hostname' will be the one and only utsname in the config. If you still think it's worth changing I'll do so, but I like that mine is shorter.

-serge
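The config-tweaking step debated above, as an added example rather than code from lxc-clone or from either post: it keeps an existing lxc.utsname line where it was (appending only when none exists), repoints the host-side lxc.rootfs and "lxc.mount =" paths at the clone, and lists anything else still naming the original so it can be reviewed before the clone is booted. The scratch directory, container names and sample config are constructed, and sed -i is assumed to be GNU sed.

```shell
# Added example, not the lxc-clone script: the "Tweaking configuration" step
# done so that an existing lxc.utsname line keeps its place (and is appended
# only when absent), and so that the host-side paths in lxc.rootfs and
# "lxc.mount =" follow the clone. Paths, container names and the sample
# config below are constructed for the demonstration.

# Set "lxc.utsname = $2" in config $1: replace an existing line in place,
# otherwise append one. Either way exactly one lxc.utsname line remains.
set_utsname() {
    if grep -q '^[[:space:]]*lxc\.utsname[[:space:]]*=' "$1"; then
        sed -i "s|^[[:space:]]*lxc\.utsname[[:space:]]*=.*|lxc.utsname = $2|" "$1"
    else
        echo "lxc.utsname = $2" >> "$1"
    fi
}

# In config $1 replace the original's directory $2 by the clone's $3, but
# only on lxc.rootfs and "lxc.mount =" lines; other keys (for example
# lxc.mount.entry) are deliberately left alone and surfaced by leftover_refs.
# $2 and $3 are plain directory paths (no '|' or regex metacharacters).
repoint_paths() {
    sed -i -e "/^[[:space:]]*lxc\.rootfs[[:space:]]*=/ s|$2|$3|g" \
           -e "/^[[:space:]]*lxc\.mount[[:space:]]*=/ s|$2|$3|g" "$1"
}

# Print every line of config $1 that still mentions directory $2.
leftover_refs() {
    grep -F "$2" "$1" || true
}

# Build $lxc_path/$new/config from $lxc_path/$orig/config.
clone_config() {
    lxc_path=$1; orig=$2; new=$3
    mkdir -p "$lxc_path/$new"
    cp "$lxc_path/$orig/config" "$lxc_path/$new/config"
    repoint_paths "$lxc_path/$new/config" "$lxc_path/$orig" "$lxc_path/$new"
    set_utsname "$lxc_path/$new/config" "$new"
}

# Constructed original container config in a scratch lxc_path.
LXC_SCRATCH=$(mktemp -d)
mkdir -p "$LXC_SCRATCH/orig"
cat > "$LXC_SCRATCH/orig/config" <<EOF
lxc.utsname = orig
lxc.tty = 4
lxc.rootfs = $LXC_SCRATCH/orig/rootfs
lxc.mount = $LXC_SCRATCH/orig/fstab
lxc.mount.entry = proc $LXC_SCRATCH/orig/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.network.type = veth
EOF

clone_config "$LXC_SCRATCH" orig new1
cat "$LXC_SCRATCH/new1/config"
echo "lines still pointing at the original (review before booting):"
leftover_refs "$LXC_SCRATCH/new1/config" "$LXC_SCRATCH/orig"
```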
Re: [Lxc-users] [PATCH 1/1] Add lxc-clone script
Actually, perhaps this is better integrated into the templates. I'm working on consolidating and extending the ubuntu templates into one, and it looks like maybe it's better to put the cloning stuff into that. Though it makes the create command syntax all the more baroque, which I don't like. But I'll send out the result and we'll see how it goes.

thanks,
-serge
Re: [Lxc-users] lxc-ubuntu: Default to current ubuntu release. If can't match any valid release, use lucid.
Quoting Stéphane Graber (stgra...@ubuntu.com):

Signed-off-by: Stéphane Graber stgra...@ubuntu.com

My thought (which I meant to point out in the help output) was that we should default to the latest LTS: lucid for now, 12.04 when it comes out. What do you think? If you think it's better to use the host's release by default, I'm fine with that.

--- templates/lxc-ubuntu.in |9 + 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index b49542c..4c72aee 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -396,6 +396,15 @@ fi eval set -- $options release=lucid +if [ -f /etc/lsb-release ]; then +. /etc/lsb-release +case $DISTRIB_CODENAME in +lucid|maverick|natty|oneiric) +release=$DISTRIB_CODENAME +;; +esac +fi + bindhome= # Code taken from debootstrap -- 1.7.5.4
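Review bot: `. /etc/lsb-release` sources the file as shell code, so anything placed in it runs with the privileges of lxc-create (normally root); since only DISTRIB_CODENAME is needed, read it with something like `sed -n 's/^DISTRIB_CODENAME=//p' /etc/lsb-release` instead of sourcing. The `case` list also hard-codes lucid through oneiric, so on the next release the template silently falls back to `release=lucid` on a host that could build its own release; a message when the codename is unrecognised would make that visible.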
Re: [Lxc-users] lxc-ubuntu: Default to current ubuntu release. If can't match any valid release, use lucid.
Quoting Stéphane Graber (stgra...@ubuntu.com):

On Thu, 2011-06-23 at 11:13 -0500, Serge Hallyn wrote:

Quoting Stéphane Graber (stgra...@ubuntu.com):

Signed-off-by: Stéphane Graber stgra...@ubuntu.com

My thought (which I meant to point out in the help output) was that we should default to the latest LTS: lucid for now, 12.04 when it comes out. What do you think? If you think it's better to use the host's release by default, I'm fine with that.

I kind of like having all the defaults set to what I'm currently running.

Me too, but I had a feeling that most users would want an LTS.

One thing that bothers me is that we can't give the distro, arch, ... as parameter when doing a lxc-create (which I'm assuming is the most common

What do you mean?

    lxc-create -t ubuntu -f /etc/lxc.conf -n n1 -- -a i386 -r natty

Is that not what you mean?

way of using our templates). Should we change the template to prompt the user instead? Showing the supported values for the distro and architecture (at least) and using the current system's values as a default?

By default no, but we could add a [-i|--interactive] option to the ubuntu template?

-serge
Re: [Lxc-users] lxc-ubuntu: Only replace i386 by i686 in lxc's config, otherwise debootstrap will fail
Quoting Stéphane Graber (stgra...@ubuntu.com):

Unless I missed something, the following commits should be good to apply:
- [PATCH 1/2] lxc-create: pass remaining args to templates
- [PATCH 2/2] templates: consolidate and extend ubuntu templates

Then, the following should be fixed:
- [PATCH 3/2] lxc-ubuntu template: set lxc.arch in config

Yup,

And then the following should apply fine:
- lxc-ubuntu: Base arch detection code on debootstrap's with some additions when we don't have dpkg or udpkg
- lxc-ubuntu: Default to current ubuntu release. If can't match any valid release, use lucid.

Dropping:
- lxc-ubuntu: Only replace i386 by i686 in lxc's config, otherwise debootstrap will fail

And finally drop the 'if [ $arch = ]' so we ignore what's in the environment. Sounds good? Did I miss something?

Sounds good. And then let's add better help like you suggested, and -i. I'm trying to nail a few other bugs right now (and get cgroups-bin interaction working next). I'll do this after that if you like, or if you want to do it now, that'd rock.

-serge
[Lxc-users] [PATCH 1/4] templates: consolidate and extend ubuntu templates
Consolidate lucid, maverick, natty, and oneiric templates into one 'ubuntu' template. Add support for specifying architecture. Add support for '--trim|-x' option, which removes services like the lucid template used to. This creates smaller, faster-booting containers, but they will not be safe with certain upgrades, like mountall or udev. When -x is not specified for lucid or maverick container, then install lxcguest from the ubuntu-virt ppa, since it does not exist in the official archives, and the container is not safe to boot without lxcguest. Add support for '--bindhome user' option, which will cause /home/user to be bind-mounted into the container, and create the user with his original password, shell, and group memberships in the container. changelog: june 23: lxc-ubuntu template: set lxc.arch in config install lxcguest when NOT trimming the container lxc-ubuntu: always install lxcguest in postprocess Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com --- configure.ac |5 +- doc/lxc-create.sgml.in|2 +- templates/Makefile.am |5 +- templates/lxc-lucid.in| 361 -- templates/lxc-maverick.in | 284 --- templates/lxc-natty.in| 285 --- templates/lxc-oneiric.in | 285 --- templates/lxc-ubuntu.in | 479 + 8 files changed, 482 insertions(+), 1224 deletions(-) delete mode 100644 templates/lxc-lucid.in delete mode 100644 templates/lxc-maverick.in delete mode 100644 templates/lxc-natty.in delete mode 100644 templates/lxc-oneiric.in create mode 100644 templates/lxc-ubuntu.in diff --git a/configure.ac b/configure.ac index 6cce1b4..81bc877 100644 --- a/configure.ac +++ b/configure.ac @@ -139,10 +139,7 @@ AC_CONFIG_FILES([ templates/Makefile templates/lxc-lenny templates/lxc-debian - templates/lxc-lucid - templates/lxc-maverick - templates/lxc-natty - templates/lxc-oneiric + templates/lxc-ubuntu templates/lxc-busybox templates/lxc-fedora templates/lxc-sshd diff --git a/doc/lxc-create.sgml.in b/doc/lxc-create.sgml.in index de3ef4e..f3e8524 100644 --- a/doc/lxc-create.sgml.in 
+++ b/doc/lxc-create.sgml.in @@ -107,7 +107,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA para 'template' is the short name of an existing 'lxc-template' script that is called by lxc-create, - eg. busybox, debian, fedora, lucid, maverick, natty or sshd. + eg. busybox, debian, fedora, ubuntu or sshd. Refer to the examples in filename@LXCTEMPLATEDIR@/filename for details of the expected script structure. /para diff --git a/templates/Makefile.am b/templates/Makefile.am index cfdf8f9..619eae5 100644 --- a/templates/Makefile.am +++ b/templates/Makefile.am @@ -3,10 +3,7 @@ templatesdir=@LXCTEMPLATEDIR@ templates_SCRIPTS = \ lxc-debian \ lxc-lenny \ - lxc-lucid \ - lxc-maverick \ - lxc-natty \ - lxc-oneiric \ + lxc-ubuntu \ lxc-fedora \ lxc-busybox \ lxc-sshd diff --git a/templates/lxc-lucid.in b/templates/lxc-lucid.in deleted file mode 100644 index 88a4618..000 --- a/templates/lxc-lucid.in +++ /dev/null 
@@ -1,361 +0,0 @@ -#!/bin/bash - -# -# template script for generating ubuntu/lucid container for LXC -# -# This script is based on lxc-debian (Daniel Lezcano daniel.lezc...@free.fr) -# - -# Copyright � 2010 Wilhelm Meier -# Author: Wilhelm Meier wilhelm.me...@fh-kl.de -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2, as -# published by the Free Software Foundation. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -configure_ubuntu() -{ -rootfs=$1 -hostname=$2 - -# disable selinux in ubuntu -mkdir -p $rootfs/selinux -echo 0 $rootfs/selinux/enforce - - # configure the network using the dhcp -cat EOF $rootfs/etc/network/interfaces -auto lo -iface lo inet loopback - -auto eth0 -iface eth0 inet dhcp -EOF - -# set the hostname -cat EOF $rootfs/etc/hostname -$hostname -EOF -# set minimal hosts -cat EOF $rootfs/etc/hosts -127.0.0.1 localhost $hostname -EOF - -# provide the lxc service -cat EOF $rootfs/etc/init/lxc.conf -# fake some events needed for correct startup other services - -description Container
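Review bot: the commit message says the '--trim|-x' option yields containers that "will not be safe with certain upgrades, like mountall or udev", yet the only documentation change in the hunks shown (doc/lxc-create.sgml.in) just replaces the template list with 'ubuntu'; the -x, -a/-r and --bindhome options and the trim caveat should be spelled out there or in the template's own help output, since a user who trims a container has no other warning. The diffstat also lists templates/lxc-ubuntu.in (479 lines added) but that file does not appear in the portion of the patch shown, so the new template could not be reviewed here.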
[Lxc-users] [PATCH 4/4] Clarify the template-specific options a bit in lxc-create's help
This does not supplant the need for a manpage, but it's a start.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com

--- src/lxc/lxc-create.in | 13 - 1 files changed, 12 insertions(+), 1 deletions(-) diff --git a/src/lxc/lxc-create.in b/src/lxc/lxc-create.in index 00e6b21..63750e9 100644 --- a/src/lxc/lxc-create.in +++ b/src/lxc/lxc-create.in @@ -21,7 +21,7 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA usage() { -echo usage: lxc-create -n name [-f configuration] [-t template] [-h] +echo usage: lxc-create -n name [-f configuration] [-t template] [-h] -- [template_options] } help() { @@ -33,6 +33,17 @@ help() { echo name : name of the container echo configuration: lxc configuration echo template : lxc-template is an accessible template script +if [ -z $lxc_template ]; then +echo for template-specific help, specify a template, for instance: +echo lxc-create -t ubuntu -h +exit 0 +fi +type ${templatedir}/lxc-$lxc_template /dev/null +echo +echo template-specific help follows: (these options follow '--') +if [ $? -eq 0 ]; then +${templatedir}/lxc-$lxc_template -h +fi } shortoptions='hn:f:t:' -- 1.7.4.1
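Review bot: in the help() hunk, `if [ $? -eq 0 ]` tests the exit status of the `echo` that precedes it, not of `type ${templatedir}/lxc-$lxc_template`, because two `echo` lines sit between them; so a misspelled template name is never detected and the script goes on to execute a non-existent file. Move the test directly after `type` (or write `if type ${templatedir}/lxc-$lxc_template ...; then`) and print the "template-specific help follows" banner inside that branch. Minor: `[ -z $lxc_template ]` should quote the variable.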
[Lxc-users] [PATCH 1/2] print netdev name, not link, after moving dev into netns
Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com

--- src/lxc/conf.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 483d375..2eb598b 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1633,7 +1633,7 @@ int lxc_assign_network(struct lxc_list *network, pid_t pid) return -1; } - DEBUG(move '%s' to '%d', netdev-link, pid); + DEBUG(move '%s' to '%d', netdev-name, pid); } return 0; -- 1.7.4.1
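Review bot: the fix is right in that the device handed to the container is the one named by netdev->name, but after this change the host-side link name disappears from the debug trail altogether; for veth pairs it is useful when reading logs to see both ends, so consider logging name and link in the same DEBUG line rather than swapping one for the other.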
Re: [Lxc-users] Use XID tagging with LXC
Quoting Julien VAUBOURG (jul...@vaubourg.com):

Hi all, I would like to handle disk quotas of my containers, but without using partitions. With linux-vserver, this is possible with the xid tagging and the vdlimit command[0]. Would you know if LXC can use xid in the same way? Thanks in advance. Cheers, Ju.

[0] http://linux-vserver.org/Disk_Limits_and_Quota

The vserver xid tagging is not upstream. You can port that support and either patch your own kernel or try to push it upstream. As an alternative, see 'man xfs_quota' for directory tree quotas, which may give you what you need.

-serge
Re: [Lxc-users] Hiding PCI devices inside the container
Quoting Devendra K. Modium (dmod...@isi.edu):

Hi, please let me know if it is possible to hide PCI devices inside the container. Although I used the cgroups.deny=a option in the configuration script, when I run the command lspci inside the container I can see all the devices connected to the host machine. Please let me know if I can avoid it some way or if there is any development going on currently.

Not currently possible. Things that would help this are /proc and /sys filtering and device namespaces. Daniel was looking into a /proc filtering approach recently, but no one is working on device namespaces that I know of.
Re: [Lxc-users] Latest test results - Was: cgroups: support cgroups mounted in multiple places (v3)
Quoting Michael H. Warfield (m...@wittsend.com):

...

F15 systemd: Passed.
F12 single mount: Passed.
F13 single mount: Passed.
F14 single mount: Passed.
F14 libcgroup: Failed.

I had the default /etc/cgconfig.conf file and here are the results:

    [root@berserker-base ~]# cat /etc/cgconfig.conf
    #
    # Copyright IBM Corporation. 2007
    #
    # Authors: Balbir Singh bal...@linux.vnet.ibm.com
    # This program is free software; you can redistribute it and/or modify it
    # under the terms of version 2.1 of the GNU Lesser General Public License
    # as published by the Free Software Foundation.
    #
    # This program is distributed in the hope that it would be useful, but
    # WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    #
    # See man cgconfig.conf for further details.
    #
    # By default, mount all separately controllers
    # to /cgroup/controller name
    mount {
        cpuset = /cgroup/cpuset;
        cpu = /cgroup/cpu;
        cpuacct = /cgroup/cpuacct;
        memory = /cgroup/memory;
        devices = /cgroup/devices;
        freezer = /cgroup/freezer;
        net_cls = /cgroup/net_cls;
        ns = /cgroup/ns;
        blkio = /cgroup/blkio;
    }
    [root@berserker-base ~]# uname -a
    Linux berserker-base.wittsend.com 2.6.35.13-92.fc14.i686 #1 SMP Sat May 21 17:39:42 UTC 2011 i686 i686 i386 GNU/Linux
    [root@berserker-base ~]# mount -t cgroup
    cgroup on /cgroup/cpuset type cgroup (rw,relatime,cpuset)
    cgroup on /cgroup/cpu type cgroup (rw,relatime,cpu)
    cgroup on /cgroup/cpuacct type cgroup (rw,relatime,cpuacct)
    cgroup on /cgroup/memory type cgroup (rw,relatime,memory)
    cgroup on /cgroup/devices type cgroup (rw,relatime,devices)
    cgroup on /cgroup/freezer type cgroup (rw,relatime,freezer)
    cgroup on /cgroup/net_cls type cgroup (rw,relatime,net_cls)
    cgroup on /cgroup/ns type cgroup (rw,relatime,ns)
    cgroup on /cgroup/blkio type cgroup (rw,relatime,blkio)
    [root@berserker-base ~]# lxc-start -n Ashaman
    lxc-start: no ns_cgroup option specified

Just a thought - does F14's kernel not support clone_children? See the output of ls /cgroup/cpuset and see if /cgroup/cpuset/cgroup.clone_children exists. If not, then yeah, there's nothing that can be done without the ns cgroup.

Thanks for testing!

-serge
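Added example (not lxc's code) for the cgroup-layout problem discussed in the Fedora 15 thread and for the clone_children check just above: it finds the mountpoint of each controller from a mount table in /proc/self/mounts format, locates the caller's own cgroup from a /proc/self/cgroup-style file so a child cgroup is created beneath it rather than at the root, and reports whether a given mount offers cgroup.clone_children or the ns subsystem. The mount tables, cgroup memberships and mountpoint directories below are constructed samples, one mirroring the F14 libcgroup layout from the report and one a systemd host where lxc-start itself sits in /user/master.

```shell
# Added example, not lxc code: resolve where a cgroup file such as
# devices.deny has to be written when controllers are mounted in different
# places (libcgroup's /cgroup/<ctrl>, systemd's /sys/fs/cgroup/<ctrl> plus
# its name=systemd hierarchy, or one combined mount), and check whether a
# mount lets a child cgroup be created without the ns subsystem.
# All mount tables and cgroup memberships below are constructed samples.

# Mountpoint of controller $1 according to mount table $2, which has the
# format of /proc/self/mounts: dev mountpoint fstype options dump pass.
# Named hierarchies (name=systemd) are matched by their name. Status 1 if
# the controller is not mounted anywhere.
cg_mountpoint() {
    awk -v c="$1" '$3 == "cgroup" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] == c || o[i] == ("name=" c)) { print $2; exit }
    }' "$2" | grep .
}

# Cgroup (relative to its mount) that the task described by $2 is in for
# controller $1; $2 has the format of /proc/self/cgroup: id:subsys,...:/path
cg_current_path() {
    awk -F: -v c="$1" '{
        n = split($2, s, ",")
        for (i = 1; i <= n; i++)
            if (s[i] == c || s[i] == ("name=" c)) { print $3; exit }
    }' "$2" | grep .
}

# Absolute directory of a child cgroup $2 created under the caller's own
# cgroup for controller $1, using mount table $3 and cgroup file $4.
# This is the path lxc would have to use instead of assuming one mount.
cg_child_dir() {
    mp=$(cg_mountpoint "$1" "$3") || return 1
    cur=$(cg_current_path "$1" "$4") || return 1
    # "${cur%/}" turns the root cgroup "/" into "" so we never emit "//"
    printf '%s\n' "${mp%/}${cur%/}/$2"
}

# Can a child cgroup be made that new tasks land in automatically? Yes if
# the mount at $1 carries cgroup.clone_children, or if the ns subsystem is
# among the mount options $2. Prints which mechanism applies, else status 1.
cg_child_mechanism() {
    if [ -e "$1/cgroup.clone_children" ]; then
        echo clone_children
    elif printf '%s' ",$2," | grep -q ',ns,'; then
        echo ns_cgroup
    else
        return 1
    fi
}

# Constructed samples (scratch directory).
CG_SAMPLES=$(mktemp -d)
cat > "$CG_SAMPLES/mounts.libcgroup" <<'EOF'
cgroup /cgroup/cpuset cgroup rw,relatime,cpuset 0 0
cgroup /cgroup/devices cgroup rw,relatime,devices 0 0
cgroup /cgroup/freezer cgroup rw,relatime,freezer 0 0
EOF
cat > "$CG_SAMPLES/cgroup.libcgroup" <<'EOF'
3:freezer:/
2:devices:/
1:cpuset:/
EOF
cat > "$CG_SAMPLES/mounts.systemd" <<'EOF'
cgroup /sys/fs/cgroup/systemd cgroup rw,relatime,name=systemd 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices 0 0
EOF
cat > "$CG_SAMPLES/cgroup.systemd" <<'EOF'
3:devices:/
2:cpu,cpuacct:/user/master
1:name=systemd:/user/master
EOF
# Fake mountpoint directories for cg_child_mechanism: only "cpuset" has
# the clone_children knob.
mkdir -p "$CG_SAMPLES/cpuset" "$CG_SAMPLES/devices"
: > "$CG_SAMPLES/cpuset/cgroup.clone_children"

cg_demo() {
    for c in devices cpu memory; do
        printf '%-8s libcgroup: %s\n' "$c" \
            "$(cg_child_dir "$c" Ashaman "$CG_SAMPLES/mounts.libcgroup" \
                 "$CG_SAMPLES/cgroup.libcgroup" || echo 'not mounted')"
    done
    # On the systemd host the child must stay under /user/master, not at /.
    cg_child_dir systemd Ashaman "$CG_SAMPLES/mounts.systemd" "$CG_SAMPLES/cgroup.systemd"
    cg_child_mechanism "$CG_SAMPLES/cpuset" rw,relatime,cpuset
}
cg_demo
```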
[Lxc-users] [PATCH 1/3] Add arm as a supported srcarch
From: Serge Hallyn serge.hal...@canonical.com

Otherwise building on armel fails with

    checking for linux SRCARCH... configure: error: architecture arm-unknown-linux-gnueabi not supported

See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/745884 for details.

Author: Marcin Juszkiewicz marcin.juszkiew...@linaro.org
Signed-off-by: Serge Hallyn serge.hal...@canonical.com

--- config/linux.m4 |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/config/linux.m4 b/config/linux.m4 index 338f393..e117923 100644 --- a/config/linux.m4 +++ b/config/linux.m4 @@ -65,6 +65,7 @@ AC_DEFUN([AC_LINUX_SRCARCH],[ x86_64-*) LINUX_SRCARCH=x86;; powerpc*-*) LINUX_SRCARCH=powerpc;; s390*-*) LINUX_SRCARCH=s390;; + arm*-*) LINUX_SRCARCH=arm;; *) AC_MSG_ERROR([architecture ${host} not supported]);; esac -- 1.7.4.1
[Lxc-users] [PATCH 2/3] lxc-ubuntu: don't put devpts in $confdir/container/fstab
From: Serge Hallyn serge.hal...@canonical.com

src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab entry, which is getting processed first, did not specify -o newinstance. This can cause the host's devpts entry mount options to change, as in https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.

Note - I messed up. This was applied upstream, but I dropped it in subsequent conversion to lxc-ubuntu template. It therefore needs to be reapplied.

Signed-off-by: Serge Hallyn serge.hal...@canonical.com

--- templates/lxc-ubuntu.in |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 439e1d0..2934dc1 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -198,7 +198,6 @@ EOF cat EOF $path/fstab proc$rootfs/proc procnodev,noexec,nosuid 0 0 -devpts $rootfs/dev/pts devpts defaults 0 0 sysfs $rootfs/sys sysfs defaults 0 0 EOF -- 1.7.4.1
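Review bot: the remaining `sysfs $rootfs/sys sysfs defaults 0 0` entry in the same fstab block is still mounted with `defaults` while the proc entry above it carries `nodev,noexec,nosuid`; since the point of this patch is to stop the template fstab from duplicating or weakening what conf.c does, it would be worth either giving sysfs the same restrictive options here or saying in the commit message that conf.c handles sysfs too and the line can go the same way as devpts.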
[Lxc-users] [PATCH 3/3] lxc-ubuntu: Allow /dev/fuse to be used in a container
From: Serge Hallyn serge.hal...@canonical.com

As people seem to want it, i.e. https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/800886

Signed-off-by: Serge Hallyn serge.hal...@canonical.com

--- templates/lxc-ubuntu.in |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 2934dc1..e450dae 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -194,6 +194,8 @@ lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc lxc.cgroup.devices.allow = c 254:0 rwm +#fuse +lxc.cgroup.devices.allow = c 10:229 rwm EOF cat EOF $path/fstab -- 1.7.4.1
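Review bot: `lxc.cgroup.devices.allow = c 10:229 rwm` unconditionally grants every container created from this template mknod plus read/write access to /dev/fuse, which is what is needed to mount FUSE filesystems from inside the container; since the justification is a request from some users, this fits better as an opt-in template option than as a default written into every config. Minor: the comment `#fuse` lacks the space used by the neighbouring `# rtc` comment.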
[Lxc-users] 3 small patches for 0.7.5
Hi,

following are three small patches which are applied in the Ubuntu lxc package, on top of the current lxc git HEAD. Would you mind applying these before tagging 0.7.5?

thanks,
-serge
Re: [Lxc-users] Upgrading udev and plymouth in a lucid container
Quoting Elliot Pahl (elliot.p...@gmail.com):

Upgrading udev and plymouth in a lucid container seems to require access to udev devices with the following lines in container/config

    lxc.cgroup.devices.allow = c 108:0 rwm
    lxc.cgroup.devices.allow = b 7:0 rwm
    lxc.cgroup.devices.allow = c 10:200 rwm

Otherwise you get something along the lines of:

    Setting up udev (151-12.3) ...
    mknod: `/lib/udev/devices/ppp': Operation not permitted
    dpkg: error processing udev (--configure):
     subprocess installed post-installation script returned error exit status 1
    dpkg: dependency problems prevent configuration of plymouth:
     plymouth depends on udev (= 149-2); however:
      Package udev is not configured yet.
    dpkg: error processing plymouth (--configure):
     dependency problems - leaving unconfigured
    No apport report written because the error message indicates its a followup error from a previous failure.
    Errors were encountered while processing:
     udev
     plymouth
    E: Sub-process /usr/bin/dpkg returned an error code (1)

Can this be added to the ubuntu creation template? (I'm running lxc daily from https://launchpad.net/~ubuntu-lxc/+archive/daily).

I think we might want to open a bug against udev and see if we can get it to not fail because it can't create/open a specific device. The bug might be rejected, but I think it's the right place to handle this.
Re: [Lxc-users] Fedora 15 on Fedora 15 LXC with Libvirt
Hi,

This mailing list is intended for users of the lxc.sf.net toolsuite. While the libvirt lxc implementation is in many ways similar, there definitely are differences. I point this out because your first step has to be to get more debugging information, and I don't know that anyone here can help you with that.

Can you get systemd to copy all of its console output to a file which you can read later? We certainly are interested in helping, since it certainly seems you are suffering from the same problem we are. I'm just not sure how to have you get started.

Perhaps you can hack src/lxc/lxc_container.c:lxcContainerSetStdio() to open a file '/debugoutput', and use that fd rather than ttyfd for the dup2()s? That might give you some better debug info.

You also might want to ask on the libvir mailing list, or the oftc #virt irc channel.

-serge
Re: [Lxc-users] lxc-clone
Quoting Ramez Hanna (rha...@informatiq.org):

Hi, I have started using lxc to set up a pre-production system instead of KVM. At first glance clone seemed to me that it would copy everything to a new rootfs, but it turns out that in the case of LVM it will snapshot. AFAIK snapshots are meant more for backup or testing some changes and discarding them later. Do you think it makes sense if I modify the script in this way: if the user doesn't specify -s, then a new lv is created and all contents are copied to it, rather than the snapshot, which would work if the user uses the -s option?

Yes, I guess I didn't implement that bit yet, but not specifying -s was meant to do a simple copy. You'll probably want to check whether the original was a simple directory tree or an lvm, and only lvcreate if the original was an lvm. (Then lxc-convert can offer conversion from one to the other.)

-serge
Re: [Lxc-users] [PATCH] multiple mods to lxc-clone
Thanks, Ramez. It looks good to me. My only comment would be that if the rootfs copy fails (either rsync or lvm clone), and you've frozen the original container, then you need to unfreeze the original container before erroring out. -serge Quoting Ramez Hanna (rha...@informatiq.org): * allow cloning of non-snapshot lvm devices * if no -s then create a copy of the lvm block device and copy data from the orig to the new container device * first take a snapshot, then use this snapshot to copy data, remove snapshot after done * if orig container is running freeze it while copying * in case lvm block device, the container is only frozen during creation of snapshot ~1 sec * use rsync -ax insted of cp -a * in case copying a live contrainer it won't copy runtine mounted files such as /proc, /sys and some /dev * new opts * fstype: type of fs for the newly created lvm device in case of non-snapshot lvm * lvprefix: prefix for new lvm device name. * do not delete the lines lxc.mount by default * check is fstab exists then copy it * only modify lines that contain lxc.mount =, debian template seems to not have that line but uses lxc.mount. lines which get screwed Signed-off-by: InformatiQ rha...@informatiq.org --- src/lxc/lxc-clone.in | 98 ++ 1 files changed, 75 insertions(+), 23 deletions(-) mode change 100644 = 100755 src/lxc/lxc-clone.in diff --git a/src/lxc/lxc-clone.in b/src/lxc/lxc-clone.in old mode 100644 new mode 100755 index 91944a0..d42160b --- a/src/lxc/lxc-clone.in +++ b/src/lxc/lxc-clone.in @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash # # lxc: linux Container library @@ -22,7 +22,7 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA usage() { -echo usage: lxc-clone -o orig -n new [-s] [-h] [-L fssize] [-v vgname] +echo usage: lxc-clone -o orig -n new [-s] [-h] [-L fssize] [-v vgname] [-p lxc_lv_prefix] [-t fstype] } help() { 
@@ -36,15 +36,19 @@ help() { echo -s : make the new rootfs a snapshot of the original echo fssize : size if creating a new fs. By default, 2G echo vgname : lvm volume group name, lxc by default +echo lvprefix : lvm volume name prefix, none by default, e.g. --lvprefix=lxc_ then new lxc lv name will be lxc_newname +echo fstype : new container file system type, ext3 by default (only works for non-snapshot lvm) } -shortoptions='ho:n:sL:v:' -longoptions='help,orig:,name:,snapshot,fssize,vgname' +shortoptions='ho:n:sL:v:p:t:' +longoptions='help,orig:,name:,snapshot,fssize:,vgname:,lvprefix:,fstype:' lxc_path=/var/lib/lxc bindir=/usr/bin snapshot=no lxc_size=2G lxc_vg=lxc +lxc_lv_prefix= +fstype=ext3 getopt=$(getopt -o $shortoptions --longoptions $longoptions -- $@) if [ $? != 0 ]; then @@ -63,6 +67,7 @@ while true; do -s|--snapshot) shift snapshot=yes +snapshot_opt=-s ;; -o|--orig) shift @@ -84,6 +89,11 @@ while true; do lxc_new=$1 shift ;; +-p|--lvprefix) +shift +lxc_lv_prefix=$1 +shift +;; --) shift break;; 
@@ -141,50 +151,92 @@ trap ${bindir}/lxc-destroy -n $lxc_new; echo aborted; exit 1 SIGHUP SIGINT SIG mkdir -p $lxc_path/$lxc_new +hostname=$lxc_new + echo Tweaking configuration cp $lxc_path/$lxc_orig/config $lxc_path/$lxc_new/config sed -i '/lxc.utsname/d' $lxc_path/$lxc_new/config echo lxc.utsname = $hostname $lxc_path/$lxc_new/config -sed -i '/lxc.mount/d' $lxc_path/$lxc_new/config -echo lxc.mount = $lxc_path/$lxc_new/fstab $lxc_path/$lxc_new/config +grep lxc.mount = $lxc_path/$lxc_new/config /dev/null 21 { sed -i '/lxc.mount =/d' $lxc_path/$lxc_new/config; echo lxc.mount = $lxc_path/$lxc_new/fstab $lxc_path/$lxc_new/config; } -cp $lxc_path/$lxc_orig/fstab $lxc_path/$lxc_new/fstab -sed -i s@$lxc_path/$lxc_orig@$lxc_path/$lxc_new@ $lxc_path/$lxc_new/fstab +if [ -e $lxc_path/$lxc_orig/fstab ];then +cp $lxc_path/$lxc_orig/fstab $lxc_path/$lxc_new/fstab +sed -i s@$lxc_path/$lxc_orig@$lxc_path/$lxc_new@ $lxc_path/$lxc_new/fstab +fi echo Copying rootfs... rootfs=$lxc_path/$lxc_new/rootfs # First figure out if the old is a device. For now we only support # lvm devices. mounted=0 +#is container running +lxc-info -s -n $lxc_orig|grep RUNNING /dev/null 21 +if [ $? -ne 0 ]; then +container_running=True +fi sed -i '/lxc.rootfs/d' $lxc_path/$lxc_new/config oldroot=`grep lxc.rootfs $lxc_path/$lxc_orig/config | awk -F= '{ print $2 '}` if [ -b $oldroot ]; then # this is a device. If we don't want to snapshot, then mkfs, mount # and rsync. Trivial but not yet implemented - if [
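Review bot: the `-t`/`--fstype` option added to `shortoptions='ho:n:sL:v:p:t:'` and `longoptions=...,fstype:` in the @@ -36,15 +36,19 @@ hunk has no matching case in the option loop: the @@ -84,6 +89,11 @@ hunk adds only `-p|--lvprefix)`, so `fstype` stays at its default of ext3 whatever the user passes. Add a `-t|--fstype) shift; fstype=$1; shift ;;` case next to the lvprefix one. Separately, changing `fssize,vgname` to `fssize:,vgname:` fixes two long options that previously took no argument; that deserves a line in the description.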
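Review bot: the running-container test in the @@ -141,50 +151,92 @@ hunk is inverted: `lxc-info -s -n $lxc_orig|grep RUNNING` exits 0 when the container is RUNNING, yet `container_running=True` is only set under `if [ $? -ne 0 ]`, i.e. when it is not running. A live container would therefore be copied unfrozen, and a stopped one would be treated as running. Use `if [ $? -eq 0 ]`, or more directly `if lxc-info -s -n $lxc_orig | grep -q RUNNING; then`.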
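Review bot: the @@ -1,4 +1,4 @@ hunk replaces the `#!/bin/bash` line with an identical-looking one (presumably a whitespace or line-ending change) and the file mode flips from 100644 to 100755; neither is mentioned in the bullet list describing the change. Confirm the mode change on lxc-clone.in (an input template, not the installed script) is intended and say so in the commit message, or drop the hunk.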
Re: [Lxc-users] Is it possible to create symbolic links between different containers
Quoting nishant mungse (nishantmun...@gmail.com):
> Hi all
> I want to create a sym link between different containers. Is it possible to create? And how?

Hm. How about doing a bind mount instead?
Re: [Lxc-users] help regarding lxc
Quoting nishant mungse (nishantmun...@gmail.com):
> hi all
> when i write the create command it shows this output:
>
> lxc-create -n ubuntu -t lucid -f /home/nishant/ubuntu.conf
> debootstrap is /usr/sbin/debootstrap
> Checking cache download in /var/cache/lxc/lucid/rootfs-i386 ...
> Downloading ubuntu lucid minimal ...
> I: Retrieving Release
>
> And it hangs here or sometimes shows failed to download. My internet connection is working properly. Is there something i'm missing??

What is your host distro+release? What is in /home/nishant/ubuntu.conf? What is in /etc/default/lxc?

What do you get when you just do

sudo debootstrap lucid lucid-dir

?
Re: [Lxc-users] lxc-start fails when / is a shared mount
Quoting Marios Titas (redneb8...@gmail.com):
> Hi list,
> I just ran into this problem: If you do
>
> # mount --make-shared /
>
> to mark / as a shared mount then lxc-start fails when you have specified a lxc.rootfs in the configuration file. The error that lxc-start gives is the following:
>
> Invalid argument - pivot_root syscall failed
>
> Is this the normal behavior or is this a kernel bug?

It is normal behavior. Perhaps lxc should fall back to chroot when pivot_root fails.

-serge
Re: [Lxc-users] how to mount inside of running container
Quoting Arie Skliarouk (sklia...@gmail.com):
> Hi,
> Thank you for the instructions, but it looks like I did something wrong.

Sorry, no, my instructions weren't quite right. I'm going to spend a bit of time right now whipping up some tested directions, and will get back to you.

-serge
Re: [Lxc-users] how to mount inside of running container
Quoting Serge Hallyn (serge.hal...@canonical.com):
> Quoting Arie Skliarouk (sklia...@gmail.com):
> > Hi,
> > Thank you for the instructions, but it looks like I did something wrong.
>
> Sorry, no, my instructions weren't quite right. I'm going to spend a bit of time right now whipping up some tested directions, and will get back to you.
>
> -serge

I see you fixed it for yourself, but fwiw: http://s3hh.wordpress.com/2011/09/22/sharing-mounts-with-a-container/

-serge
Re: [Lxc-users] Dependencies Use Cases
Quoting Daniel Baumann (daniel.baum...@progress-technologies.net):
> On 11/04/2011 01:16 PM, Huang Liang wrote:
> > Check out toft: https://github.com/exceedhl/toft. It provides rpm and deb packages which already handle the dependencies on centos and ubuntu.
>
> why would one want this instead of using lxc from your distribution's repository?
>
> > Moreover, it packages the bind and dhcp setup on the host machine and ships with pre-created images, which saves a lot of time hassling around these issues.
>
> that particular 'problem' we're going to solve in debian within about a week when lxc provides linux-container (a generic version of something similar to what lxcguest in ubuntu and for ubuntu-only does) and live-build therefore can build proper system images for lxc containers that are shipped through .debs and which are going to be preferred over caches in /var/cache/lxc in debian's lxc package.
>
> don't know what ubuntu has in mind for such use cases.

We aim to fix the two things that lxcguest is currently papering over so that the same unmodified ubuntu install can be used in kvm, lxc, or on bare metal.

-serge
Re: [Lxc-users] Dependencies Use Cases
Quoting Alex Eagar (alexea...@gmail.com):
> Can LXC use cgroups without libcgroup? For that matter, just to be clear, can LXC use cgroups without cgroup-bin?

LXC doesn't need anything from cgroup-bin, and, if it did, cgroup-bin could not deliver. (see below)

> In what use case would using LXC without cgroups make sense? Aren't cgroups fundamental to

I think you misunderstand cgroup-bin. The point of cgroup-bin is to try and catch applications/daemons as they start and classify them into cgroups according to a configuration. However, because tasks are classified by placing their pids one at a time into a file, there are cases where it misses tasks, and it's not entirely reliable.

LXC controls cgroups (the kernel feature) itself through the cgroup filesystem. cgroup-bin is not needed for this. The cgroups just need to be composed in a (set of) cgroup mount(s) somewhere.

> happening, but based on my presumptions, which presumptions I am actively asking you to correct, that is what appears to have occurred in Ubuntu.

Hopefully the above explained why that's not what happened.

> serge, as a fellow member of the Ubuntu community, please do not refer to others' efforts as 'papering over' even if it perhaps is in

I wrote lxcguest. 'Papering over' is not meant as a put-down. The point is that there are things in a stock Ubuntu install which stop a container from booting. For each of those, the right thing to do is to update the packages involved so that they can work just as well in a container as on hardware/kvm. But for a first step, I chose to create a package to hide the problems. In part, that gave us a better chance to figure out what the real problems were. Currently there are (if I'm thinking right), at core, two:

1. the need for the lxc-monitor to watch /run/utmp in the container to detect reboot/shutdown. That means the guest can't mount tmpfs on /run, which suddenly creates a whole set of issues. Daniel is hoping to resend a kernel patchset this week or next which will let us not do that.

2. mountall needs to not mount certain things in a container at boot. Here is where I almost literally paper over :) : lxcguest just bind-mounts a different file over /lib/init/fstab to make mountall do what we want. This can break upgrades, when they want to overwrite /lib/init/fstab. So I intend to fix mountall so we don't need that.

-serge
[Lxc-users] [PATCH 1/1] ubuntu template: use -updates and -security (v3)
Particularly for LTS releases, which many people will want to use in their containers, it is not wise to not use release-security and release-updates. Furthermore the fix allowing ssh to allow the container to shut down is in lucid-updates only. With this patch, after debootstrapping a container, we add -updates and -security to sources.list and do an upgrade under chroot. Unfortunately we need to do this because debootstrap doesn't know how to. Changelog: Nov 14: as Stéphane Graber suggested, make sure no daemons start on the host while doing dist-upgrade from chroot. Nov 15: use security.ubuntu.com, not mirror. (stgraber) Signed-off-by: Serge Hallyn serge.hal...@canonical.com --- templates/lxc-ubuntu.in | 31 +-- 1 files changed, 29 insertions(+), 2 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 2be8680..ed6131f 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in 
@@ -105,9 +105,36 @@ download_ubuntu() return 1 fi -mv $1/partial-$arch $1/rootfs-$arch -echo Download complete. +echo Installing updates +if [ -z $MIRROR ]; then +MIRROR=http://archive.ubuntu.com/ubuntu; +fi +cat $1/partial-${arch}/etc/apt/sources.list EOF +deb $MIRROR ${release}-updates main universe +deb http://security.ubuntu.com/ubuntu ${release}-security main universe +EOF +chroot $1/partial-${arch} apt-get update +if [ $? -ne 0 ]; then +echo Failed to update the apt cache +return 1 +fi +cat $1/partial-${arch}/usr/sbin/policy-rc.d EOF +#!/bin/sh +exit 101 +EOF +chmod +x $1/partial-${arch}/usr/sbin/policy-rc.d + +chroot $1/partial-${arch} apt-get dist-upgrade -y +ret=$? + +rm -f $1/partial-${arch}/usr/sbin/policy-rc.d +if [ $ret -ne 0 ]; then +echo Failed to upgrade the cache +return 1 +fi +mv $1/partial-$arch $1/rootfs-$arch +echo Download complete return 0 } -- 1.7.5.4 -- RSA(R) Conference 2012 Save $700 by Nov 18 Register now http://p.sf.net/sfu/rsa-sfdev2dev1 ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
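Review bot: in the @@ -105,9 +105,36 @@ hunk both `chroot $1/partial-${arch} apt-get update` and `chroot $1/partial-${arch} apt-get dist-upgrade -y` run without `DEBIAN_FRONTEND=noninteractive`, so a package whose postinst prompts through debconf will block waiting for a terminal even with `-y`; the policy-rc.d guard (`exit 101`) only suppresses service starts, not prompts. Prefix the two apt-get calls with `DEBIAN_FRONTEND=noninteractive`. Also, the message `Failed to upgrade the cache` is misleading: what is being dist-upgraded is the freshly debootstrapped rootfs in `partial-${arch}`, not the apt cache, so say `Failed to upgrade the rootfs` or similar.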
Re: [Lxc-users] Downgrade disk IO PRIORITY automatically
Quoting Arie Skliarouk (sklia...@gmail.com):
> Hi,
> I understand that this is not quite the appropriate mailing list to ask the question, but the question is related to the LXC tech we use on the server, so here it goes:
>
> Most of the time the LXC containers on our servers work properly, but occasionally someone, somewhere starts an IO heavy operation that kills performance for everybody. For some time I tried to ask people nicely to use ionice -c 3 or run the task off-hours but this is not enough. The problem happens quite often for people to complain, but not (IMHO) enough to warrant purchasing new hardware.
>
> I envision that an ideal solution would be some daemon that would monitor disk IO activity and automatically reduce (or raise, depending how you view it) the ionice priority of the process or the container. The daemon would restore the IO niceness after some good behavior period.
>
> Is there any solution along those lines?

Have you tried the blkio cgroup? (I haven't, so am curious how effective it is)

-serge
[Lxc-users] [PATCH] Cgroup cleanups: play more nicely with others, and support nesting
Summary: With this patch, I can start a container 'o1' inside another container 'o1'. (Of course, the containers must be on a different subnet) Detail: 1. Create cgroups for containers under /lxc. 2. Support nested lxc: respect init's cgroup: Create cgroups under init's cgroup. So if we start a container c2 inside a container 'c1', we'll use /sys/fs/cgroup/freezer/lxc/c1/lxc/c2 instead of /sys/fs/cgroup/freezer/c2. This allows a container c1 to be created inside container c1 It also allow a container's limits to be enforced on all a container's children (which a MAC policy could already enforce, in which case current lxc code would be unable to nest altogether). 3. Finally, if a container's cgroup already exists, rename it rather than failing to start the container. Try to WARN the user so they might go clean the old cgroup up. Whereas without this patch, container o1's cgroup would be /sys/fs/cgroup/subsys/o1, it now becomes /sys/fs/cgroup/subsys/initcgroup/lxc/o1 so if init is in cgroup '/' then o1's freezer cgroup would be: /sys/fs/cgroup/freezer/lxc/o1 Signed-off-by: Serge Hallyn serge.hal...@canonical.com --- src/lxc/cgroup.c | 147 +++--- 1 files changed, 129 insertions(+), 18 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index a2b823e..8d3b245 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c 
@@ -52,9 +52,65 @@ enum { CGROUP_CLONE_CHILDREN, }; +/* + * get_init_cgroup: get the cgroup init is in. + * dsg: preallocated buffer to put the output in + * subsystem: the exact cgroup subsystem to look up + * mntent: a mntent (from getmntent) whose mntopts contains the + * subsystem to look up. + * + * subsystem and mntent can both be NULL, in which case we return + * the first entry in /proc/1/cgroup. + * + * Returns a pointer to the answer, which may be . + */ +static char *get_init_cgroup(const char *subsystem, struct mntent *mntent, +char *dsg) +{ + FILE *f; + char *c, *c2; + char line[MAXPATHLEN]; + + *dsg = '\0'; + f = fopen(/proc/1/cgroup, r); + if (!f) + return dsg; + + while (fgets(line, MAXPATHLEN, f)) { + c = index(line, ':'); + if (!c) + continue; + c++; + c2 = index(c, ':'); + if (!c2) + continue; + *c2 = '\0'; + c2++; + if (!subsystem !mntent) + goto good; + if (subsystem strcmp(c, subsystem) != 0) + continue; + if (mntent !hasmntopt(mntent, c)) + continue; +good: + DEBUG(get_init_cgroup: found init cgroup for subsys %s at %s\n, + subsystem, c2); + strncpy(dsg, c2, MAXPATHLEN); + c = dsg[strlen(dsg)-1]; + if (*c == '\n') + *c = '\0'; + goto found; + } + +found: + fclose(f); + return dsg; +} + static int get_cgroup_mount(const char *subsystem, char *mnt) { struct mntent *mntent; + char initcgroup[MAXPATHLEN]; FILE *file = NULL; file = setmntent(MTAB, r); @@ -68,13 +124,18 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) if (strcmp(mntent-mnt_type, cgroup)) continue; if (!subsystem || hasmntopt(mntent, subsystem)) { - strcpy(mnt, mntent-mnt_dir); + int ret; + ret = snprintf(mnt, MAXPATHLEN, %s%s/lxc, mntent-mnt_dir, + get_init_cgroup(subsystem, NULL, initcgroup)); + if (ret 0 || ret = MAXPATHLEN) + goto fail; fclose(file); DEBUG(using cgroup mounted at '%s', mnt); return 0; } }; +fail: DEBUG(Failed to find cgroup for %s\n, subsystem ? subsystem : (NULL)); fclose(file); 
@@ -166,26 +227,71 @@ static int cgroup_attach(const char *path, pid_t pid) } /* + * rename cgname, which is under cgparent, to a new name starting + * with 'cgparent/dead'. That way cgname can be reused. Return + * 0 on success, -1 on failure. + */ +int try_to_move_cgname(char *cgparent, char *cgname) +{ + char *newdir; + + /* tempnam problems don't matter here - cgroupfs will prevent +* duplicates if we race, and we'll just fail at that (unlikely) +* point +*/ + + newdir = tempnam(cgparent, dead); + if (!newdir) + return -1; + if (rename(cgname, newdir)) + return -1; + WARN(non-empty cgroup %s renamed to %s, please manually inspect it\n, + cgname, newdir
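Review bot: `get_init_cgroup()` in the @@ -52,9 +52,65 @@ hunk compares the subsystem field of each /proc/1/cgroup line with `strcmp(c, subsystem)`, but for co-mounted controllers that field reads e.g. `cpu,cpuacct`, so a lookup for `cpu` never matches and the function silently returns the empty string; the `hasmntopt(mntent, c)` branch has the same problem, since the whole comma-separated list is passed as one option name. Split the field on commas and compare each token. Also `strncpy(dsg, c2, MAXPATHLEN)` leaves `dsg` unterminated when the path fills the buffer, and the following `strlen(dsg)-1` then reads past it; copy at most `MAXPATHLEN-1` bytes and terminate explicitly.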
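Review bot: in the @@ -68,13 +124,18 @@ hunk the cgroup path is built as `%s%s/lxc` from `mntent->mnt_dir` and init's cgroup; when init is in `/` (the case the description uses) this yields `/sys/fs/cgroup/freezer//lxc`, which the kernel tolerates but which shows up verbatim in the `using cgroup mounted at '%s'` debug line and in any later string comparison. Skip the init cgroup when it is `/`, or strip its trailing slash. The call also passes `NULL` for mntent, so the co-mount lookup that `get_init_cgroup` accepts a mntent for is never used from here; pass `mntent` instead. Minor: the new `fail:` path closes the stream with `fclose(file)` where `endmntent()` is the counterpart of `setmntent()`.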
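Review bot: `try_to_move_cgname()` in the @@ -166,26 +227,71 @@ hunk relies on `tempnam(cgparent, "dead")` to produce a name inside `cgparent`, but glibc's tempnam prefers `$TMPDIR` when it is set and writable, in which case `rename(cgname, newdir)` crosses from cgroupfs to another filesystem and fails with EXDEV, so the cgroup is never moved and the container start fails exactly as before. Build the new name with snprintf under `cgparent` (e.g. `dead-<pid>-<counter>`) instead; that also removes the documented race, since rename() itself reports a collision. The string tempnam returns is malloc'd and should be freed after the WARN.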
Re: [Lxc-users] [PATCH] Cgroup cleanups: play more nicely with others, and support nesting
Quoting Derek Simkowiak (de...@simkowiak.net):
> Serge,
> Could you please elaborate on this comment?
>
> > (Of course, the containers must be on a different subnet)
>
> Do you mean a TCP/IP subnet? If so, why does this limitation exist?

No, I just mean that you have to make sure to use different addresses for the bridges and all the containers :)

If you use lxc in ubuntu precise, it by default creates the following bridge:

LXC_BRIDGE=lxcbr0
LXC_ADDR=10.0.4.1
LXC_NETWORK=10.0.4.0/24
LXC_DHCP_RANGE=10.0.4.2,10.0.4.254
LXC_DHCP_MAX=253

You have to change that in the nested container. Just as you would with nested libvirt. So on my host I left it as above, and in the first container (*for* the containers it nested) I changed it to 10.0.5.x.

-serge

> I would like to use nested LXC containers for reselling CPU, disk, and network at a data center. (I.e., my customers re-sell their CPU, disk, and network to their customers by using nested LXC containers.) In that scenario, all LXC containers (incl. nested ones) would need to be on the same subnet (because that's how the data center sells cabinets).

That's fine, just avoid conflicts :)

-serge
Re: [Lxc-users] lxc and guest /proc/kcore access restriction
Quoting Fiedler Roman (roman.fied...@ait.ac.at):
> Hello List,
> I have problems finding information about lxc with system virtualization and access restriction to /proc/kcore. In my setup, root in guest can read /proc/kcore, data from host shows up in container kcore, so kcore is not somehow faked/virtualized.
> I did not find any suitable information about securing /proc use inside a container, so perhaps someone could point me to information on these questions?
>
> * Is secure /proc use (no escape, no major host/container or inter-container info leaks) inside guest possible?

ATM I recommend you use an LSM to do that.

-serge
Re: [Lxc-users] lxc and guest /proc/kcore access restriction
Quoting Fiedler Roman (roman.fied...@ait.ac.at):
> Hi Serge,
>
> > -----Original Message-----
> > From: Serge Hallyn [mailto:serge.hal...@canonical.com]
> > To: Fiedler Roman
> > Cc: lxc-users@lists.sourceforge.net
> > Subject: Re: [Lxc-users] lxc and guest /proc/kcore access restriction
> >
> > Quoting Fiedler Roman (roman.fied...@ait.ac.at):
> > > Hello List,
> > > I have problems finding information about lxc with system virtualization and access restriction to /proc/kcore. In my setup, root in guest can read /proc/kcore, data from host shows up in container kcore, so kcore is not somehow faked/virtualized.
> > > I did not find any suitable information about securing /proc use inside a container, so perhaps someone could point me to information on these questions?
> > >
> > > * Is secure /proc use (no escape, no major host/container or inter-container info leaks) inside guest possible?
> >
> > ATM I recommend you use an LSM to do that.
>
> Thanks for the hint, I'm looking into that. Is there anyone on this list who is already using kernel memory isolation between guest and host or between guests? Which LSM variant and configuration is useful? Is there a good base configuration to start with?

Yes, check out http://osdir.com/ml/lxc-chroot-linux-containers/2011-08/msg4.html for Olivier using Smack. I don't know of anyone using SELinux, but it should be a snap.

> I'm using http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html?ca=dgr-lnxw961ELinux-Smack-ContainsS_TACT=105AGX59S_CMP=grsitelnxw961 for a start, but I guess it is a long road until all access to all critical /proc components and syscalls is restricted.

In the next few months we hope to have effective (not very flexible, but effective) apparmor support. Then over the next 6 months after that, more flexibility will be added. (I can say more about the limitations etc, but I suspect as you can't use it right now that's less interesting to you than following up on the Smack usage.)

http://wiki.ubuntu.com/LxcSecurity may be of interest.

-serge
Re: [Lxc-users] Broken pipe when ssh from host to container
Quoting Verdi March (cincaipat...@gmx.net):
> As additional info, the network configuration of the container is as follows:
>
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0

What does br0's config look like? Can you show us /etc/network/interfaces and the output of

brctl show
ip link
ip addr

> lxc.network.name = eth0
> lxc.network.mtu = 1500
> ...
> debug3: Wrote 32 bytes for a total of 2071
> debug3: Wrote -1 bytes for a total of 2071

uh, well, in my professional opinion, that there is gonna be your problem </joke> :)

-serge
Re: [Lxc-users] Broken pipe when ssh from host to container
Quoting Verdi March (cincaipat...@gmx.net):
> ...
> ifconfig br0 198.55.32.143 promisc up
> ...

That all looks fine... The fact that it works fine when logging in from another machine but fails from the host itself must be relevant, but how...

So your LAN is 198.55.32.X, and your containers are on 198.55.37.X... What does netstat -nr show you?

-serge
Re: [Lxc-users] lxc-destroy does not destroy cgroup
Quoting Arie Skliarouk (sklia...@gmail.com):
> I don't have the /cgroup directory mounted. Somehow, the directory is mounted automatically onto /sys/fs/cgroup:
>
> root@mf:~# df | grep cgroup
> cgroup 12368328 0 12368328 0% /sys/fs/cgroup
> root@mf:~# ls /sys/fs/cgroup/
> blkio cpu cpuacct cpuset devices freezer memory net_cls perf_event
>
> Each subdirectory of the above contains a directory per container with knobs that are specific to the resource:
>
> root@mf:~# ls /sys/fs/cgroup/cpu/dev
> cgroup.clone_children cgroup.procs cpu.rt_runtime_us notify_on_release
> cgroup.event_control cpu.rt_period_us cpu.shares tasks
> root@mf:~#
>
> Could well be this is because of the 3.0.0-12-server kernel. I don't see

No, userspace does the mounting. i.e. in ubuntu the cgroup-lite or cgroup-bin packages both do it.

> how I can rename a stuck cgroup easily in this situation. Any advice?

You can build an lxc with my patch (until Daniel has a chance to apply it), but in the meantime you can make a script 'move_cgroup.sh' along the lines of:

    #!/bin/sh
    if [ $# -lt 1 ]; then
        echo "Usage: $0 cgroup-name"
        echo "Moves the cgroup-name out of the way."
        exit 1
    fi
    g=$1
    # -u only generates a name; mktemp needs a run of X's to fill in
    t=`mktemp -u cg.XXXXXX`
    for d in /sys/fs/cgroup/*; do
        # a cgroup directory can be renamed within its hierarchy even while non-empty
        mv "$d/$g" "$d/$g.$t"
    done

Note that doesn't clean anything up, so if there are hung tasks those will still be around. A script to list details of each task in the hung cgroup would be pretty simple too, and useful - if you write one, you might send it here for inclusion in lxc!

> BTW, I once had /cgroup mounted from fstab like this:
>
> none /cgroup cgroup defaults 0 0
>
> It grouped all settings into per-container directory nicely, but the server failed to boot with that.

Yes, once early userspace has mounted the /sys/fs/cgroup/*, that fstab entry would cause trouble. But if you remove the package doing the cgroup mounting, you should be able to go back to using this fstab entry.

-serge
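The task-listing script suggested above, as an added example that is not part of the thread: it reads a cgroup's tasks file and prints each pid's state, parent and command name from /proc, and counts tasks in uninterruptible sleep (state D), which are the ones that keep a renamed cgroup from ever being removed. The function names are mine, the cgroup directory is passed as an argument, and the directory the demo builds at the bottom is constructed, not a real cgroup.

```sh
#!/bin/sh
# list_cgroup_tasks CGROUP_DIR
# Print one line per pid listed in CGROUP_DIR/tasks: pid, state, parent pid
# and command name, taken from /proc/<pid>/status. A task that exited
# between reading 'tasks' and reading /proc is shown as "(exited)".
list_cgroup_tasks() {
    cgdir=$1
    if [ ! -r "$cgdir/tasks" ]; then
        echo "no readable tasks file in $cgdir" >&2
        return 1
    fi
    while read -r pid; do
        [ -n "$pid" ] || continue
        if [ -r "/proc/$pid/status" ]; then
            # one awk pass pulls Name, State and PPid out of the status file
            awk -v pid="$pid" '
                /^Name:/  { name = $2 }
                /^State:/ { state = $2 }
                /^PPid:/  { ppid = $2 }
                END { printf "%s\t%s\t%s\t%s\n", pid, state, ppid, name }
            ' "/proc/$pid/status"
        else
            printf '%s\t?\t?\t(exited)\n' "$pid"
        fi
    done < "$cgdir/tasks"
}

# count_stuck_tasks CGROUP_DIR
# Print how many tasks in the cgroup are in state D (uninterruptible sleep).
# Such tasks ignore signals, so a non-zero count explains why the cgroup
# cannot be emptied and removed.
count_stuck_tasks() {
    list_cgroup_tasks "$1" | awk -F '\t' '$2 == "D" { n++ } END { print n + 0 }'
}

# Constructed demonstration: a fake cgroup directory whose tasks file
# lists this shell's own pid and one pid that cannot exist.
demo_dir=$(mktemp -d)
printf '%s\n99999999\n' "$$" > "$demo_dir/tasks"
echo "tasks in $demo_dir:"
list_cgroup_tasks "$demo_dir"
echo "stuck (state D) tasks: $(count_stuck_tasks "$demo_dir")"
rm -rf "$demo_dir"
```

On a real system the argument is a directory such as /sys/fs/cgroup/cpu/dev (or the renamed dev.cg.XXXXXX), and the same tasks file exists in every hierarchy the cgroup was created in.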
Re: [Lxc-users] Can not write log, openpty() failed
Quoting christian mueller (christian.muell...@gmx.de):
> Hi Serge,
> thanks for your reply and your work.
>
> > I assume you did '--path=/home/chm/lxc/myfirstcontainer/', not '-path=/home/chm/lxc/myfirstcontainer/'?
>
> yes, you are right.
>
> > Would you mind opening a bug on launchpad? Otherwise I'll do it.
>
> since i don't have a launchpad account, and you seem to have the better technical experience, maybe it's the better choice if you file the bug.
>
> > Can I ask why you specified '--path'?
>
> i wanted the LXC container to reside on my home partition, since i have plenty of space left there. By default lxc-create installed the container's rootfs somewhere in my rootfs where space is limited.

Ok. The --path to lxc-ubuntu is only meant to be used by lxc-create. I've removed it (in precise, not in oneiric which I think you're on) from the help list. I will add an option to lxc-create itself to specify where the rootfs should be stored. It'll look like

lxc-create -t ubuntu -n p1 -f lxc.conf -B dir --rootfs /home/chm/lxc/p1

For now, I recommend you do it the old fashioned way: either symlink or bind mount /home/chm/lxc to /var/lib/lxc:

rm -rf /var/lib/lxc
mkdir -p /home/chm/lxc
ln -s /home/chm/lxc /var/lib/lxc

Now just do

lxc-create -f lxc.conf -n p1 -t ubuntu

and the container will sit in your homedir.

-serge
Re: [Lxc-users] Can not write log, openpty() failed
Quoting christian mueller (christian.muell...@gmx.de):
> Hi Serge,
>
> > For now, I recommend you do it the old fashioned way: either symlink or bind mount /home/chm/lxc to /var/lib/lxc:
> >
> > rm -rf /var/lib/lxc
> > mkdir -p /home/chm/lxc
> > ln -s /home/chm/lxc /var/lib/lxc
> >
> > Now just do
> >
> > lxc-create -f lxc.conf -n p1 -t ubuntu
> >
> > and the container will sit in your homedir.
>
> this works - thank you.
>
> Question: How long does it usually take until you get your prompt after executing lxc-create? Here it takes several minutes - feels like it takes longer than booting on physical hardware.

It should be fast - a few seconds. If it takes longer, please file a bug with 'ubuntu-bug lxc'. Stephane suggested that when he has seen slow boots it's been due to dhcp, in particular (one time) due to virbr0 having stp on. We'll likely have to either find the problem in your network setup, or else switching to a static network setup should work around it regardless.

-serge
Re: [Lxc-users] host fstab, boot error at cgconfig ...
Quoting István Király - LaKing (d...@yahoo.com):
> Hi folks.
>
> I accidentally zero-ed out my original fstab generated by anaconda on my
> CentOS 6 box. After recreation it looks like this:
>
> UUID=5c4ef826-7786-43f7-8ebd-775f230e2e25 /        ext4   defaults       1 1
> UUID=c4a00fec-7931-4c4b-9cd3-906864bfadd3 /boot    ext4   defaults       1 2
> tmpfs                                     /dev/shm tmpfs  defaults       0 0
> devpts                                    /dev/pts devpts gid=5,mode=620 0 0
> sysfs                                     /sys     sysfs  defaults       0 0
> proc                                      /proc    proc   defaults       0 0
> none                                      /cgroup  cgroup defaults       0 0
>
> At boot-time, I get the error:
>
>   Entering non-interactive startup
>   Calling the system activity data collector (sadc):
>   Starting cgconfig service: Loading configuration file /etc/cgconfig.conf failed

My guess is cgconfig is trying to mount cgroups (one at a time, non-composed)
and that fails because your fstab has already mounted all cgroups together
under /cgroup. Try removing the last line in your regenerated fstab?

-serge
Re: [Lxc-users] Doesn't auditd work on an LXC instance?
On Thu, Jan 19, 2012 at 11:00 AM, David Kang dk...@isi.edu wrote:
> Hi,
>
> I'm trying to run auditd on an LXC instance. First of all, I cannot make
> kauditd start. And
>
>   $ service auditd start
>
> always fails. Does it mean auditd does not work on an LXC instance?
> I'll appreciate your help.

Sorry, meant to respond to this earlier.

Auditd won't work on an lxc instance, because you can't open that netlink
socket in a non-init network namespace.

-serge
Re: [Lxc-users] minimum fstab?
Quoting Gary Ballantyne (gary.ballant...@haulashore.com):
> Hello List
>
> Various templates have differing fstab definitions (at least for ubuntu).
> For example, [1] includes only /proc and /sys, [2] further adds /dev/pts,

You don't need devpts in there. Lxc sets that up itself regardless while
setting up the container. Besides that, you do not want to try mounting devpts
again. If you mount it without -o newinstance, the container will get the
host devpts instance. If you do with -o newinstance, then you get a new
instance separate from the one lxc has already set up.

> and [3] further adds /var/lock and /var/run.

That's actually somewhat clever. The container can't mount tmpfs on /var/run,
because it'll overmount the /var/run/utmp that the lxc monitor is watching to
distinguish reboot from shutdown. But the /var/lib/lxc/container/fstab is
processed before the utmp watch is set up. So (until about now) if you wanted
tmpfs on /var/run, this was the way to do it.

Fortunately, if you run bleeding edge (-mm) kernel and (github.com/hallyn/lxc)
lxc, you no longer need utmp watching at all. So you can let the distro in the
container mount {/var}/run however it wants.

> Could someone please explain the pros/cons of including more than /proc and
> /sysfs? (which I assume is the bare minimum)?

It comes down to the order you need things to happen in. For instance you
might want to arrange read-only bind mounts inside the container. Or perhaps
bind-mount lxc-init into the container before executing it. Finally, if you
want to run a container without cap_sys_admin, then it won't be able to mount
things through its $rootfs/etc/fstab, so you need to do it in
/var/lib/lxc/container/fstab which is done before privilege is dropped.

> Many thanks,
>
> Gary
>
> [1] https://github.com/hallyn/lxc/blob/master/templates/lxc-ubuntu.in
> [2] http://www.activestate.com/blog/2011/10/virtualization-ec2-cloud-using-lxc
> [3] https://github.com/dereks/lxc-ubuntu-x/blob/master/lxc-ubuntu-x/hooks.d/configure_fstab
Re: [Lxc-users] LXC from lxc.sf.net vs. Libvirt-lxc
Quoting Shweta Shinde (shwetasshind...@gmail.com):
> I tried out LXC sf.net for creating containers. It works well. According to
> following link, RHEL 6.2 will support LXC libvirt API.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.2_Technical_Notes/index.html
>
> It further says, Linux Containers are just a Technology Preview. Will RHEL
> provide libvirt lxc integrated with its future releases?

I think so, and it appears that they are integrating support for launching
jobs into containers into systemd (their new upcoming init system) directly.

> And, if I want to work with container for longterm using RHEL, will I need
> to shift to libvirt LXC? As of now, from where can I download the libvirt
> LXC.

It just ships with libvirt (http://libvirt.org).

-serge
[Lxc-users] notes on the /var/lib/lxc-becomes-readonly problem
During my testing I ran back into the issue of lxc-stop marking /var/lib/lxc
read-only. So here is the deal.

When a container shuts down, it tries to remount its / readonly. That doesn't
work if the mount is busy (i.e. a file is held open for write). If
/var/lib/lxc is on the same fs as '/', or if a second container is running,
you'll see

  mount: / is busy

on the console, and /var/lib/lxc won't be set to readonly. But if you create a
new fs and mount it onto /var/lib/lxc, and start only a single container
there, then /var/lib/lxc is marked readonly after shutdown (and the '/ is
busy' message doesn't show up).

Now as Dave has several times helped us to remember, this happens because

  mount --bind -o remount,ro /

sets the mount's readonly flag, but

  mount -o remount,ro /

sets the superblock's readonly flag. And there is only one sb for all the
bind mounts.

This gets particularly nasty when you develop dreams of using btrfs snapshots
for containers. Because all the subvolumes will share a sb.

So - a workaround, for now, is to have /etc/init.d/lxc on the host make sure
that a file under /var/lib/lxc is always held open :)

A proper fix is possible though. Thanks again to Dave for thinking of it. In
the kernel source, at fs/namespace.c:do_remount(), there is:

	if (flags & MS_BIND)
		err = change_mount_flags(path->mnt, flags);
	else
		err = do_remount_sb(sb, flags, data, 0);

I think it would be conceptually clean to do something like:

	if (flags & MS_BIND || devcgroup_write_allowed(sb))
		err = change_mount_flags(path->mnt, flags);
	else
		err = do_remount_sb(sb, flags, data, 0);

where devcgroup_write_allowed() would be much like
security/device_cgroup:__devcgroup_inode_permission(), but using the
sb->s_dev. The idea would be, the devices cgroup isn't letting you mount that
major:minor, so why would you be able to change an existing mount?

If someone cares to work on the proper kernel patch, please send an email to
make sure there's no duplicate effort. I don't expect to do it this week
though.

-serge
Re: [Lxc-users] Container start unmounts shared bind mounts
Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> Serge Hallyn (2012-02-09 19:30:29 +0100) wrote:
> > Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> > > Hi all. I'm running Debian's LXC 0.7.5 under Linux 3.2.0. I've set up a
> > > shared mountpoint to dynamically export some host directories into one
> > > container, like this::
> > >
> > >   # mkdir -p /lxc-shared
> > >   # mount --bind /lxc-shared /lxc-shared
> > >   # mount --make-unbindable /lxc-shared
> > >   # mount --make-shared /lxc-shared
> >
> > (I should think more before answering, but ...)
> >
> > What if you do 'mount --make-rslave /lxc-shared' here? That should
> > prevent the container's mount actions from being forwarded to the host.
>
> Thanks for the suggestion! That does prevent a starting container from
> unmounting bind mounts under /lxc-shared in the host, *however* it also
> renders (un)mounts performed after the --make-rslave invisible to any
> container which had access to the directory. E.g. imagine myvm has a

Right, this was a quick test. What you actually want to do is leave the mount
shared on the host, and have the container startup turn it into a slave
mount. I'm not sure offhand what would be the best time to do this, but one
thing you could do is use a wrapper around lxc-start like:

mv /usr/bin/lxc-start /usr/bin/lxc-start.real
cat > /usr/bin/lxc-start.mid << 'EOF'
mount --make-unbindable /lxc-shared
mount --make-shared /lxc-shared
exec /usr/bin/lxc-start.real "$@"
EOF
cat > /usr/bin/lxc-start << 'EOF'
lxc-unshare -s MOUNT -- /usr/bin/lxc-start.mid "$@"
EOF
chmod ugo+x /usr/bin/lxc-start{,.mid}

You can probably do this through /var/lib/lxc/container/fstab entries, but it
would take some tweaking. We could also add support for this in the lxc
config files. I think it's a common enough request that it'd be worth doing.

> /shared directory and this config line::
>
>   lxc.mount.entry = /lxc-shared/myvm/ /var/lib/lxc/debtest/rootfs/shared/ none defaults,bind 0 0
>
> Then::
>
>   host# mkdir -p /lxc-shared
>   host# mount --bind /lxc-shared /lxc-shared
>   host# mount --make-shared /lxc-shared
>   host# lxc-start -n myvm -d                     # myvm sees /lxc-shared/myvm at /shared
>   host# mkdir -p /lxc-shared/myvm/foo
>   host# mount --bind /tmp /lxc-shared/myvm/foo   # myvm sees mounted /shared/foo
>   host# mount --make-rslave /lxc-shared          # myvm still sees mounted /shared/foo
>   host# lxc-start -n myothervm -d                # myvm still sees mounted /shared/foo
>   host# mkdir -p /lxc-shared/myvm/bar
>   host# mount --bind /tmp /lxc-shared/myvm/bar   # myvm sees /shared/bar but nothing mounted on it!
>
> A workaround I found is bind mounting the desired directory *in the
> container* (which requires not dropping the sys_admin capability)::
>
>   host# mkdir -p /lxc-shared
>   host# mount --bind /lxc-shared /lxc-shared
>   host# mount --make-shared /lxc-shared
>   host# lxc-start -n myvm -d                     # myvm sees /lxc-shared/myvm at /shared
>   host# mkdir -p /lxc-shared/myvm/foo
>   host# mount --bind /tmp /lxc-shared/myvm/foo   # myvm sees mounted /shared/foo
>   myvm# mount --bind /shared/foo /mnt/foo
>   host# lxc-start -n myothervm -d                # host's /lxc-shared/myvm/foo gets unmounted
>                                                  # myvm sees /shared/foo but nothing mounted on it
>                                                  # myvm still sees mounted /mnt/foo
>   host# mkdir -p /lxc-shared/myvm/bar
>   host# mount --bind /tmp /lxc-shared/myvm/bar   # myvm sees mounted /shared/bar
>   myvm# mount --bind /shared/bar /mnt/bar        # and so on...
>
> However, the question still remains: *Why on Earth does starting a
> container unmount all bind mounts under a shared mount???* Doesn't it look
> like a bug to you?

No, when a container starts up, it mounts its new root under, say,
/usr/lib/lxc/, and mounts other directories under there. Then it does
pivot_root (see man 8 pivot_root), so now /usr/lib/lxc is its '/', and the
old '/' and all its submounts are now mounted on '/old'. Then the container
startup recursively unmounts /old, including /old/lxc-shared. That umount of
/old/lxc-shared is what is getting propagated to the host mount.

-serge

> Thanks cheers!
>
> > > Now I bind mount the host directory under the shared directory::
> > >
> > >   # mkdir -p /lxc-shared/myvm/foo
> > >   # mount --bind /tmp /lxc-shared/myvm/foo
> > >
> > > The problem is that whenever I start any container, /lxc-shared/myvm/foo
> > > gets unmounted (even if it has processes working under it!). This
> > > affects bind mounts only if they are under shared mountpoints, e.g. if I
> > > also do this mount on the host::
> > >
> > >   # mount --bind /tmp /mnt
> > >
> > > It survives after starting the container.
> > >
> > > Does anyone know why does this happen? Should I file a bug report?
> > >
> > > Thanks a lot!
> > >
> > > --
> > > Ivan Vilata i Balaguer -- https://elvil.net/
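Two threads above turn on distinctions that are only visible in /proc/self/mountinfo: the "/var/lib/lxc becomes read-only" notes hinge on a mount being read-only at the vfsmount level versus at the superblock level, and the /lxc-shared thread hinges on which host mounts are in a shared peer group and therefore receive the unmount propagated from a starting container's pivot_root cleanup. The following Python is an added example, not code from this list or from lxc; it parses the mountinfo format and reports both properties for each mount, over a constructed sample that mirrors the two situations described.

```python
"""Classify mounts from /proc/self/mountinfo: read-only at the mount level vs.
at the superblock level, and propagation (shared/slave/private). Added
example, not from this thread or lxc; SAMPLE_MOUNTINFO is constructed."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constructed host view: a container on a dedicated /var/lib/lxc fs has shut
# down and its 'mount -o remount,ro /' flipped the superblock ro although the
# host's own mount entry still says rw; /srv/rootro is a bind of / made ro at
# the mount level only; /lxc-shared is the shared tree, /mnt a private bind.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
44 21 8:2 / /var/lib/lxc rw,relatime - ext4 /dev/sda2 ro
60 21 8:1 / /srv/rootro ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
65 21 0:21 / /mnt rw,nosuid,nodev - tmpfs tmpfs rw
75 21 8:1 /lxc-shared /lxc-shared rw,relatime shared:30 - ext4 /dev/sda1 rw,errors=remount-ro
80 75 0:21 / /lxc-shared/myvm/foo rw,nosuid,nodev shared:31 - tmpfs tmpfs rw
"""
_OCTAL = re.compile(r"\\([0-7]{3})")  # space/tab/newline/backslash escapes

def _unescape(field: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

@dataclass
class Mount:
    dev: str                # major:minor of the device behind the superblock
    mount_point: str
    mount_opts: List[str]   # per-mount flags: what 'mount --bind -o remount,ro' sets
    optional: List[str]     # propagation tags: shared:N, master:N, unbindable
    super_opts: List[str]   # superblock flags: what 'mount -o remount,ro' sets

    def readonly_state(self) -> str:
        if "ro" in self.mount_opts and "ro" in self.super_opts:
            return "ro:mount+superblock"
        if "ro" in self.mount_opts:
            return "ro:mount-only"        # other mounts of this sb stay writable
        if "ro" in self.super_opts:
            return "ro:superblock-only"   # another mount of this sb remounted it
        return "rw"

    def propagation(self) -> str:
        if "unbindable" in self.optional:
            return "unbindable"
        parts = []
        for tag in self.optional:
            kind, _, group = tag.partition(":")
            if kind == "shared":
                parts.append(f"shared (peer group {group})")
            elif kind == "master":
                parts.append(f"slave of peer group {group}")
        return ", ".join(parts) if parts else "private"

def parse_mountinfo(text: str) -> List[Mount]:
    mounts: List[Mount] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Spaces inside paths are escaped, so the lone " - " separator is safe.
        head, sep, tail = line.partition(" - ")
        f, t = head.split(), tail.split()
        if not sep or len(f) < 6 or len(t) < 3:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mounts.append(Mount(f[2], _unescape(f[4]), f[5].split(","), f[6:],
                            t[2].split(",")))
    return mounts

def superblock_siblings(mounts: List[Mount], m: Mount) -> List[str]:
    """Other mounts on the same device, i.e. sharing m's superblock and its ro
    flag. Caveat: btrfs subvolumes show distinct anonymous device numbers even
    though they share one superblock, so they are not grouped here."""
    return sorted(x.mount_point for x in mounts if x.dev == m.dev and x is not m)

def shared_mount_points(mounts: List[Mount]) -> List[str]:
    """Mounts in a shared peer group: a starting container copies the mount
    tree into its namespace, pivot_roots and recursively unmounts the old root,
    and only the unmounts of these copies propagate back to the host."""
    return [m.mount_point for m in mounts
            if any(o.startswith("shared:") for o in m.optional)]

def report(text: str) -> Dict[str, str]:
    mounts = parse_mountinfo(text)
    out: Dict[str, str] = {}
    for m in mounts:
        desc = f"{m.readonly_state()}; {m.propagation()}"
        if m.readonly_state() == "ro:superblock-only":
            sib = superblock_siblings(mounts, m) or ["none visible in this namespace"]
            desc += f"; superblock {m.dev} shared with: {', '.join(sib)}"
        out[m.mount_point] = desc
    return out

if __name__ == "__main__":
    # Pass a path such as /proc/self/mountinfo to inspect a live system.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTINFO
    for mp, desc in report(src).items():
        print(f"{mp:26} {desc}")
```

On a host where a container has just shut down, an entry reporting "ro:superblock-only" is the symptom Serge describes: nothing remounted that mount point itself, another mount of the same superblock did. Mounts listed by shared_mount_points() are the ones a container start can unmount from under you unless the container's copy is made a slave first.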
Re: [Lxc-users] Container start unmounts shared bind mounts
Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> Serge Hallyn (2012-02-10 16:05:19 +0100) wrote:
> > Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> > > Serge Hallyn (2012-02-09 19:30:29 +0100) wrote:
> > > > Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> > > > > Hi all. I'm running Debian's LXC 0.7.5 under Linux 3.2.0. I've set
> > > > > up a shared mountpoint to dynamically export some host directories
> > > > > into one container, like this::
> > > > >
> > > > >   # mkdir -p /lxc-shared
> > > > >   # mount --bind /lxc-shared /lxc-shared
> > > > >   # mount --make-unbindable /lxc-shared
> > > > >   # mount --make-shared /lxc-shared
> > > >
> > > > (I should think more before answering, but ...)
> > > >
> > > > What if you do 'mount --make-rslave /lxc-shared' here? That should
> > > > prevent the container's mount actions from being forwarded to the
> > > > host.
> > >
> > > Thanks for the suggestion! That does prevent a starting container from
> > > unmounting bind mounts under /lxc-shared in the host, *however* it also
> > > renders (un)mounts performed after the --make-rslave invisible to any
> > > container which had access to the directory. E.g. imagine myvm has a
> >
> > Right, this was a quick test. What you actually want to do is leave the
> > mount shared on the host, and have the container startup turn it into a
> > slave mount. I'm not sure offhand what would be the best time to do this,
> > but one thing you could do is use a wrapper around lxc-start like:
> >
> > mv /usr/bin/lxc-start /usr/bin/lxc-start.real
> > cat > /usr/bin/lxc-start.mid << 'EOF'
> > mount --make-unbindable /lxc-shared
> > mount --make-shared /lxc-shared

Oops, this isn't right. I think I just meant

cat > /usr/bin/lxc-start.mid << 'EOF'
mount --make-rslave /lxc-shared
exec /usr/bin/lxc-start.real "$@"
EOF

> > exec /usr/bin/lxc-start.real "$@"
> > EOF
> > cat > /usr/bin/lxc-start << 'EOF'
> > lxc-unshare -s MOUNT -- /usr/bin/lxc-start.mid "$@"
> > EOF
> > chmod ugo+x /usr/bin/lxc-start{,.mid}
> >
> > You can probably do this through /var/lib/lxc/container/fstab entries,
> > but it would take some tweaking. We could also add support for this in
> > the lxc config files. I think it's a common enough request that it'd be
> > worth doing.
>
> Well, I'm actually trying on the host to mount and unmount file systems I
> don't know beforehand *while myvm is running* under subdirectories in
> /lxc-shared,

You've lost me here (I don't understand what you're saying), but

> but running myvm through the scripts you suggest creates a new namespace so
> that myvm no longer sees mounts done by the host.

Note that you're still supposed to do

  mount --bind /lxc-shared /lxc-shared
  mount --make-shared /lxc-shared

at host boot. Then creating a new namespace shouldn't stop myvm from seeing
new mounts done by the host. The reason I was creating that new namespace was
so that the mount --make-rslave wouldn't happen in the host's namespace.

But in any case, like I say I think it'd be worth adding explicit support
through the config file for this.

thanks,
-serge
Re: [Lxc-users] Container start unmounts shared bind mounts
Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> Serge Hallyn (2012-02-11 00:08:10 +0100) wrote:
> > Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> > > Serge Hallyn (2012-02-10 16:05:19 +0100) wrote:
> > > > mv /usr/bin/lxc-start /usr/bin/lxc-start.real
> > > > cat > /usr/bin/lxc-start.mid << 'EOF'
> > > > mount --make-unbindable /lxc-shared
> > > > mount --make-shared /lxc-shared
> >
> > Oops, this isn't right. I think I just meant
> >
> > cat > /usr/bin/lxc-start.mid << 'EOF'
> > mount --make-rslave /lxc-shared
> > exec /usr/bin/lxc-start.real "$@"
> > EOF
> >
> > > > exec /usr/bin/lxc-start.real "$@"
> > > > EOF
> > > > cat > /usr/bin/lxc-start << 'EOF'
> > > > lxc-unshare -s MOUNT -- /usr/bin/lxc-start.mid "$@"
> > > > EOF
> > > > chmod ugo+x /usr/bin/lxc-start{,.mid}
>
> Yup, the new one did work! :)
>
> > > Well, I'm actually trying on the host to mount and unmount file systems
> > > I don't know beforehand *while myvm is running* under subdirectories in
> > > /lxc-shared,
> >
> > You've lost me here (I don't understand what you're saying), but
>
> Sorry, tried to stuff too much into too few words. :D What I want to do is
> set up a shared directory /lxc-shared in the host, which will appear as
> /shared in myvm. While myvm is running, I'll be binding host directories to
> /lxc-shared/foo, /lxc-shared/bar and other subdirs I don't know beforehand
> so that they become visible as /shared/foo, /shared/bar etc. at myvm. I
> don't need other containers to access /lxc-shared (and of course I don't
> want them to accidentally unmount things from it when starting).
>
> > > but running myvm through the scripts you suggest creates a new
> > > namespace so that myvm no longer sees mounts done by the host.
> >
> > Note that you're still supposed to do
> >
> >   mount --bind /lxc-shared /lxc-shared
> >   mount --make-shared /lxc-shared
> >
> > at host boot. Then creating a new namespace shouldn't stop myvm from
> > seeing new mounts done by the host. The reason I was creating that new
> > namespace was so that the mount --make-rslave wouldn't happen in the
> > host's namespace.
>
> Yes, I was already doing that before starting myvm. Indeed, your fix above
> made the sharing work as expected.
>
> > But in any case, like I say I think it'd be worth adding explicit support
> > through the config file for this.
>
> Running the containers through your scripts does the trick, but having an
> option in myvm's config file to make the host's /lxc-shared directory
> shared only for this container (so that other containers don't need to go
> through lxc-unshare --make-rslave) would be great. Does that fit the
> behaviour of the new config entries you suggest?

I think so. I've put it down on the list of things to consider for next
cycle.

> Anyway, thanks a lot for your help!

My pleasure. It's a good feature to have.

-serge
Re: [Lxc-users] fedora 16 under lxc
Quoting Ramez Hanna (rha...@informatiq.org):
> On Mon, Feb 13, 2012 at 10:34 PM, Ramez Hanna rha...@informatiq.org wrote:
> > hei
> > I have been able to get some form of f16 under lxc running but some
> > quirks
> > so steps (until I make a patch or a new script)
> > use the current lxc-fedora to create a container
> > chroot into the rootfs
> >
> >   unlink /etc/systemd/system/default.target
> >   ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> >   touch /etc/fstab
> >
> > now that should in theory work
> > my setup is a KVM guest with lxc installed
> > I'm using VM-manager so I get to see the ttys while I start the container
> > from ssh
> > in fedora the tty1 is empty
> > I make sure I have tty1 visible
> > start the container from an ssh session using the -d flag
> > looking at the tty1 of the VM I can see the console log from the lxc
> > container
> > so 1st quirk: I only get the container output on tty1 of the host (kvm
> > guest) and not from the lxc-console
> > lxc-console is blank
> > when I installed ssh inside the container I was able to access it and use
> > it nicely
> > only had 2 services failing
> >   systemd-kmsg-syslogd.service
> >   plymouth-start.service
> > any hints on how does lxc-console work to help me figure it out
> > also agetty on tty* keeps restarting (maybe that's why no lxc-console)
> > anyone interested in trying it out?
> >
> > --
> > BR
> > RH
> > http://informatiq.org
>
> now all my efforts have not succeeded to get getty on tty1 to start
> unmasking udev did something different
> it created all the /dev devices and made getty start
> but it started on the host's tty not on the container's
> could someone shed some light here?

Blind guess: lxc-start creates some ptys and bind mounts them onto the
guest's /dev/{console,tty{1,2,3,4}}. It sounds like fedora's init is mounting
over the /dev set up by lxc causing a new /dev/tty to be created as chardev
4:{1-4}.

Devices namespaces would help this. We're hoping to discuss design for those
at next UDS, but those will come after user namespaces. In the mean time,
you'll need to make sure that the guest does not mount over /dev, and does
not remount /dev/pts.

-serge
Re: [Lxc-users] lxc-console and indents
Quoting Whit Blauvelt (w...@transpect.com):
> Hi,
>
> Running 0.7.5 compiled and running on Debian Squeeze, with a Debian Squeeze
> container, when I use lxc-console and view a configuration file for a
> daemon which uses indents as part of its syntax, the file is displayed with
> each line at the left margin, without the five spaces in the indents. If I
> ssh into the same container and look at the same file, it displays
> correctly. This makes lxc-console useless when editing files where the
> indents are syntactic rather than just decorative. Odd problem.

Interesting. I don't have this problem, with either debian or ubuntu
containers (on ubuntu). Maybe something to do with your terminal? shrug

-serge
Re: [Lxc-users] how to use system container
Quoting allen (allen303al...@gmail.com):
> HI ALL:
>
> My aim is to run a Graphical application in a container, then a user
> connects to the container with a GUI interface, so that he can see and
> operate the application. As I want to separate all resources, I think I'll
> need a system container. Now I already use
>
>   lxc-create -n maverick-lxc-template -t maverick -f /tmp/maverick-template-network.conf
>
> to create an Ubuntu template, start it and use lxc-console to get a console
> of it. Now my question is:
>
> 1. If I want to run an application, do I have to install it in the system
> container first?

no.

> 2. How can I connect to the container with a GUI interface?

It depends on how you've set up the container's network and where the guest
will connect from. If your container were using a veth connected to
libvirt's virbr0, and the application is available on port , then your guest
could simply

  ssh -L :container_ip_addr:

and then connect to port on his local host. For instance, if you were
opening up vnc on :1 in the container, the container is 192.168.122.89, and
your host is 10.0.1.1, then he would do

  ssh -L 5951:192.168.122.89:5901 10.0.1.1

and then

  vncviewer :51

You can also put the container straight onto your local network, but the
above works with how container creation is usually shown.

-serge
Re: [Lxc-users] how to use system container
Quoting allen (allen303al...@gmail.com):
> 2012/2/20 Serge Hallyn serge.hal...@canonical.com:
> > Quoting allen (allen303al...@gmail.com):
> > > HI ALL:
> > > My aim is to run a Graphical application in a container, then a user
> > > connects to the container with a GUI interface, so that he can see and
> > > operate the application. As I want to separate all resources, I think
> > > I'll need a system container. Now I already use
> > >
> > >   lxc-create -n maverick-lxc-template -t maverick -f /tmp/maverick-template-network.conf
> > >
> > > to create an Ubuntu template, start it and use lxc-console to get a
> > > console of it. Now my question is:
> > > 1. If I want to run an application, do I have to install it in the
> > > system container first?
> >
> > no.
>
> Then how can I run that application, could you show me some examples? I
> mean, in a system container.

I'm sorry, I had misread this as asking whether you need to install it on the
system (i.e. the host). Now, you *can* get around installing the application
in the container by binding in the binaries and libraries from the host, but
I would recommend installing the application in the container, yes.

> > > 2. How can I connect to the container with a GUI interface?
> >
> > It depends on how you've set up the container's network and where the
> > guest will connect from. If your container were using a veth connected to
> > libvirt's virbr0, and the application is available on port , then your
> > guest could simply
> >
> >   ssh -L :container_ip_addr:
> >
> > and then connect to port on his local host. For instance, if you were
> > opening up vnc on :1 in the container, the container is
>
> Does this mean I have to start vncserver in my system container?

yes

> Then I have some troubles on that, my template is a minimum system, the
> lack of a lot of library files makes the job difficult. Do I need a more
> powerful template? How can I get that?

I don't know what you've started with. Treat it the same way as installing
the application on the container's distribution if it were on the host...
yum for fedora, apt-get for debian/ubuntu, or git clone/configure/make if you
did it from scratch, etc.

-serge
Re: [Lxc-users] version 0.8.0 coming soon
Quoting Papp Tamas (tom...@martos.bme.hu):
> On 02/28/2012 01:20 AM, Serge Hallyn wrote:
> > Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> > > Hi all,
> > >
> > > I will release a 0.8.0-rc1. I am looking for volunteer to test it :)
> >
> > Worked fine for me. Tested create and clone of ubuntu, ubuntu and
> > ubuntu-cloud images, with dir and lvm backing stores. (And a run of
> > lp:~serge-hallyn/+junk/lxc-test)
> >
> > Note, because upstream kernel didn't much care about the 'mount -o
> > remount,ro /' problem, I'm going to patch lxc to pin open a
> > '${rootfs}.hold' file, as long as the container is running. That will
> > prevent the underlying fs from being remounted ro. (see
> > https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/942325 for details).
> > That'll buy us some time to find a better solution in the kernel.
>
> Why can a container change mount options outside of its rootfs?
> Sorry for the stupid question:)

It's not a stupid question at all.

The container isn't changing mount options outside of its rootfs. There are
two places an fs can be marked readonly - in the mount itself, and in the
superblock. When you make a bind mount, you are creating more mounts
(vfsmounts) using the same superblock. If you do

  mount --bind / /    # not needed in container bc it's already been done
  mount --bind -o remount,ro /

then you are setting the readonly flag on the mount itself. If you just do

  mount -o remount,ro /

then you are setting the readonly flag on the superblock, which will force
all other mounts of that superblock to also be readonly.

Right now there is no way to prevent a container from doing that. I sent a
patch to make the devices cgroup be consulted on that, so that it could
return -EPERM. That was refused. The two other options I'm considering (and
it wouldn't hurt to have both) are

1. to pass the remount flags to the LSM (selinux or apparmor or smack) so
   that it can deny permission. Right now it can't do that (except for
   all-or-nothing check on remount).

And

2. to make it so that after doing

     mount --bind / /
     mount --bind -o remount,ro /
     mount --bind -o remount,rw /

   any subsequent

     mount -o remount,rw /

   would be refused (or automatically done only at the mount level).

I don't think that should be hard to do at fs/namespace.c:do_remount().

-serge
Re: [Lxc-users] version 0.8.0 coming soon
Quoting Papp Tamas (tom...@martos.bme.hu): On 02/28/2012 04:13 PM, Serge Hallyn wrote: Quoting Papp Tamas (tom...@martos.bme.hu): On 02/28/2012 01:20 AM, Serge Hallyn wrote: Quoting Daniel Lezcano (daniel.lezc...@free.fr): Hi all, I will release a 0.8.0-rc1. I am looking for volunteer to test it :) Worked fine for me. Tested create and clone of ubuntu, ubuntu and ubuntu-cloud images, with dir and lvm backing stores. (And a run of lp:~serge-hallyn/+junk/lxc-test) Note, because upstream kernel didn't much care about the 'mount -o remount,ro /' problem, I'm going to patch lxc to pin open a '${rootfs}.hold' file, as long as the container is running. That will prevent the underlying fs from being remounted ro. (see https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/942325 for details). That'll buy us some time to find a better solution in the kernel. Why can a container change mount options outside of its rootfs? Sorry for the stupid question:) It's not a stupid question at all. The container isn't changing mount options outside of its rootfs. THere are two places an fs can be marked readonly - in the mount itself, and in the superblock. When you make a bind mount, you are creating more mounts (vfsmounts) using the same superblcok. If you do mount --bind / / # not needed in container bc it's already been done mount --bind -o remount,ro / then you are setting the reasonly flag on the mount itself. If you just do mount -o remount,ro / then you are setting the reasonly flag on the superblock, which will force all other mounts of that superblcok to also be readonly. Right now there is no way to prevent a container from doing that. I sent a patch to make the devices cgroup be consulted on that, so that it could reteurn -EPERM. That was refused. The two other options I'm considering (and it wouldn't hurt ot have both) are 1. to pass the remoutn flags to the LSM (selinux or apparmor or smack) so that it can deny permission. 
Right now it can't do that (except for all-or-nothing check on remount). And 2. to make it so that after doing

    mount --bind / /
    mount --bind -o remount,ro /
    mount --bind -o remount,rw /

any subsequent mount -o remount,rw / would be refused (or automatically done only at the mount level). I don't think that should be hard to do at fs/namespace.c:do_remount().

This may be too much for my brain:) Anyway, could you make a deb package from it?

I've got it working for an ubuntu package, though we're in freeze right now. I intend to push the patch to my github tree tomorrow, and I've pushed the package to ppa:serge-hallyn/virt (version 0.7.5-3ubuntu31, should build in a few hours). Meanwhile here is the actual patch for now. Tests fine for me.

Subject: lxc-start: if rootfs is a dir, pin the fs Otherwise the container can remount the shared underlying fs readonly. Index: lxc-dnsmasq/src/lxc/conf.c === --- lxc-dnsmasq.orig/src/lxc/conf.c 2012-02-28 19:13:01.40096 + +++ lxc-dnsmasq/src/lxc/conf.c 2012-02-28 20:05:45.538144907 + 
@@ -445,6 +445,51 @@ return mount_unknow_fs(rootfs, target, 0); } +/* + * pin_rootfs + * if rootfs is a directory, then open ${rootfs}.hold for writing for the + * duration of the container run, to prevent the container from marking the + * underlying fs readonly on shutdown. + * return -1 on error. + * return -2 if nothing needed to be pinned. + * return an open fd (=0) if we pinned it. + */ +int pin_rootfs(const char *rootfs) +{ + char absrootfs[MAXPATHLEN]; + char absrootfspin[MAXPATHLEN]; + struct stat s; + int ret, fd; + + if (!realpath(rootfs, absrootfs)) { + SYSERROR(failed to get real path for '%s', rootfs); + return -1; + } + + if (access(absrootfs, F_OK)) { + SYSERROR('%s' is not accessible, absrootfs); + return -1; + } + + if (stat(absrootfs, s)) { + SYSERROR(failed to stat '%s', absrootfs); + return -1; + } + + if (!__S_ISTYPE(s.st_mode, S_IFDIR)) + return -2; + + ret = snprintf(absrootfspin, MAXPATHLEN, %s%s, absrootfs, .hold); + if (ret = MAXPATHLEN) { + SYSERROR(pathname too long for rootfs hold file); + return -1; + } + + fd = open(absrootfspin, O_CREAT | O_RDWR, S_IWUSR|S_IRUSR); + INFO(opened %s as fd %d\n, absrootfspin, fd); + return fd; +} + static int mount_rootfs(const char *rootfs, const char *target) { char absrootfs[MAXPATHLEN]; Index: lxc-dnsmasq/src/lxc/conf.h === --- lxc-dnsmasq.orig/src/lxc/conf.h 2012-02-28 19:13:01.40096 + +++ lxc-dnsmasq/src/lxc/conf.h 2012-02-28 19:13:01.40096 + @@ -218,6 +218,8
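Review bot: in the conf.c hunk, pin_rootfs() returns the result of open() unchecked: on failure fd is -1, which the caller happens to read as the error code, but the INFO line then logs "opened ... as fd -1" and no SYSERROR records why the pin failed; test `if (fd < 0)` and log with SYSERROR before returning. The open flags also lack O_CLOEXEC (and O_NOFOLLOW), so the hold file's descriptor is inherited across the exec of the container's init unless the caller closes it explicitly, and a symlink placed at ${rootfs}.hold would be followed on create; `open(absrootfspin, O_CREAT | O_RDWR | O_CLOEXEC | O_NOFOLLOW, S_IWUSR|S_IRUSR)` closes both gaps.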
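Serge's point in the exchange above (a read-only flag can live on the vfsmount or on the superblock, and a superblock remount drags every bind mount of that fs with it) can be audited from userspace in /proc/self/mountinfo, where per-mount options are field 6 and superblock options follow the " - " separator. This is an added example, not lxc code and not from anyone on this thread; the mountinfo lines in SAMPLE are constructed.

```python
"""Tell a per-mount read-only flag from a superblock-level one by parsing
/proc/self/mountinfo. Added example, not lxc code; SAMPLE is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

_OCTAL = re.compile(r"\\([0-7]{3})")  # mountinfo escapes space etc. as \ooo

def _unescape(field):
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

@dataclass(frozen=True)
class Mount:
    dev: str               # major:minor, identifies the shared superblock
    mount_point: str
    mount_opts: frozenset  # field 6: flags on this vfsmount only
    super_opts: frozenset  # after " - ": flags on the superblock

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")  # optional fields end at " - "
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        f, g = pre.split(), post.split()
        mounts.append(Mount(f[2], _unescape(f[4]), frozenset(f[5].split(",")),
                            frozenset(g[2].split(","))))
    return mounts

def ro_kind(m):
    """'superblock' if the fs itself is ro (mount -o remount,ro /), 'mount' if
    only this vfsmount is ro (mount --bind -o remount,ro /), else 'rw'."""
    if "ro" in m.super_opts:
        return "superblock"
    return "mount" if "ro" in m.mount_opts else "rw"

def superblock_ro_victims(mounts):
    """Map each read-only superblock to every mount point sharing it: what a
    single superblock remount from inside one container took with it."""
    by_dev = defaultdict(list)
    for m in mounts:
        by_dev[m.dev].append(m)
    return {dev: sorted(m.mount_point for m in ms) for dev, ms in by_dev.items()
            if any("ro" in m.super_opts for m in ms)}

# Constructed: host / and a container rootfs bind-mounted from the same ext4
# superblock 8:1 after the container ran 'mount -o remount,ro /'; the third
# line is a different fs made read-only at the mount level only.
SAMPLE = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 ro,errors=remount-ro
40 21 8:1 /var/lib/lxc/p1/rootfs /var/lib/lxc/p1/rootfs rw,relatime - ext4 /dev/sda1 ro,errors=remount-ro
41 21 8:2 / /srv/ro\\040data ro,relatime - ext4 /dev/sda2 rw
"""

if __name__ == "__main__":
    for m in parse_mountinfo(SAMPLE):
        print(m.mount_point, ro_kind(m))
    print(superblock_ro_victims(parse_mountinfo(SAMPLE)))
```

Run against a live host, feed it `open("/proc/self/mountinfo").read()`: a host / reported as "superblock" while its own field-6 options say rw is the signature of the problem the pin is meant to prevent.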
Re: [Lxc-users] nilfs
Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de): On Fri 2012-03-02 (09:02), Daniel Baumann wrote:

i'm not claiming btrfs is there yet, however, if you're using btrfs, you should at least make sure to use something remotely up2date, say 3.2.x.

SLES11 SP2 was released this week with a 3.0 kernel and comes with btrfs. Same b(*CENSORED*)t as always from SuSE. What they label as Enterprise is Testing on Debian.

Some people have been testing btrfs on 3.1/3.2 kernels (in ubuntu precise) with good results.

-serge
Re: [Lxc-users] adding a default gateway inside a container as a non root user
Quoting Daniel Lezcano (daniel.lezc...@free.fr): On 03/02/2012 11:18 AM, Arun M wrote:

With the 0.8.0 version, you will be able to setup the gateway directly from the configuration file.

Cool. I wanted to try this so tested with the latest code from repository. However hit another issue now.

    $ lxc-execute -n alpha -f n1.conf -l DEBUG -o log -- /bin/busybox ash
    lxc-execute: No such file or directory - failed to rename cgroup /cgroup//lxc/3784-/cgroup//lxc/alpha
    ...
    lxc-execute 1331137335.969 INFO lxc_cgroup - [1] found cgroup mounted at '/cgroup',opts='rw,relatime,blkio,net_cls,freezer,devices,memory,cpuacct,cpu,ns,cpuset'
    lxc-execute 1331137335.969 DEBUGlxc_cgroup - get_init_cgroup: found init cgroup for subsys (null) at /
    lxc-execute 1331137335.969 DEBUGlxc_cgroup - cgroup /cgroup has flags 0x1
    lxc-execute 1331137335.969 WARN lxc_cgroup - using deprecated ns_cgroup
    lxc-execute 1331137335.969 ERRORlxc_cgroup - No such file or directory - failed to rename cgroup /cgroup//lxc/3840-/cgroup//lxc/alpha
    $ file /cgroup/3840
    /cgroup/3840: directory
    $ file /cgroup/lxc/3840
    /cgroup/lxc/3840: cannot open `/cgroup/lxc/3840' (No such file or directory)

It appears that lxc-execute is trying to look for a dir under /cgroup/lxc while it's actually present under /cgroup.

I guess we should add the 'lxc' path to the cgroup in case of the ns_cgroup because the creation is handled by the kernel. Serge ?

Drat, yes.

-serge
Re: [Lxc-users] adding a default gateway inside a container as a non root user
Quoting Bekir Dogan (beki...@gmail.com): Hi Daniel, On Thu, Mar 1, 2012 at 23:20, Daniel Lezcano daniel.lezc...@free.fr wrote: [...]

With the 0.8.0 version, you will be able to setup the gateway directly from the configuration file.

Can we see project plans or a todo list or something like these which tells us about the future features that should come in next releases? I can't find something like this in a TODO file, open bug reports or a special page in sourceforge. Or do you suggest something to follow other than these? I'm about to start a project (https://github.com/bergerx/simplelxc#readme) for mainly laptop users to create and manage networking enabled test containers as simply as possible, which also sets up initial networking for both lxc containers and the host system. I would like to use networking as it should be and determine the project direction according to this, or I should be in a position to re-implement some parts. I've talked about implementing some ideas into the debian lxc package with Daniel Baumann, mainly about a simple creation scenario without asking anything other than container name.

Right now in ubuntu precise, it's

    lxc-create -t ubuntu -n p1
    lxc-start -n p1

or

    lxc-create -t ubuntu-cloud -n p1
    lxc-start -n p1

If you want to deploy a bunch of cloned images, you can

    lxc-create -t ubuntu -n plain -B lvm
    customize /dev/lxc/plain image if you like
    for i in `seq 1 20`; do
        lxc-clone -s -o plain -n p$i
    done

The only things different in Ubuntu are that a lxcbr0 bridge gets installed by default (*1), and the release has been tweaked a bit so no changes are needed to run in a container. The first can't really be done in lxc.git (because it's distro-dependent), and the second is of course independent of lxc.

-serge

(*1) and if you don't specify a configuration file at creation time, a default one using lxcbr0 is used.
Re: [Lxc-users] adding a default gateway inside a container as a non root user
Quoting Bekir Dogan (beki...@gmail.com): Hi; On Fri, Mar 2, 2012 at 19:27, Serge Hallyn serge.hal...@canonical.com wrote: [...]

Right now in ubuntu precise, it's

    lxc-create -t ubuntu -n p1
    lxc-start -n p1

[...] If you want to deploy a bunch of cloned images, you can

    lxc-create -t ubuntu -n plain -B lvm
    customize /dev/lxc/plain image if you like
    for i in `seq 1 20`; do
        lxc-clone -s -o plain -n p$i
    done

The only things different in Ubuntu are that a lxcbr0 bridge gets installed by default (*1), and the release has been tweaked a bit so no changes are needed to run in a container. The first can't really be done in lxc.git (because it's distro-dependent),

I've looked into the ubuntu precise lxc package, and then realised /etc/init/lxc-net.conf has a better implementation than what I've been trying to accomplish in simplelxc. I've been trying to distribute IP addresses for containers by myself; using dnsmasq seems sane, actually I don't understand why I've been trying to re-invent dhcp. This might be a distro-dependent solution but maybe other distros could implement the same concept and this would provide inter-distro consistency about default lxc networking. Daniel (Baumann), what do you think about implementing a similar solution into the debian package? It looks sensible, we can add a new init.d script like the one in ubuntu:precise:lxc:/etc/init/lxc-net.conf and prepare the host system there.

No, no. As soon as 0.8.0 comes out, I need to produce a reasonable debdiff from debian-ubuntu and propose it for merge into debian. Please don't put the onus on Daniel right now, it's my fault.

-serge
Re: [Lxc-users] * fix cached rootfs update * fix rootfs path * add handling of systemd (aka f15)
Quoting Ramez Hanna (rha...@informatiq.org): On Mon, Mar 5, 2012 at 10:28 PM, rha...@informatiq.org wrote: From: InformatiQ rha...@informatiq.org Signed-off-by: InformatiQ rha...@informatiq.org --- templates/lxc-fedora.in | 35 +++ 1 files changed, 27 insertions(+), 8 deletions(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index e7f42a6..3f50895 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -69,11 +69,6 @@ EOF 127.0.0.1 localhost $name EOF - sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit - sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit - chroot ${rootfs_path} chkconfig udev-post off - chroot ${rootfs_path} chkconfig network on - dev_path=${rootfs_path}/dev rm -rf $dev_path mkdir -p $dev_path @@ -99,6 +94,23 @@ EOF return 0 } +configure_fedora_init() +{ + sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit + sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit + chroot ${rootfs_path} chkconfig udev-post off + chroot ${rootfs_path} chkconfig network on +} + +configure_fedora_systemd() +{ + unlink ${rootfs_path}/etc/systemd/system/default.target + touch ${rootfs_path}/etc/fstab + chroot ${rootfs_path} ln -s /dev/null //etc/systemd/system/udev.service + chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + #dependency on a device unit fails it specially that we disabled udev + sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service +} download_fedora() { @@ -170,7 +182,8 @@ copy_fedora() update_fedora() { - chroot $cache/rootfs yum -y update + YUM=yum --installroot $cache/rootfs -y --nogpgcheck + $YUM update } install_fedora() @@ -353,7 +366,7 @@ if [ $(id -u) != 0 ]; then fi -rootfs_path=$path/$name/rootfs +rootfs_path=$path/rootfs config_path=$default_path/$name cache=$cache_base/$release 
@@ -362,7 +375,7 @@ revert() echo Interrupted, so cleaning up lxc-destroy -n $name # maybe was interrupted before copy config - rm -rf $path/$name + rm -rf $path rm -rf $default_path/$name echo exiting... exit 1 @@ -388,6 +401,12 @@ if [ $? -ne 0 ]; then exit 1 fi +type /bin/systemd /dev/null 21 +if [ $? -ne 0 ]; then + configure_fedora_init +else + configure_fedora_systemd +fi if [ ! -z $clean ]; then clean || exit 1 -- 1.7.7.6

The only problem about systemd not addressed by this script is that it does mount /dev, which stops getty from starting on tty1. So either make it start on any tty higher than what your host is using and allow that in your lxc cgroup conf, or mount the $rootfs/dev to a different block dev; that way systemd won't mount /dev.

Could the template create a 1M loopback file, /var/lib/lxc/container/dev.loopback, populated with /dev and mounted by a lxc.mount.entry?

-serge
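Review bot: in the @@ -99,6 +94,23 @@ hunk, configure_fedora_systemd edits the packaged unit in place with `sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service`, so the next yum update of the container restores the original and the getty dependency on a device unit comes back; a copy of getty@.service under ${rootfs_path}/etc/systemd/system/ carrying the edit survives updates. In the same function the udev mask target has a doubled slash, `ln -s /dev/null //etc/systemd/system/udev.service`, and `unlink ${rootfs_path}/etc/systemd/system/default.target` prints an error whenever the link is absent; `rm -f` (or `ln -sf` for the new link) is quieter and idempotent.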
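Review bot: `--nogpgcheck` in the new YUM variable of update_fedora (@@ -170,7 +182,8 @@) switches off package signature verification for every update pulled into the cached rootfs, and that cache is what every later container of this release is copied from, so one tampered mirror or proxy response becomes unsigned code in all of them. If the reason is that the installroot has no release key yet, import the key into it (the rootfs's own /etc/pki/rpm-gpg/ after install_fedora has run) rather than disabling the check.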
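Review bot: `rm -rf $path` in revert() (@@ -362,7 +375,7 @@) removes whatever directory was passed in as the container path, unquoted and without checking that $path is non-empty, so an interrupt during a run where $path is unset or mistyped turns the cleanup into `rm -rf` of the wrong tree. Guard it, e.g. `[ -n "$path" ] && [ "$path" != "/" ] && rm -rf "$path"`, consistent with the rootfs_path change in the earlier hunk that now relies on $path already containing the container name.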
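Review bot: `type /bin/systemd` in the @@ -388,6 +401,12 @@ hunk tests whether the host has systemd, but the choice between configure_fedora_init and configure_fedora_systemd has to follow the init system inside the container rootfs that was just installed; test for the binary under ${rootfs_path} (`[ -x ${rootfs_path}/bin/systemd ]`, or its location under the rootfs's /lib/systemd) instead, otherwise a systemd-based container built on a SysV host gets the chkconfig path and the reverse case gets the systemd edits applied to files that do not exist.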
Re: [Lxc-users] * fix cached rootfs update * fix rootfs path * add handling of systemd (aka f15)
Yes, I think ideally you'd have a single /var/lib/lxc/fedora-devs mounted from a single loopback or block device, with each container having a /var/lib/lxc/fedora-devs/containername directory, populated, for its dev, bind-mounted in through lxc.mount.entry.

-serge

Quoting rha...@informatiq.org (rha...@informatiq.org): i can do that but i didn't do it because it could be done differently for different backing storage. I'll do it anyway and send patch later

-- Sent from my Nokia N9