Re: [systemd-devel] Fedora 21 and systemd-nspawn
On Jun 15, 2015, at 18:15, Chris Morgan chmor...@gmail.com wrote:

> But yeah, was wondering if there were known users of nspawn containers that discussed their use cases.

I'm starting to use it for testing of installation and upgrades of various web apps on UBOS [1] using webapptest [2]. This means spinning up, installing a few things, running curl from the host, and then shutting down lots of containers in a short amount of time. So far, I have been using VirtualBox, which takes a looong time and only works on x86, but I'd also like to test on various little ARM devices.

Currently, the jury is still out whether nspawn is currently reliable enough to migrate most of our automated tests to it. Most of my posts to this list in the past month have come from trying to figure that out / make it work.

Cheers,

Johannes.

[1] http://ubos.net/
[2] http://ubos.net/docs/developers/app-test.html#alternate-scaffolds

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Fedora 21 and systemd-nspawn
On Mon, 2015-06-15 at 21:15 -0400, Chris Morgan wrote:
> On Monday, June 15, 2015, Lennart Poettering lenn...@poettering.net wrote:
> > On Mon, 15.06.15 13:22, Matthew Karas (mkarasc...@gmail.com) wrote:
> > > Yes - that seems to have let me set the password. Now I can get started learning about this. Thanks a lot!
> > >
> > > Though it does return an error about selinux when I start the shell to set the password
> > >
> > > $ sudo systemd-nspawn -bD /srv/srv1
> > > Spawning container srv1 on /srv/srv1.
> > > Press ^] three times within 1s to kill container.
> > > Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
> > > Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
> >
> > Hmm, weird. Is /srv/srv1 read-only or so?
> >
> > Lennart
> >
> > --
> > Lennart Poettering, Red Hat
>
> On a somewhat related topic, are many people making use of nspawn containers in production or test environments? I was a little surprised by the issues I had when trying them out with f21. f22 seems smoother but still required the audit=0 and I think I had to disable selinux to set the password but I was trying for a while with a blank password so...
>
> But yeah, was wondering if there were known users of nspawn containers that discussed their use cases.
>
> Chris

I am using it to host instances of webservers. It's much easier and more intuitive than using docker. I haven't tried rkt, but that appears to use nspawn as the back end anyways.

Docker expects you to create separate containers for each application, and expects to expose network in a certain specific way. nspawn was able to simulate virtual machines, i.e. full user space systems. With docker I had a lot of trouble trying to get it set up, started and configured. With nspawn, I just install the packages, run it as nspawn and away I go.

Since I'm just using it to provision network devices via macvlans and separating processes, I did not worry about the security. Basically, I assumed that since I controlled all the container applications anyways, it should be fine.

So far it's worked out great. Far better than trying to manage something as complex as docker, and it worked much more intuitively with how virtual machines have worked in the past.

Regards,

Jake
Re: [systemd-devel] Fedora 21 and systemd-nspawn
On Mon, 15.06.15 21:15, Chris Morgan (chmor...@gmail.com) wrote:
> On a somewhat related topic, are many people making use of nspawn containers in production or test environments? I was a little surprised by the issues I had when trying them out with f21. f22 seems smoother but still required the audit=0 and I think I had to disable selinux to set the password but I was trying for a while with a blank password so...
>
> But yeah, was wondering if there were known users of nspawn containers that discussed their use cases.

Until recently the man page clarified that it was a tool for debugging things only. However, we removed that recently, because I noticed that people *are* using it in production now. Also, the rkt guys use it as backend for their stuff these days.

Turning off audit is not necessary anymore since we did the seccomp hack, at least on x86-64. It's still necessary to turn it off explicitly on i386. Also note that even on i386 it's not necessary to turn off auditing when you use debian or ubuntu in the container; only running fedora/redhat inside a container requires this (because only Fedora's PAM is weird).

My guess is that most people who run nspawn turn off selinux though, or don't use Fedora, since SELinux appears to be pretty much a fedora/redhat-only thing.

Both the selinux and audit issues apply to all container managers that are supposed to run full distros inside, not only nspawn.

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Fedora 21 and systemd-nspawn
On Mon, 15.06.15 11:30, Matthew Karas (mkarasc...@gmail.com) wrote:
> I'm trying to use systemd-nspawn but when I launch it and try to login as root - it still asks for a password and I can't seem to set one.
>
> The docs for fedora mentioned turning off auditing - which I've done. My cmd line says audit=0 at the end.
>
> $ cat /proc/cmdline
> BOOT_IMAGE=/vmlinuz-3.19.7-200.fc21.x86_64 root=/dev/mapper/fedora_localhost-root ro rd.lvm.lv=fedora_localhost/swap rd.lvm.lv=fedora_localhost/root rhgb audit=0 quiet
>
> (This is fedora 21)
>
> Using these docs https://fedoraproject.org/wiki/Features/SystemdLightweightContainers
>
> When I try to change the password it tells me I have an auth token manipulation error.
>
> $ sudo systemd-nspawn -D /srv/eq1
> Spawning container eq1 on /srv/eq1.
> Press ^] three times within 1s to kill container.
> -bash-4.3# passwd
> Changing password for user root.
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
> -bash-4.3#

Hmm, this is weird. This should just work if audit=0 is set on the kernel cmdline. Is this f21 both inside and on the host?

If you strace what passwd is doing there, do you see anything interesting? If in doubt, paste the output on some pastebin and link it here.

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Fedora 21 and systemd-nspawn
On Monday, June 15, 2015, Lennart Poettering lenn...@poettering.net wrote:
> On Mon, 15.06.15 13:22, Matthew Karas (mkarasc...@gmail.com) wrote:
> > Yes - that seems to have let me set the password. Now I can get started learning about this. Thanks a lot!
> >
> > Though it does return an error about selinux when I start the shell to set the password
> >
> > $ sudo systemd-nspawn -bD /srv/srv1
> > Spawning container srv1 on /srv/srv1.
> > Press ^] three times within 1s to kill container.
> > Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
> > Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
>
> Hmm, weird. Is /srv/srv1 read-only or so?
>
> Lennart
>
> --
> Lennart Poettering, Red Hat

On a somewhat related topic, are many people making use of nspawn containers in production or test environments? I was a little surprised by the issues I had when trying them out with f21. f22 seems smoother but still required the audit=0 and I think I had to disable selinux to set the password but I was trying for a while with a blank password so...

But yeah, was wondering if there were known users of nspawn containers that discussed their use cases.

Chris
Re: [systemd-devel] Fedora 21 and systemd-nspawn
Here is my output https://gist.github.com/mkcybi/eae6a2a67c5dc864

-- Forwarded message --
From: Lennart Poettering lenn...@poettering.net
Date: Mon, Jun 15, 2015 at 11:32 AM
Subject: Re: [systemd-devel] Fedora 21 and systemd-nspawn
To: Matthew Karas mkarasc...@gmail.com
Cc: systemd-devel@lists.freedesktop.org

On Mon, 15.06.15 11:30, Matthew Karas (mkarasc...@gmail.com) wrote:
> I'm trying to use systemd-nspawn but when I launch it and try to login as root - it still asks for a password and I can't seem to set one.
>
> The docs for fedora mentioned turning off auditing - which I've done. My cmd line says audit=0 at the end.
>
> $ cat /proc/cmdline
> BOOT_IMAGE=/vmlinuz-3.19.7-200.fc21.x86_64 root=/dev/mapper/fedora_localhost-root ro rd.lvm.lv=fedora_localhost/swap rd.lvm.lv=fedora_localhost/root rhgb audit=0 quiet
>
> (This is fedora 21)
>
> Using these docs https://fedoraproject.org/wiki/Features/SystemdLightweightContainers
>
> When I try to change the password it tells me I have an auth token manipulation error.
>
> $ sudo systemd-nspawn -D /srv/eq1
> Spawning container eq1 on /srv/eq1.
> Press ^] three times within 1s to kill container.
> -bash-4.3# passwd
> Changing password for user root.
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
> -bash-4.3#

Hmm, this is weird. This should just work if audit=0 is set on the kernel cmdline. Is this f21 both inside and on the host?

If you strace what passwd is doing there, do you see anything interesting? If in doubt, paste the output on some pastebin and link it here.

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Fedora 21 and systemd-nspawn
Yes - that seems to have let me set the password. Now I can get started learning about this. Thanks a lot!

Though it does return an error about selinux when I start the shell to set the password

$ sudo systemd-nspawn -bD /srv/srv1
Spawning container srv1 on /srv/srv1.
Press ^] three times within 1s to kill container.
Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system

On Mon, Jun 15, 2015 at 12:24 PM, Lennart Poettering lenn...@poettering.net wrote:
> On Mon, 15.06.15 12:21, Matthew Karas (mkarasc...@gmail.com) wrote:
> > Here is my output https://gist.github.com/mkcybi/eae6a2a67c5dc864
>
> This line is probably the error:
>
> rename(/etc/nshadow, /etc/shadow) = -1 EACCES (Permission denied)
>
> For some reason the container cannot replace /etc/shadow in it. Maybe an SELinux problem? Have you tried turning it off?
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
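The two host-side preconditions this thread keeps circling back to (audit left on for a Fedora guest, and passwd's rename onto /etc/shadow being denied under SELinux) can be checked before launching a container. The script below is an added example, not code from the thread or from systemd; it takes the kernel cmdline, the SELinux enforce file and an strace log as inputs, and the sample data it ships with is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Fedora guest under systemd-nspawn.
# Inputs are passed as arguments so the checks can run against constructed data
# instead of the live host (/proc/cmdline, /sys/fs/selinux/enforce, strace -f passwd).

# Return 0 if the kernel cmdline contains the bare token "audit=0".
audit_disabled_on_cmdline() {
    cmdline=$1
    for tok in $cmdline; do
        [ "$tok" = "audit=0" ] && return 0
    done
    return 1
}

# Return 0 if the SELinux enforce file (normally /sys/fs/selinux/enforce)
# reads "1", i.e. the host is enforcing. A missing file means SELinux is
# not loaded at all, which counts as "not enforcing".
selinux_enforcing() {
    enforce_file=$1
    [ -r "$enforce_file" ] || return 1
    [ "$(cat "$enforce_file")" = "1" ]
}

# Scan strace output on stdin for the tell-tale failed rename onto /etc/shadow
# (the line Lennart pointed at); prints the offending line, returns 0 if found.
shadow_rename_denied() {
    grep -E 'rename\([^)]*/etc/shadow"?\) *= *-1 +(EACCES|EPERM)'
}

# Constructed sample data standing in for /proc/cmdline and an strace log.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro rhgb audit=0 quiet'
SAMPLE_STRACE='open("/etc/nshadow", O_WRONLY|O_CREAT|O_EXCL, 0600) = 4
rename("/etc/nshadow", "/etc/shadow") = -1 EACCES (Permission denied)'

if audit_disabled_on_cmdline "$SAMPLE_CMDLINE"; then
    echo "ok: audit=0 present on the kernel cmdline"
else
    echo "warn: auditing enabled; a Fedora guest on i386 needs audit=0"
fi
if selinux_enforcing /sys/fs/selinux/enforce; then
    echo "warn: host SELinux is enforcing; passwd inside the guest may fail"
fi
if printf '%s\n' "$SAMPLE_STRACE" | shadow_rename_denied >/dev/null; then
    echo "warn: passwd cannot replace /etc/shadow; check SELinux on the host"
fi
```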
Re: [systemd-devel] Fedora 21 and systemd-nspawn
On Mon, 15.06.15 13:22, Matthew Karas (mkarasc...@gmail.com) wrote:
> Yes - that seems to have let me set the password. Now I can get started learning about this. Thanks a lot!
>
> Though it does return an error about selinux when I start the shell to set the password
>
> $ sudo systemd-nspawn -bD /srv/srv1
> Spawning container srv1 on /srv/srv1.
> Press ^] three times within 1s to kill container.
> Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system
> Failed to create directory /srv/srv1//sys/fs/selinux: Read-only file system

Hmm, weird. Is /srv/srv1 read-only or so?

Lennart

--
Lennart Poettering, Red Hat