[lxc-users] lxd limits.memory don't work in trusty instances
Good night. I have two servers with Ubuntu 14.04.3 and LXD doesn't set up limits (now) for memory usage.

==
☁ ~ lxc launch ubuntu master
Creating master
done.
Starting master
done.
☁ ~ free
             total       used       free     shared    buffers     cached
Mem:      16112676    1416092   14696584       1984     326184     814600
-/+ buffers/cache:     275308   15837368
Swap:     16451580          0   16451580
☁ ~ lxc exec master free
             total       used       free     shared    buffers     cached
Mem:      16112676      10604   16102072       2016          0       2412
..
☁ ~ lxc config set master limits.memory 25%
☁ ~ lxc exec master free
             total       used       free     shared    buffers     cached
Mem:      16112676      10484   16102192       2016          0       2412
..
==

The same happens on another server here (with 16GB RAM too) and on my laptop (Ideapad Flex 14).

Now if I try in https://linuxcontainers.org/lxd/try-it/

==
root@tryit:~# lxc launch ubuntu d1
Creating d1
Starting d1
root@tryit:~# lxc exec d1 free
             total       used       free     shared    buffers     cached
Mem:        262144     114668     147476        804          0     106320
-/+ buffers/cache:       8348     253796
Swap:      6151872          8    6151864
root@tryit:~# lxc config set d1 limits.memory 50%
root@tryit:~# lxc exec d1 free
             total       used       free     shared    buffers     cached
Mem:        131068     114464      16604        800          0     106316
-/+ buffers/cache:       8148     122920
Swap:      6151872          8    6151864
root@tryit:~#
==

This works! Now, the differences are that I am using 14.04, not 15.10 like try-it, but the try-it server is using a 3.19 kernel (vivid based IIRC) and my servers and my laptop are on the wily kernel, 4.2.0-25. Now, is the problem related to kernel versions (does it appear in wily too?)
My lxd packages come from trusty-backports (now version 0.26) and my related packages on the servers are:

==
☁ ~ dpkg -l | grep -E 'lxd|lxc|cgmanager'
ii  cgmanager            0.39-2ubuntu2~ubuntu14.04.1   amd64  Central cgroup manager daemon
ii  libcgmanager0:amd64  0.39-2ubuntu2~ubuntu14.04.1   amd64  Central cgroup manager daemon (client library)
ii  liblxc1              1.1.5-0ubuntu3~ubuntu14.04.1  amd64  Linux Containers userspace tools (library)
ii  lxc                  1.1.5-0ubuntu3~ubuntu14.04.1  amd64  Linux Containers userspace tools
ii  lxc-templates        1.1.5-0ubuntu3~ubuntu14.04.1  amd64  Linux Containers userspace tools (templates)
ii  lxcfs                0.11-0ubuntu3~ubuntu14.04.1   amd64  FUSE based filesystem for LXC
ii  lxd                  0.26-0ubuntu2~ubuntu14.04.1   amd64  Container hypervisor based on LXC - daemon
ii  lxd-client           0.26-0ubuntu2~ubuntu14.04.1   amd64  Container hypervisor based on LXC - client
ii  lxd-tools            0.26-0ubuntu2~ubuntu14.04.1   amd64  Container hypervisor based on LXC - extra tools
ii  python3-lxc          1.1.5-0ubuntu3~ubuntu14.04.1  amd64  Linux Containers userspace tools (Python 3.x bindings)
☁ ~
==

Latest versions from the trusty-backports branch. I am thinking that the problem can be:

1. Kernel (4.2.0-25). In this case I will need to roll back to 3.19.x kernels until the problem gets corrected.
2. trusty-backports repository. In this case I will need to add the lxd-stable PPA to my servers and laptop.
3. Some other thing unrelated to 1 and 2 (maybe limits.memory doesn't work with lxd 0.26; try-it is using lxd 0.20 now, for example).

Well, can somebody help me to resolve this issue?

Yonsy Solis
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
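The comparison Yonsy does by eye above (host `free` versus `lxc exec ... free` before and after `lxc config set ... limits.memory`) can be automated so that a limit that silently did not apply is caught rather than assumed. The following is an added example, not code from the thread or from LXD; the `free` samples are copied from the two sessions in the post, and the accepted `limits.memory` spellings (a percentage of the host total, or a value with a kB/MB/GB suffix) are an assumption about the LXD version in use, so check them against your LXD documentation.

```python
"""Check whether an LXD limits.memory value is reflected in what `free`
reports inside the container.  Added example for the lxc-users thread;
not LXD code.  Sample `free` outputs below are copied from the post."""
import re

# 14.04 server: host `free`, then `lxc exec master free` after
# `lxc config set master limits.memory 25%` (from the post).
HOST_FREE = """\
             total       used       free     shared    buffers     cached
Mem:      16112676    1416092   14696584       1984     326184     814600
-/+ buffers/cache:     275308   15837368
Swap:     16451580          0   16451580
"""
MASTER_FREE_AFTER_25PCT = """\
             total       used       free     shared    buffers     cached
Mem:      16112676      10484   16102192       2016          0       2412
"""

# try-it server: `lxc exec d1 free` before and after limits.memory 50%
# (from the post).  The "before" total is used as the reference total.
D1_FREE_BEFORE = """\
             total       used       free     shared    buffers     cached
Mem:        262144     114668     147476        804          0     106320
-/+ buffers/cache:       8348     253796
Swap:      6151872          8    6151864
"""
D1_FREE_AFTER_50PCT = """\
             total       used       free     shared    buffers     cached
Mem:        131068     114464      16604        800          0     106316
-/+ buffers/cache:       8148     122920
Swap:      6151872          8    6151864
"""


def parse_free(text):
    """Return the 'Mem:' row of classic `free` output as {column: kB}."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    for line in lines[1:]:
        if line.startswith("Mem:"):
            values = [int(v) for v in line.split()[1:]]
            return dict(zip(header, values))
    raise ValueError("no Mem: row in free output")


def expected_limit_kb(limit, reference_total_kb):
    """Translate a limits.memory string into kB.

    '25%' is relative to reference_total_kb; '512MB', '2GB', '1024kB' are
    absolute; a bare number is taken as bytes.  Assumed syntax, see lead-in.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(%|[kKmMgG][bB]?)?\s*", limit)
    if not m:
        raise ValueError(f"unrecognised limits.memory value: {limit!r}")
    number, unit = float(m.group(1)), (m.group(2) or "").lower().rstrip("b")
    if unit == "%":
        return int(reference_total_kb * number / 100)
    scale = {"": 1 / 1024, "k": 1, "m": 1024, "g": 1024 ** 2}[unit]
    return int(number * scale)


def limit_applied(reference_free, container_free, limit, tolerance=0.02):
    """True when the container's reported total is within `tolerance`
    (fraction) of the expected limit, False when it still shows the
    reference (host) total or anything else far from the limit."""
    reference_total = parse_free(reference_free)["total"]
    seen_total = parse_free(container_free)["total"]
    expected = expected_limit_kb(limit, reference_total)
    return abs(seen_total - expected) <= expected * tolerance


if __name__ == "__main__":
    print("trusty 25%:", limit_applied(HOST_FREE, MASTER_FREE_AFTER_25PCT, "25%"))
    print("try-it 50%:", limit_applied(D1_FREE_BEFORE, D1_FREE_AFTER_50PCT, "50%"))
```

Note that `free` reads `/proc/meminfo`, which inside the container comes from lxcfs; the check therefore tells you whether the limit is visible to the workload, not whether the cgroup value itself was written. When it returns False, as it does for the trusty session above, the next step is to look at the cgroup on the host rather than to trust the configuration as stored.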
[lxc-users] post start hook
Hello, I have this problem: https://lists.linuxcontainers.org/pipermail/lxc-users/2011-November/002916.html which is related to wlan0 interfaces which should be assigned directly to an lxc container. What worked for me is to call iw phy0 set ns after the container is started. If I want to automate this, how could I do it? Is there any hook in which I can implement the iw command in the host after the init of the container is started? Keep in mind that I need the pid of the init of the just-started container to issue the iw command. I found several hooks but none which is called in the host after the init is started.

Thx in advance
meno
Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?
Since LXD is starting the unprivileged containers as root, does that mean that from a security point of view there is no difference between running the 'lxc' commands from a user which is a member of the 'sudo' group and a user which is not? For plain LXC I've understood that it is more secure to run as a user which is not a member of the 'sudo' group. That doesn't seem to be the case for LXD anymore. Is that correct?

-----"lxc-users" wrote: -----
To: LXC users mailing-list
From: Serge Hallyn
Sent by: "lxc-users"
Date: 01/11/2016 23:36
Subject: Re: [lxc-users] is starting unprivileged containers as root as secure as running them as any other user?

Quoting Carlos Alberto Lopez Perez (clo...@igalia.com):
> On 11/01/16 23:13, Serge Hallyn wrote:
> > Quoting david.an...@bli.uzh.ch (david.an...@bli.uzh.ch):
> >> Hmm, this is interesting.
> >> I am running my container from the unprivileged user 'lxduser' and yet:
> >>
> >> root@qumind:~# ps -ef | grep '[l]xc monitor'
> >> root 7609 1 0 11:54 ? 00:00:00 [lxc monitor] /var/lib/lxd/containers pgroonga
> >>
> >> What is wrong here?
> >
> > You're using lxd. Lxd runs as root. You are not starting the
> > containers as 'lxduser' - you are making requests as 'lxduser' for
> > the root-owned process 'lxd' to start the containers.
>
> I understood that LXD uses unprivileged containers by default...
>
> Does this mean that LXD is starting the unprivileged containers as root?

yes. It does many things which an unprivileged user cannot do, so it has to run as root.

The lxc-attach weakness I mentioned does not apply to 'lxc exec', because lxd interposes a pty between your console and the container's.
[lxc-users] lxd - autostart unreliable on busy servers
When I restart a busy server (running several containers, creating 100% IO load for about 10 mins after start), my lxd containers do not autostart reliably. If I start them manually later on, they start fine (although "lxc start containername" needs a while to return).

Is there a way to make lxd autostart more reliable? Perhaps it's some kind of timeout which needs to be increased somewhere?

In the log, I can see:

lxc 1453630080.796 ERROR lxc_cgmanager - cgmanager.c:cgm_dbus_connect:176 - Error cgroup manager api version: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
lxc 1453630080.796 ERROR lxc_cgmanager - cgmanager.c:do_cgm_get:872 - Error connecting to cgroup manager
lxc 1453630080.797 WARN  lxc_cgmanager - cgmanager.c:cgm_get:989 - do_cgm_get exited with error
lxc 1453630080.799 DEBUG lxc_cgmanager - cgmanager.c:cgm_dbus_connect:152 - Failed opening dbus connection: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /sys/fs/cgroup/cgmanager/sock: Connection refused
lxc 1453630080.799 ERROR lxc_cgmanager - cgmanager.c:do_cgm_get:872 - Error connecting to cgroup manager
lxc 1453630080.799 WARN  lxc_cgmanager - cgmanager.c:cgm_get:989 - do_cgm_get exited with error
lxc 1453630081.096 DEBUG lxc_cgmanager - cgmanager.c:cgm_dbus_connect:152 - Failed opening dbus connection: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /sys/fs/cgroup/cgmanager/sock: Connection refused
lxc 1453630081.097 ERROR lxc_cgmanager - cgmanager.c:do_cgm_get:872 - Error connecting to cgroup manager
lxc 1453630081.097 WARN  lxc_cgmanager - cgmanager.c:cgm_get:989 - do_cgm_get exited with error
lxc 1453630085.958 INFO  lxc_confile - confile.c:config_idmap:1437 - read uid map: type u nsid 0 hostid 10 range 65536
lxc 1453630085.958 INFO  lxc_confile - confile.c:config_idmap:1437 - read uid map: type g nsid 0 hostid 10 range 65536
lxc 1453630085.960 DEBUG lxc_cgmanager - cgmanager.c:cgm_dbus_connect:152 - Failed opening dbus connection: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /sys/fs/cgroup/cgmanager/sock: Connection refused
lxc 1453630085.960 ERROR lxc_cgmanager - cgmanager.c:do_cgm_get:872 - Error connecting to cgroup manager
lxc 1453630085.961 WARN  lxc_cgmanager - cgmanager.c:cgm_get:989 - do_cgm_get exited with error

Tomasz Chmielewski
http://wpkg.org
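The failure pattern in Tomasz's log (repeated "Error connecting to cgroup manager", the dbus socket at /sys/fs/cgroup/cgmanager/sock refusing connections, one dbus reply timeout, all within a few seconds of boot) is easy to spot by eye once but worth detecting automatically on a fleet where autostart is flaky. The following is an added example, not code from the thread or from LXC/LXD: a parser for the lxc log line format that summarizes cgmanager connectivity failures. The sample lines are copied from the post; the detection threshold (three or more connection failures together with at least one refused socket) is a constructed choice, not something the thread establishes.

```python
"""Summarize cgmanager connectivity failures in lxc log lines.
Added example for the lxc-users autostart thread; not LXC/LXD code.
SAMPLE_LOG is copied from the post."""
import re

SAMPLE_LOG = """\
lxc 1453630080.796 ERROR lxc_cgmanager - cgmanager.c:cgm_dbus_connect:176 - Error cgroup manager api version: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
lxc 1453630080.796 ERROR lxc_cgmanager - cgmanager.c:do_cgm_get:872 - Error connecting to cgroup manager
lxc 1453630080.797 WARN  lxc_cgmanager - cgmanager.c:cgm_get:989 - do_cgm_get exited with error
lxc 1453630080.799 DEBUG lxc_cgmanager - cgmanager.c:cgm_dbus_connect:152 - Failed opening dbus connection: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /sys/fs/cgroup/cgmanager/sock: Connection refused
lxc 1453630080.799 ERROR lxc_cgmanager - cgmanager.c:do_cgm_get:872 - Error connecting to cgroup manager
lxc 1453630080.799 WARN  lxc_cgmanager - cgmanager.c:cgm_get:989 - do_cgm_get exited with error
lxc 1453630081.096 DEBUG lxc_cgmanager - cgmanager.c:cgm_dbus_connect:152 - Failed opening dbus connection: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /sys/fs/cgroup/cgmanager/sock: Connection refused
lxc 1453630081.097 ERROR lxc_cgmanager - cgmanager.c:do_cgm_get:872 - Error connecting to cgroup manager
lxc 1453630081.097 WARN  lxc_cgmanager - cgmanager.c:cgm_get:989 - do_cgm_get exited with error
lxc 1453630085.958 INFO  lxc_confile - confile.c:config_idmap:1437 - read uid map: type u nsid 0 hostid 10 range 65536
lxc 1453630085.958 INFO  lxc_confile - confile.c:config_idmap:1437 - read uid map: type g nsid 0 hostid 10 range 65536
lxc 1453630085.960 DEBUG lxc_cgmanager - cgmanager.c:cgm_dbus_connect:152 - Failed opening dbus connection: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /sys/fs/cgroup/cgmanager/sock: Connection refused
lxc 1453630085.960 ERROR lxc_cgmanager - cgmanager.c:do_cgm_get:872 - Error connecting to cgroup manager
lxc 1453630085.961 WARN  lxc_cgmanager - cgmanager.c:cgm_get:989 - do_cgm_get exited with error
"""

# lxc log line: "lxc <epoch.ms> <LEVEL> <subsystem> - <file:func:line> - <message>"
LXC_LINE = re.compile(
    r"^lxc (?P<ts>\d+\.\d+)\s+(?P<level>[A-Z]+)\s+(?P<subsys>\S+) - "
    r"(?P<loc>\S+) - (?P<msg>.*)$"
)
SOCKET_RE = re.compile(r"socket (\S+?):")


def parse_lxc_log(text):
    """Parse lxc log lines into dicts; lines not in the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LXC_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def summarize_cgmanager_failures(text):
    """Count the cgmanager failure signatures and the time window they span."""
    recs = [r for r in parse_lxc_log(text) if r["subsys"] == "lxc_cgmanager"]
    msgs = [r["msg"] for r in recs]
    summary = {
        "connect_failures": sum("Error connecting to cgroup manager" in m for m in msgs),
        "socket_refused": sum("Connection refused" in m for m in msgs),
        "dbus_timeouts": sum("Did not receive a reply" in m for m in msgs),
        "sockets": sorted({s.group(1) for m in msgs for s in [SOCKET_RE.search(m)] if s}),
        "first_ts": min((r["ts"] for r in recs), default=None),
        "last_ts": max((r["ts"] for r in recs), default=None),
    }
    summary["duration_s"] = (summary["last_ts"] - summary["first_ts"]) if recs else 0.0
    return summary


def cgmanager_unreachable(summary, min_failures=3):
    """Constructed threshold: cgmanager was not answering during start-up."""
    return summary["connect_failures"] >= min_failures and summary["socket_refused"] > 0


if __name__ == "__main__":
    s = summarize_cgmanager_failures(SAMPLE_LOG)
    print(s)
    print("cgmanager unreachable during start:", cgmanager_unreachable(s))
```

Run against the container's lxc log after a reboot, a positive result points at the cgroup manager not being reachable when LXD tried to start the container, which matches the symptom that a later manual `lxc start` succeeds; it separates that case from a container that failed for some other reason, so the two can be triaged differently.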