Re: [lxc-users] TTY issue

2017-11-16 Thread Fajar A. Nugraha
On Thu, Nov 16, 2017 at 10:50 PM, Saint Michael  wrote:

> The issue is with fuse, that is why I keep
> lxc.autodev=0
> if I do not, if I set it to 1, then fuse does not mount inside a
> container. I need fuse, for I mount an FTP server inside the container.
> So I am caught between a rock and a hard place.
> I already asked about this contradiction on the LXC developers list.
>
>

I use fuse (for clipboard and file copy/paste support on xrdp) on
privileged lxd container. Works fine.
Can't comment more about the old lxc though, since all my newer systems are
using lxd.

-- 
Fajar
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] TTY issue

2017-11-16 Thread Saint Michael
The issue is with fuse, that is why I keep
lxc.autodev=0
if I do not, if I set it to 1, then fuse does not mount inside a container.
I need fuse, for I mount an FTP server inside the container.
So I am caught between a rock and a hard place.
I already asked about this contradiction on the LXC developers list.



On Thu, Nov 16, 2017 at 10:45 AM, Fajar A. Nugraha  wrote:

> On Thu, Nov 16, 2017 at 10:04 PM, Saint Michael  wrote:
>
>> I misfired.
>> But I found the culprit, it is
>> lxc.autodev = 0
>>
>> if I use
>> lxc.autodev = 1
>> the issue does not happen.
>> Can somebody shed any light on the ramifications of this?
>>
>
> Try https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html ,
> look for 'CONSOLE DEVICES' and 'lxc.autodev'.
>
>
>> Some additional information: I use fuse inside my containers.
>>
>>
> One of the reasons I suggested using lxd, is that with the default lxd setup,
> you'd be less-likely to shoot-yourself-in-the-foot.
>
> Fuse complicates things a little, since you need a privileged container to
> use it. But even when using privileged container, the default lxd setup
> (using templates) is still good-enough to prevent common problems created
> by host-container interaction.
>
>
> --
> Fajar
>
>

Re: [lxc-users] TTY issue

2017-11-16 Thread Fajar A. Nugraha
On Thu, Nov 16, 2017 at 10:04 PM, Saint Michael  wrote:

> I misfired.
> But I found the culprit, it is
> lxc.autodev = 0
>
> if I use
> lxc.autodev = 1
> the issue does not happen.
> Can somebody shed any light on the ramifications of this?
>

Try https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html ,
look for 'CONSOLE DEVICES' and 'lxc.autodev'.


> Some additional information: I use fuse inside my containers.
>
>
One of the reasons I suggested using lxd, is that with the default lxd setup,
you'd be less-likely to shoot-yourself-in-the-foot.

Fuse complicates things a little, since you need a privileged container to
use it. But even when using privileged container, the default lxd setup
(using templates) is still good-enough to prevent common problems created
by host-container interaction.


-- 
Fajar

Re: [lxc-users] TTY issue

2017-11-16 Thread Saint Michael
I misfired.
But I found the culprit, it is
lxc.autodev = 0

if I use
lxc.autodev = 1
the issue does not happen.
Can somebody shed any light on the ramifications of this?
Some additional information: I use fuse inside my containers.

Philip



On Thu, Nov 16, 2017 at 9:52 AM, Saint Michael  wrote:

> THAT WORKED
> But the new key is
> lxc.tty.dir = lxc
>
>
> On Thu, Nov 16, 2017 at 9:32 AM, Marat Khalili  wrote:
>
>> On 16/11/17 14:58, Saint Michael wrote:
>>
>> lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
>> lxc.mount.entry = sysfs sys sysfs defaults  0 0
>> lxc.mount.entry = /cdr cdr none bind 0 0
>> lxc.mount.auto = cgroup:mixed
>> lxc.tty = 10
>> lxc.pts = 1024
>> lxc.cgroup.devices.deny = a
>> lxc.cgroup.devices.allow = c 1:3 rwm
>> lxc.cgroup.devices.allow = c 1:5 rwm
>> lxc.cgroup.devices.allow = c 5:1 rwm
>> lxc.cgroup.devices.allow = c 5:0 rwm
>> lxc.cgroup.devices.allow = c 4:0 rwm
>> lxc.cgroup.devices.allow = c 4:1 rwm
>> lxc.cgroup.devices.allow = c 1:9 rwm
>> lxc.cgroup.devices.allow = c 1:8 rwm
>> lxc.cgroup.devices.allow = c 136:* rwm
>> lxc.cgroup.devices.allow = c 5:2 rwm
>> lxc.cgroup.devices.allow = c 254:0 rwm
>> lxc.cgroup.devices.allow = c 10:137 rwm # loop-control
>> lxc.cgroup.devices.allow = b 7:* rwm    # loop*
>> lxc.cgroup.devices.allow = c 10:229 rwm #fuse
>> lxc.autodev = 0
>> lxc.aa_profile = unconfined
>> lxc.cap.drop=
>> lxc.network.type = phys
>> lxc.network.flags = up
>> lxc.network.link = eth6
>> lxc.network.name = eth0
>> lxc.network.ipv4 = 0.0.0.0/27
>> lxc.network.type = macvlan
>> lxc.network.flags = up
>> lxc.network.link = eth3
>> lxc.network.name = eth1
>> lxc.network.macvlan.mode = bridge
>> lxc.network.ipv4 = 0.0.0.0/24
>>
>> lxc.start.auto = 1
>> lxc.start.delay = 5
>> lxc.start.order = 0
>> lxc.rootfs = /data/iplinkcdr/rootfs
>> lxc.rootfs.backend = dir
>> lxc.utsname = iplinkcdr
>>
>>
>> It does not look like a config created by lxc-create. Does the same thing
>> happen if you use `lxc-create -t download`?
>>
>> Looking at your config, I most notably don't see `lxc.devttydir = lxc`.
>> Although according to the man page it should not directly cause the effect
>> you described, I'd still try to add it and see. `lxc.console` is also a
>> good thing to try, although it is not set in my system either. Probably it
>> can be the easiest fix.
>>
>> I don't run with `lxc.aa_profile = unconfined` and `lxc.cap.drop=`, so in
>> your system the container can do more things than it can do here.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>>
>>
>
>

Re: [lxc-users] TTY issue

2017-11-16 Thread Saint Michael
THAT WORKED
But the new key is
lxc.tty.dir = lxc


On Thu, Nov 16, 2017 at 9:32 AM, Marat Khalili  wrote:

> On 16/11/17 14:58, Saint Michael wrote:
>
> lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> lxc.mount.entry = sysfs sys sysfs defaults  0 0
> lxc.mount.entry = /cdr cdr none bind 0 0
> lxc.mount.auto = cgroup:mixed
> lxc.tty = 10
> lxc.pts = 1024
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 1:3 rwm
> lxc.cgroup.devices.allow = c 1:5 rwm
> lxc.cgroup.devices.allow = c 5:1 rwm
> lxc.cgroup.devices.allow = c 5:0 rwm
> lxc.cgroup.devices.allow = c 4:0 rwm
> lxc.cgroup.devices.allow = c 4:1 rwm
> lxc.cgroup.devices.allow = c 1:9 rwm
> lxc.cgroup.devices.allow = c 1:8 rwm
> lxc.cgroup.devices.allow = c 136:* rwm
> lxc.cgroup.devices.allow = c 5:2 rwm
> lxc.cgroup.devices.allow = c 254:0 rwm
> lxc.cgroup.devices.allow = c 10:137 rwm # loop-control
> lxc.cgroup.devices.allow = b 7:* rwm    # loop*
> lxc.cgroup.devices.allow = c 10:229 rwm #fuse
> lxc.autodev = 0
> lxc.aa_profile = unconfined
> lxc.cap.drop=
> lxc.network.type = phys
> lxc.network.flags = up
> lxc.network.link = eth6
> lxc.network.name = eth0
> lxc.network.ipv4 = 0.0.0.0/27
> lxc.network.type = macvlan
> lxc.network.flags = up
> lxc.network.link = eth3
> lxc.network.name = eth1
> lxc.network.macvlan.mode = bridge
> lxc.network.ipv4 = 0.0.0.0/24
>
> lxc.start.auto = 1
> lxc.start.delay = 5
> lxc.start.order = 0
> lxc.rootfs = /data/iplinkcdr/rootfs
> lxc.rootfs.backend = dir
> lxc.utsname = iplinkcdr
>
>
> It does not look like a config created by lxc-create. Does the same thing
> happen if you use `lxc-create -t download`?
>
> Looking at your config, I most notably don't see `lxc.devttydir = lxc`.
> Although according to the man page it should not directly cause the effect
> you described, I'd still try to add it and see. `lxc.console` is also a
> good thing to try, although it is not set in my system either. Probably it
> can be the easiest fix.
>
> I don't run with `lxc.aa_profile = unconfined` and `lxc.cap.drop=`, so in
> your system the container can do more things than it can do here.
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
>

Re: [lxc-users] TTY issue

2017-11-16 Thread Marat Khalili

On 16/11/17 14:58, Saint Michael wrote:

lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults  0 0
lxc.mount.entry = /cdr cdr none bind 0 0
lxc.mount.auto = cgroup:mixed
lxc.tty = 10
lxc.pts = 1024
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 254:0 rwm
lxc.cgroup.devices.allow = c 10:137 rwm # loop-control
lxc.cgroup.devices.allow = b 7:* rwm    # loop*
lxc.cgroup.devices.allow = c 10:229 rwm #fuse
lxc.autodev = 0
lxc.aa_profile = unconfined
lxc.cap.drop=
lxc.network.type = phys
lxc.network.flags = up
lxc.network.link = eth6
lxc.network.name  = eth0
lxc.network.ipv4 = 0.0.0.0/27 
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = eth3
lxc.network.name  = eth1
lxc.network.macvlan.mode = bridge
lxc.network.ipv4 = 0.0.0.0/24 

lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 0
lxc.rootfs = /data/iplinkcdr/rootfs
lxc.rootfs.backend = dir
lxc.utsname = iplinkcdr


It does not look like a config created by lxc-create. Does the same thing 
happen if you use `lxc-create -t download`?


Looking at your config, I most notably don't see `lxc.devttydir = lxc`. 
Although according to the man page it should not directly cause the effect 
you described, I'd still try to add it and see. `lxc.console` is also a 
good thing to try, although it is not set in my system either. Probably it 
can be the easiest fix.


I don't run with `lxc.aa_profile = unconfined` and `lxc.cap.drop=`, so 
in your system the container can do more things than it can do here.


--

With Best Regards,
Marat Khalili

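As an added illustration (not code from the thread or from LXC itself), here is a small Python reviewer that parses a config in the format posted above and flags the points Marat and Fajar raise: `lxc.aa_profile = unconfined`, an empty `lxc.cap.drop=`, `lxc.autodev = 0`, a missing `lxc.tty.dir` / `lxc.devttydir`, the absence of a default-deny device rule, and wildcard device-cgroup allow rules. The embedded sample config is a constructed excerpt of the one posted; stripping trailing `# ...` comments is done for analysis only and is not a statement about how lxc parses them.

```python
"""Static review of an LXC container config, written for this thread
(not lxc's own tooling). Flags the settings discussed in the thread."""
import re
from collections import defaultdict

# Constructed excerpt of the config posted in the thread.
SAMPLE_CONFIG = """\
lxc.tty = 10
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = b 7:* rwm    # loop*
lxc.cgroup.devices.allow = c 10:229 rwm #fuse
lxc.autodev = 0
lxc.aa_profile = unconfined
lxc.cap.drop=
"""

# type, major, minor, access; '*' is a wildcard in major or minor.
DEVICE_RULE = re.compile(r"([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)")


def parse_lxc_config(text):
    """Return {key: [values]}; a key may repeat (several allow rules).
    Trailing '# ...' comments are stripped here for analysis only."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()].append(value.strip())
    return conf


def review(conf):
    """Return human-readable findings for a parsed config."""
    findings = []
    if conf.get("lxc.aa_profile") == ["unconfined"]:
        findings.append("lxc.aa_profile = unconfined: AppArmor confinement is off")
    if conf.get("lxc.cap.drop") == [""]:
        findings.append("lxc.cap.drop is empty: the drop list is cleared")
    if conf.get("lxc.autodev") == ["0"]:
        findings.append("lxc.autodev = 0: /dev comes from the rootfs, not a fresh tmpfs")
    if not (conf.get("lxc.tty.dir") or conf.get("lxc.devttydir")):
        findings.append("no lxc.tty.dir / lxc.devttydir (the key that fixed this thread)")
    if conf.get("lxc.cgroup.devices.deny") != ["a"]:
        findings.append("no default-deny 'lxc.cgroup.devices.deny = a'")
    for rule in conf.get("lxc.cgroup.devices.allow", []):
        m = DEVICE_RULE.fullmatch(rule)
        if m and "*" in (m.group(2), m.group(3)):
            findings.append(f"wildcard device rule: {rule}")
    return findings
```

Running `review(parse_lxc_config(SAMPLE_CONFIG))` on the sample yields six findings, two of them for the `136:*` and `7:*` wildcard rules.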

Re: [lxc-users] TTY issue

2017-11-16 Thread Andrey Repin
Greetings, Saint Michael!

> I use full privileged containers, since this is just a mechanism to move
> around highly complex installations.
> In my business there is one host and one container per box, which uses up
> all resources available.
> What you are saying, basically, is the root-privileged containers is not
> supported by LXC, since a container does hijack the host's TTY.

No, it should not. I didn't use it on 16.04, but my older LTSes use
a bunch of privileged containers to encapsulate separate services, and none
exhibit the issue described.
$  lxc-start --version
2.0.8

> Any confirmation of this? I cannot believe this is impossible to solve.

It is most likely possible to solve. Please see another branch of this thread.

OTOH, using unprivileged containers is strongly suggested for general security
considerations.


-- 
With best regards,
Andrey Repin
Thursday, November 16, 2017 16:11:02

Sorry for my terrible English...


Re: [lxc-users] TTY issue

2017-11-16 Thread Saint Michael
This is the view of the container's /dev

console  fd  full  fuse  initctl  null  ptmx  pts  random  shm  stderr
stdin  stdout  tty  tty1  tty10  tty2  tty3  tty4  tty5  tty6  tty7  tty8
tty9  urandom  zero

from the host.

Please note that I erased tty0, based on advice I found on the Internet. I
also did this inside the container:

systemctl stop console-getty
systemctl disable console-getty
systemctl mask console-getty

remove /dev/tty0
systemctl stop getty@tty1.service; systemctl mask getty@tty1.service

but it keeps happening.
Philip

On Thu, Nov 16, 2017 at 6:58 AM, Saint Michael  wrote:

> lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> lxc.mount.entry = sysfs sys sysfs defaults  0 0
> lxc.mount.entry = /cdr cdr none bind 0 0
> lxc.mount.auto = cgroup:mixed
> lxc.tty = 10
> lxc.pts = 1024
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 1:3 rwm
> lxc.cgroup.devices.allow = c 1:5 rwm
> lxc.cgroup.devices.allow = c 5:1 rwm
> lxc.cgroup.devices.allow = c 5:0 rwm
> lxc.cgroup.devices.allow = c 4:0 rwm
> lxc.cgroup.devices.allow = c 4:1 rwm
> lxc.cgroup.devices.allow = c 1:9 rwm
> lxc.cgroup.devices.allow = c 1:8 rwm
> lxc.cgroup.devices.allow = c 136:* rwm
> lxc.cgroup.devices.allow = c 5:2 rwm
> lxc.cgroup.devices.allow = c 254:0 rwm
> lxc.cgroup.devices.allow = c 10:137 rwm # loop-control
> lxc.cgroup.devices.allow = b 7:* rwm    # loop*
> lxc.cgroup.devices.allow = c 10:229 rwm #fuse
> lxc.autodev = 0
> lxc.aa_profile = unconfined
> lxc.cap.drop=
> lxc.network.type = phys
> lxc.network.flags = up
> lxc.network.link = eth6
> lxc.network.name = eth0
> lxc.network.ipv4 = 0.0.0.0/27
> lxc.network.type = macvlan
> lxc.network.flags = up
> lxc.network.link = eth3
> lxc.network.name = eth1
> lxc.network.macvlan.mode = bridge
> lxc.network.ipv4 = 0.0.0.0/24
>
> lxc.start.auto = 1
> lxc.start.delay = 5
> lxc.start.order = 0
> lxc.rootfs = /data/iplinkcdr/rootfs
> lxc.rootfs.backend = dir
> lxc.utsname = iplinkcdr
>
> On Thu, Nov 16, 2017 at 3:19 AM, Marat Khalili  wrote:
>
>> I'm using LXC on 16.04 and observe nothing of the kind you describe. How
>> are you creating containers? Please post container config file.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>>
>>
>
>

Re: [lxc-users] TTY issue

2017-11-16 Thread Saint Michael
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults  0 0
lxc.mount.entry = /cdr cdr none bind 0 0
lxc.mount.auto = cgroup:mixed
lxc.tty = 10
lxc.pts = 1024
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 254:0 rwm
lxc.cgroup.devices.allow = c 10:137 rwm # loop-control
lxc.cgroup.devices.allow = b 7:* rwm    # loop*
lxc.cgroup.devices.allow = c 10:229 rwm #fuse
lxc.autodev = 0
lxc.aa_profile = unconfined
lxc.cap.drop=
lxc.network.type = phys
lxc.network.flags = up
lxc.network.link = eth6
lxc.network.name = eth0
lxc.network.ipv4 = 0.0.0.0/27
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = eth3
lxc.network.name = eth1
lxc.network.macvlan.mode = bridge
lxc.network.ipv4 = 0.0.0.0/24

lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 0
lxc.rootfs = /data/iplinkcdr/rootfs
lxc.rootfs.backend = dir
lxc.utsname = iplinkcdr

On Thu, Nov 16, 2017 at 3:19 AM, Marat Khalili  wrote:

> I'm using LXC on 16.04 and observe nothing of the kind you describe. How
> are you creating containers? Please post container config file.
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
>

Re: [lxc-users] TTY issue

2017-11-16 Thread Marat Khalili
I'm using LXC on 16.04 and observe nothing of the kind you describe. How 
are you creating containers? Please post container config file.


--

With Best Regards,
Marat Khalili
