Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-06 Thread Fajar A. Nugraha
On Fri, Feb 6, 2015 at 3:25 AM, CDR  wrote:
> In Ubuntu 14.04 fully updated and lxc latest.1.1, a container with Centos 7
> never allows connection via lxc-console. It stays as below.
> If you start the container with -F, you can see how it boots and indeed you
> can log in via the console.
>
> lxc-console -n centos7
>
> Connected to tty 1
> Type  to exit the console,  to enter Ctrl+a itself
>
> Is there a possible workaround?

Probably not.

Thanks to systemd, the only way you could start a c7 container under
ubuntu should be if you use

lxc.aa_profile = unconfined
lxc.mount.auto =
lxc.cap.drop =

(or don't specify the last two lines while using your own config file,
not using centos.common.conf). That would pretty much mean the
container could access everything on the host, and my simple test of
running "agetty tty1" inside the container pretty much screwed the
host.

If you exclusively need c7, it would probably be easier to just use a c7
host as well, and use their "supported" method (i.e. docker). That way
you'd at least get selinux protection on the container as well, which
should prevent it from doing "bad stuff" to the host. Plus you don't
have to deal with the mess that is systemd (since they remove it and
replace with fakesystemd). You won't be able to get a login prompt
either, but at least it's a "safer" and supported way to run c7 inside
a container.

-- 
Fajar
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-06 Thread CDR
Thanks for the response.
I disable selinux and apparmor routinely. My containers are just a way to
separate applications, there are no users accessing them, nothing bad can
happen.
So basically you are saying that there is no way to run Centos 7 under an
Ubuntu host.
Pretty amazing, if I may say.
I think somebody dropped the ball.


On Fri, Feb 6, 2015 at 4:30 AM, Fajar A. Nugraha  wrote:

> Probably not.
>
> Thanks to systemd, the only way you could start a c7 container under
> ubuntu should be if you use
>
> lxc.aa_profile = unconfined
> lxc.mount.auto =
> lxc.cap.drop =
>
> (or don't specify the last two lines while using your own config file,
> not using centos.common.conf). That would pretty much mean the
> container could access everything on the host, and my simple test of
> running "agetty tty1" inside the container pretty much screwed the
> host.
>
> If you exclusively need c7, it would probably be easier to just use a c7
> host as well, and use their "supported" method (i.e. docker). That way
> you'd at least get selinux protection on the container as well, which
> should prevent it from doing "bad stuff" to the host. Plus you don't
> have to deal with the mess that is systemd (since they remove it and
> replace with fakesystemd). You won't be able to get a login prompt
> either, but at least it's a "safer" and supported way to run c7 inside
> a container.
>
> --
> Fajar

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-06 Thread Fajar A. Nugraha
On Fri, Feb 6, 2015 at 8:15 PM, CDR  wrote:
> Thanks for the response.
> I disable selinux and apparmor routinely. My containers are just a way to
> separate applications, there are no users accessing them, nothing bad can
> happen.
> So basically you are saying that there is no way to run Centos 7 under an
> Ubuntu host.

No. What I'm saying is when you use a c7 container (and possibly most
newer systemd-based distros) under an ubuntu host:
- you can't use lxc-console
- root on your container can mess up the host

It shouldn't really matter for your use case, since "lxc-attach" works
just fine (you DO know about lxc-attach?), and you don't really care
about user access anyway.

This should improve in the future as debian/ubuntu is also moving
towards systemd (lxcfs is supposed to help), however currently the
required level of support/integration is just not there yet.

Since your main use case is "separate applications", docker might be a
better candidate. And when you use c7-based docker container under c7
host, you might even get better protection since they integrate
selinux.

-- 
Fajar

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-06 Thread CDR
Thanks.
I love Ubuntu as a host for LXC. I just got addicted to systemctl and
writing *.service files. It is much more sophisticated than the older way
of starting and stopping applications.

On Fri, Feb 6, 2015 at 8:40 AM, Fajar A. Nugraha  wrote:

> No. What I'm saying is when you use a c7 container (and possibly most
> newer systemd-based distros) under an ubuntu host:
> - you can't use lxc-console
> - root on your container can mess up the host
>
> It shouldn't really matter for your use case, since "lxc-attach" works
> just fine (you DO know about lxc-attach?), and you don't really care
> about user access anyway.
>
> This should improve in the future as debian/ubuntu is also moving
> towards systemd (lxcfs is supposed to help), however currently the
> required level of support/integration is just not there yet.
>
> Since your main use case is "separate applications", docker might be a
> better candidate. And when you use c7-based docker container under c7
> host, you might even get better protection since they integrate
> selinux.
>
> --
> Fajar

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-11 Thread Fajar A. Nugraha
So after some experiments, this is what I have: http://goo.gl/7p3nUI
- create c7 container, e.g.
lxc-create -n c7v -t download -B zfs --zfsroot rpool/lxc -- -d centos
-r 7 -a amd64

- edit config file. See "config" on that gdrive link,  look for
"Manual additions"

- place script/systemd_create_cgroup in the correct path (whatever you
use the config file), chmod 700

- start the container.

This is similar to what I did for fedora20, on
https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html

What works that previously didn't:
- lxc-console
- default apparmor container profile (so, for example, you can't mess
up host's cgroup allocation)
- default lxc.cap.drop (although you might want to remove sys_nice if
you have apps that depend on it)
- rsyslogd now always starts correctly (previously there could be stale
PIDs on /var/run)

What still does NOT work: unprivileged container
I tried backporting F22's systemd-218 plus ubuntu vivid's changes
(RPMS and SPECS folder), but it wasn't enough to run an unprivileged
container.

It should be reasonably safer than the allow-the-container-to-do-anything
approach previously needed for c7.

-- 
Fajar

On Fri, Feb 6, 2015 at 9:35 PM, CDR  wrote:
> Thanks.
> I love Ubuntu as a host for LXC. I just got addicted to systemctl and
> writing *.service files. It is much more sophisticated than the older way of
> starting and stopping applications.
>

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-11 Thread CDR
Thanks. I think Serge may want to change permanently the config and other
in the on-line template so Centos 7 does work right away.


On Thu, Feb 12, 2015 at 1:08 AM, Fajar A. Nugraha  wrote:

> So after some experiments, this is what I have: http://goo.gl/7p3nUI
> - create c7 container, e.g.
> lxc-create -n c7v -t download -B zfs --zfsroot rpool/lxc -- -d centos
> -r 7 -a amd64
>
> - edit config file. See "config" on that gdrive link,  look for
> "Manual additions"
>
> - place script/systemd_create_cgroup in the correct path (whatever you
> use the config file), chmod 700
>
> - start the container.
>
> This is similar to what I did for fedora20, on
> https://lists.linuxcontainers.org/pipermail/lxc-users/2014-May/007069.html
>
> What works that previously didn't:
> - lxc-console
> - default apparmor container profile (so, for example, you can't mess
> up host's cgroup allocation)
> - default lxc.cap.drop (although you might want to remove sys_nice if
> you have apps that depend on it)
> - rsyslogd now always starts correctly (previously there could be stale
> PIDs on /var/run)
>
> What still does NOT work: unprivileged container
> I tried backporting F22's systemd-218 plus ubuntu vivid's changes
> (RPMS and SPECS folder), but it wasn't enough to run an unprivileged
> container.
>
> It should be reasonably safer than the allow-the-container-to-do-anything
> approach previously needed for c7.
>
> --
> Fajar

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-11 Thread CDR
I cannot make this solution work.
There are a lot of errors.


On Thu, Feb 12, 2015 at 1:19 AM, CDR  wrote:

> Thanks. I think Serge may want to change permanently the config and other
> in the on-line template so Centos 7 does work right away.

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-11 Thread Fajar A. Nugraha
On Thu, Feb 12, 2015 at 2:41 PM, CDR  wrote:
> I cannot make this solution work.
> There are a lot of errors.

... which are ...?

a copy-paste of the output "lxc-start -F -n" will help, as well as
your final container config.

Also, I have cgroupfs-mount installed, so that I have
/sys/fs/cgroups/* on the host usable. You probably only need to
install that.

-- 
Fajar

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-11 Thread CDR
I cannot get past this
root@ubuserver:/var/lib/lxc/c7v# lxc-console -n c7v

Connected to tty 1
Type  to exit the console,  to enter Ctrl+a itself


On Thu, Feb 12, 2015 at 2:41 AM, CDR  wrote:

> I cannot make this solution work.
> There are a lot of errors.

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-12 Thread Fajar A. Nugraha
You DID read that I asked for "lxc-start -F"?

It's entirely possible that your container's systemd freezes, thus
nothing is listening on its tty1. And if you don't have systemd cgroup
mounted on the host (which is what cgroupfs-mount is for), it would
certainly be the case.

-- 
Fajar

On Thu, Feb 12, 2015 at 2:50 PM, CDR  wrote:
> I cannot get past this
> root@ubuserver:/var/lib/lxc/c7v# lxc-console -n c7v
>
> Connected to tty 1
> Type  to exit the console,  to enter Ctrl+a itself
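Two checks that follow from what Fajar describes in the first reply (the lxc.aa_profile / lxc.mount.auto / lxc.cap.drop lines) and in the message above (the systemd cgroup that must be mounted on the host): an added example, not code from the thread or from LXC. The sample config and `mount` output are constructed; the centos.common.conf include path and the lxc-container-default profile name are the LXC 1.x defaults this example assumes.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from LXC.
# Pre-flight checks for a systemd-based (CentOS 7) container under LXC 1.1
# on an Ubuntu 14.04 host:
#   weak_settings           flags the "open everything" settings from the
#                           first reply (lxc.aa_profile = unconfined, and
#                           emptied lxc.mount.auto / lxc.cap.drop)
#   systemd_cgroup_mounted  tells from `mount` output whether the host has
#   cgroup_hierarchies      the name=systemd cgroup hierarchy (and which
#                           other hierarchies) mounted
# The sample config and mount output below are constructed for the demo.

# Read an LXC config on stdin; print one line per risky setting.
# In LXC config an empty value clears a list key, so "lxc.cap.drop ="
# undoes the drops inherited from the included centos.common.conf, and
# "lxc.mount.auto =" disables the automatic read-only/mixed mounts of
# /proc, /sys and the cgroup tree.
weak_settings() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' |
    awk -F= '
        $1 == "lxc.aa_profile" && $2 == "unconfined" {
            print "lxc.aa_profile=unconfined: no AppArmor confinement, container root can reach host /sys and cgroups" }
        $1 == "lxc.mount.auto" && $2 == "" {
            print "lxc.mount.auto cleared: /proc, /sys and cgroup not mounted read-only/mixed" }
        $1 == "lxc.cap.drop" && $2 == "" {
            print "lxc.cap.drop cleared: container root keeps every capability" }'
}

# Number of risky settings in a config passed as a string.
count_weak_settings() {
    printf '%s\n' "$1" | weak_settings | wc -l | tr -d ' '
}

# Read `mount` output on stdin; exit 0 if a cgroup filesystem carrying the
# name=systemd option is mounted (what cgroupfs-mount sets up), else 1.
systemd_cgroup_mounted() {
    awk '$4 == "type" && $5 == "cgroup" && $6 ~ /[(,]name=systemd[,)]/ { ok = 1 }
         END { exit !ok }'
}

# Read `mount` output on stdin; print the cgroup hierarchies mounted under
# /sys/fs/cgroup, one per line (e.g. systemd, cpu, memory, devices).
cgroup_hierarchies() {
    awk '$4 == "type" && $5 == "cgroup" && $3 ~ /^\/sys\/fs\/cgroup\// {
             n = split($3, p, "/"); print p[n] }'
}

# Constructed sample: a container config with the first reply's three
# lines added (include path is the LXC 1.x default this example assumes).
WEAK_CONF='lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.rootfs = /var/lib/lxc/c7v/rootfs
lxc.utsname = c7v
lxc.aa_profile = unconfined
lxc.mount.auto =
lxc.cap.drop ='

# Constructed sample: same container keeping the default profile and an
# explicit (constructed) cap-drop list instead of clearing it.
SAFER_CONF='lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.rootfs = /var/lib/lxc/c7v/rootfs
lxc.utsname = c7v
lxc.aa_profile = lxc-container-default
lxc.cap.drop = mac_admin mac_override sys_time sys_module'

# Constructed `mount` output: a host with only the tmpfs at /sys/fs/cgroup,
# and one where the systemd hierarchy plus a few controllers are mounted.
MOUNT_BARE='/dev/sda1 on / type ext4 (rw,errors=remount-ro)
none on /sys/fs/cgroup type tmpfs (rw)'
MOUNT_OK='/dev/sda1 on / type ext4 (rw,errors=remount-ro)
none on /sys/fs/cgroup type tmpfs (rw)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)
cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)'

# Demo over the constructed samples. On a real host run
#   weak_settings < /var/lib/lxc/c7v/config    and    mount | cgroup_hierarchies
demo() {
    echo "== weak config: $(count_weak_settings "$WEAK_CONF") risky setting(s)"
    printf '%s\n' "$WEAK_CONF" | weak_settings | sed 's/^/   /'
    echo "== safer config: $(count_weak_settings "$SAFER_CONF") risky setting(s)"
    for mnt in "$MOUNT_BARE" "$MOUNT_OK"; do
        if printf '%s\n' "$mnt" | systemd_cgroup_mounted; then
            echo "== systemd cgroup present; hierarchies:" \
                 "$(printf '%s\n' "$mnt" | cgroup_hierarchies | tr '\n' ' ')"
        else
            echo "== no name=systemd cgroup mounted (install cgroupfs-mount)"
        fi
    done
}
demo
```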

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-12 Thread CDR
What changes do I need to do at the host level so my privileged systemd
containers may work?
I am using Ubuntu 14.04, and there is systemd

On Thu, Feb 12, 2015 at 3:00 AM, Fajar A. Nugraha  wrote:

> You DID read that I asked for "lxc-start -F"?
>
> It's entirely possible that your container's systemd freezes, thus
> nothing is listening on its tty1. And if you don't have systemd cgroup
> mounted on the host (which is what cgroupfs-mount is for), it would
> certainly be the case.
>
> --
> Fajar

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-12 Thread Fajar A. Nugraha
Do you have cgroupfs-mount installed?
Did you follow the steps I pasted?
Did you run "lxc-start -F" and look at the output?

On Thu, Feb 12, 2015 at 3:05 PM, CDR  wrote:
> > What changes do I need to do at the host level so my privileged systemd
> containers may work?
> I am using Ubuntu 14.04, and there is systemd

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-12 Thread CDR
mount
/dev/sda1 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
none on /sys/fs/pstore type pstore (rw)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)

I followed the steps

This is all I get
lxc-start -n c7v -F
mount: sysfs already mounted or /usr/lib/x86_64-linux-gnu/lxc/sys busy
mount: according to mtab, sysfs is mounted on /sys
systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc'.

Welcome to CentOS Linux 7 (Core)!

Failed to install release agent, ignoring: No such file or directory
Cannot add dependency job for unit display-manager.service, ignoring: Unit
display-manager.service failed to load: No such file or directory.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Delayed Shutdown Socket.
Failed to open /dev/autofs: No such file or directory
Failed to initialize automounter: No such file or directory
[FAILED] Failed to set up automount Arbitrary Executable File Formats File
System Automount Point.
See 'systemctl status proc-sys-fs-binfmt_misc.automount' for details.
Unit proc-sys-fs-binfmt_misc.automount entered failed state.
[  OK  ] Listening on Journal Socket.
 Mounting Huge Pages File System...
 Starting Create static device nodes in /dev...
 Starting Apply Kernel Variables...
 Starting Journal Service...
[  OK  ] Started Journal Service.
[  OK  ] Reached target Encrypted Volumes.
 Mounting Debug File System...
 Mounting POSIX Message Queue File System...
 Mounting FUSE Control File System...
On Thu, Feb 12, 2015 at 3:08 AM, Fajar A. Nugraha  wrote:

> Do you have cgroupfs-mount installed?
> Did you follow the steps I pasted?
> Did you run "lxc-start -F" and look at the output?
>
> On Thu, Feb 12, 2015 at 3:05 PM, CDR  wrote:
> > What changes do I need to do at the host level so my privileged systemd
> > containers may work?
> > I am using Ubuntu 14.04, and there is systemd
> >
> > On Thu, Feb 12, 2015 at 3:00 AM, Fajar A. Nugraha 
> wrote:
> >>
> >> You DID read that I asked for "lxc-start -F"?
> >>
> >> It's entirely possible that your container's systemd freezes, thus
> >> nothing is listening on its tty1. And if you don't have systemd cgroup
> >> mounted on the host (which is what cgroupfs-mount is for), it would
> >> certainly be the case.
> >>
> >> --
> >> Fajar
> >>
> >> On Thu, Feb 12, 2015 at 2:50 PM, CDR  wrote:
> >> > I cannot get past this
> >> > root@ubuserver:/var/lib/lxc/c7v# lxc-console -n c7v
> >> >
> >> > Connected to tty 1
> >> > Type  to exit the console,  to enter Ctrl+a
> >> > itself
> >> >

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-12 Thread Fajar A. Nugraha
OK. So first of all, the steps that I posted above are NOT, in any
way, official or supported by lxc. However, it works for me.

On Thu, Feb 12, 2015 at 3:23 PM, CDR  wrote:
> mount
> /dev/sda1 on / type ext4 (rw,errors=remount-ro)
> proc on /proc type proc (rw,noexec,nosuid,nodev)
> sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
> none on /sys/fs/cgroup type tmpfs (rw)
> none on /sys/fs/fuse/connections type fusectl (rw)
> none on /sys/kernel/debug type debugfs (rw)
> none on /sys/kernel/security type securityfs (rw)
> udev on /dev type devtmpfs (rw,mode=0755)
> devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
> none on /run/shm type tmpfs (rw,nosuid,nodev)
> none on /run/user type tmpfs
> (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
> none on /sys/fs/pstore type pstore (rw)
> systemd on /sys/fs/cgroup/systemd type cgroup
> (rw,noexec,nosuid,nodev,none,name=systemd)

Do you have systemd cgroup mounted?
# grep systemd /proc/mounts
systemd /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0

If not, try mounting it manually
# mkdir -p /sys/fs/cgroup/systemd
# mount -n -t cgroup -o rw,nosuid,nodev,noexec,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd systemd /sys/fs/cgroup/systemd

>
> I followed the steps
>
> This is all I get
> lxc-start -n c7v -F
> mount: sysfs already mounted or /usr/lib/x86_64-linux-gnu/lxc/sys busy
> mount: according to mtab, sysfs is mounted on /sys
> systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA
> +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
> Detected virtualization 'lxc'.
>
> Welcome to CentOS Linux 7 (Core)!
>
> Failed to install release agent, ignoring: No such file or directory
> Cannot add dependency job for unit display-manager.service, ignoring: Unit
> display-manager.service failed to load: No such file or directory.
> [  OK  ] Reached target Remote File Systems.
> [  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
> [  OK  ] Listening on Delayed Shutdown Socket.
> Failed to open /dev/autofs: No such file or directory
> Failed to initialize automounter: No such file or directory
> [FAILED] Failed to set up automount Arbitrary Executable File Formats File
> System Automount Point.
> See 'systemctl status proc-sys-fs-binfmt_misc.automount' for details.
> Unit proc-sys-fs-binfmt_misc.automount entered failed state.
> [  OK  ] Listening on Journal Socket.
>  Mounting Huge Pages File System...
>  Starting Create static device nodes in /dev...
>  Starting Apply Kernel Variables...
>  Starting Journal Service...
> [  OK  ] Started Journal Service.
> [  OK  ] Reached target Encrypted Volumes.
>  Mounting Debug File System...
>  Mounting POSIX Message Queue File System...
>  Mounting FUSE Control File System...
My GUESS is that you don't have systemd cgroup mounted. Here's what I have:

# lxc-start -F -n c7
mount: sysfs is already mounted or /usr/lib/x86_64-linux-gnu/lxc/sys busy
   sysfs is already mounted on /sys
systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX
+IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc'.

Welcome to CentOS Linux 7 (Core)!

Failed to insert module 'autofs4'
Failed to install release agent, ignoring: No such file or directory
Cannot add dependency job for unit display-manager.service, ignoring:
Unit display-manager.service failed to load: No such file or
directory.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Reached target Encrypted Volumes.
Failed to open /dev/autofs: No such file or directory
Failed to initialize automounter: No such file or directory
[FAILED] Failed to set up automount Arbitrary Executable File Formats
File System Automount Point.
See 'systemctl status proc-sys-fs-binfmt_misc.automount' for details.
Unit proc-sys-fs-binfmt_misc.automount entered failed state.
[  OK  ] Listening on Journal Socket.
 Starting Create static device nodes in /dev...
 Starting Apply Kernel Variables...
 Mounting Huge Pages File System...
 Starting Journal Service...
[  OK  ] Started Journal Service.
 Mounting FUSE Control File System...
 Mounting Debug File System...
 Mounting POSIX Message Queue File System...
[  OK  ] Reached target Swap.
 Starting Remount Root and Kernel File Systems...
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice User and Session Slice.
[  OK  ] Created slice System Slice.
[  OK  ] Reached target Slices.
[  OK  ] Created slice system-getty.slice.
[  OK  ] Started Create static device nodes in /dev.
[FAILED] Failed to start 
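
A small host-side check for the question raised above ("Do you have systemd cgroup mounted?"). This is an added example, not code from the thread or from the lxc project; it accepts both /proc/mounts lines and the parenthesised format of the `mount` command, and the sample lines are constructed from the output shown in this thread.

```shell
#!/bin/sh
# Added example: detect whether the host has a named "systemd" cgroup
# hierarchy mounted, which a systemd-based (CentOS 7) container needs.
# Input on stdin may be /proc/mounts lines ("dev mnt fstype opts 0 0")
# or `mount` lines ("dev on mnt type fstype (opts)"); returns 0 if found.
has_systemd_cgroup() {
    awk '{
            if ($2 == "on" && $4 == "type") {        # `mount` output format
                fstype = $5; opts = $6; gsub(/[()]/, "", opts)
            } else {                                 # /proc/mounts format
                fstype = $3; opts = $4
            }
            if (fstype == "cgroup" && opts ~ /(^|,)name=systemd(,|$)/) found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Constructed sample: only a tmpfs on /sys/fs/cgroup, no systemd hierarchy.
SAMPLE_MISSING='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
none /sys/fs/cgroup tmpfs rw,relatime 0 0'

# Constructed sample: same host after the manual mount suggested in the thread.
SAMPLE_PRESENT="$SAMPLE_MISSING
systemd /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0"

# Constructed sample in `mount` format, as pasted earlier in the thread.
SAMPLE_MOUNT_FMT='systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)'

# check_host: report the state of the host; argument is a file in
# /proc/mounts format (defaults to the live /proc/mounts).
check_host() {
    if has_systemd_cgroup < "${1:-/proc/mounts}"; then
        echo "systemd cgroup hierarchy is mounted"
    else
        echo "no name=systemd cgroup mount; mount it before starting a systemd container:"
        echo "  mkdir -p /sys/fs/cgroup/systemd"
        echo "  mount -n -t cgroup -o rw,nosuid,nodev,noexec,relatime,name=systemd systemd /sys/fs/cgroup/systemd"
        return 1
    fi
}
```

Run `check_host` on the host (or `check_host saved-mounts.txt` on a captured file) before `lxc-start -F`; a non-zero exit means the hierarchy is missing.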

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-12 Thread Fajar A. Nugraha
On Thu, Feb 12, 2015 at 5:20 PM, Fajar A. Nugraha  wrote:
> OK. So first of all, the steps that I posted above are NOT, in any
> way, official or supported by lxc. However it works for me.

Upon further tests, it seems I missed something. Sorry for the mix-up.

I actually tried two scenarios, one with config modifications and a
mount hook. That one runs, and indeed can use the default apparmor
profile. However, it still doesn't display anything on lxc-console with
that setup; I missed the lxc-console test for this one. The console login
prompt works though, so if you hang on "Mounting FUSE Control File
System", you are still missing something (probably the systemd cgroup mount on
the host).

The second scenario was with backported systemd, from f20 + ubuntu
vivid. This is the one where lxc-console works. You need to upgrade
systemd and related packages (use chroot) from http://goo.gl/7p3nUI,
RPMS folder. Use "yum install" so that all dependencies (e.g. kernel)
are also installed automatically.

-- 
Fajar

Re: [lxc-users] lxc-console not working on centos 7 container

2015-02-12 Thread Fajar A. Nugraha
On Thu, Feb 12, 2015 at 5:56 PM, Fajar A. Nugraha  wrote:
> The second scenario was with backported systemd, from f20 + ubuntu

That should be "with config modifications, mount hook, AND backported
systemd ..."

-- 
Fajar