Re: [Lxc-users] lxc-busybox template [features, fixes, future]
On 07/28/2011 04:16 PM, Charles Hewson wrote:

I have been experimenting with the template for a while. Have hacked a little. And, need the group's input.

Feature I have added - When busybox is not accessible or dynamically linked on host, get current stable binary from busybox.net. Debian (lenny, squeeze), Grml and others default to dynamic libraries. Some fail with current static busybox. With this feature in the template it is not necessary to adjust $PATH on host to create a container.

Fixed - only set up links for /lib64 /usr/lib64 if they exist on host; update functions to include all in busybox stable v1.18.4; restrict devices container can impact in $NAME/config; add /sys sysfs to rootfs tree; add tty's for lxc-console; others, this is a work in progress.

Future - Should root have a default passwd of toor which is expired, forcing change at first lxc-start? Should commands that affect host be removed from linkages (brctl, tunctl, etc.)? NOTE: this would not prevent container user from directly exec $ /bin/busybox brctl.

Will any of this impact the present usage of the template? I am currently testing on squeeze i686. Plan to post template/diff after testing on second hardware platform and more distros.

Charles, all these enhancements sound good to me. I will be glad to take your patches. Next week there is a lxc developer summit. I am planning to write an email to this list in order to collect the different features we want to add to lxc. I will add the different items you are proposing for busybox if you are ok with that.

Thanks
-- Daniel

___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
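As an added illustration of the "restrict devices container can impact in $NAME/config", "/sys sysfs" and "tty's for lxc-console" items above (this is not Charles's template nor lxc's shipped config; the container name, rootfs path, and the exact whitelist are assumptions chosen for a busybox rootfs), a $NAME/config of the lxc-0.7-era syntax could look like this. The weak form is simply having no lxc.cgroup.devices.* lines at all, which leaves the container's devices cgroup wide open; the corrected form denies everything and whitelists the handful of character devices a busybox container needs. The lxc.cap.drop line assumes an lxc version that supports that key:

```conf
# Added example config for a busybox container (assumed name and rootfs path).
lxc.utsname = busybox1
lxc.rootfs = /var/lib/lxc/busybox1/rootfs

# ttys for lxc-console and a private /dev/pts instance
lxc.tty = 4
lxc.pts = 1024

# /proc and /sys mounted inside the rootfs tree (absolute target paths)
lxc.mount.entry = proc /var/lib/lxc/busybox1/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs /var/lib/lxc/busybox1/rootfs/sys sysfs defaults 0 0

# Weak setting: no lxc.cgroup.devices.* lines at all. Root in the container
# can then mknod and open any host block or character device.
# Corrected setting: deny everything first, then whitelist by major:minor.
lxc.cgroup.devices.deny = a
# /dev/null, /dev/zero, /dev/random, /dev/urandom
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/tty, /dev/console, /dev/ptmx
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# /dev/tty0 plus tty1..tty4 to match lxc.tty = 4
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 4:2 rwm
lxc.cgroup.devices.allow = c 4:3 rwm
lxc.cgroup.devices.allow = c 4:4 rwm
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm

# Unlinking brctl/tunctl does not stop "/bin/busybox brctl"; removing the
# capability those commands need does. Assumes lxc.cap.drop is supported.
lxc.cap.drop = sys_module mknod net_admin
```

Note the trade-off in the last line: dropping net_admin also prevents ifconfig/ip inside the container, so it only fits a config where the host assigns the address (lxc.network.ipv4 and friends); sys_module and mknod have no such cost for a busybox container whose device nodes were created by the template on the host.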
Re: [Lxc-users] Mitigating LXC Container Evasion?
Hi Olivier

On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote: Furthermore system has SMACK enabled - Simplified Mandatory Access Control - a label based MAC. Each LXC container has its files and processes labeled differently - Labels which can't write the host system default label, so basically a root in a container can't make anything harmful on the host system. Same can be achieved _less easily_ with SELinux - Look at IBM papers.

Would you mind sharing your SMACK setup? Also, do you know how this applies to bind-mounted directories? Can I label a container's files when they are read-only bind-mounted from the host?

Thanks,
Andre
Re: [Lxc-users] Fedora 15 on Fedora 15 LXC with Libvirt
Hi,

This mailing list is intended for users of the lxc.sf.net toolsuite. While the libvirt lxc implementation is in many ways similar, there definitely are differences. I point this out because your first step has to be to get more debugging information, and I don't know that anyone here can help you with that.

Can you get systemd to copy all of its console output to a file which you can read later? We certainly are interested in helping, since it certainly seems you are suffering from the same problem we are. I'm just not sure how to have you get started.

Perhaps you can hack src/lxc/lxc_container.c lxcContainerSetStdio() to open a file '/debugoutput', and use that fd rather than ttyfd for the dup2()s? That might give you some better debug info.

You also might want to ask on the libvir mailing list, or oftc #virt irc channel.

-serge
Re: [Lxc-users] Fedora 15 on Fedora 15 LXC with Libvirt
Hi again,

Thanks, but no thanks on the libvirt mailing list. I found out that just reading their -devel ml was enough for me and combined with the trial and error method I was able to reach what I wanted a while ago, concerning SANs over FC, IB and building private cloud infras with libvirt and qemu, however I decline going that road again :).

On the other side, would someone be so kind to point me in the right direction (either documentation, source or anything else available) that I can follow so that I set up an lxc container just with the LXC tools. I probably decided to go the wrong way about this and use a framework I already know, trying to skip learning the nuts and bolts of LXC before going to libvirt.

I would like to know first of all, did someone get F15 or any other distro (I'm also using Arch a lot) running systemd on both host and container to run and if so, what were the steps followed. I searched google with a bunch of different criteria (lxc fedora 15, lxc fedora systemd, etc.) but from what I've been able to find, it seems no one is running lxc with systemd. I see people having success with upstart, but Debian and Ubuntu are just not my cup of tea, so I would like to stick to a RedHat based distro for a bunch of company reasons.

From what I gathered from the howto it seems I should run a hand made /sbin/init in the container, but with systemd I'm at a total loss, what exactly should I do. In F15 /sbin/init is actually a symlink to /bin/systemd. I would probably have better success with Arch in this regard, as I still have a proper rc.sysinit and /sbin/init that is not a symlink to /bin/systemd. Practically I'm lost here and without a hint of proper direction. I would try reading the howto again and will set up an lxc config file, but I still have the feeling it will be a fiasco, so any help would be greatly appreciated.
Thank you for the time you are spending reading my messages that I realize are half rants - half help requests

BR, ilf

On Mon, 2011-08-01 at 16:18 -0500, Serge Hallyn wrote: