Re: [Lxc-users] [PATCH 1/1] ubuntu template: use -updates and -security
Quoting Stéphane Graber (stgra...@ubuntu.com):
> On 11/10/2011 04:42 PM, Serge E. Hallyn wrote:
> > Particularly for LTS releases, which many people will want to use
> > in their containers, it is not wise to not use release-security
> > and release-updates. Furthermore the fix allowing ssh to allow the
> > container to shut down is in lucid-updates only.
> >
> > With this patch, after debootstrapping a container, we add -updates
> > and -security to sources.list and do an upgrade under chroot.
> > Unfortunately we need to do this because debootstrap doesn't know
> > how to.
>
> As mentioned on IRC, I think it'd be worth making sure no daemon will
> start when running dist-upgrade.
>
> This is usually done using:
>
> (cat << EOF
> #!/bin/sh
> exit 101
> EOF
> ) > /usr/sbin/policy-rc.d
> chmod +x /usr/sbin/policy-rc.d
>
> Then removing it once the dist-upgrade is done.

Awesome, thanks Stéphane - I had no idea about that. I was afraid we'd
have to do it inside the container itself, meaning we'd have to slow down
every container creation with an update, rather than just the cache image
creation.

I'll update my bzr tree first (probably not this morning or even today :( )
and send out a new patch against git later this week.

-serge

--
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
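The policy-rc.d guard Stéphane describes, wrapped around the chroot upgrade from the patch, as an added example that is not the lxc-ubuntu template's own code; the function names are assumptions, and the chroot step needs root and a debootstrapped rootfs.

```shell
# Added example, not the lxc-ubuntu template's code. invoke-rc.d consults
# /usr/sbin/policy-rc.d inside the rootfs and treats exit status 101 as
# "action forbidden", so package maintainer scripts run by dist-upgrade
# skip starting their daemons in the build chroot.

# Drop the guard into the (partial) rootfs.
install_policy_rc_d() {
    rootfs=$1
    mkdir -p "$rootfs/usr/sbin" || return 1
    cat > "$rootfs/usr/sbin/policy-rc.d" << 'EOF'
#!/bin/sh
exit 101
EOF
    chmod +x "$rootfs/usr/sbin/policy-rc.d"
}

# Remove it again so services start normally once the container boots.
remove_policy_rc_d() {
    rm -f "$1/usr/sbin/policy-rc.d"
}

# What invoke-rc.d would see: the guard's exit status (101 = forbidden).
policy_rc_d_status() {
    if "$1/usr/sbin/policy-rc.d" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Update and dist-upgrade the rootfs under chroot with the guard in place.
# Needs root and a debootstrapped $rootfs. The guard is removed even when
# apt-get fails, and the upgrade's status is returned to the caller.
# DEBIAN_FRONTEND=noninteractive keeps debconf from blocking on a prompt.
upgrade_chroot_without_daemons() {
    rootfs=$1
    install_policy_rc_d "$rootfs" || return 1
    if DEBIAN_FRONTEND=noninteractive chroot "$rootfs" apt-get update &&
       DEBIAN_FRONTEND=noninteractive chroot "$rootfs" apt-get dist-upgrade -y
    then
        rc=0
    else
        rc=$?
    fi
    remove_policy_rc_d "$rootfs"
    return $rc
}
```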
[Lxc-users] [PATCH 1/1] ubuntu template: use -updates and -security
Particularly for LTS releases, which many people will want to use in their
containers, it is not wise to not use release-security and release-updates.
Furthermore the fix allowing ssh to allow the container to shut down is in
lucid-updates only.

With this patch, after debootstrapping a container, we add -updates and
-security to sources.list and do an upgrade under chroot. Unfortunately we
need to do this because debootstrap doesn't know how to.

Signed-off-by: Serge Hallyn
---
 templates/lxc-ubuntu.in |   24 ++--
 1 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index d116f4c..a153433 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -105,9 +105,29 @@ download_ubuntu() return 1 fi -mv "$1/partial-$arch" "$1/rootfs-$arch" -echo "Download complete." +# Serge isn't sure whether we should avoid doing this when +# $release == `distro-info -d` +echo "Installing updates" +if [ -z "$MIRROR" ]; then +MIRROR="http://archive.ubuntu.com/ubuntu"; +fi +cat >> "$1/partial-${arch}/etc/apt/sources.list" << EOF +deb $MIRROR ${release}-updates main universe +deb $MIRROR ${release}-security main universe +EOF +chroot "$1/partial-${arch}" apt-get update +if [ $? -ne 0 ]; then +echo "Failed to update the apt cache" +return 1 +fi +chroot "$1/partial-${arch}" apt-get dist-upgrade -y +if [ $? -ne 0 ]; then +echo "Failed to upgrade the cache" +return 1 +fi +mv "$1/partial-$arch" "$1/rootfs-$arch" +echo "Download complete" return 0 }
--
1.7.5.4
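Review bot: the `apt-get dist-upgrade -y` run under chroot in this hunk lets package maintainer scripts start daemons in the build environment (the point Stéphane raises in the thread); install a `/usr/sbin/policy-rc.d` that exits 101 into `$1/partial-${arch}` before `apt-get update` and remove it after the dist-upgrade, and run both apt-get calls with `DEBIAN_FRONTEND=noninteractive` so that `-y` is not stalled by a debconf prompt. Two smaller points: neither failure path removes the `partial-${arch}` tree, so a failed upgrade leaves a half-upgraded cache with the appended sources.list lines behind; and the `# Serge isn't sure whether we should avoid doing this when $release == \`distro-info -d\`` comment should be resolved, or rewritten as a statement of what the code does, before this is merged.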
[Lxc-users] [PATCH 1/1] ubuntu template: add the new precise release
Signed-off-by: Serge Hallyn
---
 templates/lxc-ubuntu.in |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 2be8680..d116f4c 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -382,7 +382,7 @@ usage() { cat < --clean [-a|--arch] [-b|--bindhome ] [--trim] [-r|--release] -release: lucid | maverick | natty | oneiric +release: lucid | maverick | natty | oneiric | precise trim: make a minimal (faster, but not upgrade-safe) container bindhome: bind 's home into the container arch: amd64 or i386: defaults to host arch @@ -401,7 +401,7 @@ release=lucid if [ -f /etc/lsb-release ]; then . /etc/lsb-release case "$DISTRIB_CODENAME" in -lucid|maverick|natty|oneiric) +lucid|maverick|natty|oneiric|precise) release=$DISTRIB_CODENAME ;; esac
--
1.7.5.4
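Review bot: the supported release list now lives in two places that this patch had to change in step, the `release:` line in the usage() text of the first hunk and the `lucid|maverick|natty|oneiric|precise)` case pattern in the second; consider a single `releases="lucid maverick natty oneiric precise"` variable from which both the usage message and the match are derived, so that the next release needs a one-line change and the two cannot drift apart. The patch itself is otherwise fine to apply.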
Re: [Lxc-users] lxc-stop crashes the host
Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
> On Mon 2011-10-24 (18:56), Ulli Horlacher wrote:
>
> > vms1 is an Ubuntu 10.04 based host system (4 * Xeon 64bit) with:
> >
> > root@vms1:/lxc# uname -a
> > Linux vms1 2.6.38-11-server #50~lucid1-Ubuntu SMP Tue Sep 13 22:10:53 UTC
> > 2011 x86_64 GNU/Linux
>
> Today 2.6.38-12-server has come.
>
> > But when I try to stop this container with:
> >
> > root@vms1:/lxc# lxc-stop -n fex
> >
> > the host (vms1) crashes with a kernel traceback.
>
> The bug is still there. But I was able to localize what triggers this bug:
> I am able to start/stop the container if I do not use iptables inside the
> container. When I set my ipfilter rules with iptables and then try to stop
> the container, the host crashes again.

Daniel, one of your emails yesterday implied you've figured out the cause?
Is that the case?

thanks,
-serge
Re: [Lxc-users] [PATCH 1/1] Drop resolvconf from oneiric container package list
Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> On 10/24/2011 07:09 PM, Serge E. Hallyn wrote:
> > It prevents containers from getting a good resolv.conf without doing
> > ifdown eth0; ifup eth0.
> >
> > (see pad.lv/880020)
> >
> > Signed-off-by: Serge Hallyn
> > ---
>
> Applied.
>
> Thanks.

Thanks for applying these, Daniel :)

-serge
Re: [Lxc-users] Bug discussion: implementing high virtual device MAC addresses
Quoting Derek Simkowiak (de...@simkowiak.net):
> Serge,
> Thank you for looking at this.
>
> Serge> /However, I actually don't think it should happen the way you
> describe./
>
> I believe you have mis-read my description. I think we are
> actually in agreement with what is happening.

You're right :)

> You said:
>
> Serge> /So the mac address of the veth endpoint in the container
> should not matter./
>
> I think that is the same thing that I said:
>
> Derek> [The problem MAC address] is NOT the mac address specified in
> lxc.conf, like this:
> > > lxc.network.hwaddr = fe:16:3e:fd:5a:5b

Ah, right!

> That MAC address has nothing to do with the bug; the host's bridge
> device (br0) will never assume a configured LXC MAC address as its own.
>
>
> Also, you said:
>
> Serge> /The other endpoint, the veth which stays in the host's
> network namespace, that is the one which gets placed on the bridge./
>
> I agree, that is the address which causes the ~4 network second
> freeze. As I said in my original description:
>
> Derek>> ...the MAC address in question is the one of the virtual
> veth device, as shown with "ifconfig" on the host:
> > > veth0IEDlk Link encap:Ethernet HWaddr 4e:34:7c:dc:92:e8
> > > [...snip...]
>
> So, are we in agreement that the problem address is NOT the one
> in the LXC .conf file (as specified by the user), but instead is the
> "random" address of the veth device on the host?

Yes. So I think it's worth following up.

> Serge> /Hmm, I haven't seen this happen at all./
>
> I have seen it on Ubuntu 10.04, and there was an independent
> description of the same symptom (and a different but very similar
> work-around) filed in SourceForge here:
>
> http://sourceforge.net/tracker/index.php?func=detail&aid=3411497&group_id=163076&atid=826303
>
> (That's SF bug ID# 3411497.)
>
> As described in the libvirt bugfix for this issue (linked
> below), the reason some people see it and some people don't is that
> it only happens when the veth MAC address is lower than that of the
> physical eth0 device's MAC address. (That is how the Linux kernel
> handles it, by design. I don't know why.)

Right - I do remember when it came up in libvirt. Come to think of it,
the reason I don't see it much is that I don't, very often, bridge the
container nic and host nic together. But obviously for *real* people (not
fake ppl like me) that's a very important use case.

> Since the MAC address is randomly chosen, it is a random symptom
> that will vary from one NIC to another. Those who happen to have a
> high MAC address for eth0 will see it more frequently (but still
> randomly.) This is a major impact on production symptoms, where a
> ~4 second network freeze could trigger admin alerts and/or failover
> scripts. (Note the exact duration of the network freeze also
> depends on your switches and routers, and how they handle ARP
> caching.)

Yup. I think you should proceed with a patch. Patch the function
instanciate_veth() in src/lxc/conf.c to set the hwaddr on veth1 after
lxc_veth_create() but before the call to lxc_bridge_attach().
src/lxc/conf.c:setup_hw_addr() shows how to go about setting a mac
address. You'll presumably want to only set the first two bytes, leaving
the rest random. Libvirt used 0xFE. It did a SIOCGIFHWADDR ioctl to get
the mac address, overwrote the first two bytes with 0xFE, then did
SIOCSIFHWADDR to set the tweaked address.

Thanks!

-serge
Re: [Lxc-users] Bug discussion: implementing high virtual device MAC addresses
Quoting Derek Simkowiak (de...@simkowiak.net):
> Hello,
> Just following up re: this bug. I think it's a pretty serious issue.
>
> I am looking to work on this, but I am seeking some feedback and
> direction from one of the core LXC devs.
>
> - Do you agree with my analysis?
> - Has anyone else worked on this already?

Hmm, I haven't seen this happen at all. That doesn't mean it's not
possible. However, I actually don't think it should happen the way you
describe. Note that the veth passed in to the container is *not* assigned
to the bridge. The other endpoint, the veth which stays in the host's
network namespace, that is the one which gets placed on the bridge. So
the mac address of the veth endpoint in the container should not matter.

(Disclaimer: my being wrong is a not-infrequent event)

-serge

> etc.
>
>
> Thanks,
> Derek
>
> On 10/18/2011 04:31 PM, Derek Simkowiak wrote:
> > There is a behavior in the Linux kernel which can cause a bridge
> > device to change MAC address, thus causing a network blackout of several
> > seconds (while everybody ARPs the new MAC address flushes the old one).
> > This happens when bridging an enslaved interface, like we do with LXC.
> >
> > The symptom is that the LXC host will black out for several seconds
> > when starting or stopping an LXC container. Your SSH terminal on the
> > host will freeze and become unresponsive. (It is a random symptom,
> > because the blackout only happens if the randomly-assigned MAC address
> > of the virtual device is lower than that of the physical eth0 device).
> >
> > This behavior was first observed by the libvirt folks when creating
> > virtual machines. You can read more details about it (and how they
> > fixed it) here:
> >
> > https://www.redhat.com/archives/libvir-list/2010-July/msg00450.html
> > https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/584048
> >
> > I have observed the symptom under LXC, and the workaround for it
> > has been independently confirmed for LXC in this bug report (ID: 3411497):
> >
> > http://sourceforge.net/tracker/index.php?func=detail&aid=3411497&group_id=163076&atid=826303
> >
> > The workaround for the bug is to give the virtual device a high MAC
> > address, thus discouraging the bridge device from adapting its MAC
> > address as its own.
> >
> > I have mentioned this bug on the list before, however, I was
> > confused about which MAC address was causing the problem. This is NOT
> > the mac address specified in lxc.conf, like this:
> >
> > lxc.network.hwaddr = fe:16:3e:fd:5a:5b
> >
> > That MAC address has nothing to do with the bug; the host's bridge
> > device (br0) will never assume a configured LXC MAC address as its own.
> > Instead, the MAC address in question is the one of the virtual veth
> > device, as shown with "ifconfig" on the host:
> >
> > veth0IEDlk Link encap:Ethernet HWaddr 4e:34:7c:dc:92:e8
> > [...snip...]
> >
> > That HWaddr should be given a high prefix to avoid the network
> > blackouts, just like they've done for libvirt. That does not exist in
> > any config file anywhere; it must be fixed in the LXC source code.
> >
> > I looked in network.c for the LXC source code and I think the fix
> > should go in lxc_bridge_attach() near line 991. The fix would put a
> > manually-generated MAC address -- one with a high prefix -- into
> > ifr.ifr_hwaddr.sa_data and thus replace the random one assigned by the
> > kernel.
> >
> > However, I'm new to the LXC source and would like some input and
> > analysis from a more seasoned contributor. I would be happy to test and
> > maybe even contribute a patch, but I'd like some feedback first.
> >
> >
> > Thank You,
> > Derek Simkowiak
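The fix Serge sketches in his later reply to Derek (raise the first two bytes of the host-side veth's MAC to 0xFE with SIOCGIFHWADDR/SIOCSIFHWADDR before lxc_bridge_attach()), as an added example that is not LXC's or libvirt's code and serves both Derek's analysis above and Serge's instructions; the function names are assumptions, and only set_high_veth_mac() touches a real interface, which needs CAP_NET_ADMIN on Linux.

```c
/* Added example, not LXC code. A Linux bridge that has not been given an
 * explicit address uses the numerically lowest MAC among its ports, so a
 * random veth MAC that sorts below eth0's makes the bridge change address
 * when the port is attached, and the network stalls until ARP caches are
 * refreshed. Rewriting the first two bytes to 0xFE (what libvirt did)
 * keeps the veth above any real OUI. Names below are assumptions. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <net/if.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAC_LEN 6

/* Overwrite the first two bytes with 0xFE, keeping the random tail.
 * 0xFE has the locally-administered bit set and the multicast bit clear,
 * so the result is still a valid unicast address. */
void raise_mac_prefix(unsigned char mac[MAC_LEN])
{
    mac[0] = 0xfe;
    mac[1] = 0xfe;
}

/* 1 if a bridge currently using bridge_mac would switch to port_mac on
 * attach, i.e. port_mac sorts lower (memcmp compares as unsigned bytes). */
int bridge_would_adopt(const unsigned char bridge_mac[MAC_LEN],
                       const unsigned char port_mac[MAC_LEN])
{
    return memcmp(port_mac, bridge_mac, MAC_LEN) < 0;
}

/* Read ifname's current (random) MAC with SIOCGIFHWADDR, raise the prefix,
 * write it back with SIOCSIFHWADDR. Call on the host-side veth after it is
 * created and before it is put on the bridge. Returns 0, or -1 with errno. */
int set_high_veth_mac(const char *ifname)
{
    if (strlen(ifname) >= IFNAMSIZ) {
        errno = ENAMETOOLONG;
        return -1;
    }
#if defined(SIOCGIFHWADDR) && defined(SIOCSIFHWADDR)
    struct ifreq ifr;
    int fd, rc, saved;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    rc = ioctl(fd, SIOCGIFHWADDR, &ifr);
    if (rc == 0) {
        /* sa_family is ARPHRD_ETHER as returned by the kernel; keep it. */
        raise_mac_prefix((unsigned char *)ifr.ifr_hwaddr.sa_data);
        rc = ioctl(fd, SIOCSIFHWADDR, &ifr);
    }
    saved = errno;          /* close() must not clobber the ioctl's errno */
    close(fd);
    errno = saved;
    return rc == 0 ? 0 : -1;
#else
    errno = ENOTSUP;        /* no hwaddr ioctls on this platform */
    return -1;
#endif
}
```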
Re: [Lxc-users] lxc-stop crashes the host
Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
>
> vms1 is an Ubuntu 10.04 based host system (4 * Xeon 64bit) with:
>
> root@vms1:/lxc# uname -a
> Linux vms1 2.6.38-11-server #50~lucid1-Ubuntu SMP Tue Sep 13 22:10:53 UTC
> 2011 x86_64 GNU/Linux
>
> root@vms1:/lxc# lxc-version
> lxc version: 0.7.5
>
>
> I can start (Ubuntu 10.04) containers without problems:
>
> root@vms1:/lxc# lxc-start -f fex.cfg -n fex -d -o fex.log
>
> root@vms1:/lxc# lxc-info -n fex
> state: RUNNING
> pid: 4073
>
>
> But when I try to stop this container with:
>
> root@vms1:/lxc# lxc-stop -n fex
>
> the host (vms1) crashes with a kernel traceback.
>
> After reboot of vms1 no crash traces are found in /var/log/
>
> I have attached vms1 to a console server, where I can make screenshots:
>
> http://fex.rus.uni-stuttgart.de/tmp/vms1-crash.png
>
> It's a pity, but this console server (HP IP console) cannot log ASCII
> based, it is GUI only. I can make only screenshots and cannot scroll back,
> so the beginning of the kernel crash message is missing.
>
> Any tips for debugging or even problem solving?

Can you use some screencast program to grab the video as the error passes
by on the gui? Then export a .jpg from the screencast video?
[Lxc-users] [PATCH 1/1] Drop resolvconf from oneiric container package list
It prevents containers from getting a good resolv.conf without doing
ifdown eth0; ifup eth0.

(see pad.lv/880020)

Signed-off-by: Serge Hallyn
---
 templates/lxc-ubuntu.in |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 9a41a49..1ecfbbf 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -86,7 +86,7 @@ download_ubuntu() elif [ $release = "natty" ]; then packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase else - packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase,ubuntu-keyring + packages=dialog,apt,apt-utils,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase,ubuntu-keyring fi echo "installing packages: $packages"
--
1.7.5.4
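Review bot: the `natty` branch in the unchanged context just above the changed line still installs resolvconf, so after this hunk the two package lists differ only by that package and ubuntu-keyring; if pad.lv/880020 is specific to the oneiric resolvconf package, as the subject implies, a short comment above the `else` branch saying so would spare the next reader from "fixing" the asymmetry, and if it is not, natty should drop resolvconf in the same patch.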
Re: [Lxc-users] [PATCH] Define $hostname before its first use
Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> On 09/14/2011 10:27 PM, Serge E. Hallyn wrote:
> > Otherwise you get 'lxc.utsname =' in config, instead of the
> > actual hostname being filled in.
> >
> > https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/850205
> >
> > Index: lxc/src/lxc/lxc-clone.in
>
> Hi Serge,
>
> I was not able to apply this patch, it fails with:

No worries, looks like it got fixed in:

commit 27078f4422580c39dc451d79be90679992d3137e
Author: InformatiQ
Date:   Wed Aug 31 00:20:09 2011 +0200

    * allow cloning of non-snapshot lvm devices

thanks,
-serge
Re: [Lxc-users] Live Migration of LXC
Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> On 10/24/2011 02:07 PM, Ulli Horlacher wrote:
> > On Mon 2011-10-24 (12:03), Greg Kurz wrote:
> >
> > > C/R and live migration is a complicated matter for LXC containers.
> >
> > I have assumed nothing else...
> >
> >
> > > No status for the moment... I guess people who really want migration
> > > should participate
> >
> > Not every LXC (admin-)user is a kernel hacker, too. I am fluent in Perl
> > programming, but not in C.
> >
> >
> > > at least to show kernel maintainers there's a demand for it.
> >
> > How can we do this? Send mass e-mails (spam) to the kernel maintainers? :-)

Not out of the blue. But you can watch lkml and, when related emails come
by and, especially, when the community discusses whether the patches are
worthwhile, then chime in.

> Different approaches were proposed:
>
> * CR from userspace only : we know it is not possible to fully support
> the CR with this approach.

But since so far the alternative to this partial support is *zero*
support, I've been tempted to go back to one of these implementations.

> * CR from the kernel space : the CR is monolithic and is very intrusive
> in the different kernel subsystems and their interactions make the
> maintenance very complicated for the owner of the subsystem. This is why
> this approach has been nacked from the community.

It was never officially nacked, fwiw. But the effort appears to be dead,
and the effort has shifted to the hybrid approach.

> * a hybrid CR where the userspace collects CR information exported from
> the kernel. IMHO, this approach is the better in terms of maintenance
> and flexibility.

If some of those patches will make it upstream, then if nothing else we
can look into augmenting the purely-userspace c/r with that support.

> The latter is for the moment investigated by the containers@ community
> and AFAIK this approach has a better chance to be accepted but there is
> still a lot of work to do.

I personally feel pessimistic about it, but we'll see.

-serge
Re: [Lxc-users] Output from init in daemon mode
Quoting Ryan Campbell (ryan.campb...@gmail.com):
> I have an sshd container that I'm starting up in daemon mode:
>
> lxc-start -n sshd -d -l DEBUG -o /tmp/lxc.log
>
> I'd like to be able to see the output from the container's init process, but
> I don't see this in the log file. Is this a bug? Where is this output
> going?

Try '-c consolefile'. Manpage says that should work. (Or don't do -d and
read the console output from your terminal).

-serge
[Lxc-users] [PATCH 1/1] lxc-ubuntu: stop early if a bad user is specified in -b option
Otherwise we end up with a bad container fstab and a container that won't
boot.

See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/879052

Signed-off-by: Serge Hallyn
---
 templates/lxc-ubuntu.in |   18 +-
 1 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 9a41a49..f92c695 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -331,20 +331,21 @@ do_bindhome() rootfs=$1 user=$2 -# bind-mount the user's path into the container's /home -h=`getent passwd $user | cut -d: -f 6` -mkdir -p $rootfs/$h -echo "$h $rootfs/$h none bind 0 0" >> $path/fstab - # copy /etc/passwd, /etc/shadow, and /etc/group entries into container pwd=`getent passwd $user` if [ $? -ne 0 ]; then echo 'Warning: failed to copy password entry for $user' + return else echo $pwd >> $rootfs/etc/passwd fi shad=`getent shadow $user` echo $shad >> $rootfs/etc/shadow + +# bind-mount the user's path into the container's /home +h=`getent passwd $user | cut -d: -f 6` +mkdir -p $rootfs/$h +echo "$h $rootfs/$h none bind 0 0" >> $path/fstab } clean() @@ -437,6 +438,13 @@ do esac done +pwd=`getent passwd $bindhome` +if [ $? -ne 0 ]; then +echo "Error: no password entry found for $bindhome" +exit 1 +fi + + if [ "$arch" == "i686" ]; then arch=i386 fi
--
1.7.5.4
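Review bot: in the do_bindhome() hunk the added bare `return` on a missing passwd entry carries no status (it returns the exit status of the preceding `echo`, which is 0), so the caller cannot tell that nothing was bound; make it `return 1`. The warning on the line above it is in single quotes, so `$user` is printed literally; use `echo "Warning: failed to copy password entry for $user"`. Moving the bind-mount below the getent check is the right order, since it is the fstab line written for a non-existent home that breaks the container boot.

Review bot: the new check in the second hunk runs `getent passwd $bindhome` unconditionally, so unless $bindhome is guaranteed non-empty when -b is not given, every invocation without --bindhome will now exit with "no password entry found"; wrap it in `if [ -n "$bindhome" ]; then ... fi` and quote the expansion as `"$bindhome"`. With this check in place the do_bindhome() fallback from the first hunk is only reached if the user disappears between the two lookups, which is worth a comment. The two added blank lines before `if [ "$arch" == "i686" ]` can go.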
Re: [Lxc-users] cannot start any more any container?!
Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
> On Thu 2011-10-20 (16:39), Ulli Horlacher wrote:
> > On Thu 2011-10-20 (09:18), Serge E. Hallyn wrote:
> >
> > > > And everytime I run lxc-start I get a new veth interface:
> > > >
> > > > root@vms1:/lxc# ifconfig | grep veth
> > > > vethCmnezx Link encap:Ethernet HWaddr 3e:d6:06:4e:26:ae
> > > > vethFGQBYd Link encap:Ethernet HWaddr fe:0e:3c:f1:15:8c
> > > > vethL8qOhT Link encap:Ethernet HWaddr de:55:6e:db:82:7a
> > > > vethMBfmpb Link encap:Ethernet HWaddr 4a:00:a6:e0:ce:b8
> > > > vethMwcqoU Link encap:Ethernet HWaddr a6:d9:b8:d1:37:77
> > > > vethOYkLQf Link encap:Ethernet HWaddr 7a:3a:bd:cd:d0:51
> > > > vethP1BDUb Link encap:Ethernet HWaddr 52:de:98:d8:5a:71
> > > >
> > > >
> > > > Any idea?
> > >
> > > Ah, that's an old kernel bug. Someone (Daniel?) should remember where it
> > > got fixed offhand.
> >
> > root@vms1:/opt/src# uname -a
> > Linux vms1 2.6.35-30-server #60~lucid1-Ubuntu SMP Tue Sep 20 22:28:40 UTC
> > 2011 x86_64 GNU/Linux
> >
> > root@vms1:/opt/src# dpkg -l | grep linux-image
> > ii linux-image-2.6.35-30-server 2.6.35-30.60~lucid1
> >    Linux kernel image for version 2.6.35 on x86_64
> > ii linux-image-server-lts-backport-maverick 2.6.35.30.38
> >    Linux kernel image on Server Equipment.
>
> Which kernel should I use instead?

First google hit shows
http://kerneltrap.org/mailarchive/linux-kernel/2010/12/6/4655591

So I guess 2.6.37-rc4 or later should be safe but i'm not sure what
exactly was the fixing patch.

According to
http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg01394.html
removing the ipv6 address may be a workaround?

-serge
Re: [Lxc-users] cannot start any more any container?!
Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
> On Thu 2011-10-20 (09:00), Papp Tamas wrote:
> > On 10/20/2011 12:54 AM, Ulli Horlacher wrote:
> >
> > > On Wed 2011-10-19 (22:11), Papp Tamas wrote:
> > >
> > > > What version of lxc package do you use?
> > > See my first mail:
> > >
> > > lxc version: 0.7.4.1
> >
> > Well, I don't see anything like this. Actually I use 0.7.5. Try to upgrade.
>
> 0.7.5 is out? Ok, I will install it!
>
> > What do you see in system logs?
>
> How stupid of me! I should have checked it first.
>
> lxc-start -f /data/lxc/vmtest1.cfg -n vmtest1 -d -o /data/lxc/vmtest1.log
>
> /var/log/kern.log :
>
> 2011-10-20 15:44:39 [856474.455886] device vethP1BDUb entered promiscuous mode
> 2011-10-20 15:44:39 [856474.457199] ADDRCONF(NETDEV_UP): vethP1BDUb: link is not ready
> 2011-10-20 15:44:43 [856478.670026] unregister_netdevice: waiting for lo to become free. Usage count = 3
> 2011-10-20 15:44:54 [856488.810020] unregister_netdevice: waiting for lo to become free. Usage count = 3
> 2011-10-20 15:45:04 [856498.950026] unregister_netdevice: waiting for lo to become free. Usage count = 3
> 2011-10-20 15:45:14 [856509.090021] unregister_netdevice: waiting for lo to become free. Usage count = 3
> 2011-10-20 15:45:24 [856519.230023] unregister_netdevice: waiting for lo to become free. Usage count = 3
> 2011-10-20 15:45:34 [856529.370022] unregister_netdevice: waiting for lo to become free. Usage count = 3
> (...)
>
> And everytime I run lxc-start I get a new veth interface:
>
> root@vms1:/lxc# ifconfig | grep veth
> vethCmnezx Link encap:Ethernet HWaddr 3e:d6:06:4e:26:ae
> vethFGQBYd Link encap:Ethernet HWaddr fe:0e:3c:f1:15:8c
> vethL8qOhT Link encap:Ethernet HWaddr de:55:6e:db:82:7a
> vethMBfmpb Link encap:Ethernet HWaddr 4a:00:a6:e0:ce:b8
> vethMwcqoU Link encap:Ethernet HWaddr a6:d9:b8:d1:37:77
> vethOYkLQf Link encap:Ethernet HWaddr 7a:3a:bd:cd:d0:51
> vethP1BDUb Link encap:Ethernet HWaddr 52:de:98:d8:5a:71
>
>
> Any idea?

Ah, that's an old kernel bug. Someone (Daniel?) should remember where it
got fixed offhand.

-serge
Re: [Lxc-users] A footing for lxc - a fitted distribution
Quoting Daniel Baumann (daniel.baum...@progress-technologies.net):
> On 10/20/2011 11:25 AM, Clemens Perz wrote:
> > does anybody know about a minimized, actively maintained distribution,
> > that brings everything to run a container, and thats it?
>
> being a debian developer (and maintainer of lxc in debian), i'm doing
> that in the form of a state-of-the-art debian derivative, see
> http://www.progress-linux.org/. in my total biased opinion, it is the
> best available debian based system for lxc host and container systems.
>
>
> the 1.0.x releases are squeeze plus required fixes for lxc (and a few
> other things that just are broken in debian stable).
>
> if you want newer stuff (like current lxc or kernels), you can go with
> 1.9.x (which is squeeze plus fixes plus backports of certain key
> packages). however, until the first 1.9.x release images are ready
> (needs some backports of debian-installer), you can't install it
> directly but have to install 1.0.x, enable backports, and run apt-get
> update && apt-get upgrade.
>
> the current so called 'server-lxc' images are ~250mb and are combined
> live and installer iso-hybrid images (can be written to optical media as
> well as dumped to usb sticks).

Hey, that's neat - thanks, Daniel :)

-serge
Re: [Lxc-users] Launching init in a container as non-root
Quoting Papp Tamas (tom...@martos.bme.hu):
> On 10/18/2011 04:47 PM, Serge E. Hallyn wrote:
> >
> > http://wiki.ubuntu.com/UserNamespace
> >
> > I've got a few patches to send yet for tightening down some remaining
> > privilege leaks, then we should be ready to start relaxing things to make
> > them usable. This includes Eric's simple implementation of assigning a
> > superblock to a user namespace. My current tree is at
> > http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns
> >
> > (Please feel free to join in!)
> >
>
> When can it be expected to be available in the stock kernel?

Depends on how many people join in? :) I'm hoping they'll be somewhat
usable (including basic VFS support) sometime during 2012.
Re: [Lxc-users] Launching init in a container as non-root
Quoting Ryan Campbell (ryan.campb...@gmail.com):
> fedora 13
> lxc 0.7.2-1.fc13
>
> I've used lxc-setcap to allow non-root to run lxc-start. This seems to
> work OK, until LXC attempts to launch init. Init fails with "init:
> Need to be root".
>
> I would expect init to be launched using the 0 UID of the container.
> However, from what I've read, UID namespaces are not complete yet.
>
> Is this correct? Should one expect that once UID namespaces are
> implemented within lxc, that one should be able to launch processes as
> "root" within the container, but have them run as non-root from the
> perspective of the host?

Yes.

> Is there anywhere I can read more about this?

http://wiki.ubuntu.com/UserNamespace

I've got a few patches to send yet for tightening down some remaining privilege leaks, then we should be ready to start relaxing things to make them usable. This includes Eric's simple implementation of assigning a superblock to a user namespace. My current tree is at http://kernel.ubuntu.com/git?p=serge/linux-2.6.git;a=shortlog;h=refs/heads/userns

(Please feel free to join in!)

thanks,
-serge
Re: [Lxc-users] [lxc] [autofs nfs V4/V3] umount_autofs_indirect:279: ioctl failed: Permission denied
Quoting LACROIX Jean Marc (jeanmarc.lacr...@free.fr):
> hi mailing list,
>
> I am running Debian Squeeze (V6.02) container with lxc 0.7.2-1
> I have a problem with autofs daemon on lxc container

We know there are some problems with autofs and namespaces. If you try to automount a dir in a container you get back 'too many symbolic links', for instance. AFAIK no one has had the time to look into this further. If you are so inclined, by all means please feel free to look at the autofs code in more detail.

-serge
Re: [Lxc-users] Ubuntu /etc/init.d/xinetd kills container's xinetd
Quoting Ulli Horlacher (frams...@rus.uni-stuttgart.de):
> On Thu 2011-10-06 (09:14), Ulli Horlacher wrote:
>
> > > Then attach the patch to the bug making sure that it's flagged as a
> > > patch. This should ensure someone will look at it, sadly not for Oneiric
> > > (11.10) but hopefully for Precise (12.04).
> > >
> > > Launchpad lets you mark a bug as affecting multiple packages, so I'd
> > > suggest you add a "task" to any other package showing the same bug
> >
> > ok, done.
>
> Result:
>
> From: Robie Basak <868...@bugs.launchpad.net>
> To: frams...@rus.uni-stuttgart.de
> Subject: [Bug 868538] Re: /etc/init.d/xinetd kills LXC container's xinetd
> Date: Thu, 06 Oct 2011 09:41:03 -
>
> Setting Importance to Low as this bug applies only to an unusual
> configuration and there is a workaround available.

Hi Ulli,

are you going to submit the Debian bug, or should I do it? If I do, I'll just send an email to sub...@bugs.debian.org starting with

Package: xinetd
Version: 1:2.3.14-7

Ulli Horlacher reports:

and proceeding with the body of the description from your bug.

thanks,
-serge
Re: [Lxc-users] New LXC Creation Script: lxc-ubuntu-x
Quoting Jäkel, Guido (g.jae...@dnb.de):
> > I think there is about 80% overlap between the two projects but
> > enough differences to be interesting. I'll take a closer look at your
> > script looking for ideas I may have missed, and I invite you to do the same.
>
> @Derek: well-spoken.
>
> @Daniel & Serge: Is there already something like a Wiki to collect such
> "contribute" work? I think there are many more people around here who have
> developed such tools around LXC: focused on their own requirements and
> conditions and therefore not fitted to publish to the community. But useful
> to study for others to take an idea of it for own purposes.

I've just created https://wiki.ubuntu.com/lxc. Please feel free to add your own or, Derek and Uli, please fill in your own description of yours :)

thanks,
-serge
Re: [Lxc-users] New LXC Creation Script: lxc-ubuntu-x
Quoting Daniel Baumann (daniel.baum...@progress-technologies.net):
> On 09/30/2011 03:21 PM, Serge E. Hallyn wrote:
> > Thanks, Derek, at a first glance this looks pretty neat. I'll have to
> > try it out (and package it, if no one else does) when I get a bit more time.
>
> i think it's the wrong approach, at least for those cases where one is
> creating debian based containers on a debian based system. there,
> debconf is so much more convenient to use. which reminds me to finally
> merge the lxc-debian-with-debconf template into the lxc debian package.

Hi Daniel,

I'm sorry I still haven't sent you the debian->ubuntu delta. I'm hoping things will settle down next week. At this point I'll need to do a new merge against upstream again (into a ppa, as we'll be in freeze until end of October), and then anything remaining that is sane I'll send back to you.

As far as lxc-ubuntu-x, I actually think I'm more likely to start using openstack locally to quickly create containers, and in the past I've been happy with lxc-clone on lvm, but this looks flexible for deployments.

I look forward to seeing your lxc-debian-with-debconf!

thanks,
-serge
Re: [Lxc-users] New LXC Creation Script: lxc-ubuntu-x
Quoting Derek Simkowiak (de...@simkowiak.net):
> Hello,
> I have just published a new Open Source LXC container creation
> script, called lxc-ubuntu-x. It implements all the latest "best
> practices" I found on the web, and introduces some new features. I am
> using this script in a production environment, and I invite you to check
> it out:
>
> http://derek.simkowiak.net/lxc-ubuntu-x/

Thanks, Derek, at a first glance this looks pretty neat. I'll have to try it out (and package it, if no one else does) when I get a bit more time.

-serge
Re: [Lxc-users] lxc and moving containers around while running (aka live migration)
Quoting Thomas Schweikle (t...@vr-web.de):
> Hi!
>
> I'd like to migrate containers from one host to another while they
> are running. Is this possible? It is for kvm guests. For lxc-guests too?

No. Some people are working on a new set of checkpoint/restart patches, but that'll be a while and might come to nothing. I am tempted though to revisit the user-space cryo patchset for very simple containers. But don't wait for me.

> And if yes --- any hint where to find information how to set it up?

-serge
Re: [Lxc-users] LXC, Python 2.6, and Multiprocessing.synchronize
Quoting Robert Pendell (shi...@elite-systems.org):
> python crash
> Traceback (most recent call last):
>   File "/home/shinji/trunk/chromite/bin/parallel_emerge", line 116, in <module>
>     KILLED = multiprocessing.Event()
>   File "/usr/lib64/python2.6/multiprocessing/__init__.py", line 206, in Event
>     return Event()
>   File "/usr/lib64/python2.6/multiprocessing/synchronize.py", line 268, in __init__
>     self._cond = Condition(Lock())
>   File "/usr/lib64/python2.6/multiprocessing/synchronize.py", line 117, in __init__
>     SemLock.__init__(self, SEMAPHORE, 1, 1)
>   File "/usr/lib64/python2.6/multiprocessing/synchronize.py", line 49, in __init__
>     sl = self._semlock = _multiprocessing.SemLock(kind, value, maxvalue)
> OSError: [Errno 38] Function not implemented

Could also be that the userspace isn't set up quite right - i.e. the wrong syscall numbers listed in the include files or libraries. But yes, it called a syscall number that is not defined. Could've been worse, it could have called a syscall # for a different syscall, that can get tough to diagnose :)

-serge
Re: [Lxc-users] pivot_root fails on Fedora 15 host
Quoting Mark Clarkson (mark.clark...@smorg.co.uk):
> Hi,
> On a Fedora 15 host (systemd) with lxc 0.7.5, centos container fails to
> start:
>
> ... mountpoint for old rootfs is '/usr/local/lib/lxc/rootfs/mnt'
> ... ERROR lxc_conf - Invalid argument - pivot_root syscall failed
> ... ERROR lxc_conf - failed to setup pivot root
> ... ERROR lxc_conf - failed to set rootfs for 'centos'
>
> I changed source to chroot instead of pivot_root and container now
> starts.
>
> Any ideas what's wrong with pivot_root and how to fix?

/ (or, even worse, the old / from initramfs) is probably MS_SHARED. You can try doing 'mount --make-rprivate /' in an early init script, and if that doesn't work, also in your initrd's init.

-serge
Re: [Lxc-users] how to mount inside of running container
Quoting Arie Skliarouk (sklia...@gmail.com):
> I want to bind-mount a directory inside of a running container.
> If I mount the directory using bind mount, the container does not see
> files in it.
>
> It is important to me to be able to do the mounts and umounts from the
> host machine, as we are dealing with LVM snapshots.

If it's ok to do it ahead of time, then you can use mount entries in your config file. If you want to be able to just manually run the mount command from the host at any time, then you'll need to create a directory for the sharing and mount that into your container ahead of time. For instance,

mkdir /share/containerX
mkdir /var/lib/lxc/containerX/rootfs/share
mount -t tmpfs share /share/containerX
mount --make-rshared /share/containerX
mount --make-rslave /share/containerX
cat >> /var/lib/lxc/containerX/fstab << EOF
/share/containerX /var/lib/lxc/containerX/rootfs/share none bind 0 0
EOF
lxc-start -n containerX -d

Now when you mount something under /share/containerX, it will show up under /share in the container. I.e.

-serge
Re: [Lxc-users] lxc-start fails when / is a shared mount
It'd be worth asking Ram about that. It's possible he was being overly cautious as this was new ground, but it seems likely there was a good reason for it.

Heck, rather than guessing, cc:ing Ram. Ram, can you explain the need for all three parts of that check at pivot_root():

+ if (IS_MNT_SHARED(old_nd.mnt) ||
+     IS_MNT_SHARED(new_nd.mnt->mnt_parent) ||
+     IS_MNT_SHARED(user_nd.mnt->mnt_parent))

?

thanks,
-serge

Quoting Marios Titas (redneb8...@gmail.com):
> It seems that the kernel commit
> 210327fa01b2f3f65e355120a78211685702 from 2005 is the culprit.
> It's the commit that implemented mount --move in presence of shared
> mounts. It added a check in fs/namespace.c that makes pivot_root fail
> when the old root is marked as a shared mount. I don't understand the
> reason for that.
>
> On Mon, Sep 19, 2011 at 09:35, Serge Hallyn wrote:
> > Quoting Marios Titas (redneb8...@gmail.com):
> > > Hi list,
> > >
> > > I just ran into this problem: If you do
> > > # mount --make-shared /
> > > to mark / as a shared mount then lxc-start fails when you have
> > > specified a lxc.rootfs in the configuration file. The error that
> > > lxc-start gives is the following:
> > > Invalid argument - pivot_root syscall failed
> > > Is this the normal behavior or is this a kernel bug?
> >
> > It is normal behavior. Perhaps lxc should fall back to chroot when
> > pivot_root fails.
> >
> > -serge
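The bind-mount recipe in the "how to mount inside of running container" thread depends on propagation flags, and both pivot_root threads trace the EINVAL to a shared root, so here is a small check for that state (an added example, not code from the list or from lxc itself): it parses the optional fields of /proc/self/mountinfo to report a mountpoint's propagation type and flags a shared / before lxc-start trips over it. The mountinfo listings below are constructed samples, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the list thread or the lxc sources): report the
# propagation type of a mountpoint from a mountinfo listing, and use that to
# pre-check the "pivot_root syscall failed" condition discussed above.
#
# /proc/self/mountinfo fields: id parent maj:min root mountpoint opts
# [optional fields...] - fstype source superopts.  Propagation lives in the
# optional fields: "shared:N" (peer group N), "master:N" (slave of group N),
# "unbindable".  A mount can be shared and slave at the same time.

# mount_propagation MOUNTINFO MOUNTPOINT
# Prints one of: shared, slave, shared-slave, unbindable, private, absent.
# Note: mountinfo octal-escapes spaces in paths (a space is "\040"), so pass
# the mountpoint in that escaped form if it contains one.
mount_propagation() {
    awk -v mp="$2" '
        $5 == mp {
            shared = 0; slave = 0; unbind = 0
            # optional fields run from field 7 up to the lone "-" separator
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unbind = 1
            }
            if (unbind) print "unbindable"
            else if (shared && slave) print "shared-slave"
            else if (shared) print "shared"
            else if (slave) print "slave"
            else print "private"
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# pivot_root_precheck MOUNTINFO
# lxc-start's pivot_root() fails with EINVAL when the old root is a shared
# mount (Serge's diagnosis in the threads above).  Returns 0 when / is not
# shared, 1 when it is, in which case "mount --make-rprivate /" is the fix
# suggested there.
pivot_root_precheck() {
    case "$(mount_propagation "$1" /)" in
        shared|shared-slave) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample listings (not captured from a real host).
# Host A: / is shared, plus a share directory that is both shared and slave,
# a private mount, an unbindable one and a plain slave.
SAMPLE_SHARED_ROOT=$(mktemp)
cat > "$SAMPLE_SHARED_ROOT" <<'EOF'
1 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
20 1 0:17 / /share/containerX rw,relatime shared:5 master:1 - tmpfs share rw
21 1 0:18 / /mnt/private rw,relatime - tmpfs none rw
22 1 0:19 / /mnt/unbind rw,relatime unbindable - tmpfs none rw
23 1 0:20 / /mnt/slave rw,relatime master:1 - tmpfs none rw
EOF
# Host B: / is private, as on a host where pivot_root succeeds.
SAMPLE_PRIVATE_ROOT=$(mktemp)
cat > "$SAMPLE_PRIVATE_ROOT" <<'EOF'
1 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
EOF

# Against the live system: mount_propagation /proc/self/mountinfo /
if pivot_root_precheck "$SAMPLE_SHARED_ROOT"; then
    echo "host A: / is not shared, pivot_root should be fine"
else
    echo "host A: / is shared, expect 'pivot_root syscall failed'"
fi
pivot_root_precheck "$SAMPLE_PRIVATE_ROOT" && echo "host B: / is not shared"
```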
Re: [Lxc-users] Help regarding lxc
Quoting nishant mungse (nishantmun...@gmail.com):
> Hi all
>
> I am using lxc for creating containers.
>
> But when i create lxc container using "lxc-create -n abc" it creates an abc

Exactly what command did you use? Please list the configuration file as well. I will try to reproduce.
Re: [Lxc-users] Problem with lxc
Quoting Kristian Kirilov (d3v1...@d3v1ous.info):
...
> lxc-checkconfig shows this status:
>
> blackbird:~# lxc-checkconfig
> Kernel config /proc/config.gz not found, looking in other places...
> Found kernel config file /boot/config-3.0.4
> --- Namespaces ---
> Namespaces: enabled
> Utsname namespace: enabled
> Ipc namespace: enabled
> Pid namespace: enabled
> User namespace: enabled
> Network namespace: enabled
> Multiple /dev/pts instances: enabled
>
> --- Control groups ---
> Cgroup: enabled
> Cgroup namespace: required

This one should be fine to ignore. I've sent a patch to not warn about this when there's not an actual problem. Do you get a failure when you actually try to start a container?

> Cgroup device: enabled
> Cgroup sched: enabled
> Cgroup cpu account: enabled
> Cgroup memory controller: enabled
> Cgroup cpuset: enabled
>
> --- Misc ---
> Veth pair device: enabled
> Macvlan: enabled
> Vlan: enabled
> File capabilities: enabled
>
> Note : Before booting a new kernel, you can check its configuration
> usage : CONFIG=/path/to/config /usr/local/bin/lxc-checkconfig
>
> blackbird:~#
>
> Can somebody help me fix this issue?
> Thanks
[Lxc-users] [PATCH 1/1] lxc-clone: fix dhclient.conf send hostname command
End the command with ';', which is needed, and put the hostname in quotes (which doesn't really seem needed, but shown in man page).

Signed-off-by: Serge Hallyn

--- src/lxc/lxc-clone.in |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/lxc/lxc-clone.in b/src/lxc/lxc-clone.in index 657486d..38369d8 100644 --- a/src/lxc/lxc-clone.in +++ b/src/lxc/lxc-clone.in @@ -252,7 +252,7 @@ echo "Updating rootfs..." # so you can 'ssh $hostname.' or 'ssh $hostname.local' if [ -f $rootfs/etc/dhcp/dhclient.conf ]; then - sed -i "s/send host-name.*$/send host-name $hostname/" $rootfs/etc/dhcp/dhclient.conf + sed -i "s/send host-name.*$/send host-name \"$hostname\";/" $rootfs/etc/dhcp/dhclient.conf fi # set the hostname -- 1.7.5.4
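Review bot: `$hostname` is interpolated unescaped into the sed replacement on the `+` line, so a container name containing `/` breaks the expression and one containing `&` (which sed expands to the matched text) corrupts the result; since lxc-clone derives the hostname from the new container name, either reject such names up front or escape them before the `sed -i`. The unquoted `$rootfs/etc/dhcp/dhclient.conf` argument has the same word-splitting problem for paths with spaces.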
Re: [Lxc-users] Help troubleshooting declining performance / high %SI CPU when running 9 Ubuntu 10.04 LXCs
In addition to needing the info Iliyan mentioned - what kernel are you running? Is it a standard backport kernel? Do you know if a kernel update coincides with the performance degradation showing up?

Quoting Iliyan Stoyanov (i...@ilf.me):
> Hi Ivan,
>
> you should probably do a monitoring with iostat and vmstat also. On the
> top of my head I can think of at least 3 or 4 reasons why this might be
> happening. I have similar problems with a simple laptop machine without
> LXC containers on it (and don't have such on a server with a bunch of
> containers on it). In my experience with bad SI everything always comes
> back to being RAM related. Also check your filesystem performance. Most of
> the FSes nowadays keep a ton of the journalling info in RAM. I know my
> response is not exactly an answer to your specific question but I hope
> it might give you some pointers for better monitoring of the situation.
>
> BR,
>
> --ilf
>
> On Thu, 2011-09-15 at 09:12 -0600, Ivan Fetch wrote:
> >
> > Hello,
> >
> > I've inherited a Sun 4540 (thumper) machine running 9 LXC containers.
> > During the past few weeks we've been troubleshooting a decline in
> > performance, which ends up in high %SI (software interrupt) CPU usage. I'm
> > hoping someone here can help troubleshoot and narrow down what the real
> > issue is - this one really has me stumped.
> >
> > This box has 48 disks, 5 RAID6 which are in a RAID0, using md. Two NICs are
> > bonded together, and a bridge is used for the box's IP, and the LXC network
> > interfaces.
> >
> > Linux is Ubuntu 10.04, LXC 0.6.3, containers are also 10.04. Containers
> > run Apache, some custom image processing, gaussian, and FTP server...
> >
> > The box performs well after a reboot, with all containers back online.
> > After ~5 days, we notice that the box is sluggish, and backup jobs
> > (Netbackup) get less than 1Mb/sec over the network. CPU eventually reaches
> > 61% SI. Other processes (I am looking at ps -ax -o pcpu . |sort -n)
> > begin taking much higher percent CPU than they should need, I imagine
> > because the high %SI is taking cycles; E.G. I'll briefly see ps or sort or
> > a shell using 6% CPU. Top shows %sy between 5-20, %wa under 5.
> > Memory (32Gb) is mostly used for cache, and there is no swapping.
> >
> > I know next-to-nothing about tracking down the cause for high %SI CPU usage.
> >
> > Thanks for any help looking at this with a clear head,
> >
> > - Ivan
[Lxc-users] [PATCH 1/1] ubuntu template: allow containers to create tap devices
Thought I had sent this before, but I don't find it anywhere.

Signed-off-by: Serge Hallyn

--- templates/lxc-ubuntu.in |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 05d71b9..95b218a 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -199,6 +199,8 @@ lxc.cgroup.devices.allow = c 5:2 rwm lxc.cgroup.devices.allow = c 254:0 rwm #fuse lxc.cgroup.devices.allow = c 10:229 rwm +#tun +lxc.cgroup.devices.allow = c 10:200 rwm EOF cat < $path/fstab -- 1.7.5.4
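Review bot: the `+#tun` tag matches the style of the neighbouring `#fuse` entry, but neither the template nor the commit message says what the new `lxc.cgroup.devices.allow = c 10:200 rwm` line is for or that it is granted to every container created from this template; a short comment naming /dev/net/tun and the tap-device use case, plus a sentence in the commit message, would let people auditing their generated config decide whether they want that device whitelisted.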
[Lxc-users] [PATCH 1/1] ubuntu template: disallow cap_sys_module (by popular demand)
This isn't particularly reassuring, and will be moot with user namespaces, but as people are asking for it, turn off sys_module. While we're at it, turn off mac_admin and mac_override.

Signed-off-by: Serge Hallyn

--- templates/lxc-ubuntu.in |1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 9a41a49..05d71b9 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -179,6 +179,7 @@ lxc.pts = 1024 lxc.rootfs = $rootfs lxc.mount = $path/fstab lxc.arch = $arch +lxc.cap.drop = sys_module mac_override mac_admin lxc.cgroup.devices.deny = a # /dev/null and zero -- 1.7.5.4
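Review bot: the subject mentions only `sys_module`, but the `+lxc.cap.drop = sys_module mac_override mac_admin` line also drops the two MAC capabilities, and nothing in the generated config explains that; a comment next to the line would help, because a container that later tries to load its own AppArmor or SELinux policy will fail in a way that is not obviously traceable to this template. The commit message's own caveat (not reassuring, moot once user namespaces land) is worth carrying into that comment too.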
[Lxc-users] [PATCH 2/2] Accurately detect whether a system supports clone_children
If multiple cgroups are mounted under /sys/fs/cgroup, then the original check ends up looking for /sys/fs/cgroup/cgroup.clone_children, which does not exist because that is just a tmpfs. So make sure to check an actual cgroupfs.

Signed-off-by: Serge Hallyn

--- src/lxc/lxc-checkconfig.in |7 ++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/lxc/lxc-checkconfig.in b/src/lxc/lxc-checkconfig.in index 5dcf3a4..30f6186 100755 --- a/src/lxc/lxc-checkconfig.in +++ b/src/lxc/lxc-checkconfig.in @@ -63,7 +63,12 @@ echo -n "Multiple /dev/pts instances: " && is_enabled DEVPTS_MULTIPLE_INSTANCES echo echo "--- Control groups ---" -CGROUP_MNT_PATH=$(grep -m1 "^cgroup" /proc/self/mounts | awk '{ print $2 }') +print_cgroups() { + # print all mountpoints for cgroup filesystems + awk '$1 !~ /#/ && $3 == mp { print $2; } ; END { exit(0); } ' "mp=$1" "$2" ; +} + +CGROUP_MNT_PATH=`print_cgroups cgroup /proc/self/mounts | head -1` echo -n "Cgroup: " && is_enabled CONFIG_CGROUPS yes -- 1.7.5.4
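Review bot: the helper does fix the tmpfs false positive by matching on the filesystem type in `$3`, but three small points on the `+` lines: `$1 !~ /#/` is a no-op for /proc/self/mounts, which has no comment lines; the new `CGROUP_MNT_PATH=` assignment uses backticks where the removed line used `$(...)`; and mountpoints in /proc/self/mounts are octal-escaped (a space appears as `\040`), so the value would need unescaping before being used as a path if a cgroup hierarchy were ever mounted somewhere with a space in its name.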
[Lxc-users] [PATCH 1/2] Let sshd template work on ubuntu systems.
/dev/shm is a symlink to /run/shm, so we need /run/shm to exist in the container rootfs. Also, /dev/mqueue does not exist on the host, and can't be created by the container. But we don't really need it so ignore that.

Signed-off-by: Serge Hallyn

--- src/lxc/utils.c |5 +++-- templates/lxc-sshd.in |1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 6279d77..4647bd4 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -135,9 +135,10 @@ extern int lxc_setup_fs(void) return -1; /* If we were able to mount /dev/shm, then /dev exists */ + /* Sure, but it's read-only per config :) */ if (access("/dev/mqueue", F_OK) && mkdir("/dev/mqueue", 0666)) { - SYSERROR("failed to create '/dev/mqueue'"); - return -1; + DEBUG("failed to create '/dev/mqueue'"); + return 0; } if (mount_fs("mqueue", "/dev/mqueue", "mqueue")) diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in index 0e8346f..bd5d293 100644 --- a/templates/lxc-sshd.in +++ b/templates/lxc-sshd.in @@ -30,6 +30,7 @@ $rootfs/var/empty/sshd \ $rootfs/var/lib/empty/sshd \ $rootfs/etc/ssh \ $rootfs/dev/shm \ +$rootfs/run/shm \ $rootfs/proc \ $rootfs/bin \ $rootfs/sbin \ -- 1.7.5.4
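Review bot: in the utils.c hunk, `return 0` leaves lxc_setup_fs() entirely when /dev/mqueue cannot be created, not just the mqueue mount; if the function does anything after the `mount_fs("mqueue", ...)` call, that is now silently skipped whenever /dev is read-only, so wrapping the mkdir and the mount in one block that falls through would match the commit message's "ignore that" more precisely. The added `/* Sure, but it's read-only per config :) */` comment also reads as a chat aside; stating that /dev may be read-only and the directory is therefore optional would age better.

Review bot: in the lxc-sshd.in hunk, the `+$rootfs/run/shm \` entry carries no comment explaining that Ubuntu's /dev/shm is a symlink to /run/shm (that reason lives only in the commit message), so the line is a candidate for being removed as unused later; a one-line comment above the mkdir list would preserve the rationale.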
[Lxc-users] [PATCH] Define $hostname before its first use
Otherwise you get 'lxc.utsname =' in config, instead of the actual hostname being filled in.

https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/850205

Index: lxc/src/lxc/lxc-clone.in === --- lxc.orig/src/lxc/lxc-clone.in 2011-09-14 15:04:30.459058616 -0500 +++ lxc/src/lxc/lxc-clone.in2011-09-14 15:05:17.179057825 -0500 @@ -137,6 +137,8 @@ exit 1 fi +hostname=$lxc_new + trap "${bindir}/lxc-destroy -n $lxc_new; echo aborted; exit 1" SIGHUP SIGINT SIGTERM mkdir -p $lxc_path/$lxc_new @@ -184,7 +186,6 @@ fi echo "Updating rootfs..." -hostname=$lxc_new # so you can 'ssh $hostname.' or 'ssh $hostname.local' if [ -f $rootfs/etc/dhcp/dhclient.conf ]; then
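Review bot: for the first hunk, the patch lacks a Signed-off-by line, unlike the others in this series, and is in quilt form (`Index:` and `lxc.orig/` paths) rather than git form, so whoever applies it needs the right `-p` level against the lxc tree; placing `hostname=$lxc_new` above the `trap` is otherwise sound, since the config that writes `lxc.utsname` needs it before line 186.

Review bot: for the second hunk, dropping the later `hostname=$lxc_new` is only safe if nothing between the two hunks (roughly lines 139 to 186 of lxc-clone.in) reassigns `hostname`; the visible context does not cover that range, so it is worth a grep before applying.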
Re: [Lxc-users] Hierarchical containers using lxc
Quoting Nikhil Handigol (nikhil.handi...@gmail.com):
> Is there a way to use lxc to create hierarchical containers?
>
> More specifically, I have my cgroup filesystem mounted on /cgroup. I want to
> be able to create a container, say "root", and then create N other
> containers, say "c1", "c2",..., "cN", as children of "root". Is there a way
> to do it using lxc?

Not yet, but there is no good reason why not. Patches welcome :)

-serge
Re: [Lxc-users] PAM-module for adhoc creation of container
Quoting "Axel Schöner" (axel.schoe...@gmx.de):
> Hello,
>
> I need some feedback and suggestions for this project. If there are
> similar solutions please let me know.
>
> I want to build a solution for creating and starting a container on user
> login (via ssh or shell). The user should be redirected inside a container
> as root to a bash.

For now, don't give away root in a container to anyone you wouldn't give root on your host.

> I know there is a PAM-module (pam-netns) for creating a network in
> a separated namespace when a user logs in. I think it should be possible to
> realize my goals based on this module.

Not until the patchset allowing you to unshare pidns goes upstream. Cloning won't suffice. That is actually the whole reason why Janak initially pushed sys_unshare().

-serge
Re: [Lxc-users] [RFC 2/2] lxc-start-ephemeral
Hi,

here is a script we're toying with which starts an ephemeral container based
on an existing one, with an aufs read-write layer on top. When the container
shuts down, it disappears. This same script should be trivial to extend to
support use of overlayfs in place of aufs.

(It belongs in src/lxc/lxc-start-ephemeral.in, but I have it sitting
elsewhere so that it stands cleanly apart from upstream code)

Thoughts?

Many thanks to Robert Collins for the original script.

#!/bin/bash
# This script runs up and removes an aufs layered lxc container.
#
# Usage: lxc-start-aufs BASECONTAINER (BINDMOUNT or --) [COMMAND [ARGS...]]
# BASECONTAINER should be the simple name of a container to layer on. This
# container probably shouldn't be running.
# BINDMOUNT is a path in the host environment to bind mount into the container
# - e.g. /home/username or some such.
# COMMAND and ARGS are the command and args to run in the container.
# If no BINDMOUNT is desired *and* a COMMAND is desired, provide -- as the
# BINDMOUNT.
# (C) Copyright Canonical 2011

# What lxc container to clone
LXC_BASE=""
# $2 is a path to bind mount e.g. /tmp/foo.
LXC_BIND=""
uniontype="aufs"

usage() {
    echo "usage: lxc-start-ephemeral [-h] [-t type] [-b bdir] -o orig -- [COMMAND [ARGS...]]"
}

help() {
    usage
    echo
    echo "Runs an ephemeral (one-off) container"
    echo
    echo "Options:"
    echo "type: type of union fs to use. aufs by default"
    echo "    : Overlayfs and others will be possible one day"
    echo "orig: name of the original container"
    echo "bdir: directory to bind mount into container"
}

shortoptions='ht:b:o:'
longoptions='help,orig:,bdir:,type:'

getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@")
if [ $? != 0 ]; then
    usage
    exit 1;
fi

eval set -- "$getopt"

while true; do
    case "$1" in
        -h|--help)
            help
            exit 1
            ;;
        -t|--type)
            shift
            uniontype=$1
            shift
            if [ "$uniontype" != 'aufs' ]; then
                echo "only aufs is supported"
            fi
            ;;
        -o|--orig)
            shift
            LXC_BASE=$1
            shift
            ;;
        -b|--bdir)
            shift
            LXC_BIND=$1
            shift
            ;;
        --)
            shift
            break;;
        *)
            echo $1
            usage
            exit 1
            ;;
    esac
done

LXC_USER=`id -un`

# validation
if [ -z "$LXC_BASE" ]; then
    echo "original container must be specified"
    usage
    exit 1
fi

if [ ! -d /var/lib/lxc/$LXC_BASE ] ; then
    # double quotes so the container name is actually expanded in the message
    echo "no such lxc container $LXC_BASE"
    exit 1
fi

echo "Setting up ephemeral container..."
# tmpfs-backed read-write layer; it goes away with the container
OVERLAY_DIR=`mktemp -d /tmp/lxc-lp-XXX`
sudo mount -t tmpfs none $OVERLAY_DIR
LXC_DIR=`sudo mktemp -d --tmpdir=/var/lib/lxc $LXC_BASE-temp-aufs-XXX`
LXC_NAME=`basename $LXC_DIR`
# overlay: writable tmpfs branch on top of the read-only base container
sudo mount -t $uniontype -o br=$OVERLAY_DIR=rw:/var/lib/lxc/$LXC_BASE=ro,noplink none $LXC_DIR
if [ -n "$LXC_BIND" ]; then
    sudo mkdir -p $LXC_DIR/rootfs$LXC_BIND
    sudo mount --bind $LXC_BIND $LXC_DIR/rootfs$LXC_BIND
fi
# give the clone its own name in the lxc config and inside the rootfs
sudo sed -i -e "s/$LXC_BASE/$LXC_NAME/" $LXC_DIR/fstab $LXC_DIR/config $LXC_DIR/rootfs/etc/hostname $LXC_DIR/rootfs/etc/hosts
# drop the base container's dhcp leases so the clone requests its own address
LEASES=$LXC_DIR/rootfs/var/lib/dhcp3/dhclient.eth0.leases
if [ ! -f $LEASES ]; then
    LEASES=$LXC_DIR/rootfs/var/lib/dhcp/dhclient.leases
fi
sudo truncate -c -s0 $LEASES
echo "Starting up the container..."
sudo lxc-start -n $LXC_NAME -d
echo "$LXC_NAME is running"
echo "You connect with the command:"
echo "lxc-console -n $LXC_NAME"
# block until the container reaches STOPPED (needs the -Q patch to lxc-monitor)
lxc-monitor -Q -n $LXC_NAME
echo "Stopping lxc" >&2
sudo lxc-stop -n $LXC_NAME
sleep 2
if [ -n "$LXC_BIND" ]; then
    echo "umounting bind" >&2
    sudo umount $LXC_DIR/rootfs$LXC_BIND
fi
# echo "umounting lxc_dir $LXC_DIR" >&2
sudo umount $LXC_DIR
# echo "umounting overlay" >&2
sudo umount $OVERLAY_DIR
# echo "rming lxc_dir $LXC_DIR" >&2
sudo rmdir $LXC_DIR
# echo "rming overlay dir $OVERLAY_DIR" >&2
rmdir $OVERLAY_DIR
[Lxc-users] [RFC 1/2] lxc-monitor: support --quit-on-stop
Hi, do you have any objections to this patch? It adds a '-Q' option to lxc-monitor to have lxc-monitor quit when the monitored container stops. This is used by lxc-start-ephemeral to track a container's death. Index: ephemeral/src/lxc/lxc_monitor.c === --- ephemeral.orig/src/lxc/lxc_monitor.c2011-08-03 23:00:42.925819531 -0500 +++ ephemeral/src/lxc/lxc_monitor.c 2011-08-03 23:43:43.396909384 -0500 @@ -36,9 +36,18 @@ lxc_log_define(lxc_monitor_ui, lxc_monitor); static const struct option my_longopts[] = { + {"quit-on-stop", no_argument, 0, 'Q'}, LXC_COMMON_OPTIONS }; +static int my_parser(struct lxc_arguments* args, int c, char* arg) +{ + switch (c) { + case 'Q': args->quit_on_stop = 1; break; + } + return 0; +} + static struct lxc_arguments my_args = { .progname = "lxc-monitor", .help = "\ @@ -47,11 +56,13 @@ lxc-monitor monitors the state of the NAME container\n\ \n\ Options :\n\ - -n, --name=NAME NAME for name of the container\n\ -NAME may be a regular expression", + -Q, --quit-on-stop quit when the container stops\n\ + -n, --name=NAMENAME for name of the container\n\ + NAME may be a regular expression", .options = my_longopts, - .parser = NULL, + .parser = my_parser, .checker = NULL, + .quit_on_stop = 0, }; int main(int argc, char *argv[]) @@ -95,6 +106,8 @@ case lxc_msg_state: printf("'%s' changed state to [%s]\n", msg.name, lxc_state2str(msg.value)); + if (msg.value == STOPPED && my_args.quit_on_stop) + goto quit; break; default: /* ignore garbage */ @@ -102,6 +115,7 @@ } } +quit: regfree(&preg); return 0; Index: ephemeral/src/lxc/arguments.h === --- ephemeral.orig/src/lxc/arguments.h 2011-08-03 23:32:20.905831229 -0500 +++ ephemeral/src/lxc/arguments.h 2011-08-03 23:32:37.625831332 -0500 
@@ -58,6 +58,9 @@ /* for lxc-wait */ char *states; + /* for lxc-shutdown*/ + int quit_on_stop; + /* remaining arguments */ char *const *argv; int argc; -- BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA The must-attend event for mobile developers. Connect with experts. Get tools for creating Super Apps. See the latest technologies. Sessions, hands-on labs, demos & much more. Register early & save! http://p.sf.net/sfu/rim-blackberry-1 ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
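Review bot: the arguments.h hunk introduces the new field under the comment `/* for lxc-shutdown*/`, but quit_on_stop is only read by lxc-monitor (the lxc_monitor.c hunk tests `my_args.quit_on_stop`); change it to `/* for lxc-monitor */`. Since the help text says NAME may be a regular expression, the -Q help line should also state that the first matching container to reach STOPPED ends the monitor: the `goto quit` fires on any message whose value is STOPPED, regardless of which of several matched containers sent it.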
[Lxc-users] lxc-ps: support '-n name' and '-- ps-options'
This is more consistent with other lxc commands Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/820720 Index: ephemeral/src/lxc/lxc-ps.in === --- ephemeral.orig/src/lxc/lxc-ps.in2011-08-03 22:28:39.854937920 -0500 +++ ephemeral/src/lxc/lxc-ps.in 2011-08-03 22:29:35.995216226 -0500 @@ -131,7 +131,7 @@ sub display_usage { print
Re: [Lxc-users] make lxc-ps work with separate mtab
Quoting Daniel Lezcano (daniel.lezc...@free.fr): > On 08/04/2011 04:30 PM, Serge E. Hallyn wrote: > > Quoting Daniel Lezcano (daniel.lezc...@free.fr): > >> On 07/28/2011 08:19 PM, Serge E. Hallyn wrote: > >>> It breaks with multiple cgroup mounts unless /etc/mtab is linked > >>> to /proc/self/mounts (which it is not in Ubuntu, for instance). 
> >>> > >>> Signed-off-by: Serge Hallyn > >> Hi Serge, > >> > >> not sure, you got the email > > No, I did not. Where did you send it to? > > The same recipient as this mail. Anyway, the last two days were > thunderstorm days. It is probable something went wrong on my home network. > > >> but I was not able to apply this one. > > Ah I see, I didn't have commit c011782c8d83ece9ee883fcd9406433c09f220be. > > The jist of this hunk is: ns cgroup might not need to be mounted, so > > accept any cgroup entry. > > > > (Yes, this still makes assumptions - namely that the container is > > in the same group for all cgroups; but I think that makes more > > sense than assuming that ns cgroup is mounted somewhere) > > > > Do you want me to send a new patch, or do you want to tweak it > > in-flight? > > Please, send me a new one if possible. Sorry for not sending yesterday. I've got one more lxc-ps patch I'd like to send in a few minutes. Date: Fri, 5 Aug 2011 08:44:56 -0500 Subject: [PATCH 1/1] make lxc-ps work with cgroup-bin in Ubuntu (v2) It breaks with multiple cgroup mounts unless /etc/mtab is linked to /proc/self/mounts, which it is not in ubuntu. Also, the current git HEAD fails if ns cgroup is not mounted. With this patch, it will return the cgroup path in the ns cgroup if that is mounted, otherwise it will return the cgroup path in the first cgroup listed in /proc/$$/cgroups. Rationale: the ns cgroup stops the container from escaping its cgroup path, which may still be useful (though I'm doubtful). Otherwise, there is no good way for deciding which cgroup's path to use. (We could standardize on freezer or devices, since we always use those) Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/817606 Signed-off-by: Serge Hallyn --- src/lxc/lxc-ps.in | 40 1 files changed, 28 insertions(+), 12 deletions(-) diff --git a/src/lxc/lxc-ps.in b/src/lxc/lxc-ps.in index 7b3c8ab..6377938 100755 --- a/src/lxc/lxc-ps.in +++ b/src/lxc/lxc-ps.in 
@@ -53,15 +53,22 @@ sub get_cgroup { my $mount_string; $mount_string=`mount -t cgroup |grep -E -e '^lxc '`; - unless ($mount_string) { - $mount_string=`mount |grep -m1 'type cgroup'`; - } - chomp($mount_string); if ($mount_string) { + # use the one 'lxc' cgroup mount if it exists + chomp($mount_string); $$ref_cgroup=`echo "$mount_string" |cut -d' ' -f3`; chomp($$ref_cgroup); + return + } + # Otherwise (i.e. cgroup-bin) use the first cgroup mount + $mount_string=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts`; + unless ($mount_string) { + die "unable to find mounted cgroup" unless $$ref_cgroup; } - die "unable to find mounted cgroup" unless $$ref_cgroup; + chomp($mount_string); + $$ref_cgroup=`echo "$mount_string" |cut -d' ' -f2`; + chomp($$ref_cgroup); + return; } sub get_pids_in_containers { @@ -111,21 +118,30 @@ sub execute_ps { sub get_container { my $pid = shift; my $filename = "/proc/$pid/cgroup"; +my $container = ''; +my $firstcgroup = ''; open(LXC, "$filename"); # read all lines at once my @cgroup = ; close LXC; -my $container = ''; +# If ns cgroup is mounted, return the path in there +# otherwise return the path of first cgroup in /proc/$$/cgroups. foreach ( @cgroup ) { -chomp; -# find the container name -if (m/[:,]ns[:,]/o) { + $container = $_; +chomp($container); + # is this ns cgroup? + if ($container =~ m/[:,]ns[:,]/o) { # container name after :/ - s/.*:\///o; -$container = $_; + $container =~ s/.*:\///o; + return $container; } + if ($firstcgroup == '') { + # container name after :/ + $container =~ s/.*:\///o; + $firstcgroup = $container; + } } -return $container; +return $firstcgroup; } sub display_headers { -- 1.7.5.4 -- BlackBerry® DevCon Americas, Oct
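Review bot: `if ($firstcgroup == '')` in the get_container hunk is Perl's numeric comparison, under which any non-numeric string equals '' (both evaluate to 0), so the branch is taken on every line and $firstcgroup ends up holding the last cgroup path rather than the first; use `if ($firstcgroup eq '')`. In the get_cgroup hunk, `unless ($mount_string) { die ... unless $$ref_cgroup; }` falls through when the grep finds nothing but $$ref_cgroup was already set by the caller, and the following `cut` then overwrites it with an empty string; add a `return;` inside that block after the die.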
Re: [Lxc-users] make lxc-ps work with separate mtab
Quoting Daniel Lezcano (daniel.lezc...@free.fr): > On 07/28/2011 08:19 PM, Serge E. Hallyn wrote: > > It breaks with multiple cgroup mounts unless /etc/mtab is linked > > to /proc/self/mounts (which it is not in Ubuntu, for instance). > > > > Signed-off-by: Serge Hallyn > > Hi Serge, > > not sure, you got the email No, I did not. Where did you send it to? > but I was not able to apply this one. Ah I see, I didn't have commit c011782c8d83ece9ee883fcd9406433c09f220be. The jist of this hunk is: ns cgroup might not need to be mounted, so accept any cgroup entry. (Yes, this still makes assumptions - namely that the container is in the same group for all cgroups; but I think that makes more sense than assuming that ns cgroup is mounted somewhere) Do you want me to send a new patch, or do you want to tweak it in-flight? thanks, -serge > The reject file contains: > > --- src/lxc/lxc-ps.in2011-07-28 11:29:35.003183756 -0500 > +++ src/lxc/lxc-ps.in2011-07-28 11:31:37.973180821 -0500 > @@ -121,11 +127,7 @@ > my $container = ; > close LXC; > chomp($container); > -if ($container =~ m/[:,]ns[:,]/o) { > -$container =~ s/.*:\///o; > -} else { > -$container =''; > -} > +$container =~ s/.*:\///o; > return $container; > } > -- BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA The must-attend event for mobile developers. Connect with experts. Get tools for creating Super Apps. See the latest technologies. Sessions, hands-on labs, demos & much more. Register early & save! http://p.sf.net/sfu/rim-blackberry-1 ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
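Review bot: the quoted reject hunk replaces the ns-only test with an unconditional `$container =~ s/.*:\///o;` on the single line read from /proc/$pid/cgroup, so the reported container is whatever path the first-listed subsystem has; that is the assumption the reply acknowledges (same path in every cgroup), and the hunk would read better with a one-line comment saying so instead of the bare substitution.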
Re: [Lxc-users] Mitigating LXC Container Evasion?
Quoting Andre Nathan (an...@digirati.com.br):
> Hi Mike
>
> On Wed, 2011-08-03 at 17:52 -0400, Michael H. Warfield wrote:
> > That's v4 syntax. Does it not work at all? Did you try this:
> >
> > echo ::/0 @ > /smack/netlabel
> >
> > Not having tried this myself at all, I'm just asking. If it doesn't
> > work, that needs to be fixed but it's a SMACK bug.
>
> Olivier's IPv4 example works fine, but with IPv6 I get an error:
>
> # echo ::/0 @ > /smack/netlabel
> -bash: echo: write error: Invalid argument

Looking at linux-2.6/security/smack/smackfs.c, nothing but 'a.b.c.d label' or
'a.b.c.d/mask label' is allowed. Now, smack_lsm.c does suggest that it wants
to work with IPV6, but I haven't looked closely enough to tell how it will try
to match the labels.

Casey, is Smack netlabel supposed to work with IPV6?

thanks,
-serge
[Lxc-users] Silence lxc-unshare warning when removing cgroup
If ns cgroup is mounted, then when lxc-unshare runs, the kernel automatically creates a new cgroup for the task. So lxc-unshare tries to delete it. But if ns cgroup is not mounted, that cgroup does not get created, and now lxc-unshare spits an error. Author: Serge Hallyn Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319 Forwarded: no Index: lxc/src/lxc/cgroup.c === --- lxc.orig/src/lxc/cgroup.c 2011-08-01 10:22:53.319598290 -0500 +++ lxc/src/lxc/cgroup.c2011-08-01 10:55:00.349641606 -0500 @@ -82,6 +82,13 @@ return -1; } +int lxc_ns_is_mounted(void) +{ + static charbuf[MAXPATHLEN]; + + return (get_cgroup_mount("ns", buf) == 0); +} + static int get_cgroup_flags(struct mntent *mntent) { int flags = 0; Index: lxc/src/lxc/cgroup.h === --- lxc.orig/src/lxc/cgroup.h 2011-08-01 10:22:54.149598308 -0500 +++ lxc/src/lxc/cgroup.h2011-08-01 10:54:52.889641439 -0500 @@ -30,4 +30,5 @@ int lxc_cgroup_destroy(const char *name); int lxc_cgroup_path_get(char **path, const char *subsystem, const char *name); int lxc_cgroup_nrtasks(const char *name); +int lxc_ns_is_mounted(void); #endif Index: lxc/src/lxc/lxc_unshare.c === --- lxc.orig/src/lxc/lxc_unshare.c 2011-08-01 10:17:52.189591521 -0500 +++ lxc/src/lxc/lxc_unshare.c 2011-08-01 11:06:54.889657669 -0500 
@@ -210,12 +210,14 @@ return -1; } - if (asprintf(&pid_name, "%d", pid) == -1) { - ERROR("pid_name: failed to allocate memory"); - return -1; + if (lxc_ns_is_mounted()) { + if (asprintf(&pid_name, "%d", pid) == -1) { + ERROR("pid_name: failed to allocate memory"); + return -1; + } + lxc_cgroup_destroy(pid_name); + free(pid_name); } - lxc_cgroup_destroy(pid_name); - free(pid_name); return lxc_error_set_and_log(pid, status); } -- BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA The must-attend event for mobile developers. Connect with experts. Get tools for creating Super Apps. See the latest technologies. Sessions, hands-on labs, demos & much more. Register early & save! http://p.sf.net/sfu/rim-blackberry-1 ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
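Review bot: lxc_ns_is_mounted() in the cgroup.c hunk declares `static charbuf[MAXPATHLEN]` purely as a scratch argument for get_cgroup_mount(); a static buffer is not needed and is not thread-safe, so make it an ordinary local, and add a short comment stating that a 0 return from get_cgroup_mount() means the ns subsystem is mounted. In the lxc_unshare.c hunk the return value of lxc_cgroup_destroy() is still ignored; since the whole point of the patch is to avoid a spurious error, at least log at DEBUG level when the destroy fails so the case is still visible.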
[Lxc-users] [PATCH 2/3] make lxc-netstat work when /etc/mtab is not /proc/mounts
like lxc-ps and lxc-ls, lxc-netstat breaks if there is not an 'lxc' cgroup mount and /etc/mtab is not a link to /proc/mounts. Author: Serge Hallyn Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319 Forwarded: no Index: lxc/src/lxc/lxc-netstat.in === --- lxc.orig/src/lxc/lxc-netstat.in 2011-08-01 10:17:02.909590412 -0500 +++ lxc/src/lxc/lxc-netstat.in 2011-08-01 11:22:11.509678274 -0500 @@ -60,6 +60,16 @@ done if [ -z "$cgroup_path" ]; then + cgroups=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts` + for i in "$cgroups"; do + cgroup_path=$(echo $i | awk ' { print $2 } ') + if [ -n $cgroup_path ]; then + break; + fi + done +fi + +if [ -z "$cgroup_path" ]; then echo "no cgroup mount point found" exit 1 fi -- BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA The must-attend event for mobile developers. Connect with experts. Get tools for creating Super Apps. See the latest technologies. Sessions, hands-on labs, demos & much more. Register early & save! http://p.sf.net/sfu/rim-blackberry-1 ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
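Review bot: `if [ -n $cgroup_path ]` in the new loop is unquoted, so when cgroup_path is empty the test degenerates to `[ -n ]`, which is true, and the `break` fires on an empty value; write `[ -n "$cgroup_path" ]`. The loop also runs exactly once because `"$cgroups"` is quoted and grep is invoked with -m1, so either drop the loop and assign `cgroup_path=$(echo "$cgroups" | awk '{ print $2 }')` directly, or drop -m1 and the quotes if the intent is to try each cgroup mount in turn.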
[Lxc-users] [PATCH 1/3] fix lxc-ls with mtab != /proc/mounts
The cgroup mounts created by cgroup-bin do not show up in /etc/mtab. lxc-ls, as lxc-ps before it, assumes that /etc/mtab is symlinked to /proc/mounts. Author: Serge Hallyn Forwarded: no Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/819319 Index: lxc/src/lxc/lxc-ls.in === --- lxc.orig/src/lxc/lxc-ls.in 2011-08-01 09:25:00.298567408 -0500 +++ lxc/src/lxc/lxc-ls.in 2011-08-01 09:25:33.918568164 -0500 @@ -10,12 +10,16 @@ { local mount_string mount_string=$(mount -t cgroup |grep -E -e '^lxc ') - if test -z "$mount_string"; then - mount_string=$(mount |grep -m1 'type cgroup') - fi if test -n "$mount_string"; then mount_point=$(echo $mount_string |cut -d' ' -f3) + return + fi + mount_string=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts`; + if test -z "$mount_string"; then + echo "failed to find mounted cgroup" + exit 1 fi + mount_point=`echo "$mount_string" |cut -d' ' -f2`; } ls "$@" $lxcpath -- BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA The must-attend event for mobile developers. Connect with experts. Get tools for creating Super Apps. See the latest technologies. Sessions, hands-on labs, demos & much more. Register early & save! http://p.sf.net/sfu/rim-blackberry-1 ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
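Review bot: the new error path `echo "failed to find mounted cgroup"; exit 1` writes to stdout, so anything parsing lxc-ls output would see the message as if it were a container name; send it to stderr with `>&2`. Style: the surrounding function uses `$(...)` while the added lines use backticks with trailing semicolons; keep `$(...)` and drop the `;`.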
Re: [Lxc-users] Fedora 15 on Fedora 15 LXC with Libvirt
Quoting Iliyan ILF Stoyanov (i...@ilf.me):
> On the other side, would someone be so kind to point me in the right
> direction (either documentation, source or anything else available) that
> I can follow so that I set up lxc container just with the LXC tools. I

Ramez Hanna has posted a new fedora template. I think this was the latest:

http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg01707.html

It looks like it was for F13 and F14 containers, but it should be a starting
point. See the usage() section. I've not used it myself, but the author
should be on this list.

-serge
[Lxc-users] Use container's /run/utmp if it exists
If /var/run is a symlink to /run in the container, then opening /proc//root/var/run/utmp will end up opening the host's utmp. Therefore the hack detecting shutdown through utmp fails. Signed-off-by: Serge Hallyn Index: lxc/src/lxc/utmp.c === --- lxc.orig/src/lxc/utmp.c 2011-07-28 12:16:21.973116768 -0500 +++ lxc/src/lxc/utmp.c 2011-07-28 12:50:47.295227858 -0500 @@ -170,6 +170,15 @@ char path[MAXPATHLEN]; struct lxc_handler *handler = utmp_data->handler; + if (snprintf(path, MAXPATHLEN, "/proc/%d/root/run/utmp", +handler->pid) > MAXPATHLEN) { + ERROR("path is too long"); + return -1; + } + + if (!access(path, F_OK) && !utmpxname(path)) + goto utmp_ok; + if (snprintf(path, MAXPATHLEN, "/proc/%d/root/var/run/utmp", handler->pid) > MAXPATHLEN) { ERROR("path is too long"); @@ -181,6 +190,8 @@ return -1; } +utmp_ok: + setutxent(); while ((utmpx = getutxent())) { @@ -219,6 +230,7 @@ struct lxc_handler *handler) { char path[MAXPATHLEN]; + char path2[MAXPATHLEN]; int fd, wd; struct lxc_utmp *utmp_data; struct lxc_conf *conf = handler->conf; @@ -230,6 +242,19 @@ * in utmp at the moment, but want to watch for delete and create * events as well. */ + if (snprintf(path, MAXPATHLEN, "/proc/%d/root/run", +handler->pid) > MAXPATHLEN) { + ERROR("path is too long"); + return -1; + } + if (snprintf(path2, MAXPATHLEN, "/proc/%d/root/run/utmp", +handler->pid) > MAXPATHLEN) { + ERROR("path is too long"); + return -1; + } + if (!access(path2, F_OK)) + goto run_ok; + if (snprintf(path, MAXPATHLEN, "/proc/%d/root/var/run", handler->pid) > MAXPATHLEN) { ERROR("path is too long"); 
@@ -241,6 +266,8 @@ return 0; } +run_ok: + utmp_data = (struct lxc_utmp *)malloc(sizeof(struct lxc_utmp)); if (NULL == utmp_data) { -- Got Input? Slashdot Needs You. Take our quick survey online. Come on, we don't ask for help often. Plus, you'll get a chance to win $100 to spend on ThinkGeek. http://p.sf.net/sfu/slashdot-survey ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
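Review bot: each new `snprintf(path, MAXPATHLEN, ...) > MAXPATHLEN` check is off by one: snprintf returns the length the full string would have had, so a return equal to MAXPATHLEN means the buffer already holds a truncated path; the test should be `>= MAXPATHLEN`. The same pattern appears in the existing /var/run checks in the context lines, so it is worth fixing all of them together. In the second hunk, `path2` is only used for the `access()` probe while `path` (the /run directory) is what the watch is placed on; a comment saying so would make the two buffers easier to follow.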
[Lxc-users] make lxc-ps work with separate mtab
It breaks with multiple cgroup mounts unless /etc/mtab is linked to /proc/self/mounts (which it is not in Ubuntu, for instance). Signed-off-by: Serge Hallyn Index: lxc/src/lxc/lxc-ps.in === --- lxc.orig/src/lxc/lxc-ps.in 2011-07-28 11:29:35.003183756 -0500 +++ lxc/src/lxc/lxc-ps.in 2011-07-28 11:31:37.973180821 -0500 @@ -53,15 +53,21 @@ my $mount_string; $mount_string=`mount -t cgroup |grep -E -e '^lxc '`; - unless ($mount_string) { - $mount_string=`mount |grep -m1 'type cgroup'`; - } - chomp($mount_string); if ($mount_string) { + # use the one 'lxc' cgroup mount if it exists + chomp($mount_string); $$ref_cgroup=`echo "$mount_string" |cut -d' ' -f3`; chomp($$ref_cgroup); } - die "unable to find mounted cgroup" unless $$ref_cgroup; + # Otherwise (i.e. cgroup-bin) use the first cgroup mount + $mount_string=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts`; + unless ($mount_string) { + die "unable to find mounted cgroup" unless $$ref_cgroup; + } + chomp($mount_string); + $$ref_cgroup=`echo "$mount_string" |cut -d' ' -f2`; + chomp($$ref_cgroup); + return; } sub get_pids_in_containers { @@ -115,11 +121,7 @@ my $container = ; close LXC; chomp($container); -if ($container =~ m/[:,]ns[:,]/o) { - $container =~ s/.*:\///o; -} else { - $container =''; -} +$container =~ s/.*:\///o; return $container; } -- Got Input? Slashdot Needs You. Take our quick survey online. Come on, we don't ask for help often. Plus, you'll get a chance to win $100 to spend on ThinkGeek. http://p.sf.net/sfu/slashdot-survey ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
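Review bot: the first hunk no longer returns after the 'lxc' mount branch has set $$ref_cgroup, so execution falls through to the /proc/self/mounts grep and overwrites the value with the first cgroup mount, or with an empty string when the grep finds nothing (the `die` is skipped precisely because $$ref_cgroup is already set). Add a `return;` at the end of the `if ($mount_string)` block. The second hunk's unconditional `s/.*:\///o` makes the result depend on whichever subsystem the kernel lists first in /proc/$pid/cgroup; the commit message should say that this is now the intended behaviour.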
[Lxc-users] add ubuntu-keyring to the packagelist for oneiric containers.
Otherwise apt fails during and after debootstrap. Signed-off-by: Serge Hallyn Index: lxc-0.7.4.2/templates/lxc-ubuntu.in === --- lxc-0.7.4.2.orig/templates/lxc-ubuntu.in2011-07-27 16:32:44.297421437 -0500 +++ lxc-0.7.4.2/templates/lxc-ubuntu.in 2011-07-27 16:33:15.177420914 -0500 @@ -83,8 +83,10 @@ packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release,gnupg elif [ $release = "maverick" ]; then packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release,gnupg,netbase -else +elif [ $release = "natty" ]; then packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase +else + packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase,ubuntu-keyring fi echo "installing packages: $packages" -- Got Input? Slashdot Needs You. Take our quick survey online. Come on, we don't ask for help often. Plus, you'll get a chance to win $100 to spend on ThinkGeek. http://p.sf.net/sfu/slashdot-survey ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
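Review bot: the new `else` branch repeats the whole natty package list plus ubuntu-keyring, so the list is now copied in four places and a later edit to one of them will drift from the others; build a base list once and append per-release extras (for example `packages=$packages,ubuntu-keyring`). A comment on the `else` branch saying why ubuntu-keyring is required there would also help, since the commit message only says that apt fails without it.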
Re: [Lxc-users] Can a process change its container membership ?
Quoting Vinay Wagh (vinay.h.w...@gmail.com):
> Hi,
>
> I had an architectural question on containers. I wanted to use containers to
> run multiple instances of the same application with different resource
> allocation (CPU, memory). The problem is that I have user/kernel space
> drivers that access network processors and I might not be able to run
> multiple instances in this case. These processes need to serve requests from
> applications running in different containers. So I need these processes to
> run in a container that can communicate with other containers. But since
> this process will serve requests from other containers it should be able to
> honor the CPU resource isolation that containers provide.
>
> To do this I could embed an id in the IPC that maps to the container but I
> still need the serving process to be able to 'switch' in to a different
> container membership based on which container I received the request from.
> Is that something that can be done today or is there another way to do
> this.

Just the moving to different resource isolations, yeah that's simple enough.
Just move yourself into the container's cgroup, then (assuming you're not
using the ns cgroup) back out. I.e. if the container task's /proc/self cgroup
shows:

5:freezer:/apache2
4:memory:/apache2
3:devices:/apache2
2:cpuacct:/apache2
1:cpu:/apache2

and you want the same cpu, cpuacct, and memory restrictions, then do

for f in cpu cpuacct memory; do
    echo $$ > /sys/fs/cgroup/$f/apache2/tasks
done

Then to jump back out:

for f in cpu cpuacct memory; do
    echo $$ > /sys/fs/cgroup/$f/tasks
done

-serge
[Lxc-users] [PATCH] Don't try to add host user's groups in container
When '-b user' is specified to lxc-ubuntu container creation template, do not automatically add all the groups of which user is a member on the host, to user's groups in the container. Signed-off-by: Serge Hallyn --- templates/lxc-ubuntu.in |3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index e450dae..0b59f26 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -343,9 +343,6 @@ do_bindhome() fi shad=`getent shadow $user` echo $shad >> $rootfs/etc/shadow -for g in `groups $user | cut -d: -f 2-`; do -chroot $rootfs adduser $user $g -done } clean() -- 1.7.4.1 -- Storage Efficiency Calculator This modeling tool is based on patent-pending intellectual property that has been used successfully in hundreds of IBM storage optimization engage- ments, worldwide. Store less, Store more with what you own, Move data to the right place. Try It Now! http://www.accelacomm.com/jaw/sfnl/114/51427378/ ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
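Review bot: dropping the loop is the right fix: the groups `groups $user` reports are the host's memberships, and adding them with `chroot $rootfs adduser` granted the user every one of them inside the container even though the container's group database has no relation to the host's. A one-line comment in do_bindhome() saying that only the passwd/shadow entries are copied and group membership is left to the container would keep the next reader from re-adding it. Also, the context line `echo $shad >> $rootfs/etc/shadow` should quote `"$shad"`.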
Re: [Lxc-users] Ubuntu lxc on top of RHEL
Quoting Devendra K. Modium (dmod...@isi.edu):
> Hi All
>
> I am trying to run the Ubuntu LXC container on top
> of RHEL. Everything runs fine. /sbin/init , console dhcpclient etc.
>
> But even though sshd daemon gets started. I am not able to ssh into the
> container.
>
> I debugged and noticed that lsof -i -n -P output says
> that sshd cannot stat the libraries /lib/libcry* , /lib/libns*,... etc (No
> such file or directory).
>
> I checked inside the container and found that those libraries are present and
> in correct path.
> In fact I copied those libraries to /lib64 also. But couldn't get sshd working.
>
> Is this because of Ubuntu on top of RHEL?
>
> Any inputs are appreciated.

Can you give a few more details? How exactly did you create the container?
Can you log in with lxc-console? If so, what do you get when you
'strace -f sshd -D'?

thanks,
-serge
Re: [Lxc-users] read only rootfs
Quoting Michael H. Warfield (m...@wittsend.com):
> > > But... I got this for the root system on Alcove.
> > >
> > > 106 55 8:17 /lxc/private/Alcove / rw,relatime master:1 - ext4 /dev/sdb1
> > > rw,barrier=1,data=ordered
> > >
> > > Ok... That now says "master:1". Not sure what it signifies...

See linux-2.6/Documentation/filesystems/proc.txt for details:

    shared:X          mount is shared in peer group X
    master:X          mount is slave to peer group X
    propagate_from:X  mount is slave and receives propagation from peer group X (*)
    unbindable        mount is unbindable

linux-2.6/Documentation/filesystems/sharedsubtree.txt also has good info (as
does fs/namespace.c).

-serge
Re: [Lxc-users] read only rootfs
Quoting Michael H. Warfield (m...@wittsend.com):
> On Tue, 2011-07-19 at 13:34 -0500, Serge E. Hallyn wrote:
> > Quoting C Anthony Risinger (anth...@xtfx.me):
> > > there it would seem. however, while i could *maybe* see the rootfs
> > > being an unconditional slave, i would NOT want to see any lxc
> > > default/enforcement preventing container -> host propagation on a
> > > globally recursive scale. im of the opinion that the implementor
> > > should decide the best tactic ... especially in light of the fact the
> > > one distro may not even have the same problems as say
> > > ubuntu/fedora/etc because they keep mount points private by default.
>
> > Good point. (I don't see it on ubuntu either fwiw) Perhaps there
> > should be a toggle in the per-container config file?
>
> Quick question.
>
> Is there any way to test for these flags (SHARED, PRIVATE, SLAVE)? I
> don't see them showing up anywhere from mount, in proc mounts or
> mountstats. How do you check to see if they are set?

/proc/self/mountinfo is supposed to tell that. i.e. if you do a --make-shared
on /mnt, it'll show 'shared' next to the /mnt entry.

(I say 'is supposed to' bc --make-rslave just shows nothing, but maybe that's
bc the way i did it it wasn't a slave to anything, so it was actually private)
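Serge's answer above, and the proc.txt table in the earlier read-only-rootfs reply, say that /proc/self/mountinfo carries the propagation state in its optional-fields column. The shell function below is an added example (mine, not from the thread or the lxc tree): it parses that column for a given mount point and reports shared / slave / unbindable / private, which is the check Michael asked for. The function name `propagation_of` and the sample `SAMPLE_MOUNTINFO` are assumptions; the Alcove line is the one quoted on the list, the other lines are constructed.

```shell
#!/bin/sh
# Constructed /proc/self/mountinfo sample. Field 5 is the mount point; the
# optional fields (shared:N, master:N, propagate_from:N, unbindable) sit
# between field 6 and the " - " separator. Only the Alcove line is from
# the list thread; the rest are made up for the demo.
SAMPLE_MOUNTINFO='106 55 8:17 /lxc/private/Alcove / rw,relatime master:1 - ext4 /dev/sdb1 rw,barrier=1,data=ordered
20 1 8:1 / /home rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
30 20 0:19 / /var/lib/lxc rw,relatime - ext4 /dev/sdb2 rw
31 20 0:20 / /mnt/priv rw,relatime unbindable - tmpfs none rw
40 20 0:21 / /srv rw,relatime shared:5 master:1 - ext4 /dev/sdb3 rw'

# propagation_of MOUNTPOINT  (mountinfo text on stdin)
# Prints the propagation class(es) of the first entry whose mount point is
# MOUNTPOINT: "shared", "slave", "shared slave", "unbindable" or "private".
# Exit status is 1 when no entry matches. A mount that shows "master:N"
# is the one whose remounts will NOT propagate back to the host; a plain
# "shared:N" container rootfs is the case the read-only-rootfs thread hit.
propagation_of() {
    awk -v mp="$1" '
    $5 == mp {
        tags = ""
        # walk the optional fields up to the "-" separator
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/)    tags = tags "shared "
            if ($i ~ /^master:/)    tags = tags "slave "
            if ($i == "unbindable") tags = tags "unbindable "
        }
        if (tags == "") tags = "private "
        sub(/ $/, "", tags)
        print tags
        found = 1
        exit
    }
    END { exit found ? 0 : 1 }'
}

# Demo on the constructed sample: the Alcove rootfs is a slave mount.
printf '%s\n' "$SAMPLE_MOUNTINFO" | propagation_of /
```

On a live host run `propagation_of /var/lib/lxc < /proc/self/mountinfo` (or any container rootfs path) to see whether it is still shared with the host's peer group.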
Re: [Lxc-users] [PATCH] Re: read only rootfs
Quoting Michael H. Warfield (m...@wittsend.com):
> On Tue, 2011-07-19 at 12:59 -0500, Serge E. Hallyn wrote:
> > Quoting Michael H. Warfield (m...@wittsend.com):
> > > I think the problem is that you are only doing this on the rootfs and
> > > that flag does not automagically propagate to the submounts. That's
> >
> > D'oh! Yeah, what you want is MS_REC | MS_SLAVE. The rest should be fine
> > as I had it?
>
> Well, you still need the patch for /rootfs->path/rootfs->mount/ on the
> second parameter to that mount call.
>
> I gave it a shot. No error on the build or running lxc-start but... No
> joy. A remount,ro still propagates back into the host from the
> container.
>
> Been reading the kernel Documentation/filesystems/sharedsubtree.txt file
> about the SHARED, PRIVATE, and SLAVE semantics and it doesn't sound like
> it does what we think it does. It will stop the propagation of mounts
> themselves from master to slave and vice versa but I don't see anything
> about remounts. I mean, I can see it argued both ways. Well, you're
> not really propagating a mount because it's already mounted. Yeah, but
> it is propagating the mount action. That file is not clear on what
> action would take place in the case of a remount like this.
>
> This comment in section 5a of that file seems to favor the second
> interpretation that shared or private should affect remounts:
>
> ==
> A 'propagation event' is defined as event generated on a vfsmount
> that leads to mount or unmount actions in other vfsmounts.
> ==
>
> Is a remount a "mount action"? I would presume it is.

But wait, is your rootfs remounted ro? I thought it was only your
devpts on the host? In which case it is being propagated as a mount
event.

-serge
Re: [Lxc-users] [PATCH] Re: read only rootfs
Quoting Michael H. Warfield (m...@wittsend.com):
> On Tue, 2011-07-19 at 12:59 -0500, Serge E. Hallyn wrote:
> > Quoting Michael H. Warfield (m...@wittsend.com):
> > > I think the problem is that you are only doing this on the rootfs and
> > > that flag does not automagically propagate to the submounts. That's
> >
> > D'oh! Yeah, what you want is MS_REC | MS_SLAVE. The rest should be fine
> > as I had it?
>
> Well, you still need the patch for /rootfs->path/rootfs->mount/ on the
> second parameter to that mount call.
>
> I gave it a shot. No error on the build or running lxc-start but... No
> joy. A remount,ro still propagates back into the host from the
> container.
>
> Been reading the kernel Documentation/filesystems/sharedsubtree.txt file
> about the SHARED, PRIVATE, and SLAVE semantics and it doesn't sound like
> it does what we think it does. It will stop the propagation of mounts
> themselves from master to slave and vice versa but I don't see anything
> about remounts. I mean, I can see it argued both ways. Well, you're
> not really propagating a mount because it's already mounted. Yeah, but
> it is propagating the mount action. That file is not clear on what
> action would take place in the case of a remount like this.
>
> This comment in section 5a of that file seems to favor the second
> interpretation that shared or private should affect remounts:
>
> ==
> A 'propagation event' is defined as event generated on a vfsmount
> that leads to mount or unmount actions in other vfsmounts.
> ==
>
> Is a remount a "mount action"? I would presume it is.

oh, no, i think you are right. It is not, if it is fs remount.

> IAC... Still broken here.
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com
>    /\/\|=mhw=|\/\/         | (678) 463-0932 | http://www.wittsend.com/mhw/
>    NIC whois: MHW9         | An optimist believes we live in the best of all
>    PGP Key: 0x674627FF     | possible worlds. A pessimist is sure of it!
Re: [Lxc-users] read only rootfs
Quoting C Anthony Risinger (anth...@xtfx.me):
> there it would seem. however, while i could *maybe* see the rootfs
> being an unconditional slave, i would NOT want to see any lxc
> default/enforcement preventing container -> host propagation on a
> globally recursive scale. im of the opinion that the implementor
> should decide the best tactic ... especially in light of the fact the
> one distro may not even have the same problems as say
> ubuntu/fedora/etc because they keep mount points private by default.

Good point. (I don't see it on ubuntu either fwiw) Perhaps there
should be a toggle in the per-container config file?
Re: [Lxc-users] [PATCH] Re: read only rootfs
Quoting Michael H. Warfield (m...@wittsend.com):
> I think the problem is that you are only doing this on the rootfs and
> that flag does not automagically propagate to the submounts. That's

D'oh! Yeah, what you want is MS_REC | MS_SLAVE. The rest should be fine
as I had it?
Re: [Lxc-users] [PATCH] Re: read only rootfs
Quoting Michael H. Warfield (m...@wittsend.com): > On Mon, 2011-07-18 at 07:31 -0500, Serge E. Hallyn wrote: > > Quoting Michael H. Warfield (m...@wittsend.com): > > > Unfortunately, I also still find that if there's a -o remount,ro in the > > > halt/reboot script, it still sets /dev/pts to ro and that still > > > propagates to the host and to the other containers triggering random > > > > Wow. > > > > Did a quick grep; is there any reason why lxc-start doesn't turn on > > MS_SLAVE for the client's root? Something like: > > > > From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001 > > From: Serge Hallyn > > Date: Mon, 18 Jul 2011 07:29:57 -0500 > > Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE > > > > Signed-off-by: Serge Hallyn > > --- > > src/lxc/conf.c |5 + > > 1 files changed, 5 insertions(+), 0 deletions(-) > > > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > > index 2eb598b..d36fe47 100644 > > --- a/src/lxc/conf.c > > +++ b/src/lxc/conf.c 
> > @@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs > > *rootfs) > > return -1; > > } > > > > + if (mount(rootfs->path, rootfs->path, "none", MS_SLAVE, 0)) { > > + ERROR("failed to turn child rootfs into slave"); > > + return -1; > > + } > > + > > DEBUG("mounted '%s' on '%s'", rootfs->path, rootfs->mount); > > > > return 0; > > -- > > 1.7.4.1 > > > > The kernel should also prohibit, totally, the propagation of remount > > > The kernel doesn't know about containers, so it's up to userspace :) > > Acceptable and that's reasonable. But, for security and integrity > reasons, it has to be the host / parent user space not the guest / child > user space which can make that decision. And it has to be the default. > Anything less is a security vulnerability. Right, which is why lxc, not the container, has to do it. -serge -- Magic Quadrant for Content-Aware Data Loss Prevention Research study explores the data loss prevention market. Includes in-depth analysis on the changes within the DLP market, and the criteria used to evaluate the strengths and weaknesses of these DLP solutions. http://www.accelacomm.com/jaw/sfnl/114/51385063/ ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] mount from outside of a container online
Quoting C Anthony Risinger (anth...@xtfx.me):
> You'd also need to --make-shared the host mount before --bind'ing and
> --make-slave'ing to the container ... by default mounts are --private.

Not with all distros, but it's definitely the safe and right thing to
do, good point.

thanks,
-serge
Re: [Lxc-users] mount from outside of a container online
Quoting Papp Tamas (tom...@martos.bme.hu):
> On 2011-07-18 15:14, Serge E. Hallyn wrote:
> > It should be possible, but you have to set it up in advance. You can
> > create a /lxcshare directory on the host, make sure it is slave
> > (mount --make-rslave /lxcshare) and bind-mount that into the container
> > at startup. Then mounting a directory into /lxcshare should expose it
> > to the container.
> >
>
> hello!
>
> Thank you for your answer, Serge:)
>
> I'm not sure I correctly understand this part of manual, but I'm sure,
> this is not exactly I want.
> I wanted (and also want to do it in the future) to mount a directory as
> 'adhoc', without restarting the container.

I don't think that's possible. But note that the setup I'm proposing
only needs to be done once at container creation, and could be
supported in templates. Once set up, usage would be:

host admin:
	mkdir /lxcshare/cdrom
	mount /dev/cdrom /lxcshare/cdrom

container admin:
	mount --move /lxcshare/cdrom /mnt/cdrom

> Nevermind,

thank you,
-serge
Re: [Lxc-users] what's the difference in lxc-attach
Quoting Joerg Gollnick (code4lxc+l...@wurzelbenutzer.de):
> Hello Serge,
> I think that the main point is the initial setup of the cgroup (directory)
> structure.
>
> systemd
> tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
> cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/systemd/systemd-cgroups-agent,clone_children,name=systemd)
> cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,clone_children)
> cgroup on /sys/fs/cgroup/ns type cgroup (rw,nosuid,nodev,noexec,relatime,ns)
> cgroup on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,clone_children)
> cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,clone_children)
> cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory,clone_children)
> cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices,clone_children)
> cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer,clone_children)
> cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,clone_children)
> cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio,clone_children)

That looks an awful lot like the default setup with cgroup-bin installed
on a ubuntu oneiric upstart system.

Actually, I see ns cgroup is mounted (separately). If you can find a
way to not have that mounted, that may solve the issue. I wonder if
systemd actually uses ns cgroup (perhaps to lock consoles into a
cgroup)?

-serge
Re: [Lxc-users] what's the difference in lxc-attach
(sorry, just realized postfix has been messing up my email, hope this
comes through ok)

Quoting Ramez Hanna (rha...@informatiq.org):
> in f15 systemd whenever a user starts a process it looks like this
> ├ user
> │ ├ root
> │ │ └ 86
> │ │ ├ 24814 -bash
> │ │ ├ 24848 top
> │ │ └ 31324 login -- root
> │ └ rhanna
> │ ├ 56
> │ │ ├ 1002 pam: gdm-password
> │ │ ├ 1047 /usr/bin/enlightenment
> │ │ ├ 1058 dbus-launch --sh-syntax --exit-with-session
> │ │ ├ 1059 /bin/dbus-daemon --fork --print-pid 5 --print-address 7
> --sess...
>
> so i would expect lxc to create its cgroup under the user (root in this
> case) instead
> while it currently shows it like this
> boss is the name of the container
> ├ 24811 [kworker/1:0]
> ├ boss
> │ ├ 8914 init [3]
> │ ├ 9135 /usr/sbin/cron
> │ ├ 9146 /usr/sbin/sshd
>
> now I am not trying to use systemd-nspawn to replace lxc or anything, I am
> just using it to debug if i had problems in my container rootfs
> and well if nspawn doesn't screw up my host then it is doing something
> better

Sorry I've not had time to read this thread through sufficiently, but
the above, at first glance, is telling. Does fedora's initramfs set up
the first part of the cgroup hierarchy? My guess is that's the problem
and so systemd is expecting /user to be already set up.

So to support systemd, we may need to either have a init wrapper to do
some of the initramfs cruft, or have lxc do it. Yuck to both. Yuck to
use of initramfs for anything other than loading needed kernel modules :)

-serge
Re: [Lxc-users] read only rootfs
(sorry, just realized postfix has been messing up my email, hope this
comes through ok)

Quoting C Anthony Risinger (anth...@xtfx.me):
> On Jul 15, 2011 12:01 PM, "Michael H. Warfield" wrote:
> >
> > Unfortunately, I also still find that if there's a -o remount,ro in the
> > halt/reboot script, it still sets /dev/pts to ro and that still
> > propagates to the host and to the other containers triggering random
> > acts of terrorism like "unable to create pty/0" in the containers and
> > inability to start new containers in the host. Not sure if we can apply
> > a bind to that or not.
>
> Doesn't `-o newinstance` mount option to devpts mounts prevent this? It

I haven't looked further than reading Michael's email, but a plausible
sequence is that (a) the container's rootfs is just a bind mount from
the parent's, (b) the mount -o remount,ro is not being done with 'bind'
and so affects the fs, not the mount (as helpfully pointed out a few
weeks ago on irc by dhansen), and so (c) the fs on which the host's
/var/lib/lxc//rootfs is mounted gets recursively mounted ro, and the
host's /dev/pts is under that.

> should privatize the devices for each ... its best to mount host this way
> too -- then set symlink for each:
>
> /dev/ptmx -> /dev/pts/ptmx
>
> > The kernel should also prohibit, totally, the propagation of remount
> > options from inside a container to the outer host or to other
> > containers. That is tantamount to a security vulnerability and clearly
> > a violation of container isolation.
>
> But not all use cases are system containers, eg 100% isolated. Isn't a
> slave mount enough to prevent this? I'd have to check but I *thought* bind
> mounts only responded to the `ro` flag ... and the new mount NS I'd think
> would play a role too ... not sure details offhand.

See '(b)' above. You're sort of mixing mounts propagation with bind
mounts subtleties. Your second sentence in that paragraph is 100%
correct. The third is non sequitur :)

See the patch I just sent in response to Michael's email.

thanks,
-serge
Re: [Lxc-users] mount from outside of a container online
(sorry, just realized postfix has been messing up my email, hope this
comes through ok)

Quoting Papp Tamas (tom...@martos.bme.hu):
> hi!
>
> Is it possible somehow?
>
> I'd like to bind mount a directory into a container and also I'd like to
> avoid restarting it.

It should be possible, but you have to set it up in advance. You can
create a /lxcshare directory on the host, make sure it is slave
(mount --make-rslave /lxcshare) and bind-mount that into the container
at startup. Then mounting a directory into /lxcshare should expose it
to the container.

-serge
[Lxc-users] [PATCH] Re: read only rootfs
(sorry, just realized postfix has been messing up my email) Quoting Michael H. Warfield (m...@wittsend.com): > Unfortunately, I also still find that if there's a -o remount,ro in the > halt/reboot script, it still sets /dev/pts to ro and that still > propagates to the host and to the other containers triggering random Wow. Did a quick grep; is there any reason why lxc-start doesn't turn on MS_SLAVE for the client's root? Something like: >From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Mon, 18 Jul 2011 07:29:57 -0500 Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE Signed-off-by: Serge Hallyn --- src/lxc/conf.c |5 + 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 2eb598b..d36fe47 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs) return -1; } + if (mount(rootfs->path, rootfs->path, "none", MS_SLAVE, 0)) { + ERROR("failed to turn child rootfs into slave"); + return -1; + } + DEBUG("mounted '%s' on '%s'", rootfs->path, rootfs->mount); return 0; -- 1.7.4.1 > The kernel should also prohibit, totally, the propagation of remount The kernel doesn't know about containers, so it's up to userspace :) -serge -- Storage Efficiency Calculator This modeling tool is based on patent-pending intellectual property that has been used successfully in hundreds of IBM storage optimization engage- ments, worldwide. Store less, Store more with what you own, Move data to the right place. Try It Now! http://www.accelacomm.com/jaw/sfnl/114/51427378/ ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
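Review bot: the new mount() call in setup_rootfs passes MS_SLAVE without MS_REC, so only the top-level rootfs mount changes propagation type; every submount underneath (the devpts in the report above included) keeps its shared setting and a remount there still propagates back to the host. Use `MS_REC | MS_SLAVE`, and point the call at the place the rootfs is actually mounted, `rootfs->mount`, rather than `rootfs->path`, which is the source. Two smaller points: the failure branch uses ERROR, so the errno from the failed mount is lost (SYSERROR, as used elsewhere in lxc, would log it), and the final `data` argument should be NULL rather than `0`.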
Re: [Lxc-users] Latest test results - Was: cgroups: support cgroups mounted in multiple places (v3)
Quoting Michael H. Warfield (m...@wittsend.com):
> On Sat, 2011-07-02 at 15:13 -0500, Serge Hallyn wrote:
> > Quoting Michael H. Warfield (m...@wittsend.com):
> > ...
> > > F15 systemd: Passed.
> > > F12 single mount: Passed.
> > > F13 single mount: Passed.
> > > F14 single mount: Passed.
> > > F14 libcgroup: Failed.
> > >
> > > I had the default /etc/cgconfig.conf file and here are the results:
> > >
> > > [root@berserker-base ~]# cat /etc/cgconfig.conf
> > > #
> > > # Copyright IBM Corporation. 2007
> > > #
> > > # Authors: Balbir Singh
> > > # This program is free software; you can redistribute it and/or modify it
> > > # under the terms of version 2.1 of the GNU Lesser General Public License
> > > # as published by the Free Software Foundation.
> > > #
> > > # This program is distributed in the hope that it would be useful, but
> > > # WITHOUT ANY WARRANTY; without even the implied warranty of
> > > # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> > > #
> > > # See man cgconfig.conf for further details.
> > > #
> > > # By default, mount all separately controllers
> > > # to /cgroup/
> > >
> > > mount {
> > > 	cpuset = /cgroup/cpuset;
> > > 	cpu = /cgroup/cpu;
> > > 	cpuacct = /cgroup/cpuacct;
> > > 	memory = /cgroup/memory;
> > > 	devices = /cgroup/devices;
> > > 	freezer = /cgroup/freezer;
> > > 	net_cls = /cgroup/net_cls;
> > > 	ns = /cgroup/ns;
> > > 	blkio = /cgroup/blkio;
> > > }
> > >
> > > [root@berserker-base ~]# uname -a
> > > Linux berserker-base.wittsend.com 2.6.35.13-92.fc14.i686 #1 SMP Sat May 21 17:39:42 UTC 2011 i686 i686 i386 GNU/Linux
> > > [root@berserker-base ~]# mount -t cgroup
> > > cgroup on /cgroup/cpuset type cgroup (rw,relatime,cpuset)
> > > cgroup on /cgroup/cpu type cgroup (rw,relatime,cpu)
> > > cgroup on /cgroup/cpuacct type cgroup (rw,relatime,cpuacct)
> > > cgroup on /cgroup/memory type cgroup (rw,relatime,memory)
> > > cgroup on /cgroup/devices type cgroup (rw,relatime,devices)
> > > cgroup on /cgroup/freezer type cgroup (rw,relatime,freezer)
> > > cgroup on /cgroup/net_cls type cgroup (rw,relatime,net_cls)
> > > cgroup on /cgroup/ns type cgroup (rw,relatime,ns)
> > > cgroup on /cgroup/blkio type cgroup (rw,relatime,blkio)
> > > [root@berserker-base ~]# lxc-start -n Ashaman
> > > lxc-start: no ns_cgroup option specified
> >
> > Just a thought - does F14's kernel not support clone_children? See output
> > of ls /cgroup/cpuset and see if /cgroup/cpuset/cgroup.clone_children exists.
> > If not, then yeah there's nothing that can be done without the ns cgroup.
>
> 1) The ns cgroup does exist and is mounted.

Yes but it needs to be composed with the others :)

> 2) It works with the single mount point and clone children is not
> present.

Ok, cool. So the results make perfect sense.

thanks,
-serge
[Lxc-users] [RFC] best way to add creation of lvm containers
Hey,

so lxc-clone will create a snapshot-based clone of an lvm-backed
container in about a second. Creating the first lvm-backed container
is a bit of a pain though. I do it using the script below, called
'lxclvmconvert' on my machine. So I do

	lxc-create -t ubuntu -f /etc/lxc.conf -n mavbase -- -r maverick
	lxclvmconvert mavbase

and from then on I can do fast

	lxc-clone -s -o mavbase -n mav-bugxyz

My question is, where do we want to put this functionality? Of course
I *can* put it in the ubuntu template itself, but I'm leery of adding
too many options to that. Consider that just for the lvm support we'd
need to add optional arguments for:

	backing store type: (lvm, loopback file, real blockdev)
	backing store fstype
	backing store size
	other options, i.e. lvm volume group name

So, do you think it would be better for the container creation
templates to offer this support, or to have a separate tool, not
lxclvmconvert, but maybe 'lxc-convert', which converts a container from
any supported backing type to any other. Backing types I guess could
start out by including

	directory (the current way)
	lvm
	loopback file
	raw device

thanks,
-serge

#!/bin/sh
# lxclvmconvert: move a directory-backed container's rootfs onto a new
# logical volume in volume group 'lxc' and point the container config at it.
if [ $# -lt 1 ]; then
	echo "Usage: $0 container-name [size] [fstype]"
	exit 1
fi
c=$1
size=2G
fstype=ext3
echo "converting container $c"
if [ $# -gt 1 ]; then
	size=$2
	echo "Using size $size"
fi
if [ $# -gt 2 ]; then
	fstype=$3
	echo "Using fstype $fstype"
fi
if [ ! -d /var/lib/lxc/$c/rootfs ]; then
	echo "Container $c doesn't seem to exist?"
	exit 1
fi
if [ -e /dev/lxc/$c ]; then
	echo "/dev/lxc/$c already exists. Bailing"
	exit 1
fi
# nothing has been created yet if lvcreate itself fails, so just bail
lvcreate -L $size -n $c lxc || exit 1
sleep 1
mkfs -t $fstype /dev/lxc/$c
if [ $? -ne 0 ]; then
	echo "Failed to create the filesystem"
	lvremove -f /dev/lxc/$c
	exit 1
fi
mkdir /var/lib/lxc/$c/lvm || { lvremove -f /dev/lxc/$c; exit 1; }
mount -t $fstype /dev/lxc/$c /var/lib/lxc/$c/lvm || { rmdir /var/lib/lxc/$c/lvm; lvremove -f /dev/lxc/$c; exit 1; }
# copy the existing rootfs onto the new volume
rsync -va /var/lib/lxc/$c/rootfs/ /var/lib/lxc/$c/lvm || echo "Rsync had errors, you may want to check; continuing"
umount /var/lib/lxc/$c/lvm
rmdir /var/lib/lxc/$c/lvm
rm -rf /var/lib/lxc/$c/rootfs
mkdir /var/lib/lxc/$c/rootfs
# replace the old lxc.rootfs entry with the block device
sed -i '/lxc.rootfs/d' /var/lib/lxc/$c/config
echo "lxc.rootfs = /dev/lxc/$c" >> /var/lib/lxc/$c/config
echo "Finished"
[Lxc-users] [PATCH] cgroups: support cgroups mounted in multiple places (v3)
(sorry for the extra traffic.) With this patch, lxc works for me both with all cgroups mounted with ns cgroup on /cgroup, and with libcgroup mounting all cgroups separately. To do this, instead of looking for one cgroup called 'lxc' or otherwise taking the first cgroup we find, we actually create a container in every mounted cgroup fs. Right now it's done under the root of each fs. We may want to put that under lxc, or, better yet, make that configurable. Changelog: Michael H. Warfield: Handle the case where subsystem doesn't have '.'. Daniel Lezcano: clean up incorrect reentrant use of mntent helpers v3: use the rest of Daniel's cleanups TODO: add a configurable directory name, 'lxc' by default, under which all lxc cgroups are created (i.e. /sys/fs/cgroup/lxc) Signed-off-by: Serge Hallyn --- src/lxc/cgroup.c | 234 ++--- src/lxc/cgroup.h |2 +- src/lxc/freezer.c |2 +- src/lxc/lxc.h |8 +- src/lxc/state.c |2 +- 5 files changed, 139 insertions(+), 109 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index a068a01..950869a 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c 
@@ -52,90 +52,49 @@ enum { CGROUP_CLONE_CHILDREN, }; -static int get_cgroup_mount(const char *mtab, char *mnt) +static int get_cgroup_mount(const char *subsystem, char *mnt) { struct mntent *mntent; FILE *file = NULL; -int err = -1; -file = setmntent(mtab, "r"); +file = setmntent(MTAB, "r"); if (!file) { -SYSERROR("failed to open %s", mtab); +SYSERROR("failed to open %s", MTAB); return -1; } while ((mntent = getmntent(file))) { - /* there is a cgroup mounted named "lxc" */ - if (!strcmp(mntent->mnt_fsname, "lxc") && - !strcmp(mntent->mnt_type, "cgroup")) { - strcpy(mnt, mntent->mnt_dir); - err = 0; - break; - } - - /* fallback to the first non-lxc cgroup found */ -if (!strcmp(mntent->mnt_type, "cgroup") && err) { +if (strcmp(mntent->mnt_type, "cgroup")) + continue; + if (!subsystem || hasmntopt(mntent, subsystem)) { strcpy(mnt, mntent->mnt_dir); - err = 0; + fclose(file); + DEBUG("using cgroup mounted at '%s'", mnt); + return 0; } }; - DEBUG("using cgroup mounted at '%s'", mnt); + DEBUG("Failed to find cgroup for %s\n", subsystem ? 
subsystem : "(NULL)"); fclose(file); -return err; +return -1; } -static int get_cgroup_flags(const char *mtab, int *flags) +static int get_cgroup_flags(struct mntent *mntent) { -struct mntent *mntent; -FILE *file = NULL; -int err = -1; - -file = setmntent(mtab, "r"); -if (!file) { -SYSERROR("failed to open %s", mtab); - return -1; -} - - *flags = 0; - -while ((mntent = getmntent(file))) { - - /* there is a cgroup mounted named "lxc" */ - if (!strcmp(mntent->mnt_fsname, "lxc") && - !strcmp(mntent->mnt_type, "cgroup")) { - - if (hasmntopt(mntent, "ns")) - *flags |= CGROUP_NS_CGROUP; - - if (hasmntopt(mntent, "clone_children")) - *flags |= CGROUP_CLONE_CHILDREN; - - err = 0; - break; - } +int flags = 0; - /* fallback to the first non-lxc cgroup found */ -if (!strcmp(mntent->mnt_type, "cgroup") && err) { - if (hasmntopt(mntent, "ns")) - *flags |= CGROUP_NS_CGROUP; + if (hasmntopt(mntent, "ns")) + flags |= CGROUP_NS_CGROUP; - if (hasmntopt(mntent, "clone_children")) - *flags |= CGROUP_CLONE_CHILDREN; + if (hasmntopt(mntent, "clone_children")) + flags |= CGROUP_CLONE_CHILDREN; - err = 0; - } -}; - - DEBUG("cgroup flags is 0x%x", *flags); - -fclose(file); - -return err; + DEBUG("cgroup %s has flags 0x%x", mntent->mnt_dir, flags); + return flags; } static int cgroup_rename_nsgroup(const char *mnt, const char *name, pid_t pid) @@ -199,19 +158,19 @@ static int cgroup_attach(const char *path, pid_t pid) return ret; } -int lxc_cgroup_create(const char *name, pid_t pid) +/* + * create a cgroup for the container in a particular subsystem. + * XXX TODO we will of course want to use cgroup_path{subsystem}/lxc/name, + * not just
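Review bot: in get_cgroup_mount, `strcpy(mnt, mntent->mnt_dir)` copies a mount point of arbitrary length into a caller-supplied buffer whose size the function is never told, so a long cgroup mount path can overrun `mnt`; add a length parameter and use snprintf (or check strlen before copying) and fail cleanly when it does not fit. The new early-return path also closes the stream from setmntent with fclose; endmntent is the documented counterpart and should be used there and at the function's end. Minor: the failure DEBUG ends its format string with "\n" while the other log calls in the hunk do not.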
[Lxc-users] [PATCH] lxc: support cgroups mounted in multiple places (v2)
With this patch, lxc works for me both with all cgroups mounted with ns cgroup on /cgroup, and with libcgroup mounting all cgroups separately. To do this, instead of looking for one cgroup called 'lxc' or otherwise taking the first cgroup we find, we actually create a container in every mounted cgroup fs. Right now it's done under the root of each fs. We may want to put that under lxc, or, better yet, make that configurable. Changelog: Michael H. Warfield: Handle the case where subsystem doesn't have '.'. Daniel Lezcano: clean up incorrect reentrant use of mntent helpers TODO: 1. add a configurable directory name, 'lxc' by default, under which all lxc cgroups are created (i.e. /sys/fs/cgroup/lxc) 2. improve clone_children interaction. Report if it isn't set, or automatically set it. Signed-off-by: Serge Hallyn --- src/lxc/cgroup.c | 230 ++--- src/lxc/cgroup.h |2 +- src/lxc/freezer.c |2 +- src/lxc/lxc.h |8 +- src/lxc/state.c |2 +- 5 files changed, 138 insertions(+), 106 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index a068a01..e037c7b 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c 
@@ -52,90 +52,52 @@ enum { CGROUP_CLONE_CHILDREN, }; -static int get_cgroup_mount(const char *mtab, char *mnt) +static int get_cgroup_mount(const char *subsystem, char *mnt) { struct mntent *mntent; FILE *file = NULL; -int err = -1; -file = setmntent(mtab, "r"); +file = setmntent(MTAB, "r"); if (!file) { -SYSERROR("failed to open %s", mtab); +SYSERROR("failed to open %s", MTAB); return -1; } while ((mntent = getmntent(file))) { - /* there is a cgroup mounted named "lxc" */ - if (!strcmp(mntent->mnt_fsname, "lxc") && - !strcmp(mntent->mnt_type, "cgroup")) { - strcpy(mnt, mntent->mnt_dir); - err = 0; - break; - } - - /* fallback to the first non-lxc cgroup found */ -if (!strcmp(mntent->mnt_type, "cgroup") && err) { +if (strcmp(mntent->mnt_type, "cgroup")) + continue; + if (!subsystem || hasmntopt(mntent, subsystem)) { strcpy(mnt, mntent->mnt_dir); - err = 0; + fclose(file); + DEBUG("using cgroup mounted at '%s'", mnt); + return 0; } }; - DEBUG("using cgroup mounted at '%s'", mnt); + DEBUG("Failed to find cgroup for %s\n", subsystem ? 
subsystem : "(NULL)"); fclose(file); -return err; +return -1; } -static int get_cgroup_flags(const char *mtab, int *flags) +static int get_cgroup_flags(struct mntent *mntent, int *flags) { -struct mntent *mntent; -FILE *file = NULL; int err = -1; -file = setmntent(mtab, "r"); -if (!file) { -SYSERROR("failed to open %s", mtab); - return -1; -} - *flags = 0; -while ((mntent = getmntent(file))) { - - /* there is a cgroup mounted named "lxc" */ - if (!strcmp(mntent->mnt_fsname, "lxc") && - !strcmp(mntent->mnt_type, "cgroup")) { - - if (hasmntopt(mntent, "ns")) - *flags |= CGROUP_NS_CGROUP; - - if (hasmntopt(mntent, "clone_children")) - *flags |= CGROUP_CLONE_CHILDREN; - - err = 0; - break; - } - - /* fallback to the first non-lxc cgroup found */ -if (!strcmp(mntent->mnt_type, "cgroup") && err) { - - if (hasmntopt(mntent, "ns")) - *flags |= CGROUP_NS_CGROUP; - - if (hasmntopt(mntent, "clone_children")) - *flags |= CGROUP_CLONE_CHILDREN; - - err = 0; - } -}; - - DEBUG("cgroup flags is 0x%x", *flags); - -fclose(file); - -return err; + if (hasmntopt(mntent, "ns")) { + *flags |= CGROUP_NS_CGROUP; + err = 0; + } + if (hasmntopt(mntent, "clone_children")) { + *flags |= CGROUP_CLONE_CHILDREN; + err = 0; + } + DEBUG("cgroup flags for %s is 0x%x", mntent->mnt_dir, *flags); + return err; } static int cgroup_rename_nsgroup(const char *mnt, const char *name, pid_t pid) @@ -199,19 +161,18 @@ static int cgroup_attach(const char *path, pid_t pid) return ret; } -int lxc_cgroup_create(const char *name, pid_t pid) +/* + * create a cgroup for the container in a particular subsys
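Review bot: in the get_cgroup_mount hunk, `strcpy(mnt, mntent->mnt_dir);` still copies an arbitrary-length mount path into a caller buffer whose size the new signature `get_cgroup_mount(const char *subsystem, char *mnt)` does not convey; pass the buffer length and copy with snprintf (checking for truncation) so an unusually long mount point cannot overrun the caller's array. Minor: the new `DEBUG("Failed to find cgroup for %s\n", ...)` carries a trailing `\n` that the other DEBUG calls in this file do not.

Review bot: in the get_cgroup_flags hunk, `err` stays at -1 when the hierarchy has neither the `ns` nor the `clone_children` option, so a perfectly valid cgroup mount with neither option is reported to the caller as a failure even though `*flags == 0` is the correct answer; initialise `err = 0` (or make the function void) and let callers act on the flag bits instead.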
Re: [Lxc-users] [PATCH 2/2] cgroups: support cgroups mounted in multiple places
Quoting Michael H. Warfield (m...@wittsend.com):
> On Sun, 2011-06-26 at 14:00 -0500, Serge E. Hallyn wrote:
> > Quoting Michael H. Warfield (m...@wittsend.com):
> >
> > Thanks, Michael, good catch.
> >
> > > > Now wait a minute. Is that a typo here:
> >
> > No it's not, but:
> >
> > > > char *s = index(retbuf, '.');
> > > >
> > > > If you're doing, in effect, a dirname here should that be this:
> > > >
> > > > char *s = index(retbuf, '/');
> > > >
> > > > IAC... That "*s = '\0';" should include a NULL check.
> > > >
> > > > Adding the NULL check and lxc-info works.
> > > >
> > > > Looks like that subsystem name in the call to that routine is not what
> > > > Serge thought it was. I threw a print above the snprintf about just for
> > > > giggles to print out the subsystem name being passed to it and this is
> > > > what I got back...
> > > >
> > > > [mhw@forest SPECS]$ sudo lxc-info -n Alcove
> > > > subsystem name: "freezer"
> > > > 'Alcove' is RUNNING
> > > >
> > > > No wonder "s" was null. No dot and no /.
> > >
> > > I applied this patch and it got lxc-info working. But it was a quick
> > > hack just to address the NULL pointer. Is it the correct fix?
> >
> > No, it's not.
> >
> > For the calls to this function that come from cgroup.c itself, '.' is the
> > right thing. The problem is that lxc_cgroup_set() and lxc_cgroup_get()
> > pass in things like 'devices.allow'. I was going to make the index
> > conditional, but all the callers of this function pass in either a filename
> > (with a '.' in it) or NULL.
> >
> > I failed to notice these:
> >
> > src/lxc/freezer.c: ret = lxc_cgroup_path_get(&nsgroup, "freezer", name);
> > src/lxc/state.c: err = lxc_cgroup_path_get(&nsgroup, "freezer", name);
> >
> > :)
> >
> > These are what you are running into.
> >
> > So the thing to do is leave it searching for index(s, '.') but do nothing
> > if s is NULL.
>
> And that's what I believe results with my little hack.
> Only truncate if

Oops, sorry, I didn't look closely enough and assumed your patch was switching to checking for '/'.

> there was a hit and s was non-null. I see now from your comments that
> the check on '.' was correct. I was uncertain about the inputs and
> outputs in this routine. Checking for the NULL condition may not be
> "the" solution, in this case, but it is still a best common practice to
> check pointers like that. Never can tell what may crop up in the
> future.
>
> > Really it would be cleaner to have lxc_cgroup_{sg}et() do the index, so
> > that lxc_cgroup_path_get() always gets a subsystem or NULL. I'm not doing
> > that patch right now, though, trivial as it ought to be.
>
> I hear you.

So Acked-by: Serge Hallyn to your patch to fix my bug, and let's leave it at that for now until it gets more testing?

Thanks again for testing and looking into it!

-serge

--
All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2
Re: [Lxc-users] [PATCH 2/2] cgroups: support cgroups mounted in multiple places
Quoting Michael H. Warfield (m...@wittsend.com):

Thanks, Michael, good catch.

> > Now wait a minute. Is that a typo here:

No it's not, but:

> > char *s = index(retbuf, '.');
> >
> > If you're doing, in effect, a dirname here should that be this:
> >
> > char *s = index(retbuf, '/');
> >
> > IAC... That "*s = '\0';" should include a NULL check.
> >
> > Adding the NULL check and lxc-info works.
> >
> > Looks like that subsystem name in the call to that routine is not what
> > Serge thought it was. I threw a print above the snprintf about just for
> > giggles to print out the subsystem name being passed to it and this is
> > what I got back...
> >
> > [mhw@forest SPECS]$ sudo lxc-info -n Alcove
> > subsystem name: "freezer"
> > 'Alcove' is RUNNING
> >
> > No wonder "s" was null. No dot and no /.
>
> I applied this patch and it got lxc-info working. But it was a quick
> hack just to address the NULL pointer. Is it the correct fix?

No, it's not.

For the calls to this function that come from cgroup.c itself, '.' is the right thing. The problem is that lxc_cgroup_set() and lxc_cgroup_get() pass in things like 'devices.allow'. I was going to make the index conditional, but all the callers of this function pass in either a filename (with a '.' in it) or NULL.

I failed to notice these:

src/lxc/freezer.c: ret = lxc_cgroup_path_get(&nsgroup, "freezer", name);
src/lxc/state.c: err = lxc_cgroup_path_get(&nsgroup, "freezer", name);

:)

These are what you are running into.

So the thing to do is leave it searching for index(s, '.') but do nothing if s is NULL.

Really it would be cleaner to have lxc_cgroup_{sg}et() do the index, so that lxc_cgroup_path_get() always gets a subsystem or NULL. I'm not doing that patch right now, though, trivial as it ought to be.

thanks,
-serge
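The subsystem lookup discussed in this exchange, as an added example that is not LXC's code: it takes the file names lxc_cgroup_set()/lxc_cgroup_get() pass ("devices.allow"), the bare "freezer" that freezer.c and state.c pass, and NULL, truncates at the '.' only when one exists, and then matches the subsystem against a constructed mount table with hasmntopt(3), the libc helper the patch uses. The mount table, the function names and the buffer sizes are assumptions for illustration.

```c
/*
 * Added example (not LXC code): reduce a cgroup file name to its
 * subsystem NULL-safely, then find the cgroup hierarchy that carries
 * that subsystem by matching it against mount options with hasmntopt(3).
 */
#include <mntent.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy the subsystem part of a cgroup file name into out.
 *   "devices.allow" -> "devices"
 *   "freezer"       -> "freezer"  (no '.', so nothing is truncated; this is
 *                                  the input that used to dereference NULL)
 * Returns out, or NULL when filename is NULL or does not fit in out.
 */
static char *cgroup_subsystem(const char *filename, char *out, size_t outlen)
{
    if (!filename)
        return NULL;
    const char *dot = strchr(filename, '.');   /* strchr is index(3) */
    size_t n = dot ? (size_t)(dot - filename) : strlen(filename);
    if (n >= outlen)
        return NULL;
    memcpy(out, filename, n);
    out[n] = '\0';
    return out;
}

/*
 * Does this mtab entry carry the subsystem?  hasmntopt() matches whole
 * comma-separated option names, so "cpu" matches "...,cpu,cpuacct" but
 * not "...,cpuacct" alone.  A NULL subsystem accepts any cgroup hierarchy.
 */
static int cgroup_mount_has(const struct mntent *m, const char *subsystem)
{
    if (strcmp(m->mnt_type, "cgroup") != 0)
        return 0;
    if (!subsystem)
        return 1;
    return hasmntopt(m, subsystem) != NULL;
}

/* Constructed mount table (stand-in for /etc/mtab on a host where every
 * subsystem is mounted separately); not captured from a real system. */
static struct mntent sample_mounts[] = {
    { "tmpfs",  "/sys/fs/cgroup",         "tmpfs",  "rw,nosuid,nodev,noexec,mode=755", 0, 0 },
    { "cgroup", "/sys/fs/cgroup/cpuacct", "cgroup", "rw,nosuid,nodev,noexec,relatime,cpuacct", 0, 0 },
    { "cgroup", "/sys/fs/cgroup/cpu",     "cgroup", "rw,nosuid,nodev,noexec,relatime,cpu", 0, 0 },
    { "cgroup", "/sys/fs/cgroup/devices", "cgroup", "rw,nosuid,nodev,noexec,relatime,devices", 0, 0 },
    { "cgroup", "/sys/fs/cgroup/freezer", "cgroup", "rw,nosuid,nodev,noexec,relatime,freezer", 0, 0 },
    { "cgroup", "/sys/fs/cgroup/cpuset",  "cgroup", "rw,nosuid,nodev,noexec,relatime,cpuset,clone_children", 0, 0 },
};
static const size_t n_sample_mounts = sizeof sample_mounts / sizeof sample_mounts[0];

/*
 * Resolve a cgroup file name (or bare subsystem, or NULL) to the mount
 * directory of the hierarchy serving it.  Returns NULL when no mounted
 * hierarchy carries the subsystem, or when the name is too long.
 */
static const char *find_cgroup_mount(const char *filename)
{
    char subsys[64];
    const char *want = filename ? cgroup_subsystem(filename, subsys, sizeof subsys) : NULL;
    if (filename && !want)
        return NULL;
    for (size_t i = 0; i < n_sample_mounts; i++)
        if (cgroup_mount_has(&sample_mounts[i], want))
            return sample_mounts[i].mnt_dir;
    return NULL;
}

int main(void)
{
    const char *names[] = { "devices.allow", "freezer", "cpu.shares",
                            "cpuset.cpus", "memory.limit_in_bytes", NULL };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *mnt = find_cgroup_mount(names[i]);
        printf("%-24s -> %s\n", names[i] ? names[i] : "(NULL)",
               mnt ? mnt : "(no hierarchy)");
    }
    return 0;
}
```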
Re: [Lxc-users] lxc on fedora 15 (was : cgroups: support cgroups mounted in multiple places)
Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> I reported the problem some months ago.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=636210
>
> When running a debian container, there is no problem.

Dude, does redhat have a maintainer for the package? I think they informally closed the bug assuming that it was F13 only, and F13 is EOL.
Re: [Lxc-users] lxc on fedora 15 (was : cgroups: support cgroups mounted in multiple places)
Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> fedora 15 has a patched kernel with utrace.

By patched, you mean utrace is not upstream?

> Are we sure, utrace is pid namespace aware ?

I've not looked at it, no.

> My natty container booted on fedora 15 but is stuck at:
>
> \_ lxc-start -n natty -l DEBUG -o /dev/pts/0
> \_ /sbin/init
> \_ /sbin/plymouthd --mode=boot --attach-to-session
> \_ /sbin/plymouthd --mode=boot --attach-to-session

Does this only happen with my patches?

> pidof /sbin/plymouthd
> 6224 6222
>
> cat /proc/6224/stack
> [] utrace_stop+0x128/0x181
> [] finish_resume_report+0x6a/0xb2
> [] utrace_get_signal+0x460/0x5a6
> [] get_signal_to_deliver+0x102/0x3a9
> [] do_signal+0x69/0x67f
> [] do_notify_resume+0x28/0x83
> [] int_signal+0x12/0x17
> [] 0x
>
> cat /proc/6222/stack
> [] pipe_wait+0x61/0x7c
> [] pipe_read+0x344/0x3c1
> [] do_sync_read+0xbf/0xff
> [] vfs_read+0xa9/0xf0
> [] sys_read+0x4a/0x6e
> [] system_call_fastpath+0x16/0x1b
> [] 0x
Re: [Lxc-users] [PATCH 2/2] cgroups: support cgroups mounted in multiple places
Quoting Michael H. Warfield (m...@wittsend.com):
> > cd /sys/fs/cgroup
> > for d in `/bin/ls`; do
> > echo 1 > $d/cgroup.clone_children
> > done
>
> Doing this step alone broke lxc totally for me, with or without the
> patch below. This was on Fedora 15 testing with lxc 0.7.4.2 as well as

Do you have the ns cgroup mounted? The above is only for without ns cgroup.

-serge
[Lxc-users] [PATCH RFC] cgroups: support cgroups mounted in multiple places
= Mind you, this patch isn't right. Strace shows it does the right thing with the cgroups. Creates new ones for each container. Moves the container into them. But then fails on connecting to the lxc-monitor socket.I'm done for tonight, so sending this out in case anyone wants to review/comment. = cgroups: support cgroups mounted in multiple places I.e. with systemd or libcgroup. The approach is just, instead of looking for a cgroup called 'lxc' or otherwise taking the first cgroup we find, we actually create a container in every mounted cgroup fs. Right now it's done under the root of each fs. We may want to put that under lxc, or, better yet, make that configurable. Signed-off-by: Serge Hallyn --- src/lxc/cgroup.c | 183 ++--- src/lxc/cgroup.h |2 +- src/lxc/freezer.c |2 +- src/lxc/state.c |2 +- 4 files changed, 106 insertions(+), 83 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index a068a01..5e9455c 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -52,11 +52,10 @@ enum { CGROUP_CLONE_CHILDREN, }; -static int get_cgroup_mount(const char *mtab, char *mnt) +static int get_cgroup_mount(const char *mtab, const char *subsystem, char *mnt) { struct mntent *mntent; FILE *file = NULL; -int err = -1; file = setmntent(mtab, "r"); if (!file) { 
@@ -66,29 +65,23 @@ static int get_cgroup_mount(const char *mtab, char *mnt) while ((mntent = getmntent(file))) { - /* there is a cgroup mounted named "lxc" */ - if (!strcmp(mntent->mnt_fsname, "lxc") && - !strcmp(mntent->mnt_type, "cgroup")) { - strcpy(mnt, mntent->mnt_dir); - err = 0; - break; - } - /* fallback to the first non-lxc cgroup found */ -if (!strcmp(mntent->mnt_type, "cgroup") && err) { +if (strcmp(mntent->mnt_type, "cgroup")) + continue; + if (!subsystem || hasmntopt(mntent, subsystem)) { strcpy(mnt, mntent->mnt_dir); - err = 0; + fclose(file); + DEBUG("using cgroup mounted at '%s'", mnt); + return 0; } -}; - - DEBUG("using cgroup mounted at '%s'", mnt); +} + DEBUG("Failed to find cgroup for %s\n", subsystem ? subsystem : "(NULL)"); fclose(file); - -return err; +return -1; } -static int get_cgroup_flags(const char *mtab, int *flags) +static int get_cgroup_flags(const char *mtab, const char *mnt_dir, int *flags) { struct mntent *mntent; FILE *file = NULL; 
@@ -104,37 +97,26 @@ static int get_cgroup_flags(const char *mtab, int *flags) while ((mntent = getmntent(file))) { - /* there is a cgroup mounted named "lxc" */ - if (!strcmp(mntent->mnt_fsname, "lxc") && - !strcmp(mntent->mnt_type, "cgroup")) { - - if (hasmntopt(mntent, "ns")) - *flags |= CGROUP_NS_CGROUP; - - if (hasmntopt(mntent, "clone_children")) - *flags |= CGROUP_CLONE_CHILDREN; + if (strcmp(mntent->mnt_type, "cgroup")) + continue; + if (strcmp(mntent->mnt_dir, mnt_dir)) + continue; + if (hasmntopt(mntent, "ns")) { + *flags |= CGROUP_NS_CGROUP; err = 0; - break; } - - /* fallback to the first non-lxc cgroup found */ -if (!strcmp(mntent->mnt_type, "cgroup") && err) { - - if (hasmntopt(mntent, "ns")) - *flags |= CGROUP_NS_CGROUP; - - if (hasmntopt(mntent, "clone_children")) - *flags |= CGROUP_CLONE_CHILDREN; - + if (hasmntopt(mntent, "clone_children")) { + *flags |= CGROUP_CLONE_CHILDREN; err = 0; } -}; - DEBUG("cgroup flags is 0x%x", *flags); - -fclose(file); + fclose(file); + DEBUG("cgroup flags for %s is 0x%x", mnt_dir, *flags); + return err; + } + fclose(file); return err; } @@ -199,18 +181,17 @@ static int cgroup_attach(const char *path, pid_t pid) return ret; } -int lxc_cgroup_create(const char *name, pid_t pid) +/* + * create a cgroup for the container in a particular subsystem. + * XXX TODO we will of course want to use cgroup_path{subsystem}/lx
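Review bot: in the get_cgroup_flags hunk, `get_cgroup_flags(const char *mtab, const char *mnt_dir, int *flags)` re-opens mtab and walks it a second time, comparing `mntent->mnt_dir` against the `mnt_dir` string that `get_cgroup_mount` has just copied out of the very same table; passing the matched `struct mntent *` (or reading the flags inside the first loop) removes the second scan and the string round-trip, and cannot pick a different entry if two hierarchies are ever listed on the same directory. Also, `err` stays at -1 when the matched hierarchy has neither `ns` nor `clone_children`, so a plain cgroup mount is reported as an error although `*flags == 0` is a valid result.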
[Lxc-users] [PATCH 5/2] lxc-ubuntu: always install lxcguest in postprocess
Argh, sorry. But this is it. Now it works again :) Now I'm going to stop with patches for a bit, and just keep stuff in https://code.launchpad.net/~serge-hallyn/ubuntu/oneiric/lxc/update-templates/ Signed-off-by: Serge Hallyn --- templates/lxc-ubuntu.in |6 +- 1 files changed, 1 insertions(+), 5 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 60f5ae3..d6bc787 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -86,10 +86,6 @@ download_ubuntu() else packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase fi -# If this is natty or newer, and we weren't asked to trim the container, then add lxcguest -if [ $release != "lucid" -a $release != "maverick" -a $trim_container -ne 1 ]; then -packages=$packages,lxcguest -fi echo "installing packages: $packages" # check the mini ubuntu was not already downloaded @@ -324,8 +320,8 @@ post_process() chroot $rootfs apt-get install --force-yes -y python-software-properties chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa chroot $rootfs apt-get update -chroot $rootfs apt-get install --force-yes -y lxcguest fi +chroot $rootfs apt-get install --force-yes -y lxcguest fi } -- 1.7.4.1 -- Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Data protection magic? Nope - It's vRanger. Get your free trial download today. http://p.sf.net/sfu/quest-sfdev2dev ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
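Review bot: the relocated `chroot $rootfs apt-get install --force-yes -y lxcguest` keeps `--force-yes`, which tells apt-get to proceed without prompting even for actions it considers dangerous, including installing packages it cannot authenticate; once `add-apt-repository ppa:ubuntu-virt/ppa` has imported the PPA key, `-y` alone is sufficient, and a signature failure would then stop the build instead of being waved through into the container image. The commit message should also state that lxcguest is now installed regardless of `--trim`: the removed download_ubuntu block was guarded by `$trim_container -ne 1`, and the hunk does not show what the enclosing `if` in post_process tests.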
[Lxc-users] [PATCH 4/2] lxc-ubuntu: fix thinko
install lxcguest when NOT trimming the container Signed-off-by: Serge Hallyn --- templates/lxc-ubuntu.in |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 92fff86..60f5ae3 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -87,7 +87,7 @@ download_ubuntu() packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase fi # If this is natty or newer, and we weren't asked to trim the container, then add lxcguest -if [ $release != "lucid" -a $release != "maverick" -a $trim_container -eq 1 ]; then +if [ $release != "lucid" -a $release != "maverick" -a $trim_container -ne 1 ]; then packages=$packages,lxcguest fi echo "installing packages: $packages" -- 1.7.4.1 -- Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Data protection magic? Nope - It's vRanger. Get your free trial download today. http://p.sf.net/sfu/quest-sfdev2dev ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
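Review bot: in the corrected test `[ $release != "lucid" -a $release != "maverick" -a $trim_container -ne 1 ]` both variables are unquoted, so an empty `$release` collapses the expression to `[ != "lucid" ... ]` and the template dies with a test(1) syntax error instead of a clear message; quote them (`"$release"`, `"$trim_container"`) while touching this line.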
Re: [Lxc-users] [PATCH 3/2] lxc-ubuntu template: set lxc.arch in config
Gah! Wrong patch. Here is the right one. Sorry about that. Subject: [PATCH 3/2] lxc-ubuntu template: set lxc.arch in config Otherwise the container works fine, except uname -a reports x86_64, not i686. And unfortunately debootstrap and lxc.arch each accept only the opposite of each other (i386 vs i686) :) Signed-off-by: Serge Hallyn --- templates/lxc-ubuntu.in | 12 +++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 0b68e84..92fff86 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -167,6 +167,11 @@ copy_configuration() path=$1 rootfs=$2 name=$3 +arch=$4 + +if [ $arch = "i386" ]; then +arch="i686" +fi cat <> $path/config lxc.utsname = $name @@ -175,6 +180,7 @@ lxc.tty = 4 lxc.pts = 1024 lxc.rootfs = $rootfs lxc.mount = $path/fstab +lxc.arch = $arch lxc.cgroup.devices.deny = a # /dev/null and zero @@ -418,6 +424,10 @@ do esac done +if [ "$arch" == "i686" ]; then +arch=i386 +fi + if [ ! -z "$clean" -a -z "$path" ]; then clean || exit 1 exit 0 @@ -458,7 +468,7 @@ if [ $? -ne 0 ]; then exit 1 fi -copy_configuration $path $rootfs $name +copy_configuration $path $rootfs $name $arch if [ $? -ne 0 ]; then echo "failed write configuration file" exit 1 -- 1.7.4.1 -- Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Data protection magic? Nope - It's vRanger. Get your free trial download today. http://p.sf.net/sfu/quest-sfdev2dev ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
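Review bot: `if [ $arch = "i386" ]; then` in copy_configuration leaves `$arch` unquoted, so calling the function without the new fourth argument fails with "unary operator expected" rather than falling through sensibly; quote it (`[ "$arch" = "i386" ]`) as the main flow already does. The two opposite mappings now live in different places (i386 to i686 just before `lxc.arch` is written, i686 to i386 after option parsing for debootstrap); a one-line comment at each site saying which tool wants which spelling would keep a future reader from "fixing" one of them.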
[Lxc-users] [PATCH 3/2] lxc-ubuntu template: set lxc.arch in config
Otherwise the container works fine, except uname -a reports x86_64, not i686. And unfortunately debootstrap and lxc.arch each accept only the opposite of each other (i386 vs i686) :) Signed-off-by: Serge Hallyn --- templates/lxc-ubuntu.in |9 +++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 0b68e84..41ea90f 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -175,6 +175,7 @@ lxc.tty = 4 lxc.pts = 1024 lxc.rootfs = $rootfs lxc.mount = $path/fstab +lxc.arch = $arch lxc.cgroup.devices.deny = a # /dev/null and zero @@ -397,8 +398,8 @@ trim_container=0 if [ "$arch" == "x86_64" ]; then arch=amd64 fi -if [ "$arch" == "i686" ]; then -arch=i386 +if [ "$arch" == "i386" ]; then +arch=i686 fi hostarch=$arch @@ -418,6 +419,10 @@ do esac done +if [ "$arch" == "i386" ]; then +arch=i686 +fi + if [ ! -z "$clean" -a -z "$path" ]; then clean || exit 1 exit 0 -- 1.7.4.1 -- Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Data protection magic? Nope - It's vRanger. Get your free trial download today. http://p.sf.net/sfu/quest-sfdev2dev ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
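Review bot: the hunk at `@@ -397,8 +398,8` replaces the existing `i686 -> i386` normalisation with `i386 -> i686`, and the new block after option parsing repeats the same `i386 -> i686` mapping, so `$arch` (and `hostarch`) reach debootstrap as `i686`, which the commit message itself says debootstrap does not accept, while nothing produces `i386` any more. Keep the original normalisation for the debootstrap path and translate to `i686` only for the value written to `lxc.arch`.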
[Lxc-users] [PATCH 1/1] lxc-ubuntu template: add /dev/fuse to the whitelist
Signed-off-by: Serge Hallyn --- templates/lxc-ubuntu.in |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index e1a6a45..0b68e84 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -192,6 +192,8 @@ lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc lxc.cgroup.devices.allow = c 254:0 rwm +#fuse +lxc.cgroup.devices.allow = c 10:229 rwm EOF cat < $path/fstab -- 1.7.4.1 -- Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Data protection magic? Nope - It's vRanger. Get your free trial download today. http://p.sf.net/sfu/quest-sfdev2dev ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
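Review bot: the commit message is empty apart from the Signed-off-by; a change to the device whitelist deserves a sentence on why, since `lxc.cgroup.devices.allow = c 10:229 rwm` gives every container built from this template access to /dev/fuse, and with it the ability to mount FUSE filesystems. The comment `#fuse` should also follow the `# rtc` spacing of the neighbouring entries.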
[Lxc-users] [PATCH 2/2] templates: consolidate and extend ubuntu templates
Consolidate lucid, maverick, natty, and oneiric templates into one 'ubuntu' template. Add support for specifying architecture. Add support for '--trim|-x' option, which removes services like the lucid template used to. This creates smaller, faster-booting containers, but they will not be safe with certain upgrades, like mountall or udev. When -x is not specified for lucid or maverick container, then install lxcguest from the ubuntu-virt ppa, since it does not exist in the official archives, and the container is not safe to boot without lxcguest. Add support for '--bindhome ' option, which will cause /home/ to be bind-mounted into the container, and create the user with his original password, shell, and group memberships in the container. Signed-off-by: Serge Hallyn --- configure.ac |5 +- doc/lxc-create.sgml.in|2 +- templates/Makefile.am |5 +- templates/lxc-lucid.in| 361 -- templates/lxc-maverick.in | 284 --- templates/lxc-natty.in| 285 --- templates/lxc-oneiric.in | 285 --- templates/lxc-ubuntu.in | 473 + 8 files changed, 476 insertions(+), 1224 deletions(-) delete mode 100644 templates/lxc-lucid.in delete mode 100644 templates/lxc-maverick.in delete mode 100644 templates/lxc-natty.in delete mode 100644 templates/lxc-oneiric.in create mode 100644 templates/lxc-ubuntu.in diff --git a/configure.ac b/configure.ac index 0d4f4c0..5def411 100644 --- a/configure.ac +++ b/configure.ac @@ -139,10 +139,7 @@ AC_CONFIG_FILES([ templates/Makefile templates/lxc-lenny templates/lxc-debian - templates/lxc-lucid - templates/lxc-maverick - templates/lxc-natty - templates/lxc-oneiric + templates/lxc-ubuntu templates/lxc-busybox templates/lxc-fedora templates/lxc-sshd diff --git a/doc/lxc-create.sgml.in b/doc/lxc-create.sgml.in index de3ef4e..f3e8524 100644 --- a/doc/lxc-create.sgml.in +++ b/doc/lxc-create.sgml.in 
@@ -107,7 +107,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 'template' is the short name of an existing 'lxc-template' script that is called by lxc-create, - eg. busybox, debian, fedora, lucid, maverick, natty or sshd. + eg. busybox, debian, fedora, ubuntu or sshd. Refer to the examples in @LXCTEMPLATEDIR@ for details of the expected script structure. diff --git a/templates/Makefile.am b/templates/Makefile.am index cfdf8f9..619eae5 100644 --- a/templates/Makefile.am +++ b/templates/Makefile.am @@ -3,10 +3,7 @@ templatesdir=@LXCTEMPLATEDIR@ templates_SCRIPTS = \ lxc-debian \ lxc-lenny \ - lxc-lucid \ - lxc-maverick \ - lxc-natty \ - lxc-oneiric \ + lxc-ubuntu \ lxc-fedora \ lxc-busybox \ lxc-sshd diff --git a/templates/lxc-lucid.in b/templates/lxc-lucid.in deleted file mode 100644 index 88a4618..000 --- a/templates/lxc-lucid.in +++ /dev/null 
@@ -1,361 +0,0 @@ -#!/bin/bash - -# -# template script for generating ubuntu/lucid container for LXC -# -# This script is based on lxc-debian (Daniel Lezcano ) -# - -# Copyright © 2010 Wilhelm Meier -# Author: Wilhelm Meier -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2, as -# published by the Free Software Foundation. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# - -configure_ubuntu() -{ -rootfs=$1 -hostname=$2 - -# disable selinux in ubuntu -mkdir -p $rootfs/selinux -echo 0 > $rootfs/selinux/enforce - - # configure the network using the dhcp -cat < $rootfs/etc/network/interfaces -auto lo -iface lo inet loopback - -auto eth0 -iface eth0 inet dhcp -EOF - -# set the hostname -cat < $rootfs/etc/hostname -$hostname -EOF -# set minimal hosts -cat < $rootfs/etc/hosts -127.0.0.1 localhost $hostname -EOF - -# provide the lxc service -cat < $rootfs/etc/init/lxc.conf -# fake some events needed for correct startup other services - -description "Container Upstart" - -start on startup - -script -rm -rf /var/run/*.pid -rm -rf /var/run/network/* -/sbin/initctl emit stopped JOB=udevtrigger --no-wait -/sbin/initctl emit started JOB=udev --no-wait -end script -EOF - -# fix buggus runlevel with sshd -cat < $rootfs/
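Review bot: per the diffstat, doc/lxc-create.sgml.in changes by a single line (the template-name list), but the new `--trim|-x`, `--bindhome` and architecture options described in the commit message are documented nowhere in this patch; add them to the template's usage text or to the lxc-create page. For `--bindhome`, the documentation should also say that the user's password is carried into the container, since the commit message describes creating the user "with his original password".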
[Lxc-users] [PATCH 1/2] lxc-create: pass remaining args to templates
This way I can do lxc-create -t ubuntu -f /etc/lxc.conf -n u1 -- -x and have -x passed to the template Signed-off-by: Serge Hallyn --- src/lxc/lxc-create.in |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/lxc/lxc-create.in b/src/lxc/lxc-create.in index 16011ab..00e6b21 100644 --- a/src/lxc/lxc-create.in +++ b/src/lxc/lxc-create.in @@ -162,7 +162,7 @@ if [ ! -z $lxc_template ]; then read dummy fi -${templatedir}/lxc-$lxc_template --path=$lxc_path/$lxc_name --name=$lxc_name +${templatedir}/lxc-$lxc_template --path=$lxc_path/$lxc_name --name=$lxc_name $* if [ $? -ne 0 ]; then echo "failed to execute template '$lxc_template'" ${bindir}/lxc-destroy -n $lxc_name -- 1.7.4.1 -- Simplify data backup and recovery for your virtual environment with vRanger. Installation's a snap, and flexible recovery options mean your data is safe, secure and there when you need it. Data protection magic? Nope - It's vRanger. Get your free trial download today. http://p.sf.net/sfu/quest-sfdev2dev ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
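Review bot: `$*` unquoted re-splits every remaining argument on whitespace and re-globs it, so a template option value containing spaces or `*` is mangled before the template sees it; use `"$@"` to pass the remaining arguments exactly as lxc-create received them.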
[Lxc-users] [PATCH 1/1] Add lxc-clone script
Create an lxc-clone script to clone containers. It should probably be factored into helpers and then enhanced, in particular to convert between LVM and non-LVM containers, create non-snapshot LVM clones, support loopback devices, and, when stable enough, to use overlayfs, btrfs, etc. But this is a start. Signed-off-by: Serge Hallyn --- configure.ac |1 + lxc.spec.in |1 + src/lxc/Makefile.am |1 + src/lxc/lxc-clone.in | 208 ++ 4 files changed, 211 insertions(+), 0 deletions(-) create mode 100644 src/lxc/lxc-clone.in diff --git a/configure.ac b/configure.ac index 6cce1b4..0d4f4c0 100644 --- a/configure.ac +++ b/configure.ac @@ -157,6 +157,7 @@ AC_CONFIG_FILES([ src/lxc/lxc-setuid src/lxc/lxc-version src/lxc/lxc-create + src/lxc/lxc-clone src/lxc/lxc-destroy ]) diff --git a/lxc.spec.in b/lxc.spec.in index 452493d..f22cd06 100644 --- a/lxc.spec.in +++ b/lxc.spec.in @@ -78,6 +78,7 @@ rm -rf %{buildroot} %{_bindir}/* %attr(4111,root,root) %{_bindir}/lxc-attach %attr(4111,root,root) %{_bindir}/lxc-create +%attr(4111,root,root) %{_bindir}/lxc-clone %attr(4111,root,root) %{_bindir}/lxc-start %attr(4111,root,root) %{_bindir}/lxc-netstat %attr(4111,root,root) %{_bindir}/lxc-unshare diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 9def453..1dfca00 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -70,6 +70,7 @@ bin_SCRIPTS = \ lxc-setuid \ lxc-version \ lxc-create \ + lxc-clone \ lxc-destroy bin_PROGRAMS = \ diff --git a/src/lxc/lxc-clone.in b/src/lxc/lxc-clone.in new file mode 100644 index 000..91944a0 --- /dev/null +++ b/src/lxc/lxc-clone.in 
@@ -0,0 +1,208 @@ +#!/bin/bash + +# +# lxc: linux Container library + +# Authors: +# Serge Hallyn +# Daniel Lezcano + +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. + +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +usage() { +echo "usage: lxc-clone -o -n [-s] [-h] [-L fssize] [-v vgname]" +} + +help() { +usage +echo +echo "creates a lxc system object." +echo +echo "Options:" +echo "orig: name of the original container" +echo "new : name of the new container" +echo "-s : make the new rootfs a snapshot of the original" +echo "fssize : size if creating a new fs. By default, 2G" +echo "vgname : lvm volume group name, lxc by default" +} + +shortoptions='ho:n:sL:v:' +longoptions='help,orig:,name:,snapshot,fssize,vgname' +lxc_path=/var/lib/lxc +bindir=/usr/bin +snapshot=no +lxc_size=2G +lxc_vg=lxc + +getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@") +if [ $? 
!= 0 ]; then +usage +exit 1; +fi + +eval set -- "$getopt" + +while true; do +case "$1" in + -h|--help) + help + exit 1 + ;; + -s|--snapshot) + shift + snapshot=yes + ;; + -o|--orig) + shift + lxc_orig=$1 + shift + ;; + -L|--fssize) + shift + lxc_size=$1 + shift + ;; + -v|--vgname) + shift + lxc_vg=$1 + shift + ;; + -n|--new) + shift + lxc_new=$1 + shift + ;; +--) + shift + break;; +*) + echo $1 + usage + exit 1 + ;; +esac +done + +if [ -z "$lxc_path" ]; then +echo "no configuration path defined !" +exit 1 +fi + +if [ ! -r $lxc_path ]; then +echo "configuration path '$lxc_path' not found" +exit 1 +fi + +if [ -z "$lxc_orig" ]; then +echo "no original container name specified" +usage +exit 1 +fi + +if [ -z "$lxc_new" ]; then +echo "no new container name specified" +usage +exit 1 +fi + +if [ "$(id -u)" != "0" ]; then + echo "This command has to be run as root" + exit 1 +fi + +if [ ! -r $lxc_path ]; then +echo "no configuration path defined !" +exit 1 +fi + +if [ ! -d "$lxc_path/$lxc_orig" ]; then +echo "'$lxc_orig' does not exist" +exit 1 +fi + +if [ -d "$lx
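Review bot: the option table and the case statement disagree: `longoptions='help,orig:,name:,snapshot,fssize,vgname'` declares `fssize` and `vgname` without the trailing `:` that their short forms `L:` and `v:` carry, so `--fssize 2G` makes getopt fail, and it declares `name:` while the case arm handles `-n|--new`, so `--new` is never accepted and `--name` lands in the `*)` usage branch. Align them (`fssize:,vgname:` and one of `name`/`new` consistently) and, while here, drop the second `if [ ! -r $lxc_path ]` block, which repeats the first check with a different message.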
[Lxc-users] [PATCH] lxc-destroy: delete a rootfs if it is an lvm volume
If this is acceptable as is, then I'll try to get a simple lxc-clone out tomorrow (taking into account your comments from last time). Signed-off-by: Serge Hallyn --- src/lxc/lxc-destroy.in | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/src/lxc/lxc-destroy.in b/src/lxc/lxc-destroy.in index 565d89d..ddd3c3b 100644 --- a/src/lxc/lxc-destroy.in +++ b/src/lxc/lxc-destroy.in @@ -75,5 +75,15 @@ if [ ! -d "$lxc_path/$lxc_name" ]; then exit 1 fi +# Deduce the type of rootfs +# If LVM partition, destroy it. If anything else, ignore it. We'll support +# deletion of others later. +rootdev=`grep lxc.rootfs $lxc_path/$lxc_name/config | awk -F= '{ print $2 '}` +if [ -b $rootdev -o -h $rootdev ]; then + lvdisplay $rootdev > /dev/null 2>&1 + if [ $? -eq 0 ]; then + lvremove $rootdev + fi +fi # recursively remove the container to remove old container configuration rm -rf --preserve-root $lxc_path/$lxc_name -- 1.7.4.1 -- EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
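Review bot: the rootdev extraction `grep lxc.rootfs $lxc_path/$lxc_name/config | awk -F= '{ print $2 '}` has two weaknesses: the grep is unanchored, so a commented-out `# lxc.rootfs = ...` line (or any other key containing that string) is picked up, and the awk closing quote sits before the `}`, which only works because the unquoted brace is glued onto the same shell word. Use `grep '^lxc.rootfs' ... | awk -F= '{ print $2 }'` (note the value keeps a leading space that only the unquoted `$rootdev` expansion trims, so do not quote the test without also trimming). `lvremove $rootdev` without `-f` prompts for confirmation and will hang a scripted destroy; and when no `lxc.rootfs` line exists `$rootdev` is empty, so an explicit `[ -n "$rootdev" ]` guard in front of the `-b`/`-h` test is clearer than relying on how `test` parses `[ -b -o -h ]`.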
Re: [Lxc-users] lxc-clone
Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> > What do you think is the best way to do this? We could allow the user
> > to specify a 'firstboot' script, which gets copied into root directory
> > of the container. Maybe boot the container when it's done, run
> > /firstboot.sh, and shut down. Or just let that happen when the user
> > first boots. We could use a /etc/init.d/lxc-firstboot script, but
> > that will only work if the container's init system actually looks at
> > sysvinit scripts. Obviously sysvinit and upstart do, and I must
> > assume that systemd does. lxc-init I assume doesn't.
>
> Mmh, that looks a bit complicated for the user. I was thinking about
> something simpler like:
>
> grep -q "lxc.utsname" $lxc_path/$lxc_new/config
> if [ $? -eq 0 ]; then
> sed -i -e "s/^lxc.utsname.*/lxc.utsname = $hostname/" $lxc_path/$lxc_new/config
> else
> echo "lxc.utsname = $hostname" >> $lxc_path/$lxc_new/config
> fi
>
> and so for the rest of the configuration variables.

Ok, yeah, that'll be necessary and independent of the distro. But I do think a firstboot option will be useful both for -clone and -create. It can be totally optional so as not to confuse those who don't want it.

> I suspect the configuration tweaks will be more complicated than that..
>
> For example:
>
> lxc.network.veth.peer = veth1234
>
> should be removed or replaced by a random name.

Sigh, yeah.

> But we can improve the different configuration tweaks later.

Phew :)

> > Thanks for looking it over, Daniel. I'm using this heavily every day,
> > so am really keen on polishing it :)
>
> Thanks for this command, I think it is very useful.
>
> By the way, did the lxc.rootfs= work?

Yup!

Now, to do btrfs (I got sidetracked and won't be able to get to it this week probably), we will probably want to be able to specify a bind mount source. That way we can mount a btrfs somewhere like /opt/lxc. Otherwise IIRC the way btrfs works we won't be able to create a snapshot from /var/lib/lxc/natty/rootfs for /var/lib/lxc/n2/rootfs, because the snapshots are created as sibling directories. Can you think of a clean way to do that or add that to the current config format?

thanks,
-serge
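The config tweaks discussed in this exchange, as an added example that is not code from the thread or from lxc itself: it replaces or appends lxc.utsname and lxc.rootfs in a cloned config and gives a pinned lxc.network.veth.peer a random name, so two clones started together do not both request the original's host-side interface. The helper names and the sample config are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not lxc's own code: rewrite the per-container settings of a
# cloned config, as discussed in the thread. Assumes the "key = value" line
# format of lxc.conf; helper names are hypothetical.

# set_or_append CONFIG KEY VALUE: replace an existing "KEY = ..." line, or
# append one if the key is absent (the grep/sed/echo idea from the thread).
set_or_append() {
    config=$1; key=$2; value=$3
    if grep -q "^$key[[:space:]]*=" "$config"; then
        sed -i -e "s|^$key[[:space:]]*=.*|$key = $value|" "$config"
    else
        printf '%s = %s\n' "$key" "$value" >> "$config"
    fi
}

# get_value CONFIG KEY: print the value of KEY (empty output if absent).
get_value() {
    sed -n -e "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# random_ifname PREFIX: PREFIX plus 8 random hex digits (12 chars, within
# the kernel's 15-character interface name limit).
random_ifname() {
    printf '%s%s\n' "$1" "$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
}

# tweak_clone_config CONFIG LXC_PATH NEW_NAME: apply the per-clone settings.
tweak_clone_config() {
    config=$1; lxc_path=$2; new=$3
    set_or_append "$config" lxc.utsname "$new"
    set_or_append "$config" lxc.rootfs "$lxc_path/$new/rootfs"
    # only touch the peer name if the original config pinned one
    if [ -n "$(get_value "$config" lxc.network.veth.peer)" ]; then
        set_or_append "$config" lxc.network.veth.peer "$(random_ifname veth)"
    fi
}

# Constructed sample: the config of a container "natty" being cloned to "n1".
demo_dir=$(mktemp -d)
demo_config="$demo_dir/config"
cat > "$demo_config" <<'EOF'
lxc.utsname = natty
lxc.tty = 4
lxc.network.type = veth
lxc.network.veth.peer = veth1234
lxc.rootfs = /var/lib/lxc/natty/rootfs
EOF
tweak_clone_config "$demo_config" /var/lib/lxc n1
cat "$demo_config"
```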
Re: [Lxc-users] lxc-fstab vs /etc/fstab vs /lib/init/fstab
Quoting Trent W. Buck (t...@cyber.com.au):
> Serge Hallyn writes:
>
> > Next, upstart's mountall consults /lib/init/fstab. That's the one
> > which will usually prevent container startup from proceeding. The
> > lxcguest package for ubuntu will force upstart to mount an empty
> > version of that file before mountall runs. So if you install lxcguest
> > then mountall can safely run, which makes your container safer against
> > package updates.
>
> Interesting approach. IIRC I just
>
> dpkg-divert --rename /lib/init/fstab
> :> /lib/init/fstab

Yeah that can be a good trick. That doesn't meet my goal, though, of having a single disk image able to boot both as container and kvm host (and physical host). Which is particularly useful when dealing with something like openstack, where Chuck now has a single image which is used to fire off both kvm based and libvirt-lxc based images.

thanks,
-serge
Re: [Lxc-users] fedora template
Quoting Justin Cormack (jus...@specialbusservice.com):
> On Wed, 2011-03-30 at 10:32 -0500, Serge E. Hallyn wrote:
> > Quoting Justin Cormack (jus...@specialbusservice.com):
> > > This one didn't work...
> > >
> > > lxc.utsname = vm1
> > > lxc.tty = 4
> > > lxc.network.type = veth
> > > lxc.network.flags = up
> > > lxc.network.link = virbr0
> > > lxc.network.hwaddr = 08:00:27:83:C4:82
> > > lxc.network.ipv4 = 192.168.122.2
> > > lxc.network.name = eth0
> > > lxc.mount = /usr/lib/lxc/vm1/fstab
> > > lxc.rootfs = /usr/lib/lxc/vm1/rootfs
> >
> > Odd. Did you start this as root?
>
> Yes, just retested and behaving the same. If I get lxc-start to
> run /bin/bash instead of init (and then mount proc manually) it has
> brought up eth0 in the container on the right IP, and I can ping the
> other end, which suggests that it has got network namespaces. And
> netstat does not list anything. Which is rather confusing as it suggests
> everything is as expected.

And exactly what distro/release/version are the container and host?
[Lxc-users] lxc-clone
I've replaced most of my previous use of kvm and cloud instances for bug investigations with lxc instances. To emulate my older workflows, I've created lxc-clone. My diff against the current natty lxc package is attached. I've written up how I use this at s3hh.wordpress.com.

Briefly, I have a single pristine container, with LVM rootfs, for each of lucid, maverick, and natty. When I want a container, I

lxc-clone -o natty -n n1 -s
lxc-start -n n1

which takes about 5 seconds altogether. Ruin n1 however I like, and

lxc-destroy -l -n n1

when done.

It needs fleshing out, but it's at the point where it does exactly what I need. The next thing I'm likely to add will be btrfs snapshotting, not sure when.

Daniel, is this something you'd consider adding? I assume that if so, then there are changes you'd like to make to the interface :)

thanks,
-serge

=== modified file 'configure'
--- configure 2011-03-10 07:25:34 +
+++ configure 2011-03-30 15:36:58 +
@@ -5057,7 +5057,7 @@ CFLAGS="$CFLAGS -Wall" fi -ac_config_files="$ac_config_files Makefile lxc.pc lxc.spec config/Makefile doc/Makefile doc/lxc-create.sgml doc/lxc-destroy.sgml doc/lxc-execute.sgml doc/lxc-start.sgml doc/lxc-checkpoint.sgml doc/lxc-restart.sgml doc/lxc-stop.sgml doc/lxc-console.sgml doc/lxc-freeze.sgml doc/lxc-unfreeze.sgml doc/lxc-monitor.sgml doc/lxc-wait.sgml doc/lxc-ls.sgml doc/lxc-ps.sgml doc/lxc-cgroup.sgml doc/lxc-kill.sgml doc/lxc.conf.sgml doc/lxc.sgml doc/common_options.sgml doc/see_also.sgml doc/rootfs/Makefile doc/examples/Makefile doc/examples/lxc-macvlan.conf doc/examples/lxc-vlan.conf doc/examples/lxc-no-netns.conf doc/examples/lxc-empty-netns.conf doc/examples/lxc-phys.conf doc/examples/lxc-veth.conf doc/examples/lxc-complex.conf templates/Makefile templates/lxc-lenny templates/lxc-debian templates/lxc-lucid templates/lxc-maverick templates/lxc-natty templates/lxc-busybox templates/lxc-fedora templates/lxc-sshd src/Makefile src/lxc/Makefile src/lxc/lxc-ps src/lxc/lxc-ls src/lxc/lxc-netstat src/lxc/lxc-checkconfig src/lxc/lxc-setcap src/lxc/lxc-setuid src/lxc/lxc-version src/lxc/lxc-create src/lxc/lxc-destroy" +ac_config_files="$ac_config_files Makefile lxc.pc lxc.spec config/Makefile doc/Makefile doc/lxc-create.sgml doc/lxc-destroy.sgml doc/lxc-execute.sgml doc/lxc-start.sgml doc/lxc-checkpoint.sgml doc/lxc-restart.sgml doc/lxc-stop.sgml doc/lxc-console.sgml doc/lxc-freeze.sgml doc/lxc-unfreeze.sgml doc/lxc-monitor.sgml doc/lxc-wait.sgml doc/lxc-ls.sgml doc/lxc-ps.sgml doc/lxc-cgroup.sgml doc/lxc-kill.sgml doc/lxc.conf.sgml doc/lxc.sgml doc/common_options.sgml doc/see_also.sgml doc/rootfs/Makefile doc/examples/Makefile doc/examples/lxc-macvlan.conf doc/examples/lxc-vlan.conf doc/examples/lxc-no-netns.conf doc/examples/lxc-empty-netns.conf doc/examples/lxc-phys.conf doc/examples/lxc-veth.conf doc/examples/lxc-complex.conf templates/Makefile templates/lxc-lenny templates/lxc-debian templates/lxc-lucid templates/lxc-maverick 
templates/lxc-natty templates/lxc-busybox templates/lxc-fedora templates/lxc-sshd src/Makefile src/lxc/Makefile src/lxc/lxc-ps src/lxc/lxc-ls src/lxc/lxc-netstat src/lxc/lxc-checkconfig src/lxc/lxc-setcap src/lxc/lxc-setuid src/lxc/lxc-version src/lxc/lxc-create src/lxc/lxc-clone src/lxc/lxc-destroy" ac_config_commands="$ac_config_commands default" @@ -5842,6 +5842,7 @@ "src/lxc/lxc-setuid") CONFIG_FILES="$CONFIG_FILES src/lxc/lxc-setuid" ;; "src/lxc/lxc-version") CONFIG_FILES="$CONFIG_FILES src/lxc/lxc-version" ;; "src/lxc/lxc-create") CONFIG_FILES="$CONFIG_FILES src/lxc/lxc-create" ;; +"src/lxc/lxc-clone") CONFIG_FILES="$CONFIG_FILES src/lxc/lxc-clone" ;; "src/lxc/lxc-destroy") CONFIG_FILES="$CONFIG_FILES src/lxc/lxc-destroy" ;; "default") CONFIG_COMMANDS="$CONFIG_COMMANDS default" ;; === modified file 'configure.ac' --- configure.ac2011-03-10 07:25:34 + +++ configure.ac2011-03-30 15:36:58 + @@ -156,6 +156,7 @@ src/lxc/lxc-setuid src/lxc/lxc-version src/lxc/lxc-create + src/lxc/lxc-clone src/lxc/lxc-destroy ]) === modified file 'lxc.spec' --- lxc.spec2011-03-10 07:25:34 + +++ lxc.spec2011-03-30 15:36:58 + @@ -78,6 +78,7 @@ %{_bindir}/* %attr(4111,root,root) %{_bindir}/lxc-attach %attr(4111,root,root) %{_bindir}/lxc-create +%attr(4111,root,root) %{_bindir}/lxc-clone %attr(4111,root,root) %{_bindir}/lxc-start %attr(4111,root,root) %{_bindir}/lxc-netstat %attr(4111,root,root) %{_bindir}/lxc-unshare === modified file 'src/lxc/Makefile.am' --- src/lxc/Makefile.am 2011-03-10 07:25:34 + +++ src/lxc/Makefile.am 2011-03-30 15:36:58 + @@ -72,6 +72,7 @@ lxc-setuid \ lxc-version \ lxc-create \ + lxc-clone \ lxc-destroy bin_PROGRAMS = \ === modified file 'src/lxc/Makefile.in' --- src/lxc/Makefile.in 2011-03-10 07:25:34 + +++ src/lxc/Makefile.in 2011-03-30 15:36:58 +0
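Review bot: the hunks against the generated `configure` (`@@ -5057,7` and `@@ -5842,6`) and against `src/lxc/Makefile.in` only restate what the one-line `configure.ac` and `src/lxc/Makefile.am` hunks already say; committing regenerated autotools output makes the patch large and conflict-prone, so send the `configure.ac`, `Makefile.am` and `lxc.spec` changes only and let autoreconf regenerate the rest. In `lxc.spec`, `%attr(4111,root,root) %{_bindir}/lxc-clone` copies the setuid mode of the neighbouring `lxc-create` entry; lxc-clone is a `#!/bin/bash` script, on which the kernel ignores the setuid bit, and the script itself refuses to run unless `id -u` is 0, so the mode is inert but misleading and a plain `%attr(0755,root,root)` (or a comment on why 4111 is kept) would be clearer.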
Re: [Lxc-users] fedora template
Quoting Justin Cormack (jus...@specialbusservice.com):
> > > How do I make sure my container does have a private network namespace?
> > > Network namespaces are enabled on my system, but I can't find the
> > > documentation anywhere about how to turn this on when I create a
> > > container (only the clone flags documentation...)
> > >
> > > Sorry to be dumb about this
> >
> > Not dumb, I'm not sure either - I suspect you just have to define a
> > lxc.network.type in your config file. Can you send us the config
> > file for the container that didn't work?
> >
> > -serge
>
> This one didn't work...
>
> lxc.utsname = vm1
> lxc.tty = 4
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = virbr0
> lxc.network.hwaddr = 08:00:27:83:C4:82
> lxc.network.ipv4 = 192.168.122.2
> lxc.network.name = eth0
> lxc.mount = /usr/lib/lxc/vm1/fstab
> lxc.rootfs = /usr/lib/lxc/vm1/rootfs

Odd. Did you start this as root?
Re: [Lxc-users] fedora template
Quoting Justin Cormack (jus...@specialbusservice.com):
> On Wed, 2011-03-30 at 08:20 -0500, Serge E. Hallyn wrote:
> > Quoting Justin Cormack (jus...@specialbusservice.com):
> > > On Tue, 2011-03-29 at 18:19 -0500, Serge E. Hallyn wrote:
> > >
> > > > As for trouble with init - is your fedora using systemd? How does it
> > > > actually start runlevel changes? Upstart uses dbus over abstract unix
> > > > socket (which is containerized with netns), sysvinit uses ioctl over
> > > > /dev/init which is a distinct file from the one in the container...
> > > > Does systemd do something we're not containerizing right now?
> > >
> > > When I tried Ubuntu on Ubuntu (using upstart), the abstract socket was
> > > not containerized, and it was changing runlevels on the host, which was
> > > a complete pain. How do I make sure that it is? Is it an lxc version
> > > issue (I was using the lxc that ships with Ubuntu 10.10, 0.7.2)?
> >
> > No, you must have created a container without private network namespace.
> > Since upstart uses an abstract unix domain socket, you can only keep
> > root in a container from being able to reboot by either (1) starting
> > the container as a user who is not root and having a private user
> > namespace (which is not currently recommended since userns is going
> > through churn), or (2) having a private network namespace.
>
> How do I make sure my container does have a private network namespace?
> Network namespaces are enabled on my system, but I can't find the
> documentation anywhere about how to turn this on when I create a
> container (only the clone flags documentation...)
>
> Sorry to be dumb about this

Not dumb, I'm not sure either - I suspect you just have to define a lxc.network.type in your config file. Can you send us the config file for the container that didn't work?

-serge
Re: [Lxc-users] fedora template
Quoting Justin Cormack (jus...@specialbusservice.com):
> On Tue, 2011-03-29 at 18:19 -0500, Serge E. Hallyn wrote:
>
> > As for trouble with init - is your fedora using systemd? How does it
> > actually start runlevel changes? Upstart uses dbus over abstract unix
> > socket (which is containerized with netns), sysvinit uses ioctl over
> > /dev/init which is a distinct file from the one in the container...
> > Does systemd do something we're not containerizing right now?
>
> When I tried Ubuntu on Ubuntu (using upstart), the abstract socket was
> not containerized, and it was changing runlevels on the host, which was
> a complete pain. How do I make sure that it is? Is it an lxc version
> issue (I was using the lxc that ships with Ubuntu 10.10, 0.7.2)?

No, you must have created a container without private network namespace. Since upstart uses an abstract unix domain socket, you can only keep root in a container from being able to reboot by either (1) starting the container as a user who is not root and having a private user namespace (which is not currently recommended since userns is going through churn), or (2) having a private network namespace.

-serge
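Two checks for the failure mode described in this message, as an added example that is not lxc code or part of the thread: a config lint that flags a container declaring no lxc.network.type (which, with lxc of this era, means no private netns and therefore a reachable host upstart socket), and a runtime comparison of two processes' /proc/PID/ns/net links (kernel 3.0 and later). The function names and sample configs are constructed; the assumption that a declared network is what triggers a private netns follows Serge's reply in the thread.

```shell
#!/bin/sh
# Added example, not lxc's own code. Assumption (per the thread and lxc 0.7
# behaviour): a container only gets its own network namespace when its
# config declares at least one lxc.network.type. Function names are
# hypothetical.

# config_has_private_netns CONFIG: succeeds when the config declares a
# network section (comment lines are ignored), fails otherwise.
config_has_private_netns() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -q '^[[:space:]]*lxc.network.type[[:space:]]*='
}

# lint_config CONFIG: one-line verdict; return 1 on the risky configuration.
lint_config() {
    if config_has_private_netns "$1"; then
        echo "ok: $1 declares a network, the container gets its own netns"
        return 0
    fi
    echo "warn: $1 has no lxc.network.type; its init would share the host netns"
    return 1
}

# netns_of PID: identity of a running process's network namespace, read from
# the /proc/PID/ns/net symlink (present on kernels 3.0 and later).
netns_of() {
    readlink "/proc/$1/ns/net"
}

# same_netns PID1 PID2: 0 if both processes share one netns, 1 if not,
# 2 if the kernel does not expose the namespace links.
same_netns() {
    [ -r "/proc/$1/ns/net" ] && [ -r "/proc/$2/ns/net" ] || return 2
    [ "$(netns_of "$1")" = "$(netns_of "$2")" ]
}

# Constructed samples: the shape of Justin's config versus one with no network.
demo_dir=$(mktemp -d)
cat > "$demo_dir/with-net" <<'EOF'
lxc.utsname = vm1
lxc.tty = 4
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = virbr0
lxc.rootfs = /usr/lib/lxc/vm1/rootfs
EOF
cat > "$demo_dir/no-net" <<'EOF'
lxc.utsname = vm2
lxc.tty = 4
# lxc.network.type = veth   (commented out, so it must not count)
lxc.rootfs = /usr/lib/lxc/vm2/rootfs
EOF
lint_config "$demo_dir/with-net" || true
lint_config "$demo_dir/no-net" || true
```

On a live host, `same_netns 1 <container-init-pid>` returning 0 is the condition the thread is warning about.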
Re: [Lxc-users] fedora template
Quoting Ramez Hanna (rha...@informatiq.org):
> I have been working on a fedora template that actually works
> febootstrap is not anymore producing fedora rootfs but rather a minimal

Really, febootstrap can't be used to create a rootfs at all any more?

> fedora appliance
> my solution works by using yum instead, but I am facing a really weird
> situation
> whenever i start my fedora container, it would actually try to change the
> init level of the host
> host is f14 and container is f14
> could anyone shed some light on how the container is actually being
> isolated, so i can start from there
> or how can i debug?
> script used to create the container attached, it is based on the current
> template with a few modifications here and there

Note that for me to use this template on ubuntu, I have to specify '-R 14', but lxc-create doesn't allow me to forward that option. So I have to first create the config file and then run fedora2 by hand. After that, for some reason I still have no actual rootfs :(.

As for trouble with init - is your fedora using systemd? How does it actually start runlevel changes? Upstart uses dbus over abstract unix socket (which is containerized with netns), sysvinit uses ioctl over /dev/init which is a distinct file from the one in the container... Does systemd do something we're not containerizing right now?

I'd love to get a working fedora template.

thanks,
-serge
Re: [Lxc-users] Lxc-attach status update?
Quoting Goran Cetusic (goran.cetu...@gmail.com):
> I'm running hundreds of nodes executing commands at startup. Not really
> suitable.

I don't understand what you mean by that. Does it just mean you don't have time to port the kernel patch and send it to lkml?

The answer to your other email, asking when it will be upstream, depends mostly on when someone will need it badly enough that they write it and push it :)

-serge
Re: [Lxc-users] Lxc-attach status update?
Quoting Goran Cetusic (goran.cetu...@gmail.com):
> I'm trying to replace FreeBSD with Linux on a project. For that I need to
> replace the BSD jails with Linux containers and a vital component is
> jexec/lxc-attach.
> The patch for 2.6.35.8 is working great but there is a bug in that kernel
> preventing me from doing ANYTHING

I think Daniel was saying the kernel patch needs some porting to the latest kernel. Goran, would you be able to produce a patch for the latest kernel and send it to lkml for review? This seems to be a popular feature to get upstream (though I personally don't much care about it :), so I think you'll have the thanks of many if you do.

thanks,
-serge
Re: [Lxc-users] Bind9/named does not work with Debian Lenny
Quoting Christoph Mitasch (cmita...@thomas-krenn.com):
> Hi,
>
> I just resolved it, it was related to Apparmor on the host.
>
> The host has a rule regarding bind (/etc/apparmor.d/usr.sbin.named), but
> bind has changed the pid file from Lenny (/var/run/bind/run/named.pid)
> to Squeeze (/var/run/named/named.pid). So the Apparmor rule worked for
> the Squeeze guest but not for Lenny.
>
> Are there any recommendations regarding Apparmor on the host?
> Is it best to disable it when running different Linux Distros on one host?

Interesting question. Can we have lxc-start enter a different namespace of domains? At first, by default, it can just be either fully permissive. Then we can think about sane rules to add to lock down the container, and maybe even add other container-specific domains to the namespace?

(CC:d some apparmor folks who might be helpful)

> Regards,
> Christoph
>
> On 03/23/2011 03:38 PM, Christoph Mitasch wrote:
> > Hi,
> >
> > I recently tried to run the bind9 package inside a Debian Lenny
> > container. It fails to start with the following message in /var/log/syslog:
> > Mar 23 14:28:37 blub named[831]: couldn't open pid file
> > '/var/run/bind/run/named.pid': Permission denied
> > Mar 23 14:28:37 blub named[831]: exiting (due to early fatal error)
> >
> > I've created the container with the help of the lxc-lenny template script.
> >
> > When creating a Debian Squeeze container with lxc-debian, bind9 works
> > out of box as expected.
> >
> > Any ideas what could be the problem here?
> >
> > Thank you,
> > Christoph
[Lxc-users] scripts to simplify application checkpoint/restart testing
Let me first off admit that I have not gotten checkpoint/restart to work with the ckpt-v23-rc1-pids tree. But hopefully this will help make it easier to debug that.

Ideally (and eventually), the lxc toolsuite will be used for checkpoint/restart. However, c/r is too inflexible and lxc too flexible, so for now I've just coded some scripts to create little containers.

The start_job.sh script takes two arguments, a name for the job, and the program to run. It creates a container with private netns, running an ssh server and running your job in a screen session. You can checkpoint it with checkpoint.sh, and restart it with restart.sh. kill_job.sh kills the job and cleans up the cgroup and other state.

You can get this from https://launchpad.net/~appcr/+archive/ppa, or just put the attached scripts into /usr/bin. They assume nsexec, appcheckpoint, and apprestart exist (yes, bc 'restart' is hijacked by upstart :( ).

The next time I can spend some time on c/r, I'll be using these scripts to try and figure out why the kernel isn't treating me right. I may go back to the rc1 (not '-pids') version.

-serge

PS - I did start on creating a 'lxc-cr'-like container template to create checkpointable containers with lxc, but never quite got that to work. Perfecting that seemed inappropriate when sys_checkpoint isn't working anyway.

Attachments (Bourne shell scripts): checkpoint.sh, jobinit.sh, kill_job.sh, restart_real.sh, restart.sh, start_job.sh