Fajar A. Nugraha
2015-08-10 10:13:30 UTC
As a follow up to
https://lists.linuxcontainers.org/pipermail/lxc-users/2015-March/008658.html
, I've tested similar setup but with systemd-224. My build is
available on https://goo.gl/XpKFxS
Tested and works:
- container start & stop
- lxc-console
- lxc-attach
- login via ssh
What DOESN'T work:
- systemd-journald. This means (among others) you won't have any
additional output from "systemctl status"
Improvement from before: no more crash on unprivileged container poweroff
Host:
- ubuntu vivid with wily's 4.1.0-3-generic kernel (I didn't test
vivid's kernel, but should work as well)
- lxc 1.1.2-0ubuntu5~ubuntu15 and lxcfs
0.9-0ubuntu1~ubuntu15.04.1~ppa1 from ppa:ubuntu-lxc/lxc-stable
Container:
- unprivileged centos 7 container, with custom systemd and related packages
Howto:
Note that lines starting with "$" is executed as normal user on the
host, while lines starting with "[***@c7-test" is executed inside the
container.
(1) As a normal, non-root user, setup unprivileged container (see
https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv for
prequisites, including making sure you have subuid/subgid assigned,
editing /etc/lxc/lxc-usernet, and editing ~/.config/lxc/default.conf).
I name the container "c7-test"
$ id -u
1000
$ lxc-create -n c7-test -t download -- -d centos -r 7 -a amd64
(2) Edit its config
$ vi ~/.local/share/lxc/c7-test/config
Replace
lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/centos.userns.conf
... with
lxc.include = /usr/share/lxc/config/fedora.common.conf
lxc.include = /usr/share/lxc/config/fedora.userns.conf
(3) Install "tar" on the container. We need this to transfer files to
the container without having to worry about permission
3.a) start the container directly using bash as init (do NOT use
normal container startup method as this point as centos bundled
systemd doesn't work)
$ lxc-execute -n c7-test -- bash --login
3.b) start networking on the container. You should already have dhcp
working if you use the default bridge (lxcbr0). Verify you get a
working address (it should be printed since you use "-v")
[***@c7-test /]# dhclient -v eth0
3.c) install tar
[***@c7-test /]# yum -y install tar
4) set container root password
[***@c7-test /]# passwd
5) On another terminal window, download the RPMS from the two
directories inside "RPMS-install", put it on a directory on the host
(I put it on "RPMS" directory)
6) Copy the RPMS directory to the container (I copy it to "/" inside
the container)
$ tar cf - RPMS | lxc-attach -n c7-test -- bash -c "cd / && tar xvf -"
7) Back to the first terminal (the container), install the RPMS with
yum (so that all dependencies from centos repo will be automatically
installed as well)
[***@c7-test /]# yum -y install /RPMS/*.rpm
8) Disable systemd-journald service, and enable poweroff from the host
[***@c7-test /]# ln -s /dev/null /etc/systemd/system/systemd-journald.service
[***@c7-test /]# ln -s /usr/lib/systemd/system/poweroff.target
/etc/systemd/system/sigpwr.target
9) Kill dhclient, and then exit
[***@c7-test /]# pkill dhclient
[***@c7-test /]# exit
10) Start the container in foreground so you can see its boot process.
Note that you will see "FAILED" lines, just ignore it.
$ lxc-start -F -n c7-test
systemd 224 running in system mode. (+PAM +AUDIT +SELINUX +IMA
-APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL
+XZ -LZ4 +SECCOMP -BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!
...
systemd-journald-audit.socket: Socket service systemd-journald.service
not loaded, refusing.
[FAILED] Failed to listen on Journal Audit Socket.
...
Failed to reset devices.list on
/user.slice/user-1000.slice/session-c2.scope/lxc/c7-test/system.slice/systemd-update-utmp-runlevel.service:
Permission denied
Starting Update UTMP about System Runlevel Changes...
[ OK ] Reached target Network is Online.
Startup finished in 5.296s.
CentOS Linux 7 (Core)
Kernel 4.1.0-3-generic on an x86_64
c7-test login:
11) Login as root with password set on step (4)
12) Install ssh server
[***@c7-test ~]# yum -y install openssh-server
13) Start ssh server. You will see lots of "Failed" lines, just ignore
it. Also note the container's IP address.
[***@c7-test ~]# systemctl status sshd
[***@c7-test ~]# systemctl start sshd
[***@c7-test ~]# systemctl status sshd
[***@c7-test ~]# ip ad li eth0
14) From the host, ssh to the container, do some tests, then logout
15) Back to the container terminal window, power it down
[***@c7-test ~]# poweroff
[ OK ] Stopped Session c1 of user root.
Stopping User Manager for UID 0...
...
[ OK ] Reached target Shutdown.
dev-null.mount: Mount process exited, code=exited status=32
Failed to reset devices.list on
/user.slice/user-1000.slice/session-c2.scope/lxc/c7-test/system.slice/systemd-poweroff.service:
Permission denied
sys-devices-virtual-net.mount: Mount process exited, code=exited status=32
sys-devices-virtual-net.mount: Unit entered failed state.
Shutting down.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
Powering off.
16) After you verify that everything is working, you can now
start/stop the container again in the background
$ lxc-start -n c7-test
$ lxc-ls -f --running
NAME STATE IPV4 IPV6 GROUPS AUTOSTART
----------------------------------------------------------
c7-test RUNNING A.B.C.D - - NO
$ lxc-stop -n c7-test
https://lists.linuxcontainers.org/pipermail/lxc-users/2015-March/008658.html
, I've tested similar setup but with systemd-224. My build is
available on https://goo.gl/XpKFxS
Tested and works:
- container start & stop
- lxc-console
- lxc-attach
- login via ssh
What DOESN'T work:
- systemd-journald. This means (among others) you won't have any
additional output from "systemctl status"
Improvement from before: no more crash on unprivileged container poweroff
Host:
- ubuntu vivid with wily's 4.1.0-3-generic kernel (I didn't test
vivid's kernel, but should work as well)
- lxc 1.1.2-0ubuntu5~ubuntu15 and lxcfs
0.9-0ubuntu1~ubuntu15.04.1~ppa1 from ppa:ubuntu-lxc/lxc-stable
Container:
- unprivileged centos 7 container, with custom systemd and related packages
Howto:
Note that lines starting with "$" is executed as normal user on the
host, while lines starting with "[***@c7-test" is executed inside the
container.
(1) As a normal, non-root user, setup unprivileged container (see
https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-unpriv for
prequisites, including making sure you have subuid/subgid assigned,
editing /etc/lxc/lxc-usernet, and editing ~/.config/lxc/default.conf).
I name the container "c7-test"
$ id -u
1000
$ lxc-create -n c7-test -t download -- -d centos -r 7 -a amd64
(2) Edit its config
$ vi ~/.local/share/lxc/c7-test/config
Replace
lxc.include = /usr/share/lxc/config/centos.common.conf
lxc.include = /usr/share/lxc/config/centos.userns.conf
... with
lxc.include = /usr/share/lxc/config/fedora.common.conf
lxc.include = /usr/share/lxc/config/fedora.userns.conf
(3) Install "tar" on the container. We need this to transfer files to
the container without having to worry about permission
3.a) start the container directly using bash as init (do NOT use
normal container startup method as this point as centos bundled
systemd doesn't work)
$ lxc-execute -n c7-test -- bash --login
3.b) start networking on the container. You should already have dhcp
working if you use the default bridge (lxcbr0). Verify you get a
working address (it should be printed since you use "-v")
[***@c7-test /]# dhclient -v eth0
3.c) install tar
[***@c7-test /]# yum -y install tar
4) set container root password
[***@c7-test /]# passwd
5) On another terminal window, download the RPMS from the two
directories inside "RPMS-install", put it on a directory on the host
(I put it on "RPMS" directory)
6) Copy the RPMS directory to the container (I copy it to "/" inside
the container)
$ tar cf - RPMS | lxc-attach -n c7-test -- bash -c "cd / && tar xvf -"
7) Back to the first terminal (the container), install the RPMS with
yum (so that all dependencies from centos repo will be automatically
installed as well)
[***@c7-test /]# yum -y install /RPMS/*.rpm
8) Disable systemd-journald service, and enable poweroff from the host
[***@c7-test /]# ln -s /dev/null /etc/systemd/system/systemd-journald.service
[***@c7-test /]# ln -s /usr/lib/systemd/system/poweroff.target
/etc/systemd/system/sigpwr.target
9) Kill dhclient, and then exit
[***@c7-test /]# pkill dhclient
[***@c7-test /]# exit
10) Start the container in foreground so you can see its boot process.
Note that you will see "FAILED" lines, just ignore it.
$ lxc-start -F -n c7-test
systemd 224 running in system mode. (+PAM +AUDIT +SELINUX +IMA
-APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL
+XZ -LZ4 +SECCOMP -BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to CentOS Linux 7 (Core)!
...
systemd-journald-audit.socket: Socket service systemd-journald.service
not loaded, refusing.
[FAILED] Failed to listen on Journal Audit Socket.
...
Failed to reset devices.list on
/user.slice/user-1000.slice/session-c2.scope/lxc/c7-test/system.slice/systemd-update-utmp-runlevel.service:
Permission denied
Starting Update UTMP about System Runlevel Changes...
[ OK ] Reached target Network is Online.
Startup finished in 5.296s.
CentOS Linux 7 (Core)
Kernel 4.1.0-3-generic on an x86_64
c7-test login:
11) Login as root with password set on step (4)
12) Install ssh server
[***@c7-test ~]# yum -y install openssh-server
13) Start ssh server. You will see lots of "Failed" lines, just ignore
it. Also note the container's IP address.
[***@c7-test ~]# systemctl status sshd
[***@c7-test ~]# systemctl start sshd
[***@c7-test ~]# systemctl status sshd
[***@c7-test ~]# ip ad li eth0
14) From the host, ssh to the container, do some tests, then logout
15) Back to the container terminal window, power it down
[***@c7-test ~]# poweroff
[ OK ] Stopped Session c1 of user root.
Stopping User Manager for UID 0...
...
[ OK ] Reached target Shutdown.
dev-null.mount: Mount process exited, code=exited status=32
Failed to reset devices.list on
/user.slice/user-1000.slice/session-c2.scope/lxc/c7-test/system.slice/systemd-poweroff.service:
Permission denied
sys-devices-virtual-net.mount: Mount process exited, code=exited status=32
sys-devices-virtual-net.mount: Unit entered failed state.
Shutting down.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
Powering off.
16) After you verify that everything is working, you can now
start/stop the container again in the background
$ lxc-start -n c7-test
$ lxc-ls -f --running
NAME STATE IPV4 IPV6 GROUPS AUTOSTART
----------------------------------------------------------
c7-test RUNNING A.B.C.D - - NO
$ lxc-stop -n c7-test
--
Fajar
Fajar