Discussion:
f16 update
Ramez Hanna
2012-03-02 08:01:05 UTC
hi,

here is how I got f16 to work:
* use the shipped fedora template to create the container
* chroot into the container rootfs
* touch /etc/fstab
* ln -s /dev/null /etc/systemd/system/udev.service
* unlink /etc/systemd/system/default.target
* ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
if you want to set up a getty:
* ln -s /lib/systemd/system/getty@.service /etc/systemd/system/getty.target.wants/getty@tty1.service
* exit the chroot

if you had installed sshd in the rootfs then ssh is ready, you can just ssh in

the problem I am facing right now is that I am unable to stop systemd
from mounting /dev,
which makes it impossible to access the lxc-console because the
container is using tty* from the host and not the ones created by lxc.
which also means that if you pick a higher tty (above the ones used by
your host and allow it in the cgroup conf) then you can access your
container's tty using the ctrl-alt-Fx keys

anyone who wants to contribute or comment, please do
I will start working on the template now and soon send patches
--
BR
RH
http://informatiq.org
Serge Hallyn
2012-03-02 14:21:44 UTC
I've looked at that. It does it, unconditionally, during early startup
while setting up selinux. There is no way you can ask systemd not to
do it.

I actually had an item in my todo list to ask you if you wanted to
write a patch to fix that (preferably allowing a systemd.nodevmount
or somesuch argument) and send it to the systemd list.

Fortunately it doesn't check the return value, so until that patch gets
written and sent to systemd, my plan is to have apparmor refuse the
container's permission to mount /dev and /dev/pts. I should be able to
test that in the next few days.

-serge
Ramez Hanna
2012-03-02 19:24:00 UTC
what if the /dev is mounted in lxc.mount as a bind mount, won't that
deny systemd from mounting it!
--
BR
RH
http://informatiq.org
Serge Hallyn
2012-03-02 19:38:57 UTC
Hmm, what you literally said isn't true (it won't *deny* systemd
from mounting it if it wanted to), but what I think you meant, to
my surprise, is true :)

src/mount-setup.c:mount_one() won't mount a filesystem if its
stat.st_dev != its parent dir's stat.st_dev. So yeah, mounting it from
lxc.mount should prevent that from happening. Excellent! That was the
only thing keeping me from pushing an updated fedora template that works
for f16. Your list however looks a lot shorter than mine, so better I
wait and try out yours.

Looking forward to testing your new template!

thanks,
-serge
Ramez Hanna
2012-03-03 20:35:09 UTC
I tried to do the following:
in /var/lib/lxc/$container/fstab I added a line
/var/lib/lxc/$container/ddd /var/lib/lxc/$container/rootfs/dev ext4 defaults,bind 0 0
where ddd is a dir that has the needed /dev files (pts/, tty*, null, etc...)
started the container; /dev is still mounted as devtmpfs

did I do it wrong?
--
BR
RH
http://informatiq.org
Serge Hallyn
2012-03-04 04:38:09 UTC
Yes I think so.

Remember the check done by systemd is whether the dir is on the same device
as its parent dir. It sounds like you have them being the same dir, which
won't work. You can make the container's rootfs be lvm, or create a tmpfs
/dev for the container on the fly before starting it, or something. But
if /var/lib/lxc/$container/ddd and /var/lib/lxc/$container/rootfs/dev are
both on the host's root fs (or on the host's /dev), then systemd won't
detect it as being mounted.

-serge
Serge Hallyn
2012-03-04 04:38:59 UTC
(note I said lvm rootfs just because that's currently easily supported; any
blockdev will do)
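The st_dev rule Serge describes for mount_one(), and why the ddd/ bind mount from the same filesystem fails it, as an added example that is not code from the thread, from systemd or from lxc; the directory layout it builds under a temp dir is a constructed stand-in for /var/lib/lxc/$container:

```python
import os
import tempfile

# Added example, not systemd's or lxc's own code: reproduces the rule the
# thread attributes to src/mount-setup.c:mount_one() so an lxc fstab can be
# checked before the container is started.

def dev_of(path):
    """st_dev of a path without following a final symlink (as lstat does)."""
    return os.lstat(path).st_dev

def is_mount_point(path):
    """The test as described in the thread: a directory counts as already
    mounted only if its st_dev differs from that of its parent directory."""
    path = os.path.abspath(path)
    return dev_of(path) != dev_of(os.path.dirname(path))

def bind_mount_is_detectable(source, target):
    """After a bind mount, target carries source's st_dev, so the rule above
    notices it only when source sits on a different filesystem than target's
    parent (a tmpfs or separate block device, not the host root fs)."""
    parent = os.path.dirname(os.path.abspath(target))
    return dev_of(source) != dev_of(parent)

def parse_lxc_fstab(text):
    """Yield (source, target, fstype, options) from fstab-style lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#"):
            yield fields[0], fields[1], fields[2], fields[3].split(",")

def check_bind_mounts(text):
    """Map each bind-mount target to whether systemd's rule would see it."""
    return {tgt: bind_mount_is_detectable(src, tgt)
            for src, tgt, _fs, opts in parse_lxc_fstab(text) if "bind" in opts}

def demo():
    """Recreate the layout from the thread (ddd/ beside rootfs/, both on the
    same filesystem) and report what the rule concludes about it."""
    base = tempfile.mkdtemp()  # constructed stand-in for /var/lib/lxc/$container
    os.makedirs(os.path.join(base, "ddd"))
    os.makedirs(os.path.join(base, "rootfs", "dev"))
    fstab = "%s/ddd %s/rootfs/dev ext4 defaults,bind 0 0\n" % (base, base)
    return check_bind_mounts(fstab)

if __name__ == "__main__":
    for target, seen in demo().items():
        print(target, "detectable" if seen else "NOT detectable: devtmpfs gets mounted anyway")
```

Pointing the source at a tmpfs or a separate block device makes bind_mount_is_detectable() return True, which is the condition Serge's reply asks for.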
