[ fwd from debian bts ]

Luca Falavigna [email protected] wrote:

It would be nice to have the possibility to create containers for
foreign architectures, as already implemented in Ubuntu:
https://help.ubuntu.com/12.04/serverguide/lxc.html

When using the newly-introduced -Bbest it is not possible to request a specific filesystem size with --fssize, you get an error message:

"filesystem type and size are only valid with block devices"

Same error happens with --fstype.

Hi. I'm using 1.0.0.alpha1 although I've tried with 0.8.0 also and I'm unable to start container with the following error:

lxc-start: Invalid argument - pivot_root syscall failed
lxc-start: failed to setup pivot root
lxc-start: failed to set rootfs for 'repos'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'repos'

I've tried mount --make-private on all mount point I've thought of with no luck.
Also I've tried lxc.autodev = 1 also no luck and I guess this is relevant with systemd while this systems uses openrc as init system.

Container's conf file:

lxc.arch = amd64
lxc.utsname = repos
lxc.rootfs = /virt/lxc/repos

Distribution Gentoo. Same config works fine on another gentoo system. Although systems are completely different I think important differences are:

1. init system: on laptop I'm using systemd while on server openrc
2. on server I have full system inside ram (system resides inside initramfs and after boot root stays in RAM on rootfs)

cat /proc/self/mountinfo

1 1 0:1 / / rw - rootfs rootfs rw
14 1 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
15 1 0:13 / /run rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=755
16 1 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=10240k,nr_inodes=4081011,mode=755
17 16 0:10 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
18 16 0:14 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw
19 1 0:15 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
20 19 0:12 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime - securityfs securityfs rw
21 19 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime - debugfs debugfs rw
22 19 0:16 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs cgroup_root rw,size=10240k,mode=755
23 22 0:17 / /sys/fs/cgroup/openrc rw,nosuid,nodev,noexec,relatime - cgroup openrc rw,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc
24 22 0:18 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime - cgroup cpuset rw,cpuset,clone_children
25 22 0:19 / /sys/fs/cgroup/cpu rw,nosuid,nodev,noexec,relatime - cgroup cpu rw,cpu
26 22 0:20 / /sys/fs/cgroup/cpuacct rw,nosuid,nodev,noexec,relatime - cgroup cpuacct rw,cpuacct
27 22 0:21 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup memory rw,memory
28 22 0:22 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime - cgroup devices rw,devices
29 22 0:23 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime - cgroup freezer rw,freezer
30 22 0:24 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime - cgroup blkio rw,blkio
31 22 0:25 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime - cgroup perf_event rw,perf_event
32 1 8:1 / /mnt/root rw,noatime - ext4 /dev/sda1 rw,data=ordered
33 1 254:1 / /virt rw,relatime - ext4 /dev/mapper/virt rw,data=ordered

So any suggestions are welcome. I'll put debugging information in a moment.

A lot of dependencies are not supported by Python3. I am figuring if it's possible to compile your python binding using Python2?

I would like to point out that identifiers like "__arguments_h" and "_IFADDRS_H_" do not fit to the expected naming convention of the C language standard.
Would you like to adjust your selection for unique names?

This is a copy of a SourceForge bug:

http://git.pld-linux.org/?p=packages/lxc.git;a=commitdiff;h=bf6a07ce0ee91567e429a5e8b8e2e1ef0101a006

the variables get assigned as:
KVER_MAJOR="3\n# Linux VServer"
KVER_MINOR="10\n# Linux VServer"

which causes parse errors:

Cgroup memory controller: 
+ '[' 3 '#' Linux VServer -ge 3 -a 10 '#' Linux VServer -ge 6 ']'
/usr/bin/lxc-checkconfig[98]: [: #: unexpected operator/operand
+ is_enabled CONFIG_CGROUP_MEM_RES_CTLR

in this code:
if [ $KVER_MAJOR -ge 3 -a $KVER_MINOR -ge 6 ]; then
    is_enabled CONFIG_MEMCG
else
    is_enabled CONFIG_CGROUP_MEM_RES_CTLR
fi


---
$ zgrep '^# Linux' /proc/config.gz | sed -r 's/.* ([0-9])\.[0-9]{1,2}\.[0-9]{1,3}.*/\1/'
3
# Linux VServer

---

$ zcat /proc/config.gz |grep '^# Linux'

---
# Linux/x86_64 3.10.10 Kernel Configuration
# Linux VServer

---


--- lxc-0.9.0/src/lxc/lxc-checkconfig.in    2013-09-17 12:00:03.486888314 +0300
+++ lxc-0.9.0/lxc-checkconfig   2013-09-17 12:47:12.000000000 +0300
@@ -78,13 +68,13 @@
 }

 CGROUP_MNT_PATH=`print_cgroups cgroup /proc/self/mounts | head -1`
-KVER_MAJOR=$($GREP '^# Linux' $CONFIG | \
+KVER_MAJOR=$($GREP '^# Linux.*Kernel Configuration' $CONFIG | \
     sed -r 's/.* ([0-9])\.[0-9]{1,2}\.[0-9]{1,3}.*/\1/')
 if [ "$KVER_MAJOR" = "2" ]; then
-KVER_MINOR=$($GREP '^# Linux' $CONFIG | \
+KVER_MINOR=$($GREP '^# Linux.*Kernel Configuration' $CONFIG | \
     sed -r 's/.* 2.6.([0-9]{2}).*/\1/')
 else
-KVER_MINOR=$($GREP '^# Linux' $CONFIG | \
+KVER_MINOR=$($GREP '^# Linux.*Kernel Configuration' $CONFIG | \
     sed -r 's/.* [0-9]\.([0-9]{1,3})\.[0-9]{1,3}.*/\1/')
 fi

LVM Thin Pools allow for on-demand allocation of space, among other features like snapshots of snapshots.

Using a thin pool one can create containers with a larger pre-allocated size but that only allocate actual used space from the pool, and later extend the pool as the allocation grows closer to full capacity, resulting in better resource usage.

Using the lxc-1.0.0.alpha2, it seems like the pid file is removed by lxc-start when starting in daemon mode. Shouldn't it remain until the container exits?

root@debian:/var/lib/lxc# inotifywait -qm -e create,delete . | sed -e 's/^/inotifywait: /' &                                        
[1] 32339                                                                                                                           
root@debian:/var/lib/lxc# lxc-start -n mycontainer -d --pidfile=/var/lib/lxc/mycontainer.pid                                        
inotifywait: ./ CREATE mycontainer.pid                                                                                              
inotifywait: ./ CREATE monitor-fifo                                                                                                 
inotifywait: ./ CREATE monitor-sock                                                                                                 
inotifywait: ./ DELETE mycontainer.pid                                                                                              
root@debian:/var/lib/lxc# ls -l mycontainer.pid                                                                                     
ls: cannot access mycontainer.pid: No such file or directory                                                                        
root@debian:/var/lib/lxc# lxc-info -n mycontainer                                                                                   
state:   RUNNING                                                                                                                    
pid:       597

ii lxc 1.0.0alpha1+staging20130921-1534-0ubuntu1ppa1precise1 Linux Containers userspace tools

Command:
$ lxc-create -n ipa12 -t fedora

on 12.04 / 3.8.0-31-generic / lxc version: 0.7.5

terminal1 # lxc-execute -n seeme /bin/bash
terminal2 # lxc-list| grep seeme
seeme

on 13.10 / 3.11.0-12-generic / lxc version: 1.0.0.alpha1

terminal1 # lxc-execute -n seeme /bin/bash
terminal2 # lxc-ls| grep seeme
terminal2 #
But the container exists:
terminal1 # lxc-info -n seeme
state: RUNNING
pid: 5036
terminal1 # lxc-stop -n seeme

Host info-

OS- Debian testing
Kernel version- 3.11.0-7
HDD type - SSD

Container is running Ubuntu 12.04. LXC version is 0.9.0.alpha3

The output of command dd if=/dev/zero of=/tmp/output bs=20k count=100k; rm -f /tmp/output

within container is-

102400+0 records in
102400+0 records out
2097152000 bytes (2.1 GB) copied, 6.74583 s, 311 MB/s

Now when same OS (Ubuntu 12.04 LTS) is run under VirtualBox, and above command is executed, I get following result-

102400+0 records in
102400+0 records out
2097152000 bytes (2.1 GB) copied, 5.10253 s, 411 MB/s

That is a significant difference in disk io. My expectation is that LXC disk io should be at least equal to what we get using virutalbox if not more.

Hello,

It would be nice if the lxc-debian template was updated to support whezzy (the new stable by default).

Squeeze is EOL (oldstable) and will retire soon

There is a following paragraph in lxc-stop man page, DIAGNOSTIC section:

  The container is busy
         The specified container is already running an  application.  You
         should stop it before reuse this container or create a new one.

This part is unnecessary?

Hi,

On my debian machine I'm using the good old SysVinit but I've systemd-logind running (started by some GNOME component). logind is mounting the following cgroup hierarchy by default:

cat /proc/mounts |grep cgroup
none /sys/fs/cgroup tmpfs rw,rootcontext=system_u:object_r:sysfs_t:s0,seclabel,relatime,size=4k,mode=755 0 0
systemd /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0

cat /proc/cgroups

subsys_name hierarchy num_cgroups enabled

cpuset 0 1 1
cpu 0 1 1
cpuacct 0 1 1
memory 0 1 0
devices 0 1 1
freezer 0 1 1
net_cls 0 1 1
blkio 0 1 1
perf_event 0 1 1

But this prevent lxc from starting a container:

lxc-start: No cgroup mounted on the system
lxc-start: failed to spawn 'debian-lxc'

If I switch the init to systemd then the container is starting as expected

I don't believe this should return an error if no containers are found.

lxc-ls

lxc-ls: no containers found

echo $?

1

I believe It should print nothing and return zero.

I can submit a patch but really want to know why it is like this as it makes no sense to me.
It should be more UNIXy and if there is nothing to list then it should display nothing.

This error return makes it hard to tell if there is an error or just no containers especially when calling this from a script and checking the return value.

Currently using:
lxc.network.type = phys
lxc.network.link = wlan0

Will fail as apparently moving one of those is slightly different than moving a standard eth interface, it'd be good to have lxc and lxc-device detect those and do the right thing.

im testing the master on fedora. I hope im taking the right steps:

./autogen
./configure --enable-python --prefix=/usr --localstatedir=/var
make rpm
sudo yum localinstall ~/path/to/rpmbuildroot/lxc-*.rpm

lxc-top does not work after the installation. lua complains about the getopt module. once i installed the lua-alt-getopt module, it worked. I was expecting yum to fetch the dependencies (if any).

When I lxc-ls --fancy I get unrecognised option error!
Any clue?

is there have some method to migrate container to other lxc host, no matter hot migrate

The README file says

Please see the COPYING file for details on copying and usage.

and COPYING contains the LGPLv2+, thus suggesting LXC is licensed under LGPLv2+.

However, there are some files which are licensed GPLv2:

src/lua-lxc/core.c
src/lxc/lxccontainer.c
src/lxc/lxclock.c
src/lxc/lxclock.h
src/tests/cgpath.c
src/tests/containertests.c
src/tests/createtest.c
src/tests/destroytest.c
src/tests/getkeys.c
src/tests/get_item.c
src/tests/locktests.c
src/tests/lxcpath.c
src/tests/saveconfig.c
src/tests/shutdowntest.c
src/tests/startone.c
templates/lxc-ubuntu.in
templates/lxc-ubuntu-cloud.in

And a lot of files without any licensing information. The following list contains only .c, .h, .sh, .py, .lua, and .in files:

autogen.sh
doc/examples/lxc-complex.conf.in
doc/examples/lxc-empty-netns.conf.in
doc/examples/lxc-macvlan.conf.in
doc/examples/lxc-no-netns.conf.in
doc/examples/lxc-phys.conf.in
doc/examples/lxc-veth.conf.in
doc/examples/lxc-vlan.conf.in
lxc.pc.in
runapitests.sh
src/include/getline.c
src/include/getline.h
src/include/lxcmntent.c
src/include/lxcmntent.h
src/include/openpty.h
src/lua-lxc/lxc.lua
src/lua-lxc/test/apitest.lua
src/lxc/apparmor.c
src/lxc/apparmor.h
src/lxc/list.h
src/lxc/lxccontainer.h
src/lxc/lxc-checkconfig.in
src/lxc/lxc-version.in
src/python-lxc/setup.py
templates/lxc-alpine.in

I am by no means an expert, but I think linking together GPLv2 (only) and LGPLv2 (or later) code makes the result effectively GPLv2 (only). Not sure if that is intended.

The reason why I am asking is that I am currently updating the lxc package in Fedora.

Title says it all, we want to make this template more consistent with lxc-ubuntu.

Running lxc-create -t ubuntu .... on Arch Linux currently fails to create the container. If I copy the cached container from another machine it still fails to create the container.

The problem appears to be that $PATH is inherited from the host, and Arch has /usr/bin, but no /bin on the path, so the setup scripts fail to find all the tools they need inside the new container.

However, this works:

sudo env PATH=/usr/sbin:/sbin:/bin:$PATH lxc-create -n precise -t ubuntu -- -r precise

lxc-ubuntu (and probably the others) should set $PATH to something likely to work inside the container.

(It might be that the problems populating the cache are a debootstrap problem, but the last step of preparing the container must surely be an LXC problem: useradd is not found.)

32 bit Linux fails to compile the current HEAD because of the following warning/error:

confile.c: In function 'config_string_item_max':
confile.c:238:3: error: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'size_t' [-Werror=format]

A complete build log is available at http://hydra.nixos.org/build/6362637/nixlog/1/raw.

This is a copy of a sourceforge bug:
"""
It is currently impossible to give mount options for the root fs of the container and it is impossible to remount the root fs after starting the container.

This is problematic as I would like to be able to mount it with noatime for performance reasons. Please include the option to specify mount options in the config file.
"""

It's sometimes useful to have multiple version of lxc and refer to them by absolute path.

When running the lxc-clone command it tries to run lxc-info which is not in the path.
So commands in the script are prefixed and some are not and this is pretty inconsistent throughout the scripts.

The commads below are what I've found so far

src/lxc/lxc-clone.in
src/lxc/lxc-destroy.in
src/lxc/lxc-netstat.in
src/lxc/lxc-shutdown.in

Line 66 needs more double quotes

-if [ ${CPE_NAME} != "" -a ${ID} = "fedora" -a ${VERSION_ID} != "" ]
+if [ "${CPE_NAME}" != "" -a "${ID}" = "fedora" -a "${VERSION_ID}" != "" ]

Also there's an issue with this line:

    chroot ${rootfs_path} yum --releasever=${release} -y install fedora-release

The yum fails due to no /etc/resolv.conf in ${rootfs_path}.
I've hacked around it, but don't have a general solution.
It can't just be copying the host /etc/resolv.conf because on my Ubuntu 13.04 host it says "nameserver 127.0.1.1". The real nameserver is in /etc/NetworkManager/...

I have looked at a few source files for your current software. I have noticed that some checks for return codes are missing.

Would you like to add more error handling for return values from functions like the following?

• sigaction ⇒ main
• fprintf ⇒ print_usage

rc.conf, rc.sysinit.lxc, rc.shutdown.lxc, inittab are now longer required. Most software in Arch Linux required installation of the "base" group instead of individual packages from this group.

While the version I am using is not absolute latest, diffing /usr/share/lxc/templates/lxc-ubuntu with the raw https://raw.github.com/lxc/lxc/staging/templates/lxc-ubuntu.in file revealed nothing suggesting this issue has been resolved.

Observed behaviour: Both the use of windows/command keys on PC/Mac to migrate to previous/next console, and the console font for virtual terminals on the host's console (within the default range of the Ubuntu container under setup) are broken.

Desired behaviour: Any script executing to set up the guest should not affect the host system.

Would you like to add the configuration script "AX_PTHREAD" to your build specification?

It would be nice if the Lua bindings would (additionally) support Lua 5.2, as distributions start using that instead of 5.1.

The needed patch shouldn't be that big, I guess.

Besides src/lua-lxc/Makefile.{am,in} containing the hard-coded version number, I see on occurrence of unpack() in src/lua-lxc/lxc.lua, which should be table.unpack() for Lua 5.2.

Not sure whether core.c needs to be adapted.

When I made lxc-ls or lxc-ls --fancy I have this error :
root@ns3275647:~/lxc# lxc-ls --fancy
Traceback (most recent call last):
File "/usr/local/bin/lxc-ls", line 35, in
import lxc
ImportError: No module named lxc

To install LXC I did that :
apt-get install git automake libcap-dev pkg-config python3-dev docbook2x python3-all-dev python-pip build-essential
cd /root
git clone https://github.com/lxc/lxc.git
cd /root/lxc
./autogen.sh
./configure --enable-doc --enable-python | tee -a config.log
make -j3 | tee -a compil.log
make install
mkdir /home/containers
rm -r /usr/local/var/lib/lxc
ln -s /home/containers/ /usr/local/var/lib/lxc
lxc-ls --fancy

Discovered while testing docker.

One a machine that has /etc/cgconfig.conf like

mount {
#       cpuset  = /cgroup/all;
        cpu     = /cgroup/all;
        cpuacct = /cgroup/all;
        memory  = /cgroup/all;
#       devices = /cgroup/all;
        freezer = /cgroup/all;
        net_cls = /cgroup/all;
#       blkio   = /cgroup/all;
}

The docker+lxc fails with:

lxc-start: cgroup is not mounted                                                
lxc-start: Error setting devices.deny to a for lxc/15509c8f85901ba2fc2cb883d777b836cee7cdeb2b46d6ebc07d9a1a5b1de0f0 
lxc-start: failed to setup the cgroups for '15509c8f85901ba2fc2cb883d777b836cee7cdeb2b46d6ebc07d9a1a5b1de0f0' 
lxc-start: failed to spawn '15509c8f85901ba2fc2cb883d777b836cee7cdeb2b46d6ebc07d9a1a5b1de0f0' 
lxc-start: Device or resource busy - failed to remove cgroup '/cgroup/all/lxc/15509c8f85901ba2fc2cb883d777b836cee7cdeb2b46d6ebc07d9a1a5b1de0f0'

This is failure does not occur when mounting the cgroup controllers individually.

After this upgrade I got weird "Broken Pipe" errors when connecting to my lxc instances via ssh (or any other protocol) ever ~30seconds. After a downgrade it again all works. I didn't find anything at all in the logs.

Any ideas?

I'm using https://launchpad.net/~ubuntu-lxc/+archive/daily

Seems like mount.entry with a relative path has been broken recently. Juju creates an lxc config with an entry like:

lxc.mount.entry = /home/user/.juju/env/log var/log/juju

However, using latest lxc from the ppa it tries to mount that into:

/usr/lib/x86_64-linux-gnu/lxc/var/log/juju

... instead of relative to rootfs. As such, the container fails to start.

Incidentally, during lxc-create the logs also seem to use that same path. Seems like some option is not being passed around correctly.

lxc-create 1382535470.641 DEBUG    bdev - trying to mount '/dev/lxc/precise-best'->'/usr/lib/x86_64-linux-gnu/lxc' with fstype 'ext3'
lxc-create 1382535470.760 INFO     bdev - mounted '/dev/lxc/precise-best' on '/usr/lib/x86_64-linux-gnu/lxc', with fstype 'ext3'

It would be nice if $container/config files would know about an include directive, so that one could include a global generic container config and only add settings (like network and container name etc.) in the container specific local configuration file, unique to a container.

Please excuse this if the issue is already known, but I was unable to find others who had encountered this issue.

When using ephemeral containers, under raring (i.e. LXC 0.9.0) with standard filesystem based storage, the post-stop script does not umount the tmpfs or unionfs; it simply runs rm -Rf against the containers directory.

I have been able to reproduce the memory leak by repeatedly starting an ephemeral container, run a set of commands against said container (apt-get installs, chef runs, etc), stopping said container; then rinse and repeat. After many cycles (in my case around 10 or more) the host running the ephemeral containers will run out of memory and oom killer swings into action in full force.

When I use the ephemeral containers with the --keep-data flag, memory usage behaves as expected and the issue disappears.

At this point I do not have any direct evidence to show; but I can say for certain that taking tmpfs out of the picture fixed this issue. This has led me to believe that in the post-stop script LXC should be calling umount against the unionfs and tmpfs mount points the pre-mount script created.

My theory is that since it is not calling umount the memory used by ephemeral tmpfs mounts seems to stay allocated and becomes orphaned.

I would happily submit a patch for this; but I do not currently meet your contribution guidelines, so I wanted to go ahead and bring this to your attention.

Recent systemd versions set root mount propagation mode to "shared" (commit: http://cgit.freedesktop.org/systemd/systemd/commit/?id=b3ac5f8cb98757416d8660023d6564a7c411f0a0).
This mode prevents lxc from starting containers, resulting in errors like this - http://sourceforge.net/tracker/index.php?func=detail&aid=3559833&group_id=163076&atid=826303
As suggested here - https://bugs.archlinux.org/task/31211, remounting root with --make-rprivate option workarounds this issue.

Hi,

On ArchLinux lxc-init is located here:

$ locate lxc-init
/usr/bin/lxc/lxc-init

But sshd-template is looking for /usr/bin/lxc-init

$ grep "lxc-init" /usr/share/lxc/templates/* 
/usr/share/lxc/templates/lxc-sshd:    type /usr/bin/lxc-init
/usr/share/lxc/templates/lxc-sshd:        echo "'lxc-init is not accessible on the system"
/usr/share/lxc/templates/lxc-sshd:    exec /usr/bin/lxc-init -- /usr/sbin/sshd

Is it configurable here https://github.com/lxc/lxc/blob/staging/configure.ac#L229 ?

On ubuntu 12.04LTS 3.2.0-51-generic #77 SMP Fri Aug 2 14:02:45 PDT 2013 x86_64 GNU/Linux:

$ sudo lxc-execute --name testcontainer -s lxc.utsname=hostname -s lxc.network.type=veth -s lxc.network.ipv4=192.168.1.1/24 -s lxc.network.flags=up -- cat /proc/sys/net/ipv4/ip_local_port_range
32768   61000

On ubuntu 12.04LTS 3.5.0-32-generic #53~precise1-Ubuntu SMP Wed May 29 20:33:37 UTC 2013 GNU/Linux:

$ sudo lxc-execute --name testcontainer -s lxc.utsname=hostname -s lxc.network.type=veth -s lxc.network.ipv4=192.168.1.1/24 -s lxc.network.flags=up -- cat  /ip_local_port_range
cat: /proc/sys/net/ipv4/ip_local_port_range: No such file or directory

Both machines have the file with identical values when not under isolation. /proc/sys/net/ipv4 is present under isolation on both machines (just the ip_local_port_range file is missing).

The selenium webdriver javascript code assumes /proc/sys/net/ipv4/ip_local_port_range is there, and has a bug which prevents running under isolation when it's not.

It is common wisdom within computer security that "deny all, permit explicitly" is the appropriate model for security related configuration.

lxc.cap.drop in lxc.conf represents the opposite.

Therefore, I suggest removing lxc.cap.drop (or including with a HEAVY deprecated warning for a few releases, then removing) in favor of:
lxc.cap.preserve = chown ipc_lock lease net_bind_service net_broadcast net_raw setgid setuid sys_chroot

The implementation could occur similarly to the following:

1. Get mask of current capabilities
2. Get mask of 'lxc.cap.preserve' capabilities
3. Drop any capabilities that differ

Right now, lxc users upgrading their host kernel are placed in a position where any additional capabilities implemented by the kernel will be granted by default to all containers. This is obviously undesirable.

Thanks for your consideration of this problem.

(Copied from http://sourceforge.net/tracker/?func=detail&aid=3572025&group_id=163076&atid=826303 )

It appears that (on CentOS 6.5) line 556 of the template lxc-centos is receiving the full release name string, instead of the numeric version.

Line 78 of the template lxc-centos may be simpler as:

awk '{print $3}' /etc/redhat/release

New containers' timezone is fixed to Etc/UTC, however it's always should be copied from the host:

Ubuntu:

--- lxc-ubuntu.ORIG 2013-09-21 19:19:25.535539699 +0200
+++ lxc-ubuntu  2013-09-21 20:10:12.316143642 +0200
@@ -105,6 +105,10 @@
         rm -f $rootfs/usr/sbin/policy-rc.d
     fi
 
+    # adjust timezone to the host
+    cp -f /etc/timezone $rootfs/etc/timezone
+    chroot $rootfs dpkg-reconfigure -f noninteractive tzdata
+
     return 0
 }

Fedora:

--- lxc-fedora.ORIG 2013-09-21 19:59:19.533180037 +0200
+++ lxc-fedora  2013-09-22 00:13:29.945942612 +0200
@@ -585,4 +585,8 @@
     clean || exit 1
     exit 0
 fi
+
+# adjust timezone to the host
+cp -f /etc/timezone /data/lxc/samba/rootfs/etc/localtime
+
 echo "container rootfs and config created"

Oracle Linux:

--- lxc-oracle.ORIG 2013-09-21 20:02:18.020336992 +0200
+++ lxc-oracle  2013-09-22 01:25:35.675211177 +0200
@@ -329,6 +329,9 @@
     echo "root:root" | chroot $container_rootfs chpasswd
     echo -e "Added container user:\033[1moracle\033[0m password:\033[1moracle\033[0m"
     echo -e "Added container user:\033[1mroot\033[0m password:\033[1mroot\033[0m"
+
+    # adjust timezone to the host
+    cp -f /etc/timezone $container_rootfs/etc/localtime
 }
 
 # create the container's lxc config file

However I realized, it's not good enough, as system time also depends on the hardware clock (UTC or not). It's configured in different places, eg.:

Ubuntu -> /etc/default/rcS
Red Hat clones -> /etc/sysconfig/clock

Probably other places in other distributions.
So it's hard to find a common solution to this particular issue.

root@debian-first:~# apt-get install avahi-daemon avahi-utils

# LOG CUT HERE

Starting system message bus: dbus.
Setting up avahi-daemon (0.6.27-2+squeeze1) ...
Reloading system message bus config...done.
Starting Avahi mDNS/DNS-SD Daemon: avahi-daemonTimeout reached while wating for return value
Could not receive return value from daemon process.
 (warning).

Inside ubuntu containers avahi-daemon starts correctly. Inside real squeeze VMs avahi-daemon also starts correctly.

My host is Ubuntu 12.04

Here is strace output:

root@debian-first:~# strace /etc/init.d/avahi-daemon start
execve("/etc/init.d/avahi-daemon", ["/etc/init.d/avahi-daemon", "start"], [/* 12 vars */]) = 0
brk(0)                                  = 0x247f000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc33b35a000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=7116, ...}) = 0
mmap(NULL, 7116, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fc33b358000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\355\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1437064, ...}) = 0
mmap(NULL, 3545160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fc33addd000
mprotect(0x7fc33af36000, 2093056, PROT_NONE) = 0
mmap(0x7fc33b135000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x158000) = 0x7fc33b135000
mmap(0x7fc33b13a000, 18504, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fc33b13a000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc33b357000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc33b356000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc33b355000
arch_prctl(ARCH_SET_FS, 0x7fc33b356700) = 0
mprotect(0x7fc33b135000, 16384, PROT_READ) = 0
mprotect(0x7fc33b35c000, 4096, PROT_READ) = 0
munmap(0x7fc33b358000, 7116)            = 0
getpid()                                = 764
rt_sigaction(SIGCHLD, {SIG_DFL, [CHLD], SA_RESTORER|SA_RESTART, 0x7fc33ae0f230}, {SIG_DFL, [], 0}, 8) = 0
geteuid()                               = 0
brk(0)                                  = 0x247f000
brk(0x24a0000)                          = 0x24a0000
getppid()                               = 763
stat("/root", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
open("/etc/init.d/avahi-daemon", O_RDONLY) = 3
fcntl(3, F_DUPFD, 10)                   = 10
close(3)                                = 0
fcntl(10, F_SETFD, FD_CLOEXEC)          = 0
rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGINT, {0x40f540, ~[RTMIN RT_1], SA_RESTORER, 0x7fc33ae0f230}, NULL, 8) = 0
rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7fc33ae0f230}, NULL, 8) = 0
rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGTERM, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7fc33ae0f230}, NULL, 8) = 0
read(10, "#!/bin/sh\n### BEGIN INIT INFO\n# "..., 8192) = 2315
stat("/usr/sbin/avahi-daemon", {st_mode=S_IFREG|0755, st_size=127992, ...}) = 0
geteuid()                               = 0
open("/lib/lsb/init-functions", O_RDONLY) = 3
fcntl(3, F_DUPFD, 10)                   = 11
close(3)                                = 0
fcntl(11, F_SETFD, FD_CLOEXEC)          = 0
read(11, "# /lib/lsb/init-functions for De"..., 8192) = 8192
read(11, "_message (int exitstatus)\nlog_en"..., 8192) = 1592
stat("/etc/lsb-base-logging.sh", 0x7fff85b6d410) = -1 ENOENT (No such file or directory)
read(11, "", 8192)                      = 0
close(11)                               = 0
stat("/etc/default/avahi-daemon", {st_mode=S_IFREG|0644, st_size=219, ...}) = 0
open("/etc/default/avahi-daemon", O_RDONLY) = 3
fcntl(3, F_DUPFD, 10)                   = 11
close(3)                                = 0
fcntl(11, F_SETFD, FD_CLOEXEC)          = 0
read(11, "# 1 = Try to detect unicast dns "..., 8192) = 219
read(11, "", 8192)                      = 0
close(11)                               = 0
write(1, "Starting Avahi mDNS/DNS-SD Daemo"..., 47Starting Avahi mDNS/DNS-SD Daemon: avahi-daemon) = 47
open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fcntl(1, F_DUPFD, 10)                   = 11
close(1)                                = 0
fcntl(11, F_SETFD, FD_CLOEXEC)          = 0
dup2(3, 1)                              = 1
close(3)                                = 0
fcntl(2, F_DUPFD, 10)                   = 12
close(2)                                = 0
fcntl(12, F_SETFD, FD_CLOEXEC)          = 0
dup2(1, 2)                              = 2
stat("/sbin/modprobe", 0x7fff85b6d530)  = -1 ENOENT (No such file or directory)
stat("/bin/modprobe", 0x7fff85b6d530)   = -1 ENOENT (No such file or directory)
stat("/usr/sbin/modprobe", 0x7fff85b6d530) = -1 ENOENT (No such file or directory)
stat("/usr/bin/modprobe", 0x7fff85b6d530) = -1 ENOENT (No such file or directory)
write(2, "/etc/init.d/avahi-daemon: 102: ", 31) = 31
write(2, "modprobe: not found", 19)     = 19
write(2, "\n", 1)                       = 1
dup2(11, 1)                             = 1
close(11)                               = 0
dup2(12, 2)                             = 2
close(12)                               = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc33b3569d0) = 765
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 765
--- SIGCHLD (Child exited) @ 0 (0) ---
stat("/var/run/avahi-daemon/disabled-for-unicast-local", 0x7fff85b6d400) = -1 ENOENT (No such file or directory)
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc33b3569d0) = 766
wait4(-1, Timeout reached while wating for return value
Could not receive return value from daemon process.
[{WIFEXITED(s) && WEXITSTATUS(s) == 255}], 0, NULL) = 766
--- SIGCHLD (Child exited) @ 0 (0) ---
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
stat("/usr/bin/tput", {st_mode=S_IFREG|0755, st_size=12192, ...}) = 0
geteuid()                               = 0
stat("/usr/bin/expr", {st_mode=S_IFREG|0755, st_size=101448, ...}) = 0
geteuid()                               = 0
open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fcntl(1, F_DUPFD, 10)                   = 11
close(1)                                = 0
fcntl(11, F_SETFD, FD_CLOEXEC)          = 0
dup2(3, 1)                              = 1
close(3)                                = 0
fcntl(2, F_DUPFD, 10)                   = 12
close(2)                                = 0
fcntl(12, F_SETFD, FD_CLOEXEC)          = 0
dup2(1, 2)                              = 2
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc33b3569d0) = 769
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 769
--- SIGCHLD (Child exited) @ 0 (0) ---
dup2(11, 1)                             = 1
close(11)                               = 0
dup2(12, 2)                             = 2
close(12)                               = 0
open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fcntl(1, F_DUPFD, 10)                   = 11
close(1)                                = 0
fcntl(11, F_SETFD, FD_CLOEXEC)          = 0
dup2(3, 1)                              = 1
close(3)                                = 0
fcntl(2, F_DUPFD, 10)                   = 12
close(2)                                = 0
fcntl(12, F_SETFD, FD_CLOEXEC)          = 0
dup2(1, 2)                              = 2
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc33b3569d0) = 770
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 770
--- SIGCHLD (Child exited) @ 0 (0) ---
dup2(11, 1)                             = 1
close(11)                               = 0
dup2(12, 2)                             = 2
close(12)                               = 0
pipe([3, 4])                            = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc33b3569d0) = 771
close(4)                                = 0
read(3, "\33[31m", 128)                 = 5
read(3, "", 128)                        = 0
close(3)                                = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 771
--- SIGCHLD (Child exited) @ 0 (0) ---
pipe([3, 4])                            = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc33b3569d0) = 772
close(4)                                = 0
read(3, "\33[33m", 128)                 = 5
read(3, "", 128)                        = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
close(3)                                = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 772
pipe([3, 4])                            = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc33b3569d0) = 773
close(4)                                = 0
read(3, "\33[39;49m", 128)              = 8
read(3, "", 128)                        = 0
--- SIGCHLD (Child exited) @ 0 (0) ---
close(3)                                = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 773
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc33b3569d0) = 774
wait4(-1,  (warning).
[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 774
--- SIGCHLD (Child exited) @ 0 (0) ---
exit_group(0)                           = ?

Hi guys,

I was thinking to add DBus support to LXC.

LXC would launch signals to DBus in some situations, for example :

When a Container get started, created or destroyed, it broadcasts signals to be consumed by all applications interested on that.

Does it make sense ?

If a lxc.mount.entry directory name includes a space ("/tmp/foo\ bar"), lxc-start will not parse the directory name correctly and raise a "failed to mount" error.

For now this configuration don't work:

lxc-start: failed to setup ipv4 gateway for 'eth1': Network is unreachable

lxc.network.type = macvlan
lxc.network.hwaddr = 52:54:00:\*:\*:\*
lxc.network.link = eth0
lxc.network.ipv4 = 212.83.\*.\*/32
lxc.network.ipv4.gateway = 62.210.\*.1
lxc.network.flags = up

it's because 62.210..1 isn't part of 212.83../32 ... but it's the right things to do in my case.
To be able to use this, we must add route for 62.210.**.1 on interface.

# ip route add 62.210.\*.1 dev eth1
# ip route add default via 62.210.\*.1

Solution can be to add gw as route by default to this interface to avoid any problem like this.

PS: I know that it can be seen like somethings "weird", but here (in France/Europe/USA) some big hosting company (OVH, Online.net) use this way to add more IP for their dedicated servers.

The fuse is already loaded in host

modprobe -l | grep fuse shows
kernel/fs/fuse/fuse.ko
kernel/fs/fuse/cuse.ko

But in container while using it, something error:

fuse: device not found, try 'modprobe fuse' first

I also tried to copy the /lib/modules from host to container and the same error.
Another module ip_queue has the same problem.
Is it supported to use the kernel module in container by now? Or is any plan to support this feature?

Thank you!

Using catalogs: /etc/sgml/catalog
Using stylesheet: /usr/share/docbook-utils/docbook-utils.dsl#print
Working on: .../lxc/lxc/doc/lxc-attach.sgml
nsgmls:.../lxc/lxc/doc/lxc-attach.sgml:26:63:W: cannot generate system identifier for public text "-//Davenport//DTD DocBook V3.0//EN"

Installing package docbook fixes the problem.