From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Daniel Lezcano <dlezcano-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
Cc: Linux Containers <containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>
Subject: Re: liblxc: lxc-debian
Date: Fri, 5 Dec 2008 18:11:11 -0600 [thread overview]
Message-ID: <20081206001110.GA32712@us.ibm.com> (raw)
In-Reply-To: <4939AFA7.1060903-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org>
Quoting Daniel Lezcano (dlezcano-NmTC/0ZBporQT0dZR+AlfA@public.gmane.org):
> Serge E. Hallyn wrote:
>> Hi Daniel,
>>
>> to create a debian-based container using lxc-debian on fedora 10,
>> I needed to do just a couple of things:
>>
>> 1. iptables -F :) Grrr.
>>
>> 2. Right above the debootstrap command, I had to fool
>> chage (used during openssh configuration) into thinking
>> selinux was disabled. So after the line:
>> mkdir -p "$CACHE/rootfs-$ARCH"
>> I added
>> mkdir -p "$CACHE/rootfs-$ARCH/selinux"
>> echo 0 > "$CACHE/rootfs-$ARCH/selinux/enforce"
>
> Good catch ! :)
Are you going to put those lines into the 'official' lxc-debian?
>> 3. For the actual debootstrap command I had to do
>> debootstrap --arch $ARCH etc $CACHE/rootfs-$ARCH
>> Then apt-get install openssh-server and apache
>> worked fine. But your debootstrap command failed
>> (the last time I tried) on chroot - no idea why.
>
> Ok, I will try to figure out what is happening.
Great, thanks.
>> Now it seems to work. This shouldn't have taken me 2 hours to
>> figure out, but the symptoms were deceptive :)
>
> I have some bugs reported that I will fix with this one. I'll release a
> 0.5.1 version soon.
>
> Thanks a lot for taking the time to investigate :)
One more thing that would be helpful - can you think of an
easy way to specify devices whitelist rules for lxc-debian?
I don't want to complicate the creation process, but as it
is it's not trivial to define them. Perhaps specifying a
default that should work for most everyone would be ok? I
find the following to be plenty flexible:
(this is the code I inserted into the old lxc-debian command,
haven't checked if I need to change it for the new one)
echo "lxc.cgroup.devices.deny = a" >> $CONFFILE
# /dev/null and zero
echo "lxc.cgroup.devices.allow = c 1:3 rwm" >> $CONFFILE
echo "lxc.cgroup.devices.allow = c 1:5 rwm" >> $CONFFILE
# consoles
echo "lxc.cgroup.devices.allow = c 5:1 rwm" >> $CONFFILE
echo "lxc.cgroup.devices.allow = c 5:0 rwm" >> $CONFFILE
echo "lxc.cgroup.devices.allow = c 4:0 rwm" >> $CONFFILE
echo "lxc.cgroup.devices.allow = c 4:1 rwm" >> $CONFFILE
# /dev/{,u}random
echo "lxc.cgroup.devices.allow = c 1:9 rwm" >> $CONFFILE
echo "lxc.cgroup.devices.allow = c 1:8 rwm" >> $CONFFILE
# /dev/pts/* - pts namespaces are "coming soon"
echo "lxc.cgroup.devices.allow = c 136:* rwm" >> $CONFFILE
# rtc
echo "lxc.cgroup.devices.allow = c 254:0 rwm" >> $CONFFILE
thanks,
-serge
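The device whitelist above, as an added example that is not part of the thread or of lxc-debian itself: one shell function writes Serge's default-deny rules (same major:minor pairs as in the mail) to a config file, and a second one audits an existing config for the two properties that make such a whitelist sound, namely that a "deny = a" line precedes every allow rule and that no allow rule re-opens everything with the catch-all type "a". The function names and the audit logic are assumptions for illustration; the audit is a purely lexical check of the config text, not something lxc performs.

```shell
#!/bin/sh
# Added example, not code from the thread or from lxc-debian.
# emit_device_whitelist FILE: append the default-deny device whitelist
# (the rules from Serge's mail) to FILE.
emit_device_whitelist() {
    conf="$1"
    {
        echo "lxc.cgroup.devices.deny = a"
        # /dev/null and /dev/zero
        echo "lxc.cgroup.devices.allow = c 1:3 rwm"
        echo "lxc.cgroup.devices.allow = c 1:5 rwm"
        # consoles
        echo "lxc.cgroup.devices.allow = c 5:1 rwm"
        echo "lxc.cgroup.devices.allow = c 5:0 rwm"
        echo "lxc.cgroup.devices.allow = c 4:0 rwm"
        echo "lxc.cgroup.devices.allow = c 4:1 rwm"
        # /dev/random and /dev/urandom
        echo "lxc.cgroup.devices.allow = c 1:9 rwm"
        echo "lxc.cgroup.devices.allow = c 1:8 rwm"
        # /dev/pts/*
        echo "lxc.cgroup.devices.allow = c 136:* rwm"
        # rtc
        echo "lxc.cgroup.devices.allow = c 254:0 rwm"
    } >> "$conf"
}

# audit_device_whitelist FILE: return 0 when FILE has a "deny = a" line
# before any allow rule, every allow rule has the shape
# "<c|b> <major|*>:<minor|*> <perms>", and no allow rule uses the
# catch-all type "a". Prints the offending line and returns 1 otherwise.
# (Hypothetical helper; the checks are lexical only.)
audit_device_whitelist() {
    conf="$1"
    seen_deny=0
    while IFS= read -r line; do
        case "$line" in
            "lxc.cgroup.devices.deny = a")
                seen_deny=1 ;;
            lxc.cgroup.devices.allow*)
                rule=${line#*= }
                if [ "$seen_deny" -eq 0 ]; then
                    echo "allow rule before default deny: $line"
                    return 1
                fi
                # type "a" would grant every device and defeat the deny
                case "$rule" in
                    a*) echo "catch-all allow rule: $line"; return 1 ;;
                esac
                if ! printf '%s\n' "$rule" \
                    | grep -Eq '^[cb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$'; then
                    echo "malformed allow rule: $line"
                    return 1
                fi ;;
        esac
    done < "$conf"
    [ "$seen_deny" -eq 1 ]
}
```

Usage: `emit_device_whitelist "$CONFFILE"` at the point in lxc-debian where the config is written, then `audit_device_whitelist "$CONFFILE"` as a sanity check; the audit is also useful on hand-edited configs, since a stray `allow = a` line silently undoes the whitelist.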