From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Dwight Schauer <dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Subject: Re: LXC PIDs, UIDs, and halt
Date: Mon, 12 Oct 2009 10:03:56 -0500	[thread overview]
Message-ID: <20091012150355.GA5783@us.ibm.com> (raw)
In-Reply-To: <68e6eac60910110930q74358967o19e3d0e88e111bd5-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

Quoting Dwight Schauer (dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> Hi all,
> 
> I'm new to LXC but have been playing around with it some.
> 
> I ran into a few issues:
> 1) PIDs for container processes show up on the controlling host (ps, top,
> etc). In OpenVZ there is a way to hide them.

Hmm, yes, it's basically by design, and 'fixing' it will sully the
clean hierarchical pidns design.

The easiest way to emulate that would be to have the host, during
boot, have init split off two child pid namespaces - one for most of the
host applications like the xserver, host's sshd, etc, and the other for
spawning off containers.  Then management of pid namespaces by the
host has to be done either from the init pid-ns, or from the pid-ns
which spawns off containers.

> 2) All controlling host mounts show up in containers.

Same.

> 3) A "kill -9 -1" run from a user in the controlling host kills all
> processes in all containers where the owner of the process has the same UID
> as the UID of the outside user. (At least the reverse is not the case).

You can prevent this from happening using selinux or smack.

Properly fixing this requires more work on the user namespace.  I am (as
always) hoping to get time to work on that soon.

> 4) In an opensuse container when I execute "halt" it is not just the
> container that halts, but the controlling host as well that shuts down.

Make sure that the container is launched with CAP_SYS_BOOT removed from
the capability bounding set.

> It does not make any difference where I mount /proc on the outside into the
> container, or from inside the container, the behavior above stays the same.
> 
> I'm bind mounting the outside /dev to the container /dev mountpoints.
> 
> I'm running Linux 2.6.30.6 and lxc 0.6.3
> 
> In opensuse I was able to successfully start the container only after
> commenting out si::bootwait:/etc/init.d/boot in /etc/inittab.
> Same for archlinux, I disabled rc::sysinit:/etc/rc.sysinit in /etc/inittab.
> I'm not concerned about having to do that.
> 
> 
> I'm looking for any insight or needed configuration changes for these issues.

-serge
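The CAP_SYS_BOOT advice in item 4 above, shown as an added example that is not part of this thread and not LXC's own code: a container manager would run something like this in the child just before exec'ing the container's init, so that "halt" inside the container has reboot(2) fail with EPERM rather than shutting down the host. The helper names (capbset_has, capbset_drop, disarm_halt) are hypothetical; the only kernel interfaces used are prctl(PR_CAPBSET_READ) and prctl(PR_CAPBSET_DROP). Dropping from the bounding set needs CAP_SETPCAP, so the drop can fail with EPERM when run unprivileged; the read never needs privilege.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Return 1 if `cap` is still in this process's capability bounding set,
 * 0 if it has been dropped, -1 on error (errno set, e.g. EINVAL for an
 * unknown capability number). Needs no privilege. */
int capbset_has(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Drop `cap` from the bounding set. Requires CAP_SETPCAP; returns 0 on
 * success, -1 with errno set (EPERM when unprivileged). The drop is
 * irreversible for this process and is inherited across fork/exec, so a
 * container init started afterwards can never regain the capability,
 * not even via a setuid-root binary. */
int capbset_drop(int cap)
{
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
}

/* Hypothetical hook a container manager calls before exec'ing the
 * container's init: try to drop CAP_SYS_BOOT, then report whether the
 * capability is now guaranteed absent (1) or still present (0).
 * If the drop fails with EPERM we may still be safe: the capability can
 * already be gone, e.g. when we ourselves run inside a container. */
int disarm_halt(void)
{
    if (capbset_drop(CAP_SYS_BOOT) != 0 && errno != EPERM)
        perror("PR_CAPBSET_DROP CAP_SYS_BOOT");
    return capbset_has(CAP_SYS_BOOT) == 0;
}

int main(void)
{
    printf("CAP_SYS_BOOT in bounding set before: %d\n", capbset_has(CAP_SYS_BOOT));
    printf("halt disarmed: %d\n", disarm_halt());
    printf("CAP_SYS_BOOT in bounding set after:  %d\n", capbset_has(CAP_SYS_BOOT));
    /* A real manager would now setns/clone into the container and
     * exec its init; reboot(2) from any descendant fails with EPERM. */
    return 0;
}
```

Run as root on the host, the second line prints "halt disarmed: 1" and the bounding set read goes from 1 to 0; run unprivileged, the drop is refused and the two reads agree with each other. The bounding set, rather than the process's effective set, is the right place for this because it caps what any later exec, including setuid-root programs like halt on an unmodified distro image, can acquire.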
