[systemd-devel] Unable to run systemd in an LXC / cgroup container.

Michael H. Warfield mhw at WittsEnd.com
Mon Oct 22 13:59:22 PDT 2012


On Mon, 2012-10-22 at 22:50 +0200, Lennart Poettering wrote:
> On Mon, 22.10.12 11:48, Michael H. Warfield (mhw at WittsEnd.com) wrote:
> 
> > > > To summarize the problem...  The LXC startup binary sets up various
> > > > things for /dev and /dev/pts for the container to run properly and this
> > > > works perfectly fine for SystemV start-up scripts and/or Upstart.
> > > > Unfortunately, systemd has mounts of devtmpfs on /dev and devpts
> > > > on /dev/pts which then break things horribly.  This is because the
> > > > kernel currently lacks namespaces for devices and won't for some time to
> > > > come (in design).  When devtmpfs gets mounted over top of /dev in the
> > > > container, it then hijacks the host's console tty and several other
> > > > devices which had been set up through bind mounts by LXC and should have
> > > > been LEFT ALONE.
> > 
> > > Please initialize a minimal tmpfs on /dev. systemd will then work fine.
> > 
> > My containers have a reasonable /dev that work with Upstart just fine
> > but they are not on tmpfs.  Is mounting tmpfs on /dev and recreating
> > that minimal /dev required?

> Well, it can be any kind of mount really. Just needs to be a mount. And
> the idea is to use tmpfs for this.

> What /dev are you currently using? It's probably not a good idea to
> reuse the host's /dev, since it contains so many device nodes that
> should not be accessible/visible to the container.

Got it.  And that explains the problems we're seeing but also what I'm
seeing in some libvirt-lxc related pages, which is a separate and
distinct project in spite of the similarities in the name...

http://wiki.1tux.org/wiki/Lxc/Installation#Additional_notes

Unfortunately, in our case, merely getting a mount in there is a
complication in that it also has to be populated but, at least, we
understand the problem set now.

> > > systemd will make use of pre-existing mounts if they exist, and only
> > > mount something new if they don't exist.
> > 
> > So you're saying that, if we have something mounted on /dev, that's what
> > prevents systemd from mounting devtmpfs on /dev?  

> Yes.

> > But, I have systemd running on my host system (F17) and containers with
> > sysvinit or upstart inits are all starting just fine.  That sounds like
> > it should impact all containers as pivot_root() is issued before systemd
> > in the container is started.  Or am I missing something here?  That
> > sounds like a problem for Serge and others to investigate further.  I'll
> > see about trying that workaround though.

> The "shared" issue is F18, and it's about running LXC on a systemd
> system, not about running systemd inside of LXC.

Whew!  I'll deal with F18 when I need to deal with F18.  That explains
why my F17 hosts are running and gives Serge and others a chance to
address this, forewarned.  Thanks for that info.

> Lennart

> -- 
> Lennart Poettering - Red Hat, Inc.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
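The "minimal tmpfs on /dev" that Lennart asks for, and the populating step Mike says LXC still has to do, as an added worked example. This is not code from LXC, systemd, or either poster: the rootfs path is supplied by the caller, the node list and mount options are illustrative assumptions, and the mountinfo sample at the end is constructed, not captured from a real system. Only populate_container_dev needs root; the rest runs unprivileged.

```shell
#!/bin/sh
# Added example (not LXC's or systemd's own code): give a container a private,
# minimally populated /dev on tmpfs so that systemd inside the container finds
# an existing mount on /dev and does not mount devtmpfs over it. The rootfs
# path, the node list and the mount options are assumptions for illustration.

# Device nodes a container can safely own outright: name type major minor mode.
# Major/minor numbers are the fixed Linux assignments.
# /dev/console is deliberately absent: node 5:1 is the host's console, which is
# exactly what must not show up in the container; the container manager bind
# mounts a pty it allocated over the placeholder created below instead.
minimal_dev_nodes() {
    cat <<'EOF'
null    c 1 3 666
zero    c 1 5 666
full    c 1 7 666
random  c 1 8 666
urandom c 1 9 666
tty     c 5 0 666
EOF
}

# Spec (type major minor mode) for one node name, or nothing if not listed.
node_spec() {
    minimal_dev_nodes | awk -v n="$1" '$1 == n { print $2, $3, $4, $5 }'
}

# Build the tree under the given container rootfs. Needs root (mount, mknod).
populate_container_dev() {
    rootfs="$1"
    dev="$rootfs/dev"
    mkdir -p "$dev"
    # Any mount on /dev satisfies systemd; tmpfs is the intended one. It also
    # hides the host's device nodes instead of reusing the host's /dev.
    mount -t tmpfs -o mode=755,nosuid,strictatime tmpfs "$dev"
    minimal_dev_nodes | while read -r name type major minor mode; do
        mknod -m "$mode" "$dev/$name" "$type" "$major" "$minor"
    done
    # Placeholder target for the manager's bind mount of a host pty.
    : > "$dev/console"
    # Private devpts instance so the container's ptys do not alias the host's;
    # ptmx must resolve inside that instance, not to the host's /dev/ptmx.
    mkdir -p "$dev/pts" "$dev/shm"
    mount -t devpts -o newinstance,ptmxmode=0666,mode=0620,gid=5 devpts "$dev/pts"
    ln -sf pts/ptmx "$dev/ptmx"
    mount -t tmpfs -o mode=1777,nosuid,nodev tmpfs "$dev/shm"
}

# Unprivileged check, run inside the container once it is up: print the
# filesystem type mounted on $2 according to mountinfo file $1 (default
# /proc/self/mountinfo), or nothing if $2 is not a mount point there.
# mountinfo field 5 is the mount point; the fstype follows the "-" separator.
dev_mount_type() {
    awk -v mp="$2" '
        $5 == mp {
            for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit }
        }' "${1:-/proc/self/mountinfo}"
}

# Constructed sample of what /proc/self/mountinfo should look like inside a
# container prepared as above (not captured from a real system).
CONSTRUCTED_MOUNTINFO='21 1 0:19 / / rw,relatime - ext4 /dev/vda1 rw
45 21 0:21 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
46 45 0:22 / /dev/pts rw,nosuid,noexec - devpts devpts rw,gid=5,mode=620'
```

Call populate_container_dev on the container rootfs from the host side before the container's init is started. Inside a running container, `dev_mount_type "" /dev` should print `tmpfs`; if it prints `devtmpfs`, systemd found no mount on /dev and mounted the host-visible device tree over it, which is the failure mode described in this thread.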