[systemd-devel] [Lxc-users] Unable to run systemd in an LXC / cgroup container.
Michael H. Warfield
mhw at WittsEnd.com
Thu Oct 25 10:23:32 PDT 2012
Hey Serge,
On Thu, 2012-10-25 at 11:19 -0500, Serge Hallyn wrote:
> Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > Sorry for taking a few days to get back on this. I was delivering a
> > guest lecture up at Fordham University last Tuesday so I was out of
> > pocket a couple of days or I would have responded sooner...
> >
> > On Mon, 2012-10-22 at 16:59 -0400, Michael H. Warfield wrote:
> > > On Mon, 2012-10-22 at 22:50 +0200, Lennart Poettering wrote:
> > > > On Mon, 22.10.12 11:48, Michael H. Warfield (mhw at WittsEnd.com) wrote:
> > > >
> > > > > > > To summarize the problem... The LXC startup binary sets up various
> > > > > > > things for /dev and /dev/pts for the container to run properly and this
> > > > > > > works perfectly fine for SystemV start-up scripts and/or Upstart.
> > > > > > > Unfortunately, systemd has mounts of devtmpfs on /dev and devpts
> > > > > > > on /dev/pts which then break things horribly. This is because the
> > > > > > > kernel currently lacks namespaces for devices and won't for some time to
> > > > > > > come (in design). When devtmpfs gets mounted over top of /dev in the
> > > > > > > container, it then hijacks the hosts console tty and several other
> > > > > > > devices which had been set up through bind mounts by LXC and should have
> > > > > > > been LEFT ALONE.
> > > > >
> > > > > > Please initialize a minimal tmpfs on /dev. systemd will then work fine.
> > > > >
> > > > > My containers have a reasonable /dev that work with Upstart just fine
> > > > > but they are not on tmpfs. Is mounting tmpfs on /dev and recreating
> > > > > that minimal /dev required?
> >
> > > > Well, it can be any kind of mount really. Just needs to be a mount. And
> > > > the idea is to use tmpfs for this.
> >
> > > > What /dev are you currently using? It's probably not a good idea to
> > > > reuse the hosts' /dev, since it contains so many device nodes that
> > > > should not be accessible/visible to the container.
> >
> > > Got it. And that explains the problems we're seeing but also what I'm
> > > seeing in some libvirt-lxc related pages, which is a separate and
> > > distinct project in spite of the similarities in the name...
> >
> > > http://wiki.1tux.org/wiki/Lxc/Installation#Additional_notes
> >
> > > Unfortunately, in our case, merely getting a mount in there is a
> > > complication in that it also has to be populated but, at least, we
> > > understand the problem set now.
> >
> > Ok... Serge and I were corresponding on the lxc-users list and he had a
> > suggestion that worked but I consider to be a bit of a sub-optimal
> > workaround. Ironically, it was to mount devtmpfs on /dev. We don't
> Oh, sorry - I take back that suggestion :)
> Note that we have mount hooks, so templates could install a mount hook to
> mount a tmpfs onto /dev and populate it.
Ok... I've done some cursory search and turned up nothing but some
comments about "pre mount hooks". Where is the documentation about this
feature and how I might use / implement it? Some examples would
probably suffice. Is there a require release version of lxc-utils?
> Or, if everyone is going to need it, we could just add a 'lxc.populatedevs = 1'
> option which does that without needing a hook.
> devtmpfs should not be used in containers :)
> -serge
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20121025/77b8535d/attachment.pgp>
More information about the systemd-devel
mailing list