[systemd-devel] LXC not working with systemd 209 or later

John Lane systemd at jelmail.com
Thu Apr 3 10:53:48 PDT 2014 

On 03/04/14 16:40, Leonid Isaev wrote:
> Hi,
>
> On Thu, 03 Apr 2014 11:25:27 +0100
> John Lane <systemd at jelmail.com> wrote:
>
>> Hello, I have a number of LXC containers that have been working with
>> systemd for some time. I have just tried to perform some upgrades,
>> taking them from 204 to 212 (actually they are scripted rebuilds rather
>> than upgrades).
> You have to tell exactly what you are doing. Just calling lxc-archlinux in a
> loop?
I am not sure what you mean by "Just calling lxc-archlinux in a loop". I 
build a container using a script that is similar to, but not the 
lxc-archlinux template. It uses the Arch tools "mkarchroot" and "pacman" 
to install a collection of packages and then performs various setup 
tasks and creates appropriate configuration. Here is the LXC config 
produced:

# Use autodev to be compatible with systemd
lxc.autodev = 1
lxc.hook.autodev = /srv/lxc/testcontainer/autodev

# hostname
lxc.utsname = testcontainer
#
# network
#     if the network is not defined then the container
#     will be able to use the host's network
lxc.network.type = veth
#lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.hwaddr = DE:AD:BE:EF:CA:FE

# restrict capabilities (security) see "man capabilities"
lxc.cap.drop = sys_module
#lxc.cap.drop = sys_admin

# only explicit device access
lxc.cgroup.devices.deny = a
#
# Memory Devices
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
#
# Terminals
lxc.tty =   1
lxc.pts = 1024
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
#
# root filesystem
lxc.rootfs = /srv/lxc/testcontainer

# bind mount the host's pacman cache so container uses the same cache
# rather than wasting time downloading packages already downloaded.
lxc.mount.entry = /var/cache/pacman/pkg 
/srv/lxc/testcontainer/var/cache/pacman/pkg none rw,bind 0 0


This works fine with 208 but not with 209 so, I guess I am doing 
something that was correct for 208 but the goal-posts have been moved by 
209.
>> I have found that they do not work properly with any systemd versions
>> 209 or later. I have read that 209 was a "massive new release".
> What do you mean by "do not work properly"?
What I find is that the login prompt never results in a prompt. I enter 
the correct user/password and it takes an age before redisplaying the 
login prompt. If apply 208 before starting the container then it works 
as expected.

I can get into the container with "lxc-attach".

I'm a bit in the dark as the journal isn't showing me anything (or I 
don't know where to look). The thing I did notice was the 209 journal 
contained less than the 208 one which would suggest that 209 is not 
starting some services that 208 does (see linked pastes). I am looking 
into that but was hoping there might be an obvious pointer from the list 
- some things that have changed in 209 that might affect LXC and that I 
could perhaps look into more.
> Also, FWIW:
>
> Host:
> -hermes-11:37-cur_work$ systemctl --version
> systemd 212
> +PAM -AUDIT -SELINUX -IMA -SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ +SECCOMP
> -APPARMOR
>
> Container:
> [appuser at appserver1 ~]$ systemd-detect-virt
> lxc
> [appuser at appserver1 ~]$ uname -a
> Linux appserver1 3.13.8-1-ARCH #1 SMP PREEMPT Tue Apr 1 12:19:51 CEST 2014
> x86_64 GNU/Linux
> [appuser at appserver1 ~]$ systemctl --version
> systemd 212
> +PAM -AUDIT -SELINUX -IMA -SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ +SECCOMP
> -APPARMOR
> [appuser at appserver1 ~]$ journalctl PRIORITY=3
> -- Logs begin at Thu 2014-04-03 10:24:09 EDT, end at Thu 2014-04-03 11:27:50
> EDT
> [appuser at appserver1 ~]$ journalctl PRIORITY=4
> -- Logs begin at Thu 2014-04-03 10:24:09 EDT, end at Thu 2014-04-03 11:27:50
> EDT
Host:
$ systemctl --version
systemd 211
+PAM -LIBWRAP -AUDIT -SELINUX -IMA -SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL 
+XZ +SECCOMP -APPARMOR

Container:
$  sudo lxc-attach -n testcontainer
# systemd-detect-virt
lxc
# systemctl --version
systemd 212
+PAM -AUDIT -SELINUX -IMA -SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ 
+SECCOMP -APPARMOR
# journalctl PRIORITY=3
-- Logs begin at Thu 2014-04-03 18:27:22 BST, end at Thu 2014-04-03 
18:27:23 BST. --
# journalctl PRIORITY=4
-- Logs begin at Thu 2014-04-03 18:27:22 BST, end at Thu 2014-04-03 
18:27:23 BST. --

That one had 212, but I get the same effect with 209, 210, 211 and 212.
>
> Cheers,
>
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140403/b96afb22/attachment-0001.html>

More information about the systemd-devel mailing list