[Bug 1087765] Re: Not all containers get started at bootime
Tamas Papp
tompos at gitanes.martos.bme.hu
Fri Dec 7 22:19:19 UTC 2012
create command: lxc-create -n CONTAINER -t ubuntu
containers are under the directory /data/lxc (mv /var/lib/lxc/CONTAINER /data/lxc)
/etc/lxc/lxc.conf:
lxc.network.type=veth
lxc.network.link=br-eth0
lxc.network.flags=up
/etc/default/lxc:
LXC_AUTO="true"
USE_LXC_BRIDGE="false"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_SHUTDOWN_TIMEOUT=120
/etc/apparmor.d/lxc/lxc-default:
[= I think it's default =]
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,

  # ignore DENIED message on / remount
  deny mount options=(ro, remount) -> /,

  # allow tmpfs mounts everywhere
  mount fstype=tmpfs,

  # allow mqueue mounts everywhere
  mount fstype=mqueue,

  # allow fuse mounts everywhere
  mount fstype=fuse.*,

  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,

  # allow bind mount of /lib/init/fstab for lxcguest
  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,

  # deny writes in /proc/sys/fs but allow fusectl to be mounted
  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
  deny @{PROC}/sys/fs/** wklx,

  # block some other dangerous paths
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
  deny @{PROC}/sys/kernel/*/** wklx,

  # deny writes in /sys except for /sys/fs/cgroup, also allow
  # fusectl, securityfs and debugfs to be mounted there (read-only)
  mount fstype=fusectl -> /sys/fs/fuse/connections/,
  mount fstype=securityfs -> /sys/kernel/security/,
  mount fstype=debugfs -> /sys/kernel/debug/,
  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
  mount fstype=proc -> /proc/,
  mount fstype=sysfs -> /sys/,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
}
I also have an /etc/apparmor.d/lxc/lxc-default--with-loops file with this change:
--- /etc/apparmor.d/lxc/lxc-default 2012-07-25 15:53:25.551643760 +0200
+++ /etc/apparmor.d/lxc/lxc-default--with-loops 2012-07-25 16:14:36.321513858 +0200
@@ -1,7 +1,7 @@
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
-profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
+profile lxc-container-default--with-loops flags=(attach_disconnected,mediate_deleted) {
network,
capability,
file,
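Review bot: the profile line renames the profile, but nothing shown selects it: a container only runs under lxc-container-default--with-loops if its own config sets `lxc.aa_profile = lxc-container-default--with-loops`, and the /etc/lxc/lxc.conf quoted above carries only the three lxc.network keys. Please state which container config points at the new profile. Since everything below this line is a verbatim copy of the packaged lxc-default, the copy will also silently fall out of sync when the package updates that profile; regenerating it from the packaged file is safer than maintaining it by hand.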
@@ -52,4 +52,7 @@
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
+
+ # custom
+ mount fstype=iso9660 -> /data/www/**,
}
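Review bot: `mount fstype=iso9660 -> /data/www/**,` constrains only the filesystem type and the mount point, not the source: any block device or image the container can open may be mounted, read-write, anywhere under /data/www. Every other target in this profile is written as a directory with a trailing slash (`-> /proc/`, `-> /sys/`), and this one should follow that convention. A tighter rule that says what the "with-loops" name implies would be something like `mount fstype=iso9660 options=(ro) /dev/loop* -> /data/www/**/,`. Note also that the AppArmor rule only mediates the mount(2) call; access to the loop devices themselves is decided by the container's devices cgroup (lxc.cgroup.devices.allow in the container config), which is not shown in this report.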
There are symlinks in the directory /etc/lxc/auto/, like:
lrwxrwxrwx 1 root root 19 Sep 20 17:39 af.conf -> /data/lxc/af/config
The filesystem is ext4.
See also https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1087758; it's the same machine.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1087765
Title:
Not all containers get started at bootime
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1087765/+subscriptions
More information about the Ubuntu-server-bugs mailing list
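An added example, not part of the bug report and not LXC's own code: a small POSIX shell check for an autostart directory of the kind the report shows (/etc/lxc/auto/NAME.conf symlinks to container configs, with LXC_AUTO="true"). Two things that quietly keep a container from starting at boot are a symlink whose target config has moved away and a config whose lxc.aa_profile names an AppArmor profile that was never loaded (a hand-made lxc-default--with-loops, for instance). The script assumes lxc.aa_profile is the key that selects a container's profile, that /sys/kernel/security/apparmor/profiles lists loaded profiles one per line as "NAME (mode)", and that the default profile is lxc-container-default; make_demo_tree builds constructed data in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report): sanity-check an LXC autostart
# directory. AUTO_DIR and PROFILES_FILE are parameters so the check can run
# on constructed data; on a live host pass /etc/lxc/auto and
# /sys/kernel/security/apparmor/profiles.

# check_lxc_auto AUTO_DIR PROFILES_FILE
# Prints one line per problem and returns the number of problems found.
check_lxc_auto() {
  auto_dir=$1
  profiles_file=$2
  problems=0
  for link in "$auto_dir"/*.conf; do
    # skip the literal pattern when the directory is empty
    [ -e "$link" ] || [ -L "$link" ] || continue
    name=$(basename "$link" .conf)
    # -f follows symlinks, so a dangling link fails this test
    if [ ! -f "$link" ]; then
      echo "$name: $link does not resolve to a config file"
      problems=$((problems + 1))
      continue
    fi
    # last "lxc.aa_profile = NAME" wins; absent means the packaged default
    # (assumption: lxc.aa_profile is the key LXC reads for this)
    profile=$(awk -F= '/^[[:space:]]*lxc\.aa_profile[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); p = $2 } END { print p }' "$link")
    [ -n "$profile" ] || profile=lxc-container-default
    # the apparmorfs listing has one "NAME (mode)" line per loaded profile
    if [ "$profile" != unconfined ] && ! grep -q -- "^$profile (" "$profiles_file"; then
      echo "$name: AppArmor profile '$profile' is not loaded"
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# make_demo_tree: build a constructed autostart tree in a temp directory and
# print its path. It mimics the layout in the report: configs live under
# DATA/lxc/NAME/config and AUTO/NAME.conf symlinks point at them.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/auto" "$root/lxc/af" "$root/lxc/www"
  printf 'lxc.network.type = veth\n' > "$root/lxc/af/config"
  printf 'lxc.network.type = veth\nlxc.aa_profile = lxc-container-default--with-loops\n' > "$root/lxc/www/config"
  ln -s "$root/lxc/af/config"  "$root/auto/af.conf"
  ln -s "$root/lxc/www/config" "$root/auto/www.conf"
  ln -s "$root/lxc/old/config" "$root/auto/old.conf"   # target was moved away
  # constructed profile listing: only the packaged profile is loaded
  printf 'lxc-container-default (enforce)\n' > "$root/profiles"
  echo "$root"
}

# Stand-alone run: "old" (dangling link) and "www" (profile not loaded) are
# reported, "af" passes.
demo=$(make_demo_tree)
check_lxc_auto "$demo/auto" "$demo/profiles" || echo "found $? problem(s)"
rm -rf "$demo"
```

On a real host the interesting follow-up to a "profile is not loaded" line is whether /etc/apparmor.d/lxc-containers was reloaded after the extra profile file was dropped into /etc/apparmor.d/lxc; a dangling-link line means the container directory was moved or removed without the symlink being updated.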