09-24-2017, 04:27 AM
|
#1
|
Senior Member
Registered: Jan 2010
Posts: 2,020
|
Starting LXC container in Slackware 14.2
I am trying to start an LXC container in Slackware 14.2. The commands I issue are:
Code:
lxc-create -n slack -f /usr/share/lxc/config/slackware.common.conf -t slackware
lxc-start -n slack -o lxc.log
Configuration file and template are the default ones that came with the installation which I have not modified. This is the error in lxc.log after I try to run lxc-start:
Code:
lxc-start 20170924104623.469 ERROR lxc_utils - utils.c:safe_mount:1692 - Device or resource busy - Failed to mount none onto /var/lib/rootfs-lxc//proc
lxc-start 20170924104623.469 ERROR lxc_conf - conf.c:mount_entry:1650 - Device or resource busy - failed to mount 'none' on '/var/lib/rootfs-lxc//proc'
lxc-start 20170924104623.469 ERROR lxc_conf - conf.c:lxc_setup:3726 - failed to setup the mounts for 'slack'
lxc-start 20170924104623.469 ERROR lxc_start - start.c:do_start:833 - failed to setup the container
lxc-start 20170924104623.469 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20170924104623.470 ERROR lxc_start - start.c:__lxc_start:1353 - failed to spawn 'slack'
lxc-start 20170924104628.487 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start 20170924104628.490 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 20170924104628.492 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
I am running those commands as root. What am I missing?
This is the configuration I use:
Code:
$ cat slackware.common.conf
lxc.include = /usr/share/lxc/config/common.conf
lxc.devttydir =
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.devices.allow = c 10:228 rwm
lxc.cgroup.devices.allow = c 10:232 rwm
lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir
lxc.cap.drop = mknod setfcap setpcap
$
$ cat common.conf
lxc.devttydir = lxc
lxc.pts = 1024
lxc.tty = 4
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
lxc.pivotdir = lxc_putold
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.include = /usr/share/lxc/config/common.conf.d/
|
|
|
09-24-2017, 05:17 AM
|
#2
|
LQ Guru
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,254
|
hi crts,
you don't need to specify the /usr/share/lxc/config/slackware.common.conf file as a configuration file for your container, as this is already included whenever you create a container of type "slackware" (with the "-t slackware" option).
you should first decide which kind of networking you prefer for your container (here you can find a couple of examples of that) and after that create a foo.conf configuration file specific for the container you want to create following your network choices.
after that a
Code:
lxc-create -n slack -f foo.conf -t slackware
should do.
don't forget to edit the network configuration of your container in its own filesystem ($CONTAINER_ROOT/etc/rc.d/rc.inet1.conf, $CONTAINER_ROOT/etc/resolv.conf, etc.) accordingly, before starting it.
|
|
1 members found this post helpful.
|
09-24-2017, 10:45 AM
|
#3
|
Senior Member
Registered: Jan 2010
Posts: 2,020
Original Poster
|
Thanks for the hint. I assumed that I do not need a network configuration since I just wanted to see if LXC works at all - without the need to connect to any network. Anyway, the container starts now and I can verify with lxc-ls
Code:
# lxc-ls -f
NAME STATE AUTOSTART GROUPS IPV4 IPV6
slack RUNNING 0 - 192.168.2.10 -
However, lxc-console fails:
Code:
# lxc-console -n slack
lxc-console 20170924173039.697 ERROR lxc_commands - commands.c:lxc_cmd_console:714 - console -1 invalid,busy or all consoles busy
|
|
|
09-24-2017, 01:22 PM
|
#4
|
LQ Guru
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,254
|
I just installed a slackware64-14.2 to verify the situation and I noticed a thing (I hadn't noticed it earlier, sorry): when you use lxc-create to assemble the container the release used is current but the template is for 14.2 (maybe it would be good to change this default in the template).
I suggest you stop the container with lxc-stop, remove it (rm -fR /var/lib/lxc/slack) and re-create it with this command (note the additional "release" parameter):
Code:
release=14.2 lxc-create -n slack -f foo.conf -t slackware
for the sake of the example, the foo.conf file I used for the test is very simple
Code:
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:aa:11:bb:22:cc
lxc.network.ipv4 = 192.168.111.2/24
lxc.network.name = eth0
also before starting the container I brought up a bridge for a NATed network with the following script (the interface connected to my router is wlan0, set yours accordingly)
Code:
/sbin/brctl addbr br0
/sbin/brctl setfd br0 0
/sbin/ifconfig br0 192.168.111.1 netmask 255.255.255.0 promisc up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
/usr/sbin/iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
Last edited by ponce; 09-24-2017 at 01:25 PM.
|
|
|
09-24-2017, 02:07 PM
|
#5
|
Senior Member
Registered: Jan 2010
Posts: 2,020
Original Poster
|
Quote:
Originally Posted by ponce
I just installed a slackware64-14.2 to verify the situation and I noticed a thing (I hadn't noticed it earlier, sorry): when you use lxc-create to assemble the container the release used is current but the template is for 14.2 (maybe it would be good to change this default in the template).
|
Even before I saw your last post I got it working. I do not know why it is suddenly working, though. I just destroyed and recreated the container a few times, starting over from scratch. While trying to verify if my firewall settings were to blame I pulled the cable and stopped the firewall. So all local traffic could flow uninhibited. When I created the container lxc-create could not make a connection. However, the packages were already in the cache from my previous attempts. It must have used them. Afterwards it started working and after I chrooted into the rootfs to set a password for root, I was able to login via lxc-console.
I then proceeded to destroy the container yet again and empty all caches. I restored all my firewall settings and repeated all the steps like before (in the link you provided). It still worked without setting any release variable. I do not know why. At least I now know that my firewall settings were not to blame.
Anyway, could you provide some explanation why the network must be configured in order to mount the /proc directory in the LXC container? This is still quite counterintuitive to me.
|
|
|
09-25-2017, 03:13 AM
|
#6
|
LQ Guru
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,254
|
Quote:
Originally Posted by crts
Even before I saw your last post I got it working. I do not know why it is suddenly working, though. I just destroyed and recreated the container a few times, starting over from scratch. While trying to verify if my firewall settings were to blame I pulled the cable and stopped the firewall. So all local traffic could flow uninhibited. When I created the container lxc-create could not make a connection. However, the packages were already in the cache from my previous attempts. It must have used them. Afterwards it started working and after I chrooted into the rootfs to set a password for root, I was able to login via lxc-console.
|
when you run lxc-create these are the last lines of output
Code:
Root default password is 'root', please change it!
Copying rootfs to /var/lib/lxc/slack/rootfs...
Quote:
I then proceeded to destroy the container yet again and empty all caches. I restored all my firewall settings and repeated all the steps like before (in the link you provided). It still worked without setting any release variable. I do not know why. At least I now know that my firewall settings were not to blame.
|
that's good news: the template in current has been changed since 14.2 was released, and it's fine to know that using the old with a current repository still produces a working system.
Quote:
Anyway, could you provide some explanation why the network must be configured in order to mount the /proc directory in the LXC container? This is still quite counterintuitive to me.
|
I can't answer you on that, actually I thought it shouldn't: I tried just running the script above that sets up the bridge and leaving the network configuration of the slack container blank and I could login with "lxc-console -n slack" fine
Code:
# lxc-console -n slack
Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
Welcome to Linux 4.4.88 (tty1)
slack login: root
Password:
Linux 4.4.88.
You have mail.
root@slack:~# cat /proc/mounts
/dev/vda1 / ext4 rw,relatime,data=ordered 0 0
none /dev tmpfs rw,relatime,size=492k,mode=755 0 0
none /proc proc rw,relatime 0 0
none /sys sysfs rw,relatime 0 0
devpts /dev/console devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/tty1 devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/tty2 devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/tty3 devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/tty4 devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
none /run tmpfs rw,relatime,mode=755 0 0
# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
# head -20 /etc/rc.d/rc.inet1.conf | tail -4
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""
# ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST> mtu 1500
inet 192.168.111.2 netmask 255.255.255.0 broadcast 192.168.111.255
ether 00:aa:11:bb:22:cc txqueuelen 1000 (Ethernet)
RX packets 8 bytes 688 (688.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 258 (258.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
it looks like if you don't configure it, it still takes the eth0 address from the container configuration file: after generating the container this is what I got in /var/lib/lxc/slack/config
Code:
# Template used to create this container: /usr/share/lxc/templates/lxc-slackware
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:aa:11:bb:22:cc
lxc.network.ipv4 = 192.168.111.2/24
lxc.network.name = eth0
lxc.rootfs = /var/lib/lxc/slack/rootfs
lxc.rootfs.backend = dir
lxc.utsname = slack
lxc.mount = /var/lib/lxc/slack/rootfs/etc/fstab
lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/slack/rootfs
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# we don't trust even the root user in the container, better safe than sorry.
# comment out only if you know what you're doing.
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap
# you can try also this alternative to the line above, whatever suits you better.
# lxc.cap.drop=sys_admin
Last edited by ponce; 09-25-2017 at 03:18 AM.
|
|
1 members found this post helpful.
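The generated config quoted in the post above restricts the container with a device allowlist and a list of dropped capabilities. The following is an added example, not part of the original posts and not LXC's own code: it parses those two kinds of lines and answers whether a given device access would be permitted. It assumes a simplified cgroup-v1 devices model in which a new cgroup starts out unrestricted; the function names are made up for the example.

```python
import re

# Excerpt of the generated /var/lib/lxc/slack/config quoted above (comments trimmed).
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 254:0 rwm
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap
"""

RULE = re.compile(r"^(a)$|^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

def parse(text):
    """Return (ordered device rules, set of dropped capabilities)."""
    rules, caps = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("lxc.cgroup.devices."):
            m = RULE.match(value)
            if not m:
                raise ValueError(f"unparsable device rule: {raw!r}")
            # A bare "a" means every type, major, minor and access mode.
            entry = ("a", "*", "*", "rwm") if m.group(1) else m.groups()[1:]
            rules.append((key.rsplit(".", 1)[1], *entry))
        elif key == "lxc.cap.drop":
            # Per lxc.container.conf(5), an empty value clears earlier drops.
            caps = caps | set(value.split()) if value else set()
    return rules, caps

def allowed(rules, dev_type, major, minor, access):
    """Simplified model: "deny a" empties the allowlist, each allow appends
    to it; narrower deny rules are not modelled here."""
    # Assumption: the cgroup starts unrestricted, as inherited from the host.
    allowlist = [("a", "*", "*", "rwm")]
    for action, rtype, rmaj, rmin, racc in rules:
        if action == "deny" and rtype == "a":
            allowlist = []
        elif action == "allow":
            allowlist.append((rtype, rmaj, rmin, racc))
    return any(
        rtype in ("a", dev_type)
        and rmaj in ("*", str(major))
        and rmin in ("*", str(minor))
        and set(access) <= set(racc)
        for rtype, rmaj, rmin, racc in allowlist
    )
```

Removing the `lxc.cgroup.devices.deny = a` line from the sample makes every device reachable in this model, which is why the allowlist only means something when that line comes first.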
|
09-25-2017, 07:52 AM
|
#7
|
LQ Guru
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,254
|
BTW, I just tested doing a container without specifying any config file, with a command like
Code:
release=14.2 lxc-create -n slack2 -t slackware
and, after starting it, I was able to connect to it with lxc-console just fine.
|
|
|
09-27-2017, 01:23 PM
|
#8
|
Member
Registered: Apr 2004
Distribution: Slackware
Posts: 308
|
Quote:
Originally Posted by ponce
that's good news: the template in current has been changed since 14.2 was released, and it's fine to know that using the old with a current repository still produces a working system.
|
I asked Pat to add those packages either because they were necessary to get container networking functioning properly in exotic setups (the net-tools suite isn't cgroup-aware, but the iproute2 suite is, so putting the host-side veth adapter in a separate network namespace only works if the container-side veth adapter is managed using iproute2), or because they were necessary to complete the transitive closure of the packages installed by the template (several installed tools were missing dependent libraries, so they couldn't be used). As long as you don't have a fancy networking arrangement or a need for every binary installed in the container, the existing 14.2 template will work fine.
|
|
1 members found this post helpful.
|
10-21-2017, 07:58 AM
|
#9
|
Senior Member
Registered: Jan 2010
Posts: 2,020
Original Poster
|
Quote:
Originally Posted by ponce
you should first decide which kind of networking you prefer for your container (here you can find a couple of examples of that) and ...
|
Sorry to reopen the thread again. When I click on the link above I get a Security warning that the issuer of the certificate is unknown. Since the issuer is also ponce I think it is ok to add a security exception. I just want to be sure about it. I also assume that you are the same ponce to whom the aforementioned site belongs.
Here is the SHA-256 checksum of the certificate:
Code:
SHA-256 Fingerprint: 1C:89:55:37:A1:8F:A6:41:23:CD:0E:CD:DD:68:CD:7B:1A:63:B1:72:41:D4:19:DE:B2:83:8B:DB:E1:BB:2F:C7
Please let me know if this looks alright. Thanks.
|
|
|
10-21-2017, 08:05 AM
|
#10
|
LQ Guru
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,254
|
Quote:
Originally Posted by crts
Sorry to reopen the thread again. When I click on the link above I get a Security warning that the issuer of the certificate is unknown. Since the issuer is also ponce I think it is ok to add a security exception. I just want to be sure about it. I also assume that you are the same ponce to whom the aforementioned site belongs.
Here is the SHA-256 checksum of the certificate:
Code:
SHA-256 Fingerprint: 1C:89:55:37:A1:8F:A6:41:23:CD:0E:CD:DD:68:CD:7B:1A:63:B1:72:41:D4:19:DE:B2:83:8B:DB:E1:BB:2F:C7
Please let me know if this looks alright. Thanks.
|
yes, it's my site and my certificate, I'm still using a self-signed one: if this is of some concern you can also reach the site in clear via http.
|
|
1 members found this post helpful.
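The exchange above is a manual fingerprint check of a self-signed certificate. The following is an added example, not part of the original posts: it extracts the fingerprint from text in the format quoted in the thread and compares it with the SHA-256 of a certificate's DER bytes. The function names and the stand-in byte string are constructed for the example, and the site's host name is not given on this page, so `fetch_der` takes it as a parameter.

```python
import hashlib
import hmac
import re
import ssl

# Fingerprint exactly as quoted in the posts above.
POSTED = ("SHA-256 Fingerprint: 1C:89:55:37:A1:8F:A6:41:23:CD:0E:CD:DD:68:CD:7B:"
          "1A:63:B1:72:41:D4:19:DE:B2:83:8B:DB:E1:BB:2F:C7")

# Constructed stand-in for DER bytes (not a real certificate), for offline runs.
SAMPLE_DER = b"constructed stand-in for DER bytes, not a real certificate"

# Exactly 32 colon-separated hex pairs, not part of a longer hex run.
FP_RE = re.compile(
    r"(?<![0-9A-Fa-f:])[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){31}(?![0-9A-Fa-f:])")

def normalise(text):
    """Extract a SHA-256 fingerprint from free text as 64 lowercase hex digits."""
    m = FP_RE.search(text)
    if not m:
        raise ValueError("no colon-separated SHA-256 fingerprint found")
    return m.group(0).replace(":", "").lower()

def fingerprint(der):
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der).hexdigest()

def display(der):
    """Fingerprint in the upper-case, colon-separated form used in the thread."""
    hexd = fingerprint(der).upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def matches(der, posted_text):
    """Constant-time comparison of a certificate against a posted fingerprint."""
    return hmac.compare_digest(fingerprint(der), normalise(posted_text))

def fetch_der(host, port=443):
    """Fetch the server's certificate without chain validation, as a
    self-signed certificate requires; the fingerprint comparison is the check."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
```

The comparison is only as trustworthy as the channel the reference fingerprint came through, so `matches(fetch_der(host), POSTED)` is meaningful when the posted value has been confirmed by the certificate's owner.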
|
All times are GMT -5.