Old 09-24-2017, 04:27 AM   #1
crts
Senior Member
 
Registered: Jan 2010
Posts: 1,685

Starting LXC container in Slackware 14.2


I am trying to start an LXC container in Slackware 14.2. The commands I issue are:

Code:
lxc-create -n slack -f /usr/share/lxc/config/slackware.common.conf -t slackware
lxc-start -n slack -o lxc.log
Configuration file and template are the default ones that came with the installation which I have not modified. This is the error in lxc.log after I try to run lxc-start:

Code:
      lxc-start 20170924104623.469 ERROR    lxc_utils - utils.c:safe_mount:1692 - Device or resource busy - Failed to mount none onto /var/lib/rootfs-lxc//proc
      lxc-start 20170924104623.469 ERROR    lxc_conf - conf.c:mount_entry:1650 - Device or resource busy - failed to mount 'none' on '/var/lib/rootfs-lxc//proc'
      lxc-start 20170924104623.469 ERROR    lxc_conf - conf.c:lxc_setup:3726 - failed to setup the mounts for 'slack'
      lxc-start 20170924104623.469 ERROR    lxc_start - start.c:do_start:833 - failed to setup the container
      lxc-start 20170924104623.469 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
      lxc-start 20170924104623.470 ERROR    lxc_start - start.c:__lxc_start:1353 - failed to spawn 'slack'
      lxc-start 20170924104628.487 ERROR    lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
      lxc-start 20170924104628.490 ERROR    lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
      lxc-start 20170924104628.492 ERROR    lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
I am running those commands as root. What am I missing?

This is the configuration I use:

Code:
$ cat slackware.common.conf 
lxc.include = /usr/share/lxc/config/common.conf
lxc.devttydir =
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.devices.allow = c 10:228 rwm
lxc.cgroup.devices.allow = c 10:232 rwm
lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir
lxc.cap.drop = mknod setfcap setpcap
$ 
$ cat common.conf 
lxc.devttydir = lxc
lxc.pts = 1024
lxc.tty = 4
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
lxc.pivotdir = lxc_putold
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.include = /usr/share/lxc/config/common.conf.d/
 
Old 09-24-2017, 05:17 AM   #2
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 4,752

hi crts,

you don't need to specify the /usr/share/lxc/config/slackware.common.conf file as a configuration file for your container, as this is already included whenever you create a container of type "slackware" (with the "-t slackware" option).
you should first decide which kind of networking you prefer for your container (here you can find a couple of examples of that) and after that create a foo.conf configuration file specific for the container you want to create following your network choices.
after that a
Code:
lxc-create -n slack -f foo.conf -t slackware
should do.
don't forget to edit the network configuration of your container in its own filesystem ($CONTAINER_ROOT/etc/rc.d/rc.inet1.conf, $CONTAINER_ROOT/etc/resolv.conf, etc.) accordingly, before starting it.
 
Old 09-24-2017, 10:45 AM   #3
crts
Thanks for the hint. I assumed that I do not need a network configuration since I just wanted to see if LXC works at all - without the need to connect to any network. Anyway, the container starts now and I can verify with lxc-ls

Code:
# lxc-ls -f
NAME  STATE   AUTOSTART GROUPS IPV4         IPV6 
slack RUNNING 0         -      192.168.2.10 -
However, lxc-console fails:

Code:
# lxc-console -n slack
    lxc-console 20170924173039.697 ERROR    lxc_commands - commands.c:lxc_cmd_console:714 - console -1 invalid,busy or all consoles busy
 
Old 09-24-2017, 01:22 PM   #4
ponce
I just installed a slackware64-14.2 to verify the situation and I noticed a thing (I hadn't noticed it earlier, sorry): when you use lxc-create to assemble the container the release used is current but the template is for 14.2 (maybe it would be good to change this default in the template).

I suggest you stop the container with lxc-stop, remove it (rm -fR /var/lib/lxc/slack) and re-create it with this command (note the additional "release" parameter):
Code:
release=14.2 lxc-create -n slack -f foo.conf -t slackware
for the sake of the example, the foo.conf file I used for the test is very simple
Code:
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:aa:11:bb:22:cc
lxc.network.ipv4 = 192.168.111.2/24
lxc.network.name = eth0
also before starting the container I brought up a bridge for a natted network with the following script (the interface connected to my router is wlan0, set yours accordingly)
Code:
/sbin/brctl addbr br0
/sbin/brctl setfd br0 0
/sbin/ifconfig br0 192.168.111.1 netmask 255.255.255.0 promisc up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
/usr/sbin/iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

Last edited by ponce; 09-24-2017 at 01:25 PM.
 
Old 09-24-2017, 02:07 PM   #5
crts
Quote:
Originally Posted by ponce
I just installed a slackware64-14.2 to verify the situation and I noticed a thing (I hadn't noticed it earlier, sorry): when you use lxc-create to assemble the container the release used is current but the template is for 14.2 (maybe it would be good to change this default in the template).
Even before I saw your last post I got it working. I do not know why it is suddenly working, though. I just destroyed and recreated the container a few times, starting over from scratch. While trying to verify if my firewall settings were to blame I pulled the cable and stopped the firewall. So all local traffic could flow uninhibited. When I created the container lxc-create could not make a connection. However, the packages were already in the cache from my previous attempts. It must have used them. Afterwards it started working and after I chrooted into the rootfs to set a password for root, I was able to login via lxc-console.

I then proceeded to destroy the container yet again and empty all caches. I restored all my firewall settings and repeated all the steps like before (in the link you provided). It still worked without setting any release variable. I do not know why. At least I now know that my firewall settings were not to blame.

Anyway, could you provide some explanation why the network must be configured in order to mount the /proc directory in the LXC container? This is still quite counterintuitive to me.
 
Old 09-25-2017, 03:13 AM   #6
ponce
Quote:
Originally Posted by crts
Even before I saw your last post I got it working. I do not know why it is suddenly working, though. I just destroyed and recreated the container a few times, starting over from scratch. While trying to verify if my firewall settings were to blame I pulled the cable and stopped the firewall. So all local traffic could flow uninhibited. When I created the container lxc-create could not make a connection. However, the packages were already in the cache from my previous attempts. It must have used them. Afterwards it started working and after I chrooted into the rootfs to set a password for root, I was able to login via lxc-console.
when you run lxc-create these are the last lines of output
Code:
Root default password is 'root', please change it!

Copying rootfs to /var/lib/lxc/slack/rootfs...
Quote:
I then proceeded to destroy the container yet again and empty all caches. I restored all my firewall settings and repeated all the steps like before (in the link you provided). It still worked without setting any release variable. I do not know why. At least I now know that my firewall settings were not to blame.
that's good news: the template in current has been changed since 14.2 was released, and it's fine to know that using the old with a current repository still produces a working system.

Quote:
Anyway, could you provide some explanation why the network must be configured in order to mount the /proc directory in the LXC container? This is still quite counterintuitive to me.
I can't answer you on that, actually I thought it shouldn't: I tried just running the script above that sets up the bridge and leaving the network configuration of the slack container blank and I could login with "lxc-console -n slack" fine
Code:
# lxc-console -n slack

Connected to tty 1
                  Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself


Welcome to Linux 4.4.88 (tty1)

slack login: root
Password: 
Linux 4.4.88.
You have mail.
root@slack:~# cat /proc/mounts 
/dev/vda1 / ext4 rw,relatime,data=ordered 0 0
none /dev tmpfs rw,relatime,size=492k,mode=755 0 0
none /proc proc rw,relatime 0 0
none /sys sysfs rw,relatime 0 0
devpts /dev/console devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/tty1 devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/tty2 devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/tty3 devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
devpts /dev/tty4 devpts rw,relatime,gid=5,mode=620,ptmxmode=666 0 0
none /run tmpfs rw,relatime,mode=755 0 0
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
# head -20 /etc/rc.d/rc.inet1.conf | tail -4
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""
# ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.111.2  netmask 255.255.255.0  broadcast 192.168.111.255
        ether 00:aa:11:bb:22:cc  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 688 (688.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 258 (258.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
it looks like if you don't configure it, it still takes the eth0 address from the container configuration file: after generating the container this is what I got in /var/lib/lxc/slack/config
Code:
# Template used to create this container: /usr/share/lxc/templates/lxc-slackware
# Parameters passed to the template:
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:aa:11:bb:22:cc
lxc.network.ipv4 = 192.168.111.2/24
lxc.network.name = eth0
lxc.rootfs = /var/lib/lxc/slack/rootfs
lxc.rootfs.backend = dir

lxc.utsname = slack

lxc.mount = /var/lib/lxc/slack/rootfs/etc/fstab

lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/slack/rootfs

lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

# we don't trust even the root user in the container, better safe than sorry.
# comment out only if you know what you're doing.
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap

# you can try also this alternative to the line above, whatever suits you better.
# lxc.cap.drop=sys_admin

Last edited by ponce; 09-25-2017 at 03:18 AM.
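
The hardening keys in the generated config above (default-deny device cgroup, per-device allow rules, `lxc.cap.drop`, the commented-out nesting include) can be checked mechanically. The following Python is an added example, not part of ponce's post and not LXC project code; `SAMPLE` is a constructed excerpt modelled on that config, and `BASELINE_DROP` is an assumed baseline copied from its `lxc.cap.drop` line.

```python
# Constructed excerpt modelled on the generated config quoted in the post above.
SAMPLE = """\
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 254:0 rwm
lxc.cap.drop = sys_module mknod mac_override mac_admin
lxc.cap.drop = sys_time setfcap setpcap
"""

# Assumed baseline: the capabilities dropped by the generated config in the thread.
BASELINE_DROP = frozenset(
    "sys_module mknod mac_override mac_admin sys_time setfcap setpcap".split())


def parse(text):
    """Yield (key, value) for each active line; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()


def audit(text, baseline=BASELINE_DROP):
    """Return a sorted list of findings for the hardening-related keys."""
    dropped, default_deny, findings = set(), False, set()
    for key, value in parse(text):
        if key == "lxc.cap.drop":
            # Lines accumulate; an empty value clears everything dropped so far.
            dropped = dropped | set(value.lower().split()) if value else set()
        elif key == "lxc.cgroup.devices.deny" and value == "a":
            default_deny = True
        elif key == "lxc.cgroup.devices.allow":
            fields = value.split()
            # 'a', or a '*:*' rule granting read/write, opens every device node.
            if fields and (fields[0] == "a" or (
                    len(fields) == 3 and fields[1] == "*:*"
                    and set(fields[2]) & set("rw"))):
                findings.add("wildcard device access: " + value)
        elif key == "lxc.include" and value.endswith("nesting.conf"):
            findings.add("nesting include is active")
    if not default_deny:
        findings.add("devices cgroup is not default-deny")
    for cap in baseline - dropped:
        findings.add("capability retained: " + cap)
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

Pointing `audit()` at the text of `/var/lib/lxc/<name>/config` only covers that file; anything pulled in through `lxc.include` has to be read and passed in as well.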
 
Old 09-25-2017, 07:52 AM   #7
ponce
BTW, I just tested doing a container without specifying any config file, with a command like
Code:
release=14.2 lxc-create -n slack2 -t slackware
and, after starting it, I was able to connect to it with lxc-console just fine.
 
Old 09-27-2017, 01:23 PM   #8
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 301

Quote:
Originally Posted by ponce
that's good news: the template in current has been changed since 14.2 was released, and it's fine to know that using the old with a current repository still produces a working system.
I asked Pat to add those packages either because they were necessary to get container networking functioning properly in exotic setups (the net-tools suite isn't cgroup-aware, but the iproute2 suite is, so putting the host-side veth adapter in a separate network namespace only works if the container-side veth adapter is managed using iproute2), or because they were necessary to complete the transitive closure of the packages installed by the template (several installed tools were missing dependent libraries, so they couldn't be used). As long as you don't have a fancy networking arrangement or a need for every binary installed in the container, the existing 14.2 template will work fine.
 
Old 10-21-2017, 07:58 AM   #9
crts
Quote:
Originally Posted by ponce
you should first decide which kind of networking you prefer for your container (here you can find a couple of examples of that) and ...
Sorry to reopen the thread again. When I click on the link above I get a Security warning that the issuer of the certificate is unknown. Since the issuer is also ponce I think it is ok to add a security exception. I just want to be sure about it. I also assume that you are the same ponce to whom the aforementioned site belongs.

Here is the SHA-256 checksum of the certificate:
Code:
SHA-256 Fingerprint: 1C:89:55:37:A1:8F:A6:41:23:CD:0E:CD:DD:68:CD:7B:1A:63:B1:72:41:D4:19:DE:B2:83:8B:DB:E1:BB:2F:C7
Please let me know if this looks alright. Thanks.
 
Old 10-21-2017, 08:05 AM   #10
ponce
Quote:
Originally Posted by crts
Sorry to reopen the thread again. When I click on the link above I get a Security warning that the issuer of the certificate is unknown. Since the issuer is also ponce I think it is ok to add a security exception. I just want to be sure about it. I also assume that you are the same ponce to whom the aforementioned site belongs.

Here is the SHA-256 checksum of the certificate:
Code:
SHA-256 Fingerprint: 1C:89:55:37:A1:8F:A6:41:23:CD:0E:CD:DD:68:CD:7B:1A:63:B1:72:41:D4:19:DE:B2:83:8B:DB:E1:BB:2F:C7
Please let me know if this looks alright. Thanks.
yes, it's my site and my certificate, I'm still using a self-signed one: if this is of some concern you can also reach the site in clear via http.
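
The comparison crts asks about in the last two posts can be scripted: a browser's "SHA-256 Fingerprint" is the SHA-256 digest of the certificate's DER encoding, so a self-signed certificate can be checked against a value its owner has confirmed. This Python is an added example, not part of either post; `POSTED` is the fingerprint line from the thread, and `HOST` is a placeholder because the thread does not give the site's address.

```python
import hashlib
import hmac
import re
import ssl

# Fingerprint line exactly as posted in the thread (treated as the pinned value).
POSTED = ("SHA-256 Fingerprint: 1C:89:55:37:A1:8F:A6:41:23:CD:0E:CD:DD:68:CD:7B:"
          "1A:63:B1:72:41:D4:19:DE:B2:83:8B:DB:E1:BB:2F:C7")


def normalize(fingerprint):
    """Reduce 'label: AA:BB:..' or bare hex to 64 lowercase hex digits."""
    parts = fingerprint.split()
    token = parts[-1].replace(":", "").lower() if parts else ""
    if not re.fullmatch(r"[0-9a-f]{64}", token):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return token


def der_fingerprint(der):
    """SHA-256 over the DER bytes, which is what the browser dialog displays."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem):
    """Same digest, starting from a PEM-armoured certificate."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def matches(der, pinned):
    """Constant-time comparison of a presented certificate against the pin."""
    return hmac.compare_digest(der_fingerprint(der), normalize(pinned))


def fetch_der(host, port=443):
    """Fetch the server certificate without chain validation (self-signed case)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    # HOST is a placeholder; the thread does not give the site's address.
    HOST = "site.example"
    print("match" if matches(fetch_der(HOST), POSTED) else "MISMATCH")
```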
 