similar to: How to deal with LXC cgroup access control with apparmor ?

thx, Gao feng, If I do not want to disable the cgroup in container , is there any config file ? or do i have to do something to the libvirt source code to skip it ? ------------------ 原始邮件 ------------------ 发件人: "Gao feng"<gaofeng@cn.fujitsu.com>; 发送时间: 2013年8月26日(星期一) 下午4:06 收件人: "止语"<zhongjj@foxmail.com>; 抄送:

On 08/26/2013 03:42 PM, 止语 wrote: > I am playing with libvirt 1.1.1 (lxc) > when I was starting a LXC container, the process location of cgroup is pretty , just the root directory > from the process. But I could tune the cgroup in a container as an user that logged, This is not accepted... > > I wonder how to restrict it with apparmor ,so one can not modify files in the cgroup

OOPS: "If I do not want to disable the cgroup in container" ==> "If I do want to disable the cgroup in container" I meant if the user namespace not enabled in kernel ... thx ,I will try user namespace later. I am not working on x86 and not suer wheather the usernamespace is ok in the kernel I am going to use. I would try to disable the cgroup in lxc first.

hi, I am currently investigating a bug with libvirt lxc. Whenever I do a systemctl daemon-reload on the host, my container loses his memory limit and then reports having access to 8 exabyte of memory. I have tracked the issue down to two parts: memory.limit_in_bytes jumps from the correct value to 9223372036854771712. libvirt lxc appears to set the memory limit in transient way without writing

Hi all I have CentOS Linux release 7.0.1406, libvirt 1.2.7 installed. Just after create and start inside LXC container present cgroups. Example for memory: [root@ce7-t1 /]# ls -la /sys/fs/cgroup/memory/ total 0 drwxr-xr-x 2 root root 0 Sep 15 17:14 . drwxr-xr-x 12 root root 280 Sep 15 17:14 .. -rw-r--r-- 1 root root 0 Sep 15 17:14 cgroup.clone_children --w--w--w- 1 root root 0 Sep 15

Hi folks I use libvirt to programmatically spawn lxc containers I am facing an issue when migrating from fedora23 to fedora24 I use the stock kernel and libvirt version on both deployments, i.e.: f23: libvirt-1.2.18.3-2.fc23.x86_64 - kernel 4.5.7-202.fc23.x86_64 f24: libvirt-1.3.3.1-4.fc24.x86_64 - kernel 4.6.3-300.fc24.x86_64 First off, I need to outline that the host installation is done

On Mon, Mar 03, 2014 at 03:52:01PM +0100, Dariusz Michaluk wrote: > Hi. > > Another week, another experiment ;) I was trying to run systemd user > session for non-root user, for example darek (uid=1000), operation > failed with error: > > systemd[26]: pam_unix(systemd-user:session): session opened for user > darek by (uid=0) > systemd[1]: Started Login Service. >

On 08/26/2013 04:36 PM, jj wrote: > thx, Gao feng, > If I do not want to disable the cgroup in container , is there any config file ? or do i have to do something to the libvirt source code > to skip it ? > > Sorry, I don't quite understand what's your request. enable user namespace doesn't disable cgroup in container, it will make user in container has no rights to

Hi Gao feng, I noticed one of your patch which adds cpuset cgroup support for lxc have been merged in libvirt 1.0.4. But I can't find any virsh command to set cpusettune for lxc container. Is there anyone? And how can I configure cpusettune for lxc container lively? Thanks ------------------ Best regards! GuanQiang

Hello all, I have two issues: 1) I am unable to start a seemingly correct LXC domain (I cloned it from a working domain). 2) I am able to crash "libvirtd" by attempting to start the cloned domain, but starting the original works just fine. I humbly submit that item #2 is a bug - the "libvirtd" daemon should never crash due to anything the "libvirt" client

Hi Guys, I started a lxc container with libvit in ubuntu Operating system, and succeed using lxc-enter-namespace to enter the namespaces and security context of the container. But when I do the same thing in debian OS, It reported an error, with details as following: root@debian:/etc# vir list Id Name State ---------------------------------------------------- 4424

Hi! I with my colleagues from Samsung trying to run systemd in Linux container. I saw that the others are experimenting in this topic, so I would like to present the results of my work and tests, perhaps it will be helpful to others. As the prototype I used a manual written by Daniel: https://www.berrange.com/posts/2013/08/12/running-a-full-fedora-os-inside-a-libvirt-lxc-guest/ After many

Hi folks! i created a server with this XML file: <domain type='lxc'> <name>lxctest1</name> <uuid>227bd347-dd1d-4bfd-81e1-01052e91ffe2</uuid> <metadata> <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0"> <libosinfo:os id="http://centos.org/centos/6.9"/>

We would like to mount /dev and /dev/pts correctly using the libvirt xml config file instead of doing a bind mount in a container init script we use. Currently the container config is: <domain type='lxc'> <name>CentOS_57</name> <uuid>ff5d3c04-49e6-a3cc-0a14-ff13625eca3c</uuid> <memory>262144</memory>

Hi, I'm running OpenStack to manage LXC instance through libvirt. The same setting runs perfectly well on Ubuntu 12.04, while on CentOS 6u3, libvirt dumped following message when starting lxc instance. virsh -c lxc:/// start instance-00000032 error: internal error The 'cpuacct', 'devices' & 'memory' cgroups controllers must be mounted Really appreciated if

Further followups! We are correlating DEBUG-level output from libvirt with the libvirt 1.2.2 code to try to figure out what libvirt is doing under the hood. Even though we have the log level set to 1 (info) in our libvirtd.conf, we are not seeing the VIR_DEBUG() [1] statements being printed out. There are tons of other presumably-debug lines of output showing up in our log. We are sort of

hello, i am new to lxc, i have created a lxc container on fedora 19 i created a container rootfs of fedora 19 by using yum --installroot=/containers/test1 --releasever=19 install openssh test1.xml file for container test1 <domain type="lxc"> <name>test1</name> <vcpu placement="static">1</vcpu> <cputune>

Me again! Think we've found it. By diving into the LXC logs for the specific container, we found this: 2014-04-17 21:07:06.066+0000: 2861: debug : virCgroupSetValueStr:678 : Set value '/sys/fs/cgroup/devices/machine/oshi32134.libvirt-lxc/devices.allow' to 'c 189:130 rw' Looks like libvirt the permission to 'rw', not 'rmw' [1], so no surprise that when it

HI all >After unpredictable time passed (1-5 day ?), cgroups inside LXC >magicaly removed. virsh dumpxml config look like this: <domain type='lxc' id='3566'> <name>puppet</name> <uuid>6d49b280-5686-4e3c-b048-1b5d362fb137</uuid> <memory unit='KiB'>8388608</memory> <currentMemory

Hi, I'm trying to manage LXC instances through OpenStack, which use libvirt as a virtualization driver layer. After launching LXC instance, I simply could not attach to the console. virsh # list Id Name State ---------------------------------- 14366 instance-00000078 running virsh # console 14366 Connected to domain instance-00000078 Escape character is ^] And it keeps