Re: Configuring LXC containers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 3/10/24 15:40, Patrick O'Callaghan wrote:

On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:

The last two lines are key.  Add these flags: -F -o logfile.  The
default loglevel is ERROR.  If you want more detail include -l LEVEL.

e.g. lxc-start -n containerName -F -o containerName.log -l WARN



This is what I get:

$ lxc-start -n test -F -o test.log -l WARN

<snip/>

$ cat test.log
lxc-start test 20240310223702.913 ERROR    cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
lxc-start test 20240310223702.934 ERROR    cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9



I use this:

    lxc.apparmor.profile=unconfined
which runs the container as root. That setting doesn't stop you from adding profiles.
If I disable that line I get a cgfsng WARN and the container won't start. ( My containers are used for local services so I'm pretty lax about running them as root. They are also heavily firewalled behind a router (also a container which starts the firewall then puts an IP on the WAN and sets the default route. Until the router container comes up my host has no network connectivity at all) ) 

Also, you're remapping IDs.  What happens if you comment those out?
My thought here is to get it running as root first then begin the process of securing it as you see fit. 


I don't have this in my configs but I found this:

    lxc.cgroup.devices.allow=a
--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux