Natanael Copa | 27 Nov 15:21 2014

[PATCH] lxc-alpine: create a default tty for console

Create a tty so we get login prompt on console by default

Signed-off-by: Natanael Copa <ncopa <at>>
 templates/ | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/ b/templates/
index 47df559..ba27aea 100644
--- a/templates/
+++ b/templates/
 <at>  <at>  -121,6 +121,7  <at>  <at>  configure_alpine() {
     cat >"$rootfs"/etc/inittab<<EOF
 ::sysinit:/sbin/rc sysinit
 ::wait:/sbin/rc default
+console:12345:respawn:/sbin/getty 38400 console
 tty1:12345:respawn:/sbin/getty 38400 tty1
 tty2:12345:respawn:/sbin/getty 38400 tty2
 tty3:12345:respawn:/sbin/getty 38400 tty3
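Review bot: the new console entry assumes the container's /dev/console is a usable tty; if it is absent or not a terminal (for instance when the container is started without a console device), busybox init will keep restarting a getty that exits immediately. A sentence in the commit message saying the template relies on LXC's default console setup, or a note in the template, would make that assumption explicit.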


lxc-devel mailing list
lxc-devel <at>
Natanael Copa | 27 Nov 15:20 2014

[PATCH] lxc-alpine: make sure /dev/shm is world writeable

Signed-off-by: Natanael Copa <ncopa <at>>
 templates/ | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/ b/templates/
index 7a22d5e..47df559 100644
--- a/templates/
+++ b/templates/
 <at>  <at>  -246,7 +246,7  <at>  <at>  lxc.cgroup.devices.allow = c 254:0 rm
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry=run run tmpfs nodev,noexec,nosuid,relatime,size=1m,mode=0755 0 0
 lxc.mount.entry=none dev/pts devpts gid=5,mode=620 0 0
-lxc.mount.entry=shm dev/shm tmpfs nodev,nosuid,noexec 0 0
+lxc.mount.entry=shm dev/shm tmpfs nodev,nosuid,noexec,mode=1777 0 0
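Review bot: mode=1777 gives /dev/shm the sticky bit it needs so one user cannot unlink another's segments, and nodev,nosuid,noexec are kept; the one thing missing compared with the run entry above is a size= cap. A tmpfs without one can grow to half of the host's RAM, so consider adding a size= limit (the run entry uses size=1m; /dev/shm will usually want more) so a container cannot exhaust host memory through shared memory.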




GitHub | 26 Nov 22:40 2014

[lxc/lxc] a6ee12: Fix nbd partition id test

  Branch: refs/heads/master
  Commit: a6ee12772a39f8a731e5eef9035d286a6e516a47
  Author: Stéphane Graber <stgraber@...>
  Date:   2014-11-26 (Wed, 26 Nov 2014)

  Changed paths:
    M src/lxc/bdev.c

  Log Message:
  Fix nbd partition id test

Reported-by: David Binderman
Signed-off-by: Stéphane Graber <stgraber@...>

Stéphane Graber | 26 Nov 22:35 2014

Questions about lxc.autodev


So I'm looking into how to rework lxc.autodev to apply properly to all
the cases we care about:
 - Privileged containers started by root
 - Unprivileged containers started by privileged root
 - Unprivileged containers started by unprivileged root
 - Unprivileged containers started by unprivileged user

My understanding is that autodev currently creates /dev/.lxc and then
uses one directory per container+lxc-path-hash under there, creates the
device nodes and uses that as the container's /dev.

My question is: why the /dev/.lxc directory to begin with? Wouldn't it
make more sense to use LXC_PATH/<container>/dev, mount a tiny
tmpfs on that and then use it? This would have the advantage of having
the same path for privileged and unprivileged containers and avoid the
ugly lxcpath hash.

I believe the following setup would make a bit more sense and offer a
consistent behaviour:
 - If not available or not a tmpfs, create LXC_PATH/<container>/dev and
   mount a tiny tmpfs on it. Chown the path to the container's root uid/gid
   and chmod to something sane.
 - For all the nodes we care about, attempt to mknod them in there; on
   failure, fall back to touch+bind-mount from real /dev.

This would allow for the exact same code to be used for all 4 cases, for
the layout and location of the autodev tree to be entirely guessable
without requiring fancy hashing (making it easier for external tools to

Stéphane Graber | 26 Nov 21:34 2014

[PATCH] Define a new lxc.init_cmd config option

Signed-off-by: Stéphane Graber <stgraber <at>>
 doc/ | 23 +++++++++++++++++++++++
 src/lxc/conf.c                 |  2 ++
 src/lxc/conf.h                 |  3 +++
 src/lxc/confile.c              | 10 ++++++++++
 src/lxc/lxc_autostart.c        |  6 +-----
 src/lxc/lxc_start.c            |  5 ++++-
 src/lxc/lxccontainer.c         | 12 ++++++++++--
 7 files changed, 53 insertions(+), 8 deletions(-)

diff --git a/doc/ b/doc/
index 35907b5..6d4daac 100644
--- a/doc/
+++ b/doc/
 <at>  <at>  -202,6 +202,29  <at>  <at>  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

+      <title>Init command</title>
+      <para>
+        Sets the command to use as the init system for the containers.
+        This option is ignored when using lxc-execute.
+        Defaults to: /sbin/init
+      </para>
+      <variablelist>
+    <varlistentry>
+      <term>
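Review bot: the new paragraph gives the default and the lxc-execute exception but not how the value is interpreted: whether the path is resolved inside the container's rootfs or on the host, whether arguments are accepted, and that the command replaces the container's PID 1. One sentence on each would stop users from pointing it at a host path or writing shell syntax into the option.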

Stéphane Graber | 26 Nov 21:34 2014

[PATCH] Add missing files to ignore list

Signed-off-by: Stéphane Graber <stgraber <at>>
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index ddc4e18..aa3a537 100644
--- a/.gitignore
+++ b/.gitignore
 <at>  <at>  -55,6 +55,7  <at>  <at>  src/lxc/lxc-console
 <at>  <at>  -68,6 +69,7  <at>  <at>  src/lxc/lxc-snapshot



Nishant Agrawal | 26 Nov 21:28 2014

blkio.weight not working

Hi Guys,

I am trying to assign a weighted limit to multiple containers on blkio, but
I don't see the effect after applying it.

Throttling seems to be working but the weighted share does not; any help is
I have checked that the host kernel is using CFQ scheduling. I am using kernel (ubuntu distro)


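A check for the situation in the question above, added here as an illustration and not code from the thread: it extracts the active scheduler the way /sys/block/<dev>/queue/scheduler reports it, validates cgroup v1 blkio.weight values, computes the share each sibling cgroup should get, and lists the usual reasons a weight shows no effect. The caveat that buffered writes are not charged to the issuing cgroup under the v1 blkio controller (they are submitted by kernel writeback threads) is a property of that controller, not something the thread states; the function names, the sysfs/cgroupfs paths in diagnose_live and the sample weights are constructed for this example.

```python
import os
import re

# Range accepted by cgroup v1 blkio.weight (Documentation/cgroups/blkio-controller.txt).
WEIGHT_MIN, WEIGHT_MAX = 10, 1000


def active_scheduler(scheduler_line):
    """Return the bracketed entry of a /sys/block/<dev>/queue/scheduler line,
    e.g. 'cfq' for 'noop deadline [cfq]'; None if nothing is bracketed."""
    match = re.search(r"\[(\w[\w-]*)\]", scheduler_line)
    return match.group(1) if match else None


def weight_is_valid(weight):
    return WEIGHT_MIN <= weight <= WEIGHT_MAX


def expected_shares(weights):
    """Fraction of disk time each sibling cgroup should receive when all of
    them keep the device busy. Weights are proportional, not absolute."""
    total = sum(weights.values())
    return {name: weight / total for name, weight in weights.items()}


def diagnose(scheduler_line, weights, io_mode):
    """List the reasons a blkio.weight setup would show no visible effect.

    weights: {cgroup name: blkio.weight} for the competing containers
    io_mode: 'direct' or 'buffered', describing the test workload
    """
    problems = []
    scheduler = active_scheduler(scheduler_line)
    if scheduler != "cfq":
        problems.append("active scheduler is %r; proportional weights need cfq" % scheduler)
    for name, weight in weights.items():
        if not weight_is_valid(weight):
            problems.append("%s: weight %d outside %d..%d"
                            % (name, weight, WEIGHT_MIN, WEIGHT_MAX))
    if len(weights) < 2:
        problems.append("weights are relative: a single cgroup never competes with anyone")
    if io_mode == "buffered":
        problems.append("buffered writes are submitted by kernel writeback threads and are "
                        "not charged to the container's cgroup; test with direct or sync I/O")
    return problems


def diagnose_live(block_device, cgroup_dirs, io_mode="direct"):
    """Host-side variant reading sysfs and cgroupfs. The paths are the usual
    cgroup v1 locations (an assumption; adjust for your distribution)."""
    with open("/sys/block/%s/queue/scheduler" % block_device) as f:
        scheduler_line = f.read()
    weights = {}
    for cgroup_dir in cgroup_dirs:
        path = os.path.join("/sys/fs/cgroup/blkio", cgroup_dir, "blkio.weight")
        with open(path) as f:
            weights[cgroup_dir] = int(f.read())
    return diagnose(scheduler_line, weights, io_mode)


if __name__ == "__main__":
    # Constructed input: two LXC containers competing on one cfq-scheduled disk.
    sample = {"lxc/web": 500, "lxc/db": 1000}
    print(expected_shares(sample))
    print(diagnose("noop deadline [cfq]", sample, "buffered"))
```

The weights only matter between siblings in the same blkio hierarchy (LXC places containers under one parent cgroup, so they do compete with each other) and only while the device is saturated; a single container, or one tested with buffered writes, will look as if the weight were ignored even with CFQ active.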
Tao-Ya Fan Chiang | 26 Nov 21:12 2014

Do time dilation with LXC

Hi all,

We're a group of researchers in the Networking and Multimedia System lab at National Tsing Hua University. We're trying to add a time dilation feature to Mininet, which to my understanding uses network namespaces but not the whole Linux container. Since I'm not familiar with this field, I'm confused about how deeply we're going to have to modify our system. I imagine that it'll be very different from modifying something like Qemu-KVM, which is much more heavyweight than a container. Can someone point me in the right direction on how to do this, or say whether it is possible at all?

Best Regards,
Tao-Ya Fan-Chiang
overlay fs | 26 Nov 18:11 2014

[PATCH] Issue #278: lxc-start-ephemeral: add --cdir option for cow-mounts

This is a copy of patch version 3 for issue #278 on the issue tracker:

- Allow multiple bind-mounts (--bdir) and multiple cow-mounts (--cdir).

- Further fixes to permissions throughout lxc-start-ephemeral
(annotated in the code).

- Reduce start-up time by ~5 seconds; only wait for a network IP
address if we really need it, i.e. if we are running a command.

Signed-off-by: Oleg Freedholm <overlayfs <at>>

--- /usr/bin/lxc-start-ephemeral    2014-11-21 17:48:49.000000000 +1100
+++ lxc-start-ephemeral 2014-11-27 00:30:42.095429007 +1100
 <at>  <at>  -84,9 +84,14  <at>  <at> 
 parser.add_argument("--name", "-n", type=str,
                     help=_("name of the target container"))

-parser.add_argument("--bdir", "-b", type=str,
+# edit: insert action="append"
+parser.add_argument("--bdir", "-b", type=str, action="append", default=[],
                     help=_("directory to bind mount into container"))

+# edit: add cdir
+parser.add_argument("--cdir", "-c", type=str, action="append", default=[],
+                    help=_("directory to cow mount into container"))
 parser.add_argument("--user", "-u", type=str,
                     help=_("the user to run the command as"))

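Review bot: argparse's --help will not show that --bdir and --cdir may now be repeated (action="append" is not reflected in the usage line), so the help strings should say so, e.g. `help=_("directory to bind mount into container (may be repeated)")`. The --cdir text should also say that the mount is a copy-on-write overlay whose writes are discarded with the ephemeral container, since that is the whole difference from --bdir.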
 <at>  <at>  -156,6 +161,14  <at>  <at> 
     dest_path = tempfile.mkdtemp(prefix="%s-" % args.orig, dir=lxc_path)
 os.mkdir(os.path.join(dest_path, "rootfs"))
+# edit: set the permissions for an ephemeral container to the default
permissions for a non-ephemeral container, o770.
+#     : if the permissions are not set here, then they vary greatly,
depending upon the arguments.
+#     : sometimes permissions are too tight, so that the
(unprivileged) host user cannot list the container's host directory.
+#     : in this case, lxc-start-ephemeral fails to cleanup the
container upon termination.
+#     :           eg lxc-start-ephemeral -o trusty
+#     : othertimes permissions are too loose, so that every host user
can list the container's host directory.
+#     :           eg lxc-start-ephemeral -o trusty -n trusty_ephemeral
+os.chmod(dest_path, 0o770)

 # Setup the new container's configuration
 dest = lxc.Container(os.path.basename(dest_path), args.lxcpath)
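Review bot: the long comment lines in this hunk were wrapped by the mail client (continuation lines such as `permissions for a non-ephemeral container, o770.` have no leading `+`), so the patch will not apply with `git am` or `patch` as posted; please resend it via git format-patch/send-email or as an attachment. On the change itself, `os.chmod(dest_path, 0o770)` runs after `tempfile.mkdtemp`, which already creates the directory 0700, so no window with looser permissions is opened; the comment should read 0o770 rather than o770 to match the code.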
 <at>  <at>  -206,6 +219,16  <at>  <at> 
                 # Setup an overlay for anything remaining
                 overlay_dirs += [(fields[0], dest_mount)]

+# edit: Setup an overlay for each cow mount
+for entry in args.cdir:
+    if not os.path.exists(entry):
+        print(_("Path '%s' doesn't exist, won't be cow-mounted.") %
+              entry)
+    else:
+        src_path = os.path.abspath(entry)
+        dst_path = "%s/rootfs/%s" % (dest_path, src_path)
+        overlay_dirs += [(src_path, dst_path)]
 # Generate pre-mount script
 with open(os.path.join(dest_path, "pre-mount"), "w+") as fd:
     os.fchmod(fd.fileno(), 0o755)
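Review bot: the --cdir loop only rejects paths that do not exist; an existing regular file passes the check and fails later at overlay mount time, so test `os.path.isdir(entry)` and say so in the message. `dst_path = "%s/rootfs/%s" % (dest_path, src_path)` also yields a double slash because src_path is already absolute (harmless, but `os.path.join(dest_path, "rootfs", src_path.lstrip("/"))` is cleaner), and the same three lines are repeated for --bdir further down, so a small helper could serve both.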
 <at>  <at>  -223,6 +246,17  <at>  <at> 
         if args.storage_type == "tmpfs":
             fd.write("mount -n -t tmpfs -o mode=0755 none %s\n" % (target))

+        # edit: attempt to fix permissions (setfacl) and optionally
ownership (chown)
+        #    - this is complicated, because we are inside an id_map,
and this confuses tools such as setfacl & chown.
+        #    - fixing permissions is essential.  Without the fix, an
unprivileged user in the container
+        #      cannot write to the top level of '--cdir' (though they
can write to subdirectories of --cdir).
+        #      setfacl seems to solve the problem.
+        #    - fixing ownership is optional, since acl permissions
trump ownership.
+        #      chown behaves strangely under the id_map, so it has
been commented out.
+        ###fd.write("chown --no-dereference --reference=%s %s %s\n" %
(entry[0], target, entry[1]))
+        fd.write("getfacl -a %s | setfacl --set-file=- %s\n" %
(entry[0], target))
+        fd.write("getfacl -a %s | setfacl --set-file=- %s\n" %
(entry[0], entry[1]))
         if args.union_type == "overlayfs":
             fd.write("mount -n -t overlayfs"
                      " -oupperdir=%s,lowerdir=%s none %s\n" % (
 <at>  <at>  -242,13 +276,13  <at>  <at> 
         count += 1

-    if args.bdir:
-        if not os.path.exists(args.bdir):
+    for entry in args.bdir:
+        if not os.path.exists(entry):
             print(_("Path '%s' doesn't exist, won't be bind-mounted.") %
-                  args.bdir)
+                  entry)
-            src_path = os.path.abspath(args.bdir)
-            dst_path = "%s/rootfs/%s" % (dest_path, os.path.abspath(args.bdir))
+            src_path = os.path.abspath(entry)
+            dst_path = "%s/rootfs/%s" % (dest_path, os.path.abspath(entry))
             fd.write("mkdir -p %s\nmount -n --bind %s %s\n" % (
                      dst_path, src_path, dst_path))

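Review bot: this hunk has fewer lines than its header declares (-242,13 +276,13) and the `else:` between the `print(...)` and the `src_path = ...` assignment is not among them, so please confirm the patch applies cleanly before merging. With --bdir now a list, two entries resolving to the same directory would be bind-mounted twice onto the same dst_path; de-duplicating `args.bdir` (and `args.cdir`) after parsing would avoid that.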
 <at>  <at>  -295,7 +329,11  <at>  <at> 

 # Try to get the IP addresses
-ips = dest.get_ips(timeout=10)
+# edit: Only wait for the IP address if we really need it, ie if we
are executing a command.
+#     : This takes ~5 seconds, perhaps because it takes that long to
launch the network in the container.
+ips = []         # edit: ... ensure ips is defined
+if args.command: # edit: added if statement
+    ips = dest.get_ips(timeout=10)

 # Deal with the case where we just print info about the container
 if args.daemon:
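Review bot: `ips` is now only populated when a command is given, but the block that follows ("Deal with the case where we just print info about the container", `if args.daemon:`) is the path that reports the container's details to the user; if it prints the IP list, that list will now always be empty for --daemon, so either the condition should become `if args.command or args.daemon:` or the info path should be checked. The comment lines in this hunk are also mail-wrapped (continuations without a leading `+`).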
Stéphane Graber | 26 Nov 16:51 2014

Release plan for LXC 1.1 (and systemd)


So we've now been working on 1.1 for a LONG time and indeed got quite a
few nice things in there.

I think it's now time to focus on the last few bits and then release
that thing and focus on LXC 1.2.

My current plan is for alpha3 to be tagged next week and then rc
releases in December with a release in early January.

The main blocker for this release is systemd support. I want LXC 1.1 to
support both privileged and unprivileged systemd using recent systemd
(there's only so much we can do about the old one) and running in a safe
way (so no disabling apparmor profiles).

The current plan to achieve this (and I'm only focusing on unprivileged
as privileged will then magically work too) is:
 1) Implement a minimal lxc.autodev for unprivileged containers, where
    rather than mknodding in /dev/.lxc it'll just mount a tmpfs on top of
    the container's /dev, then bind-mount the usual set of devices from the
    host's /dev.
 2) Use init system detection to turn on lxc.autodev, disable lxc.kmsg
    and set an appropriate if the container's init system is
    systemd (this would only change the default values of both options, any
    entry in the config would still override).
 3) Implement a minimal lxc.init_cmd configuration option which lets the
    user override the default (/sbin/init) command for the container.
 4) Get lxfs (formerly cgmanagerfs, formerly lxcfs) working properly so
    that if installed, /sys/fs/cgroup in a container is a fuse filesystem
    returning you the cgroupfs view that the container expects.

I've got a hack to simulate 1) here as well as a prototype of 4) which
lets me boot an unprivileged systemd container on my system all the way
to a login prompt. Unfortunately my hackish lxfs implementation in
python then segfaults and everything falls apart, but that shows that
the concept is valid :)

We had a chat with Lennart at Linux Plumbers 2014 and the systemd team
is currently working on getting systemd to run in an environment where
cap_sys_admin was dropped. That environment being even more harsh than
an unprivileged container, any issue we still find with systemd after we
implement the plan above should be discussed with systemd upstream
before we look into any workaround.

I'm going to be working on some of those over the next few weeks, but
any help would be greatly appreciated as I'll also be travelling and so
my time will unfortunately be limited (especially as it'll be split
between this, the new website and some lxd work).



Stéphane Graber
Ubuntu developer
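The /dev layout proposed in the "Questions about lxc.autodev" message above, and summarised as step 1) of the release plan, as an added example that is not LXC's code: a tmpfs on LXC_PATH/<container>/dev, chowned to the container's root, then mknod for each node with the touch-plus-bind-mount fallback for the unprivileged case where mknod(2) is refused. The set of device nodes, the tmpfs mount options and the function names are assumptions for this illustration; mount(8) is invoked through an injectable runner so the logic can be exercised without root.

```python
import os
import stat
import subprocess

# Character device nodes to provide. Which nodes LXC treats as "the nodes we
# care about" is not stated in the thread, so this list is an assumption.
DEVICE_NODES = {
    "null": (1, 3),
    "zero": (1, 5),
    "full": (1, 7),
    "random": (1, 8),
    "urandom": (1, 9),
    "tty": (5, 0),
}


def is_tmpfs_mountpoint(path):
    """True if `path` is itself a mount point of type tmpfs (per /proc/self/mounts)."""
    path = os.path.realpath(path)
    try:
        with open("/proc/self/mounts") as mounts:
            for line in mounts:
                fields = line.split()
                if len(fields) >= 3 and fields[1] == path and fields[2] == "tmpfs":
                    return True
    except OSError:
        pass
    return False


def populate_autodev(lxc_path, name, root_uid, root_gid,
                     nodes=DEVICE_NODES, run=subprocess.run):
    """Prepare LXC_PATH/<name>/dev following the proposal in the thread.

    root_uid/root_gid are the ids the container's root maps to on the host.
    Returns the list of (action, path) tuples performed so the caller can
    audit what was created. mount(8) goes through `run`, which a test can
    replace with a recorder.
    """
    dev_dir = os.path.join(lxc_path, name, "dev")
    actions = []

    # Step 1: a tiny tmpfs on LXC_PATH/<container>/dev with sane ownership and mode.
    os.makedirs(dev_dir, exist_ok=True)
    if not is_tmpfs_mountpoint(dev_dir):
        run(["mount", "-n", "-t", "tmpfs", "-o", "size=100k,mode=0755",
             "none", dev_dir], check=True)
        actions.append(("mount-tmpfs", dev_dir))
    os.chown(dev_dir, root_uid, root_gid)
    os.chmod(dev_dir, 0o755)

    # Step 2: mknod each node. Without CAP_MKNOD in the initial user namespace
    # mknod(2) fails with EPERM; fall back to an empty file bind-mounted from
    # the host's /dev, which is all an unprivileged container can do.
    for node, (major, minor) in nodes.items():
        target = os.path.join(dev_dir, node)
        try:
            os.mknod(target, stat.S_IFCHR | 0o666, os.makedev(major, minor))
            actions.append(("mknod", target))
        except PermissionError:
            with open(target, "a"):
                pass
            run(["mount", "-n", "--bind", os.path.join("/dev", node), target],
                check=True)
            actions.append(("bind", target))
    return actions


if __name__ == "__main__":
    # Constructed usage: a throwaway LXC_PATH under /tmp, container "c1".
    import tempfile
    for action in populate_autodev(tempfile.mkdtemp(), "c1",
                                   os.getuid(), os.getgid()):
        print(action)
```

Run unprivileged, every mknod fails with EPERM and the function takes the bind-mount branch for each node; run with CAP_MKNOD it takes the mknod branch. The returned action list records which path was taken, and in both cases the tree sits at LXC_PATH/<container>/dev, which is the "guessable layout without fancy hashing" point the message makes.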
Stéphane Graber | 26 Nov 16:36 2014

All pending patches have been processed (please re-send if not)


Just a quick note to indicate that, according to my e-mail client, all
pending patches have now been processed. If you have a patch which is
ready for inclusion and which I didn't include over the past couple of
days, it's because I missed it. In this case, please re-send it to the



Stéphane Graber
Ubuntu developer