Bug#768827: systemd: issues with systemd in a lxc container

Cameron Norman camerontnorman at gmail.com
Fri Dec 12 15:49:28 GMT 2014


On Fri, 12 Dec 2014 at 12:25, Michael Biebl <biebl at debian.org> wrote:
> Hi,
> 
> On 12.12.2014 at 07:26 Cameron Norman wrote:
>>  On Sun, 09 Nov 2014 16:22:36 +0100 Michael Biebl <biebl at debian.org> wrote:
>>>  not not systemd. That said, if there is something we can do in the
>>>  systemd package, to make it work (better) in lxc, please let us know.
>> 
>>  There are a few things. Linking sigpwr.target to halt.target would make
>>  lxc-stop work *cleanly* OOTB.
> 
> Why is that necessary to stop lxc containers cleanly? That sounds odd.

Because lxc needs to signal the init to shutdown cleanly, and you do 
not want to use a normal signal (e.g. SIGTERM) because all init systems 
block those. So SIGPWR is used. After SIGPWR is sent and a timeout 
lapses, lxc-stop just SIGKILLs the cgroup. So to avoid the timeout and 
an unclean shutdown occurring, systemd needs to respond to SIGPWR. 
Alternatively, we could make LXC signal that one special systemd clean 
shutdown signal (it is documented on the container interface I think), 
but that would require changing the container's configuration to make 
it incompatible with Upstart and sysvinit (well the inittab is modified 
to respond to sigpwr for sysvinit, not something supported locally).

>>  The big one would be to pop up a prompt on first install of systemd-sysv
>>  while in an lxc container (similar to the /etc/inittab checking and
>>  associated message that is planned I think) telling the user that the
>>  host's version of LXC must be 0.8 or greater (available in
>>  squeeze-backports and wheezy), and the configuration for the container
>>  (a file on the host) needs to contain the lines `lxc.kmsg = 0` and
>>  `lxc.autodev = 1`.
> 
> If lxc in wheezy is recent enough, tbh I wouldn't worry too much about
> squeeze users running jessie containers. I think documenting that fact
> is sufficient.

Fair enough, it is just that Wheezy does not use those options by 
default so the user still has to intervene in that case and add them 
him/herself. Jessie uses those options by default. I suppose we could 
backport that little patch (it is just a little two liner), so no 
biggy. And the only HUGE problem is if the user of the container does 
not have access to the host, but I do not think there are many (if any) 
of those setups.

>>  Also apparently udev should not run in containers. Do you think we
>>  should have something with ConditionVirtualization!=container or
>>  whatever in the udev service file?
> 
> The systemd-udevd service already has ConditionPathIsReadWrite=/sys
> which I thought was there to make sure udevd is not started in a
> container. Does lxc (bind)-mount /sys writable into the containers?
> If so, maybe it should change that.

Upstream, /sys and /proc are mounted read-write, but apparently the 
Debian maintainer has patched the common debian config to mount /sys 
ro. Still, that is only on Jessie (and will probably not reach Ubuntu). 
If it does not hurt, it would help for Wheezy hosts where /sys is still 
rw to add that virt related line.

Thank you for the quick response!
--
Cameron
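The two container-side pieces the thread describes (the host config options `lxc.kmsg = 0` / `lxc.autodev = 1`, and a sigpwr.target link to halt.target so that the SIGPWR lxc-stop sends actually halts systemd instead of timing out into a SIGKILL), as an added shell example that is not part of this mailing-list post or of the lxc/systemd packages. The function names, the override path under /etc/systemd/system and the choice of /lib/systemd/system/halt.target as the link target are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check, and optionally apply, what the
# thread says a jessie container needs for lxc-stop to shut it down cleanly:
#   1. the host-side LXC config contains `lxc.kmsg = 0` and `lxc.autodev = 1`
#   2. inside the rootfs, sigpwr.target resolves to halt.target, so the SIGPWR
#      that lxc-stop sends starts a halt rather than being ignored until the
#      timeout lapses and the whole cgroup is SIGKILLed (unclean shutdown).
# Helper names and the override path are assumptions made for this example.

# has_opt CONFIG KEY VALUE -> 0 if "KEY = VALUE" is set (whitespace tolerant)
has_opt() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# check_lxc_config CONFIG -> 0 if both required options are present
check_lxc_config() {
    has_opt "$1" 'lxc\.kmsg' 0 && has_opt "$1" 'lxc\.autodev' 1
}

# sigpwr_linked ROOTFS -> 0 if sigpwr.target in the rootfs points at halt.target
sigpwr_linked() {
    target="$1/etc/systemd/system/sigpwr.target"
    [ -L "$target" ] || return 1
    case "$(readlink "$target")" in
        */halt.target|halt.target) return 0 ;;
        *) return 1 ;;
    esac
}

# link_sigpwr_to_halt ROOTFS -> create the override symlink (assumed location)
link_sigpwr_to_halt() {
    mkdir -p "$1/etc/systemd/system" &&
    ln -sfn /lib/systemd/system/halt.target "$1/etc/systemd/system/sigpwr.target"
}

# container_stop_ready CONFIG ROOTFS -> 0 only when both checks pass
container_stop_ready() {
    check_lxc_config "$1" && sigpwr_linked "$2"
}
```

Run the checks against a container's config and rootfs before relying on lxc-stop; a failing `sigpwr_linked` is exactly the case where the stop only completes after the timeout and SIGKILL.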