Hi Daniel

As live-debconfig has not yet been accepted into Debian, I'm not sure
where to report the bugs I've found, so I'm sending them directly to you. If
you prefer me to report them on b.d.o I'll do so instead.

What I've tested is a home-brew deb built from the debian/4.0_a1-1 tag in
git://live.debian.net/git/live-debconfig.git

1. First, there is a typo in scripts/debconfig/0030-sysvinit.templates, a
missing white space causes live-debconfig to try to disable the (non-existing)
umountfsumountroot service, instead of the umountfs *and* umountroot services
by default.

2. Secondly, even if you add the white space manually, disabling those
services will have no effect. That is because all update-rc.d ... disable does
is replace any S??«service» links with K??«service» links in all runlevels.
As the umount* services are in fact only stopped, never started, that makes
disable useless. What you actually need to do is to *remove* those services.
Unfortunately, update-rc.d doesn't remember that you have done so, and will
re-add them on upgrades/reinstalls of the package providing them (initscripts). I
have no idea how to work around that...

3. Additionally, disabling the hwclockfirst.sh hwclock.sh does not have the
effect you want. Those scripts will set the system clock on start, and set the
hw clock on stop. Of course, neither works inside a container, but disabling
the service will only exchange one error message for another in a container,
and will cause massive misbehaviour if done outside of a container. The
correct way of disabling hwclockfirst.sh hwclock.sh is to edit
/etc/default/hwclock and set HWCLOCKACCESS to "no".

4. Next, if starting a container without "lxc.cap.drop = sys_admin", the
debian initscripts will mount a tmpfs on ${root}/run, which will block host
access to /run/initctl (as it is now on a file system inaccessible from outside
the container), which makes lxc-halt fail with an error message, and makes
lxc-start unable to detect a shutdown from within the container (thus
mandating a manual lxc-stop call). The only way I've found to stop that is to
disable the "mountkernfs.sh" and "mountall.sh" initscripts.

Disabling the "mountkernfs.sh" initscript necessitates adding lxc.mount.entry
lines in the lxc configuration file for proc, sys, and run/shm (and optionally
run/lock and tmp), while the removal of mountall.sh means that the
/etc/default/tmpfs size settings are not applied (should be set in the lxc
configuration file instead) and unfortunately also prevents boot-time mounting of
stuff in /etc/fstab. However, static mounting is better done in the lxc
configuration file anyway, so the loss of /etc/fstab support is no big deal.

5. Finally, I've found that letting the container shut down the loopback
network device will also cause the host to try to shut down its loopback
device, which will fail if it is in use and instead spam all consoles with
error messages every second until you restart the computer. Not actually a
serious problem, but damn irritating, so please make live-debconfig comment out
the "auto lo" line in /etc/network/interfaces when in an lxc container
(lxc-start will set it up anyway)...

Attaching a patch fixing all these issues to the best of my ability.

Best Regards
Jon Severinsson
diff --git a/scripts/debconfig/0030-sysvinit b/scripts/debconfig/0030-sysvinit
index 47a5e21..5890ea0 100755
--- a/scripts/debconfig/0030-sysvinit
+++ b/scripts/debconfig/0030-sysvinit
@@ -16,7 +16,7 @@ Defaults ()
{
_LXC_ENABLE="${_LXC_ENABLE:-false}"
_LXC_CONSOLES="${_LXC_CONSOLES:-6}"
- _LXC_DISABLE_SERVICES="${_LXC_DISABLE_SERVICES:-checkroot.sh hwclockfirst.sh hwclock.sh module-init-tools umountfs umountroot}"
+ _LXC_DISABLE_SERVICES="${_LXC_DISABLE_SERVICES:-checkroot.sh module-init-tools mountkernfs.sh mountall.sh umountfs umountroot}"
}
db_get live-debconfig/sysvinit/lxc-enable
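Review bot: the new `_LXC_DISABLE_SERVICES` default is the same string that is hard-coded again as `Default:` in 0030-sysvinit.templates, and the `umountfsumountroot` typo this patch fixes is exactly the kind of drift two copies produce; a comment in `Defaults ()` pointing at the templates file (or the reverse) would make the next editor touch both. Also, because each name is only acted on when `/etc/init.d/${_SERVICE}` exists, a misspelled or concatenated name fails silently; printing a warning for a name that matches no init script would have caught the original typo at build time.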
@@ -140,20 +140,36 @@ case "${_LXC_ENABLE}" in
# Remove pointless services in a container
for _SERVICE in ${_LXC_DISABLE_SERVICES}
do
+ case ${_SERVICE} in
+ umount*)
+ _ACTION=remove
+ ;;
+ *)
+ _ACTION=disable
+ ;;
+ esac
if [ -e "/etc/init.d/${_SERVICE}" ]
then
- update-rc.d -f ${_SERVICE} disable 2>&1 | \
+ update-rc.d -f ${_SERVICE} ${_ACTION} 2>&1 | \
grep -v "update-rc.d: using dependency based boot sequencing" | \
grep -v "update-rc.d: error: cannot find a LSB script for mountroot" || true
fi
done
+
+ # Let lxc-start manage the loopback interface
+ sed -e "s|\(auto lo\)|#\1|" /etc/network/interfaces > /etc/network/interfaces.tmp
+ mv -f /etc/network/interfaces.tmp /etc/network/interfaces
+
+ # Disable hwclock access
+ sed -e "s|#\?\(HWCLOCKACCESS\)=.*|\1=no|" /etc/default/hwclock > /etc/default/hwclock.tmp
+ mv -f /etc/default/hwclock.tmp /etc/default/hwclock
;;
false)
# Revert /etc/inittab
cp -p /usr/share/sysvinit/inittab /etc/inittab
- # Renable services
+ # Re-enable services
for _SERVICE in ${_LXC_DISABLE_SERVICES}
do
if [ -e "/etc/init.d/${_SERVICE}" ]
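Review bot: the two `sed` substitutions are unanchored and not idempotent. `s|\(auto lo\)|#\1|` matches `auto lo` anywhere on a line, so it also rewrites `auto lo0` or a line that lists several interfaces, and running the `true` branch twice turns `#auto lo` into `##auto lo`, which the single-`#` pattern in the revert branch no longer restores. `s|#\?\(HWCLOCKACCESS\)=.*|\1=no|` likewise matches inside an explanatory comment and does nothing at all when /etc/default/hwclock contains no `HWCLOCKACCESS=` line, leaving hwclock access enabled without any error. Suggest anchoring both (`s|^auto lo$|#&|` and `s|^#\?HWCLOCKACCESS=.*|HWCLOCKACCESS=no|`), appending `HWCLOCKACCESS=no` when `grep` finds no existing line, and adding a comment next to `_ACTION=remove` recording what the cover mail explains: an initscripts upgrade re-creates the removed umount* links, so the removal is not durable.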
@@ -163,5 +179,13 @@ case "${_LXC_ENABLE}" in
grep -v "update-rc.d: error: cannot find a LSB script for mountroot" || true
fi
done
+
+ # Re-enable the loopback interface
+ sed -e "s|#\(auto lo\)|\1|" /etc/network/interfaces > /etc/network/interfaces.tmp
+ mv -f /etc/network/interfaces.tmp /etc/network/interfaces
+
+ # Re-enable hwclock access
+ sed -e "s|#\?\(HWCLOCKACCESS\)=.*|#\1=yes|" /etc/default/hwclock > /etc/default/hwclock.tmp
+ mv -f /etc/default/hwclock.tmp /etc/default/hwclock
;;
esac
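Review bot: the revert branch is lossy. `s|#\?\(HWCLOCKACCESS\)=.*|#\1=yes|` replaces whatever explicit `HWCLOCKACCESS=` value the administrator had before LXC mode was enabled with a commented-out `#HWCLOCKACCESS=yes`, and `s|#\(auto lo\)|\1|` un-comments an `auto lo` line that may have been commented out deliberately. If the intent is to return to the pre-enable state, record the original line when enabling (for instance in the debconf database next to `live-debconfig/sysvinit/lxc-enable`) and restore it here, or at minimum only rewrite lines that exactly match what the `true` branch wrote.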
diff --git a/scripts/debconfig/0030-sysvinit.templates b/scripts/debconfig/0030-sysvinit.templates
index 58fe618..bab4ad5 100644
--- a/scripts/debconfig/0030-sysvinit.templates
+++ b/scripts/debconfig/0030-sysvinit.templates
@@ -20,9 +20,9 @@ Description: live-debconfig: How many consoles for LXC?
Template: live-debconfig/sysvinit/lxc-disable-services
Type: string
-Default: checkroot.sh hwclockfirst.sh hwclock.sh module-init-tools umountfsumountroot
+Default: checkroot.sh module-init-tools mountkernfs.sh mountall.sh umountfs umountroot
Description: live-debconfig: Which services to disable for LXC?
Some services are not useful in containers and should be disabled.
.
- This defaults to checkroot.sh hwclockfirst.sh hwclock.sh module-init-tools
+ This defaults to checkroot.sh module-init-tools mountkernfs.sh mountall.sh
umountfs umountroot.
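Review bot: the `Default:` fix (`umountfs umountroot` as two words) and the added entries match the script hunk, but the long description still only says the services "are not useful in containers". Now that mountkernfs.sh and mountall.sh are part of the default, the description should state the consequences the cover mail spells out: proc, sys and run/shm must then be supplied as `lxc.mount.entry` lines in the lxc configuration, and /etc/fstab is no longer processed at boot, so an administrator editing this list knows what the default commits them to.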