
Various bugs in live-debconfig with regards to lxc

Hi Daniel

As live-debconfig has not yet been accepted into Debian, I'm not sure 
where to report the bugs I've found, so I'm sending them directly to you. If 
you prefer me to report them on b.d.o I'll do so instead.

What I've tested is a home-brew deb built from the debian/4.0_a1-1 tag in 

1. First, there is a typo in scripts/debconfig/0030-sysvinit.templates, a 
missing white space causes live-debconfig to try to disable the (non-existing)  
umountfsumountroot service, instead of the umountfs *and* umountroot services 
by default.

2. Secondly, even if you add the white space manually, disabling those 
services will have no effect. That is because all update-rc.d ... disable does 
is replace any S??«service» links with K??«service» links in all runlevels. 
As the umount* services are in fact only stopped, never started, that makes 
disable useless. What you actually need to do is to *remove* those services.

Unfortunately, update-rc.d doesn't remember that you have done so, and will 
re-add them on upgrades/reinstalls of the package providing them (initscripts). 
I have no idea how to work around that...

3. Additionally, disabling hwclockfirst.sh and hwclock.sh does not have the 
effect you want. Those scripts will set the system clock on start, and set the 
hw clock on stop. Of course, neither works inside a container, but disabling 
the service will only exchange one error message for another in a container, 
and will cause massive misbehaviour if done outside of a container. The 
correct way of disabling hwclockfirst.sh and hwclock.sh is to edit 
/etc/default/hwclock and set HWCLOCKACCESS to "no".

4. Next, if starting a container without "lxc.cap.drop = sys_admin", the 
debian initscripts will mount a tmpfs on ${root}/run, which will block host 
access to /run/initctl (as it is now on a file system inaccessible from outside 
the container), which makes lxc-halt fail with an error message, and makes 
lxc-start unable to detect a shutdown from within the container (thus 
mandating a manual lxc-stop call). The only way I've found to stop that is to 
disable the "mountkernfs.sh" and "mountall.sh" initscripts. 

Disabling the "mountkernfs.sh" initscript necessitates adding lxc.mount.entry 
lines in the lxc configuration file for proc, sys, and run/shm (and optionally 
run/lock and tmp), while the removal of mountall.sh means that the 
/etc/default/tmpfs size settings are not applied (should be set in the lxc 
configure file instead) and unfortunately also prevents boot-time mounting of 
stuff in /etc/fstab. However, static mounting is better done in the lxc 
configuration file anyway, so the loss of /etc/fstab support is no big deal.

5. Finally, I've found that letting the container shut down the loopback 
network device will also cause the host to try to shut down its loopback 
device, which will fail if it is in use and instead spam all consoles with 
error messages every second until you restart the computer. Not actually a 
serious problem, but damn irritating, so please make live-debconfig comment out 
the "auto lo" line in /etc/network/interfaces when in an lxc container 
(lxc-start will set it up anyway)...

Attaching a patch fixing all these issues to the best of my ability.

Best Regards
Jon Severinsson
diff --git a/scripts/debconfig/0030-sysvinit b/scripts/debconfig/0030-sysvinit
index 47a5e21..5890ea0 100755
--- a/scripts/debconfig/0030-sysvinit
+++ b/scripts/debconfig/0030-sysvinit
@@ -16,7 +16,7 @@ Defaults ()
-	_LXC_DISABLE_SERVICES="${_LXC_DISABLE_SERVICES:-checkroot.sh hwclockfirst.sh hwclock.sh module-init-tools umountfs umountroot}"
+	_LXC_DISABLE_SERVICES="${_LXC_DISABLE_SERVICES:-checkroot.sh module-init-tools mountkernfs.sh mountall.sh umountfs umountroot}"
 db_get live-debconfig/sysvinit/lxc-enable
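Review bot: the new default on the `+` line adds mountkernfs.sh and mountall.sh, whose disabling (per the mail) only works when the container config supplies `lxc.mount.entry` lines for proc, sys and run/shm and silently drops boot-time /etc/fstab processing, yet nothing in this hunk records that precondition; add a comment next to `_LXC_DISABLE_SERVICES` (or a warning echoed when the default is kept) so a user knows what the lxc configuration must provide. Dropping hwclockfirst.sh and hwclock.sh from the list is consistent with the patch handling them through HWCLOCKACCESS instead.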
@@ -140,20 +140,36 @@ case "${_LXC_ENABLE}" in
 		# Remove pointless services in a container
+			case ${_SERVICE} in
+				umount*)
+					_ACTION=remove
+					;;
+				*)
+					_ACTION=disable
+					;;
+			esac
 			if [ -e "/etc/init.d/${_SERVICE}" ]
-				update-rc.d -f ${_SERVICE} disable 2>&1 | \
+				update-rc.d -f ${_SERVICE} ${_ACTION} 2>&1 | \
 				grep -v "update-rc.d: using dependency based boot sequencing" | \
 				grep -v "update-rc.d: error: cannot find a LSB script for mountroot" || true
+		# Let lxc-start manage the loopback interface
+		sed -e "s|\(auto lo\)|#\1|" /etc/network/interfaces > /etc/network/interfaces.tmp
+		mv -f /etc/network/interfaces.tmp /etc/network/interfaces
+		# Disable hwclock access
+		sed -e "s|#\?\(HWCLOCKACCESS\)=.*|\1=no|" /etc/default/hwclock > /etc/default/hwclock.tmp
+		mv -f /etc/default/hwclock.tmp /etc/default/hwclock
 		# Revert /etc/inittab
 		cp -p /usr/share/sysvinit/inittab /etc/inittab
-		# Renable services
+		# Re-enable services
 			if [ -e "/etc/init.d/${_SERVICE}" ]
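Review bot: `sed -e "s|\(auto lo\)|#\1|"` is unanchored, so a second run turns `#auto lo` into `##auto lo`, and a stanza such as `auto lo eth0` gets eth0 commented out too; use `s|^\(auto lo\)$|#\1|` and anchor the HWCLOCKACCESS pattern with `^` for the same reason. Both sed/mv pairs also assume /etc/network/interfaces and /etc/default/hwclock exist, whereas the service loop guards with `-e`; if either file is missing the redirection still creates an empty .tmp that `mv -f` then installs over the original path (unless the script runs under set -e). Lastly, `_ACTION=remove` for `umount*` has no counterpart in the re-enable branch visible here: `update-rc.d enable` cannot restore links that were removed, so the revert path needs an `update-rc.d ${_SERVICE} defaults` (or equivalent) for those two services.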
@@ -163,5 +179,13 @@ case "${_LXC_ENABLE}" in
 				grep -v "update-rc.d: error: cannot find a LSB script for mountroot" || true
+		# Re-enable the loopback interface
+		sed -e "s|#\(auto lo\)|\1|" /etc/network/interfaces > /etc/network/interfaces.tmp
+		mv -f /etc/network/interfaces.tmp /etc/network/interfaces
+		# Re-enable hwclock access
+		sed -e "s|#\?\(HWCLOCKACCESS\)=.*|#\1=yes|" /etc/default/hwclock > /etc/default/hwclock.tmp
+		mv -f /etc/default/hwclock.tmp /etc/default/hwclock
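Review bot: the revert `s|#\(auto lo\)|\1|` uncomments any `#auto lo`, including one the administrator had commented out before live-debconfig ran, and like the forward direction it is unanchored; a marker comment (e.g. commenting the line with `#live-debconfig:` and reverting only lines carrying that marker) would make the two directions symmetric and idempotent. The hwclock revert writes `#HWCLOCKACCESS=yes`, a commented line, so the file falls back to the package default rather than an explicit setting; say so in the comment above it, since a reader would expect the result to be `HWCLOCKACCESS=yes`.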
diff --git a/scripts/debconfig/0030-sysvinit.templates b/scripts/debconfig/0030-sysvinit.templates
index 58fe618..bab4ad5 100644
--- a/scripts/debconfig/0030-sysvinit.templates
+++ b/scripts/debconfig/0030-sysvinit.templates
@@ -20,9 +20,9 @@ Description: live-debconfig: How many consoles for LXC?
 Template: live-debconfig/sysvinit/lxc-disable-services
 Type: string
-Default: checkroot.sh hwclockfirst.sh hwclock.sh module-init-tools umountfsumountroot
+Default: checkroot.sh module-init-tools mountkernfs.sh mountall.sh umountfs umountroot
 Description: live-debconfig: Which services to disable for LXC?
  Some services are not useful in containers and should be disabled.
- This defaults to checkroot.sh hwclockfirst.sh hwclock.sh module-init-tools
+ This defaults to checkroot.sh module-init-tools mountkernfs.sh mountall.sh
  umountfs umountroot.
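Review bot: the Description still only says the listed services "are not useful in containers"; with mountkernfs.sh and mountall.sh now in the Default it should also tell the user that proc, sys and run/shm must then come from `lxc.mount.entry` lines and that /etc/fstab is no longer processed at boot, because a default that silently skips fstab is surprising. The service list also appears twice (Default on the `+Default:` line and again in the Description), which is how the original `umountfsumountroot` typo slipped through; consider having the Description refer to the default rather than repeating it.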

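The guest-side fix-ups from points 2, 3 and 5 of the mail, written as an added example (this is not code from the mail or from live-debconfig) in the form of shell functions that take a rootfs path, so they can be exercised against a constructed scratch tree instead of the running system. The function names, the dry-run printing of update-rc.d commands, and the contents of the scratch files are this example's own assumptions; the sed patterns are anchored and use POSIX `#*` rather than GNU sed's `\?`, so each function is idempotent.

```shell
# Added example (not code from the mail or from live-debconfig): container
# fix-ups as functions over a rootfs path. Function names, the dry-run output
# format and the scratch file contents are assumptions made for this example.

# Decide what update-rc.d should do for one service inside an LXC guest.
# umountfs/umountroot only ever run on stop, so "disable" (S?? -> K??)
# changes nothing for them; they must be removed. Others are just disabled.
lxc_service_action() {
    case "$1" in
        umount*) echo remove ;;
        *)       echo disable ;;
    esac
}

# Dry run: print the update-rc.d command for each service that actually has
# an init script under the rootfs (the real script runs them instead).
plan_service_changes() {
    root="$1"
    shift
    for svc in "$@"; do
        [ -e "$root/etc/init.d/$svc" ] || continue
        echo "update-rc.d -f $svc $(lxc_service_action "$svc")"
    done
}

# Set HWCLOCKACCESS=no in etc/default/hwclock. Matches a commented or
# uncommented existing line (anchored, POSIX '#*'), appends the setting if
# the file has none, so two runs leave exactly one HWCLOCKACCESS line.
set_hwclockaccess_no() {
    f="$1/etc/default/hwclock"
    if grep -q '^#*HWCLOCKACCESS=' "$f"; then
        sed -e 's|^#*\(HWCLOCKACCESS\)=.*|\1=no|' "$f" > "$f.tmp"
    else
        { cat "$f"; echo 'HWCLOCKACCESS=no'; } > "$f.tmp"
    fi
    mv -f "$f.tmp" "$f"
}

# Comment out "auto lo" so lxc-start, not the guest, owns the loopback
# device. Anchoring on ^...$ keeps a second run from producing "##auto lo"
# and leaves lines such as "auto lo eth0" or "auto eth0" untouched.
disable_auto_lo() {
    f="$1/etc/network/interfaces"
    sed -e 's|^\(auto lo\)$|#\1|' "$f" > "$f.tmp"
    mv -f "$f.tmp" "$f"
}

# Build a constructed scratch rootfs holding the files the functions edit.
# The file contents are made up for this example, not copied from Debian.
make_scratch_rootfs() {
    root="$1"
    mkdir -p "$root/etc/init.d" "$root/etc/default" "$root/etc/network"
    for svc in checkroot.sh mountall.sh umountfs umountroot; do
        : > "$root/etc/init.d/$svc"
    done
    printf '%s\n' '# constructed sample file' '#HWCLOCKACCESS=yes' \
        > "$root/etc/default/hwclock"
    printf '%s\n' 'auto lo' 'iface lo inet loopback' '' \
        'auto eth0' 'iface eth0 inet dhcp' \
        > "$root/etc/network/interfaces"
}

# Usage (dry run on a scratch tree, nothing under / is touched):
#   root=$(mktemp -d); make_scratch_rootfs "$root"
#   plan_service_changes "$root" checkroot.sh mountall.sh umountfs umountroot
#   set_hwclockaccess_no "$root"; disable_auto_lo "$root"
```

Run the usage lines against a scratch directory first; only the update-rc.d commands printed by `plan_service_changes` need root, and only when you actually execute them inside the container rootfs.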