LXC firewall logging and udev upgrade in Ubuntu

Today I’m going to write about a couple of major gotchas with LXC. Now these issues are documented in various places but I wanted to put all the relevant information together in one place to make it easier for people.

Before going any further it’s important to note that I created my LXC container with the official Ubuntu template from the latest “stable” LXC release i.e. I downloaded the tarball and put the template in the correct place as Ubuntu 10.04’s LXC package doesn’t contain said template. This helps minimise all sorts of problems especially ones related to the LXC console crashing and the like.

Firstly you will find when running “apt-get upgrade” (if you have Lucid updates enabled in /etc/apt/sources.list) that you get this error on upgrading udev:-

mknod: `/lib/udev/devices/ppp': Operation not permitted

To get around this issue we need to change the cgroup device permissions so that the package upgrade can create the udev nodes. On the host, type:-

cat > /var/cgroup/server/devices.allow
c 108:0 rwm
b 7:0 rwm
c 10:200 rwm

and then “ctrl + d”, where “server” is the container's name. This will update the permissions on the fly. We then need to add the same lines to the container config so the correct permissions are restored upon container restart. Here is my container config in “/var/lib/lxc/server/config”:-

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.veth.pair = vethserver
lxc.network.mtu = 1500
lxc.network.ipv4 =
lxc.utsname = server
lxc.tty = 0
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/server/rootfs
lxc.mount  = /var/lib/lxc/server/fstab
lxc.cgroup.devices.deny = a

# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm

# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm

# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm

# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

# Mods to allow udev upgrade
lxc.cgroup.devices.allow = c 108:0 rwm
lxc.cgroup.devices.allow = b 7:0 rwm
lxc.cgroup.devices.allow = c 10:200 rwm

You probably already know this but if you want to finish the failed upgrade type

apt-get -f install

And remember to rename “/etc/udev/udev.conf” afterwards.

There is a problem with the latest ifupdown package in Ubuntu which will stop the container from reaching its proper runlevel on reboot after the upgrade. To fix that, downgrade ifupdown in the container by running:-

aptitude install ifupdown=0.6.8ubuntu29

and stop the package from being updated in future by running:-

echo ifupdown hold | dpkg --set-selections

You may also find that you cannot get into the console (via lxc-console or lxc-start) after the update. Simply edit /etc/init/tty1.conf in the container and change “tty1” to “console” so tty1.conf reads:-

# tty1 - getty
# This service maintains a getty on tty1 from the point the system is
# started until it is shut down again.
start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]
exec /sbin/getty -8 38400 console

On to the second problem. If you happen to have iptables/firewall running on the host you will notice that you get loads of garbage messages in “/var/log/syslog” both on the host and container. This basically stems from both the host and container trying to log kernel messages, the output getting mixed up and producing lines that start with “palsdne” or similar (confused me for a while, turns out to be a non-anagram of “iptables denied”).

Simply install syslogd in the container and remove klogd from startup like so:-

apt-get remove rsyslog
apt-get install syslogd
update-rc.d -f klogd remove

After this iptables/firewall messages will only appear on the host, stopping the garbage.

I hope this helps.
