On 07/28/2011 11:59 AM, Dinar Valeev wrote:
> On Thu, Jul 28, 2011 at 11:49 AM, Bernhard M. Wiedemann <bernhardout@lsmod.de> wrote:
>> Hi OBSers,
>> Last week I played with the current obs unstable version and used the LXC build backend. In the course of this I stumbled over some problems, so to make it easier for people, I document my findings in this OBS LXC HowTo
>>
>> Hint: to build with LXC without all the OBS magic, you just run osc build --vm-type=lxc on any OBS checkout. Good for testing & debugging.
>>
>> First, when you just install the obs-worker package or the worker-appliance, it lacks the LXC user-space tools, complaining about not finding lxc-create.
> That could be added to the OBS Worker appliance. (Done for the ppc appliance)
>> LXC also needs the special cgroup pseudo-fs mounted to work. So you need to run once as root:
>>
>> zypper -n install lxc
>> mkdir -p /var/lib/lxc /cgroup
>> echo none /cgroup cgroup defaults 2 0 >> /etc/fstab
>> mount /cgroup
>> echo mount /cgroup >> /etc/init.d/boot.local
>> # note: openSUSE's /etc/init.d/boot.cgroup did not help for me
>> I have not yet found a way to put it in the appliance.
> I think you can add it to your Kiwi's .../root/build-custom script
>> However I found some packages failing for two different reasons. One reason is that packages like udev and mdadm contain device nodes and the /usr/lib/build/lxc.conf forbids most operations on devices. This results in failure messages like
>>
>> Preparing packages for installation...
>> mdadm-3.0.3-0.22.4
>> error: unpacking of archive failed on file /lib/udev/devices/md0;4e311c7f: cpio: mknod failed - Operation not permitted
>>
>> The other problem I encountered is with packages like yast2-core and perl-IO-Tty that run testsuites as part of their build script and complain about openpty failing.
> Good catch!
>> To fix both those problems, I needed to add these lines to /usr/lib/build/lxc.conf :
>>
>> # allow to create any device nodes - but not access
>> lxc.cgroup.devices.allow = c *:* m
>> lxc.cgroup.devices.allow = b *:* m
>> # /dev/pts/*
>> lxc.cgroup.devices.allow = c 136:* rw
>> lxc.tty = 1
> Is this secure?
I understood the lxc config format to have "rw" for read+write access to devices, but the top two lines only have the "m" flag to allow only mknod - unluckily man lxc.conf does not tell.

The lower two lines _could_ allow access to the host's pseudo terminals. Not sure how dangerous that is.

Ciao
Bernhard M.
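An added example for reviewing the question raised above; this script is not from the thread or from OBS, and the lxc.conf fragment it reads is constructed inline from the lines quoted in the thread. In the devices cgroup syntax the access field is a combination of r (read), w (write) and m (mknod), so the script classifies each lxc.cgroup.devices.allow rule as mknod-only, read/write on a wildcard major or minor, or read/write on one specific device. Only the wildcard read/write class reaches host devices beyond the ones the build needs and is what a reviewer should look at first.

```shell
#!/bin/sh
# Constructed sample lxc.conf fragment: the default deny plus the four
# lines from the thread. Sample input only, not read from a live system.
SAMPLE_CONF='lxc.cgroup.devices.deny = a
# allow to create any device nodes - but not access
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rw
lxc.tty = 1'

# audit_devices_allow: read an lxc.conf on stdin and print one line per
# lxc.cgroup.devices.allow rule, prefixed with a class:
#   MKNOD_ONLY  - access is just "m": nodes may be created but not opened
#   WILDCARD_RW - r or w granted while major or minor is "*"
#   SPECIFIC_RW - r or w granted on one fully specified major:minor
audit_devices_allow() {
    awk '
    /^[[:space:]]*lxc\.cgroup\.devices\.allow[[:space:]]*=/ {
        sub(/^[^=]*=[[:space:]]*/, "")   # drop the key; awk re-splits $0
        type = $1; dev = $2; acc = $3    # e.g. "c", "136:*", "rw"
        split(dev, mm, ":")
        wild = (mm[1] == "*" || mm[2] == "*")
        rw   = (acc ~ /[rw]/)
        if (!rw)        cls = "MKNOD_ONLY"
        else if (wild)  cls = "WILDCARD_RW"
        else            cls = "SPECIFIC_RW"
        printf "%s %s %s %s\n", cls, type, dev, acc
    }'
}

# count_wildcard_rw: number of rules in the sample that grant r/w on a
# wildcard device range (the ones worth a second look before deploying).
count_wildcard_rw() {
    printf '%s\n' "$SAMPLE_CONF" | audit_devices_allow | grep -c '^WILDCARD_RW'
}

# Run against the sample; on a worker you would pipe /usr/lib/build/lxc.conf
# into audit_devices_allow instead.
printf '%s\n' "$SAMPLE_CONF" | audit_devices_allow
```

For the quoted configuration the first two rules come out as MKNOD_ONLY, matching the reading in the reply, and the 136:* rule is the single WILDCARD_RW entry: it covers every pty slave with that major, not only the ones allocated inside the build container.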