Mailinglist Archive: opensuse-buildservice (120 mails)

[opensuse-buildservice] HowTo build with LXC for OBS
  • From: "Bernhard M. Wiedemann" <bernhardout@xxxxxxxx>
  • Date: Thu, 28 Jul 2011 11:49:01 +0200

Hi OBSers,

Last week I played with the current obs unstable version and used the
LXC build backend.
In the course of this I stumbled over some problems, so to make it easier
for people, I am documenting my findings in this OBS LXC HowTo.

Hint: to build with LXC without all the OBS magic, you just run
osc build --vm-type=lxc
on any OBS checkout. Good for testing & debugging.

First, when you just install the obs-worker package or the
worker-appliance, it lacks the LXC user-space tools, complaining about not
finding lxc-create.
LXC also needs the special cgroup pseudo-fs mounted to work.
So you need to run once as root:

zypper -n install lxc
mkdir -p /var/lib/lxc /cgroup
echo none /cgroup cgroup defaults 2 0 >> /etc/fstab
mount /cgroup
echo mount /cgroup >> /etc/init.d/boot.local

# note: openSUSE's /etc/init.d/boot.cgroup did not help for me

To make OBS build with it, you then
edit /etc/sysconfig/obs-worker

This allows building most (>95%) packages alright, and if it works for
you or if you are reading this after the fix below went upstream, you can
stop here.

However I found some packages failing for two different reasons.
One reason is that packages like udev and mdadm contain device nodes and
the /usr/lib/build/lxc.conf forbids most operations on devices.
This results in failure messages like
Preparing packages for installation...
error: unpacking of archive failed on file /lib/udev/devices/md0;4e311c7f: cpio: mknod failed - Operation not permitted

The other problem I encountered is with packages like yast2-core and
perl-IO-Tty that run testsuites as part of their build script and
complain about openpty failing.

To fix both those problems, I needed to add these lines to
/usr/lib/build/lxc.conf :

# allow to create any device nodes - but not access
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rw
lxc.tty = 1

but since this file would be replaced on next update of the "build" rpm,
those need to be added to the package by the maintainer.

I also added this line to lxc.conf:
# forbid dangerous operations
lxc.cap.drop = sys_module sys_boot sys_rawio sys_time net_raw

but I am not sure if all of them are needed.

Finally I want to thank Dinar for his work on LXC and Adrian and all
the others making OBS as good as it already is.

Bernhard M.
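
Added example, not part of the original message or of the "build" package: a small Python check that reads lxc.conf-style text and separates the mknod-only wildcard rules from the message ("m", create but not access) from rules that would grant read/write on every device of a type. The function name audit, the finding labels and the final "rwm" line in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample: the lines quoted in the message plus one deliberately
# over-broad rule (last line) added here for contrast.
SAMPLE_CONF = """\
# allow to create any device nodes - but not access
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rw
lxc.tty = 1
lxc.cap.drop = sys_module sys_boot sys_rawio sys_time net_raw
lxc.cgroup.devices.allow = b *:* rwm
"""

# Device cgroup rule: type (a|b|c), major:minor (number or *), access (r, w, m).
RULE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)$")


def audit(conf_text):
    """Return (findings, dropped_caps) for lxc.conf-style text.

    findings is a list of (line_number, label, rule_value) tuples.
    """
    findings, dropped = [], set()
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.cap.drop":
            dropped.update(value.split())
        elif key == "lxc.cgroup.devices.allow":
            if value == "a":  # bare "a" allows every device, every access
                findings.append((lineno, "wildcard-access", value))
                continue
            m = RULE.match(value)
            if not m:
                findings.append((lineno, "unparsable", value))
                continue
            dtype, major, _minor, access = m.groups()
            # "m" alone only permits mknod; r or w on a wildcard major
            # opens every device of that type to the build container.
            if (dtype == "a" or major == "*") and set(access) & set("rw"):
                findings.append((lineno, "wildcard-access", value))
    return findings, dropped
```

On the sample, only the constructed "b *:* rwm" line is reported; the rules from the message pass because the wildcard ones carry "m" only and the "rw" rule is limited to major 136.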
