Mailinglist Archive: opensuse-buildservice (120 mails)

< Previous Next >
Re: [opensuse-buildservice] HowTo build with LXC for OBS
  • From: "Bernhard M. Wiedemann" <bernhardout@xxxxxxxx>
  • Date: Thu, 28 Jul 2011 12:33:49 +0200
  • Message-id: <>
Hash: SHA1

On 07/28/2011 11:59 AM, Dinar Valeev wrote:
On Thu, Jul 28, 2011 at 11:49 AM, Bernhard M. Wiedemann
<bernhardout@xxxxxxxx> wrote:
Hi OBSers,

Last week I played with the current obs unstable version and used the
LXC build backend.
In this course I was stumbling over some problems, so to make it easier
for people, I document my findings in this OBS LXC HowTo

Hint: to build with LXC without all the OBS magic, you just run
osc build --vm-type=lxc
on any OBS checkout. Good for testing & debugging.

First, when you just install the obs-worker package or the
worker-appliance, it lacks the LXC user-space tools, complaing about not
finding lxc-create.
That's could be added to OBS Worker appliance. (Done for ppc appliance)

LXC also needs the special cgroup pseudo-fs mounted to work.
So you need to run once as root:

zypper -n install lxc
mkdir -p /var/lib/lxc /cgroup
echo none /cgroup cgroup defaults 2 0 >> /etc/fstab
mount /cgroup
echo mount /cgroup >> /etc/init.d/boot.local

# note: openSUSE's /etc/init.d/boot.cgroup did not help for me
I'm not yet found a way how to put it in appliance.

I think, you can add it to your Kiwi's
.../root/build-custom script

However I found some packages failing for two different reasons.
One reason is that packages like udev and mdadm contain device nodes and
the /usr/lib/build/lxc.conf forbids most operations on devices.
This results in failure messages like
Preparing packages for installation...
error: unpacking of archive failed on file
/lib/udev/devices/md0;4e311c7f: cpio: mknod failed - Operation not permitted

The other problem I encountered is with packages like yast2-core and
perl-IO-Tty that run testsuites as part of their build script and
complain about openpty failing.
Good catch!

To fix both those problems, I needed to add these lines to
/usr/lib/build/lxc.conf :

# allow to create any device nodes - but not access
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rw
lxc.tty = 1
Is this secure?

I understood the lxc config format to have "rw" for read+write access
to devices but the top two lines only have the "m" flag to allow only
mknod - unluckily man lxc.conf does not tell.
The lower two lines _could_ allow access to the host's pseudo
terminals. Not sure how dangerous that is.

Bernhard M.
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with SUSE -

To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx

< Previous Next >