/etc/init.d/net.lo requires sysfs to start. This is OK for a standalone installation. This is NOT OK for an lxc guest, when sysfs is mounted and managed by the host.

Reproducible: Always

Steps to Reproduce:
1. setup lxc gentoo container with externally mounted sysfs
2. install =openrc-0.10.5 in container
3. reboot container

Actual Results:
net.lo and symlinks to it cannot be started because of dependency on sysfs

Expected Results:
successfully started net.lo

As a workaround I commented out the lines
# if [ "$RC_UNAME" = Linux ]; then
#     need sysfs
# fi
and the container starts as expected. These lines appeared after updating from openrc-0.9.8.4 to openrc-0.10.5, after I migrated one of my containers to the unstable branch. Again: the problem is specific to the case when sysfs is mounted from outside the lxc container and an attempt is made to mount it from within the container because of starting the network subsystem, when many subsystems should not start (for example, udev).
Created attachment 317906 [details] lxc.conf file
The lxc.conf I use for starting the container. The lxc host is Kubuntu 12.04 amd64 with the 0.7.5-3ubuntu59 package installed. I can upload the container image tarball to my VPS on request.
Hmmmm. It looks like the problem is located elsewhere, since without the failed attempt to start /etc/init.d/sysfs, the network (/etc/init.d/net.eth0) does not start.
The problem is somehow related to the mount_cgroup call in sysfs.
I need to see a startup log from the container if possible. Uncomment the line in /etc/rc.conf that says rc_logger="YES", reboot the container, then attach /var/log/rc.log to the bug. Thanks, William
Created attachment 317940 [details] rc.log with errors
I added rc.log. With lxc I also see console output from the container.
http://main.permeakra.co.cc/dserv.tar.gz Here you can find an image of my container. It has slightly modified /etc/init.d stuff.
Created attachment 321886 [details] 0001-sysfs-add-lxc-keyword.patch
This patch, along with adding sysfs to the boot runlevel, should fix the issue.
@flameeyes: Please put openrc git into an lxc, apply this patch, add sysfs to the boot runlevel, and let me know if everything boots successfully.
@flameeyes: Thinking about this more after seeing your comment on irc, you might be able to apply the patch to ~arch OpenRC. If that applies cleanly, go ahead and test there.
@flameeyes: What is your status on this bug? Have you been able to look at it? Thanks, William
Note mounting sysfs in lxc guests is sometimes a security hole - see http://blog.bofh.it/debian/id_413
(The good news is that I was able to fix Excelsior and the two tinderboxes so I can test it this weekend, finally!) As for sysfs mounting... yes, it's a security hole; no, it's definitely not the only one. I already said that giving root on an LXC guest is just as bad as having root on the host, and until they make _huge_ changes that's not going to change.
@flameeyes: I applied the first part of this patch in commit ae9acfa. Now, sysfs will not run in an lxc guest. To make only this happen on your box to test, which is what I recommend at this point, add the following to /etc/conf.d/sysfs:

rc_keyword="-lxc"

Once you get that added, let me know what happens. I can tell you that networking might fail because there are a couple of places in the oldnet scripts where we rely on sysfs. But, once we know where those are, we can fix them.
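The comment above relies on two facts about OpenRC that are easy to get wrong when debugging a container: a service whose keyword list contains "-lxc" is skipped when OpenRC has detected an LXC guest (it records the container type in RC_SYS), and the value of rc_keyword in /etc/conf.d/<service> adds such a keyword without touching the init script. The following POSIX sh script is an added example written for this page, not OpenRC's own code: it re-implements that decision as two small functions so the logic can be exercised on constructed input without an OpenRC installation. Assumptions: the keyword check is modelled as a case-insensitive match of "-<RC_SYS>" against the keyword list, the conf.d override is modelled by appending rc_keyword to the script's keywords, and the mount table is given in /proc/mounts format; the GUEST_MOUNTS and HOST_MOUNTS tables are constructed samples.

```shell
#!/bin/sh
# Added example, not OpenRC code: emulate the "-lxc" keyword check and the
# "is sysfs already provided by the host?" check on constructed input.

# should_run KEYWORDS RC_SYS
#   Returns 0 if a service with this keyword list should start on a system
#   of type RC_SYS (e.g. LXC), 1 if a "-<type>" keyword excludes it.
#   Assumption: the comparison is case-insensitive, as "-lxc" vs RC_SYS=LXC.
should_run() {
    keywords=$1
    sys=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for kw in $keywords; do
        case $kw in
            -"$sys") return 1 ;;   # e.g. "-lxc" while RC_SYS=LXC
        esac
    done
    return 0
}

# sysfs_mounted MOUNTS_TEXT
#   Returns 0 if the /proc/mounts-style text has a sysfs entry on /sys,
#   i.e. the host (or someone else) already provides it to this namespace.
sysfs_mounted() {
    printf '%s\n' "$1" |
        awk '$2 == "/sys" && $3 == "sysfs" { found = 1 } END { exit !found }'
}

# sysfs_action SCRIPT_KEYWORDS RC_SYS MOUNTS_TEXT [RC_KEYWORD]
#   Prints what the sysfs service would do: "skip" (excluded by keyword),
#   "already-mounted" (nothing to do) or "mount" (a real mount is needed).
#   Assumption: rc_keyword from /etc/conf.d/sysfs is appended to the script's
#   own keyword list, which is how the workaround in the comment above acts.
sysfs_action() {
    if ! should_run "$1 $4" "$2"; then
        echo skip
    elif sysfs_mounted "$3"; then
        echo already-mounted
    else
        echo mount
    fi
}

# Constructed sample: a container whose host already mounted sysfs for it.
GUEST_MOUNTS='rootfs / rootfs rw 0 0
none /proc proc rw,nosuid,nodev,noexec 0 0
none /sys sysfs rw,nosuid,nodev,noexec 0 0'

# Constructed sample: a bare host early in boot, sysfs not mounted yet.
HOST_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
none /proc proc rw 0 0'

# Stand-alone demo: the patched script (keyword -lxc), the unpatched script
# with the conf.d workaround, and the unpatched script on a plain host.
echo "patched in LXC:    $(sysfs_action '-lxc' LXC "$GUEST_MOUNTS")"
echo "workaround in LXC: $(sysfs_action '' LXC "$GUEST_MOUNTS" '-lxc')"
echo "unpatched in LXC:  $(sysfs_action '' LXC "$GUEST_MOUNTS")"
echo "unpatched on host: $(sysfs_action '' '' "$HOST_MOUNTS")"
```

The third demo line is the bug as reported: without the keyword the service runs inside the guest even though /sys is already there, and the mount attempt (plus the mount_cgroup call mentioned earlier) is what fails. Checking the mount table, as sysfs_mounted does, is the complementary defence for scripts that cannot rely on RC_SYS detection.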
The original issue on this bug was that the sysfs script was running inside the container, which should not be happening. This is fixed in commit ae9acf and will be included in OpenRC 0.11.
(In reply to comment #14)
> The original issue on this bug was that the sysfs script was running
> inside the container, which should not be happening. This is fixed in
> commit ae9acf and will be included in OpenRC 0.11.
Yeah, indeed. Checked it, worked fine. Thanks.