Closed AhmadFazliIsmail closed 6 years ago
Hi,
can you test with the kernel-lt or kernel-ml package?
If that works, then it's a sign that https://bugs.centos.org/view.php?id=13265&nbn=9 is not yet fixed in the default Centos kernel.
Thanks @hallyn for your prompt response. I am still performing tests using my current kernel, but that issue seems to have disappeared! /var/log/messages and dmesg for that container do not show any weird logs. Besides, that was the 1st run after installing LXCFS; now is the 2nd run. Will continuously test and monitor. Have not yet tried kernel-lt or kernel-ml; may try kernel-lt later.
Thanks again for your advice.
After some checking, found this in the host /var/log/messages:
Oct 18 22:18:14 lxc01 python: SELinux is preventing /usr/bin/find from using the dac_read_search capability.#012#012***** Plugin dac_override (91.4 confidence) suggests **********************#012#012If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system#012Then turn on full auditing to get path information about the offending file and generate the error again.#012Do#012#012Turn on full auditing#012# auditctl -w /etc/shadow -p w#012Try to recreate AVC. Then execute#012# ausearch -m avc -ts recent#012If you see PATH record check ownership/permissions on file, and fix it,#012otherwise report as a bugzilla.#012#012***** Plugin catchall (9.59 confidence) suggests **************************#012#012If you believe that find should have the dac_read_search capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'find' --raw | audit2allow -M my-find#012# semodule -i my-find.pp#012
Then after doing that sealert and permitting that blocking, this issue occurred again.
Now the host is using kernel-ml Linux lxc01.local.domain 4.13.7-1.el7.elrepo.x86_64 #1 SMP Sat Oct 14 11:46:13 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux. I rebooted, started that container, tested the uptime, cpuinfo and meminfo, and this issue has not yet happened. Looks like this issue is related to the kernel version and SELinux. However, I will continuously test the container and report the result here within the next week.
Thank you once again @hallyn for your advice to update the kernel.
As previously promised, I come again with a report during the test that was performed last week.
I have to integrate LXC to Libvirt-LXC because;
I suspect that the issue is related to LXC and not LXCFS. As mentioned above, I am using lxc-1.0.10-2.el7.x86_64 from the EPEL repo. There is no problem for LXCFS to run in Libvirt-LXC, so I think that switching to Libvirt-LXC with LXCFS is the best option for me.
Many thanks for the great LXCFS. I can make my container run like KVM.
Hi,
I am running CentOS 7 kernel 3.10.0-693.2.2.el7.x86_64 and manually compiled LXCFS (having just downloaded the current release today) using
./configure --bindir=/bin --sbindir=/sbin --with-init-script=systemd --libdir=/usr/lib --with-pamdir=none
I installed lxc-1.0.10-2.el7.x86_64 from EPEL repo using yum
The installation was successful. I created a container and run it using the config file below;
It is showing the correct uptime, cpuinfo, and memory when it started as shown below;
I let it run for about 2 hours, check their status and found;
It is showing the RAM and Swap at the host and not the container. Appreciate any advice on this matter.
Thanks.