Page MenuHomePhabricator
Create Task
Maniphest T154294

Make lxc provider work with a Jessie base image
Closed, ResolvedPublic
Actions

Details

SubjectRepoBranchLines +/-
Enable Jessie LXC containermediawiki/vagrantjessie-migration+3 -3
vagrant: Update LXC packages and apparmor conf for systemdoperations/puppetproduction+70 -6
Enable Jessie LXC containermediawiki/vagrantmaster+3 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 created this task.Dec 29 2016, 7:18 PM
bd808 added a comment.Dec 30 2016, 2:09 AM

The version of LXC that is being installed on our Trusty labs instances (1.0.8-0ubuntu0.4) does not support running containers with systemd init (https://github.com/lxc/lxc/issues/685).

There are newer versions of LXC available in trusty-backports. Rather than just the LXC 1.1.4 mentioned in the upstream bug the current backport version is 2.0.6-0ubuntu1~ubuntu14.04.1.

bd808 added a comment.Dec 30 2016, 5:52 AM

I've manually hacked up a testing instance in Labs. I upgraded the LXC install using sudo apt-get -t trusty-backports install lxc lxc-templates. Unfortunately Puppet's package define doesn't support this type of pinning. We will need to figure out the exact dependency packages and pin all of them with apt config.

I haven't figured out the exact apparmor policy changes that are needed. Upon creation, this error is logged in syslog:

audit(1483072595.366:61): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=18924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

Following this, the container is created, but it does not have networking support or the systemd init system running. Vagrant can not talk to the container properly either because of certain probe commands that it sends which rely on networking being up inside the container.

Just to prove to myself that things will work eventually I used lxc.customize 'aa_profile', 'unconfined' in the lxc section of Vagrantfile to disable apparmor for the generated container. With this change the container comes up as expected with a systemd init system and working networking and wiki!

bd808 claimed this task.Dec 30 2016, 5:52 AM
Restricted Application added a project: User-bd808. · View Herald TranscriptDec 30 2016, 5:52 AM
bd808 moved this task from Backlog to In Progress on the MediaWiki-Vagrant board.Dec 30 2016, 5:54 AM
gerritbot subscribed.Dec 30 2016, 7:22 PM

Change 329702 had a related patch set uploaded (by BryanDavis):
vagrant: Update LXC packages and apparmor conf for systemd

https://gerrit.wikimedia.org/r/329702

gerritbot added a project: Patch-For-Review.Dec 30 2016, 7:22 PM
gerritbot added a comment.Dec 30 2016, 7:30 PM

Change 329704 had a related patch set uploaded (by BryanDavis):
Enable Jessie LXC container

https://gerrit.wikimedia.org/r/329704

gerritbot added a comment.Dec 30 2016, 7:32 PM

Change 329704 abandoned by BryanDavis:
Enable Jessie LXC container

Reason:
Not intended to be on master

https://gerrit.wikimedia.org/r/329704

gerritbot added a comment.Dec 30 2016, 7:35 PM

Change 329705 had a related patch set uploaded (by BryanDavis):
Enable Jessie LXC container

https://gerrit.wikimedia.org/r/329705

bd808 mentioned this in T154340: Make role::labs::mediawiki_vagrant work on Debian Jessie host systems.Dec 30 2016, 11:07 PM
bd808 moved this task from To Do to In Dev/Progress on the User-bd808 board.
bd808 moved this task from In Dev/Progress to Needs Review/Feedback on the User-bd808 board.
gerritbot added a comment.Jan 11 2017, 12:27 PM

Change 329702 merged by Alexandros Kosiaris:
vagrant: Update LXC packages and apparmor conf for systemd

https://gerrit.wikimedia.org/r/329702

gerritbot added a comment.Feb 1 2017, 3:40 AM

Change 329705 merged by jenkins-bot:
Enable Jessie LXC container

https://gerrit.wikimedia.org/r/329705

bd808 closed this task as Resolved.Feb 1 2017, 3:40 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL