As you might have guessed I’m revisiting some LXC issues lately, as I said I’m using it in my work here in the US right now, and also because an user asked me about a few things in the past few days.
One of the issues he brought up is that I didn’t bother to update to 0.8.0 yet, which is true because when I briefly tried it from GIT last month it had some issues, and I wanted to wait for the final to be released, but maybe it’s not that good an idea since I hit another issue now, so I’m bumping it as we speak.
Interestingly enough, one feature of the latest kernel (3.3) seems to break with a feature of the new LXC. Since, as I said in the previous post the cgroup feature is getting used in new and new contexts, it seems like LXC finally decided to create hierarchical control groups, akin to what OpenRC and systemd do.
Unfortunately, it seems like you can’t create a sub-group on a netprio
control group, which is the new network priority group introduced with kernel 3.3. The previous LXC version (0.7.5) works fine with that network priority group inserted — I think this here is a bug in the Linux kernel though. I just don’t have the time to go fix it now.
Of course this is not all (you wish, huh?). One of the interesting features of LXC allows launching commands within a container, without having to launch the container itself. This is something I wanted to use here, simply because we’ll get lots of containers at that point, most likely. To do this you use the lxc-execute
command, which in turn uses a binary called lxc-init
to wait for the processes to complete before tearing down the container.
This command uses POSIX Message Queues (Posix MQs) to pass the information around, making it the second project I have ever seen using that stuff. Anyway there is now a check in the ebuild that warns you if you have the feature disabled.
You’d also think that since LXC uses its own lxc-init
to run within the container, you’ll get the binary bound by default? Nope, you’ve got to add it yourself. Well, at least it’ll be a static binary that works out of the box? Nope again, the binary is actually linked to the shared liblxc.so.0
shared object. So it’s just a matter of linking it to the static archive instead? Hahaha, we wish.
It seems like IBM (or at least Lezcano who maintains LXC) don’t like libtool
, they don’t understand it, and they don’t understand why we would need it (hint: because they don’t understand shared object versioning is already a good answer), so they simply decided to … create only the shared object library by using a dirty hack in automake that was not even supposed to work: the shared object is declared as a PROGRAM
target.
Now why would I blame IBM here? People before complained that I shouldn’t be forcing this upon IBM, as Lezcano just happen to work for them. Nope, check the AUTHORS file, it says “IBM Corporation” in there; that means the code is intended to come as a corporate contribution, and the fact that its buildsystem sucks big time is IBM’s own fault!
Would it be easy to fix this issue? Probably yes, but I know that I’ll have to maintain it forever since upstream doesn’t care. I would also probably bet that LXC could start using multi-call binaries rather than the current situation, so that you don’t have internal dependencies at least, as the library is the biggest part of all, and the commands are all at most 10KiB.
Anyway for now there is a patch in the Gentoo ebuild for 0.8.0_rc1-r1, which changes the build system to use libtool
, and link lxc-init
statically. This is disabled if you turn the vanilla USE flag on, the same way I’ve done before for the init script, since upstream is probably not going to like that.
I have a standing patch on my system that rearranges the lxc-execute/lxc-init handoff so that lxc-init is executed prior to pivot_root. The patched lxc-init then pauses until it is notified that the pivot has completed, then it runs as normal. This allows you to completely avoid placing any LXC binaries in the container. It forces use of a lazy umount of the host’s /usr/lib in the container, since the lxc-init process has a mapped file from that filesystem. However, since LXC already supported lazy unmounts and the host will never be able to unmount it while the container is open (due to lxc-execute keeping the filesystem busy), I consider this an acceptable price for keeping the container clean.
Kevin would you mind mailing me the patch? I would love to integrate it into the ebuild, while we’re at it, especially since that would make my tinderbox scripts _much_ simpler.