debian 8.6 lxc template with systemd - feature request

Discussion in 'Proxmox VE: Installation and configuration' started by EuroDomenii, Nov 9, 2016.

  1. EuroDomenii

    EuroDomenii Member
    Proxmox Subscriber

    RATIONALE

    The default proxmox debian 8 template, debian-8.0-standard_8.4-1_amd64.tar.gz 20-Apr-2016 12:16, from http://download.proxmox.com/images/system/ , ships with sysv.

    (See “If I remember correctly, there is a problem with nested systemd. Therefore the Debian 8 template ships with sysvinit instead of systemd.” #2 LnxBil, Jul 31, 2016, https://forum.proxmox.com/threads/systemd-not-starting-on-lxc.28447/#post-143593 ). To test your current LXC run “ ps -p 1 -o comm= ”. If it returns init, it is sysv. If it returns systemd, it’s obvious.

    On the other hand, the problem is solved now for Debian LXC: “The versions in both jessie and stretch support systemd in the container just fine for Debian guests.” https://wiki.debian.org/LXC#Incompatibility_with_systemd

    This is an important feature, I guess some applications rely on systemd. For my particular use case, installing http://www.ispconfig.org/ works with sysv, but fails to generate vhost files. My workaround is to copy manually the vhost.err generated files to the genuine vhost file and restart apache2.

    Furthermore, I consider that the debian 8 template is the most important LXC template for Proxmox. Since the host system is Debian 8 with an Ubuntu based kernel, you should always be safe if the container OS is also Debian 8 ( see https://forum.proxmox.com/threads/p...stability-after-host-os-kernel-upgrade.29573/ ). Btw, Tom https://forum.proxmox.com/members/tom.193/ is running his production LXCs with Debian.

    There are 2 workarounds at the moment, neither of them working yet.

    WORKAROUND 1 - Using standard LXC images

    Following Dietmar's suggestion "You can also use standard LXC images: https://images.linuxcontainers.org/images/ " via https://forum.proxmox.com/threads/l...common-linux-distributions.25947/#post-130172

    I have used https://uk.images.linuxcontainers.org/images/debian/jessie/amd64/default/20161107_22:42/ ( only rootfs.tar.xz is needed ).

    Take care to download the template in /var/lib/vz/template/cache, otherwise pct create will fail ( apparmor restriction)

    It isn’t so important that this image is really minimal, lacking ssh or wget ( those could be installed manually ).

    Fortunately, this image ships with systemd by default. Unfortunately, I couldn’t yet install ISPConfig with a standard LXC debian template inside Proxmox, because the installer hangs in different places (I didn’t have these issues with the standard Proxmox debian-8.0-standard_8.4-1_amd64.tar.gz).

    It’s worth mentioning that the container is not limited at the CPU or memory level.

    The failing moments aren’t random. First php5-fpm, then memcached, then the startup packages.

    “status half-configured php5-fpm:amd64 5.6.27+dfsg-0+deb8u1”
    “status half-configured memcached:amd64 1.4.21-1.1+deb8u1”


    A temporary workaround is to manually install those packages (php5-fpm, memcached) before the general ISPConfig installer, but this didn’t work for the startup packages. Anyway, this is a stupid solution. The root cause remains unknown for the moment.

    WORKAROUND 2 - replace sysv with systemd for proxmox lxc debian 8


    Following the steps from https://wiki.debian.org/systemd#Configuring_as_default

    Code:
    apt-get update && apt-get install systemd
    apt-get install systemd-sysv
    reboot
    ps -p 1 -o comm=
    
    ( the test must return systemd )

    I can't use https://wiki.debian.org/systemd#Debugging, there's no /etc/default/grub inside the container.

    Even if at first glance this looks promising, the problems show up very soon, so I am also stuck with this branch.

    After trying apt-get install ntp ntpdate, I get

    “update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
    update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
    Failed to get D-Bus connection: No such file or directory
    Failed to get D-Bus connection: No such file or directory
    Failed to get D-Bus connection: No such file or directory
    invoke-rc.d: initscript ntp, action "start" failed.”


    Thanks!
     
    #1 EuroDomenii, Nov 9, 2016
    Last edited: Nov 9, 2016
  2. fabian

    fabian Proxmox Staff Member
    Staff Member

    Code:
    apt install systemd-sysv
    reboot
    apt install ntp ntpdate
    
    works just fine on a container installed with our Debian Jessie template with Sys V init.

    Code:
    root@CT102:/# ps -p 1 -o comm
    COMMAND
    systemd
    root@CT102:/# apt install ntp ntpdate
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    The following extra packages will be installed:
      libopts25 lockfile-progs
    Suggested packages:
      ntp-doc
    The following NEW packages will be installed:
      libopts25 lockfile-progs ntp ntpdate
    0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0 B/549 kB of archives.
    After this operation, 1,769 kB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    Selecting previously unselected package libopts25:amd64.
    (Reading database ... 21422 files and directories currently installed.)
    Preparing to unpack .../libopts25_1%3a5.18.4-3_amd64.deb ...
    Unpacking libopts25:amd64 (1:5.18.4-3) ...
    Selecting previously unselected package ntp.
    Preparing to unpack .../ntp_1%3a4.2.6.p5+dfsg-7+deb8u2_amd64.deb ...
    Unpacking ntp (1:4.2.6.p5+dfsg-7+deb8u2) ...
    Selecting previously unselected package ntpdate.
    Preparing to unpack .../ntpdate_1%3a4.2.6.p5+dfsg-7+deb8u2_amd64.deb ...
    Unpacking ntpdate (1:4.2.6.p5+dfsg-7+deb8u2) ...
    Selecting previously unselected package lockfile-progs.
    Preparing to unpack .../lockfile-progs_0.1.17_amd64.deb ...
    Unpacking lockfile-progs (0.1.17) ...
    Processing triggers for man-db (2.7.0.2-5) ...
    Processing triggers for systemd (215-17+deb8u5) ...
    Setting up libopts25:amd64 (1:5.18.4-3) ...
    Setting up ntp (1:4.2.6.p5+dfsg-7+deb8u2) ...
    update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
    Setting up ntpdate (1:4.2.6.p5+dfsg-7+deb8u2) ...
    Setting up lockfile-progs (0.1.17) ...
    Processing triggers for libc-bin (2.19-18+deb8u6) ...
    
     
  3. EuroDomenii

    EuroDomenii Member
    Proxmox Subscriber

    Following your reply, I have retested. Indeed it works in a privileged container, but it fails with an unprivileged container.
    Btw, did you upgrade from 8.4 to 8.6 ? I didn't see any apt-get dist-upgrade
     
  4. fabian

    fabian Proxmox Staff Member
    Staff Member

    yes, of course I dist-upgrade first ;)

    it seems you are correct, the systemd contained in jessie cannot start the dbus service in unprivileged containers because of the OOMScoreAdjust directive in dbus.service (which is there to make dbus less likely to be killed in OOM situations). see https://github.com/lxc/lxc/issues/431 for details

    thanks to michael prokop, there is a backport of systemd 230 in jessie-backports, which seems to not be affected by this (see attached file for a transcript).

    note that you will see a lot of log messages stating that systemd "Failed to reset devices.list on /system.slice[...]", those are harmless (in unprivileged containers that cgroup value is not writable and systemd is very verbose in logging this ;))
     

    Attached Files:

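
The check from post #1 (`ps -p 1 -o comm=`), the systemd-sysv switch from Workaround 2, and fabian's diagnosis above (jessie's dbus.service cannot apply its OOMScoreAdjust= directive in an unprivileged container) folded into one script that can be run inside a guest before switching init. This is an added example, not code from the thread or from Proxmox. Assumptions: the container type is derived from /proc/self/uid_map (a privileged container or the host maps `0 0 4294967295`, an unprivileged one maps a shifted range such as `0 100000 65536`), PID 1 is read from /proc/1/comm instead of ps, and Debian's unit lives at /lib/systemd/system/dbus.service with `OOMScoreAdjust=-900` as in the jessie dbus package. Each check takes its input as an argument so it can be exercised on constructed data; main() feeds it live data.

```shell
#!/bin/sh
# Added example, not from the thread. Answers three questions inside an LXC
# guest: is the container unprivileged, is PID 1 systemd or sysvinit, and does
# the installed dbus.service carry the OOMScoreAdjust= directive that makes
# dbus fail to start under jessie's systemd in an unprivileged container.

# /proc/self/uid_map holds "inside-id host-id count" triples. The host and a
# privileged container map "0 0 4294967295"; an unprivileged container maps a
# shifted range such as "0 100000 65536" (the u:0:100000:65536 mapping that
# appears in Jero's pct error output).
classify_uid_map() {
    set -- $1                      # word-split: first triple becomes $1..$3
    if [ "${2:-}" = "0" ] && [ "${3:-}" = "4294967295" ]; then
        echo privileged
    else
        echo unprivileged
    fi
}

# The thread's own test: "ps -p 1 -o comm=" prints "init" for sysvinit and
# "systemd" for systemd. Normalise that string.
classify_init() {
    case "$1" in
        systemd) echo systemd ;;
        init)    echo sysvinit ;;
        *)       echo "unknown($1)" ;;
    esac
}

# Assumption: Debian's dbus.service is at /lib/systemd/system/dbus.service and
# the jessie version contains "OOMScoreAdjust=-900". Returns 0 if the unit
# text passed in carries the directive, 1 otherwise.
unit_has_oom_adjust() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*OOMScoreAdjust='
}

# Combine the three answers into the recommendation given in this thread.
advise() {
    priv=$1; init=$2; oom=$3
    if [ "$priv" = unprivileged ] && [ "$init" = systemd ] && [ "$oom" = yes ]; then
        echo "dbus will fail to start; install systemd from jessie-backports (>= 230)"
    elif [ "$priv" = unprivileged ] && [ "$init" = sysvinit ] && [ "$oom" = yes ]; then
        echo "switching to systemd-sysv here will break dbus; use the backport"
    else
        echo "no known dbus problem for this combination"
    fi
}

main() {
    uid_map=$(cat /proc/self/uid_map 2>/dev/null || echo "0 0 4294967295")
    comm=$(cat /proc/1/comm 2>/dev/null || echo unknown)
    unit=$(cat /lib/systemd/system/dbus.service 2>/dev/null || true)
    priv=$(classify_uid_map "$uid_map")
    init=$(classify_init "$comm")
    if unit_has_oom_adjust "$unit"; then oom=yes; else oom=no; fi
    echo "container: $priv, pid1: $init, dbus OOMScoreAdjust: $oom"
    advise "$priv" "$init" "$oom"
}

main "$@"
```

Run it as root inside the container (`sh check_init.sh`). The "Failed to reset devices.list" messages fabian mentions are a separate, harmless symptom and are not what this script looks for; it only flags the dbus.service directive that actually prevents the service from starting.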
  5. diabolus

    diabolus New Member

  6. morph027

    morph027 Active Member

  7. Jero

    Jero Member


    I can't create an unpriv container with it:

    Code:
    extracting archive '/bds/NAS/Backups/proxmox/template/cache/debian-8.0-minimal_8.6-1_amd64.tar.gz'
    tar: /bds/NAS/Backups/proxmox/template/cache/debian-8.0-minimal_8.6-1_amd64.tar.gz: Cannot open: Permission denied
    tar: Error is not recoverable: exiting now
    TASK ERROR: command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf /bds/NAS/Backups/proxmox/template/cache/debian-8.0-minimal_8.6-1_amd64.tar.gz --totals --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-xattr-write' -C /var/lib/lxc/124/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2
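
The failure above is a host-side permission problem rather than a template problem: pct unpacks the archive through `lxc-usernsexec` with root mapped to uid/gid 100000, so the template file and every directory above it must be readable (and searchable) by that unrelated id, which a NAS path with restrictive directory modes typically is not. The following is an added example, not code from the thread or from Proxmox, that reproduces the classic owner/group/other decision from `stat` output and walks the path chain. Assumptions: GNU `stat -c` on the host, no ACLs on the path (the tar options above preserve ACLs but the decision here ignores them), and the `u:0:100000:65536` mapping from the error, so mapped root is uid 100000. The `stat_real` function and the hypothetical `fake_*` providers used for testing are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the host uid that an
# unprivileged container's root is mapped to (100000 in the error above) can
# read a template file, by evaluating stat output for the file and for every
# ancestor directory. Assumptions: GNU stat, no ACLs.

# Pure decision: given an octal mode, the file's uid/gid, the mapped uid/gid
# and a bit ('r' or 'x'), succeed if the mapped id holds that bit.
mapped_has_bit() {
    mode=$1; uid=$2; gid=$3; muid=$4; mgid=$5; bit=$6
    last3=${mode#"${mode%???}"}             # drop a leading setuid/setgid/sticky digit
    case "$last3" in
        [0-7][0-7][0-7]) ;;
        *) echo "bad mode: $mode" >&2; return 2 ;;
    esac
    if [ "$uid" = "$muid" ]; then
        digit=${last3%??}                   # owner triple
    elif [ "$gid" = "$mgid" ]; then
        rest=${last3#?}; digit=${rest%?}    # group triple
    else
        digit=${last3#??}                   # other triple: the usual case for 100000
    fi
    case "$bit" in
        r) mask=4 ;;
        x) mask=1 ;;
        *) echo "bad bit: $bit" >&2; return 2 ;;
    esac
    [ $(( digit & mask )) -ne 0 ]
}

# Default stat provider: "mode uid gid" for a path (GNU coreutils stat).
stat_real() { stat -c '%a %u %g' "$1"; }

# Walk from / down to TARGET, requiring 'x' on every directory and 'r' on the
# file. Prints the first blocking component and returns 1, or prints success
# and returns 0. The fourth argument names the stat provider (for testing).
# Paths containing spaces are not supported by this simple word-split walk.
mapped_can_read_path() {
    target=$1; muid=$2; mgid=$3; statfn=${4:-stat_real}
    dir=$(dirname -- "$target")
    chain=""
    while [ "$dir" != "/" ] && [ -n "$dir" ]; do
        chain="$dir $chain"                 # prepend, so / is checked first
        dir=$(dirname -- "$dir")
    done
    for d in $chain; do
        info=$("$statfn" "$d") || { echo "cannot stat $d"; return 1; }
        set -- $info
        mapped_has_bit "$1" "$2" "$3" "$muid" "$mgid" x \
            || { echo "no search (x) for uid $muid on $d"; return 1; }
    done
    info=$("$statfn" "$target") || { echo "cannot stat $target"; return 1; }
    set -- $info
    mapped_has_bit "$1" "$2" "$3" "$muid" "$mgid" r \
        || { echo "no read (r) for uid $muid on $target"; return 1; }
    echo "uid $muid can read $target"
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 /path/to/template.tar.gz [mapped_uid [mapped_gid]]"; return 0; }
    mapped_can_read_path "$1" "${2:-100000}" "${3:-100000}"
}

main "$@"
```

Run it on the Proxmox host, e.g. `sh check_template.sh /bds/NAS/Backups/proxmox/template/cache/debian-8.0-minimal_8.6-1_amd64.tar.gz`, and fix the component it names (`chmod o+x` on the directory, `chmod o+r` on the file, or move the template to /var/lib/vz/template/cache as post #1 recommends). The definitive confirmation is to read the file under the same mapping pct uses: `lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- cat /path/to/template.tar.gz >/dev/null`.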
     
  8. fkh

    fkh New Member
    Proxmox Subscriber

    I would suggest you take a look at DAB and create your own template. It is more secure than relying on some unknown 3rd party and it allows you to customize the template according to your requirements.

    Note however that DAB blocks the installation of systemd by default (see link1, link2). You have to edit
    /usr/share/perl5/PVE/DAB.pm and comment line 461 (link1) and remove systemd, systemd-sysv and udev from line 463 (link2).

    There are plenty of DAB makefiles available on the internet that will help you get started (e.g. Proxmox DAB templates, GitHub etc.). I've also created a DAB example repo at Bitbucket that has makefiles for Debian Jessie & systemd. I've been using these templates for months now with both priv. and unpriv. (unpriv only for a couple of weeks) LXC containers and haven't had any issues so far.
     