debian 8.6 lxc template with systemd - feature request

EuroDomenii (Well-Known Member, Sep 30, 2016, Slatina, www.domenii.eu)
RATIONALE

The default proxmox debian 8 template, debian-8.0-standard_8.4-1_amd64.tar.gz 20-Apr-2016 12:16, from http://download.proxmox.com/images/system/ , ships with sysv.

(See “If I remember correctly, there is a problem with nested systemd. Therefore the Debian 8 template ships with sysvinit instead of systemd.” #2 LnxBil, Jul 31, 2016, https://forum.proxmox.com/threads/systemd-not-starting-on-lxc.28447/#post-143593 ). To test your current LXC, run “ps -p 1 -o comm=”. If it returns init, it is sysv. If it returns systemd, it’s obvious.

On the other hand, the problem is solved now for Debian LXC: “The versions in both jessie and stretch support systemd in the container just fine for Debian guests.” https://wiki.debian.org/LXC#Incompatibility_with_systemd

This is an important feature, I guess some applications rely on systemd. For my particular use case, installing http://www.ispconfig.org/ works with sysv, but fails to generate vhost files. My workaround is to manually copy the generated vhost.err files to the genuine vhost file and restart apache2.

Furthermore, I consider that the debian 8 template is the most important LXC template for Proxmox. Since the host system is Debian 8 with an Ubuntu based kernel, you should always be safe if the container OS is also Debian 8 ( see https://forum.proxmox.com/threads/p...stability-after-host-os-kernel-upgrade.29573/ ). Btw, Tom https://forum.proxmox.com/members/tom.193/ is running his production LXCs with Debian.

There are 2 workarounds at the moment, neither of them working yet.

WORKAROUND 1 - Using standard LXC images

Following Dietmar's suggestion "You can also use standard LXC images: https://images.linuxcontainers.org/images/ " via https://forum.proxmox.com/threads/l...common-linux-distributions.25947/#post-130172

I have used https://uk.images.linuxcontainers.org/images/debian/jessie/amd64/default/20161107_22:42/ ( only rootfs.tar.xz is needed ).

Take care to download the template into /var/lib/vz/template/cache, otherwise pct create will fail ( apparmor restriction ).

It isn’t so important that this image is really minimal, lacking ssh or wget ( those could be installed manually ).

Fortunately, this image ships with systemd by default. Unfortunately, I couldn’t yet install IspConfig with a standard LXC debian template inside proxmox, because the installer hangs in different places (I didn’t have these issues with the standard proxmox debian-8.0-standard_8.4-1_amd64.tar.gz).

It’s worth mentioning that the container is not limited at cpu or memory level.

The failing moments aren’t random. First php5-fpm, then memcached, then startup packages.

Code:
status half-configured php5-fpm:amd64 5.6.27+dfsg-0+deb8u1
status half-configured memcached:amd64 1.4.21-1.1+deb8u1

A temporary workaround is to manually install those packages (php5-fpm, memcached) before the general ispconfig installer, but that didn’t work for the startup packages. Anyway, this is a stupid solution. The root cause remains unknown for the moment.

WORKAROUND 2 - replace sysv with systemd for proxmox lxc debian 8

Following the steps from https://wiki.debian.org/systemd#Configuring_as_default

Code:
apt-get update
apt-get install systemd
apt-get install systemd-sysv
reboot
ps -p 1 -o comm=
( the test output must be systemd )

Can't use https://wiki.debian.org/systemd#Debugging, there's no /etc/default/grub inside the container.

Even though at first glance this looks promising, the problems show up very soon, so I am stuck with this branch as well.

After trying apt-get install ntp ntpdate, I get

Code:
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Failed to get D-Bus connection: No such file or directory
Failed to get D-Bus connection: No such file or directory
Failed to get D-Bus connection: No such file or directory
invoke-rc.d: initscript ntp, action "start" failed.


Thanks!
Code:
apt install systemd-sysv
reboot
apt install ntp ntpdate

works just fine on a container installed with our Debian Jessie template with Sys V init.

Code:
root@CT102:/# ps -p 1 -o comm
COMMAND
systemd
root@CT102:/# apt install ntp ntpdate
Reading package lists... Done
Building dependency tree      
Reading state information... Done
The following extra packages will be installed:
  libopts25 lockfile-progs
Suggested packages:
  ntp-doc
The following NEW packages will be installed:
  libopts25 lockfile-progs ntp ntpdate
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/549 kB of archives.
After this operation, 1,769 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Selecting previously unselected package libopts25:amd64.
(Reading database ... 21422 files and directories currently installed.)
Preparing to unpack .../libopts25_1%3a5.18.4-3_amd64.deb ...
Unpacking libopts25:amd64 (1:5.18.4-3) ...
Selecting previously unselected package ntp.
Preparing to unpack .../ntp_1%3a4.2.6.p5+dfsg-7+deb8u2_amd64.deb ...
Unpacking ntp (1:4.2.6.p5+dfsg-7+deb8u2) ...
Selecting previously unselected package ntpdate.
Preparing to unpack .../ntpdate_1%3a4.2.6.p5+dfsg-7+deb8u2_amd64.deb ...
Unpacking ntpdate (1:4.2.6.p5+dfsg-7+deb8u2) ...
Selecting previously unselected package lockfile-progs.
Preparing to unpack .../lockfile-progs_0.1.17_amd64.deb ...
Unpacking lockfile-progs (0.1.17) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u5) ...
Setting up libopts25:amd64 (1:5.18.4-3) ...
Setting up ntp (1:4.2.6.p5+dfsg-7+deb8u2) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Setting up ntpdate (1:4.2.6.p5+dfsg-7+deb8u2) ...
Setting up lockfile-progs (0.1.17) ...
Processing triggers for libc-bin (2.19-18+deb8u6) ...

Following your reply, I have retested. Indeed it works in a privileged container, but it fails with an unprivileged container.
Btw, did you upgrade from 8.4 to 8.6? I didn't see any apt-get dist-upgrade
 
Following your reply, I have retested. Indeed it works in a privileged container, but it fails with an unprivileged container.
Btw, did you upgrade from 8.4 to 8.6? I didn't see any apt-get dist-upgrade

yes, of course I dist-upgrade first ;)

it seems you are correct, the systemd contained in jessie cannot start the dbus service in unprivileged containers because of the OOMScoreAdjust directive in dbus.service (which is there to make dbus less likely to be killed in OOM situations). see https://github.com/lxc/lxc/issues/431 for details

thanks to michael prokop, there is a backport of systemd 230 in jessie-backports, which seems to not be affected by this (see attached file for a transcript).

note that you will see a lot of log messages stating that systemd "Failed to reset devices.list on /system.slice[...]", those are harmless (in unprivileged containers that cgroup value is not writable and systemd is very verbose in logging this ;))

Attachments: forum.txt (10.6 KB)
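Pulling the checks from this thread into one place, as an added example that is not code from the thread or from Proxmox: the "ps -p 1 -o comm=" test from the first post, whether the container is unprivileged (read from /proc/self/uid_map), the systemd major version from "systemctl --version", and whether dbus.service carries the OOMScoreAdjust= directive that the reply above identifies as the trigger. The 230 threshold and the file paths come from the thread; the function names and the sample uid_map, version string and unit text at the bottom are constructed here so the script also runs outside a container.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: pre-flight checks
# for running systemd inside a Proxmox LXC container. Each check is a function
# that takes text as an argument, so it works on live files or on the
# constructed samples at the bottom.

# Init system from the PID 1 command name, as in the "ps -p 1 -o comm=" test:
# "init" means sysvinit, "systemd" means systemd.
classify_init() {
    case "$1" in
        systemd) echo systemd ;;
        init)    echo sysv ;;
        *)       echo "unknown ($1)" ;;
    esac
}

# Privileged containers map uid 0 to host uid 0 over the full 32-bit range
# ("0 0 4294967295" in /proc/self/uid_map); any other map is a user namespace,
# i.e. an unprivileged container.
classify_uid_map() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*0[[:space:]]+0[[:space:]]+4294967295[[:space:]]*$'; then
        echo privileged
    else
        echo unprivileged
    fi
}

# Major version from the first line of "systemctl --version" ("systemd 215").
systemd_major() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the unit text sets OOMScoreAdjust=, the directive that keeps the
# jessie systemd from starting dbus in an unprivileged container.
unit_sets_oom_adjust() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*OOMScoreAdjust[[:space:]]*='
}

# Combine the findings. Returns 1 (at risk) for the case from the thread:
# unprivileged container, systemd older than the 230 backport, and
# dbus.service carrying OOMScoreAdjust=.
assess() {
    # $1: uid_map text, $2: systemctl --version text, $3: dbus.service text
    priv=$(classify_uid_map "$1")
    major=$(systemd_major "$2")
    if unit_sets_oom_adjust "$3"; then oom=yes; else oom=no; fi
    if [ "$priv" = unprivileged ] && [ "${major:-0}" -lt 230 ] && [ "$oom" = yes ]; then
        echo "at-risk: unprivileged container, systemd ${major:-unknown}, dbus.service sets OOMScoreAdjust"
        return 1
    fi
    echo "ok: $priv container, systemd ${major:-unknown}, OOMScoreAdjust=$oom"
}

# Constructed samples (assumption: what a jessie container with systemd 215
# would show; not captured from a real system).
SAMPLE_UID_MAP='         0     100000      65536'
SAMPLE_VERSION='systemd 215
+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR'
SAMPLE_DBUS_UNIT='[Unit]
Description=D-Bus System Message Bus

[Service]
ExecStart=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
OOMScoreAdjust=-900'

# Use the live files when they are all readable, the samples otherwise.
main() {
    if [ -r /proc/self/uid_map ] && [ -r /lib/systemd/system/dbus.service ] && command -v systemctl >/dev/null 2>&1; then
        set -- "$(cat /proc/self/uid_map)" "$(systemctl --version 2>/dev/null)" "$(cat /lib/systemd/system/dbus.service)"
    else
        set -- "$SAMPLE_UID_MAP" "$SAMPLE_VERSION" "$SAMPLE_DBUS_UNIT"
    fi
    if assess "$1" "$2" "$3"; then
        echo "dbus.service should start under this systemd"
    else
        echo "expect 'Failed to get D-Bus connection' until systemd 230 from jessie-backports is installed"
    fi
    echo "PID 1 here: $(classify_init "$(ps -p 1 -o comm= 2>/dev/null)")"
}
main
```

Run it inside the container (as root, after apt-get install systemd-sysv and the reboot) and it reads the live files; anywhere else it falls back to the samples, which reproduce the at-risk verdict for the jessie 215 case.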
Another template: http://download.morph027.de/debian-8.0-minimal_8.6-1_amd64.tar.gz

- using systemd from jessie-backports
- htop
- vim
- bash-completion
- tzdata: Europe/Berlin (dpkg-reconfigure tzdata to change)
- locales: en_US.UTF-8

I can't create an unpriv container with it:

Code:
extracting archive '/bds/NAS/Backups/proxmox/template/cache/debian-8.0-minimal_8.6-1_amd64.tar.gz'
tar: /bds/NAS/Backups/proxmox/template/cache/debian-8.0-minimal_8.6-1_amd64.tar.gz: Cannot open: Permission denied
tar: Error is not recoverable: exiting now
TASK ERROR: command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf /bds/NAS/Backups/proxmox/template/cache/debian-8.0-minimal_8.6-1_amd64.tar.gz --totals --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-xattr-write' -C /var/lib/lxc/124/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2
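The failure in that task log is consistent with how an unprivileged create works: pct runs tar under lxc-usernsexec -m u:0:100000:65536, so the archive is opened as host uid 100000 rather than as root, and a template sitting on a NAS path that uid cannot traverse or read produces exactly this "Cannot open: Permission denied" (the first post's advice to keep templates in /var/lib/vz/template/cache addresses the same thing). As an added example, not code from the thread or from Proxmox, the script below translates such a -m u:... mapping to the host uid and walks the path checking the mode bits that uid would need; the function names mapped_host_uid, perm_digit_for and path_readable_by are chosen here, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox. Assumes GNU stat
# (Debian/Proxmox hosts have it) and the mapping syntax lxc-usernsexec shows
# in the task log: -m u:<container-uid>:<host-uid>:<count>.

# Translate a container uid through one "u:start:hoststart:count" mapping.
# Prints the host uid, or fails when the uid is outside the mapped range.
mapped_host_uid() {
    # $1: mapping, $2: container uid
    cstart=$(printf '%s' "$1" | cut -d: -f2)
    hstart=$(printf '%s' "$1" | cut -d: -f3)
    count=$(printf '%s' "$1" | cut -d: -f4)
    if [ "$2" -lt "$cstart" ] || [ "$2" -ge $((cstart + count)) ]; then
        return 1
    fi
    echo $((hstart + $2 - cstart))
}

# The rwx digit (0-7) that applies when uid/gid opens the path: owner bits if
# the uid owns it, group bits if the gid matches, otherwise the "other" bits.
perm_digit_for() {
    # $1: path, $2: uid, $3: gid
    [ -e "$1" ] || return 1
    set -- "$1" "$2" "$3" $(stat -c '%u %g %a' "$1")   # $4 owner, $5 group, $6 mode
    mode=$(printf '%03d' "$6")
    mode=${mode#"${mode%???}"}                         # drop a leading setuid/sticky digit
    if [ "$4" -eq "$2" ]; then
        echo "${mode%??}"
    elif [ "$5" -eq "$3" ]; then
        mode=${mode#?}; echo "${mode%?}"
    else
        echo "${mode#??}"
    fi
}

# Exit 0 when uid/gid could read the file, judged by mode bits alone: every
# parent directory needs the search (x) bit, the file itself the read bit.
# ACLs, NFS root_squash and AppArmor are not modelled; uid 0 is assumed to bypass.
path_readable_by() {
    # $1: path, $2: uid, $3: gid
    [ "$2" -eq 0 ] && return 0
    case $1 in /*) f=$1 ;; *) f=$PWD/$1 ;; esac
    d=$(dirname "$f")
    while :; do
        x=$(perm_digit_for "$d" "$2" "$3") || return 1
        if [ $((x & 1)) -eq 0 ]; then
            echo "uid $2 cannot search $d (mode digit $x)"
            return 1
        fi
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    r=$(perm_digit_for "$f" "$2" "$3") || return 1
    if [ $((r & 4)) -eq 0 ]; then
        echo "uid $2 cannot read $f (mode digit $r)"
        return 1
    fi
    echo "uid $2 can read $f"
}

# Constructed demo: a scratch directory stands in for the NAS path. First with
# permissions that produce "Cannot open: Permission denied", then corrected.
demo() {
    host_uid=$(mapped_host_uid u:0:100000:65536 0)    # container root -> host uid 100000
    tmp=$(mktemp -d)
    tpl=$tmp/debian-8.0-minimal_8.6-1_amd64.tar.gz
    : > "$tpl"
    chmod 700 "$tmp" && chmod 600 "$tpl"
    path_readable_by "$tpl" "$host_uid" "$host_uid" || echo "-> tar under lxc-usernsexec would fail here"
    chmod 755 "$tmp" && chmod 644 "$tpl"
    path_readable_by "$tpl" "$host_uid" "$host_uid"
    rm -rf "$tmp"
}
demo
```

Mode bits are only one way to get this error; if the check passes and the create still fails, the remaining suspects are the ones the script does not model (ACLs, NFS root_squash, AppArmor), and the last word is running pct create again after copying the template into /var/lib/vz/template/cache.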
 
I would suggest you take a look at DAB and create your own template. It is more secure than relying on some unknown 3rd party and it allows you to customize the template according to your requirements.

Note however that DAB blocks the installation of systemd by default (see link1, link2). You have to edit
/usr/share/perl5/PVE/DAB.pm and comment line 461 (link1) and remove systemd, systemd-sysv and udev from line 463 (link2).

There are plenty of DAB makefiles available on the internet that will help you get started (e.g. Proxmox DAB templates, Github etc.). I've also created a DAB example repo at BitBucket that has makefiles for Debian Jessie & systemd. I've been using these templates for months now with both priv. and unpriv. (unpriv only a couple of weeks) LXC containers and haven't had any issues so far.