10 Replies Latest reply: Nov 3, 2012 7:20 AM by jwmitchell

    LXC and X

    jwmitchell
      I've been able to successfully bring up an OL6 container on an OL6 host. lxc-console works great to connect. SSH worked great until I installed the xorg-x11-xauth.x86_64 package in the container. Now every time I connect to the container via ssh -x root@host I get the following error displayed on the console in the container:

      [root@host ~]# Unable to get valid context for root
      Last login: Wed Oct 24 21:53:20 2012
      /usr/bin/xauth: error while loading shared libraries: libXau.so.6: cannot open shared object file: Permission denied
      -bash: cannot set terminal process group (-1): Inappropriate ioctl for device
      -bash: no job control in this shell

      After this point the container's console is completely messed up; it's impossible to use. The only solution is to use lxc-kill to stop the container.

      And the ssh session which was attempting to be established just hangs as well.

      I've googled around a lot but can't seem to find this exact issue. I've read several posts of people tunneling X over SSH in a container so I can't figure out what I'm doing wrong. Here is the config for the container:

      lxc.utsname = elevendbc1
      #lxc.tty = 4
      lxc.tty = 1
      lxc.pts = 1024
      lxc.rootfs = /container/elevendbc1
      lxc.mount = /etc/lxc/elevendbc1/fstab
      #networking
      lxc.network.type = veth
      lxc.network.flags = up
      lxc.network.link = virbr0
      lxc.network.name = eth0
      lxc.network.mtu = 1500
      #cgroups
      lxc.cgroup.devices.deny = a
      # /dev/null and zero
      lxc.cgroup.devices.allow = c 1:3 rwm
      lxc.cgroup.devices.allow = c 1:5 rwm
      # consoles
      lxc.cgroup.devices.allow = c 5:1 rwm
      lxc.cgroup.devices.allow = c 5:0 rwm
      lxc.cgroup.devices.allow = c 4:0 rwm
      lxc.cgroup.devices.allow = c 4:1 rwm
      # /dev/{,u}random
      lxc.cgroup.devices.allow = c 1:9 rwm
      lxc.cgroup.devices.allow = c 1:8 rwm
      lxc.cgroup.devices.allow = c 136:* rwm
      lxc.cgroup.devices.allow = c 5:2 rwm
      # rtc
      lxc.cgroup.devices.allow = c 254:0 rwm
        • 1. Re: LXC and X
          Catch-22
          A lowercase x in ssh -x like you have specified disables X forwarding. Regarding the permission problem, have you checked if SELinux could be the reason?
          • 2. Re: LXC and X
            jwmitchell
            Yes, typo on the -x when creating the post. It's correct on the command line.

            As for SELinux, it was already disabled in the container. I also disabled it on the host, which removed one of the errors. This is what's now displayed on the console of the container:

            -bash: cannot set terminal process group (-1): Inappropriate ioctl for device
            -bash: no job control in this shell
            • 3. Re: LXC and X
              Catch-22
              What X server are you running on your client?
              • 4. Re: LXC and X
                jwmitchell
                Tried cygwin/X and MobaXterm. Same results with both.
                • 5. Re: LXC and X
                  Catch-22
                  Looking at your config file:

                  #lxc.tty = 4
                  lxc.tty = 1

                  What happens if you change it back to 4?
                  • 6. Re: LXC and X
                    jwmitchell
                    Doesn't make a difference. I've tried several different numbers, including 0, but nothing's helped. In fact 0 disabled the console.

                    Might be something with the distro - I've read blogs showing this successfully working on gentoo and archlinux. Following those articles still produces the same results for me on OL63. My ultimate goal was to use the containers to play with RAC. I liked that containers are much lighter weight than VirtualBox since my computer isn't the beefiest. Maybe in the next release....
                    • 7. Re: LXC and X
                      jwmitchell
                      Ok, so I found that if I comment out the line
                      lxc.pts=1024
                      from the container's config file and the line
                      devpts /container/elevenbc1/dev/pts devpts defaults 0 0
                      from the container's fstab file, X over SSH works. From what I read, these two lines give the container a private pts filesystem. Not sure why this helps, but hopefully it will save someone else hours of frustration.
                      • 8. Re: LXC and X
                        jwmitchell
                        While researching this further, I came across the following, which seems to describe the issue and solution:

                        http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/Documentation/filesystems/devpts.txt

                        To summarize, the devpts filesystem now supports two modes - single instance (legacy) and multi-instance. Multi-instance mode is enabled if
                        - CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, and
                        - '-o newinstance' mount option is specified while mounting devpts

                        1. Is CONFIG_DEVPTS_MULTIPLE_INSTANCES=Y a compile-time setting of the kernel? Was the UEK2 kernel compiled with this setting?

                        2. Which script on the host should be modified to include the mount option "-o newinstance" flag? I thought perhaps it might occur in the sysinit script but a search for devpts didn't yield any results. I ended up adding it to fstab but it didn't seem to do anything.
                        • 9. Re: LXC and X
                          Catch-22
                          I was actually looking into CONFIG_DEVPTS_MULTIPLE_INSTANCES prior to my last response, and therefore did not bother to mention it.
                          It is enabled in the 2.6.29 mainstream and UEK2 kernel.

                          To find out if you have it enabled in your current kernel:

                          <pre>
                          # grep "CONFIG_DEVPTS" /boot/config-$(uname -r)
                          </pre>

                          You might also want to check the mount(8) man page under "newinstance".
                          • 10. Re: LXC and X
                            jwmitchell
                            So this seems to fix it. Do it to a non-running container.

                            To the container's fstab, add newinstance to the options. I also added ptmxmode=0666 but the permissions weren't set accordingly.
                            devpts  dev/pts  devpts  newinstance,ptmxmode=0666 0 0 
                            Then:

                            rm {container_rootfs}/dev/ptmx
                            mknod -m 666 {container_rootfs}/dev/pts/ptmx c 5 2
                            ln {container_rootfs}/dev/pts/ptmx {container_rootfs}/dev/ptmx
                            rm {container_rootfs}/dev/pts/ptmx

                            Also disable SELinux. Restart the container and X should be happy.
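
An added example, not part of the original thread: a small audit that combines the kernel check from reply 9 with the fstab change from reply 10 and reports whether a container's devpts mount asks for its own instance or falls back to the instance shared with the host. The function names, status strings and sample files are constructed for illustration, and it assumes a kernel that still exposes CONFIG_DEVPTS_MULTIPLE_INSTANCES as described in the thread.

```shell
#!/bin/sh
# Added example: audit a container fstab for a private devpts instance.
# Sample inputs are constructed; function names and paths are hypothetical.

# Print the option field of the first non-comment devpts entry in an fstab.
devpts_opts() {
    awk '$1 !~ /^#/ && $3 == "devpts" { print $4; exit }' "$1"
}

# Return 0 if the comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Classify a container: $1 = kernel config file, $2 = container fstab.
devpts_audit() {
    # Same check as reply 9, but requiring the option to be set to "y".
    if ! grep -q '^CONFIG_DEVPTS_MULTIPLE_INSTANCES=y' "$1" 2>/dev/null; then
        echo "kernel-option-not-set"
        return 0
    fi
    opts=$(devpts_opts "$2")
    if [ -z "$opts" ]; then
        echo "no-devpts-entry"
    elif has_opt "$opts" newinstance; then
        echo "private-instance"      # container gets its own pty namespace
    else
        echo "shared-with-host"      # legacy mode: ptys shared with the host
    fi
}

# Constructed demo: the fstab line from reply 7 versus the one from reply 10.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'CONFIG_DEVPTS_MULTIPLE_INSTANCES=y\n' > "$tmp/kconfig"
    printf 'devpts /container/demo/dev/pts devpts defaults 0 0\n' > "$tmp/before"
    printf 'devpts dev/pts devpts newinstance,ptmxmode=0666 0 0\n' > "$tmp/after"
    echo "before: $(devpts_audit "$tmp/kconfig" "$tmp/before")"
    echo "after:  $(devpts_audit "$tmp/kconfig" "$tmp/after")"
    rm -rf "$tmp"
}
demo
```

On a real host the first argument would be /boot/config-$(uname -r) and the second the container's fstab, such as the file named by lxc.mount in the config above.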