OpenVZ Forum


Home » Mailing lists » Users » How to determine a container from the filesystem?
How to determine a container from the filesystem? [message #45910] Fri, 13 April 2012 20:07 Go to next message
Brad Alexander is currently offline  Brad Alexander
Messages: 11
Registered: October 2011
Junior Member
I just found out through the proxmox-ve forums that running ntp on a
container is considered a Bad Thing. So I am reworking my puppet
installation to disable ntp on the containers...But I was trying to
figure out a foolproof way of looking on the machine and determining
if it is a container or not. The only thing I have found so far is
that /proc/mtrr exists on the physical servers, but not on the
containers. Is this a viable way to make this determination or is
there a better way?

Thanks,
--b
Re: How to determine a container from the filesystem? [message #45912 is a reply to message #45910] Fri, 13 April 2012 22:24 Go to previous messageGo to next message
fruitwerks is currently offline  fruitwerks
Messages: 4
Registered: March 2011
Junior Member
You could run ifconfig and grep for venetX:X or by mac address (all zero)
unless you have chenged that specifically. I physical machine should not
have venetX:X, simply venetX. This may be distribution dependent though, I
am not sure.

- C

On Fri, Apr 13, 2012 at 8:07 PM, Brad Alexander <storm16@gmail.com> wrote:

> I just found out through the proxmox-ve forums that running ntp on a
> container is considered a Bad Thing. So I am reworking my puppet
> installation to disable ntp on the containers...But I was trying to
> figure out a foolproof way of looking on the machine and determining
> if it is a container or not. The only thing I have found so far is
> that /proc/mtrr exists on the physical servers, but not on the
> containers. Is this a viable way to make this determination or is
> there a better way?
>
> Thanks,
> --b
--
____________________________________________________________ ___________________
Any use, dissemination, distribution, posting on Internet bulletin boards,
disclosure or copying of this e-mail or any information contained herein by
or to anyone other than the intended recipient(s) is strictly prohibited.
Use of this content for any other purpose is a violation of International
Copyright Laws.
Re: How to determine a container from the filesystem? [message #45913 is a reply to message #45912] Fri, 13 April 2012 22:36 Go to previous messageGo to next message
jjs - mainphrame is currently offline  jjs - mainphrame
Messages: 44
Registered: January 2012
Member
Unfortunately that won't work if you are using only bridged networking - I
don't have any venet devices on my servers.

My host has only lo, ethx, brx, and vethnnxx devices, and the containers
have only lo and ethx devices.

The puppet "facter" program is able to figure out if if a machine is a vz
CT or a vz host, but I haven't looked into how it does it.

Joe

On Fri, Apr 13, 2012 at 3:24 PM, Corey Carpenter <fruitwerks@gmail.com>wrote:

> You could run ifconfig and grep for venetX:X or by mac address (all zero)
> unless you have chenged that specifically. I physical machine should not
> have venetX:X, simply venetX. This may be distribution dependent though, I
> am not sure.
>
> - C
>
>
> On Fri, Apr 13, 2012 at 8:07 PM, Brad Alexander <storm16@gmail.com> wrote:
>
>> I just found out through the proxmox-ve forums that running ntp on a
>> container is considered a Bad Thing. So I am reworking my puppet
>> installation to disable ntp on the containers...But I was trying to
>> figure out a foolproof way of looking on the machine and determining
>> if it is a container or not. The only thing I have found so far is
>> that /proc/mtrr exists on the physical servers, but not on the
>> containers. Is this a viable way to make this determination or is
>> there a better way?
>>
>> Thanks,
>> --b
> --
>
> ____________________________________________________________ ___________________
> Any use, dissemination, distribution, posting on Internet bulletin boards,
> disclosure or copying of this e-mail or any information contained herein by
> or to anyone other than the intended recipient(s) is strictly prohibited.
> Use of this content for any other purpose is a violation of International
> Copyright Laws.
>
>


http://static.openvz.org/userbars/openvz-user.png
Re: How to determine a container from the filesystem? [message #45914 is a reply to message #45910] Fri, 13 April 2012 22:33 Go to previous messageGo to next message
efball is currently offline  efball
Messages: 41
Registered: September 2006
Location: Santa Rosa, California
Member
On Fri, Apr 13, 2012 at 04:07:58PM -0400, Brad Alexander wrote:
> I just found out through the proxmox-ve forums that running ntp on a
> container is considered a Bad Thing. So I am reworking my puppet
> installation to disable ntp on the containers...But I was trying to
> figure out a foolproof way of looking on the machine and determining
> if it is a container or not. The only thing I have found so far is
> that /proc/mtrr exists on the physical servers, but not on the
> containers. Is this a viable way to make this determination or is
> there a better way?

if [ -d /proc/vz -a ! -d /proc/bc ]

/proc/vz - always exists if OpenVZ kernel is running (inside
and outside container) /proc/bc - exists on node, but not
inside container.


--

E Frank Ball efball@efball.com


E Frank Ball efball@efball.com
Re: How to determine a container from the filesystem? [message #45915 is a reply to message #45912] Fri, 13 April 2012 22:39 Go to previous messageGo to next message
Martin Dobrev is currently offline  Martin Dobrev
Messages: 14
Registered: November 2006
Junior Member
Better way to do it is to look for /proc/user_beancounters. If it exists then it's a distro with OpenVZ kernel installation. In it there is a info about different parameters of the container (if you look into it inside the container) or containers (if checked from the HN). Container 0: is the HN, so if you have it listed in the file then you run outside of the container.

Martin Dobrev

Sent from iPhonespam SPAMSPAM 4

On 14.04.2012, at 01:24, Corey Carpenter <fruitwerks@gmail.com> wrote:

> You could run ifconfig and grep for venetX:X or by mac address (all zero) unless you have chenged that specifically. I physical machine should not have venetX:X, simply venetX. This may be distribution dependent though, I am not sure.
>
> - C
>
> On Fri, Apr 13, 2012 at 8:07 PM, Brad Alexander <storm16@gmail.com> wrote:
> I just found out through the proxmox-ve forums that running ntp on a
> container is considered a Bad Thing. So I am reworking my puppet
> installation to disable ntp on the containers...But I was trying to
> figure out a foolproof way of looking on the machine and determining
> if it is a container or not. The only thing I have found so far is
> that /proc/mtrr exists on the physical servers, but not on the
> containers. Is this a viable way to make this determination or is
> there a better way?
>
> Thanks,
> --b
> --
> ____________________________________________________________ ___________________
> Any use, dissemination, distribution, posting on Internet bulletin boards, disclosure or copying of this e-mail or any information contained herein by or to anyone other than the intended recipient(s) is strictly prohibited. Use of this content for any other purpose is a violation of International Copyright Laws.
>
Re: How to determine a container from the filesystem? [message #45916 is a reply to message #45913] Sat, 14 April 2012 01:40 Go to previous messageGo to next message
Brad Alexander is currently offline  Brad Alexander
Messages: 11
Registered: October 2011
Junior Member
Thanks Joe!

I didn't realize that facter had that level of detail. For my opevz
hosts, virtual => openvzhn, but the containers all have virtual =>
openvzve...

--b

On Fri, Apr 13, 2012 at 6:36 PM, jjs - mainphrame <jjs@mainphrame.com> wrote:
> Unfortunately that won't work if you are using only bridged networking - I
> don't have any venet devices on my servers.
>
> My host has only lo, ethx, brx, and vethnnxx devices, and the containers
> have only lo and ethx devices.
>
> The puppet "facter" program is able to figure out if if a machine is a vz CT
> or a vz host, but I haven't looked into how it does it.
>
> Joe
>
>
> On Fri, Apr 13, 2012 at 3:24 PM, Corey Carpenter <fruitwerks@gmail.com>
> wrote:
>>
>> You could run ifconfig and grep for venetX:X or by mac address (all zero)
>> unless you have chenged that specifically. I physical machine should not
>> have venetX:X, simply venetX. This may be distribution dependent though, I
>> am not sure.
>>
>> - C
>>
>>
>> On Fri, Apr 13, 2012 at 8:07 PM, Brad Alexander <storm16@gmail.com> wrote:
>>>
>>> I just found out through the proxmox-ve forums that running ntp on a
>>> container is considered a Bad Thing. So I am reworking my puppet
>>> installation to disable ntp on the containers...But I was trying to
>>> figure out a foolproof way of looking on the machine and determining
>>> if it is a container or not. The only thing I have found so far is
>>> that /proc/mtrr exists on the physical servers, but not on the
>>> containers. Is this a viable way to make this determination or is
>>> there a better way?
>>>
>>> Thanks,
>>> --b
>> --
>>
>> ____________________________________________________________ ___________________
>> Any use, dissemination, distribution, posting on Internet bulletin boards,
>> disclosure or copying of this e-mail or any information contained herein by
>> or to anyone other than the intended recipient(s) is strictly prohibited.
>> Use of this content for any other purpose is a violation of International
>> Copyright Laws.
>>
>>
Re: How to determine a container from the filesystem? [message #45917 is a reply to message #45915] Sat, 14 April 2012 03:19 Go to previous messageGo to next message
jjs - mainphrame is currently offline  jjs - mainphrame
Messages: 44
Registered: January 2012
Member
That's another good tip.

Joe

On Fri, Apr 13, 2012 at 3:39 PM, Martin Dobrev <martin@dobrev.eu> wrote:

> Better way to do it is to look for /proc/user_beancounters. If it exists
> then it's a distro with OpenVZ kernel installation. In it there is a info
> about different parameters of the container (if you look into it inside the
> container) or containers (if checked from the HN). Container 0: is the HN,
> so if you have it listed in the file then you run outside of the container.
>
> Martin Dobrev
>
> Sent from iPhonespam SPAMSPAM 4
>
> On 14.04.2012, at 01:24, Corey Carpenter <fruitwerks@gmail.com> wrote:
>
> You could run ifconfig and grep for venetX:X or by mac address (all zero)
> unless you have chenged that specifically. I physical machine should not
> have venetX:X, simply venetX. This may be distribution dependent though, I
> am not sure.
>
> - C
>
> On Fri, Apr 13, 2012 at 8:07 PM, Brad Alexander <storm16@gmail.com> wrote:
>
>> I just found out through the proxmox-ve forums that running ntp on a
>> container is considered a Bad Thing. So I am reworking my puppet
>> installation to disable ntp on the containers...But I was trying to
>> figure out a foolproof way of looking on the machine and determining
>> if it is a container or not. The only thing I have found so far is
>> that /proc/mtrr exists on the physical servers, but not on the
>> containers. Is this a viable way to make this determination or is
>> there a better way?
>>
>> Thanks,
>> --b
> --
>
> ____________________________________________________________ ___________________
> Any use, dissemination, distribution, posting on Internet bulletin boards,
> disclosure or copying of this e-mail or any information contained herein by
> or to anyone other than the intended recipient(s) is strictly prohibited.
> Use of this content for any other purpose is a violation of International
> Copyright Laws.
>


http://static.openvz.org/userbars/openvz-user.png
Re: How to determine a container from the filesystem? [message #45924 is a reply to message #45910] Tue, 17 April 2012 07:29 Go to previous messageGo to next message
kir is currently offline  kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia
Senior Member

On 04/14/2012 12:07 AM, Brad Alexander wrote:
> I just found out through the proxmox-ve forums that running ntp on a
> container is considered a Bad Thing.

Not necessarily. In fact, it's a good thing to run ntpd inside a
container, it's just you need to

1. Have only ONE container doing that.
2. Grant that container sys_time capability, so it will be able to set
system time.

This is because time is not virtualized, ie all the containers share the
same time (because indeed there's only one time -- time zones of course
can be different).

> So I am reworking my puppet
> installation to disable ntp on the containers...But I was trying to
> figure out a foolproof way of looking on the machine and determining
> if it is a container or not. The only thing I have found so far is
> that /proc/mtrr exists on the physical servers, but not on the
> containers. Is this a viable way to make this determination or is
> there a better way?

Solutions provided here in this thread by E Frank Ball and Martin Dobrev
are both good.


Kir Kolyshkin
http://static.openvz.org/userbars/openvz-developer.png
Re: How to determine a container from the filesystem? [message #45925 is a reply to message #45924] Tue, 17 April 2012 11:07 Go to previous messageGo to next message
Brad Alexander is currently offline  Brad Alexander
Messages: 11
Registered: October 2011
Junior Member
Thanks Kir.

On Tue, Apr 17, 2012 at 3:29 AM, Kir Kolyshkin <kir@openvz.org> wrote:
> On 04/14/2012 12:07 AM, Brad Alexander wrote:
>>
>> I just found out through the proxmox-ve forums that running ntp on a
>> container is considered a Bad Thing.
>
>
> Not necessarily. In fact, it's a good thing to run ntpd inside a container,
> it's just you need to
>
> 1. Have only ONE container doing that.

So that one container can be Container 0 (the HN)?

> 2. Grant that container sys_time capability, so it will be able to set
> system time.

Perhaps I misunderstood the sys_time flag, it was my understanding
that it was better to turn off ntp on the containers, make sure it is
on in container 0 (the hardware node), then turn on sys_time on the
remaining containers.

> This is because time is not virtualized, ie all the containers share the
> same time (because indeed there's only one time -- time zones of course can
> be different).

Thanks,
--b
Re: How to determine a container from the filesystem? [message #45926 is a reply to message #45925] Tue, 17 April 2012 11:14 Go to previous message
kir is currently offline  kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia
Senior Member

On 04/17/2012 03:07 PM, Brad Alexander wrote:
> Thanks Kir.
>
> On Tue, Apr 17, 2012 at 3:29 AM, Kir Kolyshkin<kir@openvz.org> wrote:
>> On 04/14/2012 12:07 AM, Brad Alexander wrote:
>>> I just found out through the proxmox-ve forums that running ntp on a
>>> container is considered a Bad Thing.
>>
>> Not necessarily. In fact, it's a good thing to run ntpd inside a container,
>> it's just you need to
>>
>> 1. Have only ONE container doing that.
> So that one container can be Container 0 (the HN)?

Yes, but from the privilege separation perspective it might make sense
to have a dedicated container for that, so you don't clog HN with all
sorts of services and daemons.

>
>> 2. Grant that container sys_time capability, so it will be able to set
>> system time.
> Perhaps I misunderstood the sys_time flag, it was my understanding
> that it was better to turn off ntp on the containers

Right, it doesn't make sense to run ntpd in more than one container (or HN).

> , make sure it is
> on in container 0 (the hardware node)

Right. Or any other _single_ container.

> , then turn on sys_time on the
> remaining containers.

Ughm. That way, root user of any of those container can change system
time (and affect other users of CTs on the same HN).

>
>> This is because time is not virtualized, ie all the containers share the
>> same time (because indeed there's only one time -- time zones of course can
>> be different).
> Thanks,
> --b


Kir Kolyshkin
http://static.openvz.org/userbars/openvz-developer.png
Previous Topic: Run From Backup - pty issue
Next Topic: CfP 7th Workshop on Virtualization in High-Performance Cloud Computing (VHPC'12)
Goto Forum:
  


Current Time: Tue Dec 03 08:22:32 GMT 2024

Total time taken to generate the page: 0.24575 seconds