lxc init script should fail when it ... failed

This bug was fixed in the package lxc - 0.7.5-3ubuntu17

---------------
lxc (0.7.5-3ubuntu17) precise; urgency=low

  [ Serge Hallyn ]
  * 0032-start-check-caps.patch: exit early and with a clear error message
    if lxc-start is run with insufficient permissions. (LP: #925520)
  * debian/lxc.init: if there is a failure during lxc network setup, clean
    up and exit. (LP: #925511)

  [ Stéphane Graber ]
  * 0033-ubuntu-template-multiarch.patch: Add support for building
    containers using qemu-user-static, using multi-arch to install some
    packages of the host architecture so the container boots and works.
  * Add qemu-user-static as a Suggest of lxc.
 -- Stephane Graber <email address hidden> Thu, 02 Feb 2012 19:06:19 -0500

So how is it supposed to behave now?

I just did the upgrade and:

Setting up lxc (0.7.5-3ubuntu18) ...
Installing new version of config file /etc/init.d/lxc ...
 * Starting Linux Containers
dnsmasq: failed to create listening socket for 172.16.3.1: Address already in use
 * Failed to set up LXC network
invoke-rc.d: initscript lxc, action "start" failed.
dpkg: error processing lxc (--configure):
 subprocess installed post-installation script returned error exit status 2
Setting up ssh-askpass-gnome (1:5.9p1-2ubuntu2) ...
Setting up libcgroup1 (0.37.1-1ubuntu10) ...
Setting up cgroup-bin (0.37.1-1ubuntu10) ...
cgconfig start/running
Setting up libqtgui4 (4:4.8.0-1ubuntu5) ...

Shutting down dnsmasq allowed for the installation to complete. But now, I cannot start my dnsmasq service.

12:16:19 rrs@champaran:~$ sudo /etc/init.d/dnsmasq restart
[sudo] password for rrs:
 * Restarting DNS forwarder and DHCP server dnsmasq
dnsmasq: failed to create listening socket for port 53: Address already in use
                                                                                                                [fail]

@Ritesh,

the dnsmasq for the lxc bridge explicitly binds only lxcbr0. So if that fails, then your other dnsmasq has already bound all interfaces.

If /etc/init.d/lxc fails to start now, then lxcbr0 never had dhcp before. If you're not using lxcbr0 for your containers, then you can simply set USE_LXC_BRIDGE="false" in /etc/default/lxc.

If do want to use lxcbr0, then you should change your other dnsmasq to not bind all interfaces.

A third alternative, I suppose, would be that you want to use lxcbr0 but your statically assign addresses to your containers. We could add a USE_LXC_BRIDGE_DNSMASQ variable to /etc/default/lxc to support that use case. If that is what you want, please open a new bug against lxc and I'll add it.

On Tuesday 07 February 2012 09:19 PM, Serge Hallyn wrote:
> @Ritesh,
>
> the dnsmasq for the lxc bridge explicitly binds only lxcbr0. So if that
> fails, then your other dnsmasq has already bound all interfaces.

Yes. Because I had dnsmasq installed by default. From the dnsmasq.conf
file's documentation, it says:

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces

So any machine, where dnsmasq is installed, will bind to all the
interfaces. This is the _default_ behavior, as installed.

libvirt was doing something similar.
http://anonscm.debian.org/gitweb/?p=pkg-libvirt/libvirt.git;a=blob;f=debian/README.Debian;h=6248662c56111c4ec4a5b2c0887059ddfb5fdda6;hb=HEAD

They bind dnsmasq to the loopback interface. Since LXC's bridge also has
similar purpose, it could try to do similar things.

>
> If /etc/init.d/lxc fails to start now, then lxcbr0 never had dhcp
> before. If you're not using lxcbr0 for your containers, then you can
> simply set USE_LXC_BRIDGE="false" in /etc/default/lxc.
I haven't started using it yet. So I'm not sure how it has been behaving
up till now.

> If do want to use lxcbr0, then you should change your other dnsmasq to
> not bind all interfaces.
Yes. But would you want this to be a default?

Or actually, just adding a similar documentation into LXC's
README.Debian will also suffice. No?

> A third alternative, I suppose, would be that you want to use lxcbr0 but
> your statically assign addresses to your containers. We could add a
> USE_LXC_BRIDGE_DNSMASQ variable to /etc/default/lxc to support that use
> case. If that is what you want, please open a new bug against lxc and
> I'll add it.

--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

@Ritesh,

Unfortunately I don't know that that many people would read the README :)
It is worth adding though, thanks for the suggestion.

In addition, I will add an LXC section to the ubuntu server guide soon,
and this should be mentioned there.

I'm also marking this (and the equivalent libvirt) bugs as affecting
dnsmasq. Perhaps we can do something to its default configuration to be
less belligerant. Maybe even just an explicit
'--except-interface=virbr0,lxcbr0', though hard-coding that seems a bit
ugly.

Actually - to affect dnsmasq this should be a new bug. Opened bug 928524 to track it.

On Wednesday 08 February 2012 03:54 AM, Serge Hallyn wrote:
> @Ritesh,
>
> Unfortunately I don't know that that many people would read the README :)
> It is worth adding though, thanks for the suggestion.
>
> In addition, I will add an LXC section to the ubuntu server guide soon,
> and this should be mentioned there.
>
> I'm also marking this (and the equivalent libvirt) bugs as affecting
> dnsmasq. Perhaps we can do something to its default configuration to be
> less belligerant. Maybe even just an explicit
> '--except-interface=virbr0,lxcbr0', though hard-coding that seems a bit
> ugly.

Serge,

IMO the better option would be to just ship a binder in /etc/dnsmasq.d/

dnsmasq is a personal dns caching service. I doubt if anyone is using it
as a bind replacement.

By shipping a dnsmasq sub conf file (and making it bind to loopback
only), you eliminate the need to track the list of virtual bridges.
Then, you also don't need to spawn off your own dnsmasq proc from the
lxc init script.

--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

On 08/02/12 08:33, Ritesh Raj Sarraf wrote:
> On Wednesday 08 February 2012 03:54 AM, Serge Hallyn wrote:
>> @Ritesh,
>>
>> Unfortunately I don't know that that many people would read the README :)
>> It is worth adding though, thanks for the suggestion.
>>
>> In addition, I will add an LXC section to the ubuntu server guide soon,
>> and this should be mentioned there.
>>
>> I'm also marking this (and the equivalent libvirt) bugs as affecting
>> dnsmasq. Perhaps we can do something to its default configuration to be
>> less belligerant. Maybe even just an explicit
>> '--except-interface=virbr0,lxcbr0', though hard-coding that seems a bit
>> ugly.
>
> Serge,
>
> IMO the better option would be to just ship a binder in /etc/dnsmasq.d/
>
> dnsmasq is a personal dns caching service. I doubt if anyone is using it
> as a bind replacement.
>
> By shipping a dnsmasq sub conf file (and making it bind to loopback
> only), you eliminate the need to track the list of virtual bridges.
> Then, you also don't need to spawn off your own dnsmasq proc from the
> lxc init script.
>

There is special provision in dnsmasq to do exactly this, but it's never
made it into libvirt upstream. Please feel free to push there!

from "man dnsmasq" NOTES section:

--------------------------------------------------------------
dhcp-range may have an interface name supplied as
"interface:<interface-name>". The semantics if this are as follows: For
DHCP, if any other dhcp-range exists _without_ an interface name, then
the interface name is ignored and and dnsmasq behaves as if the
interface parts did not exist, otherwise DHCP is only provided to
interfaces mentioned in dhcp-range declarations. For DNS, if there are
no --interface or --listen-address flags, behaviour is unchanged by the
interface part. If either of these flags are present, the interfaces
mentioned in dhcp-ranges are added to the set which get DNS service.

Similarly, enable-tftp may take an interface name, which enables TFTP
only for a particular interface, ignoring --interface or
--listen-address flags. In addition --tftp-secure and --tftp-unique-root
and --tftp-no-blocksize are ignored for requests from such interfaces.
(A --tftp-root directive giving a root path and an interface should be
provided too.)

These rules may seem odd at first sight, but they
allow a single line of the form
"dhcp-range=interface:virt0,192.168.0.4,192.168.0.200" to be added to
dnsmasq configuration which then supplies DHCP and DNS services to
that interface, without affecting what services are supplied to
other interfaces and irrespective of the existance or lack of
"interface=<interface>" lines elsewhere in the dnsmasq configuration.
"enable-tftp=virt0" and "tftp-root=<root>,virt0" do the same job for TFTP.

The idea is that such a line can be added automatically by libvirt or
equivalent systems, without disturbing any manual configuration.
---------------------------------------------------------------

Cheers,

Simon.

Thanks Ritesh and Simon, sounds like a great idea.