OpenSync running in LXC container
General
To support running OpenSync inside an LXC container, a build-time configuration option has been added:
CONFIG_RUN_IN_LXC
CONFIG_RUN_IN_LXC enables the infrastructure changes needed to run OpenSync in an LXC container. This includes:
changing the OpenSync service startup so that it is launched from LXC
providing a base LXC configuration that runs OpenSync in the container.
The OpenSync architecture is undergoing changes to become more application-based and SDK-compliant; for now, however, the container still requires privileged access.
Implementation Outline
The OpenSync service in LXC is started by default; its status can be checked with this command:
# lxc-info -n opensync
Name: opensync
State: RUNNING
PID: 3061
The commands for manual start, stop and attach are:
# lxc-start -n opensync
# lxc-stop -n opensync
# lxc-attach -n opensync
Details
Sample OpenSync LXC configuration:
# OpenSync LXC config
lxc.uts.name = opensync
# Keep host namespaces
lxc.namespace.keep = user net ipc pid
# Use host root filesystem
lxc.rootfs.path = dir:/
lxc.mount.entry = /dev /dev none rbind 0 0
# Use host Network
lxc.net.0.type = none
# Disable security restrictions
#lxc.apparmor.profile =
#lxc.seccomp.profile =
lxc.cap.drop =
# Run as privileged
lxc.idmap =
# Console and Logging
lxc.console.path = none
lxc.log.file = /usr/opensync/log_archive/lxc.log
lxc.log.level = INFO
# Startup Command
lxc.init.cmd = /usr/opensync/scripts/lxc_opensync_svc
Further customization can be done as needed. Note, however, that OpenSync requires privileged access because it manages many aspects of the system. Among the privileges required are:
namespace user: OpenSync must run as root, without user ID mapping
namespace net, ipc: configuration of system networking and communication with system services
namespace pid and the /proc file system: monitoring and reporting of system processes' memory and CPU usage, and the ability to send signals to system processes (for example, the HW watchdog)
file system / (root): the ability to perform partial upgrades, and general functionality
file system /dev: the ability to perform a system upgrade
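The sample configuration above relaxes nearly every isolation boundary LXC offers, which is exactly what the privilege list explains: shared user, net, ipc and pid namespaces, the host root filesystem as the container rootfs, host /dev bind-mounted, no capabilities dropped, no ID mapping, and no AppArmor or seccomp profile. The shell script below is an added example, not code from OpenSync or from the LXC project. It reads an LXC config file and prints one line per isolation-relaxing setting it finds, so a reviewer can see at a glance how far a customized config departs from LXC defaults, without starting any container. The function names (lxc_cfg_value, lxc_cfg_has, lxc_audit, lxc_audit_count, write_sample_cfg) are this example's own, and the embedded config is a constructed copy of the sample shown on this page.

```shell
#!/bin/sh
# Added example (not OpenSync or LXC project code): audit an LXC config for
# the settings that relax isolation, as described in the privilege list above.
# Function names and the embedded sample config are this example's own.

# Print the last value assigned to key $2 in config file $1 ("" if the key is
# absent or set to an empty value). Commented-out lines are ignored.
lxc_cfg_value() {
  awk -v key="$2" -F= '
    /^[[:space:]]*#/ { next }
    NF >= 2 {
      k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        last = v
      }
    }
    END { print last }' "$1"
}

# Succeed if key $2 is assigned (uncommented) anywhere in config file $1.
lxc_cfg_has() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Eq "^[[:space:]]*$esc[[:space:]]*=" "$1"
}

# Print one finding per line for each isolation-relaxing setting found.
lxc_audit() {
  cfg="$1"
  ns=$(lxc_cfg_value "$cfg" lxc.namespace.keep)
  for n in user net pid ipc; do
    case " $ns " in
      *" $n "*) echo "shares host $n namespace (lxc.namespace.keep)" ;;
    esac
  done
  case "$(lxc_cfg_value "$cfg" lxc.rootfs.path)" in
    dir:/|/) echo "host root filesystem used as container rootfs (lxc.rootfs.path)" ;;
  esac
  if grep -Eq '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/dev[[:space:]]' "$cfg"; then
    echo "host /dev bind-mounted into the container (lxc.mount.entry)"
  fi
  if lxc_cfg_has "$cfg" lxc.cap.drop && [ -z "$(lxc_cfg_value "$cfg" lxc.cap.drop)" ]; then
    echo "no capabilities dropped (lxc.cap.drop is empty)"
  fi
  if lxc_cfg_has "$cfg" lxc.idmap && [ -z "$(lxc_cfg_value "$cfg" lxc.idmap)" ]; then
    echo "no uid/gid mapping, container root is host root (lxc.idmap is empty)"
  fi
  for p in lxc.apparmor.profile lxc.seccomp.profile; do
    lxc_cfg_has "$cfg" "$p" || echo "$p not set in this config"
  done
}

# Number of findings; a convenient threshold for a build-time gate.
lxc_audit_count() {
  lxc_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample: a copy of the OpenSync LXC config shown on this page.
write_sample_cfg() {
  cat > "$1" <<'EOF'
lxc.uts.name = opensync
lxc.namespace.keep = user net ipc pid
lxc.rootfs.path = dir:/
lxc.mount.entry = /dev /dev none rbind 0 0
lxc.net.0.type = none
#lxc.apparmor.profile =
#lxc.seccomp.profile =
lxc.cap.drop =
lxc.idmap =
lxc.console.path = none
lxc.init.cmd = /usr/opensync/scripts/lxc_opensync_svc
EOF
}

# Stand-alone run: audit the constructed sample and print the findings.
sample=$(mktemp)
write_sample_cfg "$sample"
lxc_audit "$sample"
rm -f "$sample"
```

Point lxc_audit at the container's config file (in LXC's default layout that is /var/lib/lxc/opensync/config; an SDK may install it elsewhere). The sample on this page yields ten findings, which is the expected baseline for OpenSync; a customized config that adds findings beyond that baseline, or a future OpenSync release that is meant to run unprivileged but still produces all ten, is worth a second look.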
Northbound API
There are no northbound API changes needed for this feature.
Southbound API
There are no southbound API changes needed for this feature.
Requirements
System requirements:
Tested SDKs: QCA, BCM, MTK
Enabled LXC package
Some SDKs require an LXC package version upgrade; the patches for upgrading the LXC version are part of the SDK overlay
On BCM SDK 5.04L.02p1: upgrade LXC from 3.1.0 to 3.2.1
On QCA SDK SPF-12: upgrade LXC from 2.1.1 to 3.0.4
On MTK SDK: no upgrade needed; version 4.0.12 is OK