Devuan bug report logs - #502
LXC unprivileged containers

Package: lxc; Maintainer for lxc is (unknown); Source for lxc is src:lxc.

Reported by: Saman Behnam <sbehnam73@googlemail.com>

Date: Mon, 3 Aug 2020 01:18:01 UTC

Severity: normal

Tags: debian, moreinfo

Message #5 received at submit@bugs.devuan.org:

From: Saman Behnam <sbehnam73@googlemail.com>
Date: Sun, 2 Aug 2020 19:04:11 -0600
Message-ID: <CAC1V7=ywTyGzvCP86XwN03RJRre5n_PsUQm_mr2wLxr2YrpDHA@mail.gmail.com>
Subject: LXC unprivileged containers
To: submit@bugs.devuan.org
[Message part 1 (text/plain, inline)]
Package: lxc

Version: 1:3.1.0+really3.0.3-8

System: Devuan Beowulf

After a clean install of the lxc package, containers do not work unless I
do the following.

add to sysctl.conf
##################
# LXC Devuan unprivileged
# containers
kernel.unprivileged_userns_clone = 1

# LXC kernel setting (optional)
# Makes dmesg work for
# non root users.
kernel.dmesg_restrict = 0

create and configure
####################
/etc/lxc/lxc-usernet
/etc/default/lxc-net

I suggest adding a file with above settings that goes to
"/etc/sysctl.d"
And make
"sysctl.conf"
include
"/etc/sysctl.d"

Also add files:
/etc/lxc/lxc-usernet
/etc/default/lxc-net

~ $ cat /etc/lxc/lxc-usernet
# USERNAME TYPE BRIDGE COUNT
# examplecontainer1 veth lxcbr0 1
# examplecontainer2 veth lxcbr0 2

~ $ cat /etc/default/lxc-net
# This file is auto-generated by lxc.postinst if it does not
# exist.  Customizations will not be overridden.
# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers.  Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.
USE_LXC_BRIDGE="false"

# If you change the LXC_BRIDGE to something other than lxcbr0, then
# you will also need to update your /etc/lxc/default.conf as well as the
# configuration (/var/lib/lxc/<container>/config) for any containers
# already created using the default config to reflect the new bridge
# name.
# If you have the dnsmasq daemon installed, you'll also have to update
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
# dnsmasq.  For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
# container 'mail1' always get ip address 10.0.3.100.
#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf

# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
# domain.  You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)
# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf,
# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager).
# Once these changes are made, restart the lxc-net and network-manager services.
# 'container1.lxc' will then resolve on your host.
#LXC_DOMAIN="lxc"

Thank you for a great and clean distribution!

Saman
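
An added example, not part of the original report or of the lxc package: a shell check for the prerequisites the report lists, reading a sysctl.d-style fragment and an lxc-usernet file. The file name 30-lxc.conf, the user alice and the sample file contents are constructed for illustration.

```shell
# Added example: audit the settings named in the report. The sample files at
# the bottom are constructed; pass real paths to audit a host.

# Print the effective (last assigned) value of KEY in a sysctl.d-style file.
sysctl_value() {  # usage: sysctl_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v               # later assignments win
        }
        END { if (val != "") print val }' "$1"
}

# Sum the veth quota a user has on a bridge (format: USERNAME TYPE BRIDGE COUNT).
usernet_quota() {  # usage: usernet_quota FILE USER BRIDGE
    awk -v u="$2" -v b="$3" '
        /^[ \t]*#/ { next }                     # commented entries grant nothing
        $1 == u && $2 == "veth" && $3 == b { n += $4 }
        END { print n + 0 }' "$1"
}

# Return 0 when unprivileged containers with bridged networking can work for USER.
audit() {  # usage: audit SYSCTL_FILE USERNET_FILE USER BRIDGE
    rc=0
    [ "$(sysctl_value "$1" kernel.unprivileged_userns_clone)" = "1" ] ||
        { echo "FAIL: kernel.unprivileged_userns_clone is not 1"; rc=1; }
    [ "$(usernet_quota "$2" "$3" "$4")" -gt 0 ] ||
        { echo "FAIL: no veth quota for $3 on $4"; rc=1; }
    [ "$(sysctl_value "$1" kernel.dmesg_restrict)" != "0" ] ||
        echo "NOTE: kernel.dmesg_restrict=0 lets any local user read the kernel log"
    return "$rc"
}

# Constructed sample files mirroring the report (alice is a hypothetical user).
tmp=$(mktemp -d)
printf '%s\n' '# LXC unprivileged containers' \
    'kernel.unprivileged_userns_clone = 1' \
    'kernel.dmesg_restrict = 0' > "$tmp/30-lxc.conf"
printf '%s\n' '# USERNAME TYPE BRIDGE COUNT' \
    '# examplecontainer1 veth lxcbr0 1' \
    'alice veth lxcbr0 2' > "$tmp/lxc-usernet"
audit "$tmp/30-lxc.conf" "$tmp/lxc-usernet" alice lxcbr0
```

With the lxc-usernet file exactly as quoted in the report (every entry commented out), the quota check fails for every user, so an uncommented entry is needed before an unprivileged user can attach a veth to the bridge.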

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Mon Nov 25 22:50:57 2024;