From: Saman Behnam
Date: Sun, 2 Aug 2020 19:04:11 -0600
To: submit@bugs.devuan.org
Subject: LXC unprivileged containers

Package: lxc
Version: 1:3.1.0+really3.0.3-8
System: Devuan Beowulf

After a clean install of the lxc package, containers do not work unless I do the following.

Add to sysctl.conf:
##################
# LXC Devuan unprivileged
# containers
kernel.unprivileged_userns_clone = 1

# LXC kernel setting (optional)
# Makes dmesg work for
# non root users.
kernel.dmesg_restrict = 0

Create and configure:
####################
/etc/lxc/lxc-usernet
/etc/default/lxc-net

I suggest adding a file with the above settings that goes to "/etc/sysctl.d", and making "sysctl.conf" include "/etc/sysctl.d".

Also add files:
/etc/lxc/lxc-usernet
/etc/default/lxc-net

~ $ cat /etc/lxc/lxc-usernet
# USERNAME TYPE BRIDGE COUNT
# examplecontainer1 veth lxcbr0 1
# examplecontainer2 veth lxcbr0 2

~ $ cat /etc/default/lxc-net
# This file is auto-generated by lxc.postinst if it does not
# exist.  Customizations will not be overridden.
# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers.  Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.
USE_LXC_BRIDGE="false"

# If you change the LXC_BRIDGE to something other than lxcbr0, then
# you will also need to update your /etc/lxc/default.conf as well as the
# configuration (/var/lib/lxc/<container>/config) for any containers
# already created using the default config to reflect the new bridge
# name.
# If you have the dnsmasq daemon installed, you'll also have to update
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
# dnsmasq.  For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
# container 'mail1' always get ip address 10.0.3.100.
#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf

# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
# domain.  You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)
# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf,
# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager).
# Once these changes are made, restart the lxc-net and network-manager services.
# 'container1.lxc' will then resolve on your host.
#LXC_DOMAIN="lxc"

Thank you for a great and clean distribution!

Saman
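The two host-side prerequisites the report describes (the kernel.unprivileged_userns_clone sysctl and a per-user veth quota line in /etc/lxc/lxc-usernet) can be checked before a first lxc-create. This is an added example, not part of the bug report or the lxc package; the function names, the sample user "alice" and the constructed lxc-usernet file are assumptions.

```shell
# Added example: verify the prerequisites for unprivileged LXC containers
# named in the report:
#   1. sysctl kernel.unprivileged_userns_clone = 1 (Debian kernel knob)
#   2. an /etc/lxc/lxc-usernet line "USER veth BRIDGE COUNT" for the user
# Function names and the sample user "alice" are assumptions.

# usernet_quota FILE USER BRIDGE: print how many veth devices USER may
# attach to BRIDGE according to FILE (other users/types are ignored).
usernet_quota() {
    awk -v u="$2" -v b="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }      # comments, malformed lines
        $1 == u && $2 == "veth" && $3 == b { n += $4 }
        END { print n + 0 }' "$1"
}

# check_host FILE USER BRIDGE USERNS_VALUE: report each prerequisite and
# return 0 only when both are satisfied.
check_host() {
    ready=0
    if [ "$4" = "1" ]; then
        echo "ok: kernel.unprivileged_userns_clone=1"
    else
        echo "missing: kernel.unprivileged_userns_clone is '$4'; set it to 1 in /etc/sysctl.d/"
        ready=1
    fi
    q=$(usernet_quota "$1" "$2" "$3")
    if [ "$q" -gt 0 ]; then
        echo "ok: $2 may create $q veth device(s) on $3"
    else
        echo "missing: no '$2 veth $3 N' line in $1"
        ready=1
    fi
    return "$ready"
}

# Constructed sample lxc-usernet; the report's own file holds only comments.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# USERNAME TYPE BRIDGE COUNT
# examplecontainer1 veth lxcbr0 1
alice veth lxcbr0 2
alice veth lxcbr0 1
EOF

# On a real host pass /etc/lxc/lxc-usernet as the first argument and
# "$(sysctl -n kernel.unprivileged_userns_clone)" as the last.
check_host "$sample" alice lxcbr0 1
check_host "$sample" bob lxcbr0 0 || echo "host not ready for bob"
rm -f "$sample"
```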
From: Mark Hindley
Date: Mon, 3 Aug 2020 12:48:01 +0100
To: Saman Behnam, 502@bugs.devuan.org
Subject: Re: bug#502: LXC unprivileged containers

Control: tags -1 debian moreinfo

On Sun, Aug 02, 2020 at 07:04:11PM -0600, Saman Behnam wrote:
> Package: lxc
> Version: 1:3.1.0+really3.0.3-8
> System: Devuan Beowulf
> After a clean install of lxc package containers do not work unless I
> have to do the following.

Saman,

Thanks for this.

lxc is not a forked package and Devuan uses Debian's packages directly without recompilation.

Neither I nor (AFAIK) any of the Devuan Devs are active users of lxc. Do you expect this to work out of the box, or is this just necessary configuration?

If you really think there is a bug here to be addressed, please report it directly to Debian's BTS.

Thanks.

Mark

From: Mark Hindley
Date: Tue, 4 Aug 2020 09:37:08 +0100
To: Saman Behnam
Cc: 502@bugs.devuan.org
Subject: Re: bug#502: LXC unprivileged containers

On Mon, Aug 03, 2020 at 02:49:24PM -0700, Saman Behnam wrote:
> Hi Mark,
> It's not an LXC bug. Else I would have filed it to the LXC devs.
> But it's very hard to get unprivileged running without those missing
> setup defaults.
>
> Stephan Graber (a main lxc dev) had hard times debugging and figuring
> out the problem.
> It would be a very nice default for the Devuan lxc package.
> I had LXC running on Ubuntu 18 and moved to Devuan.
> Obviously there seem to be differences between Ubuntu and Debian
> packaging.

Thanks for your analysis.

[…]

> Those settings were out of the box in Ubuntu.
> What you see above is my suggestion for Devuan.
> I recursively grepped /etc for those settings on Ubuntu and found
> nothing.
> Not sure if it's just the kernel defaults in Ubuntu!
> The whole thing is more of a technical packaging issue than a bug.
> Since I've seen that behavior on a Devuan system I felt the Devuan
> package maintainer would be the right one to address.

OK, I understand that.

Devuan doesn't maintain separate lxc packages. We use the Debian packages directly without recompilation. So the Debian package maintainer is the person to ask to incorporate your suggested default config.

Does that make sense?

Thanks.

Mark