Talk:LXC
Latest revision as of 01:48, 28 August 2023
Alternative Network Setup
These are notes on macvlan on a box with real vlans. The goal here is to have the host on a management vlan, and several guests each on other vlans. There's no need for the host to talk to the guests. The host resides on the "OOB" network, and if the host needs to talk to a guest, it does so with lxc-console, like having a KVM. Each guest should get its address from the DHCP server on the appropriate vlan. Something like this:
Setup:
  host     dhcp on vlan 8
  guest1   dhcp on vlan 64
  guest2   dhcp on vlan 129
  guest3   dhcp on vlan 64 (different address)
- Host's /etc/network/interfaces file
auto lo
iface lo inet loopback

# MGMT vlan
auto eth0.8
iface eth0.8 inet dhcp
     hostname lxchost
# USR vlan - we bring it up, but don't assign an address
auto eth0.65
iface eth0.65 inet manual
   up ip link set $IFACE addr de:ad:be:ef:ca:fe
   up ip link set $IFACE up
   down ip link set $IFACE down
# VoIP vlan - we bring it up, but don't assign an address
# (the first octet of the address must have its lowest bit clear, i.e. not be a multicast
#  address, or the kernel refuses it; the original 0f:... octet had that bit set)
auto eth0.129
iface eth0.129 inet manual
   up ip link set $IFACE addr 0e:f1:ce:c0:ff:ee
   up ip link set $IFACE up
   down ip link set $IFACE down
- Here's /etc/lxc/lxc.conf
lxc.network.type = macvlan
# Allow guests on the same vlan to see each other
lxc.network.macvlan.mode = bridge
lxc.network.link = eth0.65
lxc.network.name = eth0
# lxc.network.hwaddr = de:ad:be:ef:c0:00    # macvlan will make one up, but possible if wanted
# lxc.network.flags = up                    # Do NOT bring up the interface, we will do so within the container
# lxc.network.ipv4 = 0.0.0.0                # Do NOT assign an address, we do so within the container

# Capabilities to drop (for instance, to stop the guest from mounting sys)
# Taken from http://sourceforge.net/mailarchive/message.php?msg_id=28285704
# sys_boot is not listed here, as it causes problems when the host tries to stop the guest
# If you trust the guest, then you can get by without dropping capabilities
# (repeated lxc.cap.drop lines accumulate; the effective set is their union)

lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap
lxc.cap.drop = setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio
lxc.cap.drop = sys_tty_config sys_time
- Create the guests
for a in `seq 1 3`; do 
  lxc-create -n guest${a} -f /etc/lxc/lxc.conf -t alpine
  ln -s /etc/init.d/lxc /etc/init.d/lxc.guest${a}
done
- vi /var/lib/lxc/guest2/config
change lxc.network.link to eth0.129
- Start and enter the first guest (this is where the fun starts)
/etc/init.d/lxc.guest1 start
lxc-console -n guest1
Fun inside the guest
- /dev/null is currently created as a regular file
- /dev/zero doesn't exist
To create these, do the following from the host:
rm -f /var/lib/lxc/[guest-name]/rootfs/dev/null
rm -f /var/lib/lxc/[guest-name]/rootfs/dev/zero
mknod /var/lib/lxc/[guest-name]/rootfs/dev/zero c 1 5
mknod /var/lib/lxc/[guest-name]/rootfs/dev/null c 1 3
We do this in the host because our default config drops the mknod capability in the guest.
What Works, What Doesn't
- Pro
  - Each guest has its own mac address
  - Network connectivity between each guest
  - No communication allowed between host and guests (this is a plus in our case - management vlan != user vlan)
  - if iptables modules are loaded in the host, each guest can create its own iptables rules (awall for all! sweet)
- Con
  - No communication allowed between host and guests because we are not using a bridge interface (this is a plus in our case - management vlan != user vlan)
— Preceding unsigned comment added by Nangel (talk • contribs) 02:00, 12 April 2013
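Two steps in the post above are easy to get wrong by hand: working out which capabilities the accumulated lxc.cap.drop lines actually remove, and recreating /dev/null and /dev/zero under a guest rootfs from the host. The script below is an added example and is not code from Nangel's post or from LXC. It assumes the lxc.cap.drop key syntax shown above, a Linux stat(1) that accepts -c with %F/%t/%T (GNU coreutils or busybox), and the ROOTFS variable and constructed lxc.conf it uses are its own.

```shell
#!/bin/sh
# Added example, not code from the wiki post: audit an LXC config for the
# capabilities it drops and check a guest rootfs's /dev/null and /dev/zero.
# Assumes the "lxc.cap.drop" key syntax shown above (cumulative across lines)
# and a Linux stat(1) that understands -c %F/%t/%T (GNU coreutils or busybox).

# Print the effective set of dropped capabilities, one per line, sorted.
# LXC accumulates repeated lxc.cap.drop lines, so the effective set is the union.
effective_cap_drop() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ' \t' '\n\n' | grep -v '^$' | sort -u
}

# Exit 0 if every capability named after the config path is dropped by it.
caps_dropped() {
    cfg=$1; shift
    dropped=$(effective_cap_drop "$cfg")
    for c in "$@"; do
        printf '%s\n' "$dropped" | grep -qx "$c" || { echo "not dropped: $c"; return 1; }
    done
    return 0
}

# Describe a path: "missing", "char MAJOR:MINOR" for a character device,
# or stat's own description ("regular file", ...) for anything else.
dev_node_kind() {
    [ -e "$1" ] || { echo missing; return 0; }
    kind=$(stat -c %F "$1")
    case "$kind" in
        "character special file")
            maj=$(stat -c %t "$1"); min=$(stat -c %T "$1")   # stat prints these in hex
            printf 'char %d:%d\n' "$((0x$maj))" "$((0x$min))" ;;
        *) echo "$kind" ;;
    esac
}

# Recreate /dev/null (1:3) and /dev/zero (1:5) under a guest rootfs when they
# are not proper device nodes. Run this on the host, as root, because the
# config above drops mknod inside the guest.
ensure_dev_nodes() {
    rootfs=$1
    for spec in "null 1 3" "zero 1 5"; do
        set -- $spec
        path="$rootfs/dev/$1"
        if [ "$(dev_node_kind "$path")" != "char $2:$3" ]; then
            echo "fixing $path"
            rm -f "$path" && mknod -m 666 "$path" c "$2" "$3"
        fi
    done
}

# Demo with a constructed config carrying the cap.drop lines from the post.
tmp=$(mktemp -d)
cat >"$tmp/lxc.conf" <<'EOF'
lxc.cap.drop= sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop= ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap
lxc.cap.drop= setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio
lxc.cap.drop= sys_tty_config sys_time
EOF
caps_dropped "$tmp/lxc.conf" sys_admin mknod sys_module sys_ptrace && echo "guest loses the expected caps"
caps_dropped "$tmp/lxc.conf" sys_boot || echo "(sys_boot is deliberately kept, see the comment in the config)"
echo "host /dev/null is: $(dev_node_kind /dev/null)"
# Only touches a real rootfs when asked to and running as root, e.g.
#   ROOTFS=/var/lib/lxc/guest1/rootfs sh audit.sh
if [ -n "$ROOTFS" ] && [ "$(id -u)" -eq 0 ]; then ensure_dev_nodes "$ROOTFS"; fi
rm -rf "$tmp"
```

Without ROOTFS the script only reports; with ROOTFS pointed at a guest and run as root it replaces whatever sits at dev/null and dev/zero with the correct character devices, which is the same rm/mknod sequence the post does by hand, but only when the node is actually wrong.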
About lxc-attach
I cannot connect to any AL LXC build under AL... the response is always
infra:~# lxc-attach --name=git -- "ps ax"
lxc_container: attach.c: lxc_attach_to_ns: 196 Operation not permitted - failed to set namespace 'pid'
lxc_container: attach.c: lxc_attach: 844 failed to enter the namespace
What did I possibly do wrong?
Or is it a bug in AL LXC?
— Preceding unsigned comment added by Jch (talk • contribs) 17:11, 3 June 2015
Update about lxc-attach
LXC-host: lxc-attach fail with "lxc_attach_to_ns: 270 Operation not permitted - failed to set namespace 'pid'"
Issue: When you try to run lxc-attach, this fails. "use of CAP_SYS_ADMIN in chroot denied for /usr/bin/lxc-attach" appears in dmesg.
Cause: This issue is due to a grsecurity restriction on the lxc host.
Workaround: Add the following settings to your sysctl.conf file:
kernel.grsecurity.chroot_caps=0
kernel.grsecurity.chroot_deny_chmod=0
Since those settings are read only at lxc host boot, and they were applied afterwards, some of the lxc hosts might not have those settings loaded yet. A simple workaround can be:
echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
or simply run:
sysctl -p
— Preceding unsigned comment added by Fcolista (talk • contribs) 02:22, 28 April 2016
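The caveat in the post above, that a value added to sysctl.conf on a running host is not live until sysctl -p or the next boot, is the kind of drift that goes unnoticed until lxc-attach fails on one host out of many. The script below is an added example, not code from Fcolista's post or from grsecurity or LXC. It compares a sysctl.conf-style file with the live values under /proc/sys, lists keys that drifted or that the running kernel does not have, and can push only the drifted values. It assumes the usual key-to-path mapping (dots become slashes); the sysctl.conf contents and the fake /proc/sys tree in the demo are constructed, and the knob names are the ones the post uses.

```shell
#!/bin/sh
# Added example, not code from the wiki post: find sysctl settings that are in
# a sysctl.conf-style file but not in effect on the running kernel. This is the
# failure mode described above: the grsecurity knobs were added to the file on
# a running host, so they are not live until "sysctl -p" or the next boot.
# Assumes the knob names map onto /proc/sys the usual way (dots to slashes);
# the second argument lets the check run against a fake tree for testing.

# kernel.grsecurity.chroot_caps -> kernel/grsecurity/chroot_caps
sysctl_path() { printf '%s\n' "$1" | tr . /; }

# Print "key value" pairs from a sysctl.conf: comments (# or ;) and blank
# lines are skipped, spaces around '=' are tolerated.
conf_entries() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*\([^=[:space:]]*\)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1 \2/' "$1"
}

# Compare every entry in $1 with the live value under $2 (default /proc/sys).
# One line per key: "ok KEY", "drift KEY (file=... live=...)", or "absent KEY"
# when the kernel has no such knob (grsecurity keys on a non-grsec kernel).
check_drift() {
    procsys=${2:-/proc/sys}
    conf_entries "$1" | while read -r key want; do
        node="$procsys/$(sysctl_path "$key")"
        if [ ! -e "$node" ]; then
            echo "absent $key"
        elif [ "$(cat "$node")" = "$want" ]; then
            echo "ok $key"
        else
            echo "drift $key (file=$want live=$(cat "$node"))"
        fi
    done
}

# Exit 0 when no key has drifted ("absent" keys do not count as drift).
drift_free() { ! check_drift "$1" "$2" | grep -q '^drift '; }

# Push only the drifted values into the live tree, which is what the "echo 0 >"
# lines above do by hand. Needs root when pointed at the real /proc/sys.
apply_drift() {
    procsys=${2:-/proc/sys}
    check_drift "$1" "$procsys" | sed -n 's/^drift \([^ ]*\) .*/\1/p' | while read -r key; do
        want=$(conf_entries "$1" | awk -v k="$key" '$1 == k { print $2; exit }')
        echo "$want" > "$procsys/$(sysctl_path "$key")"
    done
}

# Demo: a constructed sysctl.conf with the workaround from the post, and a
# constructed fake /proc/sys where the knobs still hold their defaults.
tmp=$(mktemp -d)
cat >"$tmp/sysctl.conf" <<'EOF'
# grsecurity: let lxc-attach enter the guest namespaces
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_chmod = 0
EOF
mkdir -p "$tmp/proc/kernel/grsecurity"
echo 1 > "$tmp/proc/kernel/grsecurity/chroot_caps"
echo 1 > "$tmp/proc/kernel/grsecurity/chroot_deny_chmod"
check_drift "$tmp/sysctl.conf" "$tmp/proc"
drift_free "$tmp/sysctl.conf" "$tmp/proc" || echo "settings in the file are not live yet"
apply_drift "$tmp/sysctl.conf" "$tmp/proc"
drift_free "$tmp/sysctl.conf" "$tmp/proc" && echo "after apply: in sync"
rm -rf "$tmp"
```

Against the real tree, `check_drift /etc/sysctl.conf` run on each lxc host is enough to find the ones that never got the knobs loaded; sysctl -p remains the simpler way to apply them, the apply_drift function is there to show what that step amounts to.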
Unprivileged containers
To use unprivileged containers, one needs to install shadow-uidmap and add 'name:100000:65536' to both /etc/subuid and /etc/subgid, or they will get errors like:
unshare: Operation not permitted
read pipe: Permission denied
lxc-create: lxccontainer.c: do_create_container_dir: 985 Failed to chown container dir
lxc-create: tools/lxc_create.c: main: 318 Error creating container test
Pickfire (talk) 16:05, 23 February 2017 (UTC)
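Having an entry in /etc/subuid and /etc/subgid is the first requirement; for a multi-user host the entry also has to be large enough and must not overlap another user's range, since overlapping ranges let one user's container own files that another user's container maps as its own ids. The script below is an added example, not code from Pickfire's note or from LXC or shadow-uidmap. It reads the user:start:count format of those files, checks size and overlap, and prints the matching id map lines; the file paths are taken as arguments and the subuid/subgid contents in the demo are constructed. The `lxc.idmap` key is the LXC 2.1 and later spelling (older releases use `lxc.id_map`), and the 65536 minimum is the count used on this page.

```shell
#!/bin/sh
# Added example, not code from the wiki post: check a user's subordinate
# uid/gid ranges before creating unprivileged containers. Besides "is there an
# entry", it checks that the range is big enough and that it does not overlap
# another user's range. Assumes the "user:start:count" format of /etc/subuid
# and /etc/subgid; file paths are arguments so the demo runs on constructed files.

# Print "start count" for user $2 from file $1 (first entry), nothing if absent.
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Print every pair of users whose ranges in file $1 overlap, as "userA userB".
subid_overlaps() {
    awk -F: '
        NF >= 3 { n++; user[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        print user[i], user[j]
        }' "$1"
}

# Exit 0 if user $2 has at least $3 ids in file $1 (default 65536, the count
# used on this page) and its range overlaps nobody else's.
subid_ok() {
    file=$1; user=$2; need=${3:-65536}
    set -- $(subid_range "$file" "$user")
    [ $# -eq 2 ] || { echo "$user: no entry in $file"; return 1; }
    [ "$2" -ge "$need" ] || { echo "$user: only $2 ids in $file, need $need"; return 1; }
    if subid_overlaps "$file" | awk -v u="$user" '$1 == u || $2 == u { f = 1 } END { exit !f }'; then
        echo "$user: range overlaps another user in $file"; return 1
    fi
    return 0
}

# Emit the id map for user $3 from subuid file $1 and subgid file $2, mapping
# guest uid/gid 0 onto the start of the host range. "lxc.idmap" is the LXC >= 2.1
# key; LXC 2.0 and older spell it "lxc.id_map".
idmap_lines() {
    set -- $(subid_range "$1" "$3") $(subid_range "$2" "$3")
    [ $# -eq 4 ] || return 1
    printf 'lxc.idmap = u 0 %s %s\nlxc.idmap = g 0 %s %s\n' "$1" "$2" "$3" "$4"
}

# Demo on constructed files: carol's range overlaps bob's, dave's is too
# small, erin has no entry at all (the "unshare: Operation not permitted" case).
tmp=$(mktemp -d)
cat >"$tmp/subuid" <<'EOF'
alice:100000:65536
bob:165536:65536
carol:200000:65536
dave:300000:1000
EOF
cp "$tmp/subuid" "$tmp/subgid"
for u in alice bob carol dave erin; do
    subid_ok "$tmp/subuid" "$u" && echo "$u: ok"
done
idmap_lines "$tmp/subuid" "$tmp/subgid" alice
rm -rf "$tmp"
```

On a real host call `subid_ok /etc/subuid "$USER"` and `subid_ok /etc/subgid "$USER"` before lxc-create; the two lines idmap_lines prints go into the container config (or ~/.config/lxc/default.conf for all new unprivileged containers).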