I am still faced with the situation where if I run sh inside my container then 
any command I try to execute such as /bin/ls returns permission denied.

Any clue as to what I need to adjust to enable me to get inside my container as 
to inspect and try stuff out?

--
Yannick Koehler

________________________________
From: lxc-users <lxc-users-boun...@lists.linuxcontainers.org> on behalf of 
Saint Michael <vene...@gmail.com>
Sent: June 15, 2020 8:58 AM
To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
Subject: Re: [lxc-users] Running unprotected system container

I have the same issue with plain LXC. Can somebody please post a container 
config that would have the same rights as the host?
I actually move around my app in a container, the host is immaterial. It used 
to work fine until I upgraded Ubuntu to 20.04, since then I get permission 
denied on a fifo located in /tmp.
I need to load kernel modules, etc. It has to be on equal footing with the host.


On Mon, Jun 15, 2020 at 8:41 AM Koehler, Yannick 
<yannick.koeh...@hpe.com> wrote:
First, thanks for the detailed and fast response, very appreciated.

As indicated, the code that will run inside that container is our previous OS 
and if it does bad things, well, that means it was doing so previously, so not a 
"bigger" issue than it was before.  Since, if that works, we will move more 
towards snap, we will then have a better security system (AppArmor, SecComp, 
better app separation, etc.) in place to remove trust for each app and get rid 
eventually of that container, whose purpose as indicated is to ease the 
transition and get some of the features we want from Ubuntu Core in an early 
release, if we do get this to work.

--
Yannick Koehler
________________________________
From: lxc-users <lxc-users-boun...@lists.linuxcontainers.org>
 on behalf of Fajar A. Nugraha <l...@fajar.net>
Sent: June 13, 2020 12:53 AM
To: LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
Subject: Re: [lxc-users] Running unprotected system container

On Sat, Jun 13, 2020 at 9:41 AM Koehler, Yannick
<yannick.koeh...@hpe.com> wrote:
>
> Hi,
>
> I am in a situation where we desire to run our old OS environment inside 
> Ubuntu Core.  So far we have identified LXD as being a candidate to enable us 
> to run our past Linux OS environment within the new one.
>
> At this time our goal is to apply the least amount of modification to our 
> existing OS in order to test and validate such an approach.
>
> I, therefore, need to run an LXC container with pretty much zero security, as 
> to allow the old OS to load kernel modules, access /proc, /sys, etc.


> Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I 
> obtained an error as the profile 'none' was not found by the seccomp profile 
> reader.  I am wondering if this is a problem with lxc itself or with 
> UbuntuCore not providing a definition of what a seccomp "none" profile would 
> be.

Start from 
https://discuss.linuxcontainers.org/t/lxd-raw-lxc-lxc-net-i-script-up/1131/4

Then create something like

/var/snap/lxd/common/lxd/extra/unrestricted.conf
------------------------------------------------
lxc.cap.drop =
lxc.apparmor.profile = unconfined
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
lxc.cgroup.devices.allow = c *:* rwm
lxc.cgroup.devices.allow = b *:* rwm
lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf


/var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
--------------------------------------------------------
2
blacklist
# v2 allows comments after the second line, with '#' in first column,
# blacklist will allow syscalls by default


Then put it on your lxd config
config:
  raw.lxc: lxc.include=/var/snap/lxd/common/lxd/extra/unrestricted.conf


Totally unsupported, you're on your own if something bad happens, etc.
I was able to run mknod, "losetup -a", mount, and modprobe from my
container, running lxd from snap under ubuntu 20.04 host (might be
relevant for you since ubuntu core also uses lxd from snap)

--
Fajar
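To make it easy to see exactly which confinement layers the two files above switch off, here is an added audit script (my own example, not code from the thread or from LXC/LXD). It parses the lxc.conf key=value syntax and the seccomp v2 profile format described in the message (version line, default policy line, then syscall names with '#' comments), and reports each layer that is disabled; the two sample files are the ones posted above, embedded as constructed strings.

```python
# Constructed samples: the two files posted in the thread, reproduced verbatim.
SAMPLE_CONF = """\
lxc.cap.drop =
lxc.apparmor.profile = unconfined
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
lxc.cgroup.devices.allow = c *:* rwm
lxc.cgroup.devices.allow = b *:* rwm
lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
"""
SAMPLE_SECCOMP = """\
2
blacklist
# v2 allows comments after the second line, with '#' in first column,
# blacklist will allow syscalls by default
"""

def parse_lxc_conf(text):
    """Return (key, value) pairs in file order; repeated keys are kept."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def parse_seccomp_v2(text):
    """Line 1: version, line 2: default policy, rest: syscall names or '#' comments."""
    lines = text.splitlines()
    if len(lines) < 2 or lines[0].strip() != "2":
        raise ValueError("not a version-2 seccomp profile")
    policy = lines[1].strip()
    if policy not in ("blacklist", "whitelist"):
        raise ValueError("unknown default policy: %r" % policy)
    return policy, [l.strip() for l in lines[2:] if l.strip() and not l.startswith("#")]

def audit(conf_text, seccomp_text):
    """List which confinement layers the config switches off."""
    findings = []
    for key, value in parse_lxc_conf(conf_text):
        if key == "lxc.cap.drop" and value == "":
            findings.append("capabilities: none dropped")
        elif key == "lxc.apparmor.profile" and value == "unconfined":
            findings.append("apparmor: unconfined")
        elif key == "lxc.cgroup.devices.allow" and value.endswith(" *:* rwm"):
            findings.append("devices: all %s devices rwm" % value[0])
    policy, syscalls = parse_seccomp_v2(seccomp_text)
    if policy == "blacklist" and not syscalls:
        findings.append("seccomp: empty blacklist, every syscall allowed")
    return findings
```

Running audit(SAMPLE_CONF, SAMPLE_SECCOMP) lists all five findings, which is the point of the config: every layer that normally separates a container from the host is off.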
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users