Re: [DNG] Any parties interested in lxc ?
On 11/10/2020 02:52, Simon Walter wrote:
--snip--
> I use Qemu/KVM for Windows development.

I currently use Qemu/KVM for customising\slipstreaming Windows installation image, everything else Windows related I do in a VM is just playing.
Ever taken a look at ReactOS ?

> What is your use case for LXC?

Was to be OS installation image development for various legacy platforms that are no longer supported (since wheezy).
Once I had LXC functioning fully on my x86_64 workstation I was then going to clone the configuration over to an ARM platform to build images for Marvell Kirkwood (and Raspberry Pi for fun).

> Did you mention USB passthrough?

No, not got that far yet.
The unsurpassable stumbling block I have hit is related to lack of support for kernel interaction within a namespace, kernel <> userspace messaging fails and so does everything that depends on it.

> Depending on what you're developing, you
> may want to have several targets including physical computers.

If there wasn't any physical computers and other people using them I wouldn't spend hours sat at one mucking with software ;).

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Any parties interested in lxc ?
On 2020-10-11 08:10, g4sra via Dng wrote:
> On 10/10/2020 21:47, Simon Walter wrote:
>> On 2020-10-08 21:08, g4sra via Dng wrote:
>> -- snip --
>>>
>>> Anybody enlighten me about the meaning of the phrase...
>>>
>>> 'The controller seems to be unused by "cgfsng" cgroup driver or not enabled
>>> on the cgroup hierarchy'
>>
>> Sorry for the late reply.
> No problem. Real life comes first ;)
>
>>
>> How have you set up cgroups? Cgroups has changed and my old set up
>> didn't work after upgrading from Jessie.
>
> I eventually deciphered the issue, partial configuration of pam_cgfs.so in
> /etc/pam.d/common-session{,-noninteractive}
>
> However I am finding shortfalls with cgroups and namespaces functionality,
> and Debian packaging with SystemD creep.
> I am being drawn to the conclusion that LXC is not suitable for system
> containers (or developing systems - my intended use), and are best suited for
> pure Application daemons such as HTTP or DNS.
> I am currently considering rebuilding a Qemu/KVM development environment

I use Qemu/KVM for Windows development.

What is your use case for LXC? Did you mention USB passthrough? Depending on what you're developing, you may want to have several targets including physical computers.
Re: [DNG] Any parties interested in lxc ?
On 10/10/2020 21:47, Simon Walter wrote:
> On 2020-10-08 21:08, g4sra via Dng wrote:
> -- snip --
>>
>> Anybody enlighten me about the meaning of the phrase...
>>
>> 'The controller seems to be unused by "cgfsng" cgroup driver or not enabled
>> on the cgroup hierarchy'
>
> Sorry for the late reply.

No problem. Real life comes first ;)

>
> How have you set up cgroups? Cgroups has changed and my old set up
> didn't work after upgrading from Jessie.

I eventually deciphered the issue, partial configuration of pam_cgfs.so in /etc/pam.d/common-session{,-noninteractive}

However I am finding shortfalls with cgroups and namespaces functionality, and Debian packaging with SystemD creep.
I am being drawn to the conclusion that LXC is not suitable for system containers (or developing systems - my intended use), and are best suited for pure Application daemons such as HTTP or DNS.
I am currently considering rebuilding a Qemu/KVM development environment
Re: [DNG] Any parties interested in lxc ?
On 2020-10-08 21:08, g4sra via Dng wrote:
> On 08/10/2020 04:30, Simon Walter wrote:
>> On 2020-10-05 11:23, tom wrote:
>> ...
>>>
>>> I would appreciate if we kept this on-board unless needed. Never know
>>> when someone in the future might find it useful.
>>>
>>
>> I would appreciate that too!
>>
>
> Current issue.. loop device not accessible...
>
> lxc-start c1 20201007205137.329 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:204 - There is no useable devices controller
> lxc-start c1 20201007205137.329 ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2191 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
> lxc-start c1 20201007205137.329 WARN cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2228 - Failed to set "devices.allow" to "b 7:* rwm"
> lxc-start c1 20201007205137.329 ERROR start - start.c:lxc_spawn:1814 - Failed to setup legacy device cgroup controller limits
>
> Anybody enlighten me about the meaning of the phrase...
>
> 'The controller seems to be unused by "cgfsng" cgroup driver or not enabled
> on the cgroup hierarchy'

Sorry for the late reply.

How have you set up cgroups? Cgroups has changed and my old set up didn't work after upgrading from Jessie.
Re: [DNG] Any parties interested in lxc ?
On 08/10/2020 04:30, Simon Walter wrote:
> On 2020-10-05 11:23, tom wrote:
> ...
>>
>> I would appreciate if we kept this on-board unless needed. Never know
>> when someone in the future might find it useful.
>>
>
> I would appreciate that too!
>

Current issue.. loop device not accessible...

lxc-start c1 20201007205137.329 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:204 - There is no useable devices controller
lxc-start c1 20201007205137.329 ERROR cgfsng - cgroups/cgfsng.c:cg_legacy_set_data:2191 - Failed to setup limits for the "devices" controller. The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy
lxc-start c1 20201007205137.329 WARN cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2228 - Failed to set "devices.allow" to "b 7:* rwm"
lxc-start c1 20201007205137.329 ERROR start - start.c:lxc_spawn:1814 - Failed to setup legacy device cgroup controller limits

Anybody enlighten me about the meaning of the phrase...

'The controller seems to be unused by "cgfsng" cgroup driver or not enabled on the cgroup hierarchy'
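The errors in this post name the "devices" cgroup controller, and another reply in the thread traces them to a partial pam_cgfs.so setup. The shell triage below is an added example, not from the thread or from LXC: it pulls the failed controller and the rejected rule out of an lxc-start log, looks the controller up in a /proc/self/cgroup style file, and checks each PAM file for pam_cgfs.so. The function names are hypothetical, and treating a missing -c option as "all controllers" is an assumption.

```sh
#!/bin/sh
# Added example: triage for lxc-start "devices" controller failures.

# failed_controllers LOG -> controllers LXC could not set limits on.
failed_controllers() {
    sed -n 's/.*Failed to setup limits for the "\([^"]*\)" controller.*/\1/p' "$1" | sort -u
}

# rejected_rules LOG -> "key value" pairs LXC failed to write.
rejected_rules() {
    sed -n 's/.*Failed to set "\([^"]*\)" to "\([^"]*\)".*/\1 \2/p' "$1"
}

# controller_path CONTROLLER [CGROUP_FILE]
# Lines look like "ID:controller[,controller...]:/path" (cgroups(7)).
# Prints the caller's path in the v1 hierarchy carrying CONTROLLER,
# returns 1 when no listed hierarchy carries it.
controller_path() {
    awk -F: -v c="$1" '
        {
            n = split($2, ctl, ",")
            for (i = 1; i <= n; i++) if (ctl[i] == c) { print $3; found = 1; exit }
        }
        END { exit !found }
    ' "${2:-/proc/self/cgroup}"
}

# pam_cgfs_controllers PAM_FILE
# Prints the -c list of the first uncommented pam_cgfs.so line, or "all"
# when the line has no -c (assumed default); returns 1 if there is no line.
pam_cgfs_controllers() {
    awk '
        /^[ \t]*#/ { next }
        /pam_cgfs\.so/ {
            list = "all"
            for (i = 1; i < NF; i++) if ($i == "-c") list = $(i + 1)
            print list; found = 1; exit
        }
        END { exit !found }
    ' "$1"
}

# triage LOG CGROUP_FILE PAM_FILE...
# One finding per line for every controller the log reports as failed.
triage() {
    tr_log=$1; tr_cg=$2; shift 2
    for tr_c in $(failed_controllers "$tr_log"); do
        if tr_p=$(controller_path "$tr_c" "$tr_cg"); then
            echo "$tr_c: v1 hierarchy present, caller is in cgroup $tr_p"
        else
            echo "$tr_c: not attached to any v1 hierarchy listed in $tr_cg"
        fi
        for tr_f in "$@"; do
            if tr_list=$(pam_cgfs_controllers "$tr_f"); then
                case ",$tr_list," in
                    *",$tr_c,"* | *",all,"*) echo "$tr_f: pam_cgfs.so covers $tr_c" ;;
                    *) echo "$tr_f: pam_cgfs.so -c list omits $tr_c" ;;
                esac
            else
                echo "$tr_f: no active pam_cgfs.so line"
            fi
        done
    done
}
```

Called as `triage lxc.log /proc/self/cgroup /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive`, it reports a PAM file that lacks the module or leaves the failed controller out of its list, and `rejected_rules` shows which device rule (here `b 7:* rwm`, the loop devices) was never applied.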
Re: [DNG] Any parties interested in lxc ?
On 2020-10-05 11:23, tom wrote:
...
>
> I would appreciate if we kept this on-board unless needed. Never know
> when someone in the future might find it useful.
>

I would appreciate that too!

I use it mainly on servers, but also some dev env. I used the LXC and Debian documentation to get started and then experimentation.
Re: [DNG] Any parties interested in lxc ?
>> Can I put attachments on emails to the dyne mailing lists?
> No idea, so I attached one to see what would happen...

The attachment showed up, you might as well run it and post the output (on the list or direct, whichever you prefer) to give me a starting reference.
Re: [DNG] Any parties interested in lxc ?
On 06/10/2020 04:36, tom wrote:
> On Mon, 5 Oct 2020 11:30:10 +0100
> g4sra via Dng wrote:
--snip--
>
> Unprivileged containers I still have not figured out how to generate.

If you would like I may be able to give guidance on generating them in Devuan. You would have to translate that into Ubuntu yourself, I only install it for other Users and do not use Ubuntu myself so lack the required familiarity.

> I
> have a script that creates unprivileged containers and lxc comes with
> a template downloader script. However those templates are downloaded
> from some Ansible server hosted on Canonical's website. The images are
> generated from /HIGHLY/ abstracted Ansible templates, not actual
> source code or bash scripts. Because of this it's very difficult to
> figure out what's really going on as the specifics are all abstracted
> away.

One of Canonical's business practices that made me veer away from Ubuntu years ago.

> The difference between a script that builds a Devuan image for
> a container and a script that builds a Devuan image for a container
> then 'underprivilegizes' it with subuids/subgids.

Actually quite easy to unpriviledgise (is that a 'word'?) a container. I used that technique to debug my LXC configuration, copying a working container built by 'root' I knew any issues were of my creation.

> Maybe you being a Redhat stuff expert

Please, no, not an 'expert', more a dysfunctional geek, and not of Red Hat. There were only two true contenders for business use back then, Red Hat or SUSE. I preferred the American Style to the German Style, but it was a very close call otherwise.
Red Hat was good when it was built by two guys, the pioneer of the two working from his bedroom. It was even better when the Community rallied and he built a team around him. Then commercial interests took over, and since the RHEL split with the move from Fedora Core to Fedora it's been downhill ever since. I don't like Red Hat(IBM), and that is why I am here.

> would be able to enlighten us
> on that and I could then modify my script to be able to create
> unprivileged containers too instead of relying on some Canonical
> webserver always being up and accessible or having to build out a QA
> server when I really don't need one just to create local containers.

Ok let's have a crack at it, remote administration by proxy.
Let's split the unprivileged task to avoid muddying the waters...
Which would you like to try first, system (root) containers or User containers ?
And does the following create a working privileged container OK ?

~ $ lxc-create -n beowulf -t download -- -d devuan -r beowulf -a amd64

> Can I put attachments on emails to the dyne mailing lists?

No idea, so I attached one to see what would happen...

lxc-check.sh
Description: application/shellscript
Re: [DNG] Any parties interested in lxc ?
On Mon, 5 Oct 2020 11:30:10 +0100 g4sra via Dng wrote:
>
> Hi Tom,
>
> This is my current thinking with regard to a LXC Container system for
> building OS images and support software. The host workstation has all
> the standard development tools ('build-essential' etc) that any/all
> containers would normally need. This can be updated as required (in
> effect, updating all containers).
>
> The containers must run unprivileged as both the software being
> built and the build software itself may be of dubious quality
> (especially if I wrote it).
>
> Container1:
>     bind,ro mounts the host filesystem providing development tool access
>     overlayfs a delta filesystem on which required tools\libraries etc can be built
>
> ContainerN: repeat above as often as required
>
> ContainerX:
>     bind,ro mounts the host filesystem providing development tool access
>     bind,ro mounts CN deltas to provide access to the tools\libraries
>     overlayfs a delta filesystem on which the test OS can be built
>
> Can you:
>     see anything wrong with the proposed above where container
>     superuser privileges and device access would allow corruption of
>     either the Host or of a neighbouring container ?
>     think of anything builds require that I have not made allowance for ?
>     detail a better way for obtaining my goal ?
>
> Appreciate your comments Tom.
> Charlie

That all should be possible. As for mounting external directories, I know that's possible but I have not personally tried that. I came across that reading documentation. However I do have hypervisor mountpoints inside of a container's rootfs.

Unprivileged containers I still have not figured out how to generate. I have a script that creates unprivileged containers and lxc comes with a template downloader script. However those templates are downloaded from some Ansible server hosted on Canonical's website. The images are generated from /HIGHLY/ abstracted Ansible templates, not actual source code or bash scripts. Because of this it's very difficult to figure out what's really going on as the specifics are all abstracted away. The difference between a script that builds a Devuan image for a container and a script that builds a Devuan image for a container then 'underprivilegizes' it with subuids/subgids. Maybe you being a Redhat stuff expert would be able to enlighten us on that and I could then modify my script to be able to create unprivileged containers too instead of relying on some Canonical webserver always being up and accessible or having to build out a QA server when I really don't need one just to create local containers.

Can I put attachments on emails to the dyne mailing lists?

--
Suppose for a moment that the automobile industry had developed at the same rate as computers and over the same period: how much cheaper and more efficient would the current models be? If you have not already heard the analogy, the answer is shattering. Today you would be able to buy a Rolls-Royce for $2.75, it would do three million miles to the gallon, and it would deliver enough power to drive the Queen Elizabeth II. And if you were interested in miniaturization, you could place half a dozen of them on a pinhead.
-- Christopher Evans
Re: [DNG] Any parties interested in lxc ?
On Mon, 5 Oct 2020 12:22:27 -0400 Hendrik Boom wrote:
> On Sat, Oct 03, 2020 at 11:04:23AM +0100, g4sra via Dng wrote:
> > I am seeking any Devuaners with an interest in lxc to bounce ideas
> > off.
> >
> > I wish to move to multi-fully-containerised development but am
> > repeatedly stumbling along the way. Unfortunately the official lxc
> > resources do not help much with the (systemd-less) issues I am
> > having. I find bouncing (sometimes stupid - I find playing devil's
> > advocate can really help) ideas off other people often helps
> > understanding and can lead to solving the problems.
> >
> > If anybody out there with practical experience or interest in lxc
> > would like to be electronically pestered, please reply direct to me
> > off list.
>
> No practical experience.
> But is there any chance lxc can play nicely with random USB devices?
> Or the built-in camera and microphone?
>
> -- hendrik

I think so, you can write hardware device exception rules, though I have not played with this myself. Only to fix containment and AppArmor breakage on a server.
Re: [DNG] Any parties interested in lxc ?
On 05/10/2020 16:50, g4sra via Dng wrote:
> Hi Tom, Mason, Anybody else...
>
> Beowulf lxc 1:3.1.0+really3.0.3-8 amd64 is broken.
>
> Simple test I picked up from the internet:
>
> ~# lxc-usernsexec
> Failed to find subuid or subgid allocation
--snip--
>
> Considering what steps to take next...

None...

After some tracing it seems that lxc-usernsexec is only failing for the default case. When used internally by LXC, it appears lxc-usernsexec is always passed arguments and therefore this bug has little impact.
Re: [DNG] Any parties interested in lxc ?
On 05/10/2020 17:22, Hendrik Boom wrote:
--snip--
>
> No practical experience.
> But is there any chance lxc can play nicely with random USB devices? Or
> the built-in camera and microphone?

Never tried, not got that far.
Importing (is that the correct jargon?) a device into a LXC Container seems trivial enough. I would imagine "random" USB devices might be a bit of a struggle though, the device needs to be present before the container is spun up as far as I can tell. A KVM/QEMU VM can do it, and does frequently for me.

>
> -- hendrik
Re: [DNG] Any parties interested in lxc ?
On Sat, Oct 03, 2020 at 11:04:23AM +0100, g4sra via Dng wrote:
> I am seeking any Devuaners with an interest in lxc to bounce ideas off.
>
> I wish to move to multi-fully-containerised development but am repeatedly
> stumbling along the way.
> Unfortunately the official lxc resources do not help much with the
> (systemd-less) issues I am having.
> I find bouncing (sometimes stupid - I find playing devil's advocate can really
> help) ideas off other people often helps understanding and can lead to
> solving the problems.
>
> If anybody out there with practical experience or interest in lxc would like
> to be electronically pestered, please reply direct to me off list.

No practical experience.
But is there any chance lxc can play nicely with random USB devices? Or the built-in camera and microphone?

-- hendrik
Re: [DNG] Any parties interested in lxc ?
Hi Tom, Mason, Anybody else...

Beowulf lxc 1:3.1.0+really3.0.3-8 amd64 is broken.

Simple test I picked up from the internet:

~# lxc-usernsexec
Failed to find subuid or subgid allocation

On a host configured for unprivileged containers it should drop you into unprivileged 'root' mode:

~# ./lxc-usernsexec
# id
uid=0(root) gid=0(root) groups=0(root)
# ls -ld /root
drwx------ 29 nobody nogroup 4096 Oct 5 16:43 /root

The current lxc git HEAD works fine (see above, confirmation my host is correctly configured).

./init.lxc --version
4.0.0-devel

Considering what steps to take next...
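The "Failed to find subuid or subgid allocation" message above, and the subuid/subgid step discussed elsewhere in the thread, both come down to the user's entries in /etc/subuid and /etc/subgid. The following shell helper is an added example, not from the thread or the LXC project: it looks up a user's ranges and prints the matching lxc.idmap lines. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: read a user's subordinate ID ranges and derive lxc.idmap.
# /etc/subuid and /etc/subgid hold lines of the form name:start:count,
# see subuid(5).

# subid_range FILE USER
# Prints "START COUNT" for USER's first entry in FILE; returns 1 if none.
subid_range() {
    awk -F: -v u="$2" '
        $1 == u && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $2, $3; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# idmap_lines USER [SUBUID_FILE] [SUBGID_FILE]
# Prints the lxc.idmap lines that map container IDs 0..COUNT-1 onto the
# user's subordinate ranges. Returns 1 and explains on stderr when either
# allocation is missing, which is the condition lxc-usernsexec reports.
idmap_lines() {
    im_user=$1
    im_subuid=${2:-/etc/subuid}
    im_subgid=${3:-/etc/subgid}

    im_u=$(subid_range "$im_subuid" "$im_user") || {
        echo "no subuid allocation for $im_user in $im_subuid" >&2
        return 1
    }
    im_g=$(subid_range "$im_subgid" "$im_user") || {
        echo "no subgid allocation for $im_user in $im_subgid" >&2
        return 1
    }

    # A Debian-style rootfs owns files up to nobody/nogroup (65534), so a
    # range shorter than 65536 cannot represent every owner in the image.
    for im_r in "$im_u" "$im_g"; do
        [ "${im_r#* }" -ge 65536 ] ||
            echo "warning: range '$im_r' is shorter than 65536 IDs" >&2
    done

    echo "lxc.idmap = u 0 $im_u"
    echo "lxc.idmap = g 0 $im_g"
}

# Run directly with a user name, e.g.  sh idmap.sh "$(id -un)"
if [ "$#" -gt 0 ]; then
    idmap_lines "$@"
fi
```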
Re: [DNG] Any parties interested in lxc ?
On 05/10/2020 03:23, tom wrote:
> On Sat, 3 Oct 2020 11:04:23 +0100
> g4sra via Dng wrote:
>
>> I am seeking any Devuaners with an interest in lxc to bounce ideas
>> off.
-- snip --
>
> Hello g4sra, I run LXC on Devuan, and have done so even through the
> ascii->beowulf migration. I have some custom scripts and such for doing
> so, but found the devuan gitlab a little overwhelming and a lack of
> interest by other devuaners with LXC. If you're interested in
> Devuan+OpenRC+LXC I'm probably your man.
>
> I would appreciate if we kept this on-board unless needed. Never know
> when someone in the future might find it useful.
>

Hi Tom,

This is my current thinking with regard to a LXC Container system for building OS images and support software.
The host workstation has all the standard development tools ('build-essential' etc) that any/all containers would normally need. This can be updated as required (in effect, updating all containers).

The containers must run unprivileged as both the software being built and the build software itself may be of dubious quality (especially if I wrote it).

Container1:
    bind,ro mounts the host filesystem providing development tool access
    overlayfs a delta filesystem on which required tools\libraries etc can be built

ContainerN: repeat above as often as required

ContainerX:
    bind,ro mounts the host filesystem providing development tool access
    bind,ro mounts CN deltas to provide access to the tools\libraries
    overlayfs a delta filesystem on which the test OS can be built

Can you:
    see anything wrong with the proposed above where container superuser privileges and device access would allow corruption of either the Host or of a neighbouring container ?
    think of anything builds require that I have not made allowance for ?
    detail a better way for obtaining my goal ?

Appreciate your comments Tom.
Charlie
Re: [DNG] Any parties interested in lxc ?
On Sat, 3 Oct 2020 11:04:23 +0100 g4sra via Dng wrote:
> I am seeking any Devuaners with an interest in lxc to bounce ideas
> off.
>
> I wish to move to multi-fully-containerised development but am
> repeatedly stumbling along the way. Unfortunately the official lxc
> resources do not help much with the (systemd-less) issues I am
> having. I find bouncing (sometimes stupid - I find playing devil's
> advocate can really help) ideas off other people often helps
> understanding and can lead to solving the problems.
>
> If anybody out there with practical experience or interest in lxc
> would like to be electronically pestered, please reply direct to me
> off list.
>
> Charlie.

Hello g4sra, I run LXC on Devuan, and have done so even through the ascii->beowulf migration. I have some custom scripts and such for doing so, but found the devuan gitlab a little overwhelming and a lack of interest by other devuaners with LXC. If you're interested in Devuan+OpenRC+LXC I'm probably your man.

I would appreciate if we kept this on-board unless needed. Never know when someone in the future might find it useful.

--
"I honestly believe that the doctrine of hell was born in the glittering eyes of snakes that run in frightful coils watching for their prey. I believe it was born with the yelping, howling, growling and snarling of wild beasts... I despise it, I defy it, and I hate it."
-- Robert G. Ingersoll
[DNG] Any parties interested in lxc ?
I am seeking any Devuaners with an interest in lxc to bounce ideas off.

I wish to move to multi-fully-containerised development but am repeatedly stumbling along the way.
Unfortunately the official lxc resources do not help much with the (systemd-less) issues I am having.
I find bouncing (sometimes stupid - I find playing devil's advocate can really help) ideas off other people often helps understanding and can lead to solving the problems.

If anybody out there with practical experience or interest in lxc would like to be electronically pestered, please reply direct to me off list.

Charlie.