Re: [lxc-users] iptables kernel modules not loading in containers

2014-01-15 Thread Gandhi, Ibha (HP Software)
Hi John,

I am facing a similar issue too; the container throws this error:
ubuntu@root-local-machine-2:~$ iptables -L
FATAL: Could not load /lib/modules/3.11.0-12-generic/modules.dep: No such file or directory
iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

It'll be great if you can share what changes you made in init scripts.

Thanks,
- Ibha

From: lxc-users-boun...@lists.linuxcontainers.org 
[mailto:lxc-users-boun...@lists.linuxcontainers.org] On Behalf Of John Baker
Sent: Wednesday, January 15, 2014 2:09 AM
To: LXC users mailing-list
Subject: Re: [lxc-users] iptables kernel modules not loading in containers

Yes, that was it thanks.

On Tue, Jan 14, 2014 at 3:31 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
On Tue, Jan 14, 2014 at 03:00:32PM -0500, John Baker wrote:
> Hi,
>
> I'm using lxc in 12.04.4 LTS and seem to have a chronic issue with the
> iptables module not loading inside a container. I have found that it does
> sometimes work and my coworker never seems to have problems with it in the
> servers he runs. But it happens all the time on mine and I can't see
> anything at all that we do differently. Sometimes it will start running
> inside a container and then mysteriously have stopped next time I check in.
> I can't find any error messages pertaining to it besides the one I get when
> I try to load rules or view the set loaded.
>
> The only fix I have been able to come up with is to manually
> copy /lib/modules/-generic/modules.dep and net directory from
> the host into the container. Then it seems willing to load iptables modules
> consistently but always breaks when the kernel is updated on the host and
> has to be redone.
>
> Any ideas on what I might be missing? Is there a cgroup I should include
> for sharing iptables modules?
Kernel modules aren't loaded per-container but globally for the whole host.

It's not recommended (and usually blocked by either dropping the
capability or by having apparmor prevent it) to load modules from within
a container. Instead you should make sure all your kernel modules are
loaded from the host before you start your containers.

I suspect the difference between your server and your colleague's is
that he has some init scripts or something else calling iptables before
he starts his containers which will load any modules required by his
container.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users



--
John Baker
Network Administrator
Marlboro College
Phone: 451-7551 Cell: 490-0066

[lxc-users] Nested containers

2014-01-15 Thread brian mullan
Marc

Not sure if you saw all the latest LXC writeups that Stephane Graber posted
in the last month on LXC.

http://voices.canonical.com/tag/lxc/

Check under the entry titled:  Container Nesting

but also do a page search for "nest", as nesting is discussed in several of
the posts referred to by the above URL.

Brian

Re: [lxc-users] iptables kernel modules not loading in containers

2014-01-15 Thread John Baker
You just need to make sure that iptables is running on the host in some way
or another. If you run lsmod on it you should see these modules:

xt_multiport   12597  2
iptable_filter 12810  2
ip_tables  27473  1 iptable_filter
x_tables   29891  3 xt_multiport,iptable_filter,ip_tables

If it's not there it's not loaded and can't be shared with the containers. I
have the hosts on a separate and much more secure network so I didn't think
about a firewall.

The easiest thing is to install fail2ban on the host. It just watches ssh
or whatever services you define for brute force attacks by using iptables.
It's useful and sets iptables rules. Alternately setup a firewall on the
host or load the iptables modules in /etc/modules at boot on the host.


On Wed, Jan 15, 2014 at 3:25 AM, Gandhi, Ibha (HP Software) wrote:

>  Hi John,
>
>
>
> I am facing a similar issue too; the container throws this error:
>
> ubuntu@root-local-machine-2:~$ iptables -L
>
> FATAL: Could not load /lib/modules/3.11.0-12-generic/modules.dep: No such file or directory
>
> iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
>
> Perhaps iptables or your kernel needs to be upgraded.
>
>
>
> It’ll be great if you can share what changes you made in init scripts.
>
>
>
> Thanks,
>
> - Ibha
>
>
>
> *From:* lxc-users-boun...@lists.linuxcontainers.org [mailto:
> lxc-users-boun...@lists.linuxcontainers.org] *On Behalf Of *John Baker
> *Sent:* Wednesday, January 15, 2014 2:09 AM
> *To:* LXC users mailing-list
> *Subject:* Re: [lxc-users] iptables kernel modules not loading in containers
>
>
>
> Yes, that was it thanks.
>
>
>
> On Tue, Jan 14, 2014 at 3:31 PM, Stéphane Graber 
> wrote:
>
> On Tue, Jan 14, 2014 at 03:00:32PM -0500, John Baker wrote:
> > Hi,
> >
> > I'm using lxc in 12.04.4 LTS and seem to have a chronic issue with the
> > iptables module not loading inside a container. I have found that it
> does
> > sometimes work and my coworker never seems to have problems with it in
> the
> > servers he runs. But it happens all the time on mine and I can't see
> > anything at all that we do differently. Sometimes it will start running
> > inside a container and then mysteriously have stopped next time I check
> in.
> > I can't find any error messages pertaining to it besides the one I get
> when
> > I try to load rules or view the set loaded.
> >
> > The only fix I have been able to come up with is to manually
> > copy /lib/modules/-generic/modules.dep and net directory
> from
> > the host into the container. Then it seems willing to load iptables
> modules
> > consistently but always breaks when the kernel is updated on the host and
> > has to be redone.
> >
> > Any ideas on what I might be missing? Is there a cgroup I should include
> > for sharing iptables modules?
>
> Kernel modules aren't loaded per-container but globally for the whole host.
>
> It's not recommended (and usually blocked by either dropping the
> capability or by having apparmor prevent it) to load modules from within
> a container. Instead you should make sure all your kernel modules are
> loaded from the host before you start your containers.
>
> I suspect the difference between your server and your colleague's is
> that he has some init scripts or something else calling iptables before
> he starts his containers which will load any modules required by his
> container.
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
>
>
>
>
>
> --
>
> John Baker
>
> Network Administrator
>
> Marlboro College
>
> Phone: 451-7551 Cell: 490-0066
>
>



-- 
John Baker
Network Administrator
Marlboro College
Phone: 451-7551 Cell: 490-0066
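A host-side preflight for the advice in this thread (Stéphane's point that modules load globally for the whole host, and John's lsmod listing and /etc/modules suggestion), written as an added example rather than anything posted by the participants; the required-module list, the constructed lsmod sample and the function names are my own, and the module names are the four from the lsmod listing above:

```python
"""Host-side preflight: are the netfilter modules a container needs loaded?

Added example, not code from the thread. Modules load globally, so the
check runs on the host; the required list and the sample lsmod text are
constructed from the four modules John Baker listed."""
import os

# Load order matters for modprobe and /etc/modules: x_tables before its dependents.
REQUIRED_MODULES = ("x_tables", "ip_tables", "iptable_filter", "xt_multiport")

# Constructed sample in lsmod format (first column is the module name).
SAMPLE_LSMOD = """Module                  Size  Used by
xt_multiport           12597  2
iptable_filter         12810  2
ip_tables              27473  1 iptable_filter
x_tables               29891  3 xt_multiport,iptable_filter,ip_tables
"""


def loaded_modules(listing):
    """Module names from lsmod or /proc/modules text (first token per line)."""
    names = set()
    for line in listing.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Module":  # blank line or lsmod header
            continue
        names.add(parts[0])
    return names


def missing_modules(listing, required=REQUIRED_MODULES):
    """Required modules not present, kept in load order."""
    have = loaded_modules(listing)
    return [m for m in required if m not in have]


def etc_modules_lines(missing):
    """Lines to append to /etc/modules so the host loads them at boot."""
    return "".join(m + "\n" for m in missing)


def host_listing():
    """Read /proc/modules on a real host; fall back to the constructed sample."""
    if os.path.exists("/proc/modules"):
        with open("/proc/modules") as fh:
            return fh.read()
    return SAMPLE_LSMOD


if __name__ == "__main__":
    missing = missing_modules(host_listing())
    if missing:
        print("Load on the host before lxc-start (modprobe), or add to /etc/modules:")
        print(etc_modules_lines(missing), end="")
    else:
        print("All required netfilter modules are loaded on the host.")
```

Run it on the host, not in the container: inside a container the listing is the host's anyway, but modprobe there is blocked by the dropped capability or apparmor, as Stéphane notes.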

[lxc-users] Full network device access in the container

2014-01-15 Thread Piotr R
I seem to remember reading somewhere that I can expose all the host network
devices to a container by removing all network configuration in my lxc
config file. Is this correct?

Thanks,

Piotr

Re: [lxc-users] Full network device access in the container

2014-01-15 Thread Serge Hallyn
Quoting Piotr R (tytu...@gmail.com):
> I seem to remember reading somewhere that I can expose all the host network
> devices to a container by removing all network configuration in my lxc
> config file. Is this correct?

That depends now on your lxc version.  That used to be the case until
pretty recently, but it is a dangerous default because your container's
init is then talking in the same abstract unix socket ns as the host.
Which means 'halt' in the container (at least in rhel or ubuntu) can halt
your host.

With new enough lxc you may have to have a

lxc.network.type = none

entry in lxc.conf.

This incidentally requires an update to lxc.conf manpage...  Adding that
now.

-serge


Re: [lxc-users] Full network device access in the container

2014-01-15 Thread Piotr R
Sorry for not including lxc version. I am running lxc on Red Hat 6.4:
# rpm -qa | grep lxc
lxc-libs-0.9.0-2.el6.x86_64
lxc-0.9.0-2.el6.x86_64

When I used none for network type I got the following error:
lxc-start: invalid network type none
lxc-start: failed to read configuration file

So I presume I should just remove all lxc.network statements from my config
file to get it working.

Thanks,

Piotr


On Wed, Jan 15, 2014 at 12:11 PM, Serge Hallyn wrote:

> Quoting Piotr R (tytu...@gmail.com):
> > I seem to remember reading somewhere that I can expose all the host
> network
> > devices to a container by removing all network configuration in my lxc
> > config file. Is this correct?
>
> That depends now on your lxc version.  That used to be the case until
> pretty recently, but it is a dangerous default because your container's
> init is then talking in the same abstract unix socket ns as the host.
> Which means 'halt' in the container (at least in rhel or ubuntu) can halt
> your host.
>
> With new enough lxc you may have to have a
>
> lxc.network.type = none
>
> entry in lxc.conf.
>
> This incidentally requires an update to lxc.conf manpage...  Adding that
> now.
>
> -serge
>

Re: [lxc-users] Full network device access in the container

2014-01-15 Thread Serge Hallyn
Quoting Piotr R (tytu...@gmail.com):
> Sorry for not including lxc version. I am running lxc on Red Hat 6.4:
> # rpm -qa | grep lxc
> lxc-libs-0.9.0-2.el6.x86_64
> lxc-0.9.0-2.el6.x86_64
> 
> When I used none for network type I got the following error:
> lxc-start: invalid network type none
> lxc-start: failed to read configuration file
> 
> So I presume I should just remove all lxc.network statements from my config
> file to get it working.

Yes, in 0.9.0 that will work.

-serge


Re: [lxc-users] Full network device access in the container

2014-01-15 Thread Piotr R
Thanks for your help Serge.

Unfortunately I hit another problem. When I start my container with
networking commented out my console does not display the login prompt and I
see the following error messages after lxc-start:
udevd[74]: bind failed: Address already in use

udevd[74]: error binding control socket, seems udevd is already running

Here is my config file:

# cat /var/lib/lxc/clp/config
#lxc.network.type = empty
#lxc.network.flags = up
lxc.rootfs = /var/lib/lxc/clp/rootfs
lxc.utsname = clp
lxc.tty = 4
lxc.pts = 1024
lxc.mount = /var/lib/lxc/clp/fstab

And I use the following fstab file:
# cat /var/lib/lxc/clp/fstab
/dev  /var/lib/lxc/clp/rootfs/dev  none bind 0 0
/dev/pts  /var/lib/lxc/clp/rootfs/dev/pts  none bind 0 0
/sys  /var/lib/lxc/clp/rootfs/sys  none bind 0 0

/clp_data/data   /var/lib/lxc/clp/rootfs/data   none bind 0 0
/clp_data/encrypted-data /var/lib/lxc/clp/rootfs/encrypted-data none bind 0 0
/clp_data/cache-data /var/lib/lxc/clp/rootfs/cache-data none bind 0 0
/clp_data/core  /var/lib/lxc/clp/rootfs/core   none bind 0 0


If I uncomment lxc.network.* statements my container comes up with no
problems and my console works as expected.
Any ideas what the udev control socket is? How can I get my console login
prompt?

Thanks,

Piotr


On Wed, Jan 15, 2014 at 12:47 PM, Serge Hallyn wrote:

> Quoting Piotr R (tytu...@gmail.com):
> > Sorry for not including lxc version. I am running lxc on Red Hat 6.4:
> > # rpm -qa | grep lxc
> > lxc-libs-0.9.0-2.el6.x86_64
> > lxc-0.9.0-2.el6.x86_64
> >
> > When I used none for network type I got the following error:
> > lxc-start: invalid network type none
> > lxc-start: failed to read configuration file
> >
> > So I presume I should just remove all lxc.network statements from my
> config
> > file to get it working.
>
> Yes, in 0.9.0 that will work.
>
> -serge
>
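A small pre-start checker for the point Serge makes earlier in this thread (no lxc.network.* entries, or lxc.network.type = none on newer lxc, leaves the container's init in the host's network and abstract unix socket namespace), written as an added example and not code from the thread or from lxc itself; the sample config is constructed from the one Piotr posted above, and the function names are my own:

```python
"""Does an LXC 0.9-style config isolate the container's network namespace?

Added example, not code from the thread or from lxc. Per Serge's reply,
no lxc.network.* entries (and, on newer lxc, lxc.network.type = none)
leaves the container's init in the host's network and abstract unix
socket namespace, so 'halt' inside the container can halt the host."""

# Constructed from the config Piotr posted: both network lines commented out.
PIOTR_CONFIG = """# cat /var/lib/lxc/clp/config
#lxc.network.type = empty
#lxc.network.flags = up
lxc.rootfs = /var/lib/lxc/clp/rootfs
lxc.utsname = clp
lxc.tty = 4
lxc.pts = 1024
lxc.mount = /var/lib/lxc/clp/fstab
"""


def parse_lxc_config(text):
    """(key, value) pairs from an lxc config, skipping comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def network_types(text):
    """Every lxc.network.type value in order (a config may define several NICs)."""
    return [v for k, v in parse_lxc_config(text) if k == "lxc.network.type"]


def shares_host_network(text):
    """True when the container would run in the host's network namespace."""
    types = network_types(text)
    return not types or all(t == "none" for t in types)


def review(text):
    """One-line verdict for a config, suitable for a pre-start check."""
    if shares_host_network(text):
        return "host network namespace shared: 'halt' in the container can halt the host"
    return "isolated network namespace (types: %s)" % ", ".join(network_types(text))


if __name__ == "__main__":
    print(review(PIOTR_CONFIG))
    print(review("lxc.network.type = empty\nlxc.network.flags = up\n"))
```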

Re: [lxc-users] No configuration path defined

2014-01-15 Thread Geordie

> 
> On Tue, Jan 14, 2014 at 05:21:51PM -0500, Geordie wrote:
> > Good Day
> > 
> > I started out with this 
> > lxc-create -n lxctest -t debian /etc/lxc/lxc.conf  
> 
> Did you actually run that or did you mean:

>  lxc-create -n lxctest -t debian -f /etc/lxc/lxc.conf
Yes I did this. This morning I tried the debian template from git and
got the same message. 

Would systemd have any bearing on this? This is one of the
differences from the last time I tested lxc.

> > 
> > and this the return
> > 
> > lxc-create: no configuration path defined
> > 
> > Debian
> > kernel 3.12.1-amd64
> > 
> > lxc 0.9.0-alpha3-2+deb8ul done via apt-get
> > 
> > fresh install this week
> > 
> > I must have missed something but 2 months ago I did not have this
> > error.
> > 
> > Any help would be appreciated
> > 
> > and the lxc-debian template still has Squeeze as its main Suite
> > 
> > I even tried this
> > lxc-create -n lxctest -t debian
> > I get the same error
> > 
> > Thanks


[lxc-users] Looking for tech talks on lightweight containers

2014-01-15 Thread Chris Westin
I organize the speakers for the Bay Area Large-Scale Production Engineering
meetup (http://www.meetup.com/SF-Bay-Area-Large-Scale-Production-Engineering/ ;
take a look at the "PAST" tab to see the kinds of events we've had).

For our event on Thursday February 20, 2014, I'm looking for speakers on the
topic of "Lightweight Containers" (see 
http://www.meetup.com/SF-Bay-Area-Large-Scale-Production-Engineering/events/159390872/).
 I'm looking for talks
about Docker, LXC, ZeroVM, OpenVZ, and similar technologies.

As you can see from looking at our past events, I usually pick a topic, and
then try to get 2-3 talks on that topic. Talks are usually 20-25 minutes
long. This is a technical audience, and they don't appreciate a marketing
pitch. They're eager to get into the nuts and bolts of the topic, including
use cases, demos, code samples, and architecture.

If you're going to be in the Bay Area then, and would be interested in giving
a talk, please let me know here, or (preferably) through meetup.com.

Thanks,
Chris Westin

Re: [lxc-users] ./autogen ../configure make & make install

2014-01-15 Thread Rami Rosen
Hi,
The default path for libraries when running ./configure is /usr/local/lib

It seems to me that this path is not in the library path set on your host.

Do you still get this error if you first set the library path with:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib

Regards,
Rami Rosen
http://ramirose.wix.com/ramirosen




On Thu, Jan 16, 2014 at 1:13 AM, Geordie  wrote:
> Good Day
> I thought I would try something a little different. Seeing as how
> apt-get install lxc was unsuccessful, I thought I
> give ./autogen ../configure make & make install a try from git
> Well that did not work either.
>
> /opt/lxc-master# lxc-create -n lxctest -t debian -f /etc/lxc/lxc.conf
>
> lxc-create: error while loading shared libraries: liblxc.so.1: cannot
> open shared object file: No such file or directory
>
> I have enclosed the text file of my activities
> I hope this works
> Thanks
> Geordie
>
>


Re: [lxc-users] Full network device access in the container

2014-01-15 Thread Serge Hallyn
Quoting Piotr R (tytu...@gmail.com):
> Thanks for your help Serge.
> 
> Unfortunately I hit another problem. When I start my container with
> networking commented out my console does not display the login prompt and I
> see the following error messages after lxc-start:
> udevd[74]: bind failed: Address already in use
> 
> udevd[74]: error binding control socket, seems udevd is already running

You don't want to run udevd in your container anyway - disable it.

(To discuss any further we'd need to know more details about your setup -
host distro/release and customizations, and how precisely the container
was created.)

-serge