Re: [lxc-users] lxcbr0 doesn't exist after upgrade to 15.10

2015-10-27 Thread Norberto Bensa
2015-10-27 1:31 GMT-03:00 Fajar A. Nugraha :
> On Tue, Oct 27, 2015 at 6:20 AM, Norberto Bensa 
> wrote:
>>
>> This problem is related to network-manager (NM) or systemd.
>>
>> I tried to disable NM but I couldn't. NM started with every boot (does
>> systemd depend on it?). I switched to upstart. Now NM is down, lxcbr0
>> starts up.
>>
>> Everything works as it used to be including my routes and dns servers.
>>
>
> Workaround:
>
> - edit /etc/network/interfaces, add "iface lxcbr0 inet manual"
> - reboot
>

Tried and it fixed lxcbr0, but my /etc/resolv.conf is still b0rken.

For me, the real workaround is: disable network-manager and use upstart.

Thanks anyway Fajar. This looks like a bug in systemd/network-manager,
I'll report it.

Regards,
Norberto
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

[lxc-users] nodejs module fs in forever failing in cloned container

2015-10-27 Thread Mittelsdorf, Bjoern
Hi all,

I get an exception in a forever start routine in one of my containers. Funny 
thing is: It works in the original container but fails in clones of the 
original container.

I am pretty sure this is no lxc problem but a nodejs.forever or even a 
nodejs.fs problem, but maybe somebody has an idea for a hint.

My forever call starts a script and watches for file changes so it can restart 
the script. This works fine in the original but fails in the clone:

events.js:85
  throw er; // Unhandled 'error' event
^
Error: watch ENOSPC
    at exports._errnoException (util.js:746:11)
    at FSWatcher.start (fs.js:1172:11)
    at Object.fs.watch (fs.js:1198:11)
    at createFsWatchInstance (/var/share/nodejs/lib/node_modules/forever/node_modules/forever-monitor/node_modules/chokidar/lib/nodefs-handler.js:37:15)
    at setFsWatchListener (/var/share/nodejs/lib/node_modules/forever/node_modules/forever-monitor/node_modules/chokidar/lib/nodefs-handler.js:80:15)
    at EventEmitter.NodeFsHandler._watchWithNodeFs (/var/share/nodejs/lib/node_modules/forever/node_modules/forever-monitor/node_modules/chokidar/lib/nodefs-handler.js:228:14)
    at EventEmitter.NodeFsHandler._handleFile (/var/share/nodejs/lib/node_modules/forever/node_modules/forever-monitor/node_modules/chokidar/lib/nodefs-handler.js:255:21)
    at EventEmitter. (/var/share/nodejs/lib/node_modules/forever/node_modules/forever-monitor/node_modules/chokidar/lib/nodefs-handler.js:468:21)
    at FSReqWrap.oncomplete (fs.js:95:15)


Other people having issues with forever talked about 

fs.inotify.max_user_watches=524288 in /etc/sysctl.conf

User watches are not accumulated over all containers, or are they?

Best regards

Björn
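
Added example, not part of the original post: inotify(7) documents max_user_watches as a limit per real user ID, so processes that run under the same UID on the host draw on one budget whichever container they are in. The script below tallies watches per UID from /proc; it assumes a kernel that lists inotify watches in /proc/<pid>/fdinfo, and the function names are illustrative.

```python
import os
from collections import Counter

def real_uid(status_path):
    """Real UID from /proc/<pid>/status (first field of the 'Uid:' line)."""
    with open(status_path) as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return int(line.split()[1])
    raise OSError("no Uid line in " + status_path)

def watches_by_uid(proc_root="/proc"):
    """Sum inotify watches per UID across every visible process.

    Each watch is one 'inotify wd:' line in /proc/<pid>/fdinfo/<fd>.
    A descriptor inherited over fork() is counted once per holder, so
    treat the totals as an upper bound.
    """
    totals = Counter()
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            uid = real_uid(os.path.join(base, "status"))
            fds = os.listdir(os.path.join(base, "fdinfo"))
        except OSError:  # process exited, or we lack permission
            continue
        for fd in fds:
            try:
                with open(os.path.join(base, "fdinfo", fd)) as fh:
                    totals[uid] += sum(l.startswith("inotify wd:") for l in fh)
            except OSError:
                continue
    # Drop UIDs that hold descriptors but no watches.
    return {uid: n for uid, n in totals.items() if n}

def near_limit(totals, limit, threshold=0.9):
    """UIDs whose watch count is at or above threshold * limit."""
    return sorted(u for u, n in totals.items() if n >= threshold * limit)

if __name__ == "__main__":
    with open("/proc/sys/fs/inotify/max_user_watches") as fh:
        limit = int(fh.read())
    totals = watches_by_uid()
    for uid, n in sorted(totals.items()):
        print(f"uid {uid}: {n} of {limit} watches")
    print("near limit:", near_limit(totals, limit))
```

Run it as root on the host so that the fdinfo entries of container processes are readable.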

Re: [lxc-users] set "lxc.aa_allow_incomplete = 1" - where do I add it for lxd?

2015-10-27 Thread Tomasz Chmielewski

On 2015-10-27 23:36, Serge Hallyn wrote:
> Quoting Tomasz Chmielewski (man...@wpkg.org):
>> Thanks, it worked.
>>
>> How do I set other "lxc-style" values in lxd, like for example:
>>
>> lxc.network.ipv4 = 10.0.12.2/24
>> lxc.network.ipv4.gateway = 10.0.12.1
>> lxc.network.ipv6 = :::::55
>> lxc.network.ipv6.gateway = :2345:6789:::2
>
> You need to set a single lxc.raw to the whole multi-line value.

Hmm, what do you mean by that? Can you give an example?


Tomasz Chmielewski
http://wpkg.org


Re: [lxc-users] set "lxc.aa_allow_incomplete = 1" - where do I add it for lxd?

2015-10-27 Thread Tomasz Chmielewski

On 2015-10-27 23:54, Serge Hallyn wrote:

(...)

>> But it doesn't matter if it's bridged or routed - all I want to do is:
>>
>> - to set static IPv4 and IPv6 addresses, without doing so in the
>> container (works with lxc),
>>
>> - be sure lxd does not hang if I supply something incompatible in CLI :)
>
> Yeah, that one is bad!  Can you open an issue for that?

Added:

https://github.com/lxc/lxd/issues/1246


Tomasz Chmielewski
http://wpkg.org


Re: [lxc-users] re lxcbr0 doesn't exist after upgrade to 15.10

2015-10-27 Thread Serge Hallyn
Quoting brian mullan (bmullan.m...@gmail.com):
> Norberto
> 
> Great coincidence as I read your msg to the lxc-users list about the lxcbr0
> bridge
> disappearing after upgrade to Ubuntu 15.10.

Can you open a launchpad bug and describe there the system you upgraded
from?  (i.e. was it stock 14.04 with systemd?  desktop, with network-manager?
/etc/network/interfaces contents;  and what do you get when you run

journalctl -u lxc-net
/usr/lib/x86_64-linux-gnu/lxc/lxc-net stop
/usr/lib/x86_64-linux-gnu/lxc/lxc-net start

Re: [lxc-users] set "lxc.aa_allow_incomplete = 1" - where do I add it for lxd?

2015-10-27 Thread Serge Hallyn
Quoting Tomasz Chmielewski (man...@wpkg.org):
> On 2015-10-27 23:36, Serge Hallyn wrote:
> 
> >>Same "lxc config set containername", i.e.:
> >>
> >>lxc config set x1 raw.lxc "lxc.network.ipv4 = 10.0.12.2/24"
> >>lxc config set x1 raw.lxc "lxc.network.ipv4.gateway = 10.0.12.1"
> >>lxc config set x1 raw.lxc "lxc.network.ipv6 = :::::55"
> >>lxc config set x1 raw.lxc "lxc.network.ipv6.gateway =
> >>:2345:6789:::2"
> >>
> >>Or is there some other, more recommended way?
> >
> >Can you show fully what you want to do?  Are you aiming for a
> >routed config, or are you modifying a bridged nic device?
> 
> The above is mixed: routed IPv4 and bridged IPv6 config.
> 
> But it doesn't matter if it's bridged or routed - all I want to do is:
> 
> - to set static IPv4 and IPv6 addresses, without doing so in the
> container (works with lxc),
> 
> - be sure lxd does not hang if I supply something incompatible in CLI :)

Yeah, that one is bad!  Can you open an issue for that?

Re: [lxc-users] set "lxc.aa_allow_incomplete = 1" - where do I add it for lxd?

2015-10-27 Thread Serge Hallyn
Quoting Tomasz Chmielewski (man...@wpkg.org):
> On 2015-10-27 23:36, Serge Hallyn wrote:
> >Quoting Tomasz Chmielewski (man...@wpkg.org):
> >>Thanks, it worked.
> >>
> >>How do I set other "lxc-style" values in lxd, like for example:
> >>
> >>lxc.network.ipv4 = 10.0.12.2/24
> >>lxc.network.ipv4.gateway = 10.0.12.1
> >>lxc.network.ipv6 = :::::55
> >>lxc.network.ipv6.gateway = :2345:6789:::2
> >
> >You need to set a single lxc.raw to the whole multi-line value.
> 
> Hmm, what do you mean by that? Can you give an example?

cat | lxc config set w64 raw.lxc -
lxc.network.type = veth
lxc.network.ipv4 = 10.0.3.18

[lxc-users] Configuration for a bridged LXC container as a proxy web server

2015-10-27 Thread Itamar Gal
Hey lxc gang,

Here's the short version of my problem.

I have two LXC containers: lxc-proxy and lxc-app. I want to put lxc-proxy
on br0 with a (static) public IP address and on lxcbr0 (with a private IP),
and I want to put lxc-server on lxcbr0. Then I want to run Apache on
lxc-proxy as a proxy server to relay requests to a web application on
lxc-app.

I'm tinkering with both the lxc container configuration on the host and the
network interface configuration in the proxy container and I can get
different parts of this setup working at different times, but unfortunately
I can't seem to get everything working at once.


-


Now here's the longer version.

I'm a junior systems administrator working in a (very) small department
with a mostly-inherited environment; I'm new to Linux containers.

I have a server running Ubuntu 12.04.5 LTS (Precise Pangolin) with kernel
3.2.0-24-generic. I want to set up an LXC container to function as a proxy
web server with a public IP address and then have separate containers for
individual web applications on the private network. My thinking is that the
proxy server will be attached to the public interface as well as the lxc
virtual bridge (i.e. br0 and lxcbr0) and that the other containers will
only be attached to the virtual network (i.e. lxcbr0 only). If someone has
any advice regarding better ways to achieve this kind of separation then
I'd be interested in hearing that as well, but I'm primarily interested in
understanding what mistakes I'm making in trying to implement this solution.

There are two configuration files that I'm tinkering with. One is the lxc
configuration file (on the host) for the proxy server:

host:/var/lib/lxc/proxy-server/config

and the other is the network interface configuration file (in the
container):

proxy-server:/etc/network/interfaces

or equivalently:

host:/var/lib/lxc/proxy-server/rootfs/etc/network/interfaces

In order to put the proxy server on the public network I initially had the
following two configurations:

# lxc-proxy:/etc/network/interfaces - version 1

# The loopback network interface
auto lo
iface lo inet loopback

# The public network interface (i.e. br0 on the host)
auto eth0
iface eth0 inet static
address 1.2.3.4
netmask 255.255.255.224
network 1.2.3.0
broadcast 1.2.3.31
gateway 1.2.3.1
dns-nameservers 5.6.7.8 9.10.11.12
dns-search some.domain.com

and:

# host:/var/lib/lxc/lxc-proxy/config - version 1

lxc.network.type = veth
lxc.network.link = br0
lxc.network.name = eth0

[...]

This seems to work, in that I can access the proxy server at its public
address (e.g. 1.2.3.4) both on the local network and from elsewhere on the
internet. Then I try to add the virtual interface as well; so I have:

# lxc-proxy:/etc/network/interfaces - version 2

# The loopback network interface
auto lo
iface lo inet loopback

# The public network interface (i.e. br0 on the host)
auto eth0
iface eth0 inet static
address 1.2.3.4
netmask 255.255.255.224
network 1.2.3.0
broadcast 1.2.3.31
gateway 1.2.3.1
dns-nameservers 5.6.7.8 9.10.11.12
dns-search some.domain.com

# The virtual network interface (i.e. lxcbr0 on the host)
auto eth1
iface eth1 inet static
address 10.0.3.2
netmask 255.255.255.0
network 10.0.3.255
broadcast 10.0.3.255
gateway 10.0.3.1
dns-nameservers 5.6.7.8 9.10.11.12
dns-search some.domain.com

and:

# host:/var/lib/lxc/lxc-proxy/config - version 2

# The public network interface
lxc.network.type=veth
lxc.network.link=br0
lxc.network.name = eth0

# The virtual network interface
lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.name = eth1

[...]

Unfortunately with this configuration I can't even access the lxc-proxy
console (i.e. sudo lxc-console -n lxc-proxy); I get a blank screen.

After a little bit of web-searching I found some blog posts that suggest
avoiding the local /etc/network/interfaces files in the containers, and
performing all of the network configuration inside of the lxc configuration
files. My next iteration looks like this:


# lxc-proxy:/etc/network/interfaces - version 3

# The loopback network interface
auto lo
iface lo inet loopback

and:

# host:/var/lib/lxc/lxc-proxy/config - version 3

# The public network interface
lxc.network.type=veth
lxc.network.link=br0
lxc.network.ipv4=1.2.3.4/27 1.2.3.31
lxc.network.name = eth0
lxc.network.flags=up

# The virtual network interface
lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.ipv4=10.0.3.2/24
lxc.network.name = eth1
lxc.network.flags=up

[...]

With this configuration I'm able to access the lxc-proxy console and
everything appears to be working on the local network; lxc-proxy is
accessible via its private and public ip addresses and the Apache proxy
server on lxc-proxy is able to communicate with the application running on
lxc-app. However lxc-proxy is not publicly accessible by its public ip.

At this point I'm pretty thoroughly confused and I figure this 

Re: [lxc-users] Configuration for a bridged LXC container as a proxy web server

2015-10-27 Thread Fajar A. Nugraha
On Wed, Oct 28, 2015 at 12:00 AM, Itamar Gal  wrote:

> I have two LXC containers: lxc-proxy and lxc-app. I want to put lxc-proxy
> on br0 with a (static) public IP address and on lxcbr0 (with a private IP),
> and I want to put lxc-server on lxcbr0. Then I want to run Apache on
> lxc-proxy as a proxy server to relay requests to a web application on
> lxc-app.
>
>
If you need a private network with static IP assigned, create your own
bridge. Don't use lxcbr0.
Using lxcbr0 might work, but that's not what it's intended for, and may
lead to some unexpected problems. For example, one of your "normal"
containers can get a DHCP IP which you also use statically in your
"server", leading to IP conflict.



> iface eth0 inet static
> gateway 1.2.3.1
>


> iface eth1 inet static
> gateway 10.0.3.1
>


This isn't an lxc issue. You should spend some time learning networking
basics. On most normal configurations, no matter which OS you use, there
can only be one active gateway.

Unless you REALLY know what you're doing, remove the gateway line from your
private network interface.


> lxc.network.ipv4=1.2.3.4/27 1.2.3.31
> 
>

For clarity and simplicity, use only ONE of lxc-configuration (the "config"
file), or container-OS-side configuration (e.g. /etc/network/interfaces) to
specify IP address. Don't use both. In your case you'd probably be better off
with the container-OS-side.

-- 
Fajar
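
Added example, not part of the original reply: the single-gateway rule above can be checked mechanically with a small linter for static ifupdown stanzas, run here over the "version 2" file from the question (DNS lines and loopback omitted). It goes a little beyond the reply by also checking the network, broadcast and gateway fields against address/netmask; the function names are illustrative.

```python
import ipaddress
# The "version 2" container file quoted in the thread (addresses as posted).
SAMPLE = """\
auto eth0
iface eth0 inet static
address 1.2.3.4
netmask 255.255.255.224
network 1.2.3.0
broadcast 1.2.3.31
gateway 1.2.3.1
auto eth1
iface eth1 inet static
address 10.0.3.2
netmask 255.255.255.0
network 10.0.3.255
broadcast 10.0.3.255
gateway 10.0.3.1
"""

def parse_interfaces(text):
    """Return {iface: {option: value}} for each 'iface' stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None  # these lines end the current stanza
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def lint(text):
    """List problems: several default gateways, or fields that disagree."""
    stanzas, found = parse_interfaces(text), []
    gws = [name for name, opt in stanzas.items() if "gateway" in opt]
    if len(gws) > 1:
        found.append("multiple default gateways: " + ", ".join(gws))
    for name, opt in stanzas.items():
        if opt["method"] != "static" or not {"address", "netmask"} <= opt.keys():
            continue
        net = ipaddress.ip_network(f"{opt['address']}/{opt['netmask']}", strict=False)
        expect = {"network": net.network_address, "broadcast": net.broadcast_address}
        for key, want in expect.items():
            if key in opt and ipaddress.ip_address(opt[key]) != want:
                found.append(f"{name}: {key} {opt[key]} should be {want}")
        if "gateway" in opt and ipaddress.ip_address(opt["gateway"]) not in net:
            found.append(f"{name}: gateway {opt['gateway']} is outside {net}")
    return found

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```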

Re: [lxc-users] set "lxc.aa_allow_incomplete = 1" - where do I add it for lxd?

2015-10-27 Thread Tomasz Chmielewski

Interesting - this doesn't really work and hangs lxd:

1) first try:

root@srv7 ~ # lxc config set testct raw.lxc "lxc.network.ipv4=10.0.3.228/24"

error: problem applying raw.lxc, perhaps there is a syntax error?
root@srv7 ~ #

2) second try - it never returns:

root@srv7 ~ # lxc config set testct raw.lxc "lxc.network.ipv4=10.0.3.228/24"

(hangs here, no prompt)


3) in a different shell - also hangs and never returns:

root@srv7 ~ # lxc list


4) this also hangs and never returns:

root@srv7 ~ # service lxd stop



In the log, I can see:

lxc 1445956132.156 ERROR lxc_confile - confile.c:network_netdev:544 - network is not created for 'lxc.network.ipv4' = '10.0.3.228/.24' option
lxc 1445956132.156 ERROR lxc_parse - parse.c:lxc_file_for_each_line:57 - Failed to parse config: lxc.network.ipv4=10.0.3.228/.24



Tomasz




On 2015-10-27 10:02, Tomasz Chmielewski wrote:
> Thanks, it worked.
>
> How do I set other "lxc-style" values in lxd, like for example:
>
> lxc.network.ipv4 = 10.0.12.2/24
> lxc.network.ipv4.gateway = 10.0.12.1
> lxc.network.ipv6 = :::::55
> lxc.network.ipv6.gateway = :2345:6789:::2
>
> Same "lxc config set containername", i.e.:
>
> lxc config set x1 raw.lxc "lxc.network.ipv4 = 10.0.12.2/24"
> lxc config set x1 raw.lxc "lxc.network.ipv4.gateway = 10.0.12.1"
> lxc config set x1 raw.lxc "lxc.network.ipv6 = :::::55"
> lxc config set x1 raw.lxc "lxc.network.ipv6.gateway = :2345:6789:::2"
>
> Or is there some other, more recommended way?
>
> Tomasz
>
> On 2015-10-27 02:35, Serge Hallyn wrote:
>> That's an ideal use for 'lxc.raw'.
>>
>> lxc config set x1 raw.lxc "lxc.aa_allow_incomplete=1"
>>
>> The lxc configuration for lxd containers is auto-generated on each container
>> start, as is the apparmor policy.  The contents of the 'lxc.raw' config
>> item are appended to the auto-generated config.
>>
>> Quoting Tomasz Chmielewski (man...@wpkg.org):
>>> I get the following when starting a container with lxd:
>>>
>>>  Incomplete AppArmor support in your kernel
>>>  If you really want to start this container, set
>>>  lxc.aa_allow_incomplete = 1
>>>  in your container configuration file
>>>
>>> Where exactly do I set this with lxd? I don't really see a "config"
>>> file, like with lxc. Is it "metadata.yaml"? If so - how to set it
>>> there?


Tomasz Chmielewski
http://wpkg.org


Re: [lxc-users] set "lxc.aa_allow_incomplete = 1" - where do I add it for lxd?

2015-10-27 Thread Serge Hallyn
Quoting Tomasz Chmielewski (man...@wpkg.org):
> Thanks, it worked.
> 
> How do I set other "lxc-style" values in lxd, like for example:
> 
> lxc.network.ipv4 = 10.0.12.2/24
> lxc.network.ipv4.gateway = 10.0.12.1
> lxc.network.ipv6 = :::::55
> lxc.network.ipv6.gateway = :2345:6789:::2

You need to set a single lxc.raw to the whole multi-line value.

> Same "lxc config set containername", i.e.:
> 
> lxc config set x1 raw.lxc "lxc.network.ipv4 = 10.0.12.2/24"
> lxc config set x1 raw.lxc "lxc.network.ipv4.gateway = 10.0.12.1"
> lxc config set x1 raw.lxc "lxc.network.ipv6 = :::::55"
> lxc config set x1 raw.lxc "lxc.network.ipv6.gateway =
> :2345:6789:::2"
> 
> 
> Or is there some other, more recommended way?

Can you show fully what you want to do?  Are you aiming for a
routed config, or are you modifying a bridged nic device?

for the simple case you'd do

lxc config device add eth1 nic nictype=bridged hwaddr=...

but the things you want to set are not implemented.  They ought to
be, though.  Would you mind opening an issue at
github.com/lxc/lxd/issues
listing all the things you need?  (I'd like to first have stgraber
specify detailed configuration to make sure I don't come up with bad
keys that later become ambiguous or something)

> Tomasz