Re: [lxc-users] Create bridge between LXC Container and Ethernet device

2021-01-04 Thread Andrey Repin
Greetings, Patrick!

> I'm trying to create a bridge device between my LXC Container and my
> Ethernet Device, which has 2 public IPs. The bridge device creation fails,
> as you can see here: https://paste.debian.net/hidden/c81c8832/. I want to
> bridge the LXC Container with the secondary IP address of the Ethernet
> interface. Does somebody has an idea how to do that?

You said what you have, but you did not say what you want to achieve.


-- 
With best regards,
Andrey Repin
Monday, January 4, 2021 18:15:52

Sorry for my terrible english...

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users


Re: [lxc-users] Running unprotected system container

2020-06-22 Thread Andrey Repin
Greetings, Koehler!

> Ok you are not helpful, not sure why you are replying.

"Your answer is invalid, you should give me the answers I expect, everything
else is useless."

Sorry, but with such attitude, you get what you deserve.

>  My os already provides kernel modules and script within init to load them
> up and that actually works already.  And yes I want those modules loaded by
> my os in the container and made available to host as well.  I have no issue
> with that, I am fine with my os  container altering the shared kernel aspect.
>  
>  I am facing an issue where I can’t sgare eth0/eth1 since lxd is unable to
> add macvlan, getting “operation not supported” which I am trying to figure
> out is likely related to my linux kernel optiona, even thought
> CONFIG_MACVLAN os set to y, likely some other  options are missing.
>  
>  Anyway thanks for you opinion but so far things are very close to working.
>    
> On Jun 17, 2020, 9:35 AM -0400, Andrey Repin , wrote:
>  
>  Greetings, Koehler!
>  
>  
> But I do not want kernel virtualization, not sure where you saw me ask for
>  that, I want the exact opposite, I want the kernel to be share, meaning same
>  kernel, same instance, with just layers on top, exactly as system containers 
> do.
>  
>  
>  Then stop mentioning kernel modules loading. You can't load kernel modules,
>  if you don't drop to the kernel level.
>  
>  
> It is unconventional to run a system container without any security and
>  such, yet, as seen in the thread I am not alone, but very few.
>  
>  
>  Load kernel modules on the host and run your applications where they should
>  run.
>  Or use proper VM already.
>  
>  
>  --
>  With best regards,
>  Andrey Repin
>  Wednesday, June 17, 2020 16:23:01
>  
>  Sorry for my terrible english...
>  
>  
>


-- 
With best regards,
Andrey Repin
Monday, June 22, 2020 20:23:31

Sorry for my terrible english...


Re: [lxc-users] Running unprotected system container

2020-06-17 Thread Andrey Repin
Greetings, Koehler!

>  But I do not want kernel virtualization, not sure where you saw me ask for
> that, I want the exact opposite, I want the kernel to be share, meaning same
> kernel, same instance, with just layers on top, exactly as system containers 
> do.

Then stop mentioning kernel module loading. You can't load kernel modules if
you don't drop to the kernel level.

>  It is unconventional to run a system container without any security and
> such, yet, as seen in the thread I am not alone, but very few.

Load kernel modules on the host and run your applications where they should
run.
Or use proper VM already.


-- 
With best regards,
Andrey Repin
Wednesday, June 17, 2020 16:23:01

Sorry for my terrible english...



Re: [lxc-users] Running unprotected system container

2020-06-15 Thread Andrey Repin
Greetings, Koehler!

>  I am unclear how this answers my current questions.  System containers are
> marketed as being very close to a faster VM, as such, since I do have
> control over the OS I am trying to run on top, I would need more details as
> to why and which areas would cause the  technical issues to achieve such
> thing.

System container != kernel virtualization.

> The fact that the System container shares the kernel here is totally
> what I am looking for, there is also no other application running on the
> host except that container and snapd itself which should not be a problem 
> as it removes any race where one app may changes kernel-related
> configuration from under the OS within the container.

They aren't "sharing the kernel", they are a layer on top of it.

>  I do understand that this is unconventional and doesn't appear to fall
> under the supported scenarios.  Yet, so far the issue I am facing does not
> appear related to my final goal.

It's not "unconventional", it's not intended, and it's contradictory.

> Can't execute any command within container -> permission denied (files are
> all uid/gid 0) this is a busybox type of OS on same CPU architecture (both
> armhf where host is arm64, yet metadata provided indicate that container
> should be armhf)
> Still seeing issue trying to write /proc and even though I say mount rw I get
> read-only errors
> Fail to load the kernel module even though I have clear the cap.drop as to
> keep cap_sys_modules.

See above. If you want kernel virtualization, use a VM.
QEMU/KVM is there for you.


-- 
With best regards,
Andrey Repin
Tuesday, June 16, 2020 2:07:03

Sorry for my terrible english...



Re: [lxc-users] Running unprotected system container

2020-06-15 Thread Andrey Repin
Greetings, Saint Michael!

> I need to load kernel modules, etc. It has to be on equal footing with the 
> host
> ..

See my other reply to the thread. "I need to load kernel modules" is a direct
contradiction of the kernel-agnostic premise of containers.


-- 
With best regards,
Andrey Repin
Monday, June 15, 2020 17:50:09

Sorry for my terrible english...



Re: [lxc-users] Running unprotected system container

2020-06-15 Thread Andrey Repin
Greetings, Koehler!

> As indicated, the code that will run inside that container is our previous
> OS and if it does bad things, well, that means it was doing so previously so
> not a "bigger" issue than it was before.  Since if that works, we will move
> more towards snap we will then  have a better security system (AppArmor,
> SecComp, better app separation, etc) in place to remove trust for each app
> and get rid eventually of that container which purpose as indicated is to
> ease the transition and get some of the features we want from Ubuntu  Core
> in an early release, if we do get this to work.

If your intent is to run specifically an **operating system**, then there's no
way around a virtual machine.

Containers are NOT the right choice for your task.


-- 
With best regards,
Andrey Repin
Monday, June 15, 2020 17:47:30

Sorry for my terrible english...



Re: [lxc-users] LXD - Production Hardware Guide

2020-06-05 Thread Andrey Repin
Greetings, Steven Spencer!

> Is there a good link to use for specifying hardware requirements for an LXD 
> dedicated server?

There can't be specific requirements, it all depends on what you want to do,
how many containers to run, etc.


-- 
With best regards,
Andrey Repin
Friday, June 5, 2020 22:05:54

Sorry for my terrible english...



Re: [lxc-users] Cannot remove a volume that has snapshots

2020-05-09 Thread Andrey Repin
Greetings, Kees Bakker!

> Ah, I found out what is causing this. I was unfortunate to choose
> my containers name such that LXD thinks one is a snapshot of the
> other.

> Simple test

> root@rapper:~# lxc init images:ubuntu/bionic/amd64 -p pool2 test04-second
> Creating test04-second
> root@rapper:~# lxc init images:ubuntu/bionic/amd64 -p pool2 test04
> Creating test04
> root@rapper:~# lxc delete test04
> Error: Error deleting storage volume: Cannot remove a volume that has 
> snapshots

> Also renaming (moving) doesn't work for this one.

> root@rapper:~# lxc move test04 test04-first
> Error: Rename instance: Failed to run: lvrename
> /dev/rapper-vg2/containers_test04---second
> /dev/rapper-vg2/containers_test04--first---second: Existing logical volume
> "containers_test04---second" not found in volume group "rapper-vg2"

> And what interesting is that you can only use a hyphen as a separator, not
> an underscore.

> root@rapper:~# lxc init images:ubuntu/bionic/amd64 -p pool2 test04_first
> Creating test04_first
> Error: Failed instance creation: Invalid instance name: Name can only
> contain alphanumeric and hyphen characters

> Now I have to find a trick to mislead LXD so that the containers
> can be deleted.

Try renaming "test04-second" first.


-- 
With best regards,
Andrey Repin
Sunday, May 10, 2020 0:52:50

Sorry for my terrible english...



Re: [lxc-users] Networking

2020-03-25 Thread Andrey Repin
Greetings, Saint Michael!

> It is a common practice to trust the DHCP server to keep track of free IPs
> in a large network, like /21, and once the DHCP assigns an IP address, we
> adopt it as static and flag it a such in the router. 
> Otherwise, you need to scan the whole network every time.

Why scan? You just say that "this IP block is assigned statically" and call it
a day.


-- 
With best regards,
Andrey Repin
Wednesday, March 25, 2020 23:50:46

Sorry for my terrible english...


Re: [lxc-users] Networking

2020-03-25 Thread Andrey Repin
Greetings, Saint Michael!

> I use L2. Can somebody clarify what advantage/disadvantage is there for 
> L2,L3,L3S?
> I need also to be able to use DHCP inside the container. In a first boot I
> get an IP from DHCP, and set the interface down and turn that IP into static.

This seems to be overengineered.
Why do you need DHCP, if you are going to use static IP anyway?
Can't you do it differently?


-- 
With best regards,
Andrey Repin
Wednesday, March 25, 2020 22:09:45

Sorry for my terrible english...



Re: [lxc-users] Updating to LXC 3.2.1 fails

2020-03-20 Thread Andrey Repin
Greetings, Saint Michael!

> I am using Ubuntu 18.04. In order to update to lxc 3.2.1 (since I need
> ipvlan), I downloaded the tarball and compiled, installed, etc.

How about not doing that?

https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/lxc-git-master?field.series_filter=bionic

> Previously I "apt remove --purge" every package with the word lcx in the name.

> But now lxc-ls shows nothing. what am I missing?
> what is the right way to update lxc in Ubuntu from the current version?

Just update from the right source.


-- 
With best regards,
Andrey Repin
Saturday, March 21, 2020 0:55:37

Sorry for my terrible english...


Re: [lxc-users] Inittab, consoles and unprivileged containers.

2020-03-06 Thread Andrey Repin
Greetings, Ben Green!

> I'm wondering if I could have my inittab set up better for my
> environment. I'm running LXC conataners, full root file systems, Debian.
> Running sysv and not systemd. I've found this the only way to properly
> get root on these machines:


>  lxcadmin@darkwing:~$ lxc-attach -n karoo
>  root@karoo:/# su -
>  mesg: ttyname failed: No such device
>  root@karoo:~#

~/.bash_aliases

  # If a screen session named "main" is running, print the prefix that opens
  # the command that follows in a new window of that session; print nothing
  # otherwise, so the command simply runs in the current terminal.
  inscreen(){
    if screen -S "main" -X select . 2> /dev/null 1>&2 ; then
      printf 'screen -S "main" -X screen '
      printf "'%s' " "$@" "--"
    fi
  }; readonly -f inscreen
  # xat CONTAINER [-u [USER]]: login shell inside CONTAINER (default dc1),
  # as root unless -u is given; -u without a name means the current $USER.
  xat(){
    if [ "$2" = "-u" ]; then
      _host="$1"
      shift 2
      if [ "$1" ]; then
        set -- "$_host" "$@"
      else
        set -- "$_host" "$USER"
      fi
    fi
    eval $(inscreen -t "LXC:$*") 'sudo lxc-attach -n "${1:-dc1}" -- su -l "${@:2}"'
  }; readonly -f xat

Then "xat container [ -u [user] ]" will run the user's login session. Defaults to
root, as you could imagine, or to your current $USER if you specify -u without a
name.

> The initial login lacks the full environment without the 'su -'m that is
> bash is running, but the standard login scripts have not been run and
> ENV is not fully populated.

That's normal and even preferred for automated scripts, but I can see it being
a problem for a human. Hence the aliases (functions) I made.

> The warning 'mesg: ttyname failed: No such device' show that the shell
> I'm in has no access to a tty, it's a 'mesg n' command being run from
> '/root/.profile'. I guess that's fine.

More or less, yes.

> I'm interested in:

> * Is there a way I can create an accessible console for these machines?

What for? Personally, I disable creation of any consoles in a container. Even
the "/dev/console" getty gets a shot in the head for being totally useless.

> * Is there a better way of using lxc-attach to get a full normal enviroment?

See above.

> * What should inittab read and would it facilitate this? (It's currently
> the Debian default).

No idea. What do you plan to achieve?
(Also I have no idea why you aren't running systemd.)

> As well as direct answers I'd love some resources to read around this if
> people have any recommendations.



-- 
With best regards,
Andrey Repin
Friday, March 6, 2020 22:56:26

Sorry for my terrible english...



Re: [lxc-users] Unprivileged networking option?

2020-03-04 Thread Andrey Repin
Greetings, Ede Wolf!

> So please let me rephrase my question: Is there any alternative to
> standard bridging for running unprivileged lxc containers?

Is there a use case for unprivileged LXC containers?
I fail to see one, and I've been using LXC for five or so years. If you are using
bare LXC, you are likely spawning new ones infrequently and each has its own
unique purpose. If that's not true, you're better off using
LXD/docker-swarm/etc.


-- 
With best regards,
Andrey Repin
Wednesday, March 4, 2020 23:35:10

Sorry for my terrible english...



Re: [lxc-users] how to forbid cross-network traffic?

2020-02-10 Thread Andrey Repin
Greetings, Tomasz Chmielewski!

> I have these two networks:

> # lxc network show br-staging
> config:
>ipv4.address: 10.100.0.1/24
>ipv4.dhcp.ranges: 10.100.0.50-10.100.0.254
>ipv4.firewall: "true"
>ipv4.nat: "true"
> description: staging network
> name: br-staging
> type: bridge

> # lxc network show br-testing
> config:
>ipv4.address: 10.200.0.1/24
>ipv4.dhcp.ranges: 10.200.0.50-10.200.0.254
>ipv4.firewall: "true"
>ipv4.nat: "true"
> description: testing network
> name: br-testing
> type: bridge


> Containers in these two networks have IP address assigned from DHCP and 
> can connect out to the world - this is what I want.

> Unfortunately, containers from one network (staging) can also connect to 
> containers from the other network (testing) - which is not what I want.

So, fix it? iptables to your rescue. (I.e.: this is not an LXD problem.)

> Is there any mechanism in LXD to prevent it? Or do I have to add my own, 
> custom iptables rules?

You have enabled packet forwarding on the host, but not specified any
restrictions. Indeed, everything is forwarded where possible.


-- 
With best regards,
Andrey Repin
Monday, February 10, 2020 23:31:02

Sorry for my terrible english...
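The iptables rules the reply points at, as an added example that is not part of the original thread: a small script that generates FORWARD-chain rules keeping br-staging and br-testing (the two bridge names from the question) from reaching each other. The LOG prefix, the rate limit, the REJECT target and the dry-run/apply split are my own choices; the only fact taken from LXD is that with ipv4.firewall set to "true" it adds its own ACCEPT rules for each bridge, which is why the rules are inserted at the head of the chain.

```shell
#!/bin/sh
# Added example, not from the original thread: FORWARD-chain rules that keep
# two LXD bridges from reaching each other. Bridge names come from the
# question; LOG prefix, rate limit and REJECT target are assumptions here.

# Print the iptables commands for one bridge pair, both directions, without
# applying anything. Usage: isolation_rules BRIDGE_A BRIDGE_B
isolation_rules() {
    a="$1"; b="$2"
    for pair in "$a $b" "$b $a"; do
        set -- $pair
        # Both rules are inserted at position 1, so the LOG rule printed
        # second ends up first: attempts are logged (rate-limited, so a burst
        # of attempts cannot fill the kernel log), then rejected with an ICMP
        # error so the client fails fast instead of waiting for a timeout.
        printf 'iptables -I FORWARD 1 -i %s -o %s -j REJECT --reject-with icmp-admin-prohibited\n' "$1" "$2"
        printf 'iptables -I FORWARD 1 -i %s -o %s -m limit --limit 5/min -j LOG --log-prefix "LXD-XNET "\n' "$1" "$2"
    done
}

# Apply the generated rules; refuses to run unprivileged.
# Usage: apply_isolation BRIDGE_A BRIDGE_B
apply_isolation() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_isolation: run as root" >&2; return 1; }
    isolation_rules "$1" "$2" | sh -e
}

# Stand-alone: print the rules for the two bridges from the thread.
isolation_rules "${1:-br-staging}" "${2:-br-testing}"
```

After applying, check with `iptables -L FORWARD -nv --line-numbers` that the LOG and REJECT lines sit above the LXD-generated ACCEPT rules, and save them with your distribution's persistence mechanism, since nothing here survives a reboot. This only covers routed traffic between the two bridges; containers on the same bridge still reach each other at layer 2.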



Re: [lxc-users] LXD static IP in container

2020-02-08 Thread Andrey Repin
Greetings, Michael Eager!

> Thanks.  I had tried this, but it didn't appear to work.  I just tried
> it again and got it to work.

> I assume that I can move the eth0 definition back to the profile,
> without the ipv4.address specification.

I don't know about LXD specifics, but for bare LXC, there was a difference
in lxc.net.X.flags = up/down
If you configure container network to be "up", LXC will try to configure
network from the outside. If you set the interface to be "down", it will leave
configuration to the container.


-- 
With best regards,
Andrey Repin
Saturday, February 8, 2020 16:56:47

Sorry for my terrible english...



Re: [lxc-users] Converting network from LXC to LXD

2019-12-21 Thread Andrey Repin
Greetings, John Lane!

> Looking at nictype=bridged, I can set up DHCP addresses, thanks, but am
> having difficulty with static configuration.

> Looking at that document there seems to be no equivalent of the
> following lxc configuration:

> lxc.net.0.ipv4.address = 192.168.21.2/24
> lxc.net.0.ipv4.gateway = 192.168.21.1

> The "ipv4.address" entry documented as "An IPv4 address to assign to the
> container through DHCP" and not as a CIDR address as per lxc.

Because the netmask is taken from the bridge configuration. (Presumably.)

> I can't do this:

You don't need to.

> Also there appears to be no setting for gateway:

Gateway is served via DHCP from the bridge.

> $ lxc config device set mycontainer eth0 ipv4.gateway 192.168.21.1
> Error: Invalid devices: Invalid device option: ipv4.gateway

> I can manually add them afterwards, i.e.

> $ lxc exec mycontainer ip address add 192.168.21.2/24 dev eth0
> $ lxc exec mycontainer ip route add default via 192.168.21.1 dev eth0

> What am I missing? Can I assign static addresses with LXD configuration?

You're missing the purpose.
LXD is not supposed to be so tightly controlled on a per-container basis.
LXD containers are supposed to be deployed en masse, with minimal individual
configuration.


-- 
With best regards,
Andrey Repin
Saturday, December 21, 2019 20:52:32

Sorry for my terrible english...



Re: [lxc-users] Help with LXC Exec

2019-12-21 Thread Andrey Repin
Greetings, Bryan Christ!

> I'm trying to use an ansible plugin that controls LXC containers and it's
> ultimately failing because "lxc exec" fails.  This was a Ubuntu 16.04 system
> that was upgraded to 18.04 if that matters.  The problem looks like this:


> root@ironkite:/usr/bin# /usr/bin/lxc exec centos6-64-consolecraze 
> --mode=non-interactive -- hostname
> Error: not found

"lxc" is part of LXD, the LXC orchestration system built on top of LXC itself.

> As an observation, if I use lxc-attach to run commands it works just fine.

On the contrary, "lxc-attach" is part of LXC itself.


-- 
With best regards,
Andrey Repin
Saturday, December 21, 2019 17:54:31

Sorry for my terrible english...


Re: [lxc-users] sysctl.conf and security/limits.conf tuning for running containers

2019-09-14 Thread Andrey Repin
>  irmed by sshing to each container in turn and looking
>  in "ps" output for /init that two containers had no /init running, but
>  they both seem to be generally working).

Were they created from custom images?
What do they report as pid 1?

>  The total number of processes I run is, according to "ps", nearly
>  always less than 1000.  (Usually "ps -adelfww").

>  I almost wonder if that was a transitory problem in Ubuntu 18.04 which
>  gets fixed in the containers as the appropriate dist-upgrade gets done.


>  === Using USB disk on container-heavy host used to exceed some queue limit 
> ===
>  One of these changes, probably either net.core.netdev_max_backlog or
>  fs.inotify.max_queued_events, seems to have had the pleasant side effect
>  of allowing me to write backups to a USB drive without getting flakiness
>  in my user interface, also removing diagnostics which used to occur in
>  that situation about some queue limit being raised because of observed
>  lost events.

More likely the fs.inotify.max_queued_events.

>  === My previous pty tweaking now raises a distinct question ===
>  Another distinct problem caused me to raise
>  /proc/sys/kernel/pty/max
>  Given the apparent value /proc/sys/kernel/pty/reserve:1024
>  does one need to set kernel/pty/max to (N*1024 plus the total number of
>  ptys you expect to allocate) where N is the number of containers
>  you expect to run concurrently?
>  /proc/sys/kernel/pty/nr
>  never seems particularly high now.
>  (/proc/sys/kernel/pty/max being another one of the apparent few
>  system parameters for which you can monitor the current usage).

Now, this is interesting.
I was routinely killing 3 default login sessions started inside a container by
default. For no apparent reason. Seems like I wasn't far off doing that.

>  === Trivial observation re: sysctl which helped me when I noted it ===
>  "sysctl kernel.pty.max" <=> "cat /proc/sys/kernel/pty/max" sort of.
>  I.e. "sysctl A.B.C.D" <=> "cat /proc/sys/A/B/C/D"

Yep. sysctl is a sort of wrapper; you can achieve similar results to sysctl/-w
with a simple cat/echo to the respective "files" in /proc.


-- 
With best regards,
Andrey Repin
Saturday, September 14, 2019 8:55:58

Sorry for my terrible english...



Re: [lxc-users] Facing issues in LXC installation

2019-07-25 Thread Andrey Repin
Greetings, Kamat!

> We have a requirement to install the lxc through source code. I am using
> the LXC-git-stable-3.0 for development purpose. I am following the steps
> given in the readme for installation. 
>  
> But facing the issues related to some libraries. Please find the attached
> snapshots for the Installation errors.

It would be far easier to help you if you provided textual information as
text, not as an image gallery.


-- 
With best regards,
Andrey Repin
Thursday, July 25, 2019 21:59:55

Sorry for my terrible english...



Re: [lxc-users] LXC and Docker together?

2019-06-05 Thread Andrey Repin
Greetings, Anton Chernousov!

> About one year ago i'm tried to use Docker in LXD container with no 
> results. Now i'm try to start it again and took this error:

> root@docker:~# docker run hello-world
> Unable to find image 'hello-world:latest' locally
> latest: Pulling from library/hello-world
> 1b930d010525: Pull complete
> Digest: 
> sha256:0e11c388b664df8a27a901dce21eb89f11d8292f7fca1b3e3c4321bf7897bffe
> Status: Downloaded newer image for hello-world:latest
> docker: Error response from daemon: OCI runtime create failed: 
> container_linux.go:345: starting container process caused 
> "process_linux.go:424: container init caused \"rootfs_linux.go:58: 
> mounting \\\"proc\\\" to rootfs 
> \\\"/var/lib/docker/vfs/dir/6a8fe2649ebdd956657fc113a0e71ddb56ccfb145410dedd35ba8589bd0e1ffb\\\"
> at \\\"/proc\\\" caused \\\"permission denied\\\"\"": unknown.
> ERRO[0005] error waiting for container: context canceled

> As i can see it not working for now :(

Did you set the driver to "lxc"?


-- 
With best regards,
Andrey Repin
Wednesday, June 5, 2019 9:33:14

Sorry for my terrible english...



Re: [lxc-users] LXC-3.1 - console disfunctional

2019-05-30 Thread Andrey Repin
Greetings, web...@manfbraun.de!

> Hello!

> I am just trying debian buster and
> found LCX -3.1 and gave it a try.
> After making the networking configuration,
> I started the container and tried to login
> via console

>>lxc-console [-n] rxdptest1

~/.bash_aliases

  # xat CONTAINER [-u [USER]]: login shell inside CONTAINER (default dc1),
  # as root unless -u is given; -u without a name means the current $USER.
  # inscreen() is a helper from the same file that prefixes the command with
  # "screen -S main -X screen ..." when a screen session named "main" exists.
  xat(){
    if [ "$2" = "-u" ]; then
      _host="$1"
      shift 2
      if [ "$1" ]; then
        set -- "$_host" "$@"
      else
        set -- "$_host" "$USER"
      fi
    fi
    eval $(inscreen -t "LXC:$*") 'sudo lxc-attach -n "${1:-dc1}" -- su -l "${@:2}"'
  }; readonly -f xat

> A hello message appears, but that's all!
> No logon prompt at all, even not pressing enter several times.

I see no reason to even have lxc-console in the first place.


-- 
With best regards,
Andrey Repin
Friday, May 31, 2019 1:17:42

Sorry for my terrible english...



Re: [lxc-users] LXC and Docker together?

2019-05-25 Thread Andrey Repin
Greetings, Richard Hector!

> I installed a new KVM with LXC in it, and added Docker ... it seems that
> Docker's default iptables rules do interfere with the way I set up
> bridges for LXC, but with a bit more head scratching, I think I'll be
> able to make it work :-)

Since I normally use a macvlan bridge for LXC, it's hard to have an iptables
configuration that would break LXC for me :)
Not to mention my everyday alias of

  # xat CONTAINER [-u [USER]]: login shell inside CONTAINER (default dc1),
  # as root unless -u is given; -u without a name means the current $USER.
  # inscreen() is a helper from the same ~/.bash_aliases that prefixes the
  # command with "screen -S main -X screen ..." when a "main" session exists.
  xat(){
    if [ "$2" = "-u" ]; then
      _host="$1"
      shift 2
      if [ "$1" ]; then
        set -- "$_host" "$@"
      else
        set -- "$_host" "$USER"
      fi
    fi
    eval $(inscreen -t "LXC:$*") 'sudo lxc-attach -n "${1:-dc1}" -- su -l "${@:2}"'
  }; readonly -f xat

which does not involve networking at all to be able to reach into containers.


-- 
With best regards,
Andrey Repin
Saturday, May 25, 2019 21:51:30

Sorry for my terrible english...



Re: [lxc-users] not allowed to change kernel parameters inside container

2019-05-25 Thread Andrey Repin
Greetings, Saint Michael!

> Thanks to all. I am sorry I touched a heated point. For me using
> hard-virtualization for Linux apps is dementia. It should be kept only for
> Windows VMs.
> For me, the single point of using LXC is to be able to redeploy a complex
> app from host to host in a few minutes. I use one-host->one-Container. So
> what is the issue of giving all power to the containers?

Read the first reply to your first message.
The answer did not change, even after your repeated questioning.
And it will not change, no matter how many times you rephrase it.

The applications in a container do not need direct access to the hardware, thus
do not need access to the related kernel facilities.

If an application requires direct access to the hardware, it needs a different
kind of isolation. Perhaps even virtualization.


-- 
With best regards,
Andrey Repin
Saturday, May 25, 2019 21:48:18

Sorry for my terrible english...



Re: [lxc-users] not allowed to change kernel parameters inside container

2019-05-24 Thread Andrey Repin
Greetings, Saint Michael!

> It means that the container has, or it must have all the power and rights.

No.
A container should have only enough rights to run the application.

> It seems to be impossible to achieve that.

It is not needed.


-- 
With best regards,
Andrey Repin
Friday, May 24, 2019 10:24:07

Sorry for my terrible english...



Re: [lxc-users] LXC and Docker together?

2019-05-23 Thread Andrey Repin
Greetings, Richard Hector!

> I've been asked by my client to set up Docker on the host I'd set up for
> them with LXC (on Debian Stretch). This is because the applications that
> run in the containers (Atlassian suite, mostly) will in the future be
> managed by a different contractor, who is familiar with Docker. So
> eventually, I expect most or all of the LXC containers will be replaced
> with Docker ones.

> It appears that I can install Docker from the Docker repo, so that's ok.

> What I'm more worried about, is if they're both using the same
> underlying technology (are they?) whether they'll interact in bad and/or
> unexpected ways.

> Am I likely to be safe doing this? Anything to watch out for?

> And will I eventually be able to uninstall LXC without disrupting Docker?

They are not related per se. They use similar kernel functionality, but
there's no conflict between them, if that's what you want to know.
Furthermore, with a little tweak you can run Docker inside an LXC container.


-- 
With best regards,
Andrey Repin
Friday, May 24, 2019 1:27:10

Sorry for my terrible english...



Re: [lxc-users] not allowed to change kernel parameters inside container

2019-05-23 Thread Andrey Repin
Greetings, Saint Michael!

> In my model, the host is unimportant, the container has the app, and I have
> only one container per host. That way I can migrate the apps from server to
> server in a few minutes.

And?


-- 
With best regards,
Andrey Repin
Friday, May 24, 2019 1:26:43

Sorry for my terrible english...



Re: [lxc-users] not allowed to change kernel parameters inside container

2019-05-22 Thread Andrey Repin
Greetings, Saint Michael!

> I am trying to use sysctl -p inside an LXC container and it says 
> read only file system

Of course.

> how do I give my container all possible rights?

Don't do that.


-- 
With best regards,
Andrey Repin
Thursday, May 23, 2019 1:48:51

Sorry for my terrible english...


Re: [lxc-users] container on the same network than other devices

2019-03-31 Thread Andrey Repin
Greetings, Carmelo Ingrao!

> I'm new to this mailing list. I'm using LXD since a few months, but until
> now, my conainters were bridged in their own network.


> Now, I want the containers can obtain IP adresses on the same subnet than
> the LXD manager, and other devices in my home network.


> So : 


> Home router : 192.168.0.219
> Desktop computer : 192.168.0.100
> Domotic solution : 192.168.0.200
> LXD "manager" : 192.168.0.232


> I want the containers with IP like 192.168.0.240-250, and be able to be seen 
> and see the orher devices.

You can use a macvlan bridge network on the LAN interface instead of the default
dedicated bridge.


-- 
With best regards,
Andrey Repin
Sunday, March 31, 2019 12:23:01

Sorry for my terrible english...


Re: [lxc-users] AppArmor syslog alert explanation, please?

2019-03-09 Thread Andrey Repin
Greetings, Christian Brauner!

> On Sat, Mar 09, 2019 at 10:16:40PM +0300, Andrey wrote:
>> Greetings, All.
>> 
>> Saturday, March 9, 2019, 22:11:32 you wrote:
>> 
>> AR> Greetings, All!
>> 
>> AR> Mar  9 22:09:01 ih152926 kernel: [2612590.101781] audit:
>> AR> type=1400 audit(1552158541.103:2286):
>> AR> apparmor="DENIED" operation="mount" info="failed flags match"
>> AR> error=-13 profile="lxc-container-default-cgns" name="/"
>> AR> pid=16203 comm="(ionclean)" flags="rw, rslave"

> Well this is some app

That "some app" is, without a surprise, systemd in a 16.04 Ubuntu container...

> trying to recursively remount your root directory
> as rw and rslave. Apart from that not working correctly because of how
> the kernel works this is also pretty dangerous if not run in a separate
> mount namespace. :)


-- 
With best regards,
Andrey Repin
Saturday, March 9, 2019 23:45:01

Sorry for my terrible english...



[lxc-users] AppArmor syslog alert explanation, please?

2019-03-09 Thread Andrey Repin
Greetings, All!

Mar  9 22:09:01 ih152926 kernel: [2612590.101781] audit:
type=1400 audit(1552158541.103:2286):
apparmor="DENIED" operation="mount" info="failed flags match"
error=-13 profile="lxc-container-default-cgns" name="/"
pid=16203 comm="(ionclean)" flags="rw, rslave"

This message appears on the host somewhat frequently.
Any way to know which container does it and what it is actually trying to do?


-- 
With best regards,
Andrey Repin
Saturday, March 9, 2019 22:10:01

Sorry for my terrible english...

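Neither the question above nor the reply to it says how to tie such a denial back to a container. As an added example that is not from the thread, this parses the quoted audit line (SAMPLE, rejoined onto one line) and resolves the host pid through /proc/<pid>/cgroup; the cgroup path forms in CGROUP_RE are my assumptions about how LXC names container cgroups, so check them against your own host.

```python
"""Parse an AppArmor DENIED audit line and map it back to a container.

Added example, not from the thread. SAMPLE is the line quoted in the
post, rejoined onto one line; the cgroup path forms are assumptions
about how LXC names container cgroups (see CGROUP_RE).
"""
import re
from pathlib import Path
from typing import Dict, Optional

SAMPLE = (
    "Mar  9 22:09:01 ih152926 kernel: [2612590.101781] audit: "
    "type=1400 audit(1552158541.103:2286): apparmor=\"DENIED\" "
    "operation=\"mount\" info=\"failed flags match\" error=-13 "
    "profile=\"lxc-container-default-cgns\" name=\"/\" pid=16203 "
    "comm=\"(ionclean)\" flags=\"rw, rslave\""
)

# key=value pairs; a quoted value may contain spaces and commas
# (flags="rw, rslave"), so it has to be matched as one unit.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# LXC keeps a container's processes in a cgroup named after it:
# /lxc/<name> (LXC 2.x/3.0), /lxc.payload/<name> (3.1+) or
# /lxc.payload.<name> and /lxc.monitor.<name> (4.x). Assumption for
# illustration; compare with `cat /proc/<pid>/cgroup` on your host.
CGROUP_RE = re.compile(r"/lxc(?:\.payload|\.monitor)?[./]([^/\s]+)")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an audit type=1400 line into its key=value fields."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_container_mount_denial(fields: Dict[str, str]) -> bool:
    """True for mount denials raised under one of the lxc-container-* profiles."""
    return (
        fields.get("apparmor") == "DENIED"
        and fields.get("operation") == "mount"
        and fields.get("profile", "").startswith("lxc-container-")
    )


def container_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Extract the container name from the contents of /proc/<pid>/cgroup."""
    m = CGROUP_RE.search(cgroup_text)
    return m.group(1) if m else None


def container_for_pid(pid: int) -> Optional[str]:
    """Resolve the pid from the audit line while the process still exists.

    The pid is a host pid, so this must run on the host. A comm such as
    "(ionclean)" is a systemd worker that has forked but not yet exec'd,
    so it is short-lived and may already be gone: None means "too late",
    not "not a container".
    """
    try:
        return container_from_cgroup(Path(f"/proc/{pid}/cgroup").read_text())
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None


if __name__ == "__main__":
    f = parse_audit_line(SAMPLE)
    print(f["profile"], f["comm"], f["flags"], is_container_mount_denial(f))
    print(container_for_pid(int(f["pid"])))
```

Running it on a live host only works while the offending process exists, so it is best wired to a log follower rather than run after the fact.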


Re: [lxc-users] How to have /var, /tmp etc. on separate zfs filesystems in containers?

2019-03-04 Thread Andrey Repin
Greetings, Korn András!

> I'd like to have separate zfs datasets for /var, /tmp and some other
> mountpoints inside my guests.

> What's a good way of achieving this?

> As far as I could determine from looking at the source, the zfs storage
> backend doesn't support anything like it, and lxc-create doesn't run any
> hooks.

> Should I instead write a wrapper around lxc-create that creates and mounts
> my zfs datasets just so, and calls lxc-create with the 'dir' storage
> backend?

> Or is there a better way?

If I may hazard a guess, there are two ways to achieve this:

1. Rebind the directories individually.
  Use lxc.mount.* commands in the config, or specify a lxc.mount.fstab file with
  your bindings.

2. Use overlayfs to merge two trees.

The end result will be different in each case, see what's best for your actual
needs.

> (Of course I can create the guest first, then move the files around
> afterwards, but I'd like to avoid this if possible.)


-- 
With best regards,
Andrey Repin
Monday, March 4, 2019 21:23:08

Sorry for my terrible english...


Re: [lxc-users] future of lxc/lxd? snap?

2019-02-23 Thread Andrey Repin
Greetings, Richard Hector!

> Yep, sure. But LXD is currently the most common way to manage LXC,
> right?

Right? Right?! Riiight???!!

Sorry, but your insistence is not going to change the facts.

> At least, when I ask LXC questions on here, people seem to be
> surprised that I'm not using LXD.

I'm not using LXD. It's just not suitable for my use cases.

> So with LXD transitioning to snap in Ubuntu, is it expected that LXD
> will only be used for snap packages?

> And if I want to continue using LXC without snap, I won't get the
> advantages of managing it with LXD?

I'd like to know the answer as well.
Snaps may be useful for distributors, but they're a maintenance headache for end
users.
Not to mention the growing disk space usage from snap packages.


-- 
With best regards,
Andrey Repin
Saturday, February 23, 2019 21:16:07

Sorry for my terrible english...



Re: [lxc-users] future of lxc/lxd? snap?

2019-02-23 Thread Andrey Repin
Greetings, Richard Hector!

> Hi all,

> I see that lxd in ubuntu cosmic and disco is a transitional package for
> snap - I see that lxd can be used for snap packages, but they're not the
> same thing, right?

> And Debian buster (even sid) still doesn't have lxd at all.

> Is lxd not the future of lxc after all?

> At least in debian-based distros? Or is it expected (by ubuntu) that we only
> use lxc for snap packages?

LXC is containers, LXD is an orchestration tool.
You can't say that a flashlight is the future of the lightbulb.
They are simply not the same, nor a replacement for each other.

> I'm currently using lxc on debian, but wondering what happens next ...

> This all seems odd since the linuxcontainers site says the project is
> sponsored by Canonical ...


-- 
With best regards,
Andrey Repin
Saturday, February 23, 2019 18:56:07

Sorry for my terrible english...



Re: [lxc-users] Static container IP with unmanaged bridge network

2019-02-10 Thread Andrey Repin
Greetings, Daniele Riccucci!

> Hello Andrey,
> thank you for the clarifications.
> I tried with a few of the available images (ubuntu, alpine, centOS) but 
> they all seemed to have some way to default to DHCP and cloud-init 
> user-data (where available) doesn't seem to allow user-data to disable 
> networking config; the setting in the profile:

> devices:
>   eth0:
>     ipv4.address: 10.0.0.30/24
>     name: eth0
>     nictype: bridged
>     parent: br0
>     type: nic

> didn't seem to matter at all, hence the feasibility question.

I'm not using LXD, only plain LXC, so I can't say for certain if your
configuration is sufficient.

> Intuitively the easiest option would be to edit the network config file 
> *inside* the container or hardcode the mac address of the interface and 
> put a static mapping on it from the router side.

That's not the easiest option, and yes, many images default to DHCP.
You'll have to turn that off, or set up DHCP to roll IP addresses.
I'm using both approaches, depending on the situation and intended container
usage.


-- 
With best regards,
Andrey Repin
Monday, February 11, 2019 8:59:12

Sorry for my terrible english...



Re: [lxc-users] Static container IP with unmanaged bridge network

2019-02-10 Thread Andrey Repin
Greetings, Daniele Riccucci!

> I'm having a bit of a hard time figuring out from the documentation if
> adding ipv4.address to devices > eth0 in the profile would work

TIAS?
It would only take a few moments to find out.

> and if this requires a simple IP or a CIDR.

CIDR, as it sets both IP and netmask.

> Is this setup possible since the bridge device isn't managed by LXD?

Not related. Container configuration sets container parameters, not the bridge's
or whatnot.

P.S.
Remove the internal container configuration of the network interface if you don't
want surprises.


-- 
With best regards,
Andrey Repin
Sunday, February 10, 2019 23:31:10

Sorry for my terrible english...



Re: [lxc-users] configuring ipv6 from container config file

2019-02-09 Thread Andrey Repin
Greetings, Richard Hector!

> Here's a section of a sample config that doesn't work:

> lxc.network.type = veth
> lxc.network.flags = up

As a side note, if you configure the container using its own network manager, use
lxc.net.0.flags = down

Otherwise you run the chance of having your interfaces configured twice.

> lxc.network.link = br0
> lxc.network.ipv4 = 192.168.122.112/24
> lxc.network.ipv4.gateway = 192.168.122.1
> lxc.network.ipv6 = fd75:5198:8dc2:7905::70/64
> lxc.network.ipv6.gateway = fd75:5198:8dc2:7905::1

> As I say, IPv4 is working, and has been for ages. IPv6 is newly added,
> and doesn't.

> 192.168.122.1 and fd75:5198:8dc2:7905::1 are both configured on the br0
> in the host.


-- 
With best regards,
Andrey Repin
Saturday, February 9, 2019 16:40:03

Sorry for my terrible english...



Re: [lxc-users] Failed to load config for XYZ

2019-01-27 Thread Andrey Repin
Greetings, Bryan Christ!

> Andrey,


> Thanks for the reply.  Is there a resource, document, guide that can show
> me what the old items were and what the new analogs are? 

man 5 lxc.container.conf.

Just watch the lines it barks about and find the equivalent lines in the manual to
change to.

> Most of my config files are from the templates so I added very little.  I
> tried starting a container manually to see what line(s) were causing
> problems but it looked like there were quite a few.

A few in total, maybe.
But overall, very few changes need to be made, and in many cases a simple sed
could help.

P.S.
Please reply to your own sent messages at least, if you are subscribed to the
list in digest mode. Nobody likes thread breaking. It makes finding follow-up
mails very hard.


-- 
With best regards,
Andrey Repin
Sunday, January 27, 2019 22:21:20

Sorry for my terrible english...


Re: [lxc-users] Failed to load config for XYZ

2019-01-26 Thread Andrey Repin
Greetings, Bryan Christ!

> I don't reboot my server often and I guess somewhere along the way I got
> upgraded on Bionic from LXC 2 to LXC 3.  Now, none of my containers start. 
> I get the following message when I lxc-ls --fancy

> Failed to load config for centos6-phpmyadmin
> Failed to load config for centos6-redis
> Failed to load config for centos6-web
> Failed to load config for centos7-base-db
> Failed to load config for centos7-base-php7
> Failed to load config for centos7-base-wp
> Failed to load config for trusty-64-owncloud
> Failed to load config for trusty64-mediawiki

> I need to fix this quickly and I also need to make sure it's not going to
> happen on my other Bionic servers.  What do I do?

Check the config syntax. Multiple keys got a facelift for better structured
naming conventions.
E.g. network configuration is now explicitly indexed.


-- 
With best regards,
Andrey Repin
Sunday, January 27, 2019 0:14:33

Sorry for my terrible english...


Re: [lxc-users] LXD: modify IP of snapshot before starting

2018-12-07 Thread Andrey Repin
Greetings, Steven Spencer!

> My Google search turned up empty, so I'm turning to the list to see if this
> is possible:

> * In LXD I make a copy of a container, but want to create a new container
> from it
> * The container has a static assigned IP address, so if I bring up the new
> container with the other one running, I'm going to end up with an IP conflict
> * What I'd like to be able to do is to change the IP of the snapshot before
> creating a container out of it.

> Is that possible, or am I missing another method?  I've already done this
> step before, which works, but isn't the best if you want to keep systems up.

That's because you're doing it wrong.
You should have a template container which is "never" online; from it you could
create copies, edit them and start them as you please.

> * Stop the original container
> * create the new container with the snapshot
> * modify the IP of the new container
> * start the original container 


> If it isn't possible, I'll continue on as I've been doing.


-- 
With best regards,
Andrey Repin
Friday, December 7, 2018 20:32:59

Sorry for my terrible english...


Re: [lxc-users] Help with debci/lxc for local autopkgtest testing

2018-11-15 Thread Andrey Repin
Greetings, Ross Gammon!

> Hi,

> I am new to the list, as I am having problems that are probably caused by
> some old lxc containers that I can't seem to get rid of.

> I would like to use the pkg-ruby/meta scripts to run the autopkgtests in
> my Debian packages locally, on my Ubuntu bionic machine. But I seem to
> have got myself in a mess with previous attempts to set up debci.

> The setup script is here:

> https://salsa.debian.org/ruby-team/meta/blob/master/setup

> It sets up some lxc parameters, and then runs: $ sudo auto-apt-proxy
> debci setup

> I get:

> Starting testbed setup: Thu Nov 15 17:10:18 CET 2018
> Error creating container autopkgtest-sid-amd64
> Failed to load config for adt-sid-amd64
> Failed to load config for autopkgtest-lxc-jnxotl
> Failed to load config for autopkgtest-lxc-pclpbt
> Failed to load config for autopkgtest-lxc-qhzbek
> Failed to load config for autopkgtest-sid
> Failed to load config for adt-sid-amd64
> Failed to load config for autopkgtest-lxc-jnxotl
> Failed to load config for autopkgtest-lxc-pclpbt
> Failed to load config for autopkgtest-lxc-qhzbek
> Failed to load config for autopkgtest-sid

> The problem has been there for a while, but I thought I would try and
> track down the issue today. Today, I followed the documentation
> https://linuxcontainers.org/lxc/getting-started/ and everything is
> working fine for general lxc usage.

> But none of the lxc commands can find the above containers or
> delete/destroy them though. I can see the named containers with:

> $ sudo ls /var/lib/lxc/
> adt-sid-amd64        autopkgtest-lxc-pclpbt    autopkgtest-sid
> autopkgtest-lxc-jnxotl    autopkgtest-lxc-qhzbek

> How can I delete them? Alternatively, does anyone know another way to
> create a suitable container called autopkgtest-sid-amd64 in Ubuntu?

First, make a distinction between LXC and LXD.
LXC provides containers per se, and a minimal interface to manage them in the
form of separate "lxc-something" tools.
LXD provides a much better management and clustering interface in the form
of a single "lxc" tool.

Now, I think your issue is that your containers are using the old config syntax.
You can either rm -rf them and try again, or manually edit each config to
match the relevant configuration options to the new keys.


-- 
With best regards,
Andrey Repin
Thursday, November 15, 2018 23:43:12

Sorry for my terrible english...


Re: [lxc-users] Does cpu cgroup has been enabled in lxc/lxd

2018-11-01 Thread Andrey Repin
Greetings, kemi!

> Yes. Using unprivileged container is a workaround, not very good though.

You're confusing containerization with virtualization.
A container is not supposed to have direct access to devices on the host.
It provides a ready system for **userspace** applications to run.
That said, what kind of hundreds of containers does your customer want to run
that require access to host hardware?


-- 
With best regards,
Andrey Repin
Thursday, November 1, 2018 19:18:15

Sorry for my terrible english...


Re: [lxc-users] lxd under stretch

2018-09-25 Thread Andrey Repin
Greetings, Pierre Couderc!

>> I'd recommend you try lxd snap first instead of building yourself.
>>
>> https://packages.debian.org/snapd
>> https://snapcraft.io/lxd

> Mmm, I am not ready to use a system which updates my system
> automatically without asking me.

It doesn't. It just installs a parallel system, effectively multiplying the
space used by your installation by the number of snap packages installed and
hiding programs under weird paths.


-- 
With best regards,
Andrey Repin
Tuesday, September 25, 2018 18:25:57

Sorry for my terrible english...


Re: [lxc-users] lxd under stretch

2018-09-24 Thread Andrey Repin
Greetings, Pierre Couderc!

> I still have "instabilities" when trying to build lxd under debian.

> And I am nearly sure it is because I have bad versions of liblxc1 liblxc-dev.

> How can I build them myself?

If you are asking such questions, you definitely should not build anything
yourself.


-- 
With best regards,
Andrey Repin
Monday, September 24, 2018 11:19:58

Sorry for my terrible english...

Re: [lxc-users] Error launching first container

2018-09-23 Thread Andrey Repin
Greetings, Pierre Couderc!

> lxd just installed by apt on a freshly installed bionic, and after lxd
> init:

> lxc launch ubuntu:16.04 my-ubuntu
> Creating my-ubuntu
> Error: Failed container creation: Get 
> https://cloud-images.ubuntu.com/releases/streams/v1/index.json: lookup 
> cloud-images.ubuntu.com on 127.0.0.53:53: server misbehaving

This means that systemd-resolved did not initialize properly yet.

> I have checked that the URL
> https://cloud-images.ubuntu.com/releases/streams/v1/index.json: fails
> (404) but not
> https://cloud-images.ubuntu.com/releases/streams/v1/index.json (without
> last :)

> How do I create my first container?

I would check that you don't have two name resolution daemons running at once.
All too often I've seen systemd-resolved and resolvconf running in parallel,
causing all sorts of trouble.
You have to select one of them and disable the other, if this is your case.


-- 
With best regards,
Andrey Repin
Sunday, September 23, 2018 22:28:22

Sorry for my terrible english...

Re: [lxc-users] Why I cannot remove this (emtpy) directory ?

2018-09-23 Thread Andrey Repin
Greetings, Pierre Couderc!

> root@server:~/ls# ls -lha 
> /var/lib/lxd/storage-pools/default/containers/ajeter/
> total 0
> drwx--x--x 1 root root  0 Sep 22 15:17 .
> drwxr-xr-x 1 root root 12 Sep 23 07:09 ..
> root@server:~/ls# rmdir 
> /var/lib/lxd/storage-pools/default/containers/ajeter/
> rmdir: failed to remove 
> '/var/lib/lxd/storage-pools/default/containers/ajeter/': Operation not 
> permitted

Usually this happens when you are trying to remove a mount point.

> root@server:~/ls#

> ....???


-- 
With best regards,
Andrey Repin
Sunday, September 23, 2018 12:42:58

Sorry for my terrible english...

Re: [lxc-users] lxc container network occasional problem with bridge network on bonding device

2018-09-17 Thread Andrey Repin
Greetings, toshinao!

> Hi.

> I experienced occasional network problem of containers running on ubuntu 
> server 18.04.1. Containers
> can communicate with host IP always and they can communicate sometimes to the 
> other hosts but they
> are disconnected occasionally. When the problem occurs, the ping from the 
> container to external hosts
> does not reach at all, but very rarely they recover after, for example, 
> several hours later.
> Disconnection happens much more easily. 

> The host network is organized by using netplan in the following topology.

>             +-eno1-< <--lan_cable--> >-+
> br0--bond0-+                           +-- Cisco 3650
>             +-eno2-< <--lan_cable--> >-+

> The bonding mode is balance-alb.

ALB
Adaptive Load Balancing

> I also found that if one of the LAN cables is physically disconnected,
> this problem has never happened.

How do you connect containers to the bridge?

> By using iptraf-ng, I watched the bridge device, the following br0, as well 
> as the slave devices.
> Even if containers send a ping to the external hosts, no ping packet is 
> detected, when they cannot
> communicate. Ping packets are detected by iptraf-ng on these devices when the 
> communication is working.

> I guess this can be a low-level problem of virtual networking. Are there any 
> suggestions to solve
> the problem ?

Can containers talk to each other when this happens?
Can the host talk to the world at that same time?

> Here's the detail of the setting.

> host's netplan setting

> network:
>   version: 2
>   renderer: networkd
>   ethernets:
>     eno1:
>       dhcp4: no
>     eno2:
>       dhcp4: no
>   bonds:
>     bond0:
>       interfaces: [eno1, eno2]
>       parameters:
>         mode: balanec-a1b

And netplan did not yell at you?

>   bridges:
>     br0:
>       interfaces:
>         - bond0
>       addresses: [10.1.2.3/24]
>       gateway4: 10.1.2.254
>       dhcp4: no

> host network interface status

> host# ip a s
> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eno1:  mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
>     link/ether 0b:25:b5:f2:e1:34 brd ff:ff:ff:ff:ff:ff
> 3: eno2:  mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
>     link/ether 0b:25:b5:f2:e1:35 brd ff:ff:ff:ff:ff:ff
> 4: br0:  mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether 0a:1a:6c:85:ff:ed brd ff:ff:ff:ff:ff:ff
>     inet 10.1.2.3/24 brd 10.1.2.255 scope global br0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::81a:6cff:fe85:ffed/64 scope link
>        valid_lft forever preferred_lft forever
> 5: bond0:  mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
>     link/ether 0a:54:4b:f2:d7:10 brd ff:ff:ff:ff:ff:ff
> 7: vethK4HOFU@if6:  mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
>     link/ether fe:ca:07:3e:2b:2d brd ff:ff:ff:ff:ff:ff link-netnsid 0
>     inet6 fe80::fcca:7ff:fe3e:2b2d/64 scope link
>        valid_lft forever preferred_lft forever
> 9: veth77HJ0V@if8:  mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
>     link/ether fe:85:f0:ef:78:b2 brd ff:ff:ff:ff:ff:ff link-netnsid 1
>     inet6 fe80::fc85:f0ff:feef:78b2/64 scope link
>        valid_lft forever preferred_lft forever

> container's network interface status

> root@bionic0:~# ip a s
> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 6: eth0@if7:  mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether 00:16:3e:cb:ef:ce brd ff:ff:ff:ff:ff:ff link-netnsid 0
>     inet 10.1.2.20/24 brd 10.1.2.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::216:3eff:fecb:efce/64 scope link
>        valid_lft forever preferred_lft forever


-- 
With best regards,
Andrey Repin
Monday, September 17, 2018 20:41:41

Sorry for my terrible english...


Re: [lxc-users] How to recover from ERROR state

2018-09-11 Thread Andrey Repin
Greetings, Kees Bakker!

> ii  lxc-common  2.0.8-0ubuntu1~16.04.2   amd64  Linux Containers userspace tools (common tools)
> ii  lxcfs       2.0.8-0ubuntu1~16.04.2   amd64  FUSE based filesystem for LXC
> ii  lxd         2.0.11-0ubuntu1~16.04.4  amd64  Container hypervisor based on LXC - daemon
> ii  lxd-client  2.0.11-0ubuntu1~16.04.4  amd64  Container hypervisor based on LXC - client

Upgrade from the PPA:
add-apt-repository ppa:ubuntu-lxc/stable

ii  lxc-common     2.1.1-0ubuntu1  amd64  Linux Containers userspace tools (common t
ii  lxc-templates  2.1.1-0ubuntu1  amd64  Linux Containers userspace tools (template
ii  lxc1           2.1.1-0ubuntu1  amd64  Linux Containers userspace tools
ii  lxcfs          2.0.8-1ubuntu2  amd64  FUSE based filesystem for LXC


-- 
With best regards,
Andrey Repin
Tuesday, September 11, 2018 22:52:22

Sorry for my terrible english...

Re: [lxc-users] How to provide device access to lxc unprivileged containers ?

2018-09-11 Thread Andrey Repin
Greetings, Yasoda Padala!

> Hi All,
> I have a usb attached to my ubuntu machine (16.04) and trying to access
> that device from unprivileged lxc container.
> By access I mean, enumerate and do I/O on that device.

What for? If it's a block device, just mount it into the container FS.

> I have written a small program using libusb library and using that libusb
> executable to enumerate,read/write usb device from container
> Please find attached  lxc config file and libusb executable.
> I have found plenty of examples in various forums but nothing worked for me.


> Tried the following:
> 1. Added the below entries in the lxc config file
> lxc.cgroup.devices.allow = b 8:* rwm
> lxc.mount.entry = /dev/bus/usb/001/ dev/bus/usb/001/ none bind,create=dir 0 0
> lxc.mount.entry = /dev/sdc /home/oxpd/.local/share/lxc/Test/rootfs/dev/sdc none bind,create=file 0 0
> lxc.mount.entry = /dev/sdc1 /home/oxpd/.local/share/lxc/Test/rootfs/dev/sdc1 none bind,create=file 0 0

> 2. Changed device owner to 10
> 3. Changed device permission to 777 on the host


> when I run the libusb executable on host, all the attached device are
> listed, but the same when I run inside the container it says 0 devices are 
> attached.
> Is there any other configuration I am missing. Please help.


-- 
With best regards,
Andrey Repin
Tuesday, September 11, 2018 12:04:14

Sorry for my terrible english...

Re: [lxc-users] lxc build failure

2018-08-11 Thread Andrey Repin
Greetings, Pierre Couderc!

> Thank you very much, Andrey !
>> What OS(distribution) you are using?
> Debian stretch

Then why the hell are you building anything?

> And I have used :
> https://github.com/AlbanVidal/make-deb-lxd/blob/master/00_install_required_packages.sh

Forget this shit exists.
Enable source repos.
Run
apt-get source 
apt-get build-dep 

>> Did you install sqlite3 developer package?
>>
>>
> In fact, I do not even understand why sqlite3 is required. I do not
> intend to install test tools.
> sqlite3 is not indicated here: https://github.com/lxc/lxd/

SQLite is used for LXD configuration storage, I recall.


-- 
With best regards,
Andrey Repin
Saturday, August 11, 2018 18:45:31

Sorry for my terrible english...


Re: [lxc-users] lxc build failure

2018-08-11 Thread Andrey Repin
Greetings, Pierre Couderc!

> Trying to build lxd from sources, I get a message about sqlite3 missing, 
> and an invite to "make deps".

> But it fails too with :


> No package 'sqlite3' found

What OS (distribution) are you using?
Did you install the sqlite3 developer package?

> Consider adjusting the PKG_CONFIG_PATH environment variable if you
> installed software in a non-standard prefix.

> Alternatively, you may set the environment variables sqlite_CFLAGS
> and sqlite_LIBS to avoid the need to call pkg-config.
> See the pkg-config man page for more details


> And the man pkg-config is not clear to me...

> Thanks for help.


-- 
With best regards,
Andrey Repin
Saturday, August 11, 2018 16:36:20

Sorry for my terrible english...

Re: [lxc-users] LXC container and Systemd

2018-08-08 Thread Andrey Repin
Greetings, Goran!

> # cat /proc/self/uid
> cat: /proc/self/uid: No such file or directory

> I do not log into the container but attach to it.

How do you attach?


-- 
With best regards,
Andrey Repin
Wednesday, August 8, 2018 14:28:13

Sorry for my terrible english...


Re: [lxc-users] LXD share /var/lib/mysql from host to container and map user/group

2018-07-14 Thread Andrey Repin
Greetings, Tony P!

> Oh, that sounds interesting. How will that help/work?

Mount a snapshot of the original (clean) database for each test run,
and destroy the snapshot if all tests passed.


-- 
With best regards,
Andrey Repin
Saturday, July 14, 2018 16:25:32

Sorry for my terrible english...


Re: [lxc-users] LXD share /var/lib/mysql from host to container and map user/group

2018-07-13 Thread Andrey Repin
Greetings, Tony P!

> Hello Andrey.

>> No. Normal testing setup includes all steps to prepare testing environment.
>> And normally, when you test database interaction, you use mocked database
>> driver, so no actual database is necessary.

> Sounds like you have an interesting setup. I'm glad it works for you.
> However, that will not work for my use case. This is not a "Normal
> testing setup". We do rapid iterations and a lot of automated testing,
> so the process has to be quick and also use an actual database which
> has been prepopulated with test data and will also process that data
> and add new data during the testing.

Then use a backing file system capable of making snapshots.


-- 
With best regards,
Andrey Repin
Saturday, July 14, 2018 3:43:14

Sorry for my terrible english...


Re: [lxc-users] LXD share /var/lib/mysql from host to container and map user/group

2018-07-09 Thread Andrey Repin
Greetings, Tony P!

> What's the correct way to share the mysql/mariadb data dir of the host
> system to a container and map the permissions correctly?

There's no correct way to *share* the database directory.
Database engines simply do not expect shared locks in the slightest.

> I have been
> struggling with this for a couple of days. I'm sorry if this question has
> been asked before, but I have searched thoroughly and not been able to find
> the solution yet. Basically what I have done so far:


> Install mariadb-server on both host and container and:


> $ printf "lxd:$(id -u mysql):1\nroot:$(id -u mysql):1\n" | sudo tee -a /etc/subuid
> $ printf "lxd:$(id -g mysql):1\nroot:$(id -g mysql):1\n" | sudo tee -a /etc/subgid
> $ sudo systemctl restart lxd
> $ printf "uid $(id -u mysql) 1000\ngid $(id -g mysql) 1000" | lxc config set $CONTAINER_NAME raw.idmap -
> $ lxc restart $CONTAINER_NAME
> $ sudo lxc config device add $CONTAINER_NAME mysql disk source=/var/lib/mysql path=/var/lib/mysql

> Unfortunately, this breaks the container and prevents it from starting since
> the mapping isn't allowed.


> $ sudo lxc info --show-log ub1804x64-3


> Name: ub1804x64-3
> Remote: unix://
> Architecture: x86_64
> Created: 2018/07/09 15:30 UTC
> Status: Stopped
> Type: persistent
> Profiles: default


> Log:


> lxc ub1804x64-3 20180709154554.682 ERROR    lxc_conf - conf.c:lxc_map_ids:2919 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [114-115) not allowed": newuidmap 6725 0 10 1000 1000 114 1 1001 101001 64535
> lxc ub1804x64-3 20180709154554.682 ERROR    lxc_start - start.c:lxc_spawn:1661 - Failed to set up id mapping.
> lxc ub1804x64-3 20180709154554.755 WARN     lxc_network - network.c:lxc_delete_network_priv:2607 - Failed to remove interface "veth38DOB9" from "lxdbr0": Invalid argument
> lxc ub1804x64-3 20180709154554.755 ERROR    lxc_container - lxccontainer.c:wait_on_daemonized_start:834 - Received container state "ABORTING" instead of "RUNNING"
> lxc ub1804x64-3 20180709154554.756 ERROR    lxc_start - start.c:__lxc_start:1887 - Failed to spawn container "ub1804x64-3"
> lxc 20180709154554.775 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:130 - Connection reset by peer - Failed to receive response for command "get_state"

> I'm basically following this article
> (https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/)
> written by Stéphane Graber (the super awesome primary LXD developer) to
> achieve this. I'll admit that I don't fully understand what's going on here,
> if someone could help me understand my mistake a bit better, I'd really
> appreciate it. I have a feeling I have the range wrong (1000?). I previously
> attempted doing the same by manually adding the mysql user/group and trying
> to map those (instead of installing mysql), but that also didn't work out
> (Same error). This is what I tried before trying the mapping):


> $ sudo groupadd mysql
> $ sudo useradd -r -g mysql mysql


> I also tried with: 
> $ printf "both $(id -u mysql) $(id -u mysql)" | lxc config set 
> $CONTAINER_NAME raw.idmap -


> Then the error I get is:


> $ sudo lxc info --show-log tmp3


> Name: tmp3
> Remote: unix://
> Architecture: x86_64
> Created: 2018/07/09 20:32 UTC
> Status: Stopped
> Type: persistent
> Profiles: default


> Log:


> lxc tmp3 20180709204423.805 ERROR    lxc_conf - conf.c:lxc_map_ids:2919 -
> newgidmap failed to write mapping "newgidmap: gid range [114-115) ->
> [114-115) not allowed": newgidmap 30081 114 114 1 0 10 114 115 100115 
> 65421
> lxc tmp3 20180709204423.805 ERROR    lxc_start - start.c:lxc_spawn:1661 - 
> Failed to set up id mapping.
> lxc tmp3 20180709204423.876 WARN     lxc_network -
> network.c:lxc_delete_network_priv:2607 - Failed to remove interface
> "vethYL869L" from "lxdbr0": Invalid argument
> lxc tmp3 20180709204423.876 ERROR    lxc_container -
> lxccontainer.c:wait_on_daemonized_start:834 - Received container state 
> "ABORTING" instead of "RUNNING"
> lxc tmp3 20180709204423.877 ERROR    lxc_start - start.c:__lxc_start:1887 - 
> Failed to spawn container "tmp3"
> lxc 20180709204423.897 WARN     lxc_commands -
> commands.c:lxc_cmd_rsp_recv:130 - Connection reset by peer - Failed to
> receive response for command "get_state"




> I'm using LXD 3.0.1 running on host Ubuntu 18.04 amd64 and testing with an
> Ubuntu 18.04 amd64 container


> Thanks for your help in advance!!



-- 
With best regards,
Andrey Repin
Tuesday, July 10, 2018 0:11:53

Sorry for my terrible english...
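The "range ... not allowed" errors quoted above are newuidmap/newgidmap refusing a host id that is not covered by the daemon user's allocation in /etc/subuid and /etc/subgid. The following shell script is an added example, not from the thread: it performs that same check on constructed sample files in a temp directory (the file contents, the function names and the directory are assumptions) and shows the one-line allocation that makes the mapping pass.

```shell
#!/bin/sh
# Added example, not part of the thread: reproduces the check that rejected the
# mapping in the log above. LXD hands newuidmap triples (container_id host_id count);
# every host range must fall inside one "user:start:count" line of /etc/subuid (uids)
# or /etc/subgid (gids) for the user that runs the daemon (root here). The sample
# files are constructed in a temp dir so nothing on the real system is touched.

# range_allowed FILE USER HOST_START COUNT
# Returns 0 if [HOST_START, HOST_START+COUNT) lies entirely inside one allocation
# granted to USER in FILE, 1 otherwise (the per-range test newuidmap applies).
range_allowed() {
  _rf=$1 _user=$2 _start=$3 _count=$4
  _end=$((_start + _count))
  while IFS=: read -r _name _first _n; do
    [ "$_name" = "$_user" ] && [ -n "$_n" ] || continue
    if [ "$_start" -ge "$_first" ] && [ "$_end" -le $((_first + _n)) ]; then
      return 0
    fi
  done < "$_rf"
  return 1
}

# check_idmap SUBUID SUBGID USER "TYPE HOST_ID CONTAINER_ID"
# TYPE is both, uid or gid, as in an LXD raw.idmap line. Prints a verdict in the
# style of the newuidmap error from the log; returns 0 only if every range passes.
check_idmap() {
  _subuid=$1 _subgid=$2 _owner=$3
  set -- $4                        # split the raw.idmap line into its three fields
  _type=$1 _host=$2 _cont=$3
  _rc=0
  for _kind in uid gid; do
    [ "$_type" = both ] || [ "$_type" = "$_kind" ] || continue
    if [ "$_kind" = uid ]; then _file=$_subuid; else _file=$_subgid; fi
    _desc="$_kind range [$_cont-$((_cont + 1))) -> [$_host-$((_host + 1)))"
    if range_allowed "$_file" "$_owner" "$_host" 1; then
      echo "$_desc allowed"
    else
      echo "$_desc not allowed: add '$_owner:$_host:1' to $_file"
      _rc=1
    fi
  done
  return $_rc
}

# make_sample_files: constructed stand-ins for /etc/subuid and /etc/subgid holding
# only the usual 65536-id block allocated to root. Prints the directory.
make_sample_files() {
  _dir=$(mktemp -d)
  printf 'root:100000:65536\n' > "$_dir/subuid"
  printf 'root:100000:65536\n' > "$_dir/subgid"
  echo "$_dir"
}

# grant_host_id DIR USER ID: a one-id allocation for USER in both files, which is
# exactly what the "not allowed" message is asking for.
grant_host_id() {
  echo "$2:$3:1" >> "$1/subuid"
  echo "$2:$3:1" >> "$1/subgid"
}

d=$(make_sample_files)
# First attempt from the log: container uid 1000 -> host uid 114 (mysql on the host).
check_idmap "$d/subuid" "$d/subgid" root "uid 114 1000" || echo "-> start would abort"
# Second attempt from the log: "both 114 114"; the gid range fails the same way.
check_idmap "$d/subuid" "$d/subgid" root "both 114 114" || echo "-> start would abort"
grant_host_id "$d" root 114
check_idmap "$d/subuid" "$d/subgid" root "both 114 114" && echo "-> id mapping accepted"
rm -rf "$d"
```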

Re: [lxc-users] Network instability with bridged nat and macvlan interfaces

2018-06-07 Thread Andrey Repin
Greetings, Michel Jansens!

> I’m running on Ubuntu 18.04 LXC 3.0.0.

> I’ve created 5 debian9 containers with default eth0 networking on NAT:

> # lxc network show lxdbr0
> config:
>   ipv4.address: 10.1.1.1/24
>   ipv4.dhcp.ranges: 10.1.1.2-10.1.1.99
>   ipv4.nat: "true"
>   ipv6.address: fd42:6f79:c120:7701::1/64
>   ipv6.nat: "true"
> description: Natted network 0
> name: lxdbr0
> type: bridge

> One of the containers (frontal) has an additional interface configured with:

> # lxc network attach vlan7 frontal
> # lxc config show kspreprodfrontal
> …
> devices:
>   vlan7:
> nictype: macvlan
> parent: vlan7
> type: nic

> vlan7 is a vlan with id: 7 configured in /etc/netplan/01-netcfg.yaml
> ... 
> vlans:
> vlan7:
>   id: 7
>   link: enp1s0f0

I'm no expert, frankly, but it itches me to mix brctl and macvlan like that.

> I’ve changed the frontal host internal networking so that eth1 comes first
> and the default route goes through eth1.
> Everything works internally and externally…except that from time to time, the
> frontal starts refusing connections from the outside for a few seconds (up to
> 50).
> It looks like general networking because all ports suddenly stop working
> (connection refused);
> internally the frontal remains reachable.
> I’m running haproxy on ports 80 and 443, but also tried running apache2 on
> port 8082. All ports go down at the same time.

> I’ve now installed an Ubuntu (16.04) container and added the vlan7 network
> the same way.
> It worked fine…for about an hour and stopped working again, but for good.
> What is weird is that port 80 and 443 are refused but port 22 is working
> (maybe that’s the host ssh?).

> Any idea?

Your explanation is not very clear in parts where you describe the failure.

> Thanks for any suggestion.

My first suggestion would be to rebuild your networking a little bit
differently.

1. Create a dummy internal interface and bind your containers' macvlan bridges
  to it. Bind an additional bridged macvlan on the host to be able to reach into
  the containers' network.
2. If your vlan7 is a dedicated network interface for your containers, pass it
  as physical to the ingress container.


-- 
With best regards,
Andrey Repin
Thursday, June 7, 2018 18:26:48

Sorry for my terrible english...

Re: [lxc-users] Network instability with bridged nat and macvlan interfaces

2018-06-06 Thread Andrey Repin
Greetings, Michel Jansens!

Please don't hijack unrelated threads. If you want to post a new issue, post a
new message.


-- 
With best regards,
Andrey Repin
Wednesday, June 6, 2018 20:54:31

Sorry for my terrible english...


Re: [lxc-users] LXCFS installation effects

2018-06-06 Thread Andrey Repin
Greetings, Martín Fernández!

> Stéphane,
> That seems to have done the trick :). Now I see different outputs when
> running `free` on the container than in the host. At the same time,
> non-restarted containers are showing the host output, which sounds good as well.
> One last question: if I don’t limit the amount of memory a container has,
> it should show the host available memory, right?
> Asking this because I have the following situation that for sure is not
> right.
>
> Host:
> ```
>              total       used       free     shared    buffers     cached
> Mem:         32109      25432       6676          9       1297      18510
> -/+ buffers/cache:       5624      26484
> Swap:       138699        893     137806
> ```
>
> Container (the restarted one):
> ```
>              total       used       free     shared    buffers     cached
> Mem:         32109        951      31157          9          0        256
> -/+ buffers/cache:        695      31414
> Swap:       138699        893     137806
> ```
>
> The container is showing that it has 31157 megabytes free, but that is
> obviously not true based on what the host is showing (6676).

The "free" memory is "available minus used (by non-discardable data)".
So, no, it just can't show actual free memory inside a container.


-- 
With best regards,
Andrey Repin
Wednesday, June 6, 2018 20:53:07

Sorry for my terrible english...

Re: [lxc-users] network isolation / per-container network

2018-06-06 Thread Andrey Repin
Greetings, Lukas Pirl!

> tl;dr: How to block traffic between containers? A bridge & subnet each?

The relevant TL;DR answer requires a bit more than your "TL;DR".

> I have a host which masquerades all packages to/from containers, since
> I am restricted to one external IP address.

Where do you do masquerading? On the same host? On an external router?

> Currently, the containers share a subnet and can hence communicate with
> each other.

That's not necessarily true.
Neither it is necessarily bad.
Please think twice before enforcing such policies in your system.

> They have a veth each and share a bridge on the host side.

> However, I want to fully control the traffic from/to/between the
> containers from the host (i.e., iptables/netfilter).

> Would having a subnet and a bridge on the host side per container be
> the most "elegant" way to gain full control over the traffic between
> containers? It feels a bit cumbersome/overkill.

Any solution to your request would be cumbersome.
ipip tunnels, ethernet level filtering, separate interfaces.

> (Please CC me directly, since I am not subscribed to lxc-users)

You can read archives, if you are so inclined to abstain from the
conversation.
Please reply to your own mails at least to maintain threading consistency.


-- 
With best regards,
Andrey Repin
Wednesday, June 6, 2018 20:55:41

Sorry for my terrible english...


Re: [lxc-users] Clarification

2018-05-27 Thread Andrey Repin
Greetings, Thouraya TH!

>  containers share the same operating system as the host.

That's not quite correct.
Containers share the host //kernel//. The definition of "OS" is a bit blurry
in this regard.
Let's just say, you can run a different set of utilities (what is usually
defined as a "distribution") as long as they can be run on the same kernel.

> so I cannot do  lxc-create -n c1 -o windows on ubuntu system ? that's it ?
> I can create windows container only on windows system using docker for
> example ?

I'm not sure, how exactly Docker does that, if at all, so can't comment.


-- 
With best regards,
Andrey Repin
Sunday, May 27, 2018 21:14:38

Sorry for my terrible english...

Re: [lxc-users] LXD 3.0 macvlan networking

2018-05-05 Thread Andrey Repin
Greetings, Mark Constable!

> On 5/5/18 5:43 PM, Janjaap Bos wrote:
>> To be able to ping a container macvlan interface, you need to have a
>> macvlan interface configured on the host.

> Thank you for the host macvlan snippet but I CAN actually ping the
> container from the host (but not the host from inside the container)
> and that was actually my question... how come I ping the
> container from my host when I just set up that container using
> macvlan?

Only you can tell. Check your iptables rules/routing inside container.


-- 
With best regards,
Andrey Repin
Sunday, May 6, 2018 05:11:55

Sorry for my terrible english...


Re: [lxc-users] Macvlan explained

2018-05-05 Thread Andrey Repin
Greetings, Michel Jansens!

> In the case of LXD, I suppose the macvlan bridge mode is used?

Last I checked, no. By default, LXC/LXD did not use macvlans.

> It also mentions that although VMs cannot directly communicate with the
> host, you can add another macvlan sub-interface and assign it to the host to 
> enable communication…

Yes. If you create a macvlan bridge on the interface with containers, you will
be able to communicate with them.

I wrote an ifupdown handler to simplify this process.
https://pastebin.com/yaRH8zC9


-- 
With best regards,
Andrey Repin
Sunday, May 6, 2018 05:05:32

Sorry for my terrible english...

Re: [lxc-users] [Solved] Re: How to get rid of pesky extra dhcp IP

2018-04-22 Thread Andrey Repin
Greetings, David Favor!

> Removing Netplan will work temporarily, until all the old networking plumbing
> is completely removed.

> Better to start moving to Netplan now,

Not until they publish a sane interface to edit its config.
YAML is NOT a text format. It's a very sensitive binary format. You can't tell
if a YAML file is correct by looking at it on screen.

> before some future update removes old
> processing of your /etc/network/interfaces files + all your networking simply
> stops working.


-- 
With best regards,
Andrey Repin
Sunday, April 22, 2018 17:18:35

Sorry for my terrible english...


Re: [lxc-users] LXC containers networking

2018-04-05 Thread Andrey Repin
Greetings, Bhangui!

> I’m pretty new to using LXC containers.
>
> I have a requirement that the solution running inside the container should
> be able to communicate to services in public cloud and also with some 
> services on the host machine.

That's a rather common requirement.

>  How do I setup the networking of this container?

However you want. For most intents and purposes, an LXC/LXD container is a
complete running system. Just without real hardware.

> When it will try to communicate to the service on the host machine, will
> request be routed to machine over the physical network?

However you configure it. It's all up to you. Macvlans support everything and
more.


-- 
With best regards,
Andrey Repin
Friday, April 6, 2018 03:29:23

Sorry for my terrible english...

Re: [lxc-users] LXD project status

2018-03-31 Thread Andrey Repin
Greetings, Saint Michael!

> I am using LXC, plain vanilla. Is there a reading that can help me move to
> LXD 3.0?

Do you NEED to move to LXD, to begin with?

> I am afraid I cannot see why would anybody use LXD vs regular LXC.

Mass deployment of similar containers.

> I can do anything I need, so far, with LXC. To copy a container to another
> server I use rsync with some special parameters.
> In general what is the great advantage of using LXD?

See above. LXD is more suitable for automated (re)deployment of likewise
containers.

If all you need is an occasional isolation of an experimental/production
environment, LXC is more than enough.


-- 
With best regards,
Andrey Repin
Sunday, April 1, 2018 01:08:24

Sorry for my terrible english...


Re: [lxc-users] LXD - detect old configuration keys

2018-03-18 Thread Andrey Repin
Greetings, MonkZ!

> Hiho,

> I'm running LXD 2.21 on Ubuntu. With my latest upgrade I got warnings like
> "The configuration file contains legacy configuration keys.
> Please update your configuration file!"

> Is there a way to list those keys?

99.99% chances are it is lxc.raw


-- 
With best regards,
Andrey Repin
Monday, March 19, 2018 02:48:09

Sorry for my terrible english...


Re: [lxc-users] LXC container isolation with iptables?

2018-03-04 Thread Andrey Repin
Greetings, Steven Spencer!

> Honestly, unless I'm spinning up a container on my local desktop, I always
> use the routed method.

This contradicts…

> Because our organization always thinks of a container as a separate machine,

…this.

> it makes the build pretty similar whether the machine is on the LAN or WAN
> side of the network. It does, of course, require that each container run its
> own firewall, but that's what we would do with any machine on our network.

To me, macvlan bridging is more natural, all network devices are immediately
aware of the container, you could move containers across your network at will
and you don't have to waste your mind with routing information.


-- 
With best regards,
Andrey Repin
Sunday, March 4, 2018 21:34:40

Sorry for my terrible english...

Re: [lxc-users] On The Way To LXC 3.0: Splitting Out Templates And Language Bindings

2018-02-28 Thread Andrey Repin
Greetings, Christian Brauner!

> And if that makes you
> more likely to read it: there are asciicasts. :)

410 Gone

:(


-- 
With best regards,
Andrey Repin
Thursday, March 1, 2018 03:47:50

Sorry for my terrible english...


Re: [lxc-users] LXD with openstack issue

2018-02-28 Thread Andrey Repin
Greetings, Alex Kavanagh!

> Hi Akshay,


> For some strange reason, I've only just received your email, despite it
> saying that it was sent on the 15th!? 

It was stuck in the internal queue.

Received: from mailman01.srv.dcmtl.stgraber.net (localhost [127.0.0.1])
by mailman01.srv.dcmtl.stgraber.net (Postfix) with ESMTP id 685014FCD2;
Wed, 28 Feb 2018 03:18:18 + (UTC)
Received: from smtpin1.stgraber.org (smtpin01.srv.dcmtl.stgraber.net
 [IPv6:2001:470:b368:1020:216:3eff:fec2:c9])
 by mailman01.srv.dcmtl.stgraber.net (Postfix) with ESMTPS id 11DF54E61D
 for <lxc-users@lists.linuxcontainers.org>;
 Thu, 15 Feb 2018 10:28:43 + (UTC)


-- 
With best regards,
Andrey Repin
Thursday, March 1, 2018 03:42:34

Sorry for my terrible english...

Re: [lxc-users] LXC master: Legacy Config Items Have Been Removed

2018-02-12 Thread Andrey Repin
Greetings, Sean McNamara!

> For LXD, is it true that the only potential impact is if you use
> lxc.raw in a config or profile?

Supposedly yes.
If you are running current 2.x, your configuration should have been updated
already.


-- 
With best regards,
Andrey Repin
Tuesday, February 13, 2018 00:31:44

Sorry for my terrible english...


Re: [lxc-users] Samba4 DC in an unprivileged container

2018-02-07 Thread Andrey Repin
Greetings, Frank Dornheim!

> I'm trying to set up a Samba4 AD in an unprivileged container:
>
> My OS is an Ubuntu 17.10 server and my container is an Ubuntu 17.10.
>
> My lxd version is:
>
>  Package: lxd
>  Version: 2.18-0ubuntu6

> First, I have a working setup as a "privileged container".
>  
> But I want to secure my installation and transfer samba4 in an unprivileged 
> container.

Unprivileged containers are no more secure than privileged containers,
generally speaking.

> I get the error message below when I do the setup with samba-tool domain
> provision.

Can you post your smb.conf before provisioning?


-- 
With best regards,
Andrey Repin
Wednesday, February 7, 2018 18:26:59

Sorry for my terrible english...


Re: [lxc-users] Is anybody of this list at the cloudfest (Germany, March 10-16)

2018-01-30 Thread Andrey Repin
Greetings, Ingo Baab!

> Hello Everybody,

> LXD/LXC is cloud-computing! Is anybody of you at the German "CLOUDFEST" 2018
> in Europa-Park-Rust?
> I am there and I would like to meet interesting people :)

How is your post related to the lxcfs issue people are discussing?


-- 
With best regards,
Andrey Repin
Wednesday, January 31, 2018 03:18:57

Sorry for my terrible english...


Re: [lxc-users] Share base OS with multiple containers like FreeBSD jails

2018-01-01 Thread Andrey Repin
Greetings, Rajil Saraswat!

> I have been using FreeBSD jails for some time and love the fact that the
> same base image is shared with multiple jails. I was wondering if it is
> possible to do the same with lxc/lxd (running on Gentoo). At the moment
> lxd leads to lot of wasted space when using multiple containers since
> each image requires a full blown base image.

This is a question of an underlying storage backend.
ZFS/BTRFS can save quite a lot of space, and so does LVM.

LESS=+/backingstore man lxc-create


-- 
With best regards,
Andrey Repin
Tuesday, January 2, 2018 04:48:47

Sorry for my terrible english...


Re: [lxc-users] Question

2018-01-01 Thread Andrey Repin
Greetings, Thouraya TH!

> Please, how can I get remotely the hostname of the host hosting my container
> "container1" ?

What exactly are you trying to achieve?
Under normal circumstances, this knowledge should be meaningless.


-- 
With best regards,
Andrey Repin
Tuesday, January 2, 2018 04:47:31

Sorry for my terrible english...


Re: [lxc-users] Bonding inside container? Or any other ideas?

2017-11-22 Thread Andrey Repin
Greetings, Lai Wei-Hwa!

> I'm not sure I follow. I have multiple servers running Bond Mode 4 (for
> LACP/802.3ad).

802.3ad (mode 4) requires switch support.
Unfortunately, my switch is "managed", but does not offer this essential
specification.

> I then created a bridge, br0 which becomes the main (only) interface.

After having a hard time with some of the configurations, I avoid brctl like
the plague. It may be a tool to bridge physical interfaces, but for a single
host it is an extreme overhead.


-- 
With best regards,
Andrey Repin
Thursday, November 23, 2017 01:20:52

Sorry for my terrible english...


[lxc-users] Bonding inside container? Or any other ideas?

2017-11-21 Thread Andrey Repin
Greetings, All!

Some time ago I managed to install a second network card into one of
my servers, and have been experimenting with bonding on the host.
The field is: a host with two cards in one bond0 interface.
A number of containers sitting as macvlans on top of bond0.

Some success was achieved with bond mode 5 (balance-tlb) - approx 2:1 TX
counts with five clients, but all upload is weighted on one network card.

Attempting to change the mode to balance-alb (mode 6) immediately broke the
loading of roaming Windows profiles; the issue immediately disappears once I
switch back to mode 5.

I suppose this happens because the bonding balancer creates havoc with macvlan
and its own bonding MAC addresses, which the network can't easily solve, or
Windows clients get picky and refuse to load stuff from a randomly changed source.

While I could turn back to the internal LXC bridge and route requests between it
and bond0 on the host to dissolve the MAC issue, I'd like to see if a more
direct solution could be found, such as creating a bond inside the container?

Or if not, is there any other way to use bonding and maintain broadcast
visibility range between containers and the rest of the network?


-- 
With best regards,
Andrey Repin
Wednesday, November 22, 2017 02:23:22

Sorry for my terrible english...


Re: [lxc-users] TTY issue

2017-11-20 Thread Andrey Repin
Greetings, Saint Michael!

> How do you rsync over SSH when all you have is a Plain Old FTP server to 
> connect to?
> Maybe there is something I need to learn.

Remove FTP, it's insecure by definition, cumbersome in setup and not usable in
general.


-- 
With best regards,
Andrey Repin
Monday, November 20, 2017 19:56:05

Sorry for my terrible english...


Re: [lxc-users] TTY issue

2017-11-18 Thread Andrey Repin
Greetings, Saint Michael!

> I need to do an rsync of hundreds of files every morning. The least complex
> way to achieve that is to do an rsync with some parameters that narrow down 
> what files I need.
> Is there a better way?

rsync over a network mount is the WORST POSSIBLE SOLUTION EVER.
Use normal rsync over SSH, it will be much faster, even if you do checksum
syncs.


-- 
With best regards,
Andrey Repin
Sunday, November 19, 2017 01:07:34

Sorry for my terrible english...


Re: [lxc-users] lxc exec - support for wildcards and/or variables?

2017-11-17 Thread Andrey Repin
Greetings, Tomasz Chmielewski!

> lxc exec does not seem to support wildcards:

It's not exec, it's you.

> # lxc exec $CONTAINER -- touch /tmp/file1 /tmp/file2

> # lxc exec $CONTAINER -- ls /tmp/file*
> ls: cannot access '/tmp/file*': No such file or directory

> # lxc exec $CONTAINER -- ls /tmp/file\*
> ls: cannot access '/tmp/file*': No such file or directory

Of course.
lxc exec does exactly what you told it to do.

> So let's try by setting a variable, which works:

> # lxc exec --env LSFILES=/tmp/file* $CONTAINER -- env
> PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> container=lxc
> TERM=xterm-256color
> USER=root
> HOME=/root
> LSFILES=/tmp/file* <- it's set, here!
> LANG=C.UTF-8


> But how to use it from lxc exec?

> - this obviously gets expanded on the host:

> # lxc exec --env LSFILES=/tmp/file* $CONTAINER -- echo $LSFILES


> - this is passed as a literal $LSFILES to the container:

> # lxc exec --env LSFILES=/tmp/file* $CONTAINER -- echo \$LSFILES
> $LSFILES


> How do I use the variables / wildcards with lxc exec? Say, I want to 
> remove all /tmp/somefile* in the container.

Do what your host does - allow the shell to expand in the container.
Since wildcard expansion is done by the shell (surprise!), not by the executed
program, you'd have to run the command through a shell in the container.
Which you are not doing currently. Same as if you run "ls '/tmp/file*'" on the
host.


-- 
With best regards,
Andrey Repin
Saturday, November 18, 2017 07:45:47

Sorry for my terrible english...

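As an added example, not from the thread: a shell script that contrasts the literal-argument form with the `sh -c` form and the `--env` variant. It uses env(1) as a stand-in for `lxc exec` (RUNNER, the temp directory and the function names are assumptions), since both exec their argv without a shell.

```shell
#!/bin/sh
# Added example, not from the thread. `lxc exec` hands its argv to the container
# without a shell, so a wildcard is either expanded by the host shell (against the
# host's files) or arrives in the container as the literal string "/tmp/file*".
# Asking for a shell inside the container makes that shell expand it.
# RUNNER is an assumption: with LXD it would be "lxc exec $CONTAINER --"; to run
# offline we use env(1), which likewise execs its arguments without a shell, and
# the files live in a constructed temp dir instead of a container.
RUNNER=${RUNNER:-env}

# make_fixture: creates file1 and file2 in a fresh temp dir and prints the dir.
make_fixture() {
  _d=$(mktemp -d)
  touch "$_d/file1" "$_d/file2"
  echo "$_d"
}

# count_direct PATTERN: what `lxc exec $C -- ls /tmp/file*` does when the host has
# no matching files: the pattern reaches ls as one literal argument. Prints the
# number of entries ls listed (0 here, since no file is literally named "file*").
count_direct() {
  $RUNNER ls "$1" 2>/dev/null | wc -l | tr -d ' '
}

# count_via_shell PATTERN: the working form, `lxc exec $C -- sh -c 'ls /tmp/file*'`;
# the shell started inside the container performs the expansion.
count_via_shell() {
  $RUNNER sh -c "ls $1" 2>/dev/null | wc -l | tr -d ' '
}

# count_via_env PATTERN: the --env variant from the question (the variable is set
# through env(1) here). A shell in the container must expand $LSFILES, and it must
# stay unquoted inside that shell so the glob expands as well.
count_via_env() {
  $RUNNER env LSFILES="$1" sh -c 'ls $LSFILES' 2>/dev/null | wc -l | tr -d ' '
}

# rm_via_shell PATTERN: the "remove all /tmp/somefile*" case, done the same way.
rm_via_shell() {
  $RUNNER sh -c "rm -f $1"
}

d=$(make_fixture)
echo "literal argument:    $(count_direct "$d/file*") files"
echo "via sh -c:           $(count_via_shell "$d/file*") files"
echo "via env + sh -c:     $(count_via_env "$d/file*") files"
rm_via_shell "$d/file*"
echo "after rm via sh -c:  $(count_via_shell "$d/file*") files"
rm -rf "$d"
```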

Re: [lxc-users] TTY issue

2017-11-17 Thread Andrey Repin
Greetings, Saint Michael!

> lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> lxc.mount.entry = sysfs sys sysfs defaults  0 0
> lxc.mount.entry = /cdr cdr none bind 0 0
> lxc.mount.auto = cgroup:mixed
> lxc.tty = 10
> lxc.pts = 1024
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 1:3 rwm
> lxc.cgroup.devices.allow = c 1:5 rwm
> lxc.cgroup.devices.allow = c 5:1 rwm
> lxc.cgroup.devices.allow = c 5:0 rwm
> lxc.cgroup.devices.allow = c 4:0 rwm
> lxc.cgroup.devices.allow = c 4:1 rwm
> lxc.cgroup.devices.allow = c 1:9 rwm
> lxc.cgroup.devices.allow = c 1:8 rwm
> lxc.cgroup.devices.allow = c 136:* rwm
> lxc.cgroup.devices.allow = c 5:2 rwm
> lxc.cgroup.devices.allow = c 254:0 rwm
> lxc.cgroup.devices.allow = c 10:137 rwm # loop-control
> lxc.cgroup.devices.allow = b 7:* rwm    # loop*
> lxc.cgroup.devices.allow = c 10:229 rwm #fuse
> lxc.autodev = 0
> lxc.aa_profile = unconfined
> lxc.cap.drop=
> lxc.network.type = phys
> lxc.network.flags = up
> lxc.network.link = eth6
> lxc.network.name = eth0
> lxc.network.ipv4 = 0.0.0.0/27
> lxc.network.type = macvlan
> lxc.network.flags = up
> lxc.network.link = eth3
> lxc.network.name = eth1
> lxc.network.macvlan.mode = bridge
> lxc.network.ipv4 = 0.0.0.0/24

> lxc.start.auto = 1
> lxc.start.delay = 5
> lxc.start.order = 0
> lxc.rootfs = /data/iplinkcdr/rootfs
> lxc.rootfs.backend = dir
> lxc.utsname = iplinkcdr

Was there the need for it? Really?
I feel like you've dug the grave for yourself with this config.


-- 
With best regards,
Andrey Repin
Saturday, November 18, 2017 07:42:06

Sorry for my terrible english...

Re: [lxc-users] TTY issue

2017-11-17 Thread Andrey Repin
Greetings, Saint Michael!

> The issue is with fuse, that is why I keep
> lxc.autodev=0
> If I do not, if I set it to 1, then fuse does not mount inside a container.
> I need fuse, for I mount an FTP server inside the container.
> So I am caught between a rock and a hard place.
> I already asked about this contradiction on the LXC developers list.

I'd strongly suggest to rethink your needs.
WHY do you mount an FTP server, in first place?


-- 
With best regards,
Andrey Repin
Saturday, November 18, 2017 07:44:00

Sorry for my terrible english...

Re: [lxc-users] TTY issue

2017-11-16 Thread Andrey Repin
Greetings, Saint Michael!

> I use fully privileged containers, since this is just a mechanism to move
> around highly complex installations.
> In my business there is one host and one container per box, which uses up
> all resources available.
> What you are saying, basically, is that root-privileged containers are not
> supported by LXC, since a container does hijack the host's TTY.

No, it should not. I didn't use it on 16.04, but my older LTSes use
a bunch of privileged containers to encapsulate separate services, and none
exhibit the issue described.
$ lxc-start --version
2.0.8

> Any confirmation of this? I cannot believe this is impossible to solve.

It is most likely possible to solve. Please see another branch of this thread.

OTOH, using unprivileged containers is strongly suggested for general security
considerations.


-- 
With best regards,
Andrey Repin
Thursday, November 16, 2017 16:11:02

Sorry for my terrible english...


Re: [lxc-users] TTY issue

2017-11-15 Thread Andrey Repin
Greetings, Saint Michael!

> My host is Ubuntu LTS

Which "LTS"?…

> and my container is Centos 7.

And what you are using for containers?
LXC? LXD? Which version?

> Every time the server boots, the container takes over the tty0 of the
> server, Ubuntu, and freezes the interface.
> The only way to log in to the server itself is to press ALT+F2 and use the second
> tty.
> I tried to remove tty0 on the guest, and also this (on the guest)
> systemctl stop getty@tty1.service; systemctl mask getty@tty1.service
> but the issue continues. Any idea how I can block any container from
> hijacking the host's tty?

Your report is lacking a lot of critical information. And it doesn't look like
you googled your problem either. I was able to easily find a number of
references to similar issues, and they all contain suggested solutions,
unfortunately, without a call back from the original poster(s) about
success/failure of applying them.


-- 
With best regards,
Andrey Repin
Thursday, November 16, 2017 05:37:58

Sorry for my terrible english...

Re: [lxc-users] Suggestions regarding (ultimately) LXC 2.1.0 lxc-update-config

2017-10-06 Thread Andrey Repin
Greetings, Adrian Pepper!

> Could/should there be an lxc-config-lint (lxc-lint-config?)

lxc-lint-config, if you ask me.

> which would warn of upcoming problems?

Being able to statically analyze configuration is always a boon.
And I greatly appreciate programs that can dump their config not as the
operator wrote it, but as they understood it.


-- 
With best regards,
Andrey Repin
Friday, October 6, 2017 21:44:55

Sorry for my terrible english...


Re: [lxc-users] [lxc-devel] Container startup hook arguments

2017-10-06 Thread Andrey Repin
Greetings, Christian Brauner!

>> Maybe a configuration key 'lxc.hooks.version=2' ?

> I'm fine with simply keeping the arguments until 3.0 and then removing them. I
> really don't want to add configuration keys that conceptually are internal keys
> but are nonetheless exposed to users. Fwiw, this is also why I didn't implement
> a version key for the 2.1. config file format update. This is just going to bite
> us in the long run when we have to deprecate these internal keys. TL;DR, keep
> the args for now and kill them in 3.0.

May I propose an alternative?
Fill in the environment gaps now.
Add something like an "lxc.hooks.legacy" key in some future 2.x version, defaulting
to enabled, and recommend people turn it off and see if their hooks need
correction.
In some version prior to 3.0, change the default value of the key to disabled.
In 3.0, remove the key.


-- 
With best regards,
Andrey Repin
Friday, October 6, 2017 21:37:10

Sorry for my terrible english...


Re: [lxc-users] Container startup hook arguments

2017-10-03 Thread Andrey Repin
Greetings, Serge Hallyn!

> Since the start, lxc container startup hooks have gotten some redundant
> information as command line arguments, which is also available as environment
> variables.

> Is anyone making use of that? I'm wondering whether any existing
> installations would have broken scripts if we get rid of those.

> https://github.com/lxc/lxc/issues/1766 is one sensible request to stop sending
> these args, and I suspect that CNI binaries will also not like them.

> Removing them is probably 3.0 material, as even if no one replies saying
> they use them, our community doesn't exactly work like that... but it sure
> would be nice to drop them :)

Consider me +1 to that.
If your script needs to know its environment, it should make use of it. Other
than that, the extra arguments unexpectedly passed to the hook are always a
source of potential confusion.


-- 
With best regards,
Andrey Repin
Tuesday, October 3, 2017 14:59:46

Sorry for my terrible english...
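The point made in both hook-argument replies above (a hook should take what it needs from the environment, not from whatever positional arguments happen to be passed) as an added example; this is not code from the thread or from the LXC project. It is a start hook written in POSIX sh that reads only environment variables, refuses to run when they are missing or when the container name looks unsafe for use in paths, and merely counts the legacy positional arguments instead of acting on them. The variable names LXC_NAME, LXC_HOOK_TYPE and LXC_ROOTFS_MOUNT are those documented in lxc.container.conf(5) of later LXC releases (an assumption for the 2017 versions being discussed); the container name and paths in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example (not LXC project code): an lxc.hook.* script that reads what it
# needs from the environment LXC exports and ignores legacy positional args.
# Assumed variable names (from lxc.container.conf of later LXC releases):
#   LXC_NAME, LXC_HOOK_TYPE, LXC_ROOTFS_MOUNT

# hook_env_ok: status 0 when every variable this hook relies on is set and the
# container name is safe to embed in paths and log lines, 1 otherwise.
hook_env_ok() {
    [ -n "${LXC_NAME:-}" ] || return 1
    [ -n "${LXC_HOOK_TYPE:-}" ] || return 1
    [ -n "${LXC_ROOTFS_MOUNT:-}" ] || return 1
    # Reject names containing path separators or shell-significant characters;
    # a hook runs as root on the host, so the name must not steer any path.
    case $LXC_NAME in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# hook_describe: one line built purely from the environment, standing in for
# the hook's real work; fails (status 1) instead of guessing when env is missing.
hook_describe() {
    hook_env_ok || return 1
    printf '%s %s %s\n' "$LXC_NAME" "$LXC_HOOK_TYPE" "$LXC_ROOTFS_MOUNT"
}

# legacy_args_count: how many positional arguments the caller passed.
# Older LXC passes (container name, section, hook type); the hook only logs
# their presence and never acts on them.
legacy_args_count() {
    echo "$#"
}

# Entry point: only act when LXC actually invoked us (LXC_HOOK_TYPE is set);
# when the file is merely sourced, nothing below runs.
if [ -n "${LXC_HOOK_TYPE:-}" ]; then
    if ! hook_describe; then
        echo "hook: incomplete or unsafe environment, refusing to run" >&2
        exit 1
    fi
    [ "$(legacy_args_count "$@")" -eq 0 ] || \
        echo "hook: ignoring $(legacy_args_count "$@") legacy positional args" >&2
fi
```

Because the script never reads `$1`, `$2` or `$3`, it behaves identically whether or not the redundant arguments are still being sent, which is exactly what makes dropping them in a later release safe for it.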

Re: [lxc-users] lxc config preventing mysql

2017-08-21 Thread Andrey Repin
Greetings, Jake Black!

> So in our environment, we use lxc containers for quick test machines. We
> have a script that will spin up a container and set lxc config based on what
> we need it to do. We are running into an issue where these config settings
> are preventing mysql from starting.

> This is how the container is created if we need to mount nfs to it.

> lxc launch "${IMAGE}" "${NAME}"
> lxc config set "${NAME}" security.privileged true
> lxc config set "${NAME}" raw.apparmor 'mount,'

Why not just mount the necessary structure using LXD config?

> The specific mysql error being reported by ansible is invoke-rc.d:
> initscript mysql, action \"start\" failed.

Why "invoke-rc.d" ? What is the guest OS?

> Now if I just launch the container without the two config lines then when I
> run an ansible playbook that calls and sets up mysql, there is no mysql
> error and it actually started without error. So I tested to see which one of
> these lines was causing mysql to throw a fit. But it appears to be when both
> of these configs are set. If I just run one config line (doesn't matter
> which) then there is no error. The error only appears when both of these are
> run.

> We initially did not suspect lxc configs to be messing with mysql. But
> found this by setting up identical containers and doing the same tasks
> except for these lines. And our playbooks that start mysql don't need nfs so
> we aren't really blocking on this, but is an interesting issue. Does anybody
> have any idea why these would be preventing mysql from starting?


-- 
With best regards,
Andrey Repin
Monday, August 21, 2017 16:44:23

Sorry for my terrible english...


Re: [lxc-users] Fastest way to copy containers

2017-07-25 Thread Andrey Repin
Greetings, Ron Kelley!

> I am trying to copy sites from one LXD to another - both running BTRFS.
> The normal “lxc copy” command uses btrfs send/receive which is terribly
> slow.

btrfs send/receive is fast, when you send incremental copies of partitions.
And of course it will be slower than rsync, since it works on a different
level.

> As an aside; I think LXD should allow the user to specify which copy tool
> to leverage when doing the copying.  Is that possible?

I think there's a difference between copying within the same host and between
different hosts.


-- 
With best regards,
Andrey Repin
Tuesday, July 25, 2017 17:21:19

Sorry for my terrible english...

Re: [lxc-users] MySQL Unable to install on 14.04 Container

2017-07-05 Thread Andrey Repin
Greetings, Yonsy Solis!

> Are you installing mysql in clean state or you are upgrading an old
> install/config, because your warning  ("Using unique option prefix
> key_buffer instead of key_buffer_size is deprecated and will be removed
> in a future release. Please use the full name instead") happens with old
> /etc/my.cnf updated to mysql 5.5. I do:

This is a deficiency of the original Debian package.

> the install process ask me for the initial password and mysql get
> installed, but this was from a clean state (my host is 16.04 LTS)

I've installed Oracle MySQL on 14.04 in an LXC container just fine.
I suggest trying https://dev.mysql.com/downloads/repo/apt/ , not in small
part because 5.5 is intolerably old.


-- 
With best regards,
Andrey Repin
Wednesday, July 5, 2017 17:52:38

Sorry for my terrible english...

Re: [lxc-users] Forwarding DNS requests to the host /etc/hosts file

2017-05-31 Thread Andrey Repin
Greetings, Adil Baig!

> I have several containers running on host machines. The host machine is
> part of a LAN network. Each host has an updated /etc/hosts file with domain
> names to other LAN entities.

I strongly suggest you set up a local DNS server.
LXC already has a dependency on dnsmasq; you can easily configure it for
fakeresolve in addition to the LXC-specific setup.

> My problem is I cannot use the hostnames defined on the host inside the
> container (without actually copying the /etc/hosts file in). I'd rather not
> copy the file as I sync /etc/hosts file using Ansible, and the Ansible
> inventory cannot manage LXD containers dynamically.


> How is it possible to set up the containers so they look up entries in the
> host machines' /etc/hosts file?

My strong opinion is that /etc/hosts is a crutch from the 1960s and should not be
used; there's always a better option.


-- 
With best regards,
Andrey Repin
Wednesday, May 31, 2017 23:20:01

Sorry for my terrible english...


Re: [lxc-users] IPv6-only Bridge?

2017-05-30 Thread Andrey Repin
Greetings, Thomas Ward!


> I'm trying to set up IPv6 bridging

wat

> so that I can get my IPv6 addresses working properly on containers so they
> can just *get* IPv6 addresses that work, either by static assignment or
> dynamic.

It's called "routing".

> Attempting to set a bridge breaks host routing for IPv4, and I'm stuck
> on using the serial console to get in.  Is there a way to achieve an
> IPv6-only bridge to the LXD container(s), that can bridge IPv6 addresses
> to an ethernet port without disrupting the IPv4 routing of the host?

> (I currently use DNAT/SNAT/FORWARD rules on the host to route specific
> IPv4 addresses' traffic via 1:1 NAT into individual containers, but I
> need similar functionality with IPv6 and DNAT/SNAT doesn't work in IPv6)

Just dedicate an IPv6 subnet for your containers and route traffic to the
required interface.


-- 
With best regards,
Andrey Repin
Tuesday, May 30, 2017 17:41:43

Sorry for my terrible english...


[lxc-users] lxc-templates dependency on debootstrap

2017-05-19 Thread Andrey Repin
Greetings, All!

I've tried to roll a new template, but suddenly realized that I have no
"debootstrap" package installed.
Checking dependencies, it turned out it is listed as a "recommended" dependency
of lxc-templates. Of course, I did not have it installed, since I don't want
unnecessary bloat on my host.
Which prompts a question: shouldn't it be a hard dependency instead?


-- 
With best regards,
Andrey Repin
Saturday, May 20, 2017 03:41:18

Sorry for my terrible english...


Re: [lxc-users] LXC 1.0.10, LXC 2.0.8, LXCFS 2.0.7 and LXD 2.0.10 have been released!

2017-05-12 Thread Andrey Repin
Greetings, Stéphane Graber!

> Hello everyone,

> Today the LXC project is pleased to announce the release of:
>  - LXC 1.0.10
>  - LXC 2.0.8
>  - LXD 2.0.10
>  - LXCFS 2.0.7

> They each contain the accumulated bugfixes since the previous round of
> bugfix releases about four months ago.


> This includes the following security fixes for which individual patches
> were made available earlier this year:

>  - CVE-2016-10124 (backport of pts/pty isolation to LXC 1.0.x from 2.0.x)
>  - CVE-2017-5985 (lxc-usernic issue for LXC 1.0.x and 2.0.x)

> It's also worth noting that LXC templates in 2.0.10 have been modified
> such that no default (insecure) user credentials are set.

Finally. I was getting tired of "deluser" for each newly created container.

> The detailed changelogs for each project can be found at:
>  - https://linuxcontainers.org/lxc/news/
>  - https://linuxcontainers.org/lxcfs/news/
>  - https://linuxcontainers.org/lxd/news/

> As a reminder, the 2.0 series of all of those is supported for bugfix
> and security updates up until June 2021.

> The LXC 1.0.x branch is supported until June 2019 with critical bugfixes
> and security updates only, users are recommended to upgrade to 2.0.x.

> Thanks to everyone who contributed to those projects and helped make
> this possible!


> Stéphane Graber
> On behalf of the LXC, LXCFS and LXD development teams


-- 
With best regards,
Andrey Repin
Friday, May 12, 2017 15:24:54

Sorry for my terrible english...

Re: [lxc-users] More secure container

2017-05-09 Thread Andrey Repin
Greetings, T.C 吳天健!

> It's said a privileged container is insecure. For example, if a user in the
> container (suppose it's running a service toward the public) hacks the system
> with some kind of rootkit.

This is not specifically correct. The road to compromising the container is
rather thorny.
Even if the container is privileged and the container owner has root access inside
the container, gaining any host advantage would be hard if not impossible,
unless the host configuration is far from sane.

> I am thinking of building a more secure container.  The first idea is to
> use unprivileged container;  Second is apply cgroup to limit viewing of some
> sensitive /dev files, and any recommendation?

LXD by default is "secure" in the sense that even if a container is compromised, the
effective UID the container user is running as has no rights on the host.

> Summary
> -use unprivileged container

Right.

> -cgroup to limit viewing of some /dev files

Unnecessary in real-world application.


-- 
With best regards,
Andrey Repin
Wednesday, May 10, 2017 00:17:31

Sorry for my terrible english...

Re: [lxc-users] LXD move, how to reduce downtime without live migration

2017-04-30 Thread Andrey Repin
Greetings, Spike!

> thank you for sharing Fajar, this is very helpful. A couple questions:
> 1. how do you ensure data consistency? I don't think it's safe to take a
> snap of a mysql container with mysql running for example. Other backup
> solutions I've used in the past, like bacula for example, allowed you to run
> pre-backup jobs to say make the db readonly or stuff like that. Are you doing
> such a thing with sanoid?
> 2. related to, if you move lib/lxd, is it safe to snap with lxd running? no
> consistency issues?

It is never a good idea to snapshot the disk of a running system.
Any files opened for writing are unlikely to back up properly.
It is less of an issue for MySQL and other applications that use journaling
for their write operations, but on any given live system there are more apps
that don't expect power interruptions.


-- 
With best regards,
Andrey Repin
Sunday, April 30, 2017 20:45:49

Sorry for my terrible english...


Re: [lxc-users] Running LXD on those new ARM64 cloud servers by Scaleway

2017-04-28 Thread Andrey Repin
Greetings, Simos Xenitellis!

> 2. The Linux kernel lacks ZFS support, thus requires to compile it by
> hand. Takes time and effort (-1). Have script (+1).

Does it include BTRFS?


-- 
With best regards,
Andrey Repin
Saturday, April 29, 2017 03:39:49

Sorry for my terrible english...


Re: [lxc-users] change 'lxc [cmd]' to 'lxd [comd]' (for LXD)

2017-04-18 Thread Andrey Repin
Greetings, Simos Xenitellis!

> On Tue, Apr 18, 2017 at 11:34 AM, gunnar.wagner
> <gunnar.wag...@netcologne.de> wrote:
>> just saw it again 
>>
>> 'lxc-[cmd]'   (LXC Containers)   vs
>> 'lxc [cmd]'   (LXD Containers)
>>
>> it would be so much less confusing if LXD would just use   'lxd [cmd]'
>> instead of   'lxc [cmd]'   syntax
>>
>> - Am I (being a total novice and all) alone with this thought?
>> - any benefit from the current   'lxc [cmd]'   command syntax for LXD
>> containers?
>>
>> just wondering. Maybe it's an age-old discussion here but as someone diving
>> new into this ... it hits you right in the face
>>

> I think the issue here is this, is there any growing interest in LXC1
> (those lxc-[cmd] commands)?
> LXD/LXC is more usable than legacy LXC (i.e. LXC1).

LXC requires less infrastructure and is easier to manage.
I prefer it over LXD for persistent deployments.


-- 
With best regards,
Andrey Repin
Tuesday, April 18, 2017 13:44:27

Sorry for my terrible english...


Re: [lxc-users] [OT] emails of this mailing list are spammed

2017-03-10 Thread Andrey Repin
Greetings, Ivan Ogai!

> Hello,

> I just want to tell you what the subject of this email says.
> How do I know? Look at the dedicated email that I use only for this list.

Quote raw emails more; it helps bot crawlers collect them.


-- 
With best regards,
Andrey Repin
Friday, March 10, 2017 20:18:09

Sorry for my terrible english...


Re: [lxc-users] DBUS connection from inside container using system dbus

2017-03-03 Thread Andrey Repin
Greetings, Adithya K!

> Hi All,

> I am using the busybox template to create a container on Ubuntu. I am creating
> the container as non-privileged. Attached is the config created.


>  I am mapping /var/run/dbus/socket from host to container. Basically I am
> using the host dbus.


>  What I see is when I try to run any dbus program, the
> dbus_bus_get(DBUS_BUS_SYSTEM, ); call fails. Basically I am not able to
> get a dbus bus connection.

I suppose you're running containers with subuid?
Then the answer is obvious - your container doesn't have permission to access
the socket.

>  When I create a container using privileged mode, then this issue doesn't exist.

>  Any solution for this issue?

Don't use system dbus.


-- 
With best regards,
Andrey Repin
Friday, March 3, 2017 16:50:25

Sorry for my terrible english...
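Both the unprivileged-container reply further up ("the effective UID the container user is running as has no rights on the host") and this dbus thread ("your container doesn't have permission to access the socket") come down to how a container's UIDs appear on the host once subuid/subgid mapping is in effect. As an added example, not code from either thread or from LXC/LXD: a POSIX sh translation of a container UID/GID through an lxc.idmap-style mapping, followed by a plain discretionary-access check against a host file with constructed ownership and mode. The mapping ranges (u 0 100000 65536, g 0 100000 65536) and the file owner, group and mode values are constructed sample data; the check ignores capabilities and ACLs, so it shows only the basic ownership picture, not every way a host socket can be protected or exposed.

```shell
#!/bin/sh
# Added example (not LXC/LXD project code): how a container's UIDs look from
# the host once subuid/subgid mapping is in effect, and what that means for a
# host-owned file or socket bind-mounted into the container.
# Constructed sample mapping in lxc.idmap format: "<u|g> <ns_start> <host_start> <range>".
IDMAP='u 0 100000 65536
g 0 100000 65536'

# map_id TYPE NS_ID: prints the host id that container id NS_ID runs as, or
# "unmapped" when no mapping line covers it (the kernel then shows the overflow
# id, which owns nothing on the host).
map_id() {
    _type=$1 _ns_id=$2
    _host=$(printf '%s\n' "$IDMAP" | while read -r t ns_start host_start range; do
        [ "$t" = "$_type" ] || continue
        if [ "$_ns_id" -ge "$ns_start" ] && [ "$_ns_id" -lt $((ns_start + range)) ]; then
            echo $((host_start + _ns_id - ns_start))
            break
        fi
    done)
    if [ -n "$_host" ]; then echo "$_host"; else echo unmapped; fi
}

# can_access UID GID OWNER GROUP MODE PERM: simplified discretionary access
# check (no capabilities, no ACLs). MODE is three octal digits such as 660,
# PERM is r, w or x. Host uid 0 always passes; everyone else is judged by the
# owner, group or other digit depending on how they relate to the file.
can_access() {
    _uid=$1 _gid=$2 _owner=$3 _group=$4 _mode=$5 _perm=$6
    if [ "$_uid" -eq 0 ]; then echo yes; return 0; fi
    if [ "$_uid" -eq "$_owner" ]; then _digit=$(printf '%s' "$_mode" | cut -c1)
    elif [ "$_gid" -eq "$_group" ]; then _digit=$(printf '%s' "$_mode" | cut -c2)
    else _digit=$(printf '%s' "$_mode" | cut -c3)
    fi
    case $_perm in r) _bit=4 ;; w) _bit=2 ;; x) _bit=1 ;; *) echo no; return 0 ;; esac
    if [ $((_digit & _bit)) -ne 0 ]; then echo yes; else echo no; fi
}

# ns_can_access NS_UID NS_GID OWNER GROUP MODE PERM: the same check for a
# process inside the container: its ids are translated first, so container
# root (0) is evaluated as host uid 100000, not as host root.
ns_can_access() {
    _huid=$(map_id u "$1"); _hgid=$(map_id g "$2")
    if [ "$_huid" = unmapped ] || [ "$_hgid" = unmapped ]; then echo no; return 0; fi
    can_access "$_huid" "$_hgid" "$3" "$4" "$5" "$6"
}

# Demonstration with a constructed host socket owned by root:root, mode 0660
# (sample values, not the real permissions of any distribution's dbus socket).
if [ "${1:-}" = demo ]; then
    echo "container root -> host uid $(map_id u 0)"
    echo "container root may write root:root 0660 socket: $(ns_can_access 0 0 0 0 660 w)"
    echo "host root may write it: $(can_access 0 0 0 0 660 w)"
fi
```

Run it with `sh script.sh demo` to see the translation. The same arithmetic explains both replies: a compromised container root is host uid 100000 with no special standing, and a host-owned socket that is not world-accessible is closed to it for exactly that reason.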

Re: [lxc-users] Use lxc https api under https balancer

2017-02-15 Thread Andrey Repin
Greetings, Geaaru!

> I want to reach lxc api from remote and a reverse proxy,
> I'm not sure that I can use certificate from remote.

If you don't know something, ask. Don't guess.

> With a reverse proxy, certificate sent to
> LXD server will be certificate of reverse proxy.

Yes, now what?
You can still use client certificates on your load balancer.
The only problem I see is that you'll only see the LB authenticate on LXD.
Generally, I would advise against such a setup and suggest an IP-level LB.


-- 
With best regards,
Andrey Repin
Wednesday, February 15, 2017 17:12:27

Sorry for my terrible english...


Re: [lxc-users] LXC, unionfs and short lived containers

2017-01-31 Thread Andrey Repin
Greetings, Frans Meulenbroeks!

> On Sun, Jan 29, 2017 at 4:04 AM, Frans Meulenbroeks <
> fransmeulenbroeks at gmail.com> wrote:
>> Hi,
>>
>> I'm working on migrating from LXC 1.x to LXC 2.
>> While doing so I bumped upon the following issue:
>>
>> My containers are short-lived (say an hour or so).
>> In LXC 1 we used an overlay filesystem in order to speed up the lxc create.
>> However I understood LXC 2 does not have this capability.
>>

> Where did you read that?

> Here: https://github.com/lxc/lxd/issues/1878 see the response of Stephane.
> Of course this reply is almost 10 months old.

You're linking an LXD issue, not LXC.


-- 
With best regards,
Andrey Repin
Tuesday, January 31, 2017 15:00:25

Sorry for my terrible english...
