Re: [lxc-users] LXD 3.0 macvlan networking

2018-05-05 Thread Janjaap Bos
To be able to ping a container macvlan interface, you need to have a
macvlan interface configured on the host.

Such as:

modprobe dummy
ip link set name dummy-mv dev dummy0
ip link set dev dummy-mv up
ip link add link dummy-mv mv-lxd type macvlan mode bridge
ip address add 192.168.4.1/24 dev mv-lxd
ip link set dev mv-lxd up

2018-05-05 5:18 GMT+02:00 Mark Constable :

> Has something changed re networking with LXD 3.0 such that when
> using a macvlan that the host CAN ping a container?
>
> According to what I previously understood, and supported by this
> comment..
>
> https://github.com/lxc/lxd/issues/3871#issuecomment-333124249
>
> and the main reason I hadn't bothered even trying out a macvlan
> is because I need access to my local hosted containers and it
> "just works" with a normal bridge. However, now when I finally
> get around to testing macvlan I find I can immediately ping a
> new macvlan based containers IP.
>
> Has something changed recently regarding this macvlan restriction?
>
> ~ apt install lxd
>
> ~ lxc profile copy default macvlan (which has no eth0 device yet)
>
> ~ ip r (to get my hosts eth0 device)
>
> ~ lxc profile device add macvlan eth0 nic nictype=macvlan parent=enp4s0f1 name=eth0
>
> ~ lxc launch images:ubuntu/bionic macvlantest -p macvlan
>
> ~ lxc list --format csv
> macvlantest,RUNNING,192.168.0.206 (eth0),"fdcc:3922:7dfd::6b7 (eth0)
> fdcc:3922:7dfd:0:216:3eff:fe11:9335 (eth0)",PERSISTENT,0
>
> ~ ping -c1 192.168.0.206
> PING 192.168.0.206 (192.168.0.206) 56(84) bytes of data.
> 64 bytes from 192.168.0.206: icmp_seq=1 ttl=64 time=1.98 ms
>
>
> OIC, from inside the macvlantest container I can't ping the host.
>
> But still, from this comment I would tend to assume I should not
> be able to ping the container from the host either...
>
> "@stgraber An even easier alternative to this would be using macvlan as it
> won't require any bridging at all, but it does come with the annoying
> caveat that the host will not be able to communicate with the containers."
>
> Would anyone care to clarify this macvlan limitation please?
>
> ___
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] Newer upstream releases - Stable for production?

2017-04-06 Thread Janjaap Bos
I can confirm that we for sure also depend on the stable 2.0 in xenial.

It actually is very easy to install a more recent version nested in 2.0 for
specific use cases.

2017-04-05 23:53 GMT+02:00 Stéphane Graber :

> Yes, it would be.
>
> I also disagree that it's what most people would want.
>
> The majority of the feedback we've been getting from production users so
> far is that they're very happy having an extremely stable version of LXD
> that they don't need to think about and that gets frequent bugfixes and
> security fixes.
>
> For everyone else, you just need to run:
>
> apt install -t xenial-backports lxd lxd-client
>
> On Wed, Apr 05, 2017 at 11:45:32PM +0200, Jakob Gillich wrote:
> > Would it be against distribution policy to upgrade the lxd package in
> > xenial? I feel like most users do not want 2.0, but that's what they get
> > by default.
> >
> > On Wed, Apr 5, 2017 at 1:49 AM, Stéphane Graber wrote:
> > > Hi,
> > >
> > > So it really depends on how tolerant you may be to accidental downtime
> > > and need to occasionally adapt scripts as new features are added.
> > >
> > > LXD 2.0.x only gets bugfixes and security updates and so an upgrade
> > > will never break anything that uses the LXD commands or the API.
> > >
> > >
> > > For the newer feature releases, we don't break the REST API, only add
> > > bits to it, but occasionally those bits mean that some extra
> > > configuration steps may be needed, as was the case with the network API
> > > in 2.3 or the storage API in 2.9.
> > >
> > > Upgrading to such releases will automatically attempt to migrate your
> > > setup so that it keeps working and doesn't suffer any downtime. But
> > > it's certainly not completely bug free and we do occasionally hit issues
> > > there.
> > >
> > >
> > > If you do want the new features, I'd recommend that you at least stay
> > > on Ubuntu 16.04 LTS, then do this:
> > >
> > > apt install -t xenial-backports lxd lxd-client
> > >
> > > This will install lxd and lxd-client from "xenial-backports" which is a
> > > special pocket of the main Ubuntu archive. This is far preferable to
> > > using the LXD PPA.
> > >
> > > The LXD stable PPA is automatically generated whenever a new upstream
> > > release has hit the current Ubuntu development release and has passed
> > > automatic testing, which is to say that when an update hits, it would
> > > have seen very little field testing.
> > >
> > > xenial-backports is different in that the packages in there are the
> > > same as the PPA, but I only push them through once I feel confident there
> > > aren't any upgrade issues that we should address.
> > >
> > >
> > > One recent example of that was the storage API. PPA users would have
> > > gotten LXD 2.9, 2.9.1, 2.9.2, 2.10, 2.10.1 and 2.11 in quick succession
> > > as we were sorting out some upgrade issues with the storage API.
> > >
> > > Users of xenial-backports were on LXD 2.8 up until yesterday when I
> > > pushed LXD 2.12 to it as we are now feeling confident that all upgrade
> > > issues that were reported have been satisfyingly resolved.
> > >
> > >
> > > One last note. LXD doesn't support downgrading its database, that means
> > > that if you upgrade from 2.0.x to some 2.x release, there is no going
> > > back. You can't downgrade back to 2.0.x afterwards. You can move LXD
> > > containers from a new release to a server running an older release as
> > > a way to do a two stage downgrade, but you may need to alter their
> > > configurations a bit for this to succeed (remove any option key that
> > > came from a newer release).
> > >
> > > Stéphane
> > >
> > > On Tue, Apr 04, 2017 at 02:55:32PM +0200, Gabriel Marais wrote:
> > > >  Hi Guys
> > > >
> > > >  I would like to take advantage in some of the new(er) features
> > > >  available in releases higher than 2.0.x
> > > >
> > > >  Would it be advisable to upgrade to 2.12 to be used in a production
> > > >  environment?
> > > >
> > > >  Regards
> > > >
> > > >  Gabriel Marais
> > >
> > > --
> > > Stéphane Graber
> > > Ubuntu developer
> > > http://www.ubuntu.com

[lxc-users] Security risk of sharing /dev/net/tun and /dev/kvm in unprivileged containers

2017-01-26 Thread Janjaap Bos
What are the security risks of enabling access to /dev/kvm and /dev/net/tun
to an LXD unprivileged container?
E.g. bind mount / add device to container config.

Would this significantly expose the host or other containers to increased
risk?

Could you offer access to untrusted users?

Does anyone have a pointer to more info about this?

Thanks!

-Janjaap

Re: [lxc-users] Feature request: raw lxc utilities output format and operations with multiple containers?

2016-11-10 Thread Janjaap Bos
Perhaps you can even turn that into a bash alias.

On 10 Nov 2016 18:33, "Ingo Baab" <i...@baab.de> wrote:

Andriy, (meanwhile) you can help yourself with (doing that sequentially)..

for container in $(lxc list mysql-rep --format=json | jq -r '.[].name'); do lxc exec "$container" -- apt update; done

-Ingo


On 10.11.2016 at 15:36, Andriy Tovstik wrote:

Thanks, Stéphane, I'm very inattentive... Now it looks better. An additional
output format seems to be more comfortable than additional tools. But
insignificantly so.

And what do you think about the second question about the ability to run
commands on multiple containers simultaneously using regexps as container
name? Does this feature look useful?


Thu, 10 Nov 2016 at 15:25, Stéphane Graber <stgra...@ubuntu.com>:

> stgraber@castiana:~$ lxc list --format=json | jq .[].name
> "android"
> "lxd"
> "snapcraft"
> "test"
> "ubuntu-core"
> "ubuntu-zesty"
> "xen"
> "yak"
>
> On Thu, Nov 10, 2016 at 12:31:01PM +, Andriy Tovstik wrote:
> > Hi, Janjaap Bos!
> >
> > I tried jq. But as I have already written, some useful fields like
> > container name are missing in json output...
> >
> > Thu, 10 Nov 2016 at 14:27, Janjaap Bos <janjaap...@gmail.com>:
> >
> > > You can pipe the json through jq.
> > >
> > > See: https://stedolan.github.io/jq/tutorial
> > >
> > >
> > > 2016-11-10 11:17 GMT+01:00 Andriy Tovstik <andriy.tovs...@gmail.com>:
> > >
> > > Hi all!
> > >
> > > During LXD learning I encountered a lack of some features.
> > >
> > > The first one is "raw" output format of lxc list. Currently lxc list
> > > supports two formats: table and json. Unfortunately both formats are
> > > unusable for scripting.
> > > It is very difficult to pass to a script output like:
> > > # lxc list --format table -c n
> > > +------------+
> > > |    NAME    |
> > > +------------+
> > > | mysql-rep1 |
> > > +------------+
> > > | mysql-rep2 |
> > > +------------+
> > > | mysql-rep3 |
> > > +------------+
> > >
> > > When I try to use json format I see that useful fields like container
> > > name are missing in output. Maybe it will be useful to implement a
> > > feature like:
> > >
> > > # lxc list --format raw -c n --no-header
> > > mysql-rep1
> > > mysql-rep2
> > > mysql-rep3
> > >
> > > The second feature that looks useful is the ability to run commands on
> > > multiple containers simultaneously. For example:
> > >
> > > # lxc exec web-node* -- apt update
> > >
> > > What do you think about it?
> > > --
> > > WBR, Andriy Tovstik
> > >
> >
> > --
> > WBR, Andriy Tovstik
>
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com

-- 
WBR, Andriy Tovstik



Re: [lxc-users] Feature request: raw lxc utilities output format and operations with multiple containers?

2016-11-10 Thread Janjaap Bos
You can pipe the json through jq.

See: https://stedolan.github.io/jq/tutorial


2016-11-10 11:17 GMT+01:00 Andriy Tovstik :

> Hi all!
>
> During LXD learning I encountered a lack of some features.
>
> The first one is "raw" output format of lxc list. Currently lxc list
> supports two formats: table and json. Unfortunately both formats are
> unusable for scripting.
> It is very difficult to pass to a script output like:
> # lxc list --format table -c n
> +------------+
> |    NAME    |
> +------------+
> | mysql-rep1 |
> +------------+
> | mysql-rep2 |
> +------------+
> | mysql-rep3 |
> +------------+
>
> When I try to use json format I see that useful fields like container name
> are missing in output. Maybe it will be useful to implement a feature like:
>
> # lxc list --format raw -c n --no-header
> mysql-rep1
> mysql-rep2
> mysql-rep3
>
> The second feature that looks useful is the ability to run commands on
> multiple containers simultaneously. For example:
>
> # lxc exec web-node* -- apt update
>
> What do you think about it?
> --
> WBR, Andriy Tovstik
>

Re: [lxc-users] Networking issue

2016-11-08 Thread Janjaap Bos
Downgrade the kernel to verify your guess, as the other feedback you got
also points to the kernel. If that solves it, go file a kernel bug.

2016-11-09 7:33 GMT+01:00 Saint Michael :

> It was working fine until a week ago.
> I have two sites, it happened on both, so the issue is not on my router or
> my switch, since they are different sites and we did not upgrade anything.
> Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
> LXC installed from apt-get install lxc1
> iptables off in both hosts and containers. I protect my network at the
> perimeter.
>
> All my container networking is defined
>
> lxc.network.type=macvlan
> lxc.network.macvlan.mode=bridge
> lxc.network.link=eth1
> lxc.network.name = eth0
> lxc.network.flags=up
> lxc.network.hwaddr = XX:XX:XX:XX:XX:XX
> lxc.network.ipv4 = 0.0.0.0/24
>
> Now suppose I have a machine, not a container, in the same broadcast
> domain as the containers, same subnet.
> It cannot ping or ssh into a container, which is accessible from outside
> my network.
> However, from inside the container the packets come and go perfectly, when
> the connection is originated by the container.
> A container can ping that host I mentioned, but the host cannot ping back
> the container.
> It all started a few days ago.
> Also, from the host, this test works
> arping -I eth0 (container IP address)
> it shows that we share the same broadcast domain.
>
> My guess is that the most recent kernel update in the LXC host, is
> blocking the communication to the containers, but it allows connections
> from the containers or connections from IP addresses not on the same
> broadcast domain.
> Any idea?
>

Re: [lxc-users] How to open a ticket with LXC

2016-11-07 Thread Janjaap Bos
If you have a Canonical support contract you should probably go through its
regular support channel, instead of this mailing list or GitHub.

On 8 Nov 2016 06:03, "Saint Michael" wrote:

> Stéphane Graber closed my report without investigating the evidence. He
> says it is a firewall or a Kernel bug. If this is a Kernel bug, he needs to
> act, because I don't upgrade the Kernels, Ubuntu does it. And there is no
> firewall in my LXC host.
> I am complaining tomorrow to Canonical.
>
> On Mon, Nov 7, 2016 at 1:49 PM, Saint Michael  wrote:
>
>> I already opened a ticket
>> https://github.com/lxc/lxc/issues/1284
>>
>> On Mon, Nov 7, 2016 at 1:43 PM, Saint Michael  wrote:
>>
>>> The issue is very simple, and it started a few days ago, after an update.
>>> You cannot communicate from the same network to a container, but from
>>> the container you can initiate any connection just fine.
>>> Also from outside my network I can ssh into a container and ping. From
>>> the same network I cannot even ping a container.
>>>
>>>
>>>
>>> On Mon, Nov 7, 2016 at 1:29 PM, Judd Meinders <
>>> judd.meind...@rockwellcollins.com> wrote:
>>>
>>>> On Mon, Nov 7, 2016 at 12:10 PM, Saint Michael wrote:
>>>> >
>>>> > Does anybody know how to open a bug with LXC?
>>>> > I cannot figure it out. Ubuntu does point me to another site, but I
>>>> > cannot see how to open a new ticket.
>>>>
>>>> https://github.com/lxc/lxc/issues
>>>>
>>>> If you can, include steps to reproduce the issue, software versions,
>>>> configs, workarounds, etc.  A well formed and organized issue will get
>>>> more attention.
>>>>
>>>> --
>>>> Judd Meinders
>>>
>>>
>>>
>>
>

Re: [lxc-users] tun device in unprivileged Debian Stretch lxc Container

2016-09-28 Thread Janjaap Bos
You need to map the device (lxc config), no need to do mknod in container.

2016-09-23 2:14 GMT+02:00 Paul Dino Jones :

> Hi all,
>
> I could have sworn in the past I was able to make an unprivileged
> container use openvpn, but yesterday, i started an unprivileged
> container and was not able to use openvpn because I did not have a
> /dev/net/tun. I was able to get it started in a normal privileged
> container after performing a mknod. Which makes sense because an
> unprivileged user isn't going to be able to create that tun device.
>
> I'm just wondering if there is something I'm missing since I think it
> used to work.
>
> Regards,
> Paul
>

Re: [lxc-users] lxd in Debian

2016-08-23 Thread Janjaap Bos
Perhaps for other distros you can take advantage of the LXD snap package
provided by Stéphane.

First install snapd:

https://www.maketecheasier.com/run-ubuntu-snap-packages-other-distros/

Then install LXD:

sudo snappy install lxd.stgraber


P.S. I have not tried this, but I expect it will work.

2016-08-23 9:20 GMT+02:00 Fajar A. Nugraha :

> From my experience creating lxd rpm for centos6, the hardest part is
> to provide build requirements.
>
> Lxd uses golang, which probably makes it easier for the devs to
> maintain, but also requires a bunch of go dependencies. Like
> http://packages.ubuntu.com/golang-github-dustinkirkland-golang-petname-dev
>
> AFAIK the "normal" way is to get the build dependencies included in
> debian as well, but it'll be a lot of work (if at all possible).
> An "easier" way would be to include the dependencies as part of lxd
> build process. Not sure how much work it would take.
>
> In the mean time, if you need lxd in debian, my best advice is to try
> porting ubuntu's packages (including the build requirement), and build
> your own, adjusting as necessary.
>
> --
> Fajar
>
> On Tue, Aug 23, 2016 at 1:58 PM, Pierre Couderc wrote:
> >
> > Mmm, I think that as lxd is sponsored by Ubuntu, nobody works on it
> > available on debian, and you should not get an answer...
> >
> >
> > And I have had success installing unprivileged lxc containers on Jessie,
> > but it was not easy...
> >
> >
> > PC
> >
> >
> >
> > On 08/09/2016 03:27 AM, Paul Dino Jones wrote:
> >>
> >> So, I see lxc 2.0 has made its way into Stretch and Jessie backports,
> >> but I don't see any activity on lxd. Is this going to happen in time for
> >> the Stretch freeze?
> >>
> >>
> >> Best, Paul

Re: [lxc-users] Unprivileged container woes: unable to install packages

2016-08-21 Thread Janjaap Bos
If installing the package in unprivileged mode was the problem, could you
then run the image unprivileged after installing the package in privileged
mode?

On 21 Aug 2016 19:11, "jjs - mainphrame" wrote:

> Running postfix in and of itself did not appear to be problematic, but the
> maia mailguard antispam system as a whole includes postfix, clamd,
> spamassassin, maiad, httpd, perl and mysql, not all of which were happy
> running unprivileged. The factor that pushed me to a privileged container
> was the inability to install a package which set capabilities.
> Unfortunately I had a lot to do, and wasn't able to devote a lot of time to
> the issue; the easy answer was to go to a privileged container.
>
> Jake
>
>
>
>
>
> On Sun, Aug 21, 2016 at 12:59 AM, Ingo Baab  wrote:
>
>> What were the issues, running a Mailserver as an unprivileged LXC?
>> I do the same.. and it seems to work without problems.. I just made the
>> Mailports forward to the LXC with iptables..
>>
>> Just curiously,
>> -Ingo
>>
>> On 20.08.2016 at 20:52, jjs - mainphrame wrote:
>>
>> Greetings,
>>
>> I've given up on the unprivileged container for now. I've created a new
>> container with the same role, and the same configuration except that it is
>> privileged. The privileged version of this container is working more or
>> less as expected.
>>
>> This container isn't doing anything I'd have considered exotic - it's
>> running postfix, clamd, and maiad (a modern derivative of amavisd-new).
>>
>> This is a data point which may prove useful to those who may read this at
>> some point down the road.
>>
>> Jake
>>
>> On Thu, Aug 18, 2016 at 10:42 AM, jjs - mainphrame 
>> wrote:
>>
>>> Greetings,
>>>
>>> I had decided to build an lxd version of an lxc server which had been
>>> running reliably for some time. Unfortunately, it doesn't seem to be
>>> running quite as smoothly. Is some sort of special permissions hacking
>>> required?
>>>
>>> Here is one example of a problem in the new lxd container, which was
>>> never seen in the lxc container, namely attempting to install a package:
>>>
>>> Please pardon me if this is a FAQ as I've been primarily working with
>>> openvz of late - point me to TFM if there is a TFM which would enlighten me
>>> on this subject.
>>>
>>>
>>> Dependencies Resolved
>>>
>>> ==
>>>  Package   Arch   Version   Repository   Size
>>> ==
>>> Installing:
>>>  httpd x86_64 2.4.6-40.el7.centos.4 updates 2.7 M
>>>
>>> Transaction Summary
>>> ==
>>> Install  1 Package
>>>
>>> Total download size: 2.7 M
>>> Installed size: 9.4 M
>>> Is this ok [y/d/N]: y
>>> Downloading packages:
>>> httpd-2.4.6-40.el7.centos.4.x86_64.rpm | 2.7 MB  00:00:00
>>> Running transaction check
>>> Running transaction test
>>> Transaction test succeeded
>>> Running transaction
>>>   Installing : httpd-2.4.6-40.el7.centos.4.x86_64   1/1
>>> Error unpacking rpm package httpd-2.4.6-40.el7.centos.4.x86_64
>>> error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
>>>   Verifying  : httpd-2.4.6-40.el7.centos.4.x86_64   1/1
>>>
>>> Failed:
>>>   httpd.x86_64 0:2.4.6-40.el7.centos.4
>>>
>>> Jake
>>>
>>
>>
>>

Re: [lxc-users] ZeroTier Docker IPv6 6plane for LXD

2016-07-29 Thread Janjaap Bos
Thank you for the feedback!

I manually changed LXD_IPV6_ARG in /usr/lib/lxd/lxd-bridge to

LXD_IPV6_ARG="--enable-ra --dhcp-range=::1, ::e825:,
constructor:lxdbr0, ra-names, 12h --listen-address ${LXD_IPV6_ADDR}"

However, dnsmasq requires a minimal prefix of /64:
dnsmasq: bad command line options: prefix length must be at least 64

This requirement is also documented in its man page.

So I think the easiest would be to manually set the ip in the container.

Is it possible to provide the contents
of /etc/network/interfaces.d/50-cloud-init.cfg through lxd as a config
option or parameter per container?

Regards.

-Janjaap


2016-07-28 22:44 GMT+02:00 Stéphane Graber <stgra...@ubuntu.com>:

> On Thu, Jul 28, 2016 at 05:17:13PM +0200, Janjaap Bos wrote:
> > Hi,
> >
> > I am trying to configure 6plane mode for LXD.
> >
> > For background on 6plane see:
> > https://www.zerotier.com/community/topic/67/zerotier-6plane-ipv6-addressing
> >
> > I am able to configure a /80 network for the LXD, and also the manual
> > configuration at the containers to assign an IPv6 number from that subnet
> > and set the route.
> >
> > However, I am not able to configure LXD to provide DHCPv6 service to the
> > container in this subnet.
> >
> > I would much appreciate guidance on how to configure LXD to provide auto
> > assigned IPv6 addresses from its subnet to the containers.
> >
> >
> > My settings for IPv6 in /etc/default/lxd-bridge:
> >
> > ## IPv6 address (e.g. 2001:470:b368:4242::1)
> > LXD_IPV6_ADDR="fca0:4ab7:4617:1cf5:3ad6::1"
> >
> > ## IPv6 CIDR mask (e.g. 64)
> > LXD_IPV6_MASK="80"
> >
> > ## IPv6 network (e.g. 2001:470:b368:4242::/64)
> > LXD_IPV6_NETWORK="fca0:4ab7:4617:1cf5:3ad6::1/80"
> >
> > ## NAT IPv6 traffic
> > LXD_IPV6_NAT="false"
> >
> > # Run a minimal HTTP PROXY server
> > LXD_IPV6_PROXY="false"
> >
> >
> > Regards,
> >
> > -Janjaap
>
> Currently our dnsmasq setup only does SLAAC (stateless address
> auto-configuration). That means, it announces the prefix using multicast
> or on request and the kernel then computes an IPv6 address from the
> container based from that.
>
> That computation is done using EUI64 which generates a unique IPv6
> address from the MAC address, using a 64-bit network prefix.
>
> Since your network is a /80 which is smaller than a /64, it's simply not
> possible for EUI64 to work which is why your containers aren't getting
> an IP address.
>
>
> I suspect you may have to reconfigure dnsmasq by hand to do full
> stateful DHCPv6 and then will have to configure your containers to
> actually do DHCPv6 as none of the images we provide do so (they all do
> SLAAC fine though).
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
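
The EUI-64 computation described in the quoted reply above, as an added example (not code from the thread or from LXD): it derives the SLAAC interface identifier from a MAC address and shows why the /80 from this thread cannot be autoconfigured. The /64 prefix and the MAC address are constructed sample values; the /80 is the LXD_IPV6_NETWORK value quoted in the thread.

```python
import ipaddress

IID_BITS = 64  # SLAAC on Ethernet uses a 64-bit interface identifier


def eui64_interface_id(mac: str) -> int:
    """Return the modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the two halves of the MAC (RFC 4291, Appendix A).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised prefix with the EUI-64 identifier of `mac`.

    Raises ValueError when prefix length + 64 != 128. A host that receives
    such a prefix in a router advertisement ignores it for autoconfiguration
    (RFC 4862, section 5.5.3), so the container ends up without an address.
    """
    # strict=False: the thread's LXD_IPV6_NETWORK value has host bits set.
    net = ipaddress.IPv6Network(prefix, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    if host_bits != IID_BITS:
        raise ValueError(
            f"{net} leaves {host_bits} host bits; EUI-64 needs exactly {IID_BITS}"
        )
    return net.network_address + eui64_interface_id(mac)


if __name__ == "__main__":
    mac = "00:16:3e:33:3c:c2"  # constructed sample MAC
    prefixes = (
        "2001:db8:0:1::/64",               # constructed documentation prefix
        "fca0:4ab7:4617:1cf5:3ad6::1/80",  # the /80 from the thread
    )
    for prefix in prefixes:
        try:
            print(prefix, "->", slaac_address(prefix, mac))
        except ValueError as err:
            print(prefix, "-> no SLAAC address:", err)
```

A /80 leaves only 48 host bits, so the 64-bit identifier does not fit; this is the same limit dnsmasq enforces with "prefix length must be at least 64".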

[lxc-users] ZeroTier Docker IPv6 6plane for LXD

2016-07-28 Thread Janjaap Bos
Hi,

I am trying to configure 6plane mode for LXD.

For background on 6plane see:
https://www.zerotier.com/community/topic/67/zerotier-6plane-ipv6-addressing

I am able to configure a /80 network for the LXD, and also the manual
configuration at the containers to assign an IPv6 number from that subnet
and set the route.

However, I am not able to configure LXD to provide DHCPv6 service to the
container in this subnet.

I would much appreciate guidance on how to configure LXD to provide auto
assigned IPv6 addresses from its subnet to the containers.


My settings for IPv6 in /etc/default/lxd-bridge:

## IPv6 address (e.g. 2001:470:b368:4242::1)
LXD_IPV6_ADDR="fca0:4ab7:4617:1cf5:3ad6::1"

## IPv6 CIDR mask (e.g. 64)
LXD_IPV6_MASK="80"

## IPv6 network (e.g. 2001:470:b368:4242::/64)
LXD_IPV6_NETWORK="fca0:4ab7:4617:1cf5:3ad6::1/80"

## NAT IPv6 traffic
LXD_IPV6_NAT="false"

# Run a minimal HTTP PROXY server
LXD_IPV6_PROXY="false"


Regards,

-Janjaap

Re: [lxc-users] Where can i find the causes of restart problems

2015-06-20 Thread Janjaap Bos
/var/log/lxc

2015-06-20 13:56 GMT+02:00 Thouraya TH thouray...@gmail.com:

 Hello all,

 Please, i try to run my container but it is blocked.


 lxc-start -n worker1


 Where can i find the causes of restart problems ? (logs?)


 Thanks a lot.
 Best Regards.


[lxc-users] sticky ethernet device order in container

2015-06-01 Thread Janjaap Bos
When using multiple nics in the container, the order sometimes changes
after a restart.
So eth0 becomes eth1, vice versa.

When using LXD, how is this order determined?
There is no entry for eth0 in the config, since that is a standard lxc
network device.
Only the additional network device is added in the container config:
e.g.

name: c1
profiles:
- default
config:
  raw.lxc: |
    lxc.mount.entry = /var/lib/lxd/lxc/c1/devices/net/tun dev/net/tun none bind,create=file 0 0
    lxc.mount.entry = /var/lib/lxd/lxc/c1devices/kvm dev/kvm none bind,create=file 0 0
    lxc.mount.entry = /var/lib/lxd/lxc/c1/devices/fuse dev/fuse none bind,create=file 0 0
  volatile.baseImage: a4066a730e6b3d8021dcc7d0c59f2c37624ffdb60d10f1e09c336e4e1631915c
  volatile.eth0.hwaddr: 00:16:3e:33:3c:c2
  volatile.br0.hwaddr: 00:16:3e:5b:4f:19
devices:
  br0:
    parent: br0
    type: nic
ephemeral: false


Both nics have a volatile entry (done by lxc or lxd ?)

Sometimes after a restart the nics have switched order in the container.
This of course messes up the network config in the container.

How can I make the eth0 and eth1 order stick?

Thanks for your help!

-Janjaap

Re: [lxc-users] What is the best way to report bug issues with LXD rest server?

2015-05-23 Thread Janjaap Bos
Try removing the trailing / from the url.

2015-05-23 22:17 GMT+02:00 Kevin LaTona li...@studiosola.com:


  add local sends back an error

 root@kev:/home/kev# lxc remote add local 192.168.0.50:8443

 error: remote local exists as unix:///var/lib/lxd/unix.socket




 running just wget ( I've not used wget before )  so I am not sure how or
 if it's possible to send in the host name now or ??




 root@kev:~/.config/lxc# wget --no-check-certificate https://192.168.0.50:8443/1.0/ --certificate=client.crt --private-key=client.key -O - -v

 --2015-05-23 13:12:13--  https://192.168.0.50:8443/1.0/

 Connecting to 192.168.0.50:8443... connected.
 WARNING: cannot verify 192.168.0.50's certificate, issued by ‘O=
 linuxcontainer.org’:
   Unable to locally verify the issuer's authority.
 WARNING: certificate common name ‘’ doesn't match requested host name
 ‘192.168.0.50’.
 HTTP request sent, awaiting response... 404 Not Found
 2015-05-23 13:12:13 ERROR 404: Not Found.



 Sounds like LXD server is working for you….. but still no idea why it's
 not for me yet.


 -Kevin




 On May 23, 2015, at 12:26 PM, Janjaap Bos janjaap...@gmail.com wrote:

 Remove the /finger from the url given in the example, as that is no longer
 a published service.

 This is from OSX, using wget.

 wget --no-check-certificate https://myhost:8443/1.0 --certificate=client.crt --private-key=client.key -O - -q


 {"type":"sync","status":"Success","status_code":200,"metadata":{"api_compat":1,"auth":"trusted","config":{"trust-password":true},"environment":{"backing_fs":"ext4","driver":"lxc","kernel_version":"3.16.0-37-generic","lxc_version":"1.1.0","lxd_version":"0.9"}}}


 2015-05-23 21:16 GMT+02:00 Janjaap Bos janjaap...@gmail.com:

 Before trying at OSX, make sure it works on your LXD host.

 Follow the steps for hacking on:

 https://github.com/lxc/lxd

 It works for me.
 Hacking

 Sometimes it is useful to view the raw response that LXD sends; you can
 do this by:

 lxc config set password foo
 lxc remote add local 127.0.0.1:8443
 wget --no-check-certificate https://127.0.0.1:8443/1.0/finger \
   --certificate=$HOME/.config/lxc/client.crt \
   --private-key=$HOME/.config/lxc/client.key -O - -q



 2015-05-23 21:13 GMT+02:00 Kevin LaTona li...@studiosola.com:



 I noticed I did not run the lxc config trust add client.crt call as
 suggested earlier.

 So I

 cd
 /root/.config/lxc

 lxc config trust add client.crt


 then

 lxc config trust list

 and got to finger prints back



 Next ran


 curl -v -k https://192.168.0.50:8443/1.0/images

 * Hostname was NOT found in DNS cache
 *   Trying 192.168.0.50...
 * Connected to 192.168.0.50 (192.168.0.50) port 8443 (#0)
 * successfully set certificate verify locations:
 *   CAfile: none
   CApath: /etc/ssl/certs
 * SSLv3, TLS handshake, Client hello (1):
 * SSLv3, TLS handshake, Server hello (2):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Server key exchange (12):
 * SSLv3, TLS handshake, Request CERT (13):
 * SSLv3, TLS handshake, Server finished (14):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Client key exchange (16):
 * SSLv3, TLS change cipher, Client hello (1):
 * SSLv3, TLS handshake, Finished (20):
 * SSLv3, TLS alert, Server hello (2):
 * error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
 * Closing connection 0
 curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
 certificate


 root@c5:~#




 Unless I am missing another config step here.

 Sure looks like the LXD image server is sending out bad certs into the
 wild.


 -Kevin
 ___
 lxc-users mailing list
 lxc-users@lists.linuxcontainers.org
 http://lists.linuxcontainers.org/listinfo/lxc-users




Re: [lxc-users] What is the best way to report bug issues with LXD rest server?

2015-05-23 Thread Janjaap Bos
Yes, you are a step further now that TLS is spoken. However, I would
suggest to first get your test working locally on the lxd server, since my
homebrew OSX curl has further restrictions. You can only use certificates
that are in the keychain:
* WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure Transport. The private
key must be in the Keychain.
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.

When trying your example on my lxd server, I do the following steps (as
root user).

# cd /root/.config/lxc
# ls
client.crt  client.key  config.yml  servercerts

Now, if you don't have these files, you can get them by doing the following:
# lxc remote add lxc-org images.linuxcontainers.org

This should also initialise the local client certificate if it does not
exist.

Then:
# lxc config trust add client.crt
# lxc config trust list
This should list the fingerprint.

And it should work:
# curl --key client.key --cert client.crt -v -k \
    https://localhost:8443/1.0/images

(do not use the -s option as it will suppress the output)


2015-05-23 7:53 GMT+02:00 Kevin LaTona li...@studiosola.com:


 On May 22, 2015, at 10:33 PM, Kevin LaTona li...@studiosola.com wrote:

 Ok, but you are testing with a curl that does not support TLS. That is why
 you cannot connect to that particular LXD instance. Depending on the OS and
 distribution, other LXD instances may still support SSL.





 I did a quick upgrade of curl to 7.42.1

 Now when I try it

 /usr/local/Cellar/curl/7.42.1/bin/curl -s --cert server.crt --key \
   server.key -k https://192.168.0.50:8443/1.0/images

 I know I don't want to mess with Apple's install of Curl for now.


 I get  curl: (35) SSL peer handshake failed, the server most likely
 requires a client certificate to connect

 So maybe I am getting closer and something is off with the cert I just
 made.


 Would be nice to know what version of LXD is running at
 linuxcontainers.org

 It sure might help saving lots of time chasing after another avenue that
 in the end may or may not solve problem.

 -Kevin


Re: [lxc-users] lxc-ls -f problem

2015-05-23 Thread Janjaap Bos
Sorry, I replied on the wrong thread...

2015-05-23 21:13 GMT+02:00 Janjaap Bos janjaap...@gmail.com:

 Use wget instead of curl on OSX. That works for me.

 wget --no-check-certificate https://myhost:8443/1.0 \
   --certificate=client.crt --private-key=client.key -O - -q

 {"type":"sync","status":"Success","status_code":200,"metadata":{"api_compat":1,"auth":"trusted","config":{"trust-password":true},"environment":{"backing_fs":"ext4","driver":"lxc","kernel_version":"3.16.0-37-generic","lxc_version":"1.1.0","lxd_version":"0.9"}}}


 2015-05-23 20:46 GMT+02:00 david.an...@bli.uzh.ch:

 Hi

 I have the exact same problem after yesterday's update.

 And I suspect it is bug
 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1413927 or at
 least closely related.

 root@andel2:~# cat /proc/self/cgroup
 10:devices:/system.slice/ssh.service
 9:perf_event:/system.slice/ssh.service
 8:cpuset:/system.slice/ssh.service
 7:cpu,cpuacct:/system.slice/ssh.service
 6:memory:/system.slice/ssh.service
 5:freezer:/system.slice/ssh.service
 4:net_cls,net_prio:/system.slice/ssh.service
 3:hugetlb:/system.slice/ssh.service
 2:blkio:/system.slice/ssh.service
 1:name=systemd:/system.slice/ssh.service

 root@andel2:~# service cgmanager status
 ● cgmanager.service - Cgroup management daemon
Loaded: loaded (/lib/systemd/system/cgmanager.service; disabled;
 vendor preset: enabled)
Active: active (running) since Sat 2015-05-23 15:48:07 CEST; 30min ago
  Main PID: 2994 (cgmanager)
Memory: 296.0K
CGroup: /system.slice/cgmanager.service
‣ 2994 /sbin/cgmanager -m name=systemd

 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path
 /run/cgmanager/fs/hugetlb/system.slice/ssh.service/lxc/s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main:
 Invalid path /run/cgmanager/fs/hugetlb/system.slice/ssh.servi...s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path
 /run/cgmanager/fs/memory/system.slice/ssh.service/lxc/s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main:
 Invalid path /run/cgmanager/fs/memory/system.slice/ssh.servic...s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path
 /run/cgmanager/fs/net_cls/system.slice/ssh.service/lxc/s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main:
 Invalid path /run/cgmanager/fs/net_cls/system.slice/ssh.servi...s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path
 /run/cgmanager/fs/perf_event/system.slice/ssh.service/lxc/s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main:
 Invalid path /run/cgmanager/fs/perf_event/system.slice/ssh.se...s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path
 /run/cgmanager/fs/none,name=systemd/system.slice/ssh.service/lxc/s0_nginx
 May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main:
 Invalid path /run/cgmanager/fs/none,name=systemd/system.slice...s0_nginx
 Hint: Some lines were ellipsized, use -l to show in full.

 The unprivileged containers could be stopped but trying to stop a running
 privileged container hangs and blocked the host completely.
 Even a reboot is not possible, the host answers only to ping requests,
 ssh returns with Write failed: Broken pipe.
 And since the machine is geographically distant (and it's weekend as
 usual when such stuff happens) I cannot provide the results generated
 from the commands below.

 But probably I am going to run into the same error on other machines and
 will provide the results.

 David


 -lxc-users lxc-users-boun...@lists.linuxcontainers.org wrote:
 -
 To: LXC users mailing-list lxc-users@lists.linuxcontainers.org
 From: Serge Hallyn
 Sent by: lxc-users
 Date: 05/22/2015 17:44
 Subject: Re: [lxc-users] lxc-ls -f problem

 Quoting Dave Birch (dave.bi...@gmail.com):
  Dave Birch dave.birch@... writes:
 
  Further update - just discovered that lxc-start now hangs for all
  containers, even newly created ones using only the standard download
  template on lxc-create.
 
  I'm pretty much dead in the water until I can work out how to resolve
  this.

 Can you attach the results of

 sudo strace -f -ostrace.out -- lxc-ls -f
 sudo strace -f -ostrace-start.out -- lxc-start -n container
 sudo lxc-start -n container -l trace -o debug.out

 and show your exact steps, if you can remember them or have them in
 history, when you were originally creating these containers?

Re: [lxc-users] What is the best way to report bug issues with LXD rest server?

2015-05-23 Thread Janjaap Bos
Before trying at OSX, make sure it works on your LXD host.

Follow the steps for hacking on:

https://github.com/lxc/lxd

It works for me.
Hacking

Sometimes it is useful to view the raw response that LXD sends; you can do
this by:

lxc config set password foo
lxc remote add local 127.0.0.1:8443
wget --no-check-certificate https://127.0.0.1:8443/1.0/finger \
  --certificate=$HOME/.config/lxc/client.crt \
  --private-key=$HOME/.config/lxc/client.key -O - -q



2015-05-23 21:13 GMT+02:00 Kevin LaTona li...@studiosola.com:



 I noticed I did not run the lxc config trust add client.crt call as
 suggested earlier.

 So I

 cd
 /root/.config/lxc

 lxc config trust add client.crt


 then

 lxc config trust list

 and got to finger prints back



 Next ran


 curl -v -k https://192.168.0.50:8443/1.0/images

 * Hostname was NOT found in DNS cache
 *   Trying 192.168.0.50...
 * Connected to 192.168.0.50 (192.168.0.50) port 8443 (#0)
 * successfully set certificate verify locations:
 *   CAfile: none
   CApath: /etc/ssl/certs
 * SSLv3, TLS handshake, Client hello (1):
 * SSLv3, TLS handshake, Server hello (2):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Server key exchange (12):
 * SSLv3, TLS handshake, Request CERT (13):
 * SSLv3, TLS handshake, Server finished (14):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Client key exchange (16):
 * SSLv3, TLS change cipher, Client hello (1):
 * SSLv3, TLS handshake, Finished (20):
 * SSLv3, TLS alert, Server hello (2):
 * error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
 * Closing connection 0
 curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
 certificate


 root@c5:~#




 Unless I am missing another config step here.

 Sure looks like the LXD image server is sending out bad certs into the
 wild.


 -Kevin

Re: [lxc-users] What is the best way to report bug issues with LXD rest server?

2015-05-23 Thread Janjaap Bos
Remove the /finger from the url given in the example, as that is no longer
a published service.

This is from OSX, using wget.

wget --no-check-certificate https://myhost:8443/1.0 --certificate=client.crt \
  --private-key=client.key -O - -q

{"type":"sync","status":"Success","status_code":200,"metadata":{"api_compat":1,"auth":"trusted","config":{"trust-password":true},"environment":{"backing_fs":"ext4","driver":"lxc","kernel_version":"3.16.0-37-generic","lxc_version":"1.1.0","lxd_version":"0.9"}}}


2015-05-23 21:16 GMT+02:00 Janjaap Bos janjaap...@gmail.com:

 Before trying at OSX, make sure it works on your LXD host.

 Follow the steps for hacking on:

 https://github.com/lxc/lxd

 It works for me.
 Hacking

 Sometimes it is useful to view the raw response that LXD sends; you can do
 this by:

 lxc config set password foo
 lxc remote add local 127.0.0.1:8443
 wget --no-check-certificate https://127.0.0.1:8443/1.0/finger \
   --certificate=$HOME/.config/lxc/client.crt \
   --private-key=$HOME/.config/lxc/client.key -O - -q



 2015-05-23 21:13 GMT+02:00 Kevin LaTona li...@studiosola.com:



 I noticed I did not run the lxc config trust add client.crt call as
 suggested earlier.

 So I

 cd
 /root/.config/lxc

 lxc config trust add client.crt


 then

 lxc config trust list

 and got to finger prints back



 Next ran


 curl -v -k https://192.168.0.50:8443/1.0/images

 * Hostname was NOT found in DNS cache
 *   Trying 192.168.0.50...
 * Connected to 192.168.0.50 (192.168.0.50) port 8443 (#0)
 * successfully set certificate verify locations:
 *   CAfile: none
   CApath: /etc/ssl/certs
 * SSLv3, TLS handshake, Client hello (1):
 * SSLv3, TLS handshake, Server hello (2):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Server key exchange (12):
 * SSLv3, TLS handshake, Request CERT (13):
 * SSLv3, TLS handshake, Server finished (14):
 * SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Client key exchange (16):
 * SSLv3, TLS change cipher, Client hello (1):
 * SSLv3, TLS handshake, Finished (20):
 * SSLv3, TLS alert, Server hello (2):
 * error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
 * Closing connection 0
 curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
 certificate


 root@c5:~#




 Unless I am missing another config step here.

 Sure looks like the LXD image server is sending out bad certs into the
 wild.


 -Kevin

Re: [lxc-users] What is the best way to report bug issues with LXD rest server?

2015-05-22 Thread Janjaap Bos
You should upgrade your local curl, so it uses TLS and not SSL which is no
longer secure, and therefore disabled at the server. I guess the images
repo still accepts SSL.
 On 23 May 2015 02:14, Kevin LaTona li...@studiosola.com wrote:


 This past week or so I ran into an issue of not being able to connect a
 test LXD rest server on my local network.

 I've tested this problem out from pretty much every angle I can think of.

 Everything from fresh OS, server, SSL lib installs to upgrades of current
 running apps on my machines.


 Pretty much unless I am missing some small fundamental piece that is
 preventing current shipping vivid server to allow connections to the LXD
 rest server.

 My take is there is a bug.

 If this is true, what is the best way to let the LXC team know about this to
 see how to get to next step?


 To sum it up I am able to connect to a public LXD rest server.

 # from vivid container -- public LXD server (
 container to public )
 curl -k https://images.linuxcontainers.org/1.0/images
 # {status: Success, metadata: [/1.0/images/e7ae410ee8abeb6


 No matter how and from what angle I try connecting to a local test LXD
 rest server it is having connection issues.

 # vivid container 10.0.3.5 -- 192.168.0.50:8443 ( container to host
 machine )
 # this container can ping 192.168.0.50
 curl -k https://192.168.0.50:8443/1.0/images
 # curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
 certificate



 # OS X term window -- vivid server(same 192.168.x.x
 network)
 curl -k https://192.168.0.50:8443/1.0/images
 # curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
 alert protocol version



 If anyone has any ideas or suggestions please send them along.

 -Kevin



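An added example (not code from any poster in this thread or from the LXD project): a small Python check that tells apart the two handshake failures reported above, using curl's verbose trace and the command line. The function names and the abridged sample inputs are constructed for illustration; it assumes the client certificate and key are passed as separate files with --cert and --key, as in the thread.

```python
import re
import shlex

# Constructed samples: commands and curl/OpenSSL output abridged from this thread.
NO_CERT_CMD = "curl -v -k https://192.168.0.50:8443/1.0/images"
WITH_CERT_CMD = ("curl --key client.key --cert client.crt -v -k "
                 "https://localhost:8443/1.0/images")
BAD_CERT_TRACE = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, Finished (20):
* error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
"""
PROTO_TRACE = ("curl: (35) error:1407742E:SSL routines:"
               "SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version\n")

HANDSHAKE = re.compile(r"TLS handshake, .*\((\d+)\):")
ALERT = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:[^:]+:(.+)$")
CERTIFICATE_REQUEST = 13  # TLS handshake message type; curl prints "Request CERT"


def sends_client_cert(command):
    """True when the curl command passes both a client certificate and its key."""
    args = shlex.split(command)
    return any(a in ("--cert", "-E") for a in args) and "--key" in args


def diagnose(command, trace):
    """Classify a failed handshake from curl's verbose trace and command line."""
    lines = trace.splitlines()
    types = [int(m.group(1)) for m in map(HANDSHAKE.search, lines) if m]
    alert = next((m.group(1).strip() for m in map(ALERT.search, lines) if m), None)
    requested = CERTIFICATE_REQUEST in types
    if alert is None:
        finding = "no TLS alert in trace"
    elif requested and not sends_client_cert(command):
        finding = "server requested a client certificate; command supplied none"
    elif requested:
        finding = "client certificate supplied; alert still raised, check cert and key"
    else:
        finding = "alert before any certificate request; check protocol version"
    return {"requested": requested, "alert": alert, "finding": finding}


if __name__ == "__main__":
    for cmd, trace in ((NO_CERT_CMD, BAD_CERT_TRACE), (NO_CERT_CMD, PROTO_TRACE)):
        print(diagnose(cmd, trace))
```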

[lxc-users] add device unix-char not yet implemented?

2015-05-20 Thread Janjaap Bos
Hi,

I have problems adding a /dev/net/tun device to the container.

It appears that the unix-char device is not yet supported for the command:
lxc config device add ...

Is that right? Or should I do something else?

Thanks,

-Janjaap

(Using http://ppa.launchpad.net/ubuntu-lxc/lxd-git-master/ubuntu trusty)