Re: [lxc-users] LXD 3.0 macvlan networking
To be able to ping a container macvlan interface, you need to have a macvlan interface configured on the host. Such as:

modprobe dummy
ip link set name dummy-mv dev dummy0
ip link set dev dummy-mv up
ip link add link dummy-mv mv-lxd type macvlan mode bridge
ip address add 192.168.4.1/24 dev mv-lxd
ip link set dev mv-lxd up

2018-05-05 5:18 GMT+02:00 Mark Constable:
> Has something changed re networking with LXD 3.0 such that when
> using a macvlan the host CAN ping a container?
>
> According to what I previously understood, and supported by this
> comment..
>
> https://github.com/lxc/lxd/issues/3871#issuecomment-333124249
>
> and the main reason I hadn't bothered even trying out a macvlan
> is because I need access to my local hosted containers and it
> "just works" with a normal bridge. However, now when I finally
> get around to testing macvlan I find I can immediately ping a
> new macvlan based container's IP.
>
> Has something changed recently regarding this macvlan restriction?
>
> ~ apt install lxd
>
> ~ lxc profile copy default macvlan (which has no eth0 device yet)
>
> ~ ip r (to get my host's eth0 device)
>
> ~ lxc profile device add macvlan eth0 nic nictype=macvlan parent=enp4s0f1 name=eth0
>
> ~ lxc launch images:ubuntu/bionic macvlantest -p macvlan
>
> ~ lxc list --format csv
> macvlantest,RUNNING,192.168.0.206 (eth0),"fdcc:3922:7dfd::6b7 (eth0) fdcc:3922:7dfd:0:216:3eff:fe11:9335 (eth0)",PERSISTENT,0
>
> ~ ping -c1 192.168.0.206
> PING 192.168.0.206 (192.168.0.206) 56(84) bytes of data.
> 64 bytes from 192.168.0.206: icmp_seq=1 ttl=64 time=1.98 ms
>
>
> OIC, from inside the macvlantest container I can't ping the host.
>
> But still, from this comment I would tend to assume I should not
> be able to ping the container from the host either...
>
> "@stgraber An even easier alternative to this would be using macvlan as it
> won't require any bridging at all, but it does come with the annoying
> caveat that the host will not be able to communicate with the containers."
>
> Would anyone care to clarify this macvlan limitation please?

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
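The host-side macvlan "shim" from the reply above, as an added shell example that is not part of the original thread. It creates the shim on the same parent interface the containers use (enp4s0f1, taken from Mark's profile; the names mv-lxd, 192.168.0.250/24 and the container address 192.168.0.206 are assumptions): a parent interface cannot exchange frames with its own macvlan children, which is the limitation the thread is about, but a sibling macvlan in bridge mode can, so host traffic has to enter through one.

```sh
#!/bin/sh
# Added example (not from the thread): give the host its own macvlan port on the
# parent interface the containers use. The parent itself cannot exchange frames
# with its macvlan children, so host<->container traffic has to enter through a
# sibling macvlan ("shim"). Interface names and addresses below are assumptions.
set -eu

# macvlan_shim_up PARENT NAME CIDR
#   Create NAME as a bridge-mode macvlan on PARENT and give it CIDR.
#   Idempotent: an existing NAME is reused; a missing PARENT is an error.
macvlan_shim_up() {
    parent=$1 name=$2 cidr=$3
    ip link show "$parent" >/dev/null 2>&1 || { echo "parent $parent not found" >&2; return 1; }
    if ! ip link show "$name" >/dev/null 2>&1; then
        ip link add link "$parent" "$name" type macvlan mode bridge
    fi
    ip address replace "$cidr" dev "$name"   # replace, not add: safe to re-run
    ip link set dev "$name" up
}

# macvlan_shim_route NAME IP
#   Host route for one container through the shim. The parent already has a
#   connected route for the same subnet and is normally preferred, so without
#   this the host would still send to the container via the parent and get nothing.
macvlan_shim_route() {
    ip route replace "$2/32" dev "$1"
}

# macvlan_shim_check NAME IP: one ping bound to the shim interface.
macvlan_shim_check() {
    ping -c 1 -W 2 -I "$1" "$2" >/dev/null
}

# Usage (as root, with the parent from the thread):
#   macvlan_shim_up enp4s0f1 mv-lxd 192.168.0.250/24
#   macvlan_shim_route mv-lxd 192.168.0.206
#   macvlan_shim_check mv-lxd 192.168.0.206 && echo "reachable via mv-lxd"
```

Once the shim exists, container traffic to and from the host arrives on mv-lxd rather than on the parent, so any host firewall rules written against enp4s0f1 do not apply to it; rules for the container subnet need to cover the shim interface too.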
Re: [lxc-users] Newer upstream releases - Stable for production?
I can confirm that we for sure also depend on the stable 2.0 in xenial. It actually is very easy to install a more recent version nested in 2.0 for specific use cases.

2017-04-05 23:53 GMT+02:00 Stéphane Graber:
> Yes, it would be.
>
> I also disagree that it's what most people would want.
>
> The majority of the feedback we've been getting from production users so
> far is that they're very happy having an extremely stable version of LXD
> that they don't need to think about and that gets frequent bugfixes and
> security fixes.
>
> For everyone else, you just need to run:
>
> apt install -t xenial-backports lxd lxd-client
>
> On Wed, Apr 05, 2017 at 11:45:32PM +0200, Jakob Gillich wrote:
> > Would it be against distribution policy to upgrade the lxd package in
> > xenial? I feel like most users do not want 2.0, but that's what they get by
> > default.
> >
> > On Wed, Apr 5, 2017 at 1:49 AM, Stéphane Graber wrote:
> > > Hi,
> > >
> > > So it really depends on how tolerant you may be to accidental downtime
> > > and need to occasionally adapt scripts as new features are added.
> > >
> > > LXD 2.0.x only gets bugfixes and security updates and so an upgrade will
> > > never break anything that uses the LXD commands or the API.
> > >
> > >
> > > For the newer feature releases, we don't break the REST API, only add
> > > bits to it, but occasionally those bits mean that some extra
> > > configuration steps may be needed, as was the case with the network API
> > > in 2.3 or the storage API in 2.9.
> > >
> > > Upgrading to such releases will automatically attempt to migrate your
> > > setup so that it keeps working and doesn't suffer any downtime. But it's
> > > certainly not completely bug free and we do occasionally hit issues
> > > there.
> > >
> > >
> > > If you do want the new features, I'd recommend that you at least stay on
> > > Ubuntu 16.04 LTS, then do this:
> > >
> > > apt install -t xenial-backports lxd lxd-client
> > >
> > > This will install lxd and lxd-client from "xenial-backports" which is a
> > > special pocket of the main Ubuntu archive. This is far preferable to
> > > using the LXD PPA.
> > >
> > > The LXD stable PPA is automatically generated whenever a new upstream
> > > release has hit the current Ubuntu development release and has passed
> > > automatic testing, which is to say that when an update hits, it would
> > > have seen very little field testing.
> > >
> > > xenial-backports is different in that the packages in there are the same
> > > as the PPA, but I only push them through once I feel confident there
> > > aren't any upgrade issues that we should address.
> > >
> > >
> > > One recent example of that was the storage API. PPA users would have
> > > gotten LXD 2.9, 2.9.1, 2.9.2, 2.10, 2.10.1 and 2.11 in quick succession
> > > as we were sorting out some upgrade issues with the storage API.
> > >
> > > Users of xenial-backports were on LXD 2.8 up until yesterday when I
> > > pushed LXD 2.12 to it as we are now feeling confident that all upgrade
> > > issues that were reported have been satisfyingly resolved.
> > >
> > >
> > > One last note. LXD doesn't support downgrading its database, that means
> > > that if you upgrade from 2.0.x to some 2.x release, there is no going
> > > back. You can't downgrade back to 2.0.x afterwards. You can move LXD
> > > containers from a new release to a server running an older release as a
> > > way to do a two stage downgrade, but you may need to alter their
> > > configurations a bit for this to succeed (remove any option key that
> > > came from a newer release).
> > >
> > > Stéphane
> > >
> > > On Tue, Apr 04, 2017 at 02:55:32PM +0200, Gabriel Marais wrote:
> > > > Hi Guys
> > > >
> > > > I would like to take advantage of some of the new(er) features available in
> > > > releases higher than 2.0.x
> > > >
> > > > Would it be advisable to upgrade to 2.12 to be used in a production
> > > > environment?
> > > >
> > > > --
> > > > Regards
> > > >
> > > > Gabriel Marais
> > > >
> > > > Office: +27 861 466 546 x 7001
> > > > Mobile: +27 83 663
> > > > Mail: gabriel.j.mar...@gmail.com
> > > >
> > > > Unit 11, Ground Floor, Berkley Office Park
> > > > Cnr Bauhinia & Witch Hazel Str,
> > > > Highveld, Centurion, South-Africa
> > > > 0157
> > > >
> > > > PO Box 15846, Lyttelton, South Africa, 0140
> > >
> > > --
> > > Stéphane Graber
> > > Ubuntu developer
> > > http://www.ubuntu.com
[lxc-users] Security risk of sharing /dev/net/tun and /dev/kvm in unprivileged containers
What are the security risks of enabling access to /dev/kvm and /dev/net/tun to an LXD unprivileged container? E.g. bind mount / add device to container config.

Would this significantly expose the host or other containers to increased risk? Could you offer access to untrusted users?

Does anyone have a pointer to more info about this?

Thanks!
-Janjaap
Re: [lxc-users] Feature request: raw lxc utilities output format and operations with multiplie containers?
Perhaps you can even turn that into a bash alias.

On 10 Nov 2016 18:33, "Ingo Baab" <i...@baab.de> wrote:

Andriy, (meanwhile) you can help yourself with (doing that sequentially)..

for container in `lxc list mysql-rep --format=json | jq .[].name | tr -d '"'`; do lxc exec $container -- apt update; done

-Ingo

On 10.11.2016 at 15:36, Andriy Tovstik wrote:

Thanks, Stéphane, I'm very inattentive... Now it looks better. An additional output format seems to be more comfortable than additional tools. But that is insignificant. And what do you think about the second question, about the ability to run commands on multiple containers simultaneously using regexps as container name? Does this feature look useful?

Thu, 10 Nov 2016 at 15:25, Stéphane Graber <stgra...@ubuntu.com>:

> stgraber@castiana:~$ lxc list --format=json | jq .[].name
> "android"
> "lxd"
> "snapcraft"
> "test"
> "ubuntu-core"
> "ubuntu-zesty"
> "xen"
> "yak"
>
> On Thu, Nov 10, 2016 at 12:31:01PM +, Andriy Tovstik wrote:
> > Hi, Janjaap Bos!
> >
> > I tried jq. But as I have already written, some useful fields like container
> > name are missing in json output...
> >
> > Thu, 10 Nov 2016 at 14:27, Janjaap Bos <janjaap...@gmail.com>:
> >
> > > You can pipe the json through jq.
> > >
> > > See: https://stedolan.github.io/jq/tutorial
> > >
> > >
> > > 2016-11-10 11:17 GMT+01:00 Andriy Tovstik <andriy.tovs...@gmail.com>:
> > >
> > > Hi all!
> > >
> > > During LXD learning I encountered a lack of some features.
> > >
> > > The first one is a "raw" output format for lxc list. Currently lxc list
> > > supports two formats: table and json. Unfortunately both formats are
> > > unusable for scripting.
> > > It is very difficult to pass to a script output like:
> > > # lxc list --format table -c n
> > > +------------+
> > > |    NAME    |
> > > +------------+
> > > | mysql-rep1 |
> > > +------------+
> > > | mysql-rep2 |
> > > +------------+
> > > | mysql-rep3 |
> > > +------------+
> > >
> > > When I try to use json format I see that useful fields like container name
> > > are missing in the output. Maybe it will be useful to implement a feature like:
> > >
> > > # lxc list --format raw -c n --no-header
> > > mysql-rep1
> > > mysql-rep2
> > > mysql-rep3
> > >
> > > The second feature that looks useful is the ability to run commands on multiple
> > > containers simultaneously. For example:
> > >
> > > # lxc exec web-node* -- apt update
> > >
> > > What do you think about it?
> > > --
> > > WBR, Andriy Tovstik
> >
> > --
> > WBR, Andriy Tovstik
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com

--
WBR, Andriy Tovstik
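A scripted form of Ingo's loop, added here as an example and not code from the thread. It uses LXD's csv formatter (`lxc list --format csv -c n`, which the 2018 macvlan message on this page shows in use) so the names come out bare and no `tr -d '"'` is needed, and it gets the `web-node*` selection Andriy asked for from the shell's own `case` globbing instead of a new `lxc exec` feature. The container names and the `apt-get update` command are assumptions.

```sh
#!/bin/sh
# Added example: run one command in every LXD container whose name matches a glob.
set -eu

# container_names: one name per line. The csv formatter prints bare values,
# so no quote stripping is needed (json + jq -r '.[].name' would do the same).
container_names() {
    lxc list --format csv -c n
}

# select_names GLOB NAME...: print the names matching GLOB, one per line.
# The unquoted $pattern in the case label is deliberately expanded as a glob.
select_names() {
    pattern=$1; shift
    for n in "$@"; do
        case $n in
            $pattern) printf '%s\n' "$n" ;;
        esac
    done
}

# exec_on_matching GLOB CMD: run CMD (a shell snippet) in each matching container.
# Keeps going after a failure, reports which containers failed on stderr and
# returns the number of failures so a caller can act on it.
exec_on_matching() {
    pattern=$1 cmd=$2
    failed=0
    for c in $(select_names "$pattern" $(container_names)); do
        if ! lxc exec "$c" -- sh -c "$cmd"; then
            echo "exec failed in $c" >&2
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Usage:
#   exec_on_matching 'web-node*' 'apt-get update -q'
```

The `--` before `sh -c` keeps the command's own options from being parsed by `lxc exec`, and running the snippet through `sh -c` inside the container means quoting is resolved there, not on the host.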
Re: [lxc-users] Feature request: raw lxc utilities output format and operations with multiplie containers?
You can pipe the json through jq.

See: https://stedolan.github.io/jq/tutorial

2016-11-10 11:17 GMT+01:00 Andriy Tovstik:
> Hi all!
>
> During LXD learning I encountered a lack of some features.
>
> The first one is a "raw" output format for lxc list. Currently lxc list
> supports two formats: table and json. Unfortunately both formats are
> unusable for scripting.
> It is very difficult to pass to a script output like:
> # lxc list --format table -c n
> +------------+
> |    NAME    |
> +------------+
> | mysql-rep1 |
> +------------+
> | mysql-rep2 |
> +------------+
> | mysql-rep3 |
> +------------+
>
> When I try to use json format I see that useful fields like container name
> are missing in the output. Maybe it will be useful to implement a feature like:
>
> # lxc list --format raw -c n --no-header
> mysql-rep1
> mysql-rep2
> mysql-rep3
>
> The second feature that looks useful is the ability to run commands on multiple
> containers simultaneously. For example:
>
> # lxc exec web-node* -- apt update
>
> What do you think about it?
> --
> WBR, Andriy Tovstik
Re: [lxc-users] Networking issue
Downgrade the kernel to verify your guess, as the other feedback you got also points to the kernel. If that solves it, go file a kernel bug.

2016-11-09 7:33 GMT+01:00 Saint Michael:
> It was working fine until a week ago.
> I have two sites, it happened on both, so the issue is not on my router or
> my switch, since they are different sites and we did not upgrade anything.
> Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
> LXC installed from apt-get install lxc1
> iptables off in both hosts and containers. I protect my network at the
> perimeter.
>
> All my container networking is defined
>
> lxc.network.type=macvlan
> lxc.network.macvlan.mode=bridge
> lxc.network.link=eth1
> lxc.network.name = eth0
> lxc.network.flags=up
> lxc.network.hwaddr = XX:XX:XX:XX:XX:XX
> lxc.network.ipv4 = 0.0.0.0/24
>
> Now suppose I have a machine, not a container, in the same broadcast
> domain as the containers, same subnet.
> It cannot ping or ssh into a container, which is accessible from outside
> my network.
> However, from inside the container the packets come and go perfectly, when
> the connection is originated by the container.
> A container can ping that host I mentioned, but the host cannot ping back
> the container.
> It all started a few days ago.
> Also, from the host, this test works
> arping -I eth0 (container IP address)
> it shows that we share the same broadcast domain.
>
> My guess is that the most recent kernel update in the LXC host is
> blocking the communication to the containers, but it allows connections
> from the containers or connections from IP addresses not on the same
> broadcast domain.
> Any idea?
Re: [lxc-users] How to open a ticket with LXC
If you have a Canonical support contract you should probably go through its regular support channel, instead of this mailing list or github.

On 8 Nov 2016 06:03, "Saint Michael" wrote:
> Stéphane Graber closed my report without investigating the evidence. He
> says it is a firewall or a Kernel bug. If this is a Kernel bug, he needs to
> act, because I don't upgrade the Kernels, Ubuntu does it. And there is no
> firewall in my LXC host.
> I am complaining tomorrow to Canonical.
>
> On Mon, Nov 7, 2016 at 1:49 PM, Saint Michael wrote:
>
>> I already opened a ticket
>> https://github.com/lxc/lxc/issues/1284
>>
>> On Mon, Nov 7, 2016 at 1:43 PM, Saint Michael wrote:
>>
>>> The issue is very simple, and it started a few days ago, after an update.
>>> You cannot communicate from the same network to a container, but from
>>> the container you can initiate any connection just fine.
>>> Also from outside my network I can ssh into a container and ping. From
>>> the same network I cannot even ping a container.
>>>
>>> On Mon, Nov 7, 2016 at 1:29 PM, Judd Meinders <judd.meind...@rockwellcollins.com> wrote:
>>>
>>>> On Mon, Nov 7, 2016 at 12:10 PM, Saint Michael wrote:
>>>>>
>>>>> Does anybody know how to open a bug with LXC?
>>>>> I cannot figure it out. Ubuntu does point me to another site, but I cannot see how to open a new ticket.
>>>>
>>>> https://github.com/lxc/lxc/issues
>>>>
>>>> If you can, include steps to reproduce the issue, software versions, configs, workarounds, etc. A well formed and organized issue will get more attention.
>>>>
>>>> --
>>>> Judd Meinders
Re: [lxc-users] tun device in unprivileged Debian Stretch lxc Container
You need to map the device (lxc config), no need to do mknod in the container.

2016-09-23 2:14 GMT+02:00 Paul Dino Jones:
> Hi all,
>
> I could have sworn in the past I was able to make an unprivileged
> container use openvpn, but yesterday, I started an unprivileged
> container and was not able to use openvpn because I did not have a
> /dev/net/tun. I was able to get it started in a normal privileged
> container after performing a mknod. Which makes sense because an
> unprivileged user isn't going to be able to create that tun device.
>
> I'm just wondering if there is something I'm missing since I think it
> used to work.
>
> Regards,
> Paul
Re: [lxc-users] lxd in Debian
Perhaps for other distros you can take advantage of the LXD snap package provided by Stéphane.

First install snapd: https://www.maketecheasier.com/run-ubuntu-snap-packages-other-distros/

Then install LXD:

sudo snappy install lxd.stgraber

P.S. I have not tried this, but I expect it will work.

2016-08-23 9:20 GMT+02:00 Fajar A. Nugraha:
> From my experience creating lxd rpm for centos6, the hardest part is
> to provide build requirements.
>
> Lxd uses golang, which probably makes it easier for the devs to
> maintain, but also requires a bunch of go dependencies. Like
> http://packages.ubuntu.com/golang-github-dustinkirkland-golang-petname-dev
>
> AFAIK the "normal" way is to get the build dependencies included in
> debian as well, but it'll be a lot of work (if at all possible).
> An "easier" way would be to include the dependencies as part of the lxd
> build process. Not sure how much work it would take.
>
> In the mean time, if you need lxd in debian, my best advice is to try
> porting ubuntu's packages (including the build requirements), and build
> your own, adjusting as necessary.
>
> --
> Fajar
>
> On Tue, Aug 23, 2016 at 1:58 PM, Pierre Couderc wrote:
> >
> > Mmm, I think that as lxd is sponsored by Ubuntu, nobody works on making it
> > available on debian, and you should not get an answer...
> >
> > And I have had success installing unprivileged lxc containers on Jessie, but
> > it was not easy...
> >
> > PC
> >
> > On 08/09/2016 03:27 AM, Paul Dino Jones wrote:
> >>
> >> So, I see lxc 2.0 has made its way into Stretch and Jessie backports,
> >> but I don't see any activity on lxd. Is this going to happen in time for
> >> the Stretch freeze?
> >>
> >> Best, Paul
Re: [lxc-users] Unprivileged container woes: unable to install packages
If installing the package in unprivileged mode was the problem, could you then run the image unprivileged after installing the package in privileged mode?

On 21 Aug 2016 19:11, "jjs - mainphrame" wrote:
> Running postfix in and of itself did not appear to be problematic, but the
> maia mailguard antispam system as a whole includes postfix, clamd,
> spamassassin, maiad, httpd, perl and mysql, not all of which were happy
> running unprivileged. The factor that pushed me to a privileged container
> was the inability to install a package which set capabilities.
> Unfortunately I had a lot to do, and wasn't able to devote a lot of time to
> the issue; the easy answer was to go to a privileged container.
>
> Jake
>
> On Sun, Aug 21, 2016 at 12:59 AM, Ingo Baab wrote:
>
>> What were the issues, running a Mailserver as an unprivileged LXC?
>> I do the same.. and it seems to work without problems.. I just made the
>> Mailports forward to the LXC with iptables..
>>
>> Just curious,
>> -Ingo
>>
>> On 20.08.2016 at 20:52, jjs - mainphrame wrote:
>>
>> Greetings,
>>
>> I've given up on the unprivileged container for now. I've created a new
>> container with the same role, and the same configuration except that it is
>> privileged. The privileged version of this container is working more or
>> less as expected.
>>
>> This container isn't doing anything I'd have considered exotic - it's
>> running postfix, clamd, and maiad (a modern derivative of amavisd-new).
>>
>> This is a data point which may prove useful to those who may read this at
>> some point down the road.
>>
>> Jake
>>
>> On Thu, Aug 18, 2016 at 10:42 AM, jjs - mainphrame wrote:
>>
>>> Greetings,
>>>
>>> I had decided to build an lxd version of an lxc server which had been
>>> running reliably for some time. Unfortunately, it doesn't seem to be
>>> running quite as smoothly. Is some sort of special permissions hacking
>>> required?
>>>
>>> Here is one example of a problem in the new lxd container, which was
>>> never seen in the lxc container, namely attempting to install a package:
>>>
>>> Please pardon me if this is a FAQ as I've been primarily working with
>>> openvz of late - point me to TFM if there is a TFM which would enlighten me
>>> on this subject.
>>>
>>> Dependencies Resolved
>>>
>>> ==============================================================================
>>>  Package    Arch      Version                    Repository    Size
>>> ==============================================================================
>>> Installing:
>>>  httpd      x86_64    2.4.6-40.el7.centos.4      updates       2.7 M
>>>
>>> Transaction Summary
>>> ==============================================================================
>>> Install  1 Package
>>>
>>> Total download size: 2.7 M
>>> Installed size: 9.4 M
>>> Is this ok [y/d/N]: y
>>> Downloading packages:
>>> httpd-2.4.6-40.el7.centos.4.x86_64.rpm                  | 2.7 MB  00:00:00
>>> Running transaction check
>>> Running transaction test
>>> Transaction test succeeded
>>> Running transaction
>>>   Installing : httpd-2.4.6-40.el7.centos.4.x86_64                     1/1
>>> Error unpacking rpm package httpd-2.4.6-40.el7.centos.4.x86_64
>>> error: unpacking of archive failed on file /usr/sbin/suexec: cpio: cap_set_file
>>>   Verifying  : httpd-2.4.6-40.el7.centos.4.x86_64                     1/1
>>>
>>> Failed:
>>>   httpd.x86_64 0:2.4.6-40.el7.centos.4
>>>
>>> Jake
Re: [lxc-users] ZeroTier Docker IPv6 6plane for LXD
Thank you for the feedback!

I manually changed LXD_IPV6_ARG in /usr/lib/lxd/lxd-bridge to

LXD_IPV6_ARG="--enable-ra --dhcp-range=::1, ::e825:, constructor:lxdbr0, ra-names, 12h --listen-address ${LXD_IPV6_ADDR}"

However, dnsmasq requires a minimal prefix of /64:

dnsmasq: bad command line options: prefix length must be at least 64

This requirement is also documented in its man page. So I think the easiest would be to manually set the ip in the container.

Is it possible to provide the contents of /etc/network/interfaces.d/50-cloud-init.cfg through lxd as a config option or parameter per container?

Regards.
-Janjaap

2016-07-28 22:44 GMT+02:00 Stéphane Graber <stgra...@ubuntu.com>:
> On Thu, Jul 28, 2016 at 05:17:13PM +0200, Janjaap Bos wrote:
> > Hi,
> >
> > I am trying to configure 6plane mode for LXD.
> >
> > For background on 6plane see:
> > https://www.zerotier.com/community/topic/67/zerotier-6plane-ipv6-addressing
> >
> > I am able to configure a /80 network for the LXD, and also the manual
> > configuration at the containers to assign an IPv6 number from that subnet
> > and set the route.
> >
> > However, I am not able to configure LXD to provide DHCPv6 service to the
> > container in this subnet.
> >
> > I would much appreciate guidance on how to configure LXD to provide auto
> > assigned IPv6 addresses from its subnet to the containers.
> >
> >
> > My settings for IPv6 in /etc/default/lxd-bridge:
> >
> > ## IPv6 address (e.g. 2001:470:b368:4242::1)
> > LXD_IPV6_ADDR="fca0:4ab7:4617:1cf5:3ad6::1"
> >
> > ## IPv6 CIDR mask (e.g. 64)
> > LXD_IPV6_MASK="80"
> >
> > ## IPv6 network (e.g. 2001:470:b368:4242::/64)
> > LXD_IPV6_NETWORK="fca0:4ab7:4617:1cf5:3ad6::1/80"
> >
> > ## NAT IPv6 traffic
> > LXD_IPV6_NAT="false"
> >
> > # Run a minimal HTTP PROXY server
> > LXD_IPV6_PROXY="false"
> >
> >
> > Regards,
> >
> > -Janjaap
>
> Currently our dnsmasq setup only does SLAAC (stateless address
> auto-configuration). That means, it announces the prefix using multicast
> or on request and the kernel then computes an IPv6 address for the
> container based on that.
>
> That computation is done using EUI64 which generates a unique IPv6
> address from the MAC address, using a 64-bit network prefix.
>
> Since your network is a /80 which is smaller than a /64, it's simply not
> possible for EUI64 to work which is why your containers aren't getting
> an IP address.
>
>
> I suspect you may have to reconfigure dnsmasq by hand to do full
> stateful DHCPv6 and then will have to configure your containers to
> actually do DHCPv6 as none of the images we provide do so (they all do
> SLAAC fine though).
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
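Stéphane's explanation is easy to check by hand. The following is an added shell example, not from the thread, that derives a SLAAC address the way the kernel does (modified EUI-64): the prefix fdcc:3922:7dfd::/64 and the address fdcc:3922:7dfd:0:216:3eff:fe11:9335 come from the `lxc list` output in the 2018 macvlan message on this page, and the MAC 00:16:3e:11:93:35 is inferred from that address (00:16:3e is the prefix LXD uses for container MACs). The interface identifier always occupies the low 64 bits, which is why a /80 leaves no room for it.

```sh
#!/bin/sh
# Added example: modified EUI-64 interface identifier, as used by SLAAC.
set -eu

# eui64_iid MAC: print the 64-bit interface identifier for MAC (aa:bb:cc:dd:ee:ff)
# as four hex groups. Steps: split the MAC in two, insert ff:fe in the middle,
# flip the universal/local bit (bit 1 of the first octet).
eui64_iid() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    set -- $(printf '%s' "$mac" | tr ':' ' ')
    [ $# -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
    b1=$(printf '%02x' $(( 0x$1 ^ 0x02 )))
    printf '%s%s:%sff:fe%s:%s%s\n' "$b1" "$2" "$3" "$4" "$5" "$6"
}

# canon_groups ADDR: drop leading zeros in each hextet (no :: compression),
# matching how `lxc list` printed the address above.
canon_groups() {
    out=""
    for g in $(printf '%s' "$1" | tr ':' ' '); do
        out="$out:$(printf '%x' "$(( 0x$g ))")"
    done
    printf '%s\n' "${out#:}"
}

# slaac_addr PREFIX64 MAC: PREFIX64 is the four high hextets (e.g. fdcc:3922:7dfd:0);
# the identifier fills the four low hextets, so the prefix must be exactly 64 bits.
slaac_addr() {
    canon_groups "$1:$(eui64_iid "$2")"
}

# slaac_prefix_ok LEN: EUI-64 SLAAC needs a /64. A longer prefix such as /80
# cannot carry a 64-bit interface identifier, which is what dnsmasq's
# "prefix length must be at least 64" error in the thread is about.
slaac_prefix_ok() {
    [ "$1" -eq 64 ]
}

# Usage:
#   slaac_addr fdcc:3922:7dfd:0 00:16:3e:11:93:35
```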
[lxc-users] ZeroTier Docker IPv6 6plane for LXD
Hi,

I am trying to configure 6plane mode for LXD.

For background on 6plane see: https://www.zerotier.com/community/topic/67/zerotier-6plane-ipv6-addressing

I am able to configure a /80 network for the LXD, and also the manual configuration at the containers to assign an IPv6 number from that subnet and set the route.

However, I am not able to configure LXD to provide DHCPv6 service to the container in this subnet.

I would much appreciate guidance on how to configure LXD to provide auto assigned IPv6 addresses from its subnet to the containers.

My settings for IPv6 in /etc/default/lxd-bridge:

## IPv6 address (e.g. 2001:470:b368:4242::1)
LXD_IPV6_ADDR="fca0:4ab7:4617:1cf5:3ad6::1"

## IPv6 CIDR mask (e.g. 64)
LXD_IPV6_MASK="80"

## IPv6 network (e.g. 2001:470:b368:4242::/64)
LXD_IPV6_NETWORK="fca0:4ab7:4617:1cf5:3ad6::1/80"

## NAT IPv6 traffic
LXD_IPV6_NAT="false"

# Run a minimal HTTP PROXY server
LXD_IPV6_PROXY="false"

Regards,

-Janjaap
Re: [lxc-users] Where can i find the causes of restart problems
/var/log/lxc

2015-06-20 13:56 GMT+02:00 Thouraya TH thouray...@gmail.com:
> Hello all,
>
> Please, I try to run my container but it is blocked.
>
> lxc-start -n worker1
>
> Where can I find the causes of restart problems? (logs?)
>
> Thanks a lot.
> Best Regards.
[lxc-users] sticky ethernet device order in container
When using multiple nics in the container, the order sometimes changes after a restart. So eth0 becomes eth1, and vice versa.

When using LXD, how is this order determined? There is no entry for eth0 in the config, since that is a standard lxc network device. Only the additional network device is added in the container config, e.g.:

name: c1
profiles:
- default
config:
  raw.lxc: |
    lxc.mount.entry = /var/lib/lxd/lxc/c1/devices/net/tun dev/net/tun none bind,create=file 0 0
    lxc.mount.entry = /var/lib/lxd/lxc/c1/devices/kvm dev/kvm none bind,create=file 0 0
    lxc.mount.entry = /var/lib/lxd/lxc/c1/devices/fuse dev/fuse none bind,create=file 0 0
  volatile.baseImage: a4066a730e6b3d8021dcc7d0c59f2c37624ffdb60d10f1e09c336e4e1631915c
  volatile.eth0.hwaddr: 00:16:3e:33:3c:c2
  volatile.br0.hwaddr: 00:16:3e:5b:4f:19
devices:
  br0:
    parent: br0
    type: nic
ephemeral: false

Both nics have a volatile entry (done by lxc or lxd?). Sometimes after a restart the nics have switched order in the container. This of course messes up the network config in the container.

How can I make the eth0 and eth1 order stick?

Thanks for your help!
-Janjaap
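Janjaap's earlier question about exposing /dev/net/tun and /dev/kvm to an unprivileged container, the "map the device in the config, no mknod" advice in the tun thread, and the raw.lxc mount entries in the config above all come down to the same operation. Here it is as an added shell example, not code from the thread, using LXD's unix-char device type, which is the supported way to hand a device node to a container and keeps the node's owner and mode under LXD's control instead of a raw.lxc bind mount. The container name c1, the device names tun and kvm, and the mode and gid values are assumptions.

```sh
#!/bin/sh
# Added example: expose /dev/net/tun (and, separately, /dev/kvm) to an LXD
# container with the unix-char device type instead of raw.lxc bind mounts.
# Container and device names are assumptions.
set -eu

# add_char_device CONTAINER DEVNAME PATH [MODE] [GID]
#   unix-char creates the node inside the container from the host PATH.
#   MODE defaults to 0660 and GID to 0; uid/gid are interpreted inside the
#   container, so for an unprivileged container "0" is the container's mapped
#   root, not host root.
add_char_device() {
    ctr=$1 dev=$2 path=$3 mode=${4:-0660} gid=${5:-0}
    lxc config device add "$ctr" "$dev" unix-char path="$path" mode="$mode" gid="$gid"
}

# expose_tun CONTAINER: /dev/net/tun lets the container create tun/tap
# interfaces in its own network namespace (OpenVPN needs this); it does not
# hand over any host interface.
expose_tun() {
    add_char_device "$1" tun /dev/net/tun
}

# expose_kvm CONTAINER: /dev/kvm is the host kernel's KVM ioctl interface.
# Granting it is a trust decision about the container, not a sandboxing
# feature, so keep the node root-only (mode 0600) unless a specific gid needs it.
expose_kvm() {
    add_char_device "$1" kvm /dev/kvm 0600
}

# revoke_device CONTAINER DEVNAME: remove the node again (takes effect on restart
# for a running container's existing processes that already opened it).
revoke_device() {
    lxc config device remove "$1" "$2"
}

# Usage:
#   expose_tun c1
#   lxc exec c1 -- ls -l /dev/net/tun
#   revoke_device c1 tun
```

`lxc config device show c1` lists what is currently mapped, which is easier to audit than mount entries hidden in raw.lxc; unlike raw.lxc, the device entries also survive LXD upgrades that change where per-container device nodes live on the host.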
Re: [lxc-users] What is the best way to report bug issues with LXD rest server?
Try removing the trailing / from the url.

2015-05-23 22:17 GMT+02:00 Kevin LaTona li...@studiosola.com:
> add local sends back an error
>
> root@kev:/home/kev# lxc remote add local 192.168.0.50:8443
> error: remote local exists as unix:///var/lib/lxd/unix.socket
>
> running just wget (I've not used wget before) so I am not sure how or if it's possible to send in the host name now or ??
>
> root@kev:~/.config/lxc# wget --no-check-certificate https://192.168.0.50:8443/1.0/ --certificate=client.crt --private-key=client.key -O - -v
> --2015-05-23 13:12:13-- https://192.168.0.50:8443/1.0/
> Connecting to 192.168.0.50:8443... connected.
> WARNING: cannot verify 192.168.0.50's certificate, issued by ‘O=linuxcontainer.org’:
>   Unable to locally verify the issuer's authority.
> WARNING: certificate common name ‘’ doesn't match requested host name ‘192.168.0.50’.
> HTTP request sent, awaiting response... 404 Not Found
> 2015-05-23 13:12:13 ERROR 404: Not Found.
>
> Sounds like LXD server is working for you….. but still no idea why it's not for me yet.
>
> -Kevin
>
> On May 23, 2015, at 12:26 PM, Janjaap Bos janjaap...@gmail.com wrote:
>
>> Remove the /finger from the url given in the example, as that is no longer a published service.
>>
>> This is from OSX, using wget.
>>
>> wget --no-check-certificate https://myhost:8443/1.0 --certificate=client.crt --private-key=client.key -O - -q
>> {"type":"sync","status":"Success","status_code":200,"metadata":{"api_compat":1,"auth":"trusted","config":{"trust-password":true},"environment":{"backing_fs":"ext4","driver":"lxc","kernel_version":"3.16.0-37-generic","lxc_version":"1.1.0","lxd_version":"0.9"}}}
>>
>> 2015-05-23 21:16 GMT+02:00 Janjaap Bos janjaap...@gmail.com:
>>
>>> Before trying at OSX, make sure it works on your LXD host. Follow the steps for hacking on: https://github.com/lxc/lxd
>>>
>>> It works for me.
>>>
>>> Hacking
>>>
>>> Sometimes it is useful to view the raw response that LXD sends; you can do this by:
>>>
>>> lxc config set password foo
>>> lxc remote add local 127.0.0.1:8443
>>> wget --no-check-certificate https://127.0.0.1:8443/1.0/finger --certificate=$HOME/.config/lxc/client.crt --private-key=$HOME/.config/lxc/client.key -O - -q
>>>
>>> 2015-05-23 21:13 GMT+02:00 Kevin LaTona li...@studiosola.com:
>>>
>>>> I noticed I did not run the lxc config trust add client.crt call as suggested earlier.
>>>>
>>>> So I
>>>>
>>>> cd /root/.config/lxc
>>>> lxc config trust add client.crt
>>>>
>>>> then
>>>>
>>>> lxc config trust list
>>>>
>>>> and got two fingerprints back
>>>>
>>>> Next ran
>>>>
>>>> curl -v -k https://192.168.0.50:8443/1.0/images
>>>> * Hostname was NOT found in DNS cache
>>>> *   Trying 192.168.0.50...
>>>> * Connected to 192.168.0.50 (192.168.0.50) port 8443 (#0)
>>>> * successfully set certificate verify locations:
>>>> *   CAfile: none
>>>>   CApath: /etc/ssl/certs
>>>> * SSLv3, TLS handshake, Client hello (1):
>>>> * SSLv3, TLS handshake, Server hello (2):
>>>> * SSLv3, TLS handshake, CERT (11):
>>>> * SSLv3, TLS handshake, Server key exchange (12):
>>>> * SSLv3, TLS handshake, Request CERT (13):
>>>> * SSLv3, TLS handshake, Server finished (14):
>>>> * SSLv3, TLS handshake, CERT (11):
>>>> * SSLv3, TLS handshake, Client key exchange (16):
>>>> * SSLv3, TLS change cipher, Client hello (1):
>>>> * SSLv3, TLS handshake, Finished (20):
>>>> * SSLv3, TLS alert, Server hello (2):
>>>> * error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>>>> * Closing connection 0
>>>> curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>>>> root@c5:~#
>>>>
>>>> Unless I am missing another config step here. Sure looks like the LXD image server is sending out bad certs into the wild.
>>>>
>>>> -Kevin
Re: [lxc-users] What is the best way to report bug issues with LXD rest server?
Yes, you are a step further now that TLS is spoken.

However, I would suggest to first get your test working locally on the lxd server, since my homebrew OSX curl has further restrictions. You can only use certificates that are in the keychain:

* WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure Transport. The private key must be in the Keychain.
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.

When trying your example on my lxd server, I do the following steps (as root user).

# cd /root/.config/lxc
# ls
client.crt client.key config.yml servercerts

Now, if you don't have these files, you can get them by doing the following:

# lxc remote add lxc-org images.linuxcontainers.org

This should also initialise the local client certificate if it does not exist. Then:

# lxc config trust add client.crt
# lxc config trust list

This should list the fingerprint. And it should work:

# curl --key client.key --cert client.crt -v -k https://localhost:8443/1.0/images

(do not use the -s option as it will suppress the output)

2015-05-23 7:53 GMT+02:00 Kevin LaTona li...@studiosola.com:

> On May 22, 2015, at 10:33 PM, Kevin LaTona li...@studiosola.com wrote:
>
>> Ok, but you are testing with a curl that does not support TLS. That is why you cannot connect to that particular LXD instance. Depending on the OS and distribution, other LXD instances may still support SSL.
>
> I did a quick upgrade of curl to 7.42.1
>
> Now when I try it
>
> /usr/local/Cellar/curl/7.42.1/bin/curl -s --cert server.crt --key server.key -k https://192.168.0.50:8443/1.0/images
>
> I know I don't want to mess with Apple's install of Curl for now.
>
> I get
>
> curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect
>
> So maybe I am getting closer and something is off with the cert I just made.
>
> Would be nice to know what version of LXD is running at linuxcontainers.org
>
> It sure might help saving lots of time chasing after another avenue that in the end may or may not solve the problem.
>
> -Kevin
Re: [lxc-users] lxc-ls -f problem
Sorry, I replied on the wrong thread...

2015-05-23 21:13 GMT+02:00 Janjaap Bos janjaap...@gmail.com:

> Use wget instead of curl on OSX. That works for me.
>
> wget --no-check-certificate https://myhost:8443/1.0 --certificate=client.crt --private-key=client.key -O - -q
> {type:sync,status:Success,status_code:200,metadata:{api_compat:1,auth:trusted,config:{trust-password:true},environment:{backing_fs:ext4,driver:lxc,kernel_version:3.16.0-37-generic,lxc_version:1.1.0,lxd_version:0.9}}}
>
> 2015-05-23 20:46 GMT+02:00 david.an...@bli.uzh.ch:
>
>> Hi
>>
>> I have the exact same problem after yesterday's update. And I suspect it is bug https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1413927 or at least closely related.
>>
>> root@andel2:~# cat /proc/self/cgroup
>> 10:devices:/system.slice/ssh.service
>> 9:perf_event:/system.slice/ssh.service
>> 8:cpuset:/system.slice/ssh.service
>> 7:cpu,cpuacct:/system.slice/ssh.service
>> 6:memory:/system.slice/ssh.service
>> 5:freezer:/system.slice/ssh.service
>> 4:net_cls,net_prio:/system.slice/ssh.service
>> 3:hugetlb:/system.slice/ssh.service
>> 2:blkio:/system.slice/ssh.service
>> 1:name=systemd:/system.slice/ssh.service
>>
>> root@andel2:~# service cgmanager status
>> ● cgmanager.service - Cgroup management daemon
>>    Loaded: loaded (/lib/systemd/system/cgmanager.service; disabled; vendor preset: enabled)
>>    Active: active (running) since Sat 2015-05-23 15:48:07 CEST; 30min ago
>>  Main PID: 2994 (cgmanager)
>>    Memory: 296.0K
>>    CGroup: /system.slice/cgmanager.service
>>            ‣ 2994 /sbin/cgmanager -m name=systemd
>>
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path /run/cgmanager/fs/hugetlb/system.slice/ssh.service/lxc/s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main: Invalid path /run/cgmanager/fs/hugetlb/system.slice/ssh.servi...s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path /run/cgmanager/fs/memory/system.slice/ssh.service/lxc/s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main: Invalid path /run/cgmanager/fs/memory/system.slice/ssh.servic...s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path /run/cgmanager/fs/net_cls/system.slice/ssh.service/lxc/s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main: Invalid path /run/cgmanager/fs/net_cls/system.slice/ssh.servi...s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path /run/cgmanager/fs/perf_event/system.slice/ssh.service/lxc/s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main: Invalid path /run/cgmanager/fs/perf_event/system.slice/ssh.se...s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager: Invalid path /run/cgmanager/fs/none,name=systemd/system.slice/ssh.service/lxc/s0_nginx
>> May 23 15:48:15 andel2 cgmanager[2994]: cgmanager:per_ctrl_move_pid_main: Invalid path /run/cgmanager/fs/none,name=systemd/system.slice...s0_nginx
>> Hint: Some lines were ellipsized, use -l to show in full.
>>
>> The unprivileged containers could be stopped, but trying to stop a running privileged container hangs and blocked the host completely. Even a reboot is not possible; the host answers only to ping requests, and ssh returns with "Write failed: Broken pipe". And since the machine is geographically distant (and it's the weekend, as usual when such stuff happens) I cannot provide the results generated from the commands below. But probably I am going to run into the same error on other machines and will provide the results.
>>
>> David
>>
>> -lxc-users lxc-users-boun...@lists.linuxcontainers.org wrote: -
>>
>> To: LXC users mailing-list lxc-users@lists.linuxcontainers.org
>> From: Serge Hallyn
>> Sent by: lxc-users
>> Date: 05/22/2015 17:44
>> Subject: Re: [lxc-users] lxc-ls -f problem
>>
>>> Quoting Dave Birch (dave.bi...@gmail.com):
>>>
>>>> Dave Birch dave.birch@... writes:
>>>>
>>>>> Further update - just discovered that lxc-start now hangs for all containers, even newly created ones using only the standard download template on lxc-create.
>>>>>
>>>>> I'm pretty much dead in the water until I can work out how to resolve this.
>>>
>>> Can you attach the results of
>>>
>>> sudo strace -f -ostrace.out -- lxc-ls -f
>>> sudo strace -f -ostrace-start.out -- lxc-start -n container
>>> sudo lxc-start -n container -l trace -o debug.out
>>>
>>> and show your exact steps, if you can remember them or have them in history, when you were originally creating these containers?
Re: [lxc-users] What is the best way to report bug issues with LXD rest server?
Before trying at OSX, make sure it works on your LXD host.
Follow the steps for hacking on: https://github.com/lxc/lxd
It works for me.

Hacking

Sometimes it is useful to view the raw response that LXD sends; you can do this by:

lxc config set password foo
lxc remote add local 127.0.0.1:8443
wget --no-check-certificate https://127.0.0.1:8443/1.0/finger --certificate=$HOME/.config/lxc/client.crt --private-key=$HOME/.config/lxc/client.key -O - -q

2015-05-23 21:13 GMT+02:00 Kevin LaTona li...@studiosola.com:

> I noticed I did not run the lxc config trust add client.crt call as suggested earlier.
>
> So I
>
> cd /root/.config/lxc
> lxc config trust add client.crt
>
> then
>
> lxc config trust list
>
> and got two fingerprints back.
>
> Next ran
>
> curl -v -k https://192.168.0.50:8443/1.0/images
> * Hostname was NOT found in DNS cache
> * Trying 192.168.0.50...
> * Connected to 192.168.0.50 (192.168.0.50) port 8443 (#0)
> * successfully set certificate verify locations:
> * CAfile: none
>   CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server key exchange (12):
> * SSLv3, TLS handshake, Request CERT (13):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS alert, Server hello (2):
> * error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> * Closing connection 0
> curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> root@c5:~#
>
> Unless I am missing another config step here.
>
> Sure looks like the LXD image server is sending out bad certs into the wild.
>
> -Kevin
Re: [lxc-users] What is the best way to report bug issues with LXD rest server?
Remove the /finger from the url given in the example, as that is no longer a published service.

This is from OSX, using wget.

wget --no-check-certificate https://myhost:8443/1.0 --certificate=client.crt --private-key=client.key -O - -q
{type:sync,status:Success,status_code:200,metadata:{api_compat:1,auth:trusted,config:{trust-password:true},environment:{backing_fs:ext4,driver:lxc,kernel_version:3.16.0-37-generic,lxc_version:1.1.0,lxd_version:0.9}}}

2015-05-23 21:16 GMT+02:00 Janjaap Bos janjaap...@gmail.com:

> Before trying at OSX, make sure it works on your LXD host.
> Follow the steps for hacking on: https://github.com/lxc/lxd
> It works for me.
>
> Hacking
>
> Sometimes it is useful to view the raw response that LXD sends; you can do this by:
>
> lxc config set password foo
> lxc remote add local 127.0.0.1:8443
> wget --no-check-certificate https://127.0.0.1:8443/1.0/finger --certificate=$HOME/.config/lxc/client.crt --private-key=$HOME/.config/lxc/client.key -O - -q
>
> 2015-05-23 21:13 GMT+02:00 Kevin LaTona li...@studiosola.com:
>
>> I noticed I did not run the lxc config trust add client.crt call as suggested earlier.
>>
>> So I
>>
>> cd /root/.config/lxc
>> lxc config trust add client.crt
>>
>> then
>>
>> lxc config trust list
>>
>> and got two fingerprints back.
>>
>> Next ran
>>
>> curl -v -k https://192.168.0.50:8443/1.0/images
>> * Hostname was NOT found in DNS cache
>> * Trying 192.168.0.50...
>> * Connected to 192.168.0.50 (192.168.0.50) port 8443 (#0)
>> * successfully set certificate verify locations:
>> * CAfile: none
>>   CApath: /etc/ssl/certs
>> * SSLv3, TLS handshake, Client hello (1):
>> * SSLv3, TLS handshake, Server hello (2):
>> * SSLv3, TLS handshake, CERT (11):
>> * SSLv3, TLS handshake, Server key exchange (12):
>> * SSLv3, TLS handshake, Request CERT (13):
>> * SSLv3, TLS handshake, Server finished (14):
>> * SSLv3, TLS handshake, CERT (11):
>> * SSLv3, TLS handshake, Client key exchange (16):
>> * SSLv3, TLS change cipher, Client hello (1):
>> * SSLv3, TLS handshake, Finished (20):
>> * SSLv3, TLS alert, Server hello (2):
>> * error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>> * Closing connection 0
>> curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>> root@c5:~#
>>
>> Unless I am missing another config step here.
>>
>> Sure looks like the LXD image server is sending out bad certs into the wild.
>>
>> -Kevin
Re: [lxc-users] What is the best way to report bug issues with LXD rest server?
You should upgrade your local curl, so it uses TLS and not SSL, which is no longer secure and therefore disabled at the server. I guess the images repo still accepts SSL.

On 23 May 2015 02:14, Kevin LaTona li...@studiosola.com wrote:

> This past week or so I ran into an issue of not being able to connect to a test LXD rest server on my local network.
>
> I've tested this problem out from pretty much every angle I can think of. Everything from fresh OS, server and SSL lib installs to upgrades of currently running apps on my machines.
>
> Pretty much, unless I am missing some small fundamental piece that is preventing the current shipping vivid server from allowing connections to the LXD rest server, my take is there is a bug.
>
> If this is true, what is the best way to let the LXC team know about this to see how to get to the next step?
>
> To sum it up, I am able to connect to a public LXD rest server.
>
> # from vivid container -- public LXD server (container to public)
> curl -k https://images.linuxcontainers.org/1.0/images
> # {status: Success, metadata: [/1.0/images/e7ae410ee8abeb6
>
> No matter how and from what angle I try connecting to a local test LXD rest server, it is having connection issues.
>
> # vivid container 10.0.3.5 -- 192.168.0.50:8443 (container to host machine)
> # this container can ping 192.168.0.50
> curl -k https://192.168.0.50:8443/1.0/images
> # curl: (35) error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> # OS X term window -- vivid server (same 192.168.x.x network)
> curl -k https://192.168.0.50:8443/1.0/images
> # curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
>
> If anyone has any ideas or suggestions please send them along.
>
> -Kevin
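The two failure modes in this thread (an old curl that only speaks SSLv3 and gets "tlsv1 alert protocol version", and a client certificate that is not yet in `lxc config trust list` and gets "bad certificate"), together with the checklist Janjaap gives in his later reply (trusted client.crt, query /1.0 rather than /finger), as an added example in Python. This is not code from the thread or from the LXD project. It assumes the client certificate lives in ~/.config/lxc/client.crt and client.key as shown in the thread, that lxc saved the daemon's certificate as ~/.config/lxc/servercerts/local.crt (the remote name "local" is an assumption), and that the /1.0 reply carries an `auth` field of "trusted" or "untrusted"; the sample response is the one quoted in the thread with its JSON quotes restored. Unlike `curl -k` or `wget --no-check-certificate`, it pins the daemon's certificate instead of skipping verification:

```python
# Added example (not from the thread or the LXD project): a small LXD REST
# client that does what the curl/wget commands in the thread do, but with
# TLS 1.2+ enforced and the daemon's certificate pinned instead of ignored.
import http.client
import json
import os
import ssl

LXC_CONFIG = os.path.expanduser("~/.config/lxc")  # directory shown in the thread


def build_lxd_ssl_context(client_crt=None, client_key=None, server_crt=None):
    """TLS context for talking to an LXD daemon.

    - TLS 1.2 or newer only: the daemon has SSL disabled, which an old curl
      sees as 'tlsv1 alert protocol version'.
    - client_crt/client_key, if given, are presented to the daemon; this is
      the client.crt you register with `lxc config trust add client.crt`.
    - server_crt, if given, pins the daemon's self-signed certificate (the
      copy lxc keeps under servercerts/).  Hostname checking is off because
      that certificate has an empty common name (see the wget warning in the
      thread); the pin replaces it.  Without server_crt, verification is
      disabled, i.e. the same trust level as curl -k.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    if server_crt:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=server_crt)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    if client_crt:
        ctx.load_cert_chain(certfile=client_crt, keyfile=client_key)
    return ctx


def parse_server_info(body):
    """Reduce a GET /1.0 reply to the fields that matter when debugging.

    `auth` is the important one: "trusted" means the daemon accepted the
    client certificate we presented; "untrusted" means the TLS handshake
    worked but the certificate is not in `lxc config trust list`.
    """
    doc = json.loads(body)
    if doc.get("type") != "sync" or doc.get("status_code") != 200:
        raise RuntimeError("unexpected LXD response: %r" % (doc,))
    meta = doc["metadata"]
    env = meta.get("environment", {})
    return {
        "trusted": meta.get("auth") == "trusted",
        "api_compat": meta.get("api_compat"),
        "lxd_version": env.get("lxd_version"),
        "lxc_version": env.get("lxc_version"),
    }


def get_server_info(host, port=8443, ctx=None, timeout=10):
    """GET https://host:port/1.0 and return parse_server_info() of the body."""
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/1.0")  # no trailing slash, no /finger
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError("HTTP %d from %s:%d" % (resp.status, host, port))
    return parse_server_info(body)


# Constructed sample: the reply quoted in the thread with its JSON double
# quotes restored (the list archive stripped them).
SAMPLE_TRUSTED = json.dumps({
    "type": "sync", "status": "Success", "status_code": 200,
    "metadata": {
        "api_compat": 1, "auth": "trusted",
        "config": {"trust-password": True},
        "environment": {"backing_fs": "ext4", "driver": "lxc",
                        "kernel_version": "3.16.0-37-generic",
                        "lxc_version": "1.1.0", "lxd_version": "0.9"}}}).encode()

# Constructed sample of the same reply for a certificate that is not trusted.
SAMPLE_UNTRUSTED = SAMPLE_TRUSTED.replace(b'"trusted"', b'"untrusted"')


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ctx = build_lxd_ssl_context(
        client_crt=os.path.join(LXC_CONFIG, "client.crt"),
        client_key=os.path.join(LXC_CONFIG, "client.key"),
        # assumed file name: servercerts/<remote>.crt for the remote "local"
        server_crt=os.path.join(LXC_CONFIG, "servercerts", "local.crt"),
    )
    print(get_server_info(host, ctx=ctx))
```

Run it with the LXD host as the first argument. A handshake error points at the protocol or certificate layer (the two curl errors in the thread); a reply with `trusted` set to False means TLS is fine and only the `lxc config trust add client.crt` step is missing, which is the distinction the thread spends several messages working out.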
[lxc-users] add device unix-char not yet implemented?
Hi,

I have problems adding a /dev/net/tun device to the container. It appears that the unix-char device is not yet supported for the command:

lxc config device add ...

Is that right? Or should I do something else?

Thanks,
-Janjaap

(Using http://ppa.launchpad.net/ubuntu-lxc/lxd-git-master/ubuntu trusty)