Re: [lxc-users] Remaining virtual ethernet interfaces (veth) after container has been deleted
On 3/26/20 6:20 PM, steven prothero wrote:
Possible somewhat related:
https://discuss.linuxcontainers.org/t/is-there-a-way-to-pass-other-config-transient-true-to-vswitch/6354
https://github.com/lxc/lxd/issues/1596
https://github.com/lxc/lxc/issues/2849
https://github.com/lxc/lxc/issues/3137
https://github.com/lxc/lxc/issues/2913
https://github.com/lxc/lxc/issues/590
https://discuss.linuxcontainers.org/t/vethx-interfaces-are-not-removed-when-lxc-container-is-stopped/4816
https://discuss.linuxcontainers.org/t/serverside-veth-not-clean-shutdown-on-container-reboot-or-shutdown/4379
https://developers.redhat.com/blog/2017/12/01/open-vswitch-without-stale-ports/
I am using open vswitch and experience this issue also.

Hi Steven,
I used to end up with leftover veth devices at times, but since I've started giving them names on the host that hasn't happened. To be perfectly honest I have no idea if the renaming has anything to do with it, but I haven't experienced it since.
Mike Wright
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] Remaining virtual ethernet interfaces (veth) after container has been deleted
On 3/26/20 8:14 AM, Sebert, Holger.ext wrote:
Hi, we use LXD containers on our CI build nodes. For each build a container is created and deleted afterwards, so container creation and deletion happens quite often. Here is the problem: after some time, many virtual ethernet interfaces (veth*) accumulate. They look like this:

vethY59JK1 Link encap:Ethernet HWaddr fe:12:cc:54:20:70
  inet6 addr: fe80::fc12:ccff:fe54:2070/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:60 errors:0 dropped:0 overruns:0 frame:0
  TX packets:14095 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:6735 (6.7 KB) TX bytes:2417738 (2.4 MB)
...
vethYCP720 Link encap:Ethernet HWaddr fe:6c:d0:78:b0:63
  inet6 addr: fe80::fc6c:d0ff:fe78:b063/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:61 errors:0 dropped:0 overruns:0 frame:0
  TX packets:14075 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:6653 (6.6 KB) TX bytes:2414750 (2.4 MB)

These interfaces are not connected to any running container and cannot be removed. It seems to me that they are somehow leftovers from previous containers which don't exist anymore.

Hi Holger,
A technique I use is to give each container's interfaces unique names on the host, usually the same name as the container itself. If there is more than one interface I add a digit. E.g. container "zorro" has a profile named "zorro". Here is a snip from zorro's yaml profile:

devices:
  eth0:
    host_name: zorro    <--- will show up on the host

An interface cannot be removed while it is up:

ip link set dev zorro down    (short way: ip l s zorro down)
ip link del dev zorro         (short way: ip l d zorro)

A deleted interface is automagically removed from any bridge it's on.
Mike Wright
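The naming convention above makes leftover veth devices findable by comparing host interface names against the container list. The following is an added example, not code from the thread or from LXD: it assumes the `host_name: <container>` convention is in use (so anything still carrying a random `veth*` name is reported as unmatched and should be checked by hand), and it does the down-then-delete sequence from the post with `IP=echo` available as a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): find host-side veth devices that match
# no container, then remove one the way the post describes.

# stale_host_veths LINKS CONTAINERS
#   LINKS:      output of `ip -o link show type veth` on the host
#   CONTAINERS: one container name per line, e.g. `lxc list -c n --format csv`
# Prints every veth whose name (minus a trailing digit used for multi-NIC
# containers, zorro1 -> zorro) matches no container name.
stale_host_veths() {
    links=$1
    containers=$2
    printf '%s\n' "$links" | awk -F': ' 'NF >= 2 { print $2 }' | cut -d@ -f1 |
    while IFS= read -r dev; do
        [ -n "$dev" ] || continue
        base=$(printf '%s' "$dev" | sed 's/[0-9]*$//')
        if ! printf '%s\n' "$containers" | grep -qx -e "$dev" -e "$base"; then
            printf '%s\n' "$dev"
        fi
    done
}

# remove_host_veth DEV: bring DEV down first (the post notes an interface
# cannot be removed while up), then delete it; deleting also detaches it
# from its bridge. Only feed it names that came from stale_host_veths.
# Set IP=echo to preview the commands instead of running them.
remove_host_veth() {
    dev=$1
    : "${IP:=ip}"
    $IP link set dev "$dev" down || return 1
    $IP link del dev "$dev"
}

# Constructed sample data: two interfaces named after container "zorro"
# (eth0 and a second NIC), one random-named leftover, and the container list.
sample_links='5: zorro@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP mode DEFAULT group default qlen 1000\    link/ether fe:12:cc:54:20:70 brd ff:ff:ff:ff:ff:ff link-netnsid 0
7: zorro1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP mode DEFAULT group default qlen 1000\    link/ether fe:12:cc:54:20:71 brd ff:ff:ff:ff:ff:ff link-netnsid 0
9: vethY59JK1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP mode DEFAULT group default qlen 1000\    link/ether fe:12:cc:54:20:72 brd ff:ff:ff:ff:ff:ff'
sample_containers='zorro
alpha'

# Dry run over the sample: prints the ip commands that would be issued.
for dev in $(stale_host_veths "$sample_links" "$sample_containers"); do
    (IP=echo; remove_host_veth "$dev")
done
```

On a live host the two inputs are `"$(ip -o link show type veth)"` and `"$(lxc list -c n --format csv)"`; review the printed list before dropping `IP=echo`, since a veth with a random name may still belong to a container that simply has no `host_name` set.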
Re: [lxc-users] custom style for lxd.readthedocs.io for Firefox
On 3/16/20 4:29 PM, Stéphane Graber wrote:
How does https://linuxcontainers.org/lxd/docs/master/ look? We're moving away from read the docs in favor of self-hosted, so I'd prefer fixing anything that needs fixing over there.
Stéphane

It resizes! Sub-indexes on the right. That's great. I'll move my bookmark and start using it. If I notice anything I'll post.
Mike Wright

On Sun, Mar 15, 2020 at 3:01 PM Mike Wright wrote:
I find using the online docs at "lxd.readthedocs.io" tedious because the tables that show all the configuration options are narrow, with the "Description" column being particularly narrow. This causes the description to wrap into several lines and reduces the rows of configuration options that can be displayed on the screen at one time. By adding a user style to Firefox you can make the tables as wide as the screen. Call it an accessibility feature for people who don't like scrolling. The two links below show before and after views of a page.
Original https://pasteboard.co/IZfbCz2.png
Styled https://pasteboard.co/IZfc9jq.png

1) Start Firefox. We have to enable user styles: go to about:config and search for the following key:
   toolkit.legacyUserProfileCustomizations.stylesheets
   and make it true.
2) Change directory to the profile currently in use:
   cd ~/.mozilla/firefox
   cd $(ls -rt | tail -1)
   mkdir chrome    (if it doesn't exist)
   cd chrome
3) Add the following lines to userContent.css:
   @-moz-document domain("lxd.readthedocs.io") {
     .wy-nav-content { max-width: 100% !important; }
   }
4) The following advice is provided because, at least on ff-73, having the namespace directive causes user styles not to work: if userContent.css previously existed and it contains a "namespace" directive, comment it out using CSS-style commenting /* ... */ or just delete it (up to you).
5) Check if it works: restart Firefox and go to "https://lxd.readthedocs.io/en/latest/configuration/networks"; scroll down until you find a table; widen your browser window. You should see the table expand with it.
Enjoy,
Mike Wright
[lxc-users] custom style for lxd.readthedocs.io for Firefox
I find using the online docs at "lxd.readthedocs.io" tedious because the tables that show all the configuration options are narrow, with the "Description" column being particularly narrow. This causes the description to wrap into several lines and reduces the rows of configuration options that can be displayed on the screen at one time. By adding a user style to Firefox you can make the tables as wide as the screen. Call it an accessibility feature for people who don't like scrolling. The two links below show before and after views of a page.
Original https://pasteboard.co/IZfbCz2.png
Styled https://pasteboard.co/IZfc9jq.png

1) Start Firefox. We have to enable user styles: go to about:config and search for the following key:
   toolkit.legacyUserProfileCustomizations.stylesheets
   and make it true.
2) Change directory to the profile currently in use:
   cd ~/.mozilla/firefox
   cd $(ls -rt | tail -1)
   mkdir chrome    (if it doesn't exist)
   cd chrome
3) Add the following lines to userContent.css:
   @-moz-document domain("lxd.readthedocs.io") {
     .wy-nav-content { max-width: 100% !important; }
   }
4) The following advice is provided because, at least on ff-73, having the namespace directive causes user styles not to work: if userContent.css previously existed and it contains a "namespace" directive, comment it out using CSS-style commenting /* ... */ or just delete it (up to you).
5) Check if it works: restart Firefox and go to "https://lxd.readthedocs.io/en/latest/configuration/networks"; scroll down until you find a table; widen your browser window. You should see the table expand with it.
Enjoy,
Mike Wright
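Steps 1 through 4 above can be scripted so the edit is repeatable and the namespace caveat is handled automatically. The following is an added example, not part of the original post: it takes the profile directory as an explicit argument instead of guessing it with `ls -rt`, enables the `toolkit.legacyUserProfileCustomizations.stylesheets` pref through the profile's user.js (the file Firefox reads the same keys from), comments out any `@namespace` line, and appends the rule only once. The domain defaults to lxd.readthedocs.io and can be passed as a second argument.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-4 as one idempotent function.

# install_rtd_style PROFILE_DIR [DOMAIN]   -> prints the path of userContent.css
install_rtd_style() {
    profile=$1
    site=${2:-lxd.readthedocs.io}
    css="$profile/chrome/userContent.css"
    mkdir -p "$profile/chrome"

    # step 1: enable user styles for this profile (same key as in about:config)
    pref='user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true);'
    grep -qF "$pref" "$profile/user.js" 2>/dev/null ||
        printf '%s\n' "$pref" >>"$profile/user.js"

    # step 4: an @namespace directive stops user styles from applying on ff-73,
    # so wrap any such line in a CSS comment (a .bak copy is kept)
    if [ -f "$css" ] && grep -q '^[[:space:]]*@namespace' "$css"; then
        sed -i.bak 's#^\([[:space:]]*@namespace.*\)$#/* \1 */#' "$css"
    fi

    # step 3: the widening rule, appended only if this domain is not there yet
    if ! grep -qF "domain(\"$site\")" "$css" 2>/dev/null; then
        cat >>"$css" <<EOF
@-moz-document domain("$site") {
  .wy-nav-content { max-width: 100% !important; }
}
EOF
    fi
    printf '%s\n' "$css"
}

# Constructed demo in a scratch directory: a pre-existing userContent.css that
# already carries a namespace line and one unrelated rule.
demo=$(mktemp -d)
mkdir -p "$demo/chrome"
printf '@namespace url(http://www.w3.org/1999/xhtml);\nbody { color: red; }\n' \
    >"$demo/chrome/userContent.css"
install_rtd_style "$demo" >/dev/null
cat "$demo/chrome/userContent.css"
```

Run it as `install_rtd_style ~/.mozilla/firefox/<profile>` while Firefox is closed, then restart Firefox for step 5; the profile directory is listed in `~/.mozilla/firefox/profiles.ini`.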
Re: [lxc-users] Unprivileged networking option?
On 2/28/20 5:34 AM, Ede Wolf wrote:
Hello, do we have any alternatives to classical bridging right now for connecting (to) unprivileged containers? Like macvlan or ipvlan? If so, I may have missed the documentation; otherwise, are there any plans to incorporate those options? Or maybe there are sound reasons not to at all?

Containers are unprivileged by default.
https://lxd.readthedocs.io/en/latest/instances/#nictype-ipvlan
https://lxd.readthedocs.io/en/latest/instances/#nictype-macvlan
Re: [lxc-users] how to forbid cross-network traffic?
On 2/10/20 9:41 AM, Tomasz Chmielewski wrote:
I have these two networks:

# lxc network show br-staging
config:
  ipv4.address: 10.100.0.1/24
  ipv4.dhcp.ranges: 10.100.0.50-10.100.0.254
  ipv4.firewall: "true"
  ipv4.nat: "true"
description: staging network
name: br-staging
type: bridge

# lxc network show br-testing
config:
  ipv4.address: 10.200.0.1/24
  ipv4.dhcp.ranges: 10.200.0.50-10.200.0.254
  ipv4.firewall: "true"
  ipv4.nat: "true"
description: testing network
name: br-testing
type: bridge

Containers in these two networks have IP addresses assigned from DHCP and can connect out to the world - this is what I want. Unfortunately, containers from one network (staging) can also connect to containers from the other network (testing) - which is not what I want. Is there any mechanism in LXD to prevent it? Or do I have to add my own, custom iptables rules?

Hi Tomasz,
Staging and testing are on separate /24 subnets that normally shouldn't talk to each other. Is it possible that they're talking to each other via the nat side? Have you looked into macvlan? It has some interesting restrictions on traffic that you might be able to take advantage of. I haven't played with that nic type yet so I can't be of specific help. https://lxd.readthedocs.io/en/latest/instances/#nictype-macvlan shows the config settings, but search within that page and there are descriptions of its properties.
Mike Wright
Re: [lxc-users] LXD static IP in container
On 2/6/20 8:29 AM, Michael Eager wrote:
Thanks. I had tried this, but it didn't appear to work. I just tried it again and got it to work. I assume that I can move the eth0 definition back to the profile, without the ipv4.address specification.

https://lxd.readthedocs.io/en/latest/instances/#type-nic
Do searches on dhcp and static. When dealing with device type=nic, address assignment depends on nic type:
  if nic type=bridged, ipv4.address is assigned via DHCP
  if nic type=routed, ipv4.address is assigned as static
Maybe that will clear up some of the confusion.
:m
[lxc-users] lxc profiles
Hi everybody,
I have a question about profiles. Are they used only in the initial "lxc launch" or do they have a continuing role?
Thanks for any clarification.
Mike Wright
[lxc-users] does nfs-kernel-server run in an LXC container?
Hi,
I'm trying to run nfs-kernel-server in an LXC container. If I apt install nfs-kernel-server on the host it installs and starts without error. If I apt install nfs-kernel-server in an LXC guest it does not run but fails with a dependency error. Can anybody tell me if it is possible to run nfs-kernel-server in an LXC container? If it is possible, can anybody help me understand what dependency is missing?
Thinking it may be an incapable kernel, I upgraded the host to ubuntu-19.10 with kernel 5.3.0. That doesn't solve the problem (although it does allow nfs-kernel-server to run on the host now).
Waiting for a response,
Thank you,
Mike Wright
[lxc-users] nfs apparmor denial
Hi all,
I have an Ubuntu-19.10 fully upgraded lxc container (as in lxc-create) and am trying to use it as an nfs-kernel-server. It is down to one last error that has me stymied. In /etc/apparmor/lxc-default-cgns I have placed (thanx google):

mount fstype=nfs*,
mount options=(rw, bind, ro),

The errors are all apparmor DENIED; each begins with the following line, the only difference being "failed type" vs "failed flags":

apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns"

Here are the tail ends of the errors. They are all nfs related.

name="/run/rpc_pipefs/" pid=28767 comm="mount" fstype="rpc_pipefs" srcname="sunrpc"
name="/run/rpc_pipefs/" pid=28767 comm="mount" fstype="rpc_pipefs" srcname="sunrpc" flags="ro"
name="/" pid=28783 comm="(nft)" flags="rw, rslave"
name="/proc/fs/nfsd/" pid=28811 comm="mount" fstype="nfsd" srcname="nfsd"
name="/proc/fs/nfsd/" pid=28811 comm="mount" fstype="nfsd" srcname="nfsd" flags="ro"
name="/" pid=28867 comm="(networkd)" flags="rw, rslave"
name="/" pid=29030 comm="(d-logind)" flags="rw, rslave"

If somebody could point me in the right direction I'd be most grateful.
Thanks,
Mike Wright
Re: [lxc-users] ZFS configuration
On 08/21/2018 11:40 AM, Stephen Brown Jr wrote:
Hello, I am just getting started with LXD. I have an existing zfs pool, and want to use a ZFS dataset on that pool to store my containers on. I ran the command lxc storage create pool1 zfs source=fast/containers, and it appeared to create it; however, I do not see it in the /fast directory nor does zpool status list this. It's possible that I don't understand how this works however. I do see it created if I run the command lxc storage list; it does indeed show up:
| pool1 | | zfs | fast/containers | 0
I created a container for testing thinking it would show up, but no go on that either. Would like to understand how this is implemented and what I should expect?

Hi,
I'm also new to zfs and lxd so my help is limited. Did you mount your zfs dataset anywhere? My ubuntu system is like:

/var
  /lib
    /lxd
      /containers
      ...
      /storage-pools
        /lxd    <-- my lxc pool name; zfs dataset name; mountpoint
          /containers
          ...
          /snapshots

For this to work you *must* mount your dataset before you create any containers. If you already have containers you won't be able to mount over the top of them. zfs wants an empty mountpoint AFAIK. I mounted one level above /containers so I could get all the images, snapshots, deleted, and containers, etc. in one place and allow for moving them as a "set". Note that /lxd was put there by the lxc storage command. Your pool1 is probably there, too.
[lxc-users] bridged device's name
Hi all,
Is there a way to set a network device's host side name? e.g. with lxc style configs:

#myContainer
lxc.net.0.type = veth
lxc.net.0.veth.pair = host-side-name
lxc.net.0.link = myBridge

brctl show myBridge
myBridge    8000.025134e8ffad    no    host-side-name

so that this happens:
myBridge -> host-side-name === myContainer -> eth0
instead of:
myBridge -> veth9OXS8PAW === myContainer -> eth0

I know that I can change the name after the fact using iproute2, but automated is better.
Thanks,
Mike Wright
[lxc-users] lxd not starting dnsmasq
Hi all,
My system is ubuntu bionic, kernel 4.15, lxd 3.2 (non-snap), fully upgraded. After starting LXD (systemctl start lxd.socket lxd) I can create containers which get an eth0 that's defined in /etc/netplan/50-cloud-init.yaml as dhcp, but they don't pick up an address. Further investigation shows that dnsmasq is not running on the host. I haven't been able to find any docs about this. I'd start it manually but I can't find where/how the config for it is stored/created.
"lxc network list" shows this:

+-----+--------+-----+---+---+
| LXD | bridge | NO  |   | 1 |
+-----+--------+-----+---+---+

Thinking this may be the source of the problem I tried "lxc network set LXD dns.mode managed" and got "Error: Only managed networks can be modified." Câline! (thank you, netflix)
I can manually add addresses to the bridge and containers and networking works, but I'd prefer dhcp. I've spent days chasing this. Uninstall, purge, install, and nothing. What really perplexes me is that the first couple of times I installed lxd, dnsmasq always was started when lxd was started. (Lots of (un)installs trying to figure out zfs :/ ). Now it never starts dnsmasq. Anybody have any pointers?
Thanks,
Mike Wright
[lxc-users] lxd-3.2 predefined keys
Hi all,
I'm trying to learn how to use lxd, so I installed the lxd-3.2 snap and zfs. Note: I'm new to lxd, zfs, and snaps (but familiar with lxc). Using zpool and zfs I created a zpool and a dataset, "ZFS/lxd". I think I can use that dataset as the backing store for a lxd pool:
lxc storage create lxd zfs [key=value...]
but I have no idea what the key names are for "mount point", "backing store for the pool", etc. In fact, without the key names, I can't inspect any of the settings except via show and info. (I did say I'm unfamiliar with lxd ;D
Where can I find a list of the predefined keys used by the lxc commands? I've been spinning my wheels for at least a week and getting nowhere, so great thanks for any help or pointers,
Mike Wright
[lxc-users] correction to lxc help docs
lxc version
Client version: 3.2
Server version: 3.2

lxc config add --help
. . .
Usage:
  lxc config [command]
. . .
Incorrect usage listed.
[lxc-users] correction to lxc help docs
lxc version
Client version: 3.2
Server version: 3.2

lxc cluster enable --help
. . .
Aliases:
  enable, rm
. . .
This must be an error.
Re: [lxc-users] preventing multiple networks to connect to each other?
On 10/01/2017 10:59 AM, Tomasz Chmielewski wrote:
I would like to have several networks on the same host - so I've created them with:
# lxc network create br-testing
# lxc network create br-staging
Then edited to match:

# lxc network show br-staging
config:
  ipv4.address: 10.191.0.1/24
  ipv4.dhcp.ranges: 10.191.0.50-10.191.0.254
  ipv4.nat: "false"

# lxc network show br-testing
config:
  ipv4.address: 10.190.0.1/24
  ipv4.dhcp.ranges: 10.190.0.50-10.190.0.254
  ipv4.nat: "false"

The problem is I'd like these networks to be separated - i.e. containers using the br-staging bridge should not be able to connect to br-testing containers, and the other way around. Both networks should be able to connect to hosts in the internet. Is there any easy switch for that? So far, one thing which works is to write my own iptables rules, but that gets messy with more networks.

Is there any reason to keep them on the same subnet? How about: to the host 10.191.0.0/23 (or larger), then the subnets: 10.191.0.0/24 and 10.191.1.0/24. Then iptables could easily block them from each other:
-s 10.191.0.0/24 -d 10.191.1.0/24 -j DROP
and
-s 10.191.1.0/24 -d 10.191.0.0/24 -j DROP
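The two DROP rules above only work if they sit ahead of the ACCEPT rules LXD itself installs in the FORWARD chain (LXD appends `-A FORWARD -i <bridge> -j ACCEPT` and `-o <bridge> -j ACCEPT` for each managed bridge, as the iptables-save output later in this archive shows), so an appended DROP never matches. The following is an added example, not code from the thread or from LXD, covering both this thread and the later br-staging/br-testing question: it inserts the isolation rules at the head of the chain, matched on bridge interface rather than subnet so they keep working if the subnets change, and it checks a rule listing to confirm the DROPs really precede LXD's ACCEPTs. `IPT=echo` previews the commands; the bridge names are the ones from the thread and the rule listings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): isolate two LXD bridges in FORWARD and
# verify the rule order, since an appended DROP sits behind LXD's ACCEPTs.

# isolate_bridges BR_A BR_B: insert (-I, not -A) a DROP in each direction.
# Both bridges keep their route to the outside; only cross-bridge forwarding dies.
isolate_bridges() {
    : "${IPT:=iptables}"
    $IPT -I FORWARD -i "$1" -o "$2" -j DROP
    $IPT -I FORWARD -i "$2" -o "$1" -j DROP
}

# forward_drops_first RULES BR_A BR_B
#   RULES: output of `iptables -S FORWARD`
#   Succeeds only when both DROP rules precede every ACCEPT that mentions
#   either bridge, i.e. when the isolation is actually effective.
forward_drops_first() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        /^-A FORWARD/ && /-j ACCEPT/ && ($0 ~ a || $0 ~ b) && !(da && db) { exit 1 }
        /^-A FORWARD/ && /-j DROP/ && $0 ~ ("-i " a " -o " b) { da = 1 }
        /^-A FORWARD/ && /-j DROP/ && $0 ~ ("-i " b " -o " a) { db = 1 }
        END { exit !(da && db) }'
}

# Constructed sample: `iptables -S FORWARD` after isolate_bridges ran on a
# host where LXD had already appended its per-bridge rules.
sample_rules='-P FORWARD ACCEPT
-A FORWARD -i br-testing -o br-staging -j DROP
-A FORWARD -i br-staging -o br-testing -j DROP
-A FORWARD -o br-staging -m comment --comment "generated for LXD network br-staging" -j ACCEPT
-A FORWARD -i br-staging -m comment --comment "generated for LXD network br-staging" -j ACCEPT
-A FORWARD -o br-testing -m comment --comment "generated for LXD network br-testing" -j ACCEPT
-A FORWARD -i br-testing -m comment --comment "generated for LXD network br-testing" -j ACCEPT'

# The same DROPs appended with -A instead: the check must report them as ineffective.
sample_rules_appended='-P FORWARD ACCEPT
-A FORWARD -o br-staging -j ACCEPT
-A FORWARD -i br-staging -j ACCEPT
-A FORWARD -i br-testing -o br-staging -j DROP
-A FORWARD -i br-staging -o br-testing -j DROP'

if forward_drops_first "$sample_rules" br-staging br-testing; then
    echo "inserted rules: isolation effective"
fi
if ! forward_drops_first "$sample_rules_appended" br-staging br-testing; then
    echo "appended rules: isolation NOT effective"
fi
```

On a live host, run `isolate_bridges br-staging br-testing` and then `forward_drops_first "$(iptables -S FORWARD)" br-staging br-testing` to confirm. The inserted rules do not survive a reboot on their own, and because LXD re-adds its ACCEPTs with `-A` when it starts, re-applying the DROPs with `-I` after LXD is up keeps them in front.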
Re: [lxc-users] lxd host can not access container via domain
On 09/02/2017 03:36 PM, Benjamin Asbach wrote:
On 2017-09-02 06:13, Mike Wright wrote:
On 09/01/2017 07:02 PM, Benjamin Asbach wrote:
Hi there, I've some problems with connecting to my containers via my public domain from the host itself. I'm using bridged network by lxc network. The setup looks like this:
remote -> domain.com -> host -> container1 (nginx) -> container2 (app)
When I curl from a remote location this works quite fine:
curl https://sub.domain.com
%
But when I'm doing the same from the host itself:
curl https://sub.domain.com
curl: (7) Failed to connect to sub.domain.com port 443: Connection refused
I'm a little bit confused why this happens. I thought it might be connected to iptables. But the rules look good to me. Might the issue be related to the bridged network, or do you have any ideas what's causing the problem?!

Hi Benjamin,
I'll give this a stab. Does the host have an address on the bridge? To test, give it one. If it works make sure to add iptables rules so the host only accepts EST,REL traffic from the bridge guests (barbarians at the gates, etc). If you don't want the host to have a bridge address you'll have to set up some other method such as NAT like you did for traffic coming in on ens18.

Thanks for your reply! I checked that the adapter has an address:
ip addr
2: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:06:96:f6:16:da brd ff:ff:ff:ff:ff:ff
    inet 10.0.4.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::5c98:e8ff:fe13:66e3/64 scope link
       valid_lft forever preferred_lft forever
I tried to get some information on what you meant, but currently I'm a little bit confused how to apply these ESTABLISHED and RELATED rules to iptables. Do you mind giving a little bit more detail on that?

Those are part of the "connection tracking" part of iptables. Check out "man iptables-extensions" -> conntrack for all the details.

I don't know how much you know so I'll be basic. If you already know this stuff skip down to the example rules.

WRT general traffic, packets can be in 1 of 4 states: INVALID, NEW, ESTABLISHED, or RELATED. New packets create a stream. If a NOT NEW packet arrives and is not part of any known stream it is INVALID and should be DROP'd (log if curious); otherwise it is ESTABLISHED as part of a stream. A special type of NEW packet is RELATED: it's establishing a NEW connection but only as part of a pre-existing conversation such as FTP or ICMP.

As far as firewalling goes: keep everybody out of your host unless they absolutely MUST be there. "Be there" includes answering responses to traffic you initiated, and means you have to accept ESTABLISHED traffic or the connection dies.

Here is a bare firewall:

# our POLICY is that nothing gets in.
# watch every connection and only accept packets for established streams: that is,
# response data to NEW streams created remotely because you asked for something:
# a web page, dns address, etc.
# note that having a default policy of DROP gets rid of INVALID packets
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate EST,REL -j ACCEPT

# or more specifically for a device
iptables -A INPUT -i lxdbr0 -m conntrack --ctstate EST,REL -j ACCEPT
iptables -A INPUT -i lxdbr0 -j DROP    ## get rid of INVALID and NEW

# are you a router? same thing for FORWARDing
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate EST,REL -j ACCEPT

# ok, I'm a nameserver so I have to accept udp and tcp on port 53
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT

You could also DROP OUTPUT traffic and filter all outgoing packets for even more control. Anyway, those are some example rules and an intro to connection tracking.

As to your current problem: do you have firewalls in the guests that might be blocking traffic from other devices on 10.4.0.0/24? Try connecting to one of your guests using lxc-attach and run tcpdump to make sure that your connection attempt is being seen. Run tcpdump on your host and watch for outgoing and incoming traffic. To not drown in data, tell tcpdump what to show, e.g. tcpdump -i lxdbr0 port 80. Use -nn to see IP and port numbers instead of names.
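The rules above work as a sequence of hand-typed commands; the following is an added example, not Mike's rules verbatim, that turns the same conntrack-based host firewall into a repeatable script with two additions a practitioner usually needs: the loopback interface is accepted explicitly (with a DROP policy the first packet of a local connection is NEW and would otherwise be lost), and INVALID packets are logged before they are dropped so the "log if curious" option is there. The bridge helper implements the "host only accepts EST,REL from the bridge guests" rule from earlier in the thread while still letting the DHCP and DNS that LXD serves on the bridge through. `IPT=echo` previews the rule list instead of applying it; interface names are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): conntrack host firewall as a script.
# IPT may be set to "echo" to preview; defaults to iptables.
: "${IPT:=iptables}"

# base_firewall: default-deny in and through, replies allowed, INVALID logged.
# Nothing is flushed, so rules LXD added for its bridges (FORWARD ACCEPTs) stay.
base_firewall() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # local connections: the first packet arrives on lo as NEW, so accept lo
    # before the conntrack rule or local services stop working
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened, plus RELATED (FTP data, ICMP errors)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # packets that belong to no known stream: log, then drop
    $IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "fw-invalid: "
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # routed traffic: same idea, replies only unless a later rule opens more
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# allow_service IFACE PROTO PORT: accept NEW connections to one listening port
allow_service() {
    $IPT -A INPUT -i "$1" -p "$2" --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
}

# bridge_guests BRIDGE: guests get replies (already accepted above) and the
# DHCP/DNS the host serves them; everything else from the bridge is dropped.
bridge_guests() {
    $IPT -A INPUT -i "$1" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$1" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$1" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$1" -j DROP
}

# Dry run: print the full rule set for a host with ssh on eth0 and an LXD bridge.
(IPT=echo; base_firewall; allow_service eth0 tcp 22; bridge_guests lxdbr0)
```

Order matters: `bridge_guests` must come after `base_firewall` so the ESTABLISHED,RELATED rule precedes the bridge's final DROP, and `allow_service` lines belong before any interface-wide DROP for the same interface. For a production host, feed the equivalent rules to `iptables-restore` instead, so the whole set is applied atomically rather than with a window during which the DROP policy is in force but the ACCEPT rules are not yet loaded.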
Re: [lxc-users] lxd host can not access container via domain
On 09/01/2017 07:02 PM, Benjamin Asbach wrote:
Hi there, I've some problems with connecting to my containers via my public domain from the host itself. I'm using bridged network by lxc network. The setup looks like this:
remote -> domain.com -> host -> container1 (nginx) -> container2 (app)
When I curl from a remote location this works quite fine:
curl https://sub.domain.com
%
But when I'm doing the same from the host itself:
curl https://sub.domain.com
curl: (7) Failed to connect to sub.domain.com port 443: Connection refused
I'm a little bit confused why this happens. I thought it might be connected to iptables. But the rules look good to me:

iptables-save
# Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
*nat
:PREROUTING ACCEPT [138088:14417714]
:INPUT ACCEPT [51357:4468554]
:OUTPUT ACCEPT [8593:788743]
:POSTROUTING ACCEPT [8445:711271]
-A PREROUTING -i ens18 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.4.187:80
-A PREROUTING -i ens18 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.4.187:443
-A PREROUTING -i ens18 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 10.0.4.116:8022
-A POSTROUTING -s 10.0.4.0/24 ! -d 10.0.4.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
COMMIT
# Completed on Sat Sep 2 02:24:33 2017
# Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
*mangle
:PREROUTING ACCEPT [293993:48599155]
:INPUT ACCEPT [188065:31562883]
:FORWARD ACCEPT [19475:7104838]
:OUTPUT ACCEPT [124159:16994042]
:POSTROUTING ACCEPT [147110:24355452]
-A POSTROUTING -o lxdbr0 -p udp -m udp --dport 68 -m comment --comment "generated for LXD network lxdbr0" -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Sep 2 02:24:33 2017
# Generated by iptables-save v1.6.1 on Sat Sep 2 02:24:33 2017
*filter
:INPUT ACCEPT [449:65419]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [274:37570]
-A INPUT -i lxdbr0 -p tcp -m tcp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A INPUT -i lxdbr0 -p udp -m udp --dport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -o lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A FORWARD -i lxdbr0 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p tcp -m tcp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 53 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
-A OUTPUT -o lxdbr0 -p udp -m udp --sport 67 -m comment --comment "generated for LXD network lxdbr0" -j ACCEPT
COMMIT
# Completed on Sat Sep 2 02:24:33 2017

Might the issue be related to the bridged network, or do you have any ideas what's causing the problem?!

Hi Benjamin,
I'll give this a stab. Does the host have an address on the bridge? To test, give it one. If it works make sure to add iptables rules so the host only accepts EST,REL traffic from the bridge guests (barbarians at the gates, etc).
If you don't want the host to have a bridge address you'll have to set up some other method such as NAT like you did for traffic coming in on ens18.
Good luck,
Mike Wright
Re: [lxc-users] instantiate_veth: 2669 failed to attach 'vethMU7OO1' to the bridge
On 05/28/2017 10:46 AM, Rick Leir wrote:
Hi all, Sorry for being so terse in the last post. It has been a year since I used LXC, and everything worked easily then. Now, with a new Fedora 26 system, it is not straightforward. How would you troubleshoot this?

# brctl show
bridge name    bridge id            STP enabled    interfaces
virbr0         8000.525400c7428b    yes            virbr0-nic
# lxc-checkconfig
# lxc-create -n crowdsr -t fedora
# lxc-start -n crowdsr -F
lxc-start: conf.c: instantiate_veth: 2669 failed to attach 'vethMU7OO1' to the bridge 'lxcbr0': Operation not permitted

brctl shows only virbr0; you are trying to attach to lxcbr0 which, apparently, doesn't exist. I thought lxc created that, but you can add it with:
brctl addbr lxcbr0
[lxc-users] [OT] uidmap
Hi all,
Is there a similar functionality to uidmap and its kin for the RedHat world?
Re: [lxc-users] tun device in unprivileged Debian Stretch lxc Container
On 09/22/2016 05:14 PM, Paul Dino Jones wrote:
Hi all, I could have sworn in the past I was able to make an unprivileged container use openvpn, but yesterday I started an unprivileged container and was not able to use openvpn because I did not have a /dev/net/tun. I was able to get it started in a normal privileged container after performing a mknod. Which makes sense, because an unprivileged user isn't going to be able to create that tun device. I'm just wondering if there is something I'm missing since I think it used to work.

If it does not exist, create /dev/net/tun:
mknod /dev/net/tun c 10 200
In lxc parlance you would add a line like this to your config file:
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=file
Re: [lxc-users] tun device in unprivileged Debian Stretch lxc Container
On 09/28/2016 07:11 AM, Mike Wright wrote:
On 09/22/2016 05:14 PM, Paul Dino Jones wrote:
Hi all, I could have sworn in the past I was able to make an unprivileged container use openvpn, but yesterday I started an unprivileged container and was not able to use openvpn because I did not have a /dev/net/tun

If it does not exist, create /dev/net/tun:
mknod /dev/net/tun c 10 200
In lxc parlance you would add a line like this to your config file:
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=file

...damn cut and paste
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,optional,create=file
Re: [lxc-users] btrfs and LXC/LXD - disk quota exceeded
On 06/28/2016 06:32 AM, Benoit GEORGELIN - Association Web4all wrote:
Hi, For once, simple question :)

Hello Benoit,
Please don't hijack threads. (That's where you take an existing thread and change the subject). It messes up the message flow. It's the same thing as people having a conversation and somebody walks up and changes the topic. Many consider it impolite.
Re: [lxc-users] using cgroups
On 06/26/2016 06:41 PM, Serge E. Hallyn wrote:
Quoting Mike Wright (nob...@nospam.hostisimo.com):
Ideas on how would I go about determining the problem?
Edit /lib/systemd/system/cgmanager.service and add '--debug' to the end of the ExecStart line. Do 'systemctl daemon-reload' followed by 'systemctl restart cgmanager'. Then do the above again, and do 'journalctl -u cgmanager' and list the results here. Also show the contents of /proc/self/cgroup and /proc/self/mountinfo. That should give us what we need.

Following clean boot; no cli cgm commands given. Attached is journalctl -u cgmanager, /proc/self/{cgroup,mountinfo}
cgm.tar.bz2
Description: application/bzip
Re: [lxc-users] How do you mount this file as an lxc rootfs?
On 06/20/2016 06:47 AM, John Lewis wrote:
I have an ext4 formatted file called pmd.simg with a directory structure like this:
lost+found
rootfs

You should be able to mount that via the loop device (using /mnt as the mount point):
mount -o loop pmd.simg /mnt
Then rootfs will be available at /mnt/rootfs
Re: [lxc-users] lxc-2.0.1 can't start unprivileged container
On 06/09/2016 12:40 PM, Stéphane Graber wrote:
Sounds like your host /proc is over-mounted, which triggers a protection mechanism in the kernel that prevents an unprivileged user from mounting it. Look in your host's /proc/mounts for any mountpoint under /proc; try unmounting them one by one until you find the one that's triggering the protection.

Thanks Stéphane,
Here's what's there:
grep proc /proc/mounts:
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct 0 0
xenfs /proc/xen xenfs rw,relatime 0 0
I don't think I can safely remove any of those. Any other ideas?
[lxc-users] lxc-2.0.1 can't start unprivileged container
Hi all,

Environment:
ubuntu xenial 16.04
kernel 4.4.0-22-generic
lxc-2.0.1
liblxc1: Version: 2.0.1-0ubuntu1~16.04.1
fully upgraded.

Created unprivileged container with:
-n whitney -- -d ubuntu -r xenial -a amd64

config: {
lxc.id_map = u 0 10 65536
lxc.id_map = g 0 10 65536
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
lxc.rootfs = /home/mike/.local/share/lxc/whitney/rootfs
lxc.rootfs.backend = dir
lxc.utsname = whitney
lxc.network.type = veth
lxc.network.link = LAN
lxc.network.flags = down ## ensure not a network err
lxc.network.hwaddr = 00:16:3e:ef:3e:d2
}

lxc-start -n whitney fails with:
lxc-start: utils.c: safe_mount: 1692 Operation not permitted - Failed to mount proc onto /usr/lib/x86_64-linux-gnu/lxc/proc

Googling shows similar errors back in kernel 3.19. Has this resurrected itself? Recommendations?

Thanks,
Mike Wright
[lxc-users] ppa issues
Hi all,

First: thanks for all your efforts with LXC, etc. I've got to say that LXC makes accessible virtual machines more easily than any other approaches I've tried (except maybe renting one in "The Cloud" ;D )

Currently running lxc-1.1.5 on wily and want to explore 2.x. I'm having problems with the ppa.

'apt-add-repository "http://ppa.launchpad.net/ubuntu-lxc/lxc-stable/ubuntu wily main"' installed without complaint.

'apt-get update' failed with the following error:
"Err http://ppa.launchpad.net wily/main amd64 Packages 404 Not Found"

Further errors included GPG with "public key is not available".

Any helpers out there today?

Thanks,
Mike Wright
[lxc-users] named network devices
Hi all,

When using privileged containers I can name an ethernet device that shows up in iproute2, brctl, etc. e.g.

lxc.network.veth.pair = myExampleNIC

but when using unprivileged containers the same config option has no effect.

Is this a bug or intentional? Is there a way to name them?

Thanks,
Mike Wright
[lxc-users] request for addition
Hi all,

I was trying to find out just which LXC was running and ended up looking in the apt/archives to find the version.

Would it be hard to add something like "lxc-version"? Takes no args, just prints out the current lxc version number?

Thanks,
Mike Wright
Re: [lxc-users] [solved] is precise-gui special?
On 03/06/2016 09:10 AM, Mike Wright wrote:
> Hi all,
>
> I'm moving through Stéphane Graber's website LXC 1.0 series and am at LXC 1.0: GUI in containers.
>
> When it came time to install chrome the google i386 apps 404'ed but the 64s are still there.
>
> Is there anything in particular that is special about precise-gui or can I perform the experiment on any of the available 64bit ubuntu distros?

And the answer is... yes you can. There is nothing special about precise-gui.

I just installed google-chrome into an unprivileged container running Xenial and it came up without a hitch. Actually it came up faster from the lightweight container than it does from my actual Wily desktop.

Great work Stéphane!

Thanks,
Mike Wright
[lxc-users] is precise-gui special?
Hi all,

I'm moving through Stéphane Graber's website LXC 1.0 series and am at LXC 1.0: GUI in containers.

When it came time to install chrome the google i386 apps 404'ed but the 64s are still there.

Is there anything in particular that is special about precise-gui or can I perform the experiment on any of the available 64bit ubuntu distros?

Thanks,
Mike Wright
Re: [lxc-users] [SOLVED] problems starting unprivileged container
On 03/05/2016 05:21 PM, Mike Wright wrote:
> Hi all,

Several pointers for the next person.

An error message pointed out that the following...

lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 10 65536
lxc.id_map = g 0 10 65536

...must be added to .config/lxc/default.conf (the lxc.include can be replaced by an actual network definition.)

Apparently ~/.config/lxc/lxc.conf isn't necessary???
[lxc-users] problems starting unprivileged container
Hi all,

First post. I think lxc is incredible. I've replaced all but one of my xen vms with containers and they have been rock solid. It is now time to take away their privileges. (sounds like being punished for being good ;)

Following Stéphane Graber's website LXC 1.0 [7/10] without success.

host: ubuntu-15.10 wily
lxc: 1.1.5
guest ubuntu-16.04 xenial pulled from jenkins

grep mike /etc/sub?id
/etc/subgid:mike:10:65536
/etc/subuid:mike:10:65536

~/.config/lxc/lxc.conf (empty)
~/.config/lxc/default.conf has lxc.network.{type,link,flags,hwaddr}
~/.local/share/lxc/XENIAL/{config,rootfs}
...XENIAL/config is standard config with correct full path to rootfs

I've made it this far:

As mike: lxc-start -n XENIAL -o log -l ERROR -F

fails here:
conf.c:setup_ttydir_console:1551 - Device or resource busy - error unlinking /usr/lib/x86_64-linux-gnu/lxc/dev/console

That file didn't exist so I created it and tried again. Same failure.

Any idea how to proceed from here?

Thanks,
Mike Wright
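An added example (not code from either post) that ties the [SOLVED] follow-up above and this question together: it checks that each lxc.id_map host range in default.conf lies inside a range delegated to the user in /etc/subuid or /etc/subgid, which is what newuidmap/newgidmap enforce when an unprivileged container starts. Function names are my own; the sample config and sub*id lines are constructed from the values posted in this thread.

```python
"""Verify lxc.id_map ranges against /etc/subuid and /etc/subgid (added example)."""


def parse_subid(text, user):
    """Return [(start, count)] delegated to `user` in subuid/subgid-format text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def parse_id_map(config_text):
    """Return [(kind, container_start, host_start, count)] from lxc.id_map lines."""
    maps = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("lxc.id_map"):
            continue
        value = line.split("=", 1)[1].split()  # e.g. ["u", "0", "10", "65536"]
        kind = value[0]
        c_start, h_start, count = (int(v) for v in value[1:4])
        maps.append((kind, c_start, h_start, count))
    return maps


def uncovered_maps(config_text, subuid_text, subgid_text, user):
    """Return id_map entries whose host range is not inside one delegated range.

    Empty result: every mapping stays within the ids the admin handed to the
    user, so newuidmap/newgidmap will accept it. Anything returned is a
    mapping lxc-start cannot set up for an unprivileged user.
    """
    delegated = {"u": parse_subid(subuid_text, user), "g": parse_subid(subgid_text, user)}
    bad = []
    for kind, c_start, h_start, count in parse_id_map(config_text):
        covered = any(s <= h_start and h_start + count <= s + n for s, n in delegated[kind])
        if not covered:
            bad.append((kind, c_start, h_start, count))
    return bad


# Constructed samples matching the values posted in this thread.
CONFIG = "lxc.include = /etc/lxc/default.conf\nlxc.id_map = u 0 10 65536\nlxc.id_map = g 0 10 65536\n"
SUBUID = "mike:10:65536\n"
SUBGID = "mike:10:65536\n"

if __name__ == "__main__":
    for entry in uncovered_maps(CONFIG, SUBUID, SUBGID, "mike"):
        print("host range not delegated to mike:", entry)
```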
Re: [lxc-users] how can I unsubscribe this mail list?
On 02/21/2016 05:37 PM, bse...@asx.co.jp wrote:
> Hi all
>
> how can I unsubscribe this mail list?

At the bottom of every single email you receive from this list there is a link to a web page that handles mail for lxc-users.

Click on that link and when the page loads go to the bottom and look for the button that says "Unsubscribe or edit options". Click on that and follow the instructions on the next page that loads.
Re: [lxc-users] re Networking issues with LXC containers in EC2
On 01/12/2016 04:24 PM, brian mullan wrote:
> re: I *can* ping a container in host 2 but not host 2 itself
>
> welcome to networking... it's a layer 2 network and each host itself is the tunnel end point. I had kept something that explained some of it and if I can find it I'll send it to you tomorrow.
>
> Your br0 interfaces on the 2 servers you assign an IP and are they different IP addresses?
>
> No, it's not expected to see that error etc. When I have it up it's pretty solid.
>
> We can take this offline from the mailer list... just send email directly to each other so we don't bug the other list members.

Please keep it on list. I'd like to see the solution unfold. I've had a bit of trouble following various Flockport write-ups and every additional piece of info helps me better understand the vagaries of advanced networking.

Thanx,
Mike Wright