Hi Lorenzo. Thanks for coming back to me on this. I now just took the time to describe a basic Incus container setup to you by looking at my internal documentation. I appreciate that you follow up on issues like this!

Lorenzo - 11.10.24, 23:45:56 MESZ:
> For the /usr/local issue, please open another bug, or start a
> > > discussion in init-diversity or DNG list.
>
> I did some digging and I don't think I'm going to remove local from
> PATH; I think having executables there to mask system's equivalent is
> the intended usage, and if an attacker has write access on root
> the system is already compromised..
> there was a bug about this few years ago, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=%23913876
>
> Also, for comparison, I tested 'echo $PATH' in a getty under systemd and
> sysvinit and it looks like both have local in PATH.

Fair enough. I consider that one settled and won't open an extra issue about it.

Regarding incus, I still did not give you any hints. It is quite simple for a basic setup, but can become more complicated when you tweak things.

In Debian/Devuan Unstable/Testing install package "incus". For Stable you need to use backports. You could use "lxd" on stable. It may just work when you replace each call to "incus" command with "lxd", but I do not know for sure.

Do "incus admin init".

It does a default network setup including "incusbr0" bridge that should be sufficient for testing. You can show it with "incus network list" and edit it with "incus network edit".

It comes with a default storage. I did my own with

incus storage create container btrfs source=/srv/container

and removed the default one with "incus storage delete default". But I think you can just use the default storage for testing.

For Incus on Devuan you need a way to start it. I use runit:

% cat /usr/share/runit/sv/incus/run
#!/usr/bin/env /lib/runit/invoke-run
#Copyright: 2024 Martin Steigerwald <[email protected]>
#License: BSD-3-Clause

exec 2>&1

if [ -e /etc/runit/verbose ]; then
        echo "Invoke-run: starting ${PWD##*/}"
fi

/usr/libexec/incus/incus-apparmor-load

exec /usr/libexec/incus/incusd --group incus-admin

% cat /usr/share/runit/sv/incus-user/run
#!/usr/bin/env /lib/runit/invoke-run
#Copyright: 2024 Martin Steigerwald <[email protected]>
#License: BSD-3-Clause

exec 2>&1

if [ -e /etc/runit/verbose ]; then
        echo "Invoke-run: starting ${PWD##*/}"
fi

exec /usr/libexec/incus/incus-user --group incus

(yeah, I still did not propose this to Incus package maintainer or create a MR for runit-services)

I am going to send you the contents of those directories for easier testing.

You can list available images with:

% incus image list images: architecture=x86_64

You can bring up a Devuan container with:

% incus launch images:devuan/daedalus devuantest

And enter into its shell with:

% incus exec devuantest bash

I installed Runit in there with:

% apt install runit-init runit-services socklog socklog-run

In "/etc/runit/2" I did:

#!/bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
# init scripts are otherwise run with undefined/empty PATH
# Bug#1068922: runit-init: configuring network interfaces at boot inside LXC with runit as init system fails
# https://bugs.debian.org/1068922
export PATH

There are a lot of other things to tweak and adapt for optimal container setup, but… I think for testing it would be enough.

If you want a static IP address for the container you can use:

% incus config device override devuantest eth0 ipv4.address=10.10.10.10 ipv6.address=fd10:10:10:10:10.10

(IP address needs to be in network range of course)

For dual stack I use "dhcpcd" with "/etc/network/interfaces":

auto eth0
iface eth0 inet dhcp

And this needs the other fix from the bug report – otherwise no network:

#!/bin/sh
# system one time initialization tasks

PATH=/sbin:/usr/sbin:/bin:/usr/bin
# init scripts are otherwise run with undefined/empty PATH
# Bug#1068922: runit-init: configuring network interfaces at boot inside LXC with runit as init system fails
# https://bugs.debian.org/1068922
export PATH

For DHCPv6 you need to set an option for the bridge:

% incus network edit incusbr0

In there in group "config:" add:

ipv6.dhcp.stateful: "true"

(beware of YAML indenting)

I think with that you have the setup to reproduce the issue and do your own testing on things. Of course no obligation in any way. I do have a solution, it is in my template, so there is no urgency.

Feel free to ask back when something is missing.

There is also some documentation for Incus on Debian in Debian wiki:

https://wiki.debian.org/Incus

Thanks,
-- 
Martin
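
Added example, not part of either correspondent's message and not code from runit or Incus: the quoted argument for keeping /usr/local in PATH rests on only root being able to write there, and this sketch checks that assumption for every entry of a PATH string such as the one exported in /etc/runit/2. The function name audit_path and its optional owner-uid argument are assumptions made for this example.

```sh
#!/bin/sh
# audit_path PATHSTRING [OWNER_UID]   (hypothetical helper, added example)
# Prints one finding per PATH entry that would let someone other than
# OWNER_UID (default 0, root) plant a binary that masks a system one.
# Returns 0 when there are no findings, 1 otherwise.
# Usage inside the container, with the PATH from /etc/runit/2:
#   audit_path /usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
audit_path() {
    path_string=$1
    owner=${2:-0}
    findings=0
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    set -- $path_string
    set +f
    IFS=$old_ifs
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  # an empty or relative entry resolves against the cwd
                echo "relative-or-empty: '$dir'"
                findings=$((findings + 1))
                continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing (not counted): $dir"
            continue
        fi
        # -H follows a symlinked entry such as /bin -> usr/bin
        if [ -n "$(find -H "$dir" -prune ! -user "$owner" -print)" ]; then
            echo "not-owned-by-uid-$owner: $dir"
            findings=$((findings + 1))
        fi
        if [ -n "$(find -H "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "group-or-world-writable: $dir"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

A group-writable finding is not automatically a problem; it means every member of that group has to be trusted as much as root for anything started with this PATH.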

