Hi,

Actually I said I updated quite a while ago. I did reboot since then. User namespaces were not originally available for F20 according to https://fedoraproject.org/wiki/Security_Features_Matrix but I guess it was changed in one of the updates.

Regards,
Rami Rosen

On 6 Apr 2014 16:33, "Michael H. Warfield" <[email protected]> wrote:
> On Sun, 2014-04-06 at 09:52 +0300, Rami Rosen wrote:
> > Hi,
> > uname -a
> > Linux n 3.12.6-300.fc20.x86_64 #1 SMP Mon Dec 23 16:44:31 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>
> Linux hydra.wittsend.com 3.13.7-200.fc20.x86_64 #1 SMP Mon Mar 24 22:01:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>
> Ok... I'd say that's a clue. I'm on 3.13.7-200 while you're only on
> 3.12.6-300. Mine was built on Mar 24 while yours dates back all the way
> to Dec 23.
>
> You say you just updated. Did you reboot?
>
> Regards,
> Mike
>
> > [root@n containers]# lxc-checkconfig
> > Kernel configuration not found at /proc/config.gz; searching...
> > Kernel configuration found at /boot/config-3.12.6-300.fc20.x86_64
> > --- Namespaces ---
> > Namespaces: enabled
> > Utsname namespace: enabled
> > Ipc namespace: enabled
> > Pid namespace: enabled
> > User namespace: missing
> > Network namespace: enabled
> > Multiple /dev/pts instances: enabled
> >
> > --- Control groups ---
> > Cgroup: enabled
> > Cgroup clone_children flag: enabled
> > Cgroup device: enabled
> > Cgroup sched: enabled
> > Cgroup cpu account: enabled
> > Cgroup memory controller: enabled
> > Cgroup cpuset: enabled
> >
> > --- Misc ---
> > Veth pair device: enabled
> > Macvlan: enabled
> > Vlan: enabled
> > File capabilities: enabled
> >
> > Note : Before booting a new kernel, you can check its configuration
> > usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
> >
> > cat /boot/config-3.12.6-300.fc20.x86_64 | grep USER_NS
> > # CONFIG_USER_NS is not set
> >
> > Regards,
> > Rami Rosen
> > http://ramirose.wix.com/ramirosen
> >
> > On Sun, Apr 6, 2014 at 2:03 AM, Michael H. Warfield <[email protected]> wrote:
> > > On Sun, 2014-04-06 at 01:40 +0300, Rami Rosen wrote:
> > >> Hi,
> > >> First, thanks Michael, for drawing my attention to it. I knew that
> > >> Fedora 21 is going to enable user namespaces.
> > >
> > >> Still, I wanted to reiterate my point: with my Fedora 20, where I ran
> > >> update a while ago, user namespaces were not available, according to
> > >> lxc-checkconfig, and still nesting with a busybox container did work.
> > >
> > > So lxc-checkconfig indicated that it was NOT available? That's weird.
> > > Hydra (my server) was a Fedora 19 system until I recently did an upgrade
> > > using the "yum update" method...
> > >
> > > http://fedoraproject.org/wiki/Upgrading_Fedora_using_yum
> > >
> > > It's now a Fedora 20 server and I have NOT installed a custom kernel on
> > > it. So, I'm on a stock Fedora Project kernel on Fedora 20 and it is
> > > enabled. I haven't tried any of the "nested containers" or a busybox
> > > container, though.
> > >
> > > Could you post the "uname -a" of your system in question?
> > >
> > >> Btw, I heard that in the first release of RHEL 7, user namespaces will
> > >> be enabled in kernel, for ABI compatibility, but using them will be
> > >> disabled in userspace, because of security concerns. Only in later
> > >> updates it will be enabled. I hope that this scheme is not used with
> > >> Fedora 20.
> > >>
> > >> Regards,
> > >> Rami Rosen
> > >>
> > >> On 5 Apr 2014 23:15, "Michael H. Warfield" <[email protected]> wrote:
> > >> On Sat, 2014-04-05 at 22:37 +0300, Rami Rosen wrote:
> > >> > Hi, Nels,
> > >> >
> > >> > Regarding your question, as appeared as the subject of your post:
> > >> > "Do nested containers require that unprivileged container creation be
> > >> > supported?"
> > >> >
> > >> > Fedora 20 does not support user namespaces, as lxc-checkconfig shows;
> > >> > so it does not support unprivileged containers. However, I had created
> > >> > (with lxc-create) an LXC fedora container under Fedora 20. From within
> > >> > that container I created a nested LXC busybox container, and I could
> > >> > start that nested container successfully.
> > >>
> > >> Time out! Breaking news... Fedora 20 originally did not support user
> > >> namespaces on initial install. Run yum update and reboot... Then...
> > >>
> > >> [root@hydra mhw]# cat /etc/redhat-release
> > >> Fedora release 20 (Heisenbug)
> > >> [root@hydra mhw]# uname -a
> > >> Linux hydra.wittsend.com 3.13.7-200.fc20.x86_64 #1 SMP Mon Mar 24 22:01:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> > >> [root@hydra mhw]# lxc-checkconfig
> > >> Kernel configuration not found at /proc/config.gz; searching...
> > >> Kernel configuration found at /boot/config-3.13.7-200.fc20.x86_64
> > >> --- Namespaces ---
> > >> Namespaces: enabled
> > >> Utsname namespace: enabled
> > >> Ipc namespace: enabled
> > >> Pid namespace: enabled
> > >> User namespace: enabled
> > >> Network namespace: enabled
> > >> Multiple /dev/pts instances: enabled
> > >>
> > >> Looks to be enabled to me.
> > >>
> > >> > Best regards,
> > >> > Rami Rosen
> > >> > http://ramirose.wix.com/ramirosen
> > >>
> > >> Always check on the latest update. Things do change in the Fedora
> > >> sphere.
> > >>
> > >> Regards,
> > >> Mike
> > >>
> > >> > On Fri, Apr 4, 2014 at 8:02 PM, Nels Nelson <[email protected]> wrote:
> > >> > > Hi, I'm trying to create a container nested within another. I'm sure I'm
> > >> > > probably going about it incorrectly. Here's what I have so far:
> > >> > >
> > >> > > https://gist.github.com/nelsnelson/9978457
> > >> > >
> > >> > > The error I encounter seems to be
> > >> > >
> > >> > > lxc-create: No such file or directory - failed to create container path for inner
> > >> > > lxc-create: Error creating container inner
> > >> > >
> > >> > > Is this because the privileges in the outer container are not sufficient?
> > >> > >
> > >> > > Thanks,
> > >> > > -Nels
> > >>
> > >> --
> > >> Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected]
> > >> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > >> NIC whois: MHW9 | An optimist believes we live in the best of all
> > >> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
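
The check this thread turns on (grepping /boot/config-<release> for CONFIG_USER_NS and comparing the running kernel with the other installed ones), written out as an added example that is not part of the original messages. The function names and the verdict strings are hypothetical; the config-<release> file layout is the one shown in the quoted lxc-checkconfig output.

```shell
#!/bin/sh
# Added example (not from the thread): report CONFIG_USER_NS for the running
# kernel and flag the case where only another installed kernel has it.

# Print "enabled", "missing" or "unknown" for one kernel config file.
# Accepts plain files (/boot/config-*) and gzip files (/proc/config.gz).
user_ns_state() {
    cfgfile=$1
    [ -r "$cfgfile" ] || { echo unknown; return 0; }
    case $cfgfile in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # "CONFIG_USER_NS=y" means built in; "# CONFIG_USER_NS is not set"
    # (or no line at all) means the kernel was built without it.
    if $reader "$cfgfile" | grep -q '^CONFIG_USER_NS=y$'; then
        echo enabled
    else
        echo missing
    fi
}

# $1 = boot directory holding config-<release> files, $2 = running release.
# Prints one verdict: enabled | enabled-elsewhere | unavailable | unknown
user_ns_verdict() {
    bootdir=$1
    running=$2
    state=$(user_ns_state "$bootdir/config-$running")
    if [ "$state" = enabled ] || [ "$state" = unknown ]; then
        echo "$state"
        return 0
    fi
    # Running kernel lacks it: see whether any other installed kernel has it.
    for other in "$bootdir"/config-*; do
        [ -e "$other" ] || continue
        if [ "$(user_ns_state "$other")" = enabled ]; then
            echo enabled-elsewhere
            return 0
        fi
    done
    echo unavailable
}

# Typical call on a live system:
#   user_ns_verdict /boot "$(uname -r)"
```

A result of `enabled` only says the kernel was built with user namespace support; it does not show whether the distribution restricts their use at runtime, which is the RHEL 7 arrangement mentioned in the thread.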
