Quoting PONCET Anthony ([email protected]):
> On 29/01/2015 16:34, PONCET Anthony wrote:
> >On 29/01/2015 15:21, Serge Hallyn wrote:
> >>Quoting PONCET Anthony ([email protected]):
> >>>On 29/01/2015 12:30, Serge Hallyn wrote:
> >>>>Quoting PONCET Anthony ([email protected]):
> >>>>>Dear,
> >>>>>I'm using LXC on Ubuntu 14.04 (version: 1.0.7), with unprivileged
> >>>>>containers.
> >>>>>I try to use lxc.network.script.up and lxc.network.script.down
> >>>>>to allow one container in my firewall (iptables/ip6tables).
> >>>>>I've allowed a user to execute /sbin/iptables and /sbin/ip6tables
> >>>>>with sudo, and if I run my script manually, it runs without problem.
> >>>>>But when I start my container, my script doesn't run (I added
> >>>>>"echo "test" >> test.log" on top of the script and test.log is never
> >>>>>created, and no rules are added to iptables).
> >>>>>I use the veth network mode, and I added my user in
> >>>>>/etc/lxc/lxc-usernet.
> >>>>>I defined lxc.logfile and lxc.loglevel = 1 but no
> >>>>>errors are logged.
> >>>>>Do you have an idea to solve my problem?
> >>>>Can you please show the exact commands you used to create and
> >>>>start the container, the container config file, the script
> >>>>contents, and the script file owner/mode (ls -l output)?
> >>>>_______________________________________________
> >>>>lxc-users mailing list
> >>>>[email protected]
> >>>>http://lists.linuxcontainers.org/listinfo/lxc-users
> >>>Yes,
> >>>lxc-create -t download -n ct_name -- -d ubuntu -r trusty -a amd64
> >>Yeah, sorry, I wasn't thinking right. The network up and down
> >>scripts do not work for unprivileged containers right now.
> >>
> >>You can create a container started by root but with lxc.id_map
> >>sections, so that the container will be unprivileged, but the
> >>startup runs as root.
> >>
> >>I'm undecided as to whether it is worth adding support for
> >>script.up/down for unpriv containers.
> >>
> >>-serge
> >Yeah, it would be very cool to add this feature for unpriv containers.
> >Ei: in this case, the firewall can't be auto-configured, given that
> >the veth name is random.
> >And could you update the manual?
> >
> >I don't see this.
> Could I disable iptables for a bridge and manage the firewall in the
> unpriv container, or is it impossible to set iptables in an
> unprivileged container?

You can set iptables on the devices in the container. The unpriv user cannot set iptables rules for nics on the host.
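One way to use the root-started, id-mapped container Serge describes, as an added example that is not code from this thread or from LXC itself: a single hook script set as both lxc.network.script.up and lxc.network.script.down, which receives the host-side veth name from LXC and so does not care that the name is random. The config values, script path, log path and rule set are assumptions; the rules use physdev matching, which only sees bridged traffic when br_netfilter is enabled on the host.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): one hook script usable as both
# lxc.network.script.up and lxc.network.script.down for a root-started container
# that is made unprivileged with lxc.id_map, e.g. (assumed values):
#   lxc.id_map = u 0 100000 65536
#   lxc.id_map = g 0 100000 65536
#   lxc.network.script.up   = /usr/local/sbin/lxc-net-fw
#   lxc.network.script.down = /usr/local/sbin/lxc-net-fw
# LXC calls it as <script> <name> net <up|down> <nettype> <host-side ifname>, so $5 is the veth.
set -eu

# Accept only a plausible Linux interface name; it is later word-split into iptables arguments.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print one iptables argument line per rule: -I on "up", -D on "down".
# Matching the veth with physdev keeps the rules specific to this container;
# it needs br_netfilter (net.bridge.bridge-nf-call-iptables=1) on the host.
rule_args() {
    direction="$1"; ifname="$2"
    valid_ifname "$ifname" || { echo "bad interface name: $ifname" >&2; return 1; }
    case "$direction" in
        up)   op=-I ;;
        down) op=-D ;;
        *)    echo "unknown direction: $direction" >&2; return 1 ;;
    esac
    printf '%s FORWARD -m physdev --physdev-in %s -j ACCEPT\n' "$op" "$ifname"
    printf '%s FORWARD -m physdev --physdev-out %s -j ACCEPT\n' "$op" "$ifname"
}

# Apply to both IPv4 and IPv6 tables; the hook runs as root in this setup.
apply_rules() {
    rules=$(rule_args "$1" "$2")  # set -e aborts here on bad input, before touching the tables
    printf '%s\n' "$rules" | while read -r line; do
        # shellcheck disable=SC2086  # splitting the pre-built argument line is intended
        iptables $line
        ip6tables $line
    done
}

# Entry point when LXC invokes the hook; running the file with no arguments does nothing.
if [ "${2:-}" = net ] && [ "$#" -ge 5 ]; then
    apply_rules "$3" "$5"
    printf '%s %s %s %s\n' "$(date '+%F %T')" "$1" "$3" "$5" >> /var/log/lxc-net-fw.log
fi
```

Because the "down" call deletes exactly the rules the "up" call inserted, the per-container rules disappear with the veth instead of accumulating across restarts.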
