On 30/01/2015 14:10, Serge Hallyn wrote:
Quoting PONCET Anthony ([email protected]):
On 29/01/2015 16:34, PONCET Anthony wrote:
On 29/01/2015 15:21, Serge Hallyn wrote:
Quoting PONCET Anthony ([email protected]):
On 29/01/2015 12:30, Serge Hallyn wrote:
Quoting PONCET Anthony ([email protected]):
Dear,
I'm using LXC on Ubuntu 14.04 (version: 1.0.7), with unprivileged
containers.
I'm trying to use lxc.network.script.up and lxc.network.script.down
to allow one container in my firewall (iptables/ip6tables).
I've allowed a user to execute /sbin/iptables and /sbin/ip6tables
with sudo, and if I run my script manually, it runs without problem.
But when I start my container, my script doesn't run (I added
"echo "test" >> test.log" at the top of the script and test.log is never
created, and no rules are added to iptables).
I'm using the veth network mode, and I added my user to
/etc/lxc/lxc-usernet.
I defined lxc.logfile and lxc.loglevel = 1 but no
errors are logged.
Do you have an idea to solve my problem?
Can you please show the exact commands you used to create and
start the container, the container config file, the script
contents, and the script file owner/mode (ls -l output)?
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
Yes,
lxc-create -t download -n ct_name -- -d ubuntu -r trusty -a amd64
Yeah, sorry, I wasn't thinking right.  The network up and down
scripts do not work for unprivileged containers right now.

You can create a container started by root but with lxc.id_map
sections, so that the container will be unprivileged, but the
startup runs as root.

I'm undecided as to whether it is worth adding support for
script.up/down for unpriv containers.

-serge
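As an added illustration of Serge's suggestion (this is example code, not anything posted in the thread or shipped by LXC): a hook script for lxc.network.script.up that would run as root when the container is started by root with lxc.id_map lines, and so can add host-side iptables rules for the container's veth. The config lines in the header comment, the log path, the 100000/65536 id range, the rule shape (FORWARD with physdev matching on the host-side veth) and the interface-name pattern are all assumptions of this example. Because the veth name is random, the script takes it from the hook arguments instead of hard-coding it; and because the hook runs as root with an argument it did not choose, it checks that argument before interpolating it into an iptables command.

```shell
#!/bin/sh
# Added example hook for lxc.network.script.up (not from the thread, not LXC code).
# It assumes a container started by root with an unprivileged id mapping, e.g.:
#   lxc.id_map = u 0 100000 65536
#   lxc.id_map = g 0 100000 65536
#   lxc.network.type = veth
#   lxc.network.link = lxcbr0
#   lxc.network.script.up = /usr/local/bin/lxc-net-up.sh
# LXC 1.0 calls the up hook as: <container> net up veth <host-side device name>

# Accept only conservative interface names (assumed pattern): the hook runs as
# root and the device name is interpolated into firewall commands.
valid_ifname() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Print (not run) the rules that allow forwarded traffic entering the bridge
# from this container's veth, tagged with the container name for later cleanup.
build_rules() {
    ct="$1"
    dev="$2"
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -m comment --comment "lxc:%s" -j ACCEPT\n' "$dev" "$ct"
    printf 'ip6tables -A FORWARD -m physdev --physdev-in %s -m comment --comment "lxc:%s" -j ACCEPT\n' "$dev" "$ct"
}

# Entry point used when LXC invokes the script as a hook.
run_hook() {
    if [ "$#" -lt 5 ]; then
        echo "usage: $0 <container> net up veth <device>" >&2
        return 2
    fi
    ct="$1"; section="$2"; ctx="$3"; ntype="$4"; dev="$5"
    if [ "$section" != net ] || [ "$ctx" != up ] || [ "$ntype" != veth ]; then
        echo "unexpected hook context: $section $ctx $ntype" >&2
        return 2
    fi
    if ! valid_ifname "$dev"; then
        echo "refusing suspicious interface name: $dev" >&2
        return 2
    fi
    # Absolute log path (assumed): a relative path like test.log would depend on
    # the cwd LXC happens to use when it runs the hook.
    echo "$(date '+%F %T') up $ct $dev" >> /var/log/lxc-net-hook.log
    if [ -n "${DRY_RUN:-}" ]; then
        build_rules "$ct" "$dev"          # show what would be applied
    else
        build_rules "$ct" "$dev" | sh -e  # apply, stopping at the first failure
    fi
}

# Only run the hook when executed under the script's own name, so the
# functions above can be sourced and checked without touching the firewall.
[ "${0##*/}" = "lxc-net-up.sh" ] && run_hook "$@"
```

A matching lxc.network.script.down hook would use the same validation and replace `-A` with `-D` so the container's rules are removed again when it stops; running it with `DRY_RUN=1` prints the commands instead of applying them.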
Yeah, it would be very cool to add this feature for unpriv containers.
E.g.: in this case, the firewall can't be autoconfigured, given that
the veth name is random.
And could you update the manual?

I don't see this.
Could I disable iptables for a bridge and manage the firewall in the
unpriv container, or is it impossible to set iptables in an
unprivileged container?
You can set iptables on the devices in the container.  The unpriv
user cannot set iptables rules for nics on the host.
Ok, thank you.