I have the same issue with plain LXC. Can somebody please post a container config that would have the same rights as the host? I actually move around my app in a container, the host is immaterial. It used to work fine until I upgraded Ubuntu to 20.04, since then I get permission denied on a fifo located in /tmp. I need to load kernel modules, etc. It has to be on equal footing with the host.
On Mon, Jun 15, 2020 at 8:41 AM Koehler, Yannick <yannick.koeh...@hpe.com> wrote:
> First, thanks for the detailed and fast response, very appreciated.
>
> As indicated, the code that will run inside that container is our previous
> OS and if it does bad things, well, that means it was doing so previously
> so not a "bigger" issue than it was before. Since if that works, we will
> move more towards snap we will then have a better security system
> (AppArmor, SecComp, better app separation, etc) in place to remove trust
> for each app and get rid eventually of that container which purpose as
> indicated is to ease the transition and get some of the features we want
> from Ubuntu Core in an early release, if we do get this to work.
>
> --
> Yannick Koehler
> ------------------------------
> *From:* lxc-users <lxc-users-boun...@lists.linuxcontainers.org> on behalf
> of Fajar A. Nugraha <l...@fajar.net>
> *Sent:* June 13, 2020 12:53 AM
> *To:* LXC users mailing-list <lxc-users@lists.linuxcontainers.org>
> *Subject:* Re: [lxc-users] Running unprotected system container
>
> On Sat, Jun 13, 2020 at 9:41 AM Koehler, Yannick
> <yannick.koeh...@hpe.com> wrote:
> >
> > Hi,
> >
> > I am in a situation where we desire to run our old OS environment inside
> > Ubuntu Core. So far we have identified LXD as being a candidate to enable
> > us to run our past Linux OS environment within the new one.
> >
> > At this time our goal is to apply the least amount of modification to
> > our existing OS in order to test and validate such an approach.
> >
> > I, therefore, need to run an LXC container with pretty much zero
> > security, as to allow the old OS to load kernel modules, access /proc,
> > /sys, etc.
> >
> > Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I
> > obtained an error as the profile 'none' was not found by the seccomp
> > profile reader. I am wondering if this is a problem with lxc itself or
> > with UbuntuCore not providing a definition of what a seccomp "none" profile
> > would be.
>
> Start from
> https://discuss.linuxcontainers.org/t/lxd-raw-lxc-lxc-net-i-script-up/1131/4
>
> Then create something like
>
> /var/snap/lxd/common/lxd/extra/unrestricted.conf
> ------------------------------------------------
> lxc.cap.drop =
> lxc.apparmor.profile = unconfined
> lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
> lxc.cgroup.devices.allow = c *:* rwm
> lxc.cgroup.devices.allow = b *:* rwm
> lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
>
> /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
> --------------------------------------------------------
> 2
> blacklist
> # v2 allows comments after the second line, with '#' in first column,
> # blacklist will allow syscalls by default
>
> Then put it on your lxd config
> config:
>   raw.lxc: lxc.include=/var/snap/lxd/common/lxd/extra/unrestricted.conf
>
> Totally unsupported, you're on your own if something bad happens, etc.
> I was able to run mknod, "losetup -a", mount, and modprobe from my
> container, running lxd from snap under ubuntu 20.04 host (might be
> relevant for you since ubuntu core also uses lxd from snap)
>
> --
> Fajar
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
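Added example, not from the thread or from LXC/LXD itself: a small Python audit that parses a raw.lxc fragment like the unrestricted.conf quoted above and reports each isolation boundary it removes, plus the check that an empty v2 "blacklist" seccomp profile denies nothing. The two sample inputs are constructed from the thread's files; the finding strings and function names are my own.

```python
import re
# Constructed samples: the unrestricted.conf and seccomp file from the thread.
SAMPLE_CONF = """\
lxc.cap.drop =
lxc.apparmor.profile = unconfined
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
lxc.cgroup.devices.allow = c *:* rwm
lxc.cgroup.devices.allow = b *:* rwm
lxc.seccomp.profile = /var/snap/lxd/common/lxd/extra/unrestricted-seccomp.conf
"""
SAMPLE_SECCOMP = "2\nblacklist\n# no rules follow, so nothing is denied\n"


def parse_lxc_config(text):
    """Split 'key = value' lines; keys may repeat, so keep them in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    return entries


def audit_lxc_config(text):
    """Return one finding per isolation boundary the fragment removes."""
    findings = []
    for key, value in parse_lxc_config(text):
        if key == "lxc.cap.drop" and value == "":
            findings.append("caps: no capabilities dropped")
        elif key == "lxc.apparmor.profile" and value == "unconfined":
            findings.append("apparmor: unconfined")
        elif key == "lxc.mount.auto":
            rw = [m for m in value.split() if m.endswith(":rw")]
            if rw:
                findings.append("mounts: writable " + " ".join(rw))
        elif key in ("lxc.cgroup.devices.allow", "lxc.cgroup2.devices.allow"):
            if re.fullmatch(r"[abc] \*:\* \w+", value):  # every device node
                findings.append("devices: wildcard allow '%s'" % value)
    return findings


def audit_seccomp_profile(text):
    """Flag a v2 'blacklist' profile with no rules: it denies nothing."""
    lines = [l.strip() for l in text.splitlines()]
    if len(lines) < 2 or lines[0] != "2":
        return ["seccomp: not a v2 profile, check manually"]
    rules = [l for l in lines[2:] if l and not l.startswith("#")]
    if lines[1].startswith("blacklist") and not rules:
        return ["seccomp: blacklist with no rules allows every syscall"]
    return []
```

Run both functions over the files referenced by a raw.lxc include to see, before starting the container, exactly which kernel-enforced boundaries between it and the host are gone.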