Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!

> Quoting Andrey Repin (anrdae...@yandex.ru):
>> Greetings, Serge Hallyn!
>> 
>> >> >> What lxc version did you say you were using?
>> >> >
>> >> > Were using - 1.1.2.
>> >> > Then I got an upgrade and my DC didn't come up after a host reboot.
>> >> > Had to roll back to 1.1.2 to recover operation.
>> >> 
>> >> So to reconfirm, you now run 1.1.2, which is fine?
>> 
>> > D'oh, so was the aa-status output from 1.1.3 too?
>> 
>> No, that was with 1.1.2 active.
>> If it is essential to get status from 1.1.3 installed, I can arrange it, but
>> I'll need to schedule a maintenance window.

> Well hold on.  Is this trusty?  Can you show the contents of any
> /etc/apt/sources.list.d/* and /etc/apt/sources.list?  I'll try on a
> vm with all the same stuff enabled before you do that.

It is Precise (12.04) running the Trusty kernel (linux-generic-lts-trusty).
Now that you've said it, I probably have screwed something up.
The two "backports" repos shouldn't be there, I think. I'm now trying to get
rid of them and reinstall whatever I've pulled from them.

$  grep -v "^#" /etc/apt/sources.list

deb http://ru.archive.ubuntu.com/ubuntu precise main restricted
deb http://ru.archive.ubuntu.com/ubuntu precise-updates main restricted
deb http://ru.archive.ubuntu.com/ubuntu precise universe
deb http://ru.archive.ubuntu.com/ubuntu precise-updates universe
deb http://ru.archive.ubuntu.com/ubuntu precise multiverse
deb http://ru.archive.ubuntu.com/ubuntu precise-updates multiverse
deb http://ru.archive.ubuntu.com/ubuntu precise-security main restricted
deb http://ru.archive.ubuntu.com/ubuntu precise-security universe
deb http://ru.archive.ubuntu.com/ubuntu precise-security multiverse


$  grep -v "^#" /etc/apt/sources.list.d/*.list

/etc/apt/sources.list.d/9v-shaun-42-samba4-precise.list
deb http://ppa.launchpad.net/9v-shaun-42/samba4/ubuntu precise main
deb-src http://ppa.launchpad.net/9v-shaun-42/samba4/ubuntu precise main

/etc/apt/sources.list.d/debian-backports.list
deb http://mirror.yandex.ru/debian-backports/ squeeze-backports main non-free

/etc/apt/sources.list.d/ubuntu-backports.list
deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse

/etc/apt/sources.list.d/ubuntu-lxc-stable-precise.list
deb http://ppa.launchpad.net/ubuntu-lxc/stable/ubuntu precise main
deb-src http://ppa.launchpad.net/ubuntu-lxc/stable/ubuntu precise main

/etc/apt/sources.list.d/webmin.list
deb http://download.webmin.com/download/repository sarge contrib

-- 
With best regards,
Andrey Repin
Monday, October 5, 2015 21:01:26

Sorry for my terrible english...

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

[lxc-users] Dotted container names now invalid?

2015-10-05 Thread Mark Constable

lxc v0.19 on Ubuntu 15.10 host.

~ lxc launch wily abc
Creating abc done.
Starting abc done.

~ lxc launch wily abc.lxc
Creating abc.lxc error: Invalid container name

The 2nd one above used to work.

Why are dotted domain-like container names now invalid?

Re: [lxc-users] Autostart Unprivileged Containers

2015-10-05 Thread Xavier Gendre

On 06/10/2015 06:03, Paul Jones wrote:

Hi.

I'm using Debian Stretch. And I would like to use unprivileged containers.

It seems by default, there is one cgroup owned by root. In order to
start an unprivileged container I need to create a new cgroup, chown it
to the unprivileged user and then move the current tty process into
that cgroup. Then start the container from there.

If this is the case, how will it be possible to autostart containers on
boot?

Or am I going about this all wrong?


Hi Paul,

to start an unprivileged container on boot, you run some steps similar 
to what you describe but in a script that you call through a systemd 
service.


Here are the steps I do:
- set clone_children to 1
- create a dedicated cgroup and give it to my user
- start the container

Xavier
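The three steps above carried into a script that a systemd unit can call at boot. This is an added example, not Xavier's script; it assumes cgroup v1 controllers mounted under /sys/fs/cgroup, runuser for the final step, a user and container name given on the command line, and a hypothetical unit path in the docstring. The scratch-root helper lets the cgroup part be dry-run without root.

```python
#!/usr/bin/python3
"""Start an unprivileged LXC container at boot: the three steps in one script.

Assumptions (not from the thread): cgroup v1 controllers mounted under
/sys/fs/cgroup, 'runuser' available, and a unit file along these lines
(hypothetical path) with Type=oneshot and RemainAfterExit=yes:
    ExecStart=/usr/local/bin/lxc-user-autostart.py alice %i
"""
import os
import pwd
import shlex
import subprocess
import sys
import tempfile

CGROUP_ROOT = "/sys/fs/cgroup"


def prepare_cgroups(cgroup_root, uid, gid, group_name, pid=None, chown=os.chown):
    """Steps 1 and 2: set clone_children, create <root>/<ctrl>/<group_name>
    for every mounted controller, hand it to uid:gid and move `pid` (default:
    this process) into it.  Returns the created paths.  `chown` is injectable
    so the function can be dry-run on a scratch directory without privileges."""
    if pid is None:
        pid = os.getpid()
    created = []
    for ctrl in sorted(os.listdir(cgroup_root)):
        base = os.path.join(cgroup_root, ctrl)
        # skip 'cpu' -> 'cpu,cpuacct' style symlinks so each controller is done once
        if os.path.islink(base) or not os.path.isdir(base):
            continue
        # with clone_children=1 a new cpuset group inherits the parent's cpus/mems;
        # without it the container's tasks cannot be attached to it
        clone = os.path.join(base, "cgroup.clone_children")
        if os.path.exists(clone):
            with open(clone, "w") as f:
                f.write("1\n")
        path = os.path.join(base, group_name)
        os.makedirs(path, exist_ok=True)
        chown(path, uid, gid)
        for entry in os.listdir(path):  # tasks, cgroup.procs and the knobs
            chown(os.path.join(path, entry), uid, gid)
        with open(os.path.join(path, "tasks"), "a") as f:  # children inherit this cgroup
            f.write("%d\n" % pid)
        created.append(path)
    return created


def scratch_cgroup_root(controllers):
    """A throw-away directory shaped like a cgroup v1 root, for dry runs."""
    root = tempfile.mkdtemp(prefix="fake-cgroup-")
    for ctrl in controllers:
        os.makedirs(os.path.join(root, ctrl))
        with open(os.path.join(root, ctrl, "cgroup.clone_children"), "w") as f:
            f.write("0\n")
    return root


def start_container(user, name):
    """Step 3: start the container as the user, with a login environment so
    lxc-start finds ~/.config/lxc and ~/.local/share/lxc.  Inherits our cgroup."""
    cmd = "lxc-start -n %s -d" % shlex.quote(name)
    return subprocess.call(["runuser", "-l", user, "-c", cmd])


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: %s <user> <container>" % argv[0])
    user, name = argv[1], argv[2]
    pw = pwd.getpwnam(user)
    prepare_cgroups(CGROUP_ROOT, pw.pw_uid, pw.pw_gid, "lxc-" + user)
    sys.exit(start_container(user, name))


if __name__ == "__main__":
    main(sys.argv)
```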

Re: [lxc-users] Networking not working in unconfined overlayfs container

2015-10-05 Thread Frederico Araujo
Hi Serge,

Yes, I downloaded a fresh template for ubuntu and its overlay clones start
okay, and I'm able to attach and run commands on them. However, eth0 has no
IP assigned when unconfined.

I think the problem might be related to changes in systemd (I'm using
version 219) and overlayfs on vivid. I do see many permission denied
messages in the boot logs of the container (please see the attached example
output), but couldn't find much help online.

lxc-attach -n test -- ifconfig -a
eth0  Link encap:Ethernet  HWaddr 00:16:3e:23:59:24
  inet6 addr: fe80::216:3eff:fe23:5924/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:29 errors:0 dropped:0 overruns:0 frame:0
  TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:4285 (4.2 KB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:65536  Metric:1
  RX packets:24 errors:0 dropped:0 overruns:0 frame:0
  TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:1888 (1.8 KB)  TX bytes:1888 (1.8 KB)

lxc-attach -n test -- ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 15:45 ?        00:00:00 /sbin/init
root       352     1  0 15:45 ?        00:00:00 /lib/systemd/systemd-journald
root       613     1  0 15:45 ?        00:00:00 /usr/sbin/cron -f
syslog     673     1  0 15:45 ?        00:00:00 /usr/sbin/rsyslogd -n
root       710     1  0 15:45 ?        00:00:00 /usr/sbin/sshd -D
root       760     1  0 15:45 pts/1    00:00:00 /sbin/agetty --noclear --keep-baud pts/1 115200 38400 9600 vt220
root       770     1  0 15:45 lxc/console 00:00:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 v
root       780     1  0 15:45 pts/2    00:00:00 /sbin/agetty --noclear --keep-baud pts/2 115200 38400 9600 vt220
root       790     1  0 15:45 pts/0    00:00:00 /sbin/agetty --noclear --keep-baud pts/0 115200 38400 9600 vt220
root       800     1  0 15:45 pts/3    00:00:00 /sbin/agetty --noclear --keep-baud pts/3 115200 38400 9600 vt220
root       913     0  0 15:50 pts/2    00:00:00 ps -ef

Thanks!

Best,
Fred


On Mon, Oct 5, 2015 at 11:49 AM, Serge Hallyn wrote:

> Quoting Frederico Araujo (arau...@gmail.com):
> > Hi,
> >
> > I've been using LXC for over two years without problems. This week, I
> > upgraded my Ubuntu from Trusty to Vivid, and I noticed that my overlayfs
> > containers stopped getting IP assigned. In my machine the error can be
> > reproduced in this way:
> >
> > 1. lxc-create -n base -t ubuntu
>
> Do you have this problem if you use the download template?
>
> > 2. Edit ubuntu/config to add  lxc.aa_profile = unconfined
>
> interesting that it has to be unconfined.
>
> if you tail -f /var/log/syslog and then start the container, does
> the tail -f output show any DENIED messages?
>
> > 3. lxc-clone -s -B overlayfs ubuntu tmp
>
> Does the 'ubuntu' container start ok?
>
> > 4. lxc-start -n tmp -d
> > 5. lxc-ls -f shows:
> >
> > NAME   STATEIPV4IPV6  GROUPS  AUTOSTART
> > ---
> > tmpRUNNING  - *(no IP)*   - -   NO
> > ubuntu STOPPED  -   - -   NO
>
> Are you able to lxc-attach -n tmp and look around?  what does 'ps -ef'
> and 'ifconfig -a' show?
>
> > Interestingly, I don't run into this issue when running the container in
> > confined mode (without lxc.aa_profile = unconfined). I checked past
> threads
> > in this list and in launchpad, and noticed that some people had problems
> > with overlayfs when upgrading to vivid, but it seems that these problems
> > were fixed in LXC 1.1 release. I'm running on LXC 1.1.2.
> >
> > Any thoughts?
> >
> > Thanks,
> > Fred
>


test.log

[lxc-users] Mounts in shared folder not seen in container

2015-10-05 Thread Bertrand NOEL
Hi,
I share a folder from host to container. That folder contains mounts.
Below is a simple usecase of what I do.

# On host
mkdir -p /shared/mount1
mount some.iso /shared/mount1

# In the config of my container
lxc.mount.entry = /shared shared none bind 0 0

# On the host
tree /shared
/shared/
 └── mount1
  └── file

# On the container
tree /shared
/shared/
 └── mount1

I do see the folder and the subfolders, but not the contents of the mounts.
Is it expected behaviour? How can I share a folder containing mounts?

If I share the mount directly, and not its containing folder
(lxc.mount.entry = /shared/mount1 shared/mount1 none bind 0 0), it
works - I can see the files.
But I have lots of mount points, and they could change.

I have read that webpage [1] and discussions on this mailing list [2]
about sharing mounts. It works, but only for mounts mounted *after*
the container has started.

System is Ubuntu 14.04.3, with LXC 1.0.7.

[1] https://s3hh.wordpress.com/2011/09/22/sharing-mounts-with-a-container/
[2] https://lists.linuxcontainers.org/pipermail/lxc-users/2014-February/006168.html
[2] https://lists.linuxcontainers.org/pipermail/lxc-users/2014-March/006337.html

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!

> What does 'sudo aa-status' show?

This is with fully up to date system, including fresh LXC 1.1.3:

# aa-status
apparmor module is loaded.
7 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cupsd
   /usr/sbin/mysqld
1 profiles are in complain mode.
   /usr/sbin/ntpd
3 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (1165)
   /usr/sbin/mysqld (1605)
1 processes are in complain mode.
   /usr/sbin/ntpd (1872)
0 processes are unconfined but have a profile defined.

> #!/usr/bin/python3
> import lxc
> c = lxc.Container("dc1-1")
> c.get_config_item("lxc.aa_profile")

This still throws an error, but if I change the container name to

> #!/usr/bin/python3
> import lxc
> c = lxc.Container("dc1")
> c.get_config_item("lxc.aa_profile")

It executes silently and does not return any output. (Which, I presume, was one
of the desired outcomes?)

The loglevel=debug log is attached. And, ...

# grep -R "lxc-container-default" /etc
...
/etc/apparmor.d/lxc/lxc-default:profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {



-- 
With best regards,
Andrey Repin
Tuesday, October 6, 2015 02:36:13

Sorry for my terrible english...

dc1-2015-10-06.log

Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?

2015-10-05 Thread Fajar A. Nugraha
On Mon, Oct 5, 2015 at 11:58 PM, Fabio Tudone (fa...@paralleluniverse.co) wrote:
> On 09/30/2015 08:38 PM, Serge Hallyn wrote:
>>>
>>> On a more practical level what could be the security implications?
>>> Are there host resources that a malicious program could compromise
>>> when running in a container with the capabilities of a regular host
>>> user mapped in there? Even because of (hypothetical) system issues /
>>> bugs / vulnerabilities. Can someone think of actual examples?
>>
>> yes.
>
>
> Could you expand on that? What could happen for example? I'm no security
> expert but I'm interested in understanding the implications.

I believe the simplest example would probably be from Stephane's blog:
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/ . User
1000 in the host is mapped to the same uid on the container, for the
purpose of easy configuration of X and sound access from the
container.

Should some security vulnerability occur that allows the user to
escape the container (or run arbitrary commands inside the host), the
"escaped" user will be restricted to uid 1000, which is theoretically
still much safer compared to a privileged container.

However even that non-root-on-the-host user might still cause problems:
- If you have assigned additional permissions to that user (e.g. if uid
1000 on the host is a member of the "disk" group, which has write access
to block devices), the user can wreak havoc using that additional
permission
- If that user has created several containers, the "escaped" user can
compromise other containers belonging to that user

So short version:
- much safer than a privileged container
- can potentially still cause problems as that uid
- use a different id_map (with uids not used on the host) for each
container if you want maximum security

-- 
Fajar
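An added check for the two points Fajar makes above (not his code, nor part of LXC): it parses lxc.id_map lines, flags any mapping that hands a real host account's uid to a container (the uid 1000 case from Stephane's post), and reports containers whose host-side id ranges overlap. The container configs and passwd excerpt are constructed for the example.

```python
#!/usr/bin/python3
"""Audit lxc.id_map lines for the two risks named above.

Constructed example: the configs and passwd excerpt are made up; in real use
read /var/lib/lxc/<name>/config (or ~/.local/share/lxc/<name>/config) and /etc/passwd.
"""
import re
from collections import namedtuple

# lxc.id_map = <u|g> <first id inside container> <first id on host> <count>
IdMap = namedtuple("IdMap", "kind container_start host_start count")
_ID_MAP = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CONFIGS = {
    # GUI-in-container style: host uid 1000 (alice) is mapped straight through
    "gui": "lxc.id_map = u 0 200000 1000\n"
           "lxc.id_map = u 1000 1000 1\n"
           "lxc.id_map = u 1001 201001 64535\n"
           "lxc.id_map = g 0 200000 65536\n",
    # two containers cut from the same subuid block
    "web": "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n",
    "db": "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n",
    # a disjoint block per container, as recommended
    "mail": "lxc.id_map = u 0 300000 65536\nlxc.id_map = g 0 300000 65536\n",
}


def parse_id_map(config_text):
    maps = []
    for line in config_text.splitlines():
        m = _ID_MAP.match(line)
        if m:
            maps.append(IdMap(m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return maps


def host_range(m):
    """Host-side ids this mapping hands to the container."""
    return range(m.host_start, m.host_start + m.count)


def host_accounts(passwd_text):
    """uid -> account name from passwd(5)-format text."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            accounts[int(fields[2])] = fields[0]
    return accounts


def shared_host_accounts(maps, accounts):
    """Host accounts whose uid lies inside one of the container's uid mappings.
    A process escaping that container runs as that account on the host, with
    its file ownership and group memberships (e.g. 'disk')."""
    hits = []
    for m in maps:
        if m.kind != "u":
            continue  # group mappings would be checked against group(5) the same way
        r = host_range(m)
        hits.extend((uid, name) for uid, name in sorted(accounts.items()) if uid in r)
    return hits


def overlapping_containers(maps_by_name):
    """Pairs of containers whose host-side ranges of the same kind intersect:
    both run under the same host ids, so one can reach the other's files."""
    found = set()
    names = sorted(maps_by_name)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ma in maps_by_name[a]:
                for mb in maps_by_name[b]:
                    ra, rb = host_range(ma), host_range(mb)
                    if ma.kind == mb.kind and ra.start < rb.stop and rb.start < ra.stop:
                        found.add((a, b))
    return sorted(found)


def audit(configs, passwd_text):
    """configs: {container name: config text}. Returns human-readable findings."""
    accounts = host_accounts(passwd_text)
    maps_by_name = {name: parse_id_map(text) for name, text in configs.items()}
    findings = []
    for name in sorted(maps_by_name):
        if not maps_by_name[name]:
            findings.append("%s: no lxc.id_map, container runs privileged" % name)
        for uid, account in shared_host_accounts(maps_by_name[name], accounts):
            findings.append("%s: maps host account %s (uid %d) into the container"
                            % (name, account, uid))
    for a, b in overlapping_containers(maps_by_name):
        findings.append("%s and %s: overlapping host id ranges" % (a, b))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS, PASSWD):
        print(finding)
```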

[lxc-users] Autostart Unprivileged Containers

2015-10-05 Thread Paul Jones
Hi.

I'm using Debian Stretch. And I would like to use unprivileged containers.

It seems by default, there is one cgroup owned by root. In order to start
an unprivileged container I need to create a new cgroup, chown it to the
unprivileged user and then move the current tty process into that cgroup.
Then start the container from there.

If this is the case, how will it be possible to autostart containers on
boot?

Or am I going about this all wrong?

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!

>> >>   lxc-start 1443630810.241 WARN     lxc_confile - confile.c:config_pivotdir:1825 - lxc.pivotdir is ignored.  It will soon become an error.
>> >>   lxc-start 1443630810.247 WARN     lxc_cgmanager - cgmanager.c:cgm_get:993 - do_cgm_get exited with error
>> >>   lxc-start 1443630810.672 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:183 - No such file or directory - failed to change apparmor profile to lxc-container-default
>> >>   lxc-start 1443630810.672 ERROR    lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 4
>> >>   lxc-start 1443630810.672 ERROR    lxc_start - start.c:__lxc_start:1172 - failed to spawn 'dc1'
>> >>   lxc-start 1443630810.672 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
>> >>   lxc-start 1443630810.673 WARN     lxc_cgmanager - cgmanager.c:cgm_get:993 - do_cgm_get exited with error
>> >>   lxc-start 1443630810.674 ERROR    lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:523 - call to cgmanager_remove_sync failed: invalid request
>> >>   lxc-start 1443630810.674 ERROR    lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:525 - Error removing all:lxc/dc1-1
>> >>   lxc-start 1443630815.678 ERROR    lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
>> >>   lxc-start 1443630815.679 ERROR    lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
>> >>   lxc-start 1443630815.679 ERROR    lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
>> >> 
>> >> Anyone have ideas?
>> 
>> > The problem is that the lxc-container-default apparmor profile isn't
>> > loaded on your machine.
>> 
>> > You may want to restart apparmor to see if it then loads it properly.
>> 
>> Ok, let me ask a different question.
>> Can anyone walk me through some basic checks on this issue?
>> I've already tried a number of things, but I can't quite figure out, what's
>> wrong with the host. Everything seems normal and identical to the other hosts
>> I have.

> What does 'sudo aa-status' show?

# dpkg --list \*lxc\* \*apparmor\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name               Version            Description
+++-==================-==================-==========================================
ii  apparmor           2.7.102-0ubuntu3.1 User-space parser utility for AppArmor
ii  apparmor-docs      2.7.102-0ubuntu3.1 Documentation for AppArmor
un  apparmor-parser                       (no description available)
ii  apparmor-profiles  2.7.102-0ubuntu3.1 Profiles for AppArmor Security policies
ii  apparmor-utils     2.7.102-0ubuntu3.1 Utilities for controlling AppArmor
ii  dh-apparmor        2.7.102-0ubuntu3.1 AppArmor debhelper routines
un  libapache2-mod-app                    (no description available)
ii  libapparmor-perl   2.7.102-0ubuntu3.1 AppArmor library Perl bindings
ii  libapparmor1       2.7.102-0ubuntu3.1 changehat AppArmor library
un  liblxc0                               (no description available)
ii  liblxc1            1.1.2-0ubuntu3~ubu Linux Containers userspace tools (library)
ii  lxc                1.1.2-0ubuntu3~ubu Linux Containers userspace tools
ii  lxc-templates      1.1.3-0ubuntu1~ubu Linux Containers userspace tools (templates)
ii  lxcfs              0.10-0ubuntu1~ubun FUSE based filesystem for LXC
un  lxcguest                              (no description available)
un  lxctl                                 (no description available)
ii  python3-lxc        1.1.2-0ubuntu3~ubu Linux Containers userspace tools (Python 3.x binding

# lxc-ls -f
NAME  STATE    IPV4          IPV6  GROUPS  AUTOSTART
-----------------------------------------------------
dc1   RUNNING  192.168.35.4  -     -       YES

# aa-status
apparmor module is loaded.
11 profiles are loaded.
10 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/sbin/cupsd
   /usr/sbin/mysqld
   lxc-container-default
   lxc-container-default-with-mounting
   lxc-container-default-with-nesting
1 profiles are in complain mode.
   /usr/sbin/ntpd
37 processes have profiles defined.
36 processes are in enforce mode.
   /usr/bin/lxc-start (1571)
   /usr/sbin/cupsd (1047)
   /usr/sbin/mysqld (1555)
   lxc-container-default (1612)
   lxc-container-default (2488)
   lxc-container-default (2641)
   lxc-container-default (2731)
   lxc-container-default (2787)
   lxc-container-default (2931)
   lxc-container-default (3141)
   lxc-container-default (3479)
   

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Fajar A. Nugraha
On Mon, Oct 5, 2015 at 5:01 PM, Andrey Repin  wrote:
> # dpkg --list \*lxc\* \*apparmor\*
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name   VersionDescription
> +++-==-==-
> ii  apparmor   2.7.102-0ubuntu3.1 User-space parser utility for AppArmor

Is this ubuntu precise?

I had some intermittent problems with ubuntu precise containers
(a different one from yours though, my containers would sometimes hang
during startup with "Give root password for maintenance"), and ended
up upgrading both the host and the container to trusty. Never had the
problem again since. Might not be a feasible solution for you, but at
least it's something to think about.

Anyway, http://packages.ubuntu.com/search?keywords=apparmor says the
latest apparmor is 2.7.102-0ubuntu3.10, so you might want to
upgrade (or was it just an output truncation issue, and you're already
running 2.7.102-0ubuntu3.10?)


> ii  liblxc11.1.2-0ubuntu3~ubu Linux Containers userspace tools (library)
> ii  lxc1.1.2-0ubuntu3~ubu Linux Containers userspace tools

What lxc version did you say you were using?

You said "why 1.1.2 start fine", so I had thought you were using
1.1.3. Yet those lines show you're still using 1.1.2. If 1.1.2 works
fine, then what version are you having problems with?

> ii  lxc-templates  1.1.3-0ubuntu1~ubu Linux Containers userspace tools (templates)

... and that one has a different version all by itself.

> ii  lxcfs  0.10-0ubuntu1~ubun FUSE based filesystem for LXC

If you use ppa:ubuntu-lxc/lxc-stable, the simplest "fix" would
probably be to run "apt-get upgrade" (which should upgrade everything,
including lxc to 1.1.3), verify that packages are up to date
(including cgmanager, which should be on 0.37), and then reboot.

-- 
Fajar

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Fajar A. Nugraha
On Mon, Oct 5, 2015 at 9:19 PM, Andrey Repin  wrote:
>> What lxc version did you say you were using?
>
> Were using - 1.1.2.
> Then I got an upgrade and my DC didn't come up after a host reboot.
> Had to roll back to 1.1.2 to recover operation.

So to reconfirm, you now run 1.1.2, which is fine?

The earlier error report was from when you used 1.1.3?


>
>> You said "why 1.1.2 start fine", so I had thought you were using
>> 1.1.3. Yet those lines show you're still using 1.1.2. If 1.1.2 works
>> fine, then what version are you having problems with?
>
> LXC 1.1.3 - doesn't start with system boot, nor after boot.

It should. If not, then it's a bug.

>> the simplest "fix" would probably be to run "apt-get upgrade" (which should
>> upgrade everything, including lxc to 1.1.3),
>
> And break it again, third time in a row?...

This is where a test system would be handy.

If you're willing to contribute some effort, you could set up another
machine (or a VM; 1GB memory is more than enough), set up a similar
system, and at least verify whether or not the errors with 1.1.3 and
precise are reproducible. You're going to need it anyway if you're going
to follow Serge's troubleshooting steps, since I believe they should be
run on 1.1.3.

... and for the record, I'm not a developer, so this would most likely
be my last reply to this thread.

> That's how I landed in the current situation.
> God bless my preparations, I had a backup plan to log in to the host after
> the container did not start with a reboot.
> And God bless the apt cache, I was able to downgrade LXC to get the container back
> running.

Good catch with the backup plan.

If you use btrfs or zfs root, there's also alternate root setup with
snapshot/clone that would help in this situation, but that's a
different story for another time.

-- 
Fajar

[lxc-users] LXC Unprivileged Containers Over NFS

2015-10-05 Thread Nicholas J Ingrassellino
I am running a Ubuntu 14.04 host with LXC v1.1.3. On it I have mounted 
an NFS export at /home/[user]/.local/share/lxc/.


When I cd into the mount I can create files and directories. I can chown 
to change the ownership on them. I can delete them. However when I do 
lxc-create I get:

newgidmap: write to gid_map failed: Invalid argument
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: do_create_container_dir: 875 Failed to chown 
container dir
lxc-create: lxc_create.c: main: 274 Error creating container [container 
name]


I see LXC created a directory for the container but it is empty.
lxc-create works fine if I unmount the export and use the local filesystem.


How can I keep my unprivileged containers on an NFS mount?

Nicholas J Ingrassellino 
LifebloodNetworks.com 


Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Serge Hallyn
Quoting Fajar A. Nugraha (l...@fajar.net):
> On Mon, Oct 5, 2015 at 9:19 PM, Andrey Repin  wrote:
> >> What lxc version did you say you were using?
> >
> > Were using - 1.1.2.
> > Then I got an upgrade and my DC didn't come up after a host reboot.
> > Had to roll back to 1.1.2 to recover operation.
> 
> So to reconfirm, you now run 1.1.2, which is fine?

D'oh, so was the aa-status output from 1.1.3 too?


Re: [lxc-users] Mounts in shared folder not seen in container

2015-10-05 Thread Serge Hallyn
Quoting Bertrand NOEL (bertrand.noel...@gmail.com):
> Hi,
> I share a folder from host to container. That folder contains mounts.
> Below is a simple usecase of what I do.
> 
> # On host
> mkdir -p /shared/mount1
> mount some.iso /shared/mount1
> 
> # In the config of my container
> lxc.mount.entry = /shared shared none bind 0 0
> 
> # On the host
> tree /shared
> /shared/
>  └── mount1
>   └── file
> 
> # On the container
> tree /shared
> /shared/
>  └── mount1
> 
> I do see the folder and the subfolders, but not the contents of the mounts.
> Is it expected behaviour? How can I share a folder containing mounts?
> 
> If I share the mount directly, and not its containing folder
> (lxc.mount.entry = /shared/mount1 shared/mount1 none bind 0 0), it
> works - I can see the files.
> But I have lots of mount points, and they could change.
> 
> I have read that webpage [1] and discussions on this mailing list [2]
> about sharing mounts. It works, but only for mounts mounted *after*
> the container has started.

You want rbind (recursive bind), just bind is only the mount itself.
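An added example (not the thread's or LXC's code) that finds the problem Serge points to: it lists the host's mount points from a mountinfo excerpt, flags lxc.mount.entry lines that use plain bind on a source directory that has mounts underneath it, and rewrites them to rbind. The config line and the mountinfo text are constructed after Bertrand's setup; in real use read the container config and the host's /proc/self/mountinfo.

```python
#!/usr/bin/python3
"""Flag lxc.mount.entry bind mounts whose source has submounts and rewrite them to rbind.

Constructed example: MOUNTINFO mimics /proc/self/mountinfo on a host with two
images mounted under /shared, and CONFIG mimics the container config.
"""
import re

# mountinfo: id parent major:minor root mountpoint opts [tags...] - fstype source superopts
MOUNTINFO = """\
20 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
36 20 8:1 /shared /shared rw,relatime - ext4 /dev/sda1 rw
37 36 7:0 / /shared/mount1 ro,relatime - iso9660 /dev/loop0 ro
38 36 7:1 / /shared/mount2 ro,relatime - iso9660 /dev/loop1 ro
39 20 8:17 / /srv/data rw,relatime - ext4 /dev/sdb1 rw
"""

CONFIG = """\
lxc.rootfs = /var/lib/lxc/demo/rootfs
lxc.mount.entry = /shared shared none bind 0 0
lxc.mount.entry = /srv/data srv/data none bind,ro 0 0
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
"""


def _unescape(path):
    # mountinfo escapes space, tab, newline and backslash as \040 \011 \012 \134
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def mount_points(mountinfo_text):
    points = set()
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            points.add(_unescape(fields[4]))
    return points


def submounts(path, points):
    """Mount points strictly below `path`: what rbind carries and plain bind drops."""
    prefix = path.rstrip("/") + "/"
    return sorted(p for p in points if p.startswith(prefix))


def parse_mount_entry(line):
    """(src, dst, fstype, options) for an lxc.mount.entry line, else None."""
    m = re.match(r"^\s*lxc\.mount\.entry\s*=\s*(.*)$", line)
    if not m:
        return None
    fields = m.group(1).split()
    if len(fields) < 4:
        return None
    return fields[0], fields[1], fields[2], fields[3].split(",")


def incomplete_binds(config_text, mountinfo_text):
    """Bind entries that will show empty directories where the host has mounts.
    Note: rbind copies only the submounts present when the container starts;
    mounts added on the host later still need shared propagation."""
    points = mount_points(mountinfo_text)
    findings = []
    for line in config_text.splitlines():
        parsed = parse_mount_entry(line)
        if not parsed:
            continue
        src, _dst, _fstype, opts = parsed
        if "bind" in opts and "rbind" not in opts:
            missing = submounts(src, points)
            if missing:
                findings.append((line.strip(), missing))
    return findings


def to_rbind(line):
    """Rewrite 'bind' to 'rbind' in the options field, leaving other options alone."""
    m = re.match(r"^(\s*lxc\.mount\.entry\s*=\s*)(.*)$", line)
    if not m:
        return line
    fields = m.group(2).split()
    if len(fields) >= 4:
        fields[3] = ",".join("rbind" if o == "bind" else o for o in fields[3].split(","))
    return m.group(1) + " ".join(fields)


def fix_config(config_text, mountinfo_text):
    """Return the config with every flagged entry rewritten to rbind."""
    flagged = {line for line, _ in incomplete_binds(config_text, mountinfo_text)}
    return "\n".join(to_rbind(l) if l.strip() in flagged else l
                     for l in config_text.splitlines()) + "\n"


if __name__ == "__main__":
    for line, missing in incomplete_binds(CONFIG, MOUNTINFO):
        print("%s  ->  hides %s" % (line, ", ".join(missing)))
    print(fix_config(CONFIG, MOUNTINFO))
```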

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Serge Hallyn
Quoting Andrey Repin (anrdae...@yandex.ru):
> Greetings, Serge Hallyn!
> 
> >> >>   lxc-start 1443630810.241 WARN     lxc_confile - confile.c:config_pivotdir:1825 - lxc.pivotdir is ignored.  It will soon become an error.
> >> >>   lxc-start 1443630810.247 WARN     lxc_cgmanager - cgmanager.c:cgm_get:993 - do_cgm_get exited with error
> >> >>   lxc-start 1443630810.672 ERROR    lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:183 - No such file or directory - failed to change apparmor profile to lxc-container-default
> >> >>   lxc-start 1443630810.672 ERROR    lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 4
> >> >>   lxc-start 1443630810.672 ERROR    lxc_start - start.c:__lxc_start:1172 - failed to spawn 'dc1'
> >> >>   lxc-start 1443630810.672 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
> >> >>   lxc-start 1443630810.673 WARN     lxc_cgmanager - cgmanager.c:cgm_get:993 - do_cgm_get exited with error
> >> >>   lxc-start 1443630810.674 ERROR    lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:523 - call to cgmanager_remove_sync failed: invalid request
> >> >>   lxc-start 1443630810.674 ERROR    lxc_cgmanager - cgmanager.c:cgm_remove_cgroup:525 - Error removing all:lxc/dc1-1
> >> >>   lxc-start 1443630815.678 ERROR    lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
> >> >>   lxc-start 1443630815.679 ERROR    lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
> >> >>   lxc-start 1443630815.679 ERROR    lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
> >> >> 
> >> >> Anyone have ideas?
> >> 
> >> > The problem is that the lxc-container-default apparmor profile isn't
> >> > loaded on your machine.
> >> 
> >> > You may want to restart apparmor to see if it then loads it properly.
> >> 
> >> Ok, let me ask a different question.
> >> Can anyone walk me through some basic checks on this issue?
> >> I've already tried a number of things, but I can't quite figure out, what's
> >> wrong with the host. Everything seems normal and identical to the other 
> >> hosts
> >> I have.
> 
> > What does 'sudo aa-status' show?
...
> 10 profiles are in enforce mode.
...
>    lxc-container-default
...
> 36 processes are in enforce mode.
>    /usr/bin/lxc-start (1571)
>    /usr/sbin/cupsd (1047)
>    /usr/sbin/mysqld (1555)
>    lxc-container-default (1612)
>    lxc-container-default (2488)
...

What does running the following in python3 as root show?

import lxc
c = lxc.Container("dc1-1")
# at the interactive python3 prompt the return value is echoed; from a script you would print() it
c.get_config_item("lxc.aa_profile")

?

Assuming it's either '' or lxc-container-default, I think the next step
will need to be  building your own package so we can add some debugging
output  to apparmor_process_label_set()

-serge

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Fajar A. Nugraha!

>>> What lxc version did you say you were using?
>>
>> Were using - 1.1.2.
>> Then I got an upgrade and my DC didn't come up after a host reboot.
>> Had to roll back to 1.1.2 to recover operation.

> So to reconfirm, you now run 1.1.2, which is fine?

> The earlier error report was when you use 1.1.3?

Yes. Exactly.

>>> You said "why 1.1.2 start fine", so I had thought you were using
>>> 1.1.3. Yet those lines show you're still using 1.1.2. If 1.1.2 works
>>> fine, then what version are you having problems with?
>>
>> LXC 1.1.3 - doesn't start with system boot, nor after boot.

> It should. If not, then it's a bug.

Was afraid so. >.<

>>> the simplest "fix" would probably be to run "apt-get upgrade" (which should
>>> upgrade everything, including lxc to 1.1.3),
>>
>> And break it again, third time in a row?...

> This is where a test system would be handy.

> If you're willing to contribute some effort, you could setup another
> machine (or, VM. 1GB memory is more than enough), setup a similar

Unfortunately, I can't reproduce it on a test VM, from which the configuration
was created, nor on two live systems that run similar setups.

For reference, this is a prototype VM:

# dpkg --list '*lxc*' '*cgmanager*' '*apparmor*' | cat -
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version                           Description
+++-================-=================================-======================================================
ii  apparmor         2.7.102-0ubuntu3.10               User-space parser utility for AppArmor
ii  apparmor-utils   2.7.102-0ubuntu3.10               Utilities for controlling AppArmor
ii  cgmanager        0.37-1ubuntu1~ubuntu12.04.1~ppa1  Central cgroup manager daemon
ii  libapparmor-perl 2.7.102-0ubuntu3.10               AppArmor library Perl bindings
ii  libapparmor1     2.7.102-0ubuntu3.10               changehat AppArmor library
ii  libcgmanager0    0.37-1ubuntu1~ubuntu12.04.1~ppa1  Central cgroup manager daemon (client library)
ii  liblxc1          1.1.3-0ubuntu2~ubuntu12.04.1~ppa1 Linux Containers userspace tools (library)
ii  lxc              1.1.3-0ubuntu2~ubuntu12.04.1~ppa1 Linux Containers userspace tools
ii  lxc-templates    1.1.3-0ubuntu2~ubuntu12.04.1~ppa1 Linux Containers userspace tools (templates)
ii  lxcfs            0.10-0ubuntu1~ubuntu12.04.1~ppa1  FUSE based filesystem for LXC
ii  python3-lxc      1.1.3-0ubuntu2~ubuntu12.04.1~ppa1 Linux Containers userspace tools (Python 3.x bindings)

> system, and at least verify whether or not the errors with 1.1.3 and
> precise are reproducible. You're going to need it anyway if you're going
> to follow Serge's troubleshooting steps, since I believe they should be
> run on 1.1.3.

I've started from that, as it was more than just a momentary "hey, let's run
some containers!" idea.
Unfortunately, whatever is happening is happening only to that one live system.

> ... and for the record, I'm not a developer, so this would most likely
> be my last reply to this thread.

I know :) Your help is nonetheless appreciated.

>> That's how I landed in the current situation.
>> God bless my preparations, I had a backup plan to log in to the host after
>> the container did not start with a reboot.
>> And God bless the apt cache, I was able to downgrade LXC to get the container back
>> running.

> Good catch with the backup plan.

> If you use btrfs or zfs root, there's also alternate root setup with
> snapshot/clone that would help in this situation, but that's a
> different story for another time.

I did mean an alternate login to the host, which is a little less convenient
to use (it is key-restricted) but allows me to log in in events like this,
when the domain controller is unavailable for whatever reason.


-- 
With best regards,
Andrey Repin
Monday, October 5, 2015 18:25:26

Sorry for my terrible English...

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] Networking not working in unconfined overlayfs container

2015-10-05 Thread Serge Hallyn
Quoting Frederico Araujo (arau...@gmail.com):
> Hi,
> 
> I've been using LXC for over two years without problems. This week, I
> upgraded my Ubuntu from Trusty to Vivid, and I noticed that my overlayfs
> containers stopped getting IP assigned. In my machine the error can be
> reproduced in this way:
> 
> 1. lxc-create -n base -t ubuntu

Do you have this problem if you use the download template?

> 2. Edit ubuntu/config to add  lxc.aa_profile = unconfined

interesting that it has to be unconfined.

if you tail -f /var/log/syslog and then start the container, does
the tail -f output show any DENIED messages?

> 3. lxc-clone -s -B overlayfs ubuntu tmp

Does the 'ubuntu' container start ok?

> 4. lxc-start -n tmp -d
> 5. lxc-ls -f shows:
> 
> NAME   STATEIPV4IPV6  GROUPS  AUTOSTART
> ---
> tmpRUNNING  - *(no IP)*   - -   NO
> ubuntu STOPPED  -   - -   NO

Are you able to lxc-attach -n tmp and look around?  what does 'ps -ef'
and 'ifconfig -a' show?

> Interestingly, I don't run into this issue when running the container in
> confined mode (without lxc.aa_profile = unconfined). I checked past threads
> in this list and in launchpad, and noticed that some people had problems
> with overlayfs when upgrading to vivid, but it seems that these problems
> were fixed in LXC 1.1 release. I'm running on LXC 1.1.2.
> 
> Any thoughts?
> 
> Thanks,
> Fred

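Serge's troubleshooting step above is to watch /var/log/syslog for DENIED lines while the container starts. The following is an added example, not code from the thread or from LXC: it pulls the AppArmor audit fields out of such lines and counts denials per profile and operation, so the confined-versus-unconfined difference can be pinned on a specific denied operation. The syslog excerpt is constructed; its timestamps, pids and paths are made up.

```python
"""Pull AppArmor DENIED records out of syslog lines captured while a
container starts.  Added example, not code from the thread or from LXC."""
import re
from collections import Counter

# Constructed syslog excerpt (timestamps, pids and paths are made up).
SAMPLE_SYSLOG = """\
Oct  5 18:21:01 host kernel: [ 1234.567890] audit: type=1400 audit(1444054861.123:45): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=2488 comm="mount" flags="rw, remount"
Oct  5 18:21:02 host kernel: [ 1234.570000] audit: type=1400 audit(1444054862.456:46): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=1612 comm="apparmor_parser"
Oct  5 18:21:03 host dhclient[3001]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
Oct  5 18:21:04 host kernel: [ 1234.600000] audit: type=1400 audit(1444054864.000:47): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sys/net/ipv4/ip_forward" pid=2501 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key="quoted value" (may contain spaces) or key=bareword (pid=2488, error=-13)
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_fields(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line carries no apparmor= record (dhclient noise, other kernel messages)."""
    start = line.find('apparmor="')
    if start < 0:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD_RE.finditer(line, start)}


def denials(lines):
    """Only the DENIED records; STATUS (profile load/replace) lines are skipped."""
    recs = (parse_audit_fields(l) for l in lines)
    return [r for r in recs if r and r.get("apparmor") == "DENIED"]


def summarize(lines):
    """Count denials per (profile, operation); entries for lxc-container-default
    show which operations the confined run is being refused."""
    return Counter((r.get("profile"), r.get("operation")) for r in denials(lines))


if __name__ == "__main__":
    for (profile, op), n in summarize(SAMPLE_SYSLOG.splitlines()).items():
        print(f"{n:3d}  {profile}  {op}")
```

On a live host, feed it the lines from `tail -f /var/log/syslog` captured around the `lxc-start` instead of the constructed sample.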

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!

>>lxc-container-default (1612)
>>lxc-container-default (2488)
> ...

> What does running the following in python3 as root show?

> import lxc
> c = lxc.Container("dc1-1")
> c.get_config_item("lxc.aa_profile")

#!/usr/bin/env python3
import lxc
c = lxc.Container("dc1-1")
print(c.get_config_item("lxc.aa_profile"))


Traceback (most recent call last):
  File "/tmp/lxc-test.py", line 4, in <module>
    print(c.get_config_item("lxc.aa_profile"))
  File "/usr/lib/python3/dist-packages/lxc/__init__.py", line 298, in get_config_item
    value = _lxc.Container.get_config_item(self, key)
KeyError: 'Invalid configuration key'

> ?

I hope I didn't botch it too much? >.<

> Assuming it's either '' or lxc-container-default, I think the next step
> will need to be building your own package so we can add some debugging
> output to apparmor_process_label_set()

I could do that. Probably. Given instructions and a little hand-holding.
Just not on work days. I can't really shut down the domain controller at will
for an unknown amount of time.


-- 
With best regards,
Andrey Repin
Monday, October 5, 2015 18:21:01

Sorry for my terrible English...


Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!

>> >> What lxc version did you say you were using?
>> >
>> > Were using - 1.1.2.
>> > Then I got an upgrade and my DC didn't come up after a host reboot.
>> > Had to roll back to 1.1.2 to recover operation.
>> 
>> So to reconfirm, you now run 1.1.2, which is fine?

> D'oh, so was the aa-status output from 1.1.3 too?

No, that was with 1.1.2 active.
If it is essential to get status from 1.1.3 installed, I can arrange it, but
I'll need to schedule a maintenance window.


-- 
With best regards,
Andrey Repin
Monday, October 5, 2015 18:43:19

Sorry for my terrible English...


Re: [lxc-users] Mounting additional volume on container

2015-10-05 Thread Serge Hallyn
Quoting Christian Benke (benkoka...@gmail.com):
> Hello!
> 
> Planning to move from OpenVZ to LXC, I started playing with containers
> on my workstation yesterday. In the past hours I've been trying to
> mount an additional volume to a container, but don't seem to get this
> apparently trivial task right and I have difficulties identifying the
> cause of the issue.
> 
> This is my mostly vanilla container-config (Using LVM as backingstore):
> 
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
> lxc.arch = x86_64
> lxc.id_map = u 0 10 65536
> lxc.id_map = g 0 10 65536
> lxc.rootfs = /dev/lxc/lxc_test_ubuntu
> lxc.utsname = lxc_test_ubuntu
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = lxcbr0
> lxc.network.hwaddr = 00:16:3e:b5:11:fb
> lxc.cgroup.devices.allow = b 252:2 rwm
> lxc.mount.entry = /media/benke/755f788b-3930-44e9-b7b8-cb93a3ec5af0 bla none bind 0 0
> 
> 
> When the mount-point "/bla" has not been created in the container, the error 
> is:
> 
> "lxc-start 1443952415.367 ERROR lxc_utils - utils.c:safe_mount:1419 - No such file or directory - Mount of '/media/benke/755f788b-3930-44e9-b7b8-cb93a3ec5af0' onto '/usr/lib/x86_64-linux-gnu/lxc/bla' failed"

The 'lxc.mount.entry's are mounted after the user namespace unshare,
therefore you are not allowed to mount a device.  You could mount the
device somewhere onto the host and bind-mount it into the container.

How to enable this is not clear.  In lxd we can support this
using the 'disk' device, which is mounted into place by first
mounting it, on the host, into a directory which is ms-shared
with the container, then mount --moving it in the container.  In
lxc we aren't guaranteed to have such a shared directory.  You
can certainly do it yourself, but I don't know that we can do it
generically.

> and when I create the mount-point "/bla" in the container, I get the error:
> 
> "lxc-start 1443952688.974 ERROR lxc_utils - utils.c:safe_mount:1419 - Permission denied - Mount of '/media/benke/755f788b-3930-44e9-b7b8-cb93a3ec5af0' onto '/usr/lib/x86_64-linux-gnu/lxc/bla' failed."
> 
> 
> Using "lxc.mount.entry = /dev/lxc/mount_test bla ext4 defaults 0 0"
> instead of bind gives error "Operation not permitted" as well.
> I've also tried to use "dir=create" as a mount-option, mounting a
> block-device instead of using bind or a lv (With the correct
> cgroup-settings of course), tested it on a container with the regular
> filesystem as backingstore instead of lvm, tried "lxc.aa_profile =
> unconfined", used  and manually created
> "/usr/lib/x86_64-linux-gnu/lxc/bla" chmodded with the unprivileged
> user's rights out of desperation, even tried it with a privileged
> container, but none of that made a difference. The error-messages
> were always the same.
> 
> Reading all the threads and blogposts about this issue make it out to
> be straightforward after ironing out typos or
> cgroup-settings[1][2][3][4], but I'm not getting anywhere with the
> changes.
> 
> What confuses me is the intransparency of how the mount is supposed to
> work according to the lxc-logfile. Why is it trying to mount to
> "/usr/lib/x86_64-linux-gnu/lxc/bla", not mounting to
> /var/lib/lxc/lxc_test_ubuntu/rootfs/ or the real lvm-root?

/var/lib/lxc/lxc_test_ubuntu/rootfs is the source of the rootfs mount
(when using a directory backed container), not the destination.  The
container rootfs is always mounted onto /usr/lib/x86_64-linux-gnu/lxc.

-serge
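Serge's two points above (mount entries are applied after the user namespace unshare, so a device cannot be mounted from inside an id-mapped container, and the target of a relative entry resolves under the rootfs mount, where it must already exist) can be checked before `lxc-start` is run. The following lint is an added example, not LXC's own code or the thread's: it reads a 1.x-style config, treats any `lxc.id_map` line as marking an unprivileged container, and flags the entries that will fail. The sample config is constructed after the one quoted in the thread; `create=dir` is LXC's own mount option for creating a missing target directory.

```python
"""Lint an LXC 1.x config for lxc.mount.entry lines that will fail in an
unprivileged (id-mapped) container.  Added example, not LXC's own code."""

# Constructed sample modelled on the config quoted in the thread.
SAMPLE_CONFIG = """\
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /dev/lxc/lxc_test_ubuntu
lxc.cgroup.devices.allow = b 252:2 rwm
lxc.mount.entry = /srv/export bla none bind 0 0
lxc.mount.entry = /dev/lxc/mount_test bla ext4 defaults 0 0
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
"""


def parse_config(text):
    """Return (key, value) pairs; keys may repeat (id_map, mount.entry)."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        items.append((key.strip(), value.strip()))
    return items


def lint_mount_entries(text):
    """Return (entry, reason) for every mount entry that cannot work."""
    items = parse_config(text)
    # Any lxc.id_map line means the container runs inside a user namespace.
    unprivileged = any(k == "lxc.id_map" for k, _ in items)
    findings = []
    for key, value in items:
        if key != "lxc.mount.entry":
            continue
        fields = value.split()
        if len(fields) < 4:
            findings.append((value, "malformed: need <src> <dst> <fstype> <opts>"))
            continue
        src, dst, fstype, opts = fields[:4]
        options = opts.split(",")
        is_bind = fstype == "none" and "bind" in options
        if unprivileged and src.startswith("/dev/") and not is_bind:
            # Entries are mounted after the userns unshare, so a block device
            # cannot be mounted here; mount it on the host and bind it in.
            findings.append((value, f"device {src} mounted as {fstype} inside the "
                                    "user namespace; mount it on the host and bind-mount instead"))
        elif is_bind and not dst.startswith("/") and "create=dir" not in options:
            # A relative target resolves under the rootfs mount; the directory
            # must already exist there or lxc fails with ENOENT.
            findings.append((value, f"target '{dst}' must exist in the rootfs; "
                                    "create it or add create=dir to the options"))
    return findings
```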

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Serge Hallyn
Quoting Andrey Repin (anrdae...@yandex.ru):
> Greetings, Serge Hallyn!
> 
> >> >> What lxc version did you say you were using?
> >> >
> >> > Were using - 1.1.2.
> >> > Then I got an upgrade and my DC didn't come up after a host reboot.
> >> > Had to roll back to 1.1.2 to recover operation.
> >> 
> >> So to reconfirm, you now run 1.1.2, which is fine?
> 
> > D'oh, so was the aa-status output from 1.1.3 too?
> 
> No, that was with 1.1.2 active.
> If it is essential to get status from 1.1.3 installed, I can arrange it, but
> I'll need to schedule a maintenance window.

Well hold on.  Is this trusty?  Can you show the contents of any
/etc/apt/sources.list.d/* and /etc/apt/sources.list?  I'll try on a
vm with all the same stuff enabled before you do that.

Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?

2015-10-05 Thread Fabio Tudone (fa...@paralleluniverse.co)

On 09/30/2015 08:38 PM, Serge Hallyn wrote:
>> On a more practical level what could be the security implications?
>> Are there host resources that a malicious program could compromise
>> when running in a container with the capabilities of a regular host
>> user mapped in there? Even because of (hypothetical) system issues /
>> bugs / vulnerabilities. Can someone think of actual examples?
>
> yes.


Could you expand on that? What could happen for example? I'm no security 
expert but I'm interested in understanding the implications.


Thanks,

-- Fabio


Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Serge Hallyn
Quoting Andrey Repin (anrdae...@yandex.ru):
> Greetings, Serge Hallyn!
> 
> >>lxc-container-default (1612)
> >>lxc-container-default (2488)
> > ...
> 
> > What does running the following in python3 as root show?
> 
> > import lxc
> > c = lxc.Container("dc1-1")
> > c.get_config_item("lxc.aa_profile")
> 
> #!/usr/bin/env python3
> import lxc
> c = lxc.Container("dc1-1")
> print(c.get_config_item("lxc.aa_profile"))
> 
> 
> Traceback (most recent call last):
>   File "/tmp/lxc-test.py", line 4, in <module>
>     print(c.get_config_item("lxc.aa_profile"))
>   File "/usr/lib/python3/dist-packages/lxc/__init__.py", line 298, in get_config_item
>     value = _lxc.Container.get_config_item(self, key)

that is messed up.  I was wanting the result with a container that was
failing, but you're not running the right lxc anyway.