Re: [lxc-users] ZeroTier Docker IPv6 6plane for LXD

2016-07-28 Thread Stéphane Graber
On Thu, Jul 28, 2016 at 05:17:13PM +0200, Janjaap Bos wrote:
> Hi,
> 
> I am trying to configure 6plane mode for LXD.
> 
> For background on 6plane see:
> https://www.zerotier.com/community/topic/67/zerotier-6plane-ipv6-addressing
> 
> I am able to configure a /80 network for the LXD, and also the manual
> configuration at the containers to assign an IPv6 number from that subnet
> and set the route.
> 
> However, I am not able to configure LXD to provide DHCPv6 service to the
> container in this subnet.
> 
> I would much appreciate guidance on how to configure LXD to provide auto
> assigned IPv6 addresses from its subnet to the containers.
> 
> 
> My settings for IPv6 in /etc/default/lxd-bridge:
> 
> ## IPv6 address (e.g. 2001:470:b368:4242::1)
> LXD_IPV6_ADDR="fca0:4ab7:4617:1cf5:3ad6::1"
> 
> ## IPv6 CIDR mask (e.g. 64)
> LXD_IPV6_MASK="80"
> 
> ## IPv6 network (e.g. 2001:470:b368:4242::/64)
> LXD_IPV6_NETWORK="fca0:4ab7:4617:1cf5:3ad6::1/80"
> 
> ## NAT IPv6 traffic
> LXD_IPV6_NAT="false"
> 
> # Run a minimal HTTP PROXY server
> LXD_IPV6_PROXY="false"
> 
> 
> Regards,
> 
> -Janjaap

Currently our dnsmasq setup only does SLAAC (stateless address
auto-configuration). That means it announces the prefix using multicast
or on request, and the kernel in the container then computes an IPv6
address based on that.

That computation is done using EUI64 which generates a unique IPv6
address from the MAC address, using a 64-bit network prefix.

Since your network is a /80 which is smaller than a /64, it's simply not
possible for EUI64 to work which is why your containers aren't getting
an IP address.


I suspect you may have to reconfigure dnsmasq by hand to do full
stateful DHCPv6 and then will have to configure your containers to
actually do DHCPv6 as none of the images we provide do so (they all do
SLAAC fine though).


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com


___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
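As an added illustration of Stéphane's explanation (this is not code from the thread, from LXD or from dnsmasq): the modified EUI-64 interface identifier that SLAAC derives from a container's MAC, and the RFC 4862 check that the announced prefix leaves exactly 64 bits for it. The MAC is the hwaddr from the container config later in this digest and the /80 value is Janjaap's LXD_IPV6_NETWORK; both are used here as constructed sample input.

```python
import ipaddress
from typing import Optional

# Constructed inputs: the hwaddr from the container config in this digest and
# the /80 LXD_IPV6_NETWORK from Janjaap's lxd-bridge settings.
CONTAINER_MAC = "00:16:3e:d9:8e:4a"
LXD_IPV6_NETWORK = "fca0:4ab7:4617:1cf5:3ad6::1/80"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC after the OUI, insert 0xFFFE, then flip the universal/local bit.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_feasible(prefix: str) -> bool:
    """RFC 4862: prefix length plus the 64-bit interface identifier must equal 128,
    so a /80 (or any other non-/64) prefix is ignored by autoconfiguration."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen == 64


def slaac_address(prefix: str, mac: str) -> Optional[ipaddress.IPv6Address]:
    """Address SLAAC would form for `mac` on `prefix`, or None when it cannot."""
    if not slaac_feasible(prefix):
        return None
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    for prefix in ("fca0:4ab7:4617:1cf5::/64", LXD_IPV6_NETWORK):
        print(prefix, "->", slaac_address(prefix, CONTAINER_MAC))
```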

[lxc-users] ZeroTier Docker IPv6 6plane for LXD

2016-07-28 Thread Janjaap Bos
Hi,

I am trying to configure 6plane mode for LXD.

For background on 6plane see:
https://www.zerotier.com/community/topic/67/zerotier-6plane-ipv6-addressing

I am able to configure a /80 network for the LXD, and also the manual
configuration at the containers to assign an IPv6 number from that subnet
and set the route.

However, I am not able to configure LXD to provide DHCPv6 service to the
container in this subnet.

I would much appreciate guidance on how to configure LXD to provide auto
assigned IPv6 addresses from its subnet to the containers.


My settings for IPv6 in /etc/default/lxd-bridge:

## IPv6 address (e.g. 2001:470:b368:4242::1)
LXD_IPV6_ADDR="fca0:4ab7:4617:1cf5:3ad6::1"

## IPv6 CIDR mask (e.g. 64)
LXD_IPV6_MASK="80"

## IPv6 network (e.g. 2001:470:b368:4242::/64)
LXD_IPV6_NETWORK="fca0:4ab7:4617:1cf5:3ad6::1/80"

## NAT IPv6 traffic
LXD_IPV6_NAT="false"

# Run a minimal HTTP PROXY server
LXD_IPV6_PROXY="false"


Regards,

-Janjaap

Re: [lxc-users] uid range not allowed

2016-07-28 Thread Christoph Willing
Sorry for the duplicate - I had earlier posted to the list from the
wrong email identity and presumed it would be rejected as coming from a
non-subscriber, but it looks like it has just been waved through now.


The immediate problem was solved - I needed to add an additional 
"chris:1000:1" to /etc/sub{u,g}id


chris


On 23/07/16 17:08, Chris Willing wrote:

I'm following the guide to run X apps in a container at:
 https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

As a starting point, I have a normal unprivileged container running
perfectly. However when I change the id_map configuration to look like:
lxc.id_map = u 0 10 1000
lxc.id_map = g 0 10 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535

the container fails to start, claiming:

chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...

Sure enough, if I comment out the lines:
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1

the container runs again - but it's that particular mapping that is
needed in this case.

I set up a log file to priority DEBUG but no extra clues there - it just
says the same thing.

I'm using:
   lxc-2.0.1
   cgmanager-0.39
with container config file attached.

Can anyone shed light on this problem please?

chris




[lxc-users] uid range not allowed

2016-07-28 Thread Chris Willing

I'm following the guide to run X apps in a container at:
 https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

As a starting point, I have a normal unprivileged container running 
perfectly. However when I change the id_map configuration to look like:

lxc.id_map = u 0 10 1000
lxc.id_map = g 0 10 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535

the container fails to start, claiming:

chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...

Sure enough, if I comment out the lines:
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1

the container runs again - but it's that particular mapping that is 
needed in this case.


I set up a log file to priority DEBUG but no extra clues there - it just 
says the same thing.


I'm using:
   lxc-2.0.1
   cgmanager-0.39
with container config file attached.

Can anyone shed light on this problem please?

chris

# Template used to create this container: /usr/share/lxc/templates/lxc-spbuilder-1402
# Parameters passed to the template: -a x86_64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.name = eth0
lxc.network.hwaddr = 00:16:3e:d9:8e:4a
lxc.rootfs = /home/chris/.local/share/lxc/x11-test-x86_64/rootfs
lxc.rootfs.backend = dir

lxc.utsname = x11-test-x86_64

lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file

#lxc.hook.pre-start = /home/chris/.local/share/lxc/precise-gui/setup-pulse.sh

lxc.mount.entry = /scratch/PKG/SBo/slackbuilds mnt/slackbuilds none bind,ro,create=dir 0 0
#lxc.mount.entry = /var/cache/spbuilder var/cache/spbuilder none bind,create=dir 0 0
lxc.mount.auto = proc:mixed sys:ro cgroup

lxc.tty = 4
lxc.pts = 1024

lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

# we don't trust even the root user in the container, better safe than sorry.
# comment out only if you know what you're doing.
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap

# you can try also this alternative to the line above, whatever suits you better.
#lxc.cap.drop=sys_admin
#lxc.id_map = u 0 10 65536
#lxc.id_map = g 0 10 65536

lxc.id_map = u 0 10 1000
lxc.id_map = g 0 10 1000
#lxc.id_map = u 1000 1000 1
#lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
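An added checker for the situation in this thread and in Christoph's follow-up (not code from LXC or from the posters): it compares a container's active lxc.id_map lines against the user's /etc/subuid and /etc/subgid entries and lists the mappings that newuidmap/newgidmap would refuse, in the way the "uid range [1000-1001) -> [1000-1001) not allowed" error did until "chris:1000:1" was added. The config and subuid contents are constructed samples in the shape of the thread's id_map lines, with an assumed host id base of 100000; the containment check is a simplified model of newuidmap's verification, in which adjacent subordinate entries may chain to cover one mapping.

```python
from typing import Dict, List, Tuple

IdMap = Tuple[str, int, int, int]  # (type, nsid, hostid, count)

# Constructed samples: id_map lines in the shape of the thread's config, and a
# subuid/subgid file before and after the "chris:1000:1" entry from the follow-up.
SAMPLE_CONFIG = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""
SUBID_BEFORE = "chris:100000:65536\n"
SUBID_AFTER = SUBID_BEFORE + "chris:1000:1\n"


def parse_subid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse /etc/subuid or /etc/subgid text into {user: [(start, count), ...]}."""
    ranges: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, start, count = line.split(":")
            ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def parse_id_map(config: str) -> List[IdMap]:
    """Collect the active (uncommented) lxc.id_map entries of a container config."""
    maps: List[IdMap] = []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("lxc.id_map"):
            kind, nsid, hostid, count = line.split("=", 1)[1].split()
            maps.append((kind, int(nsid), int(hostid), int(count)))
    return maps


def covered(hostid: int, count: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if every host id in [hostid, hostid+count) lies in the user's ranges."""
    pos, end = hostid, hostid + count
    while pos < end:
        ends = [s + c for s, c in ranges if s <= pos < s + c]
        if not ends:
            return False  # some id in the mapping is not delegated to this user
        pos = max(ends)
    return True


def disallowed_mappings(config: str, subuid: str, subgid: str, user: str) -> List[IdMap]:
    """Return the id_map entries newuidmap/newgidmap would refuse for `user`."""
    allowed = {"u": parse_subid(subuid).get(user, []), "g": parse_subid(subgid).get(user, [])}
    return [m for m in parse_id_map(config) if not covered(m[2], m[3], allowed[m[0]])]
```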

[lxc-users] undefined symbol: current_config on custom-compiled lxc2

2016-07-28 Thread Nikolay Borisov
Hello List,


So I tried compiling both lxc 2.0 from github as well as the 2.0.3 stable
package from the web page. Everything went fine:


Environment:
 - compiler: gcc
 - distribution: centos
 - init script type(s): sysvinit
 - rpath: no
 - GnuTLS: no
 - Bash integration: yes

Security features:
 - Apparmor: no
 - Linux capabilities: yes
 - seccomp: yes
 - SELinux: yes
 - cgmanager: no

Bindings:
 - lua: yes
 - python3: yes

Documentation:
 - examples: yes
 - API documentation: yes
 - user documentation: yes

Debugging:
 - tests: no
 - mutex debugging: no

Paths:
 - Logs in configpath: no


However, when I try running lxc-create or lxc-start I get the following
error: lxc-start: symbol lookup error: lxc-start: undefined symbol:
current_config. ldd on the lxc-ls binary shows that all libraries are
resolved. This is on a CentOS 6.7 box with a 4.4 kernel. Any ideas?

[lxc-users] need your help for LXC

2016-07-28 Thread gzchenzhuowen
Hello, I am a student from China. I found your mail in the GitHub of LXC. I
need your help, thanks.

I am trying to start lxc with Open vSwitch. But an error happens...
I start LXC like this: "lxc-start -n rfvm1 -o lxc.log -l DEBUG -d" and the
log is:

 lxc-start 1468403471.415 ERROR lxc_conf - failed to attach 'veth6Y6yEz' to the bridge 'lxcbr0' : Operation not supported

I googled for a long time... and found this. Is it a bug?
https://github.com/lxc/lxc/issues/256

How can I fix it?


Thanks!

2016-07-13


gzchenzhuowen

Re: [lxc-users] using cgroups

2016-07-28 Thread Rob Edgerton


On Thursday, 30 June 2016, 10:36, Serge E. Hallyn wrote:

Quoting Rob Edgerton (redger...@yahoo.com.au):
> hi,
> I have the same problem (cgroups not working as expected) on a clean
> Xenial build (lxc PPA NOT installed, LXD not installed)
> In my case I have some Ubuntu Trusty containers I really need to use on
> Xenial, but they won't start because I use cgroups.
> If I change the existing containers to remove the "lxc.cgroup" clauses from
> config they start, but not otherwise.
> Similarly, I created a new Xenial container for testing. It works, until I
> add "lxc.cgroups" clauses at which point it also fails to start.
> 
> @virt-host:~$ lxc-start -n trusty_unp_ibvpn -F -l debug -o lxc.log
> lxc-start: cgfsng.c: cgfsng_setup_limits: 1662 No such file or directory - Error setting cpuset.cpus to 1-3 for trusty_unp_ibvpn
> lxc-start: start.c: lxc_spawn: 1180 failed to setup the cgroup limits for 'trusty_unp_ibvpn'
> lxc-start: start.c: __lxc_start: 1353 failed to spawn 'trusty_unp_ibvpn'
> lxc-start: lxc_start.c: main: 344 The container failed to start.
> lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.
> 
> Logfile Contents=
>   lxc-start 20160628155820.562 INFO lxc_start_ui - lxc_start.c:main:264 - using rcfile /mnt/lxc_images/containers/trusty_unp_ibvpn/config
>   lxc-start 20160628155820.562 WARN lxc_confile - confile.c:config_pivotdir:1879 - lxc.pivotdir is ignored.  It will soon become an error.
>   lxc-start 20160628155820.562 INFO lxc_confile - confile.c:config_idmap:1500 - read uid map: type u nsid 0 hostid 10 range 65536
>   lxc-start 20160628155820.562 INFO lxc_confile - confile.c:config_idmap:1500 - read uid map: type g nsid 0 hostid 10 range 65536
>   lxc-start 20160628155820.564 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for reject_force_umount action 0
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:216 - Setting seccomp rule to reject force umounts
> 
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for reject_force_umount action 0
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:216 - Setting seccomp rule to reject force umounts
> 
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .[all].
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .kexec_load errno 1.
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for kexec_load action 327681
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for kexec_load action 327681
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .open_by_handle_at errno 1.
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for open_by_handle_at action 327681
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for open_by_handle_at action 327681
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .init_module errno 1.
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for init_module action 327681
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for init_module action 327681
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .finit_module errno 1.
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for finit_module action 327681
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for finit_module action 327681
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:342 - processing: .delete_module errno 1.
>   lxc-start 20160628155820.564 INFO lxc_seccomp - seccomp.c:parse_config_v2:446 - Adding native rule for delete_module action 327681
>   lxc-start 20160628155820.565 INFO lxc_seccomp - seccomp.c:parse_config_v2:449 - Adding compat rule for 

Re: [lxc-users] Unprivileged container strange behaviour

2016-07-28 Thread Ruzsinszky Attila
Hi,

I found the problem description for networking.
lxc.network.veth.pair = veth-lub8 was ignored because of security.

I found this URL in the topic:
http://blog.scottlowe.org/2014/01/23/automatically-connecting-lxc-to-open-vswitch/

Is that working with an unprivileged container?

Ubuntu 16.04 doesn't run dhclient without startup networking or waiting for
DHCP. Because of the missing permanent host ethernet interface name I can't
configure OVS before starting the lxc container, so I have to run dhclient
manually after the login prompt has appeared. It is very ugly. :-(
Any better solution? Only a fixed IP address for the VM?

TIA,
Ruzsi