Re: Configuring LXC containers
On 3/13/24 04:45, Patrick O'Callaghan wrote:
On Tue, 2024-03-12 at 15:36 -0700, Mike Wright wrote:
On 3/11/24 14:41, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 16:39 +, Patrick O'Callaghan wrote:

I'd like to play with LXC but I find the docs not very newbie-friendly. I'm trying to follow a guide at:

https://brandonrozek.com/blog/lxc-fedora-38/

(basically because it mentions Fedora). I followed the steps closely and rebooted, but I get the following error:

$ systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-start test
Running scope as unit: my-unit.scope
lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 877 Received container state "ABORTING" instead of "RUNNING"
lxc-start: test: tools/lxc_start.c: main: 306 The container failed to start
lxc-start: test: tools/lxc_start.c: main: 309 To get more details, run the container in foreground mode
lxc-start: test: tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

Any insights would be welcome. (Just in case, I tried running with SElinux turned off, but it made no difference.)

One thing: on running lxc-checkconfig I get:
...
Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup ns_cgroup: required
...

(everything else is OK).

The first two are irrelevant. It uses cgroup2 now. 3rd one I don't understand.

How is your test container working?

It isn't. I still get the same errors on startup.

I've been playing along over here and now have a container that reports "UNPRIVILEGED true" using lxc-ls -f. It starts and runs but is unusable. lxc-start -n C1 -F shows the bootup sequence and it is full of [FAILED] sections. root can't even change to /root: permission denied. Almost everything is owned by 65534:65534. If I manually set an IP and default route I have networking and it uses my DNS container successfully.

I found this: https://brandonrozek.com/blog/lxc-fedora-38/ "Setting up unprivileged containers with LXC on Fedora 38" and how to use systemd to start and stop the containers. It works but doesn't solve the other problems I'm seeing.

Yes, I'd found that page a couple of days ago and tried following it. Same problems as before. I'm thinking this isn't worth the hassle.

I reached the same conclusion wrt unprivileged containers. Nonetheless, I'm still very happy using privileged containers. They're up in a second, none have ever crashed or become unstable. I find them ideal for isolating individual services on my network and for conducting quick experiments.

My main interest in lxc was to run a small containerised VPN, but Fedora seems to have much better support for docker (via podman) so I'll probably concentrate on that.

Good luck!

--
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Re: Configuring LXC containers
On Tue, 2024-03-12 at 15:36 -0700, Mike Wright wrote:
> On 3/11/24 14:41, Patrick O'Callaghan wrote:
> > On Sun, 2024-03-10 at 16:39 +, Patrick O'Callaghan wrote:
> > > I'd like to play with LXC but I find the docs not very newbie-friendly.
> > > I'm trying to follow a guide at:
> > >
> > > https://brandonrozek.com/blog/lxc-fedora-38/
> > >
> > > (basically because it mentions Fedora). I followed the steps closely
> > > and rebooted, but I get the following error:
> > >
> > > $ systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-start test
> > > Running scope as unit: my-unit.scope
> > > lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 877 Received container state "ABORTING" instead of "RUNNING"
> > > lxc-start: test: tools/lxc_start.c: main: 306 The container failed to start
> > > lxc-start: test: tools/lxc_start.c: main: 309 To get more details, run the container in foreground mode
> > > lxc-start: test: tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options
> > >
> > > Any insights would be welcome. (Just in case, I tried running with
> > > SElinux turned off, but it made no difference.)
> >
> > One thing: on running lxc-checkconfig I get:
> > ...
> > Cgroup v1 systemd controller: missing
> > Cgroup v1 freezer controller: missing
> > Cgroup ns_cgroup: required
> > ...
> >
> > (everything else is OK).
>
> The first two are irrelevant. It uses cgroup2 now. 3rd one I don't understand.
>
> How is your test container working?

It isn't. I still get the same errors on startup.

> I've been playing along over here and now have a container that reports
> "UNPRIVILEGED true" using lxc-ls -f. It starts and runs but is unusable.
> lxc-start -n C1 -F shows the bootup sequence and it is full of [FAILED]
> sections. root can't even change to /root: permission denied.
> Almost everything is owned by 65534:65534. If I manually set an IP and
> default route I have networking and it uses my DNS container successfully.
>
> I found this: https://brandonrozek.com/blog/lxc-fedora-38/ "Setting up
> unprivileged containers with LXC on Fedora 38" and how to use systemd to
> start and stop the containers. It works but doesn't solve the other
> problems I'm seeing.

Yes, I'd found that page a couple of days ago and tried following it. Same problems as before. I'm thinking this isn't worth the hassle.

My main interest in lxc was to run a small containerised VPN, but Fedora seems to have much better support for docker (via podman) so I'll probably concentrate on that.

poc
Re: Configuring LXC containers
On 3/11/24 14:41, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 16:39 +, Patrick O'Callaghan wrote:

I'd like to play with LXC but I find the docs not very newbie-friendly. I'm trying to follow a guide at:

https://brandonrozek.com/blog/lxc-fedora-38/

(basically because it mentions Fedora). I followed the steps closely and rebooted, but I get the following error:

$ systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-start test
Running scope as unit: my-unit.scope
lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 877 Received container state "ABORTING" instead of "RUNNING"
lxc-start: test: tools/lxc_start.c: main: 306 The container failed to start
lxc-start: test: tools/lxc_start.c: main: 309 To get more details, run the container in foreground mode
lxc-start: test: tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

Any insights would be welcome. (Just in case, I tried running with SElinux turned off, but it made no difference.)

One thing: on running lxc-checkconfig I get:
...
Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup ns_cgroup: required
...

(everything else is OK).

The first two are irrelevant. It uses cgroup2 now. 3rd one I don't understand.

How is your test container working?

I've been playing along over here and now have a container that reports "UNPRIVILEGED true" using lxc-ls -f. It starts and runs but is unusable. lxc-start -n C1 -F shows the bootup sequence and it is full of [FAILED] sections. root can't even change to /root: permission denied. Almost everything is owned by 65534:65534. If I manually set an IP and default route I have networking and it uses my DNS container successfully.

I found this: https://brandonrozek.com/blog/lxc-fedora-38/ "Setting up unprivileged containers with LXC on Fedora 38" and how to use systemd to start and stop the containers. It works but doesn't solve the other problems I'm seeing.
Re: Configuring LXC containers
On Mon, 2024-03-11 at 15:08 -0700, Mike Wright wrote:
> Try this ( works with lxc.apparmor.context ).
>
> lxc.selinux.context = generated
>

Same result.

> ...and also ~/.local/lxc/default.conf with these contents:
>
> lxc.include = /etc/lxc/default.conf

The local default.conf was copied from /etc/lxc and edited.

> lxc.idmap = u 0 10 65536
> lxc.idmap = g 0 10 65536
>

Those lines are already there. This is the complete file:

$ cat ~/.config/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.idmap = u 0 10 65536
lxc.idmap = g 0 10 65536
lxc.cgroup.devices.allow=a
lxc.selinux.context = generated

poc
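The settings passed around in this thread (lxc.apparmor.profile=unconfined, lxc.cgroup.devices.allow=a, and running privileged first to get the container up) each remove a layer of isolation, which is easy to forget once the container finally boots. As an added example, not part of the thread and not LXC's own tooling, here is a small Python linter that reads an lxc config file and lists those weakenings so they can be revisited. The two sample configs are constructed from the ones shown in the thread (the idmap base 100000 is an assumed value); the semantics it checks are LXC's documented ones: a config with no lxc.idmap line is a privileged container, lxc.apparmor.profile=unconfined and an unconfined_t SELinux context switch the MAC confinement off, lxc.cgroup.devices.allow=a admits every device node, and lxc.cgroup.* keys address the legacy hierarchy while lxc.cgroup2.* addresses the unified one.

```python
"""Added example (not from the thread, not LXC code): flag lxc config
settings that trade isolation for convenience so they can be revisited."""


def parse_lxc_config(text):
    """Return (key, value) pairs in file order; lxc allows repeated keys
    (lxc.idmap, lxc.net.N.*), so a list is used rather than a dict."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip()))
    return pairs


def audit_lxc_config(text):
    """Return (severity, key, message) findings for isolation-weakening settings."""
    pairs = parse_lxc_config(text)
    findings = []
    # No uid/gid mapping at all: uid 0 in the container is uid 0 on the host.
    if not any(key == "lxc.idmap" for key, _ in pairs):
        findings.append(("high", "lxc.idmap",
                         "no uid/gid mapping: privileged container, root inside is root on the host"))
    for key, value in pairs:
        if key == "lxc.apparmor.profile" and value == "unconfined":
            findings.append(("high", key, "AppArmor confinement switched off"))
        if key == "lxc.selinux.context" and "unconfined_t" in value:
            findings.append(("high", key, "SELinux confinement switched off"))
        if key == "lxc.cgroup.devices.allow" and value == "a":
            findings.append(("high", key, "device cgroup opened to every device node"))
        if key.startswith("lxc.cgroup.devices."):
            # lxc.cgroup.* targets the legacy (v1) hierarchy; the unified-hierarchy
            # equivalent on a cgroup2 host is lxc.cgroup2.devices.*
            findings.append(("info", key,
                             "legacy hierarchy key; on a cgroup2 host use lxc.cgroup2.devices.*"))
    return findings


# Constructed sample: the unprivileged default.conf from the thread, with an
# assumed idmap base of 100000 instead of the value shown on the list.
SAMPLE_UNPRIV = """\
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.cgroup.devices.allow=a
lxc.selinux.context = generated
"""

# Constructed sample: a privileged config in the style of the Archlinux one
# quoted in the thread, with the unconfined AppArmor profile added.
SAMPLE_PRIV = """\
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = WWW
lxc.net.0.flags = up
lxc.apparmor.profile=unconfined
"""


def demo():
    """Audit both constructed samples and return the findings keyed by sample."""
    return {"unprivileged": audit_lxc_config(SAMPLE_UNPRIV),
            "privileged": audit_lxc_config(SAMPLE_PRIV)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for severity, key, message in findings:
            print("  [%s] %s: %s" % (severity, key, message))
```

Run it against `~/.config/lxc/default.conf` and the per-container `config`; an empty result for a service container means it is unprivileged, confined, and has a device list rather than `a`.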
Re: Configuring LXC containers
On 3/11/24 14:41, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 16:39 +, Patrick O'Callaghan wrote:

I'd like to play with LXC but I find the docs not very newbie-friendly. I'm trying to follow a guide at:

https://brandonrozek.com/blog/lxc-fedora-38/

(basically because it mentions Fedora). I followed the steps closely and rebooted, but I get the following error:

$ systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-start test
Running scope as unit: my-unit.scope
lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 877 Received container state "ABORTING" instead of "RUNNING"
lxc-start: test: tools/lxc_start.c: main: 306 The container failed to start
lxc-start: test: tools/lxc_start.c: main: 309 To get more details, run the container in foreground mode
lxc-start: test: tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

Any insights would be welcome. (Just in case, I tried running with SElinux turned off, but it made no difference.)

One thing: on running lxc-checkconfig I get:
...
Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup ns_cgroup: required

I get the same results over here. The first two are irrelevant since current systems are using v2. I don't know if ns_required is a WARN or ERROR or a threat :)
Re: Configuring LXC containers
On 3/11/24 14:38, Patrick O'Callaghan wrote:
> On Mon, 2024-03-11 at 09:16 -0700, Mike Wright wrote:
>> On 3/11/24 08:41, Mike Wright wrote:
>>> On 3/11/24 04:33, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 22:56 -0700, Mike Wright wrote:
> On 3/10/24 15:40, Patrick O'Callaghan wrote:
>> On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:
>>> The last two lines are key. Add these flags: -F -o logfile. The
>>> default loglevel is ERROR. If you want more detail include -l LEVEL.
>>>
>> AFAIK 'apparmor' is a Ubuntu-ism. Both my system and the system in the container are Fedora 39.
>>
>>> That one puzzles me, too. However, there is no corresponding
>>> lxc.selinux setting. lxc was a canonical/ubuntu creation so my first
>>> reaction was the same as yours but from some of the comments I've read
>>> on https://discuss.linuxcontainers.org ( another forum with *lots* of
>>> empty space ) that it or something like it may have been integrated into
>>> lxc.
>>
>> CORRECTION: the above paragraph is wrong.
>>
>> A much easier to read manpage:
>>
>> https://manpages.ubuntu.com/manpages/bionic/en/man5/lxc.container.conf.5.html
>>
>
> This appears to be the manpage at lxc-container.conf(5).

Yes, sans-serif is easier for me to read. White BG (although I prefer dark theme) is also a lot better for me than white on black manpages.

>
>> § SELINUX CONTEXT
>>
>> lxc.selinux.context
>>
>> Specify the SELinux context under which the container should be run or
>> unconfined_t. For example
>>
>> lxc.selinux.context = system_u:system_r:lxc_t:s0:c22
>>
>
> I added that to the config file. It made no difference.

Try this ( works with lxc.apparmor.context ).

lxc.selinux.context = generated

...and also ~/.local/lxc/default.conf with these contents:

lxc.include = /etc/lxc/default.conf
lxc.idmap = u 0 10 65536
lxc.idmap = g 0 10 65536

That way the lxc.idmap lines are not required in each config.
Re: Configuring LXC containers
On Sun, 2024-03-10 at 16:39 +, Patrick O'Callaghan wrote:
> I'd like to play with LXC but I find the docs not very newbie-friendly.
> I'm trying to follow a guide at:
>
> https://brandonrozek.com/blog/lxc-fedora-38/
>
> (basically because it mentions Fedora). I followed the steps closely
> and rebooted, but I get the following error:
>
> $ systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-start test
> Running scope as unit: my-unit.scope
> lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 877 Received container state "ABORTING" instead of "RUNNING"
> lxc-start: test: tools/lxc_start.c: main: 306 The container failed to start
> lxc-start: test: tools/lxc_start.c: main: 309 To get more details, run the container in foreground mode
> lxc-start: test: tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options
>
> Any insights would be welcome. (Just in case, I tried running with
> SElinux turned off, but it made no difference.)

One thing: on running lxc-checkconfig I get:
...
Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup ns_cgroup: required
...

(everything else is OK).

poc
Re: Configuring LXC containers
On Mon, 2024-03-11 at 09:16 -0700, Mike Wright wrote:
> On 3/11/24 08:41, Mike Wright wrote:
> > On 3/11/24 04:33, Patrick O'Callaghan wrote:
> > > On Sun, 2024-03-10 at 22:56 -0700, Mike Wright wrote:
> > > > On 3/10/24 15:40, Patrick O'Callaghan wrote:
> > > > > On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:
> > > > > > The last two lines are key. Add these flags: -F -o logfile. The
> > > > > > default loglevel is ERROR. If you want more detail include -l LEVEL.
> > > > > >
> > > AFAIK 'apparmor' is a Ubuntu-ism. Both my system and the system in the
> > > container are Fedora 39.
> >
> > That one puzzles me, too. However, there is no corresponding
> > lxc.selinux setting. lxc was a canonical/ubuntu creation so my first
> > reaction was the same as yours but from some of the comments I've read
> > on https://discuss.linuxcontainers.org ( another forum with *lots* of
> > empty space ) that it or something like it may have been integrated into
> > lxc.
>
> CORRECTION: the above paragraph is wrong.
>
> A much easier to read manpage:
>
> https://manpages.ubuntu.com/manpages/bionic/en/man5/lxc.container.conf.5.html
>

This appears to be the manpage at lxc-container.conf(5).

> § SELINUX CONTEXT
>
> lxc.selinux.context
>
> Specify the SELinux context under which the container should be run or
> unconfined_t. For example
>
> lxc.selinux.context = system_u:system_r:lxc_t:s0:c22
>

I added that to the config file. It made no difference.

poc
Re: Configuring LXC containers
On 3/11/24 08:41, Mike Wright wrote:
On 3/11/24 04:33, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 22:56 -0700, Mike Wright wrote:
On 3/10/24 15:40, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:

The last two lines are key. Add these flags: -F -o logfile. The default loglevel is ERROR. If you want more detail include -l LEVEL.

AFAIK 'apparmor' is a Ubuntu-ism. Both my system and the system in the container are Fedora 39.

That one puzzles me, too. However, there is no corresponding lxc.selinux setting. lxc was a canonical/ubuntu creation so my first reaction was the same as yours but from some of the comments I've read on https://discuss.linuxcontainers.org ( another forum with *lots* of empty space ) that it or something like it may have been integrated into lxc.

CORRECTION: the above paragraph is wrong.

A much easier to read manpage:

https://manpages.ubuntu.com/manpages/bionic/en/man5/lxc.container.conf.5.html

§ SELINUX CONTEXT

lxc.selinux.context

Specify the SELinux context under which the container should be run or unconfined_t. For example

lxc.selinux.context = system_u:system_r:lxc_t:s0:c22
Re: Configuring LXC containers
On 3/11/24 04:33, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 22:56 -0700, Mike Wright wrote:
On 3/10/24 15:40, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:

The last two lines are key. Add these flags: -F -o logfile. The default loglevel is ERROR. If you want more detail include -l LEVEL.

e.g. lxc-start -n containerName -F -o containerName.log -l WARN

This is what I get:

$ lxc-start -n test -F -o test.log -l WARN
$ cat test.log
lxc-start test 20240310223702.913 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
lxc-start test 20240310223702.934 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9

I use this:

lxc.apparmor.profile=unconfined

which runs the container as root. That setting doesn't stop you from adding profiles.

AFAIK 'apparmor' is a Ubuntu-ism. Both my system and the system in the container are Fedora 39.

That one puzzles me, too. However, there is no corresponding lxc.selinux setting. lxc was a canonical/ubuntu creation so my first reaction was the same as yours but from some of the comments I've read on https://discuss.linuxcontainers.org ( another forum with *lots* of empty space ) that it or something like it may have been integrated into lxc.
Re: Configuring LXC containers
On Sun, 2024-03-10 at 22:56 -0700, Mike Wright wrote:
> On 3/10/24 15:40, Patrick O'Callaghan wrote:
> > On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:
> > > The last two lines are key. Add these flags: -F -o logfile. The
> > > default loglevel is ERROR. If you want more detail include -l LEVEL.
> > >
> > > e.g. lxc-start -n containerName -F -o containerName.log -l WARN
> > >
> >
> > This is what I get:
> >
> > $ lxc-start -n test -F -o test.log -l WARN
> > $ cat test.log
> > lxc-start test 20240310223702.913 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
> > lxc-start test 20240310223702.934 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
>
> I use this:
>
> lxc.apparmor.profile=unconfined
>
> which runs the container as root. That setting doesn't stop you from
> adding profiles.
>

AFAIK 'apparmor' is a Ubuntu-ism. Both my system and the system in the container are Fedora 39.

> If I disable that line I get a cgfsng WARN and the container won't
> start. ( My containers are used for local services so I'm pretty lax
> about running them as root. They are also heavily firewalled behind a
> router (also a container which starts the firewall then puts an IP on
> the WAN and sets the default route. Until the router container comes up
> my host has no network connectivity at all) )
>
> Also, you're remapping IDs. What happens if you comment those out?
>

I thought that was part of the whole point of using separate namespaces.

> My thought here is to get it running as root first then begin the
> process of securing it as you see fit.
>
> I don't have this in my configs but I found this:
>
> lxc.cgroup.devices.allow=a
>

I'll try that.

poc
Re: Configuring LXC containers
On Sun, 2024-03-10 at 19:37 -0700, Mike Wright wrote:
> On 3/10/24 15:40, Patrick O'Callaghan wrote:
> > On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:
> > > The last two lines are key. Add these flags: -F -o logfile. The
> > > default loglevel is ERROR. If you want more detail include -l LEVEL.
> > >
> > > e.g. lxc-start -n containerName -F -o containerName.log -l WARN
> > >
> >
> > This is what I get:
> >
> > $ lxc-start -n test -F -o test.log -l WARN
> ...
> > lxc-start test 20240310223702.945 ERROR start - start.c:print_top_failing_dir:99 - Permission denied - Could not access /home/poc/.local. Please grant it x access, or add an ACL for the container root
>
> This one looks interesting
>

$ ls -ld /home/poc/.local
drwx------. 1 poc poc 56 Aug 28 2021 /home/poc/.local

IOW, it already has x access (and lxc-start is not setuid so it's running as me).

poc
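The "Please grant it x access, or add an ACL for the container root" error is about the container's root, not the user running lxc-start: with lxc.idmap in place, uid 0 inside the container is a different host uid (the idmap base), and that uid must be able to traverse every directory between / and the rootfs. A `drwx------ poc poc` directory admits poc and nobody else. The following Python script is an added example, not code from the thread or from LXC; it translates container uids through the idmap lines, then walks a path and reports the first directory the mapped uid cannot enter, before and after the narrow fix (o+x, or equivalently an ACL, on that one directory rather than a recursive chmod 755 of the home directory). The directory tree and the idmap base 100000 are constructed for the demo, and the check inspects classic mode bits only; POSIX ACLs are not read (an assumption of the example).

```python
"""Added example (not from the thread, not LXC code): which directory above
the rootfs blocks the *mapped* container root uid, and the narrow fix."""
import os
import stat
import tempfile


def parse_idmap(config_text):
    """Return (kind, container_start, host_start, count) for each lxc.idmap line."""
    maps = []
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "lxc.idmap":
            continue
        kind, c_start, h_start, count = value.split()
        maps.append((kind, int(c_start), int(h_start), int(count)))
    return maps


def host_id(maps, kind, container_id):
    """Map a container uid ('u') or gid ('g') to the host id; None if unmapped."""
    for k, c_start, h_start, count in maps:
        if k == kind and c_start <= container_id < c_start + count:
            return h_start + (container_id - c_start)
    return None


def can_traverse(path, uid, gids):
    """True if `uid` (a member of `gids`) has the x bit on directory `path`.
    Classic DAC mode bits only; ACLs are not consulted (assumption)."""
    st = os.stat(path)
    if uid == 0:                       # host root bypasses DAC checks
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked_component(path, uid, gids, start=os.sep):
    """Walk from `start` (exclusive) down to `path`; return the first directory
    that `uid` cannot enter, or None when the whole chain is traversable."""
    start = os.path.abspath(start)
    rel = os.path.relpath(os.path.abspath(path), start)
    if rel.startswith(os.pardir):
        raise ValueError("path must lie below start")
    current = start
    for part in rel.split(os.sep):
        if part in ("", os.curdir):
            continue
        current = os.path.join(current, part)
        if not os.path.isdir(current):
            break
        if not can_traverse(current, uid, gids):
            return current
    return None


def demo():
    """Build a constructed home/poc/.local/share/lxc tree in a temp dir,
    reproduce the failure for the mapped root uid, apply o+x to the one
    blocking directory, and re-check."""
    config = "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n"
    root_uid = host_id(parse_idmap(config), "u", 0)      # 100000
    base = tempfile.mkdtemp()
    target = os.path.join(base, "home", "poc", ".local", "share", "lxc")
    os.makedirs(target)
    for rel, mode in (("home", 0o755), ("home/poc", 0o711),
                      ("home/poc/.local", 0o700),          # drwx------ as in the thread
                      ("home/poc/.local/share", 0o755),
                      ("home/poc/.local/share/lxc", 0o755)):
        os.chmod(os.path.join(base, rel), mode)
    before = first_blocked_component(target, root_uid, set(), start=base)
    # Narrow fix: o+x on the blocking directory only (setfacl -m u:100000:x is equivalent).
    os.chmod(os.path.join(base, "home", "poc", ".local"), 0o701)
    after = first_blocked_component(target, root_uid, set(), start=base)
    return {"root_uid": root_uid,
            "blocked_before": os.path.relpath(before, base) if before else None,
            "blocked_after": os.path.relpath(after, base) if after else None}


if __name__ == "__main__":
    print(demo())
```

On a real host, call `first_blocked_component` with the rootfs path, `host_id(maps, "u", 0)` and the set of host gids the mapped root belongs to; the directory it returns is the one to fix.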
Re: Configuring LXC containers
On 3/10/24 15:40, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:

The last two lines are key. Add these flags: -F -o logfile. The default loglevel is ERROR. If you want more detail include -l LEVEL.

e.g. lxc-start -n containerName -F -o containerName.log -l WARN

This is what I get:

$ lxc-start -n test -F -o test.log -l WARN
$ cat test.log
lxc-start test 20240310223702.913 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
lxc-start test 20240310223702.934 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9

I use this:

lxc.apparmor.profile=unconfined

which runs the container as root. That setting doesn't stop you from adding profiles. If I disable that line I get a cgfsng WARN and the container won't start. ( My containers are used for local services so I'm pretty lax about running them as root. They are also heavily firewalled behind a router (also a container which starts the firewall then puts an IP on the WAN and sets the default route. Until the router container comes up my host has no network connectivity at all) )

Also, you're remapping IDs. What happens if you comment those out?

My thought here is to get it running as root first then begin the process of securing it as you see fit.

I don't have this in my configs but I found this:

lxc.cgroup.devices.allow=a
Re: Configuring LXC containers
On 3/10/24 15:40, Patrick O'Callaghan wrote:
On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:

The last two lines are key. Add these flags: -F -o logfile. The default loglevel is ERROR. If you want more detail include -l LEVEL.

e.g. lxc-start -n containerName -F -o containerName.log -l WARN

This is what I get:

$ lxc-start -n test -F -o test.log -l WARN
...
lxc-start test 20240310223702.945 ERROR start - start.c:print_top_failing_dir:99 - Permission denied - Could not access /home/poc/.local. Please grant it x access, or add an ACL for the container root

This one looks interesting
Re: Configuring LXC containers
On Sun, 2024-03-10 at 11:13 -0700, Mike Wright wrote:
> The last two lines are key. Add these flags: -F -o logfile. The
> default loglevel is ERROR. If you want more detail include -l LEVEL.
>
> e.g. lxc-start -n containerName -F -o containerName.log -l WARN
>

This is what I get:

$ lxc-start -n test -F -o test.log -l WARN
lxc-start: test: cgroups/cgfsng.c: __cgfsng_delegate_controllers: 2921 Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
lxc-start: test: cgroups/cgfsng.c: __cgfsng_delegate_controllers: 2921 Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
lxc-start: test: start.c: print_top_failing_dir: 99 Permission denied - Could not access /home/poc/.local. Please grant it x access, or add an ACL for the container root
lxc-start: test: sync.c: sync_wait: 34 An error occurred in another process (expected sequence number 1)
lxc-start: test: start.c: __lxc_start: 2074 Failed to spawn container "test"
lxc-start: test: tools/lxc_start.c: main: 306 The container failed to start
lxc-start: test: tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

$ cat test.log
lxc-start test 20240310223702.913 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
lxc-start test 20240310223702.934 ERROR cgfsng - cgroups/cgfsng.c:__cgfsng_delegate_controllers:2921 - Device or resource busy - Could not enable "+cpu +io +memory +pids" controllers in the unified cgroup 9
lxc-start test 20240310223702.944 WARN cgfsng - cgroups/cgfsng.c:fchowmodat:1251 - No such file or directory - Failed to fchownat(15, memory.oom.group, 65536, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW )
lxc-start test 20240310223702.944 WARN cgfsng - cgroups/cgfsng.c:fchowmodat:1251 - No such file or directory - Failed to fchownat(15, memory.reclaim, 65536, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW )
lxc-start test 20240310223702.945 ERROR start - start.c:print_top_failing_dir:99 - Permission denied - Could not access /home/poc/.local. Please grant it x access, or add an ACL for the container root
lxc-start test 20240310223702.945 ERROR sync - sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 1)
lxc-start test 20240310223702.945 ERROR start - start.c:__lxc_start:2074 - Failed to spawn container "test"
lxc-start test 20240310223702.945 WARN start - start.c:lxc_abort:1039 - No such process - Failed to send SIGKILL via pidfd 16 for process 148416
lxc-start test 20240310223702.958 ERROR lxc_start - tools/lxc_start.c:main:306 - The container failed to start

I guess the first two lines are the key to the problem. My default config file is:

$ cat ~/.config/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.idmap = u 0 10 65536
lxc.idmap = g 0 10 65536

The 'test' container is a Fedora 39 instance.

poc
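The first two log lines ("Device or resource busy - Could not enable +cpu +io +memory +pids controllers in the unified cgroup") come from two cgroup v2 rules that an unprivileged lxc-start inside a `systemd-run --user --scope -p Delegate=yes` scope depends on: a controller can only be enabled in a cgroup if every ancestor delegates it downwards (it then appears in that cgroup's cgroup.controllers), and the kernel's "no internal process" rule refuses, with EBUSY, to enable controllers in cgroup.subtree_control of a non-root cgroup that still has processes of its own. The Python script below is an added example, not code from the thread or from LXC; it reads the three cgroup files for a given cgroup and reports which of the two conditions fails. `diagnose()` works on file contents so it runs on the constructed sample included here (controller set, empty subtree_control and a made-up pid are all constructed); `diagnose_live()` applies the same check to the calling process's own cgroup under /sys/fs/cgroup.

```python
"""Added example (not from the thread, not LXC code): read-only check of the
cgroup v2 delegation and no-internal-process conditions behind the
'Could not enable "+cpu +io +memory +pids" controllers' error."""
import os

CGROUP_ROOT = "/sys/fs/cgroup"


def parse_cgroup_path(proc_self_cgroup):
    """Return the unified-hierarchy path from /proc/self/cgroup (the '0::/...' line)."""
    for line in proc_self_cgroup.splitlines():
        hierarchy, _, rest = line.partition(":")
        if hierarchy == "0" and rest.startswith(":"):
            return rest[1:]
    return None


def diagnose(requested, controllers, subtree_control, procs):
    """requested: controllers lxc asks for; the other arguments are the text of
    cgroup.controllers, cgroup.subtree_control and cgroup.procs for the cgroup
    lxc-start writes to. Returns the findings; an empty 'problems' list is good."""
    available = set(controllers.split())          # delegated to this cgroup by its ancestors
    enabled = set(subtree_control.split())        # already passed down to children
    own_pids = [int(p) for p in procs.split()]    # processes sitting in this cgroup itself
    missing = sorted(set(requested) - available)
    to_enable = sorted((set(requested) & available) - enabled)
    problems = []
    if missing:
        problems.append("not delegated to this cgroup: " + " ".join(missing))
    if to_enable and own_pids:
        problems.append(
            "enabling %s in cgroup.subtree_control will fail with EBUSY: "
            "cgroup still holds pids %s (move them into a child cgroup first)"
            % (" ".join("+" + c for c in to_enable), own_pids))
    return {"missing": missing, "to_enable": to_enable,
            "populated": bool(own_pids), "problems": problems}


def diagnose_live(requested=("cpu", "io", "memory", "pids")):
    """Run the same check against the calling process's own cgroup (Linux, cgroup v2)."""
    with open("/proc/self/cgroup") as f:
        rel = parse_cgroup_path(f.read())
    if rel is None:
        raise RuntimeError("no unified (cgroup v2) hierarchy entry in /proc/self/cgroup")
    cgroup_dir = os.path.join(CGROUP_ROOT, rel.lstrip("/"))

    def read(name):
        with open(os.path.join(cgroup_dir, name)) as f:
            return f.read()

    return diagnose(requested, read("cgroup.controllers"),
                    read("cgroup.subtree_control"), read("cgroup.procs"))


# Constructed sample: a user scope whose ancestors never delegated "io", with
# nothing enabled for children yet and one process (made-up pid) still inside.
SAMPLE_CONTROLLERS = "cpu memory pids\n"
SAMPLE_SUBTREE_CONTROL = "\n"
SAMPLE_PROCS = "4242\n"


def demo():
    """Diagnose the constructed sample for the controllers lxc requests."""
    return diagnose(("cpu", "io", "memory", "pids"),
                    SAMPLE_CONTROLLERS, SAMPLE_SUBTREE_CONTROL, SAMPLE_PROCS)


if __name__ == "__main__":
    for problem in demo()["problems"]:
        print(problem)
```

Run `diagnose_live()` from inside the same `systemd-run --user --scope -p Delegate=yes` invocation that launches lxc-start (for instance via a wrapper script): a non-empty `missing` list points at delegation on the user slice, a populated cgroup with controllers still to enable points at the EBUSY in the log.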
Re: Configuring LXC containers
On 3/10/24 09:39, Patrick O'Callaghan wrote:

I'd like to play with LXC but I find the docs not very newbie-friendly. I'm trying to follow a guide at:

https://brandonrozek.com/blog/lxc-fedora-38/

(basically because it mentions Fedora). I followed the steps closely and rebooted, but I get the following error:

$ systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-start test
Running scope as unit: my-unit.scope
lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 877 Received container state "ABORTING" instead of "RUNNING"
lxc-start: test: tools/lxc_start.c: main: 306 The container failed to start
lxc-start: test: tools/lxc_start.c: main: 309 To get more details, run the container in foreground mode
lxc-start: test: tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

Any insights would be welcome. (Just in case, I tried running with SElinux turned off, but it made no difference.)

I use lxc all the time. The last two lines are key. Add these flags: -F -o logfile. The default loglevel is ERROR. If you want more detail include -l LEVEL.

e.g. lxc-start -n containerName -F -o containerName.log -l WARN

My experience has been that there is a disconnect between the container and the host's bridge usually caused by misconfigured network options in the config file or perhaps the default bridge is not up. Here's a section from my Archlinux config. This particular bridge is named WWW. The veth.pair isn't necessary but it puts a name on the interface and makes it easier to identify with "ip link list (ip l l )". The generated names, eth-VLXWORL eg. aren't helpful at all. Same thing about hwaddr. If you don't provide a MAC one will be provided for you.

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = WWW
lxc.net.0.flags = up
# not required
lxc.net.0.veth.pair = WWW-rch
lxc.net.0.hwaddr = 00:16:3e:00:05:10

hth, :m