Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!
> Quoting Andrey Repin (anrdae...@yandex.ru):
>> Greetings, Serge Hallyn!
>>
>> >> >> What lxc version did you say you were using?
>> >> >
>> >> > Were using - 1.1.2.
>> >> > Then I got an upgrade and my DC didn't come up after a host reboot.
>> >> > Had to roll back to

[lxc-users] Dotted container names now invalid?

2015-10-05 Thread Mark Constable
lxc v0.19 on Ubuntu 15.10 host.
~ lxc launch wily abc
Creating abc done.
Starting abc done.
~ lxc launch wily abc.lxc
Creating abc.lxc error: Invalid container name
The 2nd one above used to work. Why are dotted domain-like container names now invalid?

Re: [lxc-users] Autostart Unpriviledged Containers

2015-10-05 Thread Xavier Gendre
On 06/10/2015 06:03, Paul Jones wrote: Hi. I'm using Debian Stretch. And I would like to use unprivileged containers. It seems by default, there is one cgroup owned by root. In order to start an unprivileged container I need to create a new cgroup, chown it to the unprivileged user and

Re: [lxc-users] Networking not working in unconfined overlayfs container

2015-10-05 Thread Frederico Araujo
Hi Serge, Yes, I downloaded a fresh template for ubuntu and its overlay clones start okay, and I'm able to attach and run commands on them. However, eth0 has no IP assigned when unconfined. I think the problem might be related to changes in systemd (I'm using version 219) and overlayfs on vivid.

[lxc-users] Mounts in shared folder not seen in container

2015-10-05 Thread Bertrand NOEL
Hi,
I share a folder from host to container. That folder contains mounts. Below is a simple use case of what I do.
# On host
mkdir -p /shared/mount1
mount some.iso /shared/mount1
# In the config of my container
lxc.mount.entry = /shared shared none bind 0 0
# On the host
tree /shared
/shared/

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!
> What does 'sudo aa-status' show?
This is with fully up to date system, including fresh LXC 1.1.3:
# aa-status
apparmor module is loaded.
7 profiles are loaded.
6 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action

Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?

2015-10-05 Thread Fajar A. Nugraha
On Mon, Oct 5, 2015 at 11:58 PM, Fabio Tudone (fa...@paralleluniverse.co) wrote:
> On 09/30/2015 08:38 PM, Serge Hallyn wrote:
>>>
>>> On a more practical level what could be the security implications?
>>> Are there host resources that a malicious program could

[lxc-users] Autostart Unpriviledged Containers

2015-10-05 Thread Paul Jones
Hi. I'm using Debian Stretch. And I would like to use unprivileged containers. It seems by default, there is one cgroup owned by root. In order to start an unprivileged container I need to create a new cgroup, chown it to the unprivileged user and then move the current tty process into that

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!
>> >> lxc-start 1443630810.241 WARN lxc_confile -
>> >> confile.c:config_pivotdir:1825 - lxc.pivotdir is ignored. It will soon
>> >> become an error.
>> >> lxc-start 1443630810.247 WARN lxc_cgmanager -
>> >> cgmanager.c:cgm_get:993 - do_cgm_get

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Fajar A. Nugraha
On Mon, Oct 5, 2015 at 5:01 PM, Andrey Repin wrote:
> # dpkg --list \*lxc\* \*apparmor\*
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
>

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Fajar A. Nugraha
On Mon, Oct 5, 2015 at 9:19 PM, Andrey Repin wrote:
>> What lxc version did you say you were using?
>
> Were using - 1.1.2.
> Then I got an upgrade and my DC didn't come up after a host reboot.
> Had to roll back to 1.1.2 to recover operation.
So to reconfirm, you now run

[lxc-users] LXC Unprivileged Containers Over NFS

2015-10-05 Thread Nicholas J Ingrassellino
I am running an Ubuntu 14.04 host with LXC v1.1.3. On it I have mounted an NFS export at /home/[user]/.local/share/lxc/. When I cd into the mount I can create files and directories. I can chown to change the ownership on them. I can delete them. However when I do lxc-create I get: newgidmap:

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Serge Hallyn
Quoting Fajar A. Nugraha (l...@fajar.net):
> On Mon, Oct 5, 2015 at 9:19 PM, Andrey Repin wrote:
> >> What lxc version did you say you were using?
> >
> > Were using - 1.1.2.
> > Then I got an upgrade and my DC didn't come up after a host reboot.
> > Had to roll back to 1.1.2

Re: [lxc-users] Mounts in shared folder not seen in container

2015-10-05 Thread Serge Hallyn
Quoting Bertrand NOEL (bertrand.noel...@gmail.com):
> Hi,
> I share a folder from host to container. That folder contains mounts.
> Below is a simple use case of what I do.
>
> # On host
> mkdir -p /shared/mount1
> mount some.iso /shared/mount1
>
> # In the config of my container
>

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Serge Hallyn
Quoting Andrey Repin (anrdae...@yandex.ru):
> Greetings, Serge Hallyn!
>
> >> >> lxc-start 1443630810.241 WARN lxc_confile -
> >> >> confile.c:config_pivotdir:1825 - lxc.pivotdir is ignored. It will soon
> >> >> become an error.
> >> >> lxc-start 1443630810.247 WARN

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Fajar A. Nugraha!
>>> What lxc version did you say you were using?
>>
>> Were using - 1.1.2.
>> Then I got an upgrade and my DC didn't come up after a host reboot.
>> Had to roll back to 1.1.2 to recover operation.
> So to reconfirm, you now run 1.1.2, which is fine?
> The earlier

Re: [lxc-users] Networking not working in unconfined overlayfs container

2015-10-05 Thread Serge Hallyn
Quoting Frederico Araujo (arau...@gmail.com):
> Hi,
>
> I've been using LXC for over two years without problems. This week, I
> upgraded my Ubuntu from Trusty to Vivid, and I noticed that my overlayfs
> containers stopped getting IP assigned. In my machine the error can be
> reproduced in this

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!
>>lxc-container-default (1612)
>>lxc-container-default (2488)
> ...
> What does running the following in python3 as root show?
> import lxc
> c = lxc.Container("dc1-1")
> c.get_config_item("lxc.aa_profile")
#!/usr/bin/env python3
import lxc
c =

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Andrey Repin
Greetings, Serge Hallyn!
>> >> What lxc version did you say you were using?
>> >
>> > Were using - 1.1.2.
>> > Then I got an upgrade and my DC didn't come up after a host reboot.
>> > Had to roll back to 1.1.2 to recover operation.
>>
>> So to reconfirm, you now run 1.1.2, which is fine?
>

Re: [lxc-users] Mounting additional volume on container

2015-10-05 Thread Serge Hallyn
Quoting Christian Benke (benkoka...@gmail.com):
> Hello!
>
> Planning to move from OpenVZ to LXC, I started playing with containers
> on my workstation yesterday. In the past hours I've been trying to
> mount an additional volume to a container, but don't seem to get this
> apparently trivial

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Serge Hallyn
Quoting Andrey Repin (anrdae...@yandex.ru):
> Greetings, Serge Hallyn!
>
> >> >> What lxc version did you say you were using?
> >> >
> >> > Were using - 1.1.2.
> >> > Then I got an upgrade and my DC didn't come up after a host reboot.
> >> > Had to roll back to 1.1.2 to recover operation.
> >> >

Re: [lxc-users] Is an unprivileged LXC where the host user itself is mapped to 0 less secure of one where one of its subids is mapped to 0, and why?

2015-10-05 Thread Fabio Tudone (fa...@paralleluniverse.co)
On 09/30/2015 08:38 PM, Serge Hallyn wrote: On a more practical level what could be the security implications? Are there host resources that a malicious program could compromise when running in a container with the capabilities of a regular host user mapped in there? Even because of

Re: [lxc-users] LXC 1.1.3 update blocks container startup.

2015-10-05 Thread Serge Hallyn
Quoting Andrey Repin (anrdae...@yandex.ru):
> Greetings, Serge Hallyn!
>
> >>lxc-container-default (1612)
> >>lxc-container-default (2488)
> > ...
>
> > What does running the following in python3 as root show?
>
> > import lxc
> > c = lxc.Container("dc1-1")
> >