[lxc-users] Unprivileged containers on Debian Jessie

2015-02-04 Thread Xavier Gendre
Hi, following the hints given by Serge Hallyn on the lxc-devel list, I managed to run an unprivileged container on my Debian Jessie \o/ Now, I want to avoid manual handling and get it working on startup. Thus, I permanently set kernel.unprivileged_userns_clone to 1 and I create a systemd service to

Re: [lxc-users] Advice for running LXC on a Debian host

2015-03-14 Thread Xavier Gendre
Hi, I am not as categorical as Fajar, and using LXC with Debian is widely feasible. I admit that the LXC version that comes with Debian Stable is not up to date enough. But I have installed Debian Jessie and I use Debian's package, which gives LXC version 1.0.6. Of course, if you need

[lxc-users] Owner of an unprivileged container

2015-03-26 Thread Xavier Gendre
Hello, I run several containers on my server and, following the security advice, they are unprivileged. Each container belongs to one user and I am asking myself if this is a good practice... Thus my question is if there are some differences between: - an unprivileged container owned by

Re: [lxc-users] User namespaces

2015-02-28 Thread Xavier Gendre
Hi, a priori, no problem with doing that. Simply deal with /etc/subuid and /etc/subgid (on Debian-like systems, at least). For the limit, I don't know, but the man page for newuidmap considers integers. Thus, we could hope to deal with 2^32=4294967296 ids. In such a case, you have some room to

Re: [lxc-users] Debian stable not present in the image list of lxc-template-download

2015-05-04 Thread Xavier Gendre
I don't know, but I can also help if there is something to do... Xavier On 03/05/2015 22:40, J Bc wrote: Can we help with lxc package in debian? wiki for compilation and packaging? 2015-05-03 21:39 GMT+02:00 Xavier Gendre gendre.rei...@gmail.com: The package lxc 1.0.7 has recently changed

Re: [lxc-users] Debian stable not present in the image list of lxc-template-download

2015-05-03 Thread Xavier Gendre
The package lxc 1.0.7 has recently moved from experimental to unstable, https://packages.debian.org/sid/lxc We can hope that it will soon be available in jessie-backports... After 1.0.7, the next version is 1.1.0. Thus, with a bit of patience, I think that we will see this version in some

Re: [lxc-users] Is there a guide to LXC ipv6 configuration

2015-05-09 Thread Xavier Gendre
Hi, you can simply pass the IPv6 address you want to give to your container via the configuration file through 'lxc.network.ipv6'. For instance, if you gave the local address fe80::1 to the interface lxcbr0, you can do it with the following configuration file: # Sample config file

Re: [lxc-users] Is there a guide to LXC ipv6 configuration

2015-05-10 Thread Xavier Gendre
Hi Brian, the IPv4 magic in LXC comes from the use of dnsmasq. According to what I have read, you can configure dnsmasq to deal with DHCPv6, but I never tried it. Maybe you can look on this side to reach your goal. Xavier On 10/05/2015 02:42, brian mullan wrote: Xavier I am just

Re: [lxc-users] [Unable to start using lvm backend]

2015-04-13 Thread Xavier Gendre
It may be useful to give more details about what I am trying to do ;-) I work with Debian Jessie and LXC 1.0.6 from the Debian repository. First, I give an ID range to root and I set the container's configuration with this range: root # grep root /etc/sub[ug]id

Re: [lxc-users] [Unable to start using lvm backend]

2015-04-13 Thread Xavier Gendre
Hello Fajar, It may be useful to give more details about what I am trying to do ;-) I work with Debian Jessie and LXC 1.0.6 from the Debian repository. You should really use at least 1.0.7 from experimental, or better yet, 1.1.1. That was good advice... with 1.0.7 from experimental,

Re: [lxc-users] [Unable to start using lvm backend]

2015-04-12 Thread Xavier Gendre
Hi Serge, please, can you give more details about your settings for a root-owned unprivileged container with LVM backend? Indeed, I encounter the same problem as Andrea. I have tried to set up the container as you explained but it fails to run... root # grep lxc.id_map /var/lib/lxc/test/config

Re: [lxc-users] Owner of an unprivileged container

2015-04-04 Thread Xavier Gendre
Hi Serge, On 03/04/2015 23:46, Serge Hallyn wrote: Quoting Xavier Gendre (gendre.rei...@gmail.com): Hello, I run several containers on my server and, following the security advice, they are unprivileged. Each container belongs to one user and I am asking myself if this is a good practice

Re: [lxc-users] Nested container in unprivileged container

2015-06-19 Thread Xavier Gendre
On 18/06/2015 06:35, Serge Hallyn wrote: Quoting Xavier Gendre (gendre.rei...@gmail.com): On 15/06/2015 17:17, Serge Hallyn wrote: Quoting Xavier Gendre (gendre.rei...@gmail.com): Hi, I wanted to run a container in an unprivileged container and I am glad to have succeeded in doing

[lxc-users] Nested container in unprivileged container

2015-06-13 Thread Xavier Gendre
Hi, I wanted to run a container in an unprivileged container and I am glad to have succeeded in doing it. The point is that I am not sure if what I did is acceptable from the security point of view or not... Here are the steps I did: 1) create an unprivileged container (lxc.id_map, ...) called

Re: [lxc-users] Nested container in unprivileged container

2015-06-15 Thread Xavier Gendre
On 15/06/2015 17:17, Serge Hallyn wrote: Quoting Xavier Gendre (gendre.rei...@gmail.com): Hi, I wanted to run a container in an unprivileged container and I am glad to have succeeded in doing it. The point is that I am not sure if what I did is acceptable from the security point of view

Re: [lxc-users] Status: Debian Jessie support for unprivileged containers?

2015-10-14 Thread Xavier Gendre
Although setting it up was not as straightforward as your tutorial: - Package "python3-all-dev" currently has dependency issues (https://bugs.launchpad.net/ubuntu/+source/python3.4/+bug/1503382, http://askubuntu.com/a/683604/331398) I was able to solve this by adding a time.sleep(120) in

Re: [lxc-users] Status: Debian Jessie support for unprivileged containers?

2015-10-14 Thread Xavier Gendre
and I use this image on my Jessie host (where I tweak my cgroups through a custom systemd service in order to give ownership to the unprivileged users). Could you maybe also share that custom systemd service configuration? Then I can continue to sit on my lazy butt and don't have to reinvent

Re: [lxc-users] Status: Debian Jessie support for unprivileged containers?

2015-10-13 Thread Xavier Gendre
On 13/10/2015 11:49, Fajar A. Nugraha wrote: On Tue, Oct 13, 2015 at 4:44 PM, Christian Benke wrote: On 13 October 2015 at 11:15, Fajar A. Nugraha wrote: So bottom line, don't bother unless you're willing to run a "frankenstein", unsupported distro.

Re: [lxc-users] Autostart Unprivileged Containers

2015-10-05 Thread Xavier Gendre
On 06/10/2015 06:03, Paul Jones wrote: Hi. I'm using Debian Stretch. And I would like to use unprivileged containers. It seems by default, there is one cgroup owned by root. In order to start an unprivileged container I need to create a new cgroup, chown it to the unprivileged user and

[lxc-users] Capitole du Libre 2015

2015-08-28 Thread Xavier Gendre
Hi, the rest of this message is in French, sorry for non-francophones... Besides being interested in LXC and posting on this list, I am a member of the Toulouse association Toulibre, whose objective is the promotion and distribution of free software. In this context, we are organising

Re: [lxc-users] Mounting as rw into container

2015-09-08 Thread Xavier Gendre
Hi, an easy way is to use lxc.mount.entry with bind in the config file of the container. An example could be the following line: lxc.mount.entry = /path/to/directory/in/host path/to/directory/in/container none bind,create=dir 0 0 Note the missing '/' at the beginning of the target path in

Re: [lxc-users] Containers start without networking

2015-09-23 Thread Xavier Gendre
Hello, I have never encountered this problem with my containers. However, you should upgrade LXC to a more recent version to see if the problem persists. According to the version you mention, I assume that you run LXC on Debian Wheezy (oldstable). If you do not plan to upgrade to Debian Jessie

Re: [lxc-users] Status: Debian Jessie support for unprivileged containers?

2016-01-08 Thread Xavier Gendre
Hello Carlos, > Once you replace systemd with sysvinit in the container, you get it > booting and starting the services, but you can't login on it (via the > login prompt) or ssh on it. I didn't know that, I always use lxc-attach to get a prompt in my containers and it works like a charm. > You

Re: [lxc-users] Status: Debian Jessie support for unprivileged containers?

2016-01-08 Thread Xavier Gendre
Hello Fajar, > Anyway, I wrote this several months ago, should be the easiest way to > get unpriv jessie on jessie: http://debian-lxc.github.io/ > The repo has lxc-1.1.5 and cgmanager, ported from ubuntu. I just discovered your link and I wonder how I could have missed it! Thanks a lot, it seems that

Re: [lxc-users] Status: Debian Jessie support for unprivileged containers?

2016-01-09 Thread Xavier Gendre
On 09/01/2016 03:23, Fajar A. Nugraha wrote: > Anyway, I wrote this several months ago, should be the easiest way to > get unpriv jessie on jessie: http://debian-lxc.github.io/ > The repo has lxc-1.1.5 and cgmanager, ported from ubuntu. I have followed your tutorials and it works perfectly

Re: [lxc-users] Can't ssh my lxc instances and no instance console on Horizon

2016-04-06 Thread Xavier Gendre
Hi, > I'm unable to ssh into any instance except the CirrOS. For ssh, did you try to set pam_loginuid.so to "optional" in /etc/pam.d/sshd in your containers? Regards, Xavier

Re: [lxc-users] Building custom LXC templates

2016-04-18 Thread Xavier Gendre
Hello Lars, However, I have no idea how to do that. Is it possible to create a container locally and pack it up to be extracted somewhere else? Would that even be portable? If so, is there tooling for that? I use configuration management for everything else already; LXC so far is the only thing

Re: [lxc-users] Building custom LXC templates

2016-04-19 Thread Xavier Gendre
Yes but you can run it in a VM where you have superuser privileges. The goal is simply to obtain the two files meta.tar.xz and rootfs.tar.xz. Oh, I see. I was under the impression that I would get a template script, similar to what exists under /usr/share/lxc/templates. Are those hand-written?

Re: [lxc-users] Building custom LXC templates

2016-04-19 Thread Xavier Gendre
a) I need superuser privileges to run this? Running this in CI would be ruled out then, and Yes but you can run it in a VM where you have superuser privileges. The goal is simply to obtain the two files meta.tar.xz and rootfs.tar.xz. b) this downloads and builds LXC from master? What do

Re: [lxc-users] HOWTO: How to run graphics-accelerated GUI apps in LXD containers on your Ubuntu desktop

2017-05-03 Thread Xavier Gendre
Hi, > I completed the tutorial on how to run graphics-accelerated GUI apps > in (local) LXD containers, > https://blog.simos.info/how-to-run-graphics-accelerated-gui-apps-in-lxd-containers-on-your-ubuntu-desktop/ > > Compared to the previous post, this one has sound and also shows how > to

Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??

2018-08-21 Thread Xavier Gendre
Hi, On 21/08/2018 at 13:39, Dirk Geschke wrote: can you check the directory permissions for /home/oxpd/.local/share/lxc/uidranges As Dirk said, your problem could be related to permissions of the rootfs itself and not to subordinate ids. On 21/08/2018 at 12:07, Yasoda Padala wrote

Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??

2018-08-20 Thread Xavier Gendre
Hi Yasoda, only 10 ids is a bit short for a container. You should increase this number to cover at least the system ids 0-999. Depending on the distribution you run in your containers, you can be sharper and only involve the needed ids, but they all have to be covered. Xavier On 20/08/2018

Re: [lxc-users] unprivileged Debian Buster container on Debian Buster host fail to start: no cgroups, no controllers

2019-05-28 Thread Xavier Gendre
Hello Lukas, unprivileged buster containers on a buster host run like a charm. Your config includes a lot of stuff that is not suited for an unprivileged container (apparmor, ...). First, you should try with a simpler configuration file, such as the following one. ---%<--%<--%<---

Re: [lxc-users] [Fwd: Re: unprivileged Debian Buster container on Debian Buster host fail to start: no cgroups, no controllers]

2019-06-17 Thread Xavier Gendre
Pirl To: lxc-users@lists.linuxcontainers.org Subject: Re: [lxc-users] unprivileged Debian Buster container on Debian Buster host fail to start: no cgroups, no controllers Date: Wed, 29 May 2019 00:11:29 +0200 On Tue, 2019-05-28 21:50 +0200, Xavier Gendre wrote as excerpted: Hello Lukas