Hi,
following the hints given by Serge Hallyn on the lxc-devel list, I
managed to run an unprivileged container on my Debian Jessie \o/
Now, I want to avoid manual handling and get it working on startup. Thus, I
permanently set kernel.unprivileged_userns_clone to 1 and I create a systemd
service to
Hi,
I am not as categorical as Fajar, and using LXC with Debian is widely
feasible. I admit that the LXC version that comes with Debian Stable is
not up to date enough. But I have installed Debian Jessie and I use
Debian's package, which gives LXC version 1.0.6.
Of course, if you need
Hello,
I run several containers on my server and, following the security
advice, they are unprivileged. Each container belongs to one user and I
am asking myself if this is a good practice...
Thus my question is whether there are any differences between:
- an unprivileged container owned by
Hi,
a priori, no problem with doing that. Simply deal with /etc/subuid and
/etc/subgid (on Debian-like systems, at least). For the limit, I don't
know but the man page for newuidmap considers integers. Thus, we could
hope to deal with 2^32=4294967296 ids. In such a case, you have some
room to
I don't know but I also can help if there is something to do...
Xavier
On 03/05/2015 22:40, J Bc wrote:
Can we help with lxc package in debian?
wiki for compilation and packaging?
2015-05-03 21:39 GMT+02:00 Xavier Gendre gendre.rei...@gmail.com:
The package lxc 1.0.7 has recently changed
The package lxc 1.0.7 has recently changed from experimental to unstable,
https://packages.debian.org/sid/lxc
We can hope that it will be soon available in jessie-backports... After
1.0.7, the next version is 1.1.0. Thus, with a bit of patience, I think
that we will see this version in some
Hi,
you can simply pass the IPv6 address you want to give to your container
via the configuration file through 'lxc.network.ipv6'. For instance, if
you gave the local address fe80::1 to the interface lxcbr0, you can do
it with the following configuration file:
# Sample config file
Hi Brian,
the IPv4 magic in LXC comes from the use of dnsmasq. According to what I
have read, you can configure dnsmasq to deal with DHCPv6 but I never
tried it. Maybe you can look into that to reach your goal.
Xavier
On 10/05/2015 02:42, brian mullan wrote:
Xavier
I am just
It may be useful to give more details about what I am trying to do ;-) I
work with Debian Jessie and LXC 1.0.6 from the Debian repository.
First, I give an ID range to root and I set the container's
configuration with this range:
root # grep root /etc/sub[ug]id
Hello Fajar,
It may be useful to give more details about what I am trying to do ;-) I
work with Debian Jessie and LXC 1.0.6 from the Debian repository.
You should really use at least 1.0.7 from experimental, or better yet, 1.1.1.
That was good advice... with 1.0.7 from experimental,
Hi Serge,
please, can you give more details about your settings of root owned
unprivileged container with LVM backend? Indeed, I encounter the same
problem as Andrea. I have tried to set the container as you explain but
it fails to run...
root # grep lxc.id_map /var/lib/lxc/test/config
Hi Serge,
On 03/04/2015 23:46, Serge Hallyn wrote:
Quoting Xavier Gendre (gendre.rei...@gmail.com):
Hello,
I run several containers on my server and, following the security
advice, they are unprivileged. Each container belongs to one user
and I am asking myself if this is a good practice
On 18/06/2015 06:35, Serge Hallyn wrote:
Quoting Xavier Gendre (gendre.rei...@gmail.com):
On 15/06/2015 17:17, Serge Hallyn wrote:
Quoting Xavier Gendre (gendre.rei...@gmail.com):
Hi,
I wanted to run a container in an unprivileged container and I am
glad to have succeeded in doing
Hi,
I wanted to run a container in an unprivileged container and I am glad
to have succeeded in doing it. The point is that I am not sure if what I did is
acceptable from the security point of view or not...
Here are the steps I did:
1) create an unprivileged container (lxc.id_map, ...) called
On 15/06/2015 17:17, Serge Hallyn wrote:
Quoting Xavier Gendre (gendre.rei...@gmail.com):
Hi,
I wanted to run a container in an unprivileged container and I am
glad to have succeeded in doing it. The point is that I am not sure if what
i did is acceptable from the security point of view
Although setting it up was not as straightforward as your tutorial:
- Package "python3-all-dev" currently has dependency issues
(https://bugs.launchpad.net/ubuntu/+source/python3.4/+bug/1503382,
http://askubuntu.com/a/683604/331398)
I was able to solve this by adding a time.sleep(120) in
and I use this image in my
Jessie host (where I tweak my cgroups through a custom systemd service in
order to give ownerships to the unprivileged users).
Could you maybe also share that custom systemd service configuration?
Then I can continue to sit on my lazy butt and don't have to reinvent
On 13/10/2015 11:49, Fajar A. Nugraha wrote:
On Tue, Oct 13, 2015 at 4:44 PM, Christian Benke wrote:
On 13 October 2015 at 11:15, Fajar A. Nugraha wrote:
So bottom line, don't bother unless you're willing to run a
"Frankenstein", unsupported distro.
On 06/10/2015 06:03, Paul Jones wrote:
Hi.
I'm using Debian Stretch. And I would like to use unprivileged containers.
It seems by default, there is one cgroup owned by root. In order to
start an unprivileged container I need to create a new cgroup, chown it
to the unprivileged user and
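The cgroup preparation that Paul describes, and that Xavier says he does through a custom systemd service, is not shown anywhere on this page. What follows is an added example of my own (not Xavier's service, not Paul's, and not LXC project code) of the boot-time step in POSIX shell: for every cgroup v1 controller hierarchy, create a child cgroup, hand it to the unprivileged user, and move a process into it, which is what lxc-start without cgmanager needed in order to create the container's cgroups under something the user owns. The hierarchy root is a parameter so the logic can be exercised against a scratch directory; on a real Jessie/Stretch host you would run `delegate_cgroups /sys/fs/cgroup "$user" "$user"` as root from a oneshot unit, and the user's login shell would call `enter_cgroups`. The user name, cgroup name and controller names in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: give an unprivileged user its
# own cgroup in every cgroup v1 controller hierarchy so that lxc-start (without
# cgmanager) can create the container's cgroups inside it. CGROOT is normally
# /sys/fs/cgroup; it is a parameter so the logic can run against a scratch tree.

# delegate_cgroups CGROOT OWNER NAME
# For each directory CGROOT/<controller>/, create CGROOT/<controller>/NAME and
# chown it, plus its tasks and cgroup.procs files when present, to OWNER
# (a uid or uid:gid accepted by chown).
delegate_cgroups() {
    cgroot="$1"; owner="$2"; name="$3"
    for hier in "$cgroot"/*/; do
        [ -d "$hier" ] || continue
        cg="${hier}${name}"
        mkdir -p "$cg" || return 1
        chown "$owner" "$cg" || return 1
        for f in tasks cgroup.procs; do
            if [ -e "$cg/$f" ]; then
                chown "$owner" "$cg/$f" || return 1
            fi
        done
    done
    return 0
}

# enter_cgroups CGROOT NAME PID
# Move PID into NAME in every hierarchy. Fails if any hierarchy lacks a
# writable NAME/tasks, i.e. if delegation did not happen everywhere.
enter_cgroups() {
    cgroot="$1"; name="$2"; pid="$3"
    for hier in "$cgroot"/*/; do
        [ -d "$hier" ] || continue
        tasks="${hier}${name}/tasks"
        [ -w "$tasks" ] || return 1
        echo "$pid" > "$tasks" || return 1
    done
    return 0
}

# owned_in_all CGROOT NAME
# Succeed only if NAME exists and is owned by the calling user in every
# hierarchy: a quick check for a login shell before it tries lxc-start.
owned_in_all() {
    for hier in "$1"/*/; do
        [ -d "$hier" ] || continue
        [ -O "${hier}$2" ] || return 1
    done
    return 0
}

# Stand-alone demo against a constructed tree that mimics the /sys/fs/cgroup
# layout (real cgroupfs creates the tasks file itself; here we fake it).
demo() {
    tmp=$(mktemp -d)
    for c in cpu memory devices; do          # assumed controller names
        mkdir -p "$tmp/$c/lxcuser" && : > "$tmp/$c/lxcuser/tasks"
    done
    delegate_cgroups "$tmp" "$(id -u)" lxcuser &&
    enter_cgroups "$tmp" lxcuser "$$" &&
    owned_in_all "$tmp" lxcuser && echo "delegated and entered under $tmp"
    rm -rf "$tmp"
}

demo
```

Delegating to the user with chown is what makes this safe for an unprivileged container: the user can only create sub-cgroups below the directory they own, and cannot touch the root cgroup or other users' trees.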
Hi,
the rest of this message is in French, sorry for non-francophones...
As well as being interested in LXC and posting on this list, I am a
member of the Toulouse association Toulibre, whose aim is the promotion
and distribution of free software.
In this context, we are organising
Hi,
an easy way is to use lxc.mount.entry with bind in the config file of
the container. An example could be the following line:
lxc.mount.entry = /path/to/directory/in/host path/to/directory/in/container none bind,create=dir 0 0
Note the missing '/' at the beginning of the target path in
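To make the point about the target path concrete, here is an added example of my own (not from the thread and not LXC project code): a POSIX shell helper that emits a `lxc.mount.entry` bind line and refuses a container path with a leading '/', since that path is resolved under the container's rootfs, not the host's. It also rejects `..` components and lets you request a read-only bind (`bind,ro`), which is what you usually want when exposing host data to an unprivileged container. The paths in the demo calls are assumptions.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: build lxc.mount.entry lines for
# bind mounts and catch the mistakes that bite most often.

# mount_entry HOST_DIR CONTAINER_DIR [ro|rw]
# Prints: lxc.mount.entry = HOST_DIR CONTAINER_DIR none bind[,ro],create=dir 0 0
# HOST_DIR must be absolute; CONTAINER_DIR must be relative (no leading '/')
# because LXC resolves it under the container's rootfs.
mount_entry() {
    host="$1"; target="$2"; mode="${3:-rw}"
    case "$host" in
        /*) ;;
        *) echo "mount_entry: host path must be absolute: $host" >&2; return 1 ;;
    esac
    [ -n "$target" ] || { echo "mount_entry: empty container path" >&2; return 1; }
    case "$target" in
        /*) echo "mount_entry: container path must not start with '/': $target" >&2; return 1 ;;
    esac
    case "/$target/" in          # wrap in '/' so '..' is matched as a component
        */../*) echo "mount_entry: '..' not allowed in container path: $target" >&2; return 1 ;;
    esac
    case "$mode" in
        ro) opts="bind,ro,create=dir" ;;
        rw) opts="bind,create=dir" ;;
        *) echo "mount_entry: mode must be ro or rw: $mode" >&2; return 1 ;;
    esac
    printf 'lxc.mount.entry = %s %s none %s 0 0\n' "$host" "$target" "$opts"
}

# entry_target_ok LINE
# Check an existing config line the same way: succeeds only if it is an
# lxc.mount.entry whose target (4th field after the '=') is relative.
entry_target_ok() {
    set -- $1                    # split the line on whitespace
    [ "$1" = "lxc.mount.entry" ] && [ "$2" = "=" ] || return 1
    case "$4" in
        ""|/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo with assumed paths: a read-only share and a writable home directory.
mount_entry /srv/share srv/share ro
mount_entry /home/alice/data home/alice/data
```

Run it and paste the printed lines into the container's config; `create=dir` makes LXC create the target directory inside the rootfs if it is missing.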
Hello,
I have never encountered this problem with my containers. However, you should
upgrade LXC to a more recent version to see if the problem persists.
According to the version you mention, I assume that you run LXC on
Debian Wheezy (oldstable). If you do not plan to upgrade to Debian
Jessie
Hello Carlos,
> Once you replace systemd with sysvinit in the container, you get it
> booting and starting the services, but you can't login on it (via the
> login prompt) or ssh on it.
I didn't know that, i always use lxc-attach to get a prompt in my
containers and it works like a charm.
> You
Hello Fajar,
> Anyway, I wrote this several months ago, should be the easiest way to
> get unpriv jessie on jessie: http://debian-lxc.github.io/
> The repo has lxc-1.1.5 and cgmanager, ported from ubuntu.
I have just discovered your link and I wonder how I could have missed it! Thanks a
lot, it seems that
On 09/01/2016 03:23, Fajar A. Nugraha wrote:
> Anyway, I wrote this several months ago, should be the easiest way to
> get unpriv jessie on jessie: http://debian-lxc.github.io/
> The repo has lxc-1.1.5 and cgmanager, ported from ubuntu.
I have followed your tutorials and it works perfectly
Hi,
> I'm unable to ssh into any instance except the CirrOS.
For ssh, did you try to set pam_loginuid.so to "optional" in
/etc/pam.d/sshd in your containers?
Regards,
Xavier
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
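As an added example (mine, not text from the thread), here is a POSIX shell helper that applies Xavier's pam_loginuid suggestion idempotently: it downgrades the `session required pam_loginuid.so` line of a PAM service file to `optional` and leaves every other line untouched. The reason the change helps is that inside a user namespace a process cannot write /proc/self/loginuid, so pam_loginuid fails and, while it is `required`, sshd refuses the session. The sample /etc/pam.d/sshd content is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: make pam_loginuid.so optional
# in a PAM service file, idempotently, so ssh logins work in an unprivileged
# container where /proc/self/loginuid is not writable.

# relax_loginuid FILE
# Rewrite "session required pam_loginuid.so" (any whitespace) to
# "session optional pam_loginuid.so" in place. Other lines, comments and
# already-optional lines are left as they are. Fails if FILE is unreadable.
relax_loginuid() {
    [ -r "$1" ] || return 1
    tmp="$1.tmp.$$"
    sed -E 's/^([[:space:]]*session[[:space:]]+)required([[:space:]]+pam_loginuid\.so)/\1optional\2/' "$1" > "$tmp" &&
    cat "$tmp" > "$1" &&         # copy back so ownership and mode are preserved
    rm -f "$tmp"
}

# loginuid_mode FILE
# Print the control flag of the (first, uncommented) pam_loginuid.so session
# line, or "absent" if there is none.
loginuid_mode() {
    awk '$1 == "session" && $3 == "pam_loginuid.so" { print $2; found = 1; exit }
         END { if (!found) print "absent" }' "$1"
}

# demo_file: write a constructed /etc/pam.d/sshd-like file and print its path.
demo_file() {
    f=$(mktemp)
    printf '%s\n' \
        '# PAM configuration for the Secure Shell service (constructed sample)' \
        'auth       required     pam_env.so' \
        '@include common-auth' \
        'session    required     pam_loginuid.so' \
        'session    required     pam_limits.so' > "$f"
    echo "$f"
}

# Stand-alone demo; on a real container you would call:
#   relax_loginuid /etc/pam.d/sshd
f=$(demo_file)
echo "before: pam_loginuid.so is $(loginuid_mode "$f")"
relax_loginuid "$f"
echo "after:  pam_loginuid.so is $(loginuid_mode "$f")"
rm -f "$f"
```

Running `relax_loginuid` twice is harmless, which is what you want when the step lives in a container template or in configuration management.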
Hello Lars,
However, I have no idea how to do that. Is it possible to create a
container locally and pack it up to be extracted somewhere else? Would
that even be portable? If so, is there tooling for that? I use
configuration management for everything else already; LXC so far is the
only thing
Yes but you can run it in a VM where you have superuser privileges. The
goal is simply to obtain the two files meta.tar.xz and rootfs.tar.xz.
Oh, I see. I was under the impression that I would get a template
script, similar to what exists under /usr/share/lxc/templates. Are those
hand-written?
a) I need superuser privileges to run this? Running this in CI would be
ruled out then, and
Yes but you can run it in a VM where you have superuser privileges. The
goal is simply to obtain the two files meta.tar.xz and rootfs.tar.xz.
b) this downloads and builds LXC from master?
What do
Hi,
> I completed the tutorial on how to run graphics-accelerated GUI apps
> in (local) LXD containers,
> https://blog.simos.info/how-to-run-graphics-accelerated-gui-apps-in-lxd-containers-on-your-ubuntu-desktop/
>
> Compared to the previous post, this one has sound and also shows how
> to
Hi,
On 21/08/2018 at 13:39, Dirk Geschke wrote:
can you check the directory permissions for
/home/oxpd/.local/share/lxc/uidranges
As Dirk said, your problem could be related to permissions of the rootfs
itself and not to subordinate ids.
On 21/08/2018 at 12:07, Yasoda Padala wrote
Hi Yasoda,
only 10 ids is a bit short for a container. You should increase this
number to cover at least the system ids 0-999. Depending on the
distribution you run in your containers, you can be more precise and only
map the needed ids, but they all have to be covered.
Xavier
On 20/08/2018
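Two messages on this page touch the same checks: the reply about /etc/subuid and /etc/subgid earlier, and the reply to Yasoda about a 10-id mapping being too short. The POSIX shell script below is an added example of my own (not Xavier's code and not LXC project code) that verifies both: that the `lxc.id_map` lines cover at least container ids 0-999 for uids and gids, and that the host side of each mapping lies inside a range granted to the user in /etc/subuid or /etc/subgid, which is what newuidmap and newgidmap enforce when the container starts. The config and subid contents are constructed: the 10-id mapping mirrors the case in the reply to Yasoda, while the 100000/65536 ranges and the user names are assumptions.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread: validate the id mappings an
# unprivileged LXC container depends on. All inputs below are constructed.

# Constructed lxc.id_map lines. Fields: type(u|g) container_start host_start count.
SHORT_CONFIG='lxc.id_map = u 0 100000 10
lxc.id_map = g 0 100000 10'

OK_CONFIG='lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'

# Constructed /etc/subuid and /etc/subgid contents (user:start:count).
SUBUID='root:100000:65536
alice:165536:65536'
SUBGID="$SUBUID"

# idmap_covers TYPE NEEDED CONFIG
# Succeeds when the lxc.id_map lines of TYPE (u or g) in CONFIG map every
# container id in 0..NEEDED-1 to some host id; a gap anywhere in that range fails.
idmap_covers() {
    printf '%s\n' "$3" | awk -v t="$1" -v need="$2" '
        $1 == "lxc.id_map" && $3 == t {
            start = $4 + 0; cnt = $6 + 0
            for (i = start; i < start + cnt && i < need; i++) seen[i] = 1
        }
        END { for (i = 0; i < need; i++) if (!(i in seen)) exit 1; exit 0 }'
}

# idmap_in_subid TYPE USER CONFIG SUBID_TEXT
# Succeeds when every host range of TYPE in CONFIG fits entirely inside one of
# the ranges that SUBID_TEXT grants to USER.
idmap_in_subid() {
    printf '%s\n' "$3" | awk -v t="$1" -v u="$2" -v grants="$4" '
        BEGIN {
            n = split(grants, lines, "\n")
            for (k = 1; k <= n; k++) {
                split(lines[k], f, ":")
                if (f[1] == u) { lo[++m] = f[2] + 0; hi[m] = f[2] + f[3] }
            }
        }
        $1 == "lxc.id_map" && $3 == t {
            hs = $5 + 0; he = hs + $6
            ok = 0
            for (k = 1; k <= m; k++) if (hs >= lo[k] && he <= hi[k]) ok = 1
            if (!ok) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# check_container USER CONFIG: both checks, for uids and for gids.
check_container() {
    idmap_covers u 1000 "$2" && idmap_covers g 1000 "$2" &&
    idmap_in_subid u "$1" "$2" "$SUBUID" && idmap_in_subid g "$1" "$2" "$SUBGID"
}

if check_container root "$OK_CONFIG"; then echo "OK_CONFIG: usable"; fi
if ! check_container root "$SHORT_CONFIG"; then echo "SHORT_CONFIG: rejected (too few ids)"; fi
```

On a real host, feed `$(grep lxc.id_map /var/lib/lxc/NAME/config)` and the contents of /etc/subuid and /etc/subgid to these functions instead of the constructed strings; a failure of `idmap_in_subid` is the same condition that makes lxc-start fail with a newuidmap error.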
Hello Lukas,
unprivileged buster containers on a buster host run like a charm. Your
config includes a lot of stuff that is not suited to an unprivileged
container (apparmor, ...). First, you should try with a simpler
configuration file such as the following one.
---%<--%<--%<---
Pirl
To: lxc-users@lists.linuxcontainers.org
Subject: Re: [lxc-users] unprivileged Debian Buster container on Debian Buster
host fail to start: no cgroups, no controllers
Date: Wed, 29 May 2019 00:11:29 +0200
On Tue, 2019-05-28 21:50 +0200, Xavier Gendre wrote as excerpted:
Hello Lukas