Date: Tue, 4 Aug 2020 09:37:08 +0100
From: Mark Hindley <[email protected]>
To: Saman Behnam <[email protected]>
Cc: [email protected]
Subject: Re: bug#502: LXC unprivileged containers

On Mon, Aug 03, 2020 at 02:49:24PM -0700, Saman Behnam wrote:
> Hi Mark,
> It's not a LXC bug. Else I would have filed it to the LXC devs.
> But it's very hard to get unprivileged running without those missing
> setup defaults.
>
> Stéphane Graber (a main lxc dev) had hard times debugging and figuring
> out the problem.
> It would be a very nice default for the Devuan lxc package.
> I had LXC running on Ubuntu 18 and moved to Devuan.
> Obviously there seems to be differences between Ubuntu and Debian
> packaging.

Thanks for your analysis.

[…]

> Those settings were out of the box in Ubuntu.
> What you see above is my suggestion for Devuan.
> I recursively grepped /etc for those settings on Ubuntu and found
> nothing.
> Not sure if it's just the kernel defaults in Ubuntu!
> The whole thing is more of a technical packaging issue than a bug.
> Since I've seen that behavior on a Devuan system I felt the Devuan
> package maintainer would be the right one to address.

OK, I understand that.

Devuan doesn't maintain separate lxc packages. We use the Debian packages directly without recompilation. So the Debian package maintainer is the person to ask to incorporate your suggested default config.

Does that make sense?

Thanks.

Mark
Date: Mon, 3 Aug 2020 12:48:01 +0100
From: Mark Hindley <[email protected]>
To: Saman Behnam <[email protected]>, [email protected]
Subject: Re: bug#502: LXC unprivileged containers

Control: tags -1 debian moreinfo

On Sun, Aug 02, 2020 at 07:04:11PM -0600, Saman Behnam wrote:
> Package: lxc
> Version: 1:3.1.0+really3.0.3-8
> System: Devuan Beowulf
> After a clean install of the lxc package, containers do not work unless I
> do the following.

Saman,

Thanks for this.

lxc is not a forked package and Devuan uses Debian's packages directly without recompilation.

Neither I nor (AFAIK) any of the Devuan devs are active users of lxc. Do you expect this to work out of the box or is this just necessary configuration?

If you really think there is a bug here to be addressed, please report it directly to Debian's BTS.

Thanks.

Mark
Date: Sun, 2 Aug 2020 19:04:11 -0600
From: Saman Behnam <[email protected]>
To: [email protected]
Subject: LXC unprivileged containers

Package: lxc
Version: 1:3.1.0+really3.0.3-8
System: Devuan Beowulf

After a clean install of the lxc package, containers do not work unless I do the following.

add to sysctl.conf
##################
# LXC Devuan unprivileged
# containers
kernel.unprivileged_userns_clone = 1

# LXC kernel setting (optional)
# Makes dmesg work for
# non root users.
kernel.dmesg_restrict = 0

create and configure
####################
/etc/lxc/lxc-usernet
/etc/default/lxc-net

I suggest adding a file with the above settings that goes to "/etc/sysctl.d", and making "sysctl.conf" include "/etc/sysctl.d".

Also add files:
/etc/lxc/lxc-usernet
/etc/default/lxc-net

~ $ cat /etc/lxc/lxc-usernet
# USERNAME TYPE BRIDGE COUNT
# examplecontainer1 veth lxcbr0 1
# examplecontainer2 veth lxcbr0 2

~ $ cat /etc/default/lxc-net
# This file is auto-generated by lxc.postinst if it does not
# exist.  Customizations will not be overridden.
# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers.  Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.
USE_LXC_BRIDGE="false"

# If you change the LXC_BRIDGE to something other than lxcbr0, then
# you will also need to update your /etc/lxc/default.conf as well as the
# configuration (/var/lib/lxc/<container>/config) for any containers
# already created using the default config to reflect the new bridge
# name.
# If you have the dnsmasq daemon installed, you'll also have to update
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
# dnsmasq.  For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
# container 'mail1' always get ip address 10.0.3.100.
#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf

# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
# domain.  You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)
# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf,
# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager).
# Once these changes are made, restart the lxc-net and network-manager services.
# 'container1.lxc' will then resolve on your host.
#LXC_DOMAIN="lxc"

Thank you for a great and clean distribution!

Saman
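As an added example (not code from the bug report or from the lxc package), this POSIX shell script checks a host for the prerequisites the report lists: the two sysctl values and the veth quota granted in lxc-usernet. The function names, default paths and the constructed sample files are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the lxc package: check a host
# for the prerequisites the report lists before trying an unprivileged container.
# Paths default to the real locations, but every function accepts an override so
# the checks below run against constructed sample files.

# Succeed (exit 0) if kernel.unprivileged_userns_clone is set to 1 in the given
# sysctl file; commented-out lines do not count, and the last setting wins.
userns_enabled() {
    f="${1:-/etc/sysctl.conf}"
    v=$(sed -n 's/^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$f" | tail -n 1)
    [ "$v" = "1" ]
}

# Succeed unless the given sysctl file sets kernel.dmesg_restrict to 0. The
# report calls this optional; 0 lets every local user read the kernel log.
dmesg_restricted() {
    f="${1:-/etc/sysctl.conf}"
    v=$(sed -n 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$f" | tail -n 1)
    [ "$v" != "0" ]
}

# Print the number of veth interfaces a user may attach to a bridge according
# to lxc-usernet (columns: USERNAME TYPE BRIDGE COUNT). Prints 0 if no entry
# matches; comment lines and short lines are skipped.
usernet_quota() {
    user="$1"; bridge="$2"; f="${3:-/etc/lxc/lxc-usernet}"
    awk -v u="$user" -v b="$bridge" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == u && $2 == "veth" && $3 == b { n = $4 }
        END { print n + 0 }' "$f"
}

# Constructed sample files mirroring the report's suggested settings. The
# lxc-usernet entries are uncommented here so that a quota is actually granted.
tmp=$(mktemp -d)
cat > "$tmp/sysctl.conf" <<'EOF'
# LXC Devuan unprivileged containers
kernel.unprivileged_userns_clone = 1
# Makes dmesg work for non root users (optional)
kernel.dmesg_restrict = 0
EOF
cat > "$tmp/lxc-usernet" <<'EOF'
# USERNAME TYPE BRIDGE COUNT
examplecontainer1 veth lxcbr0 1
examplecontainer2 veth lxcbr0 2
EOF

# Summary over the samples; point the functions at the real paths on a live host.
if userns_enabled "$tmp/sysctl.conf"; then echo "userns clone: enabled"; else echo "userns clone: disabled"; fi
echo "veth quota for examplecontainer2 on lxcbr0: $(usernet_quota examplecontainer2 lxcbr0 "$tmp/lxc-usernet")"
dmesg_restricted "$tmp/sysctl.conf" || echo "note: kernel.dmesg_restrict=0 exposes the kernel log to all local users"
```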
Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.
Devuan Bugs Owner <[email protected]>.
Last modified:
Sat, 18 Jan 2025 04:39:02 UTC