<div dir="ltr"><div>i can't start the container and i have find 0 lines in the .log file ! <br><br><br>root@localhost:/var/log/lxc# lxc-start -n worker1 <br>^C<br>root@localhost:/var/log/lxc# vim worker1.log <br>root@localhost:/var/log/lxc# <br><br></div>Best Regards. <br><br><br><div><div class="gmail_extra"><br><div class="gmail_quote">2015-06-20 13:00 GMT+01:00 <span dir="ltr"><<a href="mailto:lxc-users-request@lists.linuxcontainers.org" target="_blank">lxc-users-request@lists.linuxcontainers.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send lxc-users mailing list submissions to<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:lxc-users-request@lists.linuxcontainers.org">lxc-users-request@lists.linuxcontainers.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:lxc-users-owner@lists.linuxcontainers.org">lxc-users-owner@lists.linuxcontainers.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of lxc-users digest..."<br>
<br>Today's Topics:<br>
<br>
1. "mesh networking" for lxc containers (similar to weave)?<br>
(Tomasz Chmielewski)<br>
2. Re: Nested container in unpriviledged container (Xavier Gendre)<br>
3. Re: "mesh networking" for lxc containers (similar to weave)?<br>
(Christoph Lehmann)<br>
4. Re: "mesh networking" for lxc containers (similar to weave)?<br>
(Tomasz Chmielewski)<br>
5. Re: "mesh networking" for lxc containers (similar to weave)?<br>
(Janjaap Bos)<br>
6. Where can i find the causes of restart problems (Thouraya TH)<br>
7. Re: Where can i find the causes of restart problems (Janjaap Bos)<br>
<br><br>---------- Message transféré ----------<br>From: Tomasz Chmielewski <<a href="mailto:mangoo@wpkg.org">mangoo@wpkg.org</a>><br>To: <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>Cc: <br>Date: Sat, 20 Jun 2015 01:15:23 +0900<br>Subject: [lxc-users] "mesh networking" for lxc containers (similar to weave)?<br>Are there any solutions which would let one build "mesh networking" for lxc containers, similar to what weave does for docker?<br>
<br>
Assumptions:<br>
<br>
- multiple servers (hosts) which are not in the same subnet (i.e. in different DCs in different countries),<br>
- containers share the same subnet (i.e. <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a>), no matter on which host they are running<br>
- if container is migrated to a different host, it is still reachable on the same IP address without any changes in the networking<br>
<br>
<br>
I suppose the solution would run only once on each of the hosts, rather than in each container.<br>
<br>
Is there something similar for lxc?<br>
<br>
-- <br>
Tomasz Chmielewski<br>
<a href="http://wpkg.org" rel="noreferrer" target="_blank">http://wpkg.org</a><br>
<br>
<br>
<br><br>---------- Message transféré ----------<br>From: Xavier Gendre <<a href="mailto:gendre.reivax@gmail.com">gendre.reivax@gmail.com</a>><br>To: <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>Cc: <br>Date: Fri, 19 Jun 2015 18:44:14 +0200<br>Subject: Re: [lxc-users] Nested container in unpriviledged container<br>Le 18/06/2015 06:35, Serge Hallyn a écrit :<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Quoting Xavier Gendre (<a href="mailto:gendre.reivax@gmail.com" target="_blank">gendre.reivax@gmail.com</a>):<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Le 15/06/2015 17:17, Serge Hallyn a écrit :<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Quoting Xavier Gendre (<a href="mailto:gendre.reivax@gmail.com" target="_blank">gendre.reivax@gmail.com</a>):<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi,<br>
<br>
i wanted to run a container in an unpriviledged container and i am<br>
glad to succes in doing it. The point is that i am not sure if what<br>
i did is acceptable from the security point of view or not...<br>
<br>
Here are the steps i did:<br>
<br>
1) create an unpriviledged container (lxc.id_map, ...) called 'test'.<br>
<br>
2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in<br>
its config file:<br>
<br>
lxc.mount.auto = cgroup:mixed<br>
<br>
3) create a basic container called 'p1' with the download template<br>
as root in 'test'.<br>
<br>
4) in the host, i chown the cgroup hierarchy of 'test' to give it to<br>
the user id mapped to the id 0 in 'test' (this id is 362144 in my<br>
example),<br>
<br>
for T in `ls /sys/fs/cgroup`; do<br>
chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test<br>
done<br>
<br>
5) succesfully start the container 'p1' in 'test' :-)<br>
<br>
I am not an expert with cgroups and i am wondering if i am letting<br>
the devil enters in my home with that...<br>
<br>
So, what is your opinion: is it a possible security break or is it safe?<br>
</blockquote>
<br>
Two things to make this safer<br>
<br>
1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe<br>
its 'tasks' and 'cgroup.procs' files. That way the container can create<br>
sub-cgroups but cannot raise its own limits.<br>
<br>
2. Only do this for the controllers you definately need. Freezer and<br>
memory for example. Then set lxc.cgroup.use in /etc/lxc/lxc.conf<br>
(see lxc.system.conf(5)).<br>
<br>
-serge<br>
</blockquote>
<br>
Hello Serge,<br>
<br>
thank you for your advices. Indeed, chowning only the directories is<br>
sufficient to start the nested container. I did not have to chown<br>
'tasks' and 'cgroup.procs' in order to simply start it.<br>
<br>
Your second point is more obscur for me... For now, i have to chown<br>
all the controllers:<br>
<br>
'blkio' 'cpu,cpuacct' 'cpuset' 'devices' 'freezer'<br>
'net_cls,net_prio' 'perf_event'<br>
<br>
When you say 'need', it applies to the container 'test' or to 'p1'<br>
in my example?<br>
</blockquote>
<br>
The child one, p1. With new enough lxc you should be able to<br>
use only freezer, setting that as lxc.cgroup.use in the<br>
system lxc.conf.<br>
</blockquote>
<br>
Arf, for now, i am still working with Debian Jessie and LXC 1.0.7. I will be able to try your suggestions when more recent version of LXC will appear in Debian repositories. Thus, i continue to chown my whole list of controllers :-°<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
If i plan to allow quite general containers to run in<br>
my unpriviledged container, all the controllers should be chowned or<br>
is there some that are definitely not needed?<br>
</blockquote>
<br>
General containers are fine, it's only if you need the nested containers<br>
to be more finely restricted, i.e. if you simply must be able to<br>
allocated only a subset of test1's cpus or memory.<br>
</blockquote>
<br>
Ok, thanks for this example, it is clearer for me now.<br>
<br>
Thank you for these explanations,<br>
Xavier<br>
<br>
<br><br>---------- Message transféré ----------<br>From: Christoph Lehmann <<a href="mailto:post@christophlehmann.eu">post@christophlehmann.eu</a>><br>To: LXC users mailing-list <<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a>><br>Cc: <br>Date: Fri, 19 Jun 2015 20:20:21 +0200<br>Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?<br><div>There is no magic with lxcs networking. Its just a bridge and some iptables rules for NAT and a dhcp server.<br>
<br>
You can setup a bridge on your public interface, configure the container to use that bridge and do the same on your second host.<br><br><div class="gmail_quote">Am 19. Juni 2015 18:15:23 MESZ, schrieb Tomasz Chmielewski <<a href="mailto:mangoo@wpkg.org" target="_blank">mangoo@wpkg.org</a>>:<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<pre>Are there any solutions which would let one build "mesh networking" for <br>lxc containers, similar to what weave does for docker?<br><br>Assumptions:<br><br>- multiple servers (hosts) which are not in the same subnet (i.e. in <br>different DCs in different countries),<br>- containers share the same subnet (i.e. <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a>), no matter on which <br>host they are running<br>- if container is migrated to a different host, it is still reachable on <br>the same IP address without any changes in the networking<br><br><br>I suppose the solution would run only once on each of the hosts, rather <br>than in each container.<br><br>Is there something similar for lxc?<br></pre></blockquote></div><br>
-- <br>
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.</div><br><br>---------- Message transféré ----------<br>From: Tomasz Chmielewski <<a href="mailto:mangoo@wpkg.org">mangoo@wpkg.org</a>><br>To: LXC users mailing-list <<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a>><br>Cc: <br>Date: Sat, 20 Jun 2015 10:37:12 +0900<br>Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?<br>I know this is just "normal networking", however, there are at least two issues with your suggestions:<br>
<br>
- it assumes the hosts are in the same subnet (say, connected to the same switch), so it won't work if the hosts have two different public IPs (i.e. 46.1.2.3 and 124.8.9.10)<br>
<br>
- with just two hosts, you may overcome the above limitation with some VPN magic; however, it becomes problematic as the number of hosts grows (imagine 10 or more hosts, trying to set it up without SPOF / central VPN server; ideally, the hosts should talk to themselves using the shortest paths possible)<br>
<br>
<br>
Therefore, I'm asking if there is any better "magic", as you say, for lxc networking?<br>
Possibly it could be achieved with tinc, running on hosts only - <a href="http://www.tinc-vpn.org/" rel="noreferrer" target="_blank">http://www.tinc-vpn.org/</a> - but haven't really used it.<br>
And maybe people have other ideas?<br>
<br>
-- <br>
Tomasz Chmielewski<br>
<a href="http://wpkg.org" rel="noreferrer" target="_blank">http://wpkg.org</a><br>
<br>
<br>
On 2015-06-20 03:20, Christoph Lehmann wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
There is no magic with lxcs networking. Its just a bridge and some<br>
iptables rules for NAT and a dhcp server.<br>
<br>
You can setup a bridge on your public interface, configure the<br>
container to use that bridge and do the same on your second host.<br>
<br>
Am 19. Juni 2015 18:15:23 MESZ, schrieb Tomasz Chmielewski<br>
<<a href="mailto:mangoo@wpkg.org" target="_blank">mangoo@wpkg.org</a>>:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Are there any solutions which would let one build "mesh networking"<br>
for<br>
lxc containers, similar to what weave does for docker?<br>
<br>
Assumptions:<br>
<br>
- multiple servers (hosts) which are not in the same subnet (i.e. in<br>
<br>
different DCs in different countries),<br>
- containers share the same subnet (i.e. <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a> [1]), no matter<br>
on which<br>
host they are running<br>
- if container is migrated to a different host, it is still<br>
reachable on<br>
the same IP address without any changes in the networking<br>
<br>
I suppose the solution would run only once on each of the hosts,<br>
rather<br>
than in each container.<br>
<br>
Is there something similar for lxc?<br>
</blockquote>
<br>
--<br>
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail<br>
gesendet.<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
</blockquote>
<br>
<br>
<br><br>---------- Message transféré ----------<br>From: Janjaap Bos <<a href="mailto:janjaapbos@gmail.com">janjaapbos@gmail.com</a>><br>To: LXC users mailing-list <<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a>><br>Cc: <br>Date: Sat, 20 Jun 2015 08:16:27 +0200<br>Subject: Re: [lxc-users] "mesh networking" for lxc containers (similar to weave)?<br><div dir="ltr">Yes, ZeroTier provides peer-to-peer virtual networking. It is cloud / container / virtualiser agnostic. It will work anywhere and we use it for connecting containers & vm's across clouds. Also to provide access to users on Windows / OSX.<div><br></div><div>Within the container you need access to the /dev/net/tun device and depending on the flavour (lxc / lxd / docker) net_admin capabilities.</div><div><br></div><div>You can download it at <a href="https://www.zerotier.com" target="_blank">https://www.zerotier.com</a> or build it from <a href="https://github.com/zerotier/ZeroTierOne" target="_blank">https://github.com/zerotier/ZeroTierOne</a></div><div><br></div><div>Since it is peer-to-peer there is very little overhead. Packets destined for local peers will stay within the local net. You can create very large distributed flat ether networks. Great for the type of cloud backplane you described.</div><div><br></div><div>Also, this enables you to live migrate instances while maintaining their network configuration.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-06-20 3:37 GMT+02:00 Tomasz Chmielewski <span dir="ltr"><<a href="mailto:mangoo@wpkg.org" target="_blank">mangoo@wpkg.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I know this is just "normal networking", however, there are at least two issues with your suggestions:<br>
<br>
- it assumes the hosts are in the same subnet (say, connected to the same switch), so it won't work if the hosts have two different public IPs (i.e. 46.1.2.3 and 124.8.9.10)<br>
<br>
- with just two hosts, you may overcome the above limitation with some VPN magic; however, it becomes problematic as the number of hosts grows (imagine 10 or more hosts, trying to set it up without SPOF / central VPN server; ideally, the hosts should talk to themselves using the shortest paths possible)<br>
<br>
<br>
Therefore, I'm asking if there is any better "magic", as you say, for lxc networking?<br>
Possibly it could be achieved with tinc, running on hosts only - <a href="http://www.tinc-vpn.org/" rel="noreferrer" target="_blank">http://www.tinc-vpn.org/</a> - but haven't really used it.<br>
And maybe people have other ideas?<span><br>
<br>
-- <br>
Tomasz Chmielewski<br>
<a href="http://wpkg.org" rel="noreferrer" target="_blank">http://wpkg.org</a><br>
<br>
<br></span><span>
On 2015-06-20 03:20, Christoph Lehmann wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>
There is no magic with lxcs networking. Its just a bridge and some<br>
iptables rules for NAT and a dhcp server.<br>
<br>
You can setup a bridge on your public interface, configure the<br>
container to use that bridge and do the same on your second host.<br>
<br>
Am 19. Juni 2015 18:15:23 MESZ, schrieb Tomasz Chmielewski<br>
<<a href="mailto:mangoo@wpkg.org" target="_blank">mangoo@wpkg.org</a>>:<br>
<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>
Are there any solutions which would let one build "mesh networking"<br>
for<br>
lxc containers, similar to what weave does for docker?<br>
<br>
Assumptions:<br>
<br>
- multiple servers (hosts) which are not in the same subnet (i.e. in<br>
<br>
different DCs in different countries),<br></span>
- containers share the same subnet (i.e. <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a> [1]), no matter<span><br>
on which<br>
host they are running<br>
- if container is migrated to a different host, it is still<br>
reachable on<br>
the same IP address without any changes in the networking<br>
<br>
I suppose the solution would run only once on each of the hosts,<br>
rather<br>
than in each container.<br>
<br>
Is there something similar for lxc?<br>
</span></blockquote><span>
<br>
--<br>
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail<br>
gesendet.<br></span><span>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
</span></blockquote><div><div>
<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></div></div></blockquote></div><br></div>
<br><br>---------- Message transféré ----------<br>From: Thouraya TH <<a href="mailto:thouraya87@gmail.com">thouraya87@gmail.com</a>><br>To: LXC users mailing-list <<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a>><br>Cc: <br>Date: Sat, 20 Jun 2015 12:56:03 +0100<br>Subject: [lxc-users] Where can i find the causes of restart problems<br><div dir="ltr"><div><div>Hello all,<br><br>Please, i try to run my container but it is blocked.<br><br><br>lxc-start -n worker1<br><br><br>Where can i find the causes of restart problems ? (logs?)<br><br><br></div>Thanks a lot.<br></div>Best Regards.<br></div>
<br><br>---------- Message transféré ----------<br>From: Janjaap Bos <<a href="mailto:janjaapbos@gmail.com">janjaapbos@gmail.com</a>><br>To: LXC users mailing-list <<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a>><br>Cc: <br>Date: Sat, 20 Jun 2015 13:57:56 +0200<br>Subject: Re: [lxc-users] Where can i find the causes of restart problems<br><div dir="ltr">/var/log/lxc<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-06-20 13:56 GMT+02:00 Thouraya TH <span dir="ltr"><<a href="mailto:thouraya87@gmail.com" target="_blank">thouraya87@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>Hello all,<br><br>Please, i try to run my container but it is blocked.<br><br><br>lxc-start -n worker1<br><br><br>Where can i find the causes of restart problems ? (logs?)<br><br><br></div>Thanks a lot.<br></div>Best Regards.<br></div>
<br>_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br></blockquote></div><br></div>
<br>_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br></blockquote></div><br></div></div></div>