<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Hi,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I am in a situation where we desire to run our old OS environment inside Ubuntu Core. So far we have identified LXD as being a candidate to enable us to run our past Linux OS environment within the new one.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
At this time our goal is to apply the least amount of modification to our existing OS in order to test and validate such an approach.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I therefore need to run an LXC container with pretty much zero security, so as to allow the old OS to load kernel modules, access /proc, /sys, etc.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I was able to disable AppArmor and remove any capability drop using</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span>printf "lxc.cap.keep = ''\nlxc.apparmor.profile = unconfined" | sudo lxd.lxc config set c1 raw.lxc -</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<div>sudo lxd.lxc config set c1 security.privileged true</div>
</div>
</blockquote>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span></span><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Yet, when I tried to disable seccomp using lxc.seccomp.profile = none, I obtained an error, as the profile 'none' was not found by the seccomp profile reader. I am wondering if this is a problem with lxc itself or with Ubuntu Core not providing a definition
of what a seccomp "none" profile would be. </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I am taking the information as to disable seccomp from this page <a href="https://ubuntu.com/server/docs/containers-lxd" style="">https://ubuntu.com/server/docs/containers-lxd</a></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<h2 style="max-width: 40em; font-weight: 100; margin-top: 0px; font-size: 2.22819rem; line-height: 3rem; margin-bottom: 0.8rem; padding-top: 1.7rem; font-family: Ubuntu, -apple-system, "Segoe UI", Roboto, Oxygen, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; color: rgb(17, 17, 17); background-color: rgb(255, 255, 255);">
Seccomp</h2>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<p style="line-height: 1.5rem; margin-top: 0px; padding-top: 0.4005rem; margin-bottom: 1.1rem; max-width: 40em; font-family: Ubuntu, -apple-system, "Segoe UI", Roboto, Oxygen, Cantarell, "Fira Sans", "Droid Sans", "Helvetica Neue", sans-serif; font-size: 18px; font-weight: 300; color: rgb(17, 17, 17); background-color: rgb(255, 255, 255);">
All containers are confined by a default seccomp policy. This policy prevents some dangerous actions such as forced umounts, kernel module loading and unloading, kexec, and the<span> </span><code style="font-family: "Ubuntu Mono", Consolas, Monaco, Courier, monospace; font-size: 1em; box-shadow: rgb(229, 229, 229) 0px 0px 0px 0.25rem; margin-left: 0.25rem; margin-right: 0.25rem; text-align: left; hyphens: none; tab-size: 4; word-spacing: normal; overflow-wrap: break-word; background-color: rgb(229, 229, 229);">open_by_handle_at</code><span> </span>system
call. The seccomp configuration cannot be modified, however a completely different seccomp policy – or none – can be requested using<span> </span><code style="font-family: "Ubuntu Mono", Consolas, Monaco, Courier, monospace; font-size: 1em; box-shadow: rgb(229, 229, 229) 0px 0px 0px 0.25rem; margin-left: 0.25rem; margin-right: 0.25rem; text-align: left; hyphens: none; tab-size: 4; word-spacing: normal; overflow-wrap: break-word; background-color: rgb(229, 229, 229);">raw.lxc</code><span> </span>(see
below).</p>
</div>
</blockquote>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Another issue I am facing is that I am getting lots of permission denied / read-only fs errors for /proc and /sys. I was intending to play with the option lxc.mount.auto, setting it to a value such as "proc:rw sys:rw". Do I need to put more into that config item
to get the container to see the system as closely as possible to how it would if it were not running inside a system container?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Finally, a problem I am seeing is that whenever I try to launch a shell within my image (which is RUNNING), I get permission denied on any binary I try to run:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
sudo lxd.lxc exec c1 /bin/ash</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
~ # ls</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
ls: permission denied</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Yet, ls is a link to busybox, and so is /sbin/init, which was successfully executed to get to the RUNNING state. I can run an Ubuntu image and execute a shell in it, so I am guessing this has to do with configuration. My image is a tarball I constructed with --owner=0
--group=0 so that all files use UID/GID = 0.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Any help on any of those would be appreciated, again, my goal here is to ease a transition and I do not need LXC for the security aspect, but more for the system container aspect and being able to run other environments within it.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
--</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Yannick Koehler</div>
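<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
An added example (not part of the post above, and not LXD's own code) that audits the kind of configuration described in this message: it parses the security.privileged key and the raw.lxc lines the post sets for container c1 and reports which isolation layers (privileged mode, capability drops, AppArmor, seccomp, writable /proc and /sys) those settings remove. The config map is constructed inline, so it runs without LXD; the layer names and the helper functions are assumptions of this example.</div>

```python
from typing import Dict, List

# Constructed sample: the settings the post applies to container c1
# (security.privileged plus the raw.lxc lines piped in via printf).
SAMPLE_CONFIG: Dict[str, str] = {
    "security.privileged": "true",
    "raw.lxc": ("lxc.cap.keep = ''\n"
                "lxc.apparmor.profile = unconfined\n"
                "lxc.mount.auto = proc:rw sys:rw"),
}


def parse_raw_lxc(raw: str) -> Dict[str, str]:
    """Turn the newline-separated 'key = value' lines of raw.lxc into a dict.

    Blank lines and comments are skipped; surrounding quotes are stripped so
    that lxc.cap.keep = '' yields an empty string, as the post intends.
    """
    parsed: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parsed[key.strip()] = value.strip().strip("'\"")
    return parsed


def audit(config: Dict[str, str]) -> List[str]:
    """Return the sorted names of isolation layers the config removes or overrides."""
    removed = set()
    if config.get("security.privileged", "false").strip().lower() == "true":
        removed.add("privileged")  # no uid/gid shift: container root is host root
    raw = parse_raw_lxc(config.get("raw.lxc", ""))
    if "lxc.cap.keep" in raw or raw.get("lxc.cap.drop") == "":
        removed.add("capabilities")  # capability keep/drop lists overridden via raw.lxc
    if raw.get("lxc.apparmor.profile") == "unconfined":
        removed.add("apparmor")
    if "lxc.seccomp.profile" in raw:
        removed.add("seccomp")  # default seccomp policy replaced or disabled
    auto = set(raw.get("lxc.mount.auto", "").split())
    if auto & {"proc:rw", "sys:rw"}:
        removed.add("proc_sys_rw")  # writable /proc or /sys from inside the container
    return sorted(removed)


if __name__ == "__main__":
    for layer in audit(SAMPLE_CONFIG):
        print("isolation removed:", layer)
```

For the post's configuration the audit lists apparmor, capabilities, privileged and proc_sys_rw but not seccomp, matching the message's report that the seccomp override did not take effect.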
</body>
</html>