[Lxc-users] Working LXC templates?

Michael H. Warfield mhw at WittsEnd.com
Wed Sep 4 13:40:49 UTC 2013


This issue really belongs on -devel since it's a template development
issue that really impacts all the template writers.

On Tue, 2013-09-03 at 09:26 -0700, Tony Su wrote:
> Thx all for the replies,

> - lxc-version returns 0.8.0. Looking around, there might be a more current
> unstable, but AFAIK it's the most recently released stable.

This is not going to work.  0.8.0 will not support systemd in a
container, which all recent supported versions of Fedora are going to
require.  0.8.0 may be the more recently released stable "FROM OpenSuse"
but it is not the more recently released stable from LXC.  The most
recently released stable from LXC is 0.9.0 and even that doesn't have
some of the necessary patches to the Fedora Template.  Your best bet
would be to build from the stage branch in git.

You may need to wait until we release 1.0.0 and I'll take some of your
thoughts into consideration for the Fedora template but I have no way to
test them on OpenSuse at this time.  Once we release 1.0.0, you'll still
have the problem with what OpenSuse releases as their stable.  We have
no control over what they decide and do.

> - I'd have to re-run to get the SSL error again but I think I've described
> its error accurately, no further explanation except that the identity of
> the remote server cannot be authenticated. This would lead me to guess that
> the server is not registered properly with a public CA (eg using a CA root
> that isn't in a bootstrap Fedora) so guessing that perhaps an option should
> be offered that allows over-riding authentication? SSL encryption of course
> should still be implemented for security.

Well, I can give you an argument if the error was described accurately
enough.  I didn't see any site names I could test to see what the root
CA is.  Without that, I can't tell you why you're seeing that error.  I
understand fully what the error is (having my own private CA for private
activities) but I can't determine the origin without knowing the source.

<WAG - Wild Ass Guess>

I suspect that their certs are properly signed by a CA particular to the
Fedora Project and properly contained in the Fedora rpm root store, so
it may really be yet another cross distribution issue that depends on
the distribution peculiar packages and configurations.

Since there's probably no need (I see no need) for the Fedora
Repositories to be "registered properly with a public CA" (and pay the
extra expense), I would say the term "properly" is misused in this case.
The rpms are all signed by the Fedora Project and their gpg key so,
integrity shouldn't be an example unless someone intercepts the original
rootfs build and provides a trojaned package with the gpg keys.

</WAG>

Since this is an inter-distribution issue, I'm not sure what the proper
solution would be (assuming my WAG is true) or what LXC can do to
address it.  I also don't know why Ubuntu / Debian is not experiencing
this problem either.  But, without some example names of specific sites
exhibiting this problem (I don't run OpenSuse) I have no way to
investigate further.

Yeah, we could probably add an option to the template to ignore the SSL
check or to use an alternate rootca store (if we can avoid the
catch-22) but it may be better to investigate a more generic,
distribution agnostic, solution to these types of problems.

I do think it is an issue with the whole "distribution agnostic
template" problem that may require some help from the distros or some
innovative ideas of how we can bootstrap distros using distro agnostic
tools (like stone knives and bear skins style install of the rootfs
using nothing more than tar, gzip, gpg, and curl or wget).

> - The lxc-create issue is definitely there. At first, I encountered it
> using the openSUSE YAST LXC container applet, but then when I invoked
> lxc-create from a console, the "help" verifies it supports few options
> and not these. But, as I described, if the template requires parameters,
> it's also possible to simply provide them in the script instead of at
> runtime as command switches (but might not be apparent at first to someone
> reading your script).
> 
> Tony

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
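The "stone knives and bear skins" bootstrap Mike sketches above (tar, gzip, gpg, curl) combined with the alternate root CA store he mentions, written out as an added example that is not part of this thread or of the LXC templates. It keeps TLS verification on by pointing curl at an explicit CA bundle instead of disabling the check, and verifies the rootfs tarball's detached signature against a dedicated keyring before unpacking; the function and parameter names are assumed for illustration.

```shell
#!/bin/sh
# Added example: minimal distro-agnostic rootfs bootstrap that never turns
# TLS verification off and checks a GPG signature before extraction.
set -eu

# Build curl's TLS options. An explicit CA bundle replaces the host distro's
# root store for this download; --insecure is never emitted. With no bundle
# given, nothing is printed and curl uses its default store.
curl_tls_args() {
    if [ -n "${1:-}" ]; then
        [ -r "$1" ] || { echo "CA bundle not readable: $1" >&2; return 1; }
        printf -- '--cacert %s' "$1"
    fi
}

# Verify a detached signature against a keyring holding only the distro's
# release key, so the check does not depend on the host's trust setup.
# Returns 0 only when all inputs exist, gpgv is present, and the signature is good.
verify_rootfs() {
    tarball=$1; sig=$2; keyring=$3
    for f in "$tarball" "$sig" "$keyring"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not installed" >&2; return 1; }
    gpgv --keyring "$keyring" "$sig" "$tarball"
}

# Download tarball and signature, verify, then unpack into the container rootfs.
# Usage: bootstrap_rootfs URL DEST KEYRING [CA_BUNDLE]   (all values assumed)
bootstrap_rootfs() {
    url=$1; dest=$2; keyring=$3; ca_bundle=${4:-}
    # Resolve the TLS args first: with set -e an unreadable bundle aborts here
    # instead of silently falling back to the system store inside the curl line.
    tls=$(curl_tls_args "$ca_bundle")
    work=$(mktemp -d)
    # $tls is intentionally unquoted so "--cacert FILE" splits into two words.
    curl -fsSL $tls -o "$work/rootfs.tar.gz" "$url"
    curl -fsSL $tls -o "$work/rootfs.tar.gz.sig" "$url.sig"
    verify_rootfs "$work/rootfs.tar.gz" "$work/rootfs.tar.gz.sig" "$keyring"
    mkdir -p "$dest"
    tar -xzf "$work/rootfs.tar.gz" -C "$dest"
    rm -rf "$work"
}
```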