[lxc-users] Problem with lxc.network.script...

Serge Hallyn serge.hallyn at ubuntu.com
Fri Jan 30 13:10:18 UTC 2015 

Quoting PONCET Anthony (ff240 at msn.com):
> Le 29/01/2015 16:34, PONCET Anthony a écrit :
> >Le 29/01/2015 15:21, Serge Hallyn a écrit :
> >>Quoting PONCET Anthony (ff240 at msn.com):
> >>>Le 29/01/2015 12:30, Serge Hallyn a écrit :
> >>>>Quoting PONCET Anthony (ff240 at msn.com):
> >>>>>Dear,
> >>>>>I'm using LXC on Ubuntu 14.04 (version : 1.0.7), with unprivileged
> >>>>>containers.
> >>>>>I try to use the lxc.network.script.up and lxc.network.script.down
> >>>>>for allow one container in my firewall (iptables/ip6tables).
> >>>>>I've allowed a user to execute /sbin/iptables and /sbin/ip6tables
> >>>>>with sudo, and if I run my script manually, it run without problem.
> >>>>>But when I started my container, my script doesn't run (I added
> >>>>>"echo "test" >> test.log" on top of the script and test.log never
> >>>>>created, and no rules added to iptables).
> >>>>>I used the veth network mode, and I added my user in
> >>>>>/etc/lxc/lxc-usernet.
> >>>>>I define the lxc.logfile and lxc.loglevel = 1 but not
> >>>>>error are logged.
> >>>>>Do you have an idea to solve my problem?
> >>>>Can you please show the exact commands you used to create and
> >>>>start the container, the container config file, the script
> >>>>contents, and the script file owner/mode (ls -l output)?
> >>>>_______________________________________________
> >>>>lxc-users mailing list
> >>>>lxc-users at lists.linuxcontainers.org
> >>>>http://lists.linuxcontainers.org/listinfo/lxc-users
> >>>Yes,
> >>>lxc-create -t download -n ct_name -- -d ubuntu -r trusty -a amd64
> >>Yeah, sorry, i wasn't thinking right.  The network up and down
> >>scripts do not work for unpriileged containers right now.
> >>
> >>You can create a container started by root but with lxc.id_map
> >>sections, so that the container will be unprivileged, but the
> >>startup runs as root.
> >>
> >>I'm undecided as to whether it is worth adding support for
> >>script.up/down for unpriv containers.
> >>
> >>-serge
> >>_______________________________________________
> >>lxc-users mailing list
> >>lxc-users at lists.linuxcontainers.org
> >>http://lists.linuxcontainers.org/listinfo/lxc-users
> >Yeah, it's would be very cool to add this feature for unpriv container.
> >Ei: in this case, the firewall doesn't be to autoconf being given
> >the veth name is random.
> >And could you update the manual?
> >
> >I don't see this.
> >_______________________________________________
> >lxc-users mailing list
> >lxc-users at lists.linuxcontainers.org
> >http://lists.linuxcontainers.org/listinfo/lxc-users
> Could I disabling iptables for a bridge and manage the firewall in
> unpriv container or isn't impossible to setting iptables in
> unprivilege container?

you can set iptables on the devices in the container.  The unpriv
user cannot set iptables rules for nics on the host.

More information about the lxc-users mailing list