[lxc-users] Problem with lxc.network.script...

PONCET Anthony ff240 at msn.com
Fri Jan 30 13:13:53 UTC 2015


On 30/01/2015 14:10, Serge Hallyn wrote:
> Quoting PONCET Anthony (ff240 at msn.com):
>> On 29/01/2015 16:34, PONCET Anthony wrote:
>>> On 29/01/2015 15:21, Serge Hallyn wrote:
>>>> Quoting PONCET Anthony (ff240 at msn.com):
>>>>> On 29/01/2015 12:30, Serge Hallyn wrote:
>>>>>> Quoting PONCET Anthony (ff240 at msn.com):
>>>>>>> Dear,
>>>>>>> I'm using LXC on Ubuntu 14.04 (version 1.0.7), with unprivileged
>>>>>>> containers.
>>>>>>> I am trying to use lxc.network.script.up and lxc.network.script.down
>>>>>>> to allow one container in my firewall (iptables/ip6tables).
>>>>>>> I've allowed a user to execute /sbin/iptables and /sbin/ip6tables
>>>>>>> with sudo, and if I run my script manually, it runs without problem.
>>>>>>> But when I start my container, my script doesn't run (I added
>>>>>>> "echo "test" >> test.log" at the top of the script and test.log is never
>>>>>>> created, and no rules are added to iptables).
>>>>>>> I use the veth network mode, and I added my user to
>>>>>>> /etc/lxc/lxc-usernet.
>>>>>>> I defined lxc.logfile and lxc.loglevel = 1 but no
>>>>>>> errors are logged.
>>>>>>> Do you have an idea how to solve my problem?
>>>>>> Can you please show the exact commands you used to create and
>>>>>> start the container, the container config file, the script
>>>>>> contents, and the script file owner/mode (ls -l output)?
>>>>>> _______________________________________________
>>>>>> lxc-users mailing list
>>>>>> lxc-users at lists.linuxcontainers.org
>>>>>> http://lists.linuxcontainers.org/listinfo/lxc-users
>>>>> Yes,
>>>>> lxc-create -t download -n ct_name -- -d ubuntu -r trusty -a amd64
>>>> Yeah, sorry, I wasn't thinking right.  The network up and down
>>>> scripts do not work for unprivileged containers right now.
>>>>
>>>> You can create a container started by root but with lxc.id_map
>>>> sections, so that the container will be unprivileged, but the
>>>> startup runs as root.
>>>>
>>>> I'm undecided as to whether it is worth adding support for
>>>> script.up/down for unpriv containers.
>>>>
>>>> -serge
>>> Yeah, it would be very cool to add this feature for unpriv containers.
>>> I.e.: in this case, the firewall can't be auto-configured, given that
>>> the veth name is random.
>>> And could you update the manual?
>>>
>>> I don't see this.
>> Could I disable iptables for a bridge and manage the firewall in the
>> unpriv container, or is it impossible to set iptables in an
>> unprivileged container?
> You can set iptables on the devices in the container.  The unpriv
> user cannot set iptables rules for nics on the host.
Ok, thank you.
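The workaround Serge describes above (a container created and started by root, with lxc.id_map sections so the container itself runs in an unprivileged id range while the network hooks run as root) also solves the "random veth name" problem Anthony raises, because LXC passes the host-side veth name to lxc.network.script.up/down as an argument. The hook below is an added example written for this thread, not code from the thread or from the LXC project: the hook path /usr/local/bin/ct-fw-hook, the bridge name lxcbr0, the id range, and the particular FORWARD rule are all assumptions, and the rule relies on the physdev match (bridge netfilter) being available on the host.

```shell
#!/bin/sh
# ct-fw-hook: lxc.network.script.up/down hook (added example, not from the thread).
# Assumed lines in the container's config file (container created and started by
# root, mapped to an unprivileged id range via lxc.id_map):
#
#   lxc.id_map = u 0 100000 65536
#   lxc.id_map = g 0 100000 65536
#   lxc.network.type = veth
#   lxc.network.link = lxcbr0
#   lxc.network.script.up = /usr/local/bin/ct-fw-hook
#   lxc.network.script.down = /usr/local/bin/ct-fw-hook
#
# LXC invokes the hook as: <container> net <up|down> veth <host-veth-name>,
# so the firewall rule can be tied to the random veth name instead of guessing it.

set -eu

# Build the iptables/ip6tables command lines for one hook invocation and print
# one command per line. Arguments: container name, "net", "up"|"down",
# network type, host-side veth name. Returns non-zero on anything unexpected
# so a misconfigured hook fails loudly instead of silently adding nothing.
build_fw_cmds() {
    ct="$1"; section="$2"; action="$3"; nettype="$4"; veth="${5:-}"
    [ "$section" = net ] || { echo "unexpected section: $section" >&2; return 1; }
    [ "$nettype" = veth ] || { echo "only veth is handled" >&2; return 1; }
    [ -n "$veth" ] || { echo "missing host veth name" >&2; return 1; }
    case "$action" in
        up)   op=-I ;;   # insert the rule when the interface comes up
        down) op=-D ;;   # delete the identical rule when it goes down
        *)    echo "unknown action: $action" >&2; return 1 ;;
    esac
    # Allow frames entering the bridge from this container's veth to be
    # forwarded; the comment records the container name so the rule stays
    # auditable in "iptables -L FORWARD" after the veth name has changed.
    for tool in iptables ip6tables; do
        echo "$tool $op FORWARD -m physdev --physdev-in $veth -m comment --comment lxc:$ct -j ACCEPT"
    done
}

# When LXC runs the hook it supplies all five arguments; only then apply the
# generated commands (as root, since the container was started by root).
if [ "$#" -ge 5 ]; then
    build_fw_cmds "$@" | sh -e
fi
```

Because the rule text is generated by a function rather than typed inline, the same script can be dry-run by hand (for example `sh ct-fw-hook ct_name net up veth vethXYZ` prints the commands before `sh -e` executes them, or the function can be sourced and inspected) to verify what will be inserted on the host, which is exactly the visibility Anthony was missing when his script silently never ran.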

