[lxc-users] instantiate_veth: 2669 failed to attach 'vethMU7OO1' to the bridge

Fajar A. Nugraha list at fajar.net
Mon May 29 19:01:37 UTC 2017


On Mon, May 29, 2017 at 2:56 PM, Rick Leir <rleir at leirtech.com> wrote:

>
> IMHO the easiest way to use lxc is with lxd. Unofficial packages exists
> (at least it did in the past) for fedora, but the easiest way to get
> started with lxd is on ubuntu (a live trial is available on
> https://linuxcontainers.org/lxd/try-it/).
>
> Fajar,
> I did consider using LXD, but it did not seem to have significant benefits
> compared with LXC so I went with the tried-and-true. The welcome page could
> have a better comparison of LXD vs plain LXC, and I could have been
> persuaded!
>


Which welcome page?
https://linuxcontainers.org/ should list some of them already.


> Oh, and I use Fedora for my servers for various reasons which might only
> matter to me. And Ubuntu on my desktops and Chromebook.
>


It all comes down to what you're comfortable with, and what the devs are
using.
Most lxc1 features should be consistent across all distros. However when
it comes to new features, or things lxd-related (like zfs integration), it
should be easier (as a user) to work on ubuntu.



>
>
> Libvirt has its own lxc driver (http://libvirt.org/drvlxc.html), and you
> manage it using 'virsh'. lxc1 has its own userland tools (e.g. lxc-create),
> and by default should include an init script which creates lxcbr0 (with its
> appropriate NAT rules). The wiki link you mentioned mix both, using libvirt
> ONLY for the bridge, while using lxc1 userland tools to manage the
> container. IMHO not an ideal setup.
>
> Another thing, the page says 'debootstrap is necessary in order to build
> Debian-based containers'. That is true if you want to build a debian/ubuntu
> container from scratch, but for most users the 'download' template should
> be enough (and MUCH faster to create) and it doesn't need debootstrap/dpkg
> installed on the host.
>
> I used 'debootstrap', for a debian container, but I might have used
> 'download' if I knew more about it. For a person choosing an option without
> more info, a fair guess would be 'use download if no other choice is an
> option'. How could the cli communicate this better? Now I have tried
> 'download', it is the old cli which I am used to.
>
>

https://linuxcontainers.org/lxc/getting-started/ does list "-t download" as
its only example. And around halfway:

"
Creating unprivileged containers as a user
Unprivileged containers are the safest containers. Those use a map of uid and
gid to allocate a range of uids and gids to a container. That means that uid 0
(root) in the container is actually something like uid 100000 outside the
container. So should something go very wrong and an attacker manages to escape
the container, they'll find themselves with about as many rights as a nobody
user.

Unfortunately this also means that the following common operations aren't
allowed:

mounting most of filesystems
creating device nodes
any operation against a uid/gid outside of the mapped set

Because of that, most distribution templates simply won't work with those.
Instead you should use the "download" template which will provide you with
pre-built images of the distributions that are known to work in such an
environment.
"


> My, the debian containers are basic.
>   # ls -al
>   bash: ls: command not found
>
>
Something's wrong with your setup. I just tested both debian and download
template (jessie/amd64, privileged), both can run "ls" just fine.

-- 
Fajar
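The uid mapping that the quoted getting-started text describes, as an added example that is not part of this thread or of LXC's own code: it parses the kernel's /proc/<pid>/uid_map format ("inside outside count") and translates uids in both directions, showing why container root becomes an unprivileged host uid and why ids outside the mapped set appear as the overflow ("nobody") uid. The single-range sample map (0 100000 65536) is constructed for the example from the "uid 100000" figure in the quote.

```python
from dataclasses import dataclass
from typing import List, Optional

# Kernel default overflowuid: what an unmapped host id looks like inside the namespace.
OVERFLOW_UID = 65534


@dataclass(frozen=True)
class IdRange:
    inside: int   # first id as seen inside the container
    outside: int  # first id as seen on the host
    count: int    # number of consecutive ids in this range


def parse_uid_map(text: str) -> List[IdRange]:
    """Parse /proc/<pid>/uid_map (or gid_map) lines of the form 'inside outside count'."""
    ranges: List[IdRange] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid uid_map range: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges


def to_host(ranges: List[IdRange], container_uid: int) -> Optional[int]:
    """Host uid for a container uid, or None if the container cannot hold that uid at all."""
    for r in ranges:
        if r.inside <= container_uid < r.inside + r.count:
            return r.outside + (container_uid - r.inside)
    return None


def container_view(ranges: List[IdRange], host_uid: int) -> int:
    """How a host uid (e.g. a file owner) appears inside the container: mapped, else 'nobody'."""
    for r in ranges:
        if r.outside <= host_uid < r.outside + r.count:
            return r.inside + (host_uid - r.outside)
    return OVERFLOW_UID  # outside the mapped set: no rights beyond a nobody user


# Constructed sample: the single-range map an unprivileged LXC container typically gets.
SAMPLE_UID_MAP = "0 100000 65536\n"

if __name__ == "__main__":
    ranges = parse_uid_map(SAMPLE_UID_MAP)
    print("container root on the host:", to_host(ranges, 0))          # 100000
    print("host root seen from inside:", container_view(ranges, 0))   # 65534
    print("uid 70000 inside the container:", to_host(ranges, 70000))  # None
```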