EDIT2: More digging and I found https://github.com/lxc/lxd/issues/4071, which seems to be it; however, stgraber gives a solution for lxd only, whereas I use lxc. Can anyone transpose his solution of
lxc profile set default security.syscalls.blacklist "keyctl errno 38"
for the lxc equivalent to do the same thing?
EDIT: I just found out that this problem has to do with the archlinux download image, as I just installed a centos 7 image in an unprivileged container and networking worked fine out of the gate. Perhaps someone else could better make sense of the journalctl error which I posted in the reply below. In the meantime I'm going to try bootstrapping arch through the centos install.
OK, that didn't work:
archlinux-bootstrap-2017.12.01-x86_64.tar.gz: OK
mount: permission denied
For some reason the centos7 image appears not to have # user. Seems quite a mixed bag with these downloaded images.
-----
I was able to set it up fine on privileged containers, but now, moving to unprivileged ones, I can't get the network going yet. I followed the wiki and used the same details which worked for privileged ones, changing the respective paths to reflect their unprivileged equivalents. Below is the container's config file.
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# Template script checksum (SHA-1): b7de1d7259bdd66f5b8f0347f74b18c19729883a
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Distribution configuration
lxc.include = /usr/share/lxc/config/archlinux.common.conf
lxc.include = /usr/share/lxc/config/archlinux.userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.rootfs.path = dir:/home/user1/.local/share/lxc/base-arch/rootfs
lxc.uts.name = base-arch
## network
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.name = eth0
lxc.net.0.hwaddr = ee:ec:fa:e9:56:7d
When I try to ping I get `network is unreachable`. The `lxc-net` bridge is running.
Last edited by MarthaParkin (2017-12-31 13:20:43)
Offline
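The lxc-side equivalent of the lxd `security.syscalls.blacklist` setting asked about in EDIT2, which is also what the `Failed at step KEYRING` lines in the journalctl output further down point to, as an added example that is not from this thread or from the LXC project: LXC loads a seccomp policy file named by a config key (`lxc.seccomp` on the 2.x releases whose key names this config uses, `lxc.seccomp.profile` on 3.0 and later), and a version-2 blacklist policy can force `keyctl` to return errno 38 (ENOSYS), which makes systemd treat the kernel keyring as unsupported instead of failing the service. The `keyctl.seccomp` file name, the helper names and the assumption that `lxc-start --version` prints a plain version string are this example's own choices; the non-keyctl rules in the policy are meant to mirror the ones LXC ships in `common.seccomp`, so compare them against your package's copy before pointing the container at this file instead of the stock one.

```sh
#!/bin/sh
# Added example (not from the thread or the LXC project): give an unprivileged
# LXC container the keyctl workaround from the LXD issue, using LXC's own
# seccomp policy file rather than an LXD profile key.
# Assumptions (example's own): LXC 2.x reads the policy path from lxc.seccomp,
# LXC 3.0+ from lxc.seccomp.profile; errno 38 is ENOSYS, which systemd takes
# to mean "no kernel keyring here" and skips the KEYRING step.
set -eu

# Write a version-2 blacklist policy.  Only keyctl is forced to ENOSYS; the
# other rules are kept so the container does not lose the stock protections
# when this file replaces the shipped common.seccomp (verify against yours).
write_keyctl_policy() {  # $1 = output path
    cat > "$1" <<'EOF'
2
blacklist
reject_force_umount  # comment this to allow umount -f; not recommended
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
keyctl errno 38
EOF
}

# Point a container config at the policy.  The key holds a single value, so an
# existing lxc.seccomp / lxc.seccomp.profile line is replaced, not duplicated.
# $1 = container config path, $2 = policy path, $3 = config key name
set_seccomp_profile() {
    tmp="$1.tmp"
    grep -v -E '^[[:space:]]*lxc\.seccomp(\.profile)?[[:space:]]*=' "$1" > "$tmp" || true
    printf '%s = %s\n' "$3" "$2" >> "$tmp"
    mv "$tmp" "$1"
}

# Choose the key for the installed LXC: 3.x and later use lxc.seccomp.profile,
# older releases use lxc.seccomp.  $1 = version string such as "2.1.1".
seccomp_key_for_version() {
    case "$1" in
        0.*|1.*|2.*) echo lxc.seccomp ;;
        *)           echo lxc.seccomp.profile ;;
    esac
}

# Usage: ./keyctl-seccomp.sh ~/.local/share/lxc/base-arch/config
# Writes keyctl.seccomp next to the config and wires it in; restart the
# container afterwards and re-check `journalctl -u systemd-networkd` inside it.
if [ -n "${1:-}" ]; then
    conf=$1
    policy=$(dirname "$conf")/keyctl.seccomp
    version=$(lxc-start --version 2>/dev/null || echo 2.1)
    write_keyctl_policy "$policy"
    set_seccomp_profile "$conf" "$policy" "$(seccomp_key_for_version "$version")"
    echo "wrote $policy and set $(seccomp_key_for_version "$version") in $conf"
fi
```

The policy file must be readable by the unprivileged user that runs `lxc-start`, which is why it is placed beside the container config rather than under /etc. Note that the stock `common.conf` already sets the seccomp key to the shipped `common.seccomp`; a later line in the container's own config wins, so this replaces rather than extends that profile, and any rules your distribution added to its copy need to be carried over by hand.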
You'll have to allow your user to attach network devices to lxcbr0. "man lxc-usernet" has more details.
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
You'll have to allow your user to attach network devices to lxcbr0. "man lxc-usernet" has more details.
Already done that
/etc/lxc/lxc-usernet
----------
user1 veth lxcbr0 10
I have followed the wiki, which I presume lays out all the usual necessary steps; however, it still isn't up. Maybe I missed something but I can't tell what.
EDIT: When I just restarted and looked at the container output:
[FAILED] Failed to start Network Name Resolution.
See 'systemctl status systemd-resolved.service' for details.
[ OK ] Stopped Network Name Resolution.
Starting Network Name Resolution...
[FAILED] Failed to start Network Name Resolution.
See 'systemctl status systemd-resolved.service' for details.
Or is that just a symptom rather than a cause?
When I look in journalctl in the running container I see:
systemd-networkd.service: Failed to change ownership of session keyring: Permission denied
systemd-networkd.service: Failed to set up kernel keyring: Permission denied
systemd-networkd.service: Failed at step KEYRING spawning /usr/lib/systemd/systemd-networkd: Permission denied
Hmm ...
Also when I do `lspci -v` I get
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 09)
Subsystem: ASUSTeK Computer Inc. P8 series motherboard
Flags: bus master, fast devsel, latency 0, IRQ 45, NUMA node 0
I/O ports at d000 [size=256]
Memory at fa104000 (64-bit, prefetchable) [size=4K]
Memory at fa100000 (64-bit, prefetchable) [size=16K]
Capabilities: <access denied>
Kernel driver in use: r8169
So it is showing access denied under capabilities.
Could it still be a problem with not setting enough permissions on the $HOME folder? I did it with an ACL:
setfacl -m "u:100000:--x" /home/user1
Is that still not sufficient?
Last edited by MarthaParkin (2017-12-30 19:03:13)
Offline