Docker OCI Incus port mapping fails

Scott_T · July 25, 2024, 11:02pm

@stgraber What does this error mean and how can I correct it?

 scott  demo-1  ~  incus launch docker:jgraph/drawio Draw-3

 scott  demo-1  ~  incus profile create proxy-8080
Profile proxy-8080 created

 scott  demo-1  ~  incus profile device add proxy-8080 hostport8080 proxy connect="tcp:127.0.0.1:8080" listen="tcp:0.0.0.0:8080"
Device hostport8080 added to proxy-8080

 scott  demo-1  ~  incus profile add Draw-3 proxy-8080
Error: Failed to start device "hostport8080": Error occurred when starting proxy device: Error: Permission denied - Failed setns to connector network namespace

stgraber · July 26, 2024, 7:21pm

No idea, I’ve had no luck reproducing this error here so far.
Maybe look at dmesg for any DENIED entries?

Apparmor in Ubuntu 24.04’s stock kernel is really weird and broken in a few ways…

Scott_T · July 26, 2024, 8:50pm

I just discovered that

security.privileged=true

fixed this. Does that explain anything?

stgraber · July 26, 2024, 10:43pm

Not really and that’s likely a very bad idea

Though privileged fixing it may make it more likely to be a subtle apparmor issue on Ubuntu.

Scott_T · July 26, 2024, 10:49pm

Yes, I am aware. Not what I wanted to do.

Scott_T · July 26, 2024, 11:01pm

If I have two OCI containers running on the default incus NAT, how would I get say a sql container to talk to an app? Is it like docker where the container names themselves allows for the connection?

stgraber · July 27, 2024, 1:27am

NAME.incus should work fine

Scott_T · July 27, 2024, 2:29am

I am not sure that I understand. Can you give me an example? If I have a docker compose file with an app container and a sql container I might have a depends_on directive. Is NAME.incus a -c switch for the container?

stgraber · July 27, 2024, 2:38am

We don’t have dependencies but we have working DNS.

stgraber@dakara:~$ incus launch images:ubuntu/24.04 c1
Launching c1
stgraber@dakara:~$ incus launch images:ubuntu/24.04 c2
Launching c2
stgraber@dakara:~$ incus exec c2 bash
root@c2:~# ping c1.incus -c1
PING c1.incus (2602:fc62:c:250:216:3eff:fe7e:3ab8) 56 data bytes
64 bytes from c1.incus (2602:fc62:c:250:216:3eff:fe7e:3ab8): icmp_seq=1 ttl=64 time=0.084 ms

--- c1.incus ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.084/0.084/0.084/0.000 ms
root@c2:~#