Error using conntrack in container

(K Workman) #1

Hello, I am attempting to use conntrackd in FT-FW mode using my Chromebook (crostini, Ubuntu 18.04 container). I’ve tried both using Multicast and UDP. In both cases, I receive the error shown at the bottom of this message. It would appear that conntrackd is performing a privileged operation that requires the container to operate in privileged mode. Unfortunately, it also seems as though Crostini won’t allow privileged containers to run. I am going to attempt nested containers to see if I can bypass this restriction. But, I thought it might be a good idea to post a general question to see if I’m missing something or if anyone might have an alternative suggestion.

Thanks in advance!

[Sat Mar 2 00:49:57 2019] (pid=632) [ERROR] conntrackd cannot start, please review your configuration
[Sat Mar 2 00:49:58 2019] (pid=633) [warning] Cannot set nice level -20: Operation not permitted
[Sat Mar 2 00:49:58 2019] (pid=633) [ERROR] can’t open channel socket: Operation not permitted
[Sat Mar 2 00:49:58 2019] (pid=633) [ERROR] initialization failed
[Sat Mar 2 00:49:58 2019] (pid=633) [ERROR] conntrackd cannot start, please review your configuratio

(Stéphane Graber) #2

I suspect this is either a missing kernel module/feature or just that the kernel doesn’t allow root inside an unprivileged container to do that.

Given how well network stuff is usually namespaced, missing kernel support or missing kernel module seems more likely. If you know what module you need and it’s present in the VM (termina) then you could set it as linux.kernel_modules so LXD loads the module on startup.

(K Workman) #3


I tried loading the modules (nf_conntrack, nf_conntrack_ftp) both in the container configuration and the default profile, but the problem seems to persist. Additionally, I am still not able to to execute a lsmod within the container to verify the module is loaded. When I attempt the lsmod command, I receive the error at the end of this message.

LXD within the Termina VM does not give me an error when I set the linux.kernel_modules configuration item, so I can only assume the container sees the module as properly loaded.

Thanks for the help! It is very much appreciated!

root@lab1-fw1:~# lsmod
libkmod: ERROR …/libkmod/libkmod-module.c:1657 kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory

(Stéphane Graber) #4

Hmm, lack of /proc/modules means that the kernel used on the Chromebook doesn’t use modules at all, that’s going to be a problem.

You may still be able to look at /sys/modules for what’s available in the kernel, but lack of module loading capabilities will mean that what’s supported out of the box is the extent of what you’ll get.

You may want to file a bug against chromiumos and have them enable what’s needed in the kernel:

(K Workman) #5

Interesting. You have definitely given me something to pursue.

Thank you very much for taking the time to respond to my query. You definitely helped me isolated the issue.

If I can discover a workaround, then I’ll definitely post it to this thread, in case others encounter the same issue.

Thanks again!