Hostapd container

Edit: I am able to run everything after setting it to privileged using "lxc config set [container name] security.privileged true" on the host. If anyone knows what I need to configure to allow hostapd to use the physical device in an unprivileged container, please lend your insight.

I'm trying to run hostapd inside an LXD container and I wonder if it requires a privileged container. I have added wlan0 as a physical NIC to the container and configured /etc/hostapd/hostapd.conf. The service fails to start, and when trying to run hostapd manually it returns permission errors when trying to set the interface to AP mode. If you need additional details or the output of my config, let me know.

root@hostapd:~# hostapd -d /etc/hostapd/hostapd.conf
random: Trying to read entropy from /dev/random
Configuration file: /etc/hostapd/hostapd.conf
ctrl_interface_group=0
rfkill: Cannot open RFKILL control device
nl80211: RFKILL status not available
nl80211: TDLS supported
nl80211: TDLS external setup
nl80211: Supported cipher 00-0f-ac:1
nl80211: Supported cipher 00-0f-ac:5
nl80211: Supported cipher 00-0f-ac:2
nl80211: Supported cipher 00-0f-ac:4
nl80211: Supported cipher 00-0f-ac:10
nl80211: Supported cipher 00-0f-ac:8
nl80211: Supported cipher 00-0f-ac:9
nl80211: Supported cipher 00-0f-ac:6
nl80211: Supported cipher 00-0f-ac:13
nl80211: Supported cipher 00-0f-ac:11
nl80211: Supported cipher 00-0f-ac:12
nl80211: Using driver-based off-channel TX
nl80211: Use separate P2P group interface (driver advertised support)
nl80211: interface wlan0 in phy phy0
nl80211: Set mode ifindex 3 iftype 3 (AP)
nl80211: Failed to set interface 3 to mode 3: -1 (Operation not permitted)
nl80211: Try mode change after setting interface down
nl80211: Set mode ifindex 3 iftype 3 (AP)
nl80211: Failed to set interface 3 to mode 3: -1 (Operation not permitted)
nl80211: Interface mode change to 3 from 0 failed
nl80211: Could not configure driver mode
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
nl80211: Remove monitor interface: refcount=0
netlink: Operstate: ifindex=3 linkmode=0 (kernel-control), operstate=6 (IF_OPER_UP)
nl80211: Set mode ifindex 3 iftype 2 (STATION)
nl80211: Failed to set interface 3 to mode 2: -1 (Operation not permitted)
nl80211 driver initialization failed.
hostapd_interface_deinit_free(0x55cc4388f710)
hostapd_interface_deinit_free: num_bss=1 conf->num_bss=1
hostapd_interface_deinit(0x55cc4388f710)
wlan0: interface state UNINITIALIZED->DISABLED
hostapd_bss_deinit: deinit bss wlan0
wlan0: AP-DISABLED 
hostapd_cleanup(hapd=0x55cc43890900 (wlan0))
hostapd_free_hapd_data: Interface wlan0 wasn't started
hostapd_interface_deinit_free: driver=(nil) drv_priv=(nil) -> hapd_deinit
hostapd_interface_free(0x55cc4388f710)
hostapd_interface_free: free hapd 0x55cc43890900
hostapd_cleanup_iface(0x55cc4388f710)
hostapd_cleanup_iface_partial(0x55cc4388f710)
hostapd_cleanup_iface: free iface=0x55cc4388f710
root@hostapd:~#

If this helps:

grandall@panther:~$ lxc network list
+--------+----------+---------+-------------+---------+
|  NAME  |   TYPE   | MANAGED | DESCRIPTION | USED BY |
+--------+----------+---------+-------------+---------+
| enp1s0 | physical | NO      |             | 0       |
+--------+----------+---------+-------------+---------+
| lxdbr0 | bridge   | YES     |             | 4       |
+--------+----------+---------+-------------+---------+
grandall@panther:~$ lxc exec hostapd -- ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:16:3e:7b:b7:f7  
          inet addr:10.100.100.109  Bcast:10.100.100.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe7b:b7f7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:17571 (17.5 KB)  TX bytes:8265 (8.2 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:687 (687.0 B)  TX bytes:687 (687.0 B)

wlan0     Link encap:Ethernet  HWaddr 6c:71:d9:0e:9e:c5  
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

After setting the container to privileged mode I am no longer getting permission errors when trying to set wlan0 to AP mode; however, it still fails to start. I'm thinking I could tweak AppArmor to allow it to run in an unprivileged container, which would be ideal.

root@hostapd:~# hostapd -d /etc/hostapd/hostapd.conf
random: Trying to read entropy from /dev/random
Configuration file: /etc/hostapd/hostapd.conf
ctrl_interface_group=0
rfkill: Cannot open RFKILL control device
nl80211: RFKILL status not available
nl80211: TDLS supported
nl80211: TDLS external setup
nl80211: Supported cipher 00-0f-ac:1
nl80211: Supported cipher 00-0f-ac:5
nl80211: Supported cipher 00-0f-ac:2
nl80211: Supported cipher 00-0f-ac:4
nl80211: Supported cipher 00-0f-ac:10
nl80211: Supported cipher 00-0f-ac:8
nl80211: Supported cipher 00-0f-ac:9
nl80211: Supported cipher 00-0f-ac:6
nl80211: Supported cipher 00-0f-ac:13
nl80211: Supported cipher 00-0f-ac:11
nl80211: Supported cipher 00-0f-ac:12
nl80211: Using driver-based off-channel TX
nl80211: Use separate P2P group interface (driver advertised support)
nl80211: interface wlan0 in phy phy0
nl80211: Set mode ifindex 3 iftype 3 (AP)
nl80211: Setup AP(wlan0) - device_ap_sme=0 use_monitor=0
nl80211: Subscribe to mgmt frames with AP handle 0x558a809ce040
nl80211: Register frame type=0xb0 (WLAN_FC_STYPE_AUTH) nl_handle=0x558a809ce040 match=
nl80211: Register frame command failed (type=176): ret=-114 (Operation already in progress)
nl80211: Register frame match - hexdump(len=0): [NULL]
nl80211: Could not configure driver mode
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
nl80211: Remove monitor interface: refcount=0
nl80211: Remove beacon (ifindex=3)
netlink: Operstate: ifindex=3 linkmode=0 (kernel-control), operstate=6 (IF_OPER_UP)
nl80211 driver initialization failed.
hostapd_interface_deinit_free(0x558a809cd710)
hostapd_interface_deinit_free: num_bss=1 conf->num_bss=1
hostapd_interface_deinit(0x558a809cd710)
wlan0: interface state UNINITIALIZED->DISABLED
hostapd_bss_deinit: deinit bss wlan0
wlan0: AP-DISABLED 
hostapd_cleanup(hapd=0x558a809ce900 (wlan0))
hostapd_free_hapd_data: Interface wlan0 wasn't started
hostapd_interface_deinit_free: driver=(nil) drv_priv=(nil) -> hapd_deinit
hostapd_interface_free(0x558a809cd710)
hostapd_interface_free: free hapd 0x558a809ce900
hostapd_cleanup_iface(0x558a809cd710)
hostapd_cleanup_iface_partial(0x558a809cd710)
hostapd_cleanup_iface: free iface=0x558a809cd710
root@hostapd:~#

Looks to me like the kernel is what's refusing to change the interface mode when running inside an unprivileged container. I doubt that AppArmor has anything to do with it in this case; it's simply the kernel driver not allowing the operation.

If apparmor rejects something, this leads to a “DENY” entry in the kernel log (dmesg) so that’s an easy way to check.
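The check described in the reply above, as an added example that is not part of the thread: a small POSIX shell script that scans kernel-log lines for AppArmor denials and lists what was denied to a given command. The literal string the kernel logs is apparmor="DENIED"; the sample log lines, the profile names and the paths in them are constructed for the example, not output from the poster's host. If the scan comes back empty for hostapd while the nl80211 mode change still fails with "Operation not permitted", the refusal is coming from a kernel check rather than from the container's AppArmor profile, which is the distinction the reply draws.

```shell
#!/bin/sh
# Added example (not from the thread): list AppArmor denials for one command.
# Assumption: lines are in the usual audit/dmesg format of key="value" pairs
# (operation=, profile=, name= or capname=, comm=, denied_mask=).

# Constructed sample log: two denials for hostapd, one for another command,
# and one ordinary kernel line that must be ignored. Not real output.
SAMPLE_LOG='[  120.101] audit: type=1400 audit(1500000000.100:21): apparmor="DENIED" operation="open" profile="lxd-hostapd_</var/lib/lxd>" name="/dev/rfkill" pid=4242 comm="hostapd" requested_mask="rw" denied_mask="rw" fsuid=100000 ouid=0
[  120.102] wlan0: entered promiscuous mode
[  120.250] audit: type=1400 audit(1500000000.250:22): apparmor="DENIED" operation="capable" profile="lxd-hostapd_</var/lib/lxd>" pid=4242 comm="hostapd" capability=12  capname="net_admin"
[  121.000] audit: type=1400 audit(1500000000.300:23): apparmor="DENIED" operation="open" profile="lxd-other_</var/lib/lxd>" name="/proc/sys/net/ipv4/ip_forward" pid=5151 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=100000 ouid=0'

# apparmor_denials COMM
#   Reads log text on stdin and prints one line per AppArmor denial whose
#   comm= equals COMM, as "<operation> <target> <denied_mask>". The target is
#   name= for file operations or capname= for capability denials; a denial
#   with no denied_mask (capability denials) prints "-" in that column.
apparmor_denials() {
  awk -v want="$1" '
    /apparmor="DENIED"/ {
      comm = ""; op = ""; target = ""; mask = "-"
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue            # not a key=value field
        key = substr($i, 1, n - 1)
        val = substr($i, n + 1)
        gsub(/"/, "", val)              # strip the surrounding quotes
        if (key == "comm") comm = val
        else if (key == "operation") op = val
        else if (key == "name" || key == "capname") target = val
        else if (key == "denied_mask") mask = val
      }
      if (comm == want) print op, target, mask
    }'
}

# has_apparmor_denials COMM
#   Exit status 0 if stdin contains at least one AppArmor denial for COMM.
has_apparmor_denials() {
  [ "$(apparmor_denials "$1" | wc -l | tr -d ' ')" -gt 0 ]
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials hostapd
```

On a live host the same functions read the real kernel log, e.g. `dmesg | apparmor_denials hostapd` or `journalctl -k | apparmor_denials hostapd`; run it on the host rather than inside the container, since the container normally cannot read the host's kernel ring buffer.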

Thanks for pointing me in the right direction. Can you recommend a workaround to allow the kernel to initialize the driver for the unprivileged container, or is this something I need to live with?

When it’s a kernel check, there’s nothing you can do to work around it from userspace.
Your only option is to change the kernel to alter the check (after confirming that it’s safe to do so) and then ideally contribute that fix upstream so that others can benefit from it.