How do I set up networking on an unprivileged container? - edit - the issue is with the archlinux download image, not the setup


#1

Edit: I just found out the issue is to do with the archlinux image because I just installed centos 7 as an unprivileged user and networking was working out of the gate.

Here are the journalctl errors in the archlinux container

systemd-networkd.service: Failed to change ownership of session keyring: Permission denied
systemd-networkd.service: Failed to set up kernel keyring: Permission denied
systemd-networkd.service: Failed at step KEYRING spawning /usr/lib/systemd/systemd-networkd: Permission denied

I still want arch in the container though since it is the distro I am most used to.

I was able to set it up fine on privileged containers, but now, moving to unprivileged ones, I can't get networking going yet. I followed the wiki and used the same details which worked for privileged ones, changing the respective paths to reflect their unprivileged equivalents. Below is the container's config file.

[code]
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template:
# Template script checksum (SHA-1): b7de1d7259bdd66f5b8f0347f74b18c19729883a
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/archlinux.common.conf
lxc.include = /usr/share/lxc/config/archlinux.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.rootfs.path = dir:/home/user1/.local/share/lxc/base-arch/rootfs
lxc.uts.name = base-arch

## network
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.name = eth0
lxc.net.0.hwaddr = ee:ec:fa:e9:56:7d[/code]

When I try to ping, the network is unreachable. The lxc-net bridge is running.


#2

Do you use LXD or plain LXC? Because with LXD, you do not need lxc-net.


#3

Just using lxc. As I said, I don't think it can be the setup/config, since networking works on other distro images; it's only the archlinux download image on which networking is not working.

I am having a nightmare of a time getting anything functional on unprivileged containers.

I thought I would avoid the problem by downloading one of the other distros and bootstrapping arch inside one of those with the vps2arch script, but this too is fraught with problems. As soon as it downloads, it craps out with

archlinux-bootstrap-2017.12.01-x86_64.tar.gz: OK
mount: permission denied

Is this just normal unprivileged container operation, in that I can't mount anything? I guess that means that totally blocks the bootstrapping path as an option?

I just want to get a working unprivileged arch container somehow, by whatever means, and then I can just clone it once I have one, but I really am stuck at the moment as to how to achieve that and have been searching for two days and found almost no relevant info online.

EDIT:

I just happened to find https://github.com/lxc/lxd/issues/4071 which seems to be just the same problem, but stgraber's solution gives the command for lxd, not lxc:

lxc profile set default security.syscalls.blacklist "keyctl errno 38"

So what would be the equivalent for lxc?


#4

You would need to write a seccomp policy file and enable it for the container.
See more at https://stgraber.org/2014/01/01/lxc-1-0-security-features/

For completeness with regards to https://github.com/lxc/lxd/issues/4071

  1. In LXD, indeed if you run lxc launch images:archlinux myarch the container does not automatically get an IPv4 address. You can supply the IP address statically and get going.
  2. The bug report talks about how to configure the LXD profile to blacklist a syscall. If you were to use the command on a specific container instead, it would be lxc config set myarch security.syscalls.blacklist "keyctl errno 38" and that's it.

#5

$  lxc-start -n base-arch -F
The configuration file contains legacy configuration keys.
Please update your configuration file!
lxc-start: base-arch: seccomp.c: parse_config: 666 Invalid version.
lxc-start: base-arch: start.c: lxc_init: 610 Failed loading seccomp policy.
lxc-start: base-arch: start.c: __lxc_start: 1426 Failed to initialize container "base-arch".
lxc-start: base-arch: tools/lxc_start.c: main: 371 The container failed to start.
lxc-start: base-arch: tools/lxc_start.c: main: 375 Additional information can be obtained by setting the --logfile and --logpriority options.

The lxc.seccomp entry in my config:

lxc.seccomp = /home/user1/.local/share/lxc/base-arch/arch.seccomp

and the arch.seccomp line in the file, which is in the same directory as the config:

security.syscalls.blacklist "keyctl errno 38"

Note that I didn't have the legacy config keys error before, so it is just a result of that seccomp line.

Edit: ok, so after a bit more rereading and finding the lxc changelog of keys,

I changed the .seccomp file to

1
blacklist
38

and changed the seccomp call in config to

lxc.seccomp.profile

which got rid of the loading errors, but now it is complaining that only whitelist policy is supported

$  lxc-start -n base-arch -F
lxc-start: base-arch: seccomp.c: parse_config: 674 Only whitelist policy is supported.
lxc-start: base-arch: start.c: lxc_init: 610 Failed loading seccomp policy.
lxc-start: base-arch: start.c: __lxc_start: 1426 Failed to initialize container "base-arch".
lxc-start: base-arch: tools/lxc_start.c: main: 371 The container failed to start.
lxc-start: base-arch: tools/lxc_start.c: main: 375 Additional information can be obtained by setting the --logfile and --logpriority options.

EDIT again:

ok, so I got more of an idea of the seccomp file formatting (I think) from reading the linked post and changed the file to

0
whitelist
38

but still an invalid version error

$  lxc-start -n base-arch -F
lxc-start: base-arch: seccomp.c: parse_config: 666 Invalid version.
lxc-start: base-arch: start.c: lxc_init: 610 Failed loading seccomp policy.
lxc-start: base-arch: start.c: __lxc_start: 1426 Failed to initialize container "base-arch".
lxc-start: base-arch: tools/lxc_start.c: main: 371 The container failed to start.
lxc-start: base-arch: tools/lxc_start.c: main: 375 Additional information can be obtained by setting the --logfile and --logpriority options.

#6

YES YES YES! Today I fixed it! After rooting through github lxc issues I lucked upon the correct seccomp syntax

2
blacklist
[all]
keyctl_chown errno 38
keyctl errno 38
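The errors in #5 ("Invalid version.", "Only whitelist policy is supported.") and the working file in #6 together pin down what lxc-start expects from a seccomp policy file. The script below is an added example, not part of this thread and not LXC's own code: a pre-flight check you can run on a policy file before pointing lxc.seccomp.profile at it, plus a helper that writes the policy from #6. It assumes the layout seen in the thread (version on line 1, policy on line 2, then [section] headers and "syscall action" rules) and the action names allow, kill, trap and errno N, which come from LXC's v2 format rather than from this thread; it checks the file's shape only and does not resolve syscall names.

```shell
#!/bin/sh
# Added example (not LXC's code): sanity-check an LXC seccomp policy file the
# way lxc-start's parser did in this thread, before the container is started.

# Usage: check_seccomp_policy /path/to/policy
# Prints "ok" and returns 0, otherwise prints the problem and returns 1.
check_seccomp_policy() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    version=$(sed -n '1p' "$file")
    # Line 2 may carry a default action after the policy word; keep the first word.
    policy=$(sed -n '2p' "$file" | awk '{print $1}')

    case "$version" in
        1)
            # Version 1 policies are whitelist-only (the error seen in #5).
            if [ "$policy" != "whitelist" ]; then
                echo "Only whitelist policy is supported."
                return 1
            fi
            ;;
        2)
            case "$policy" in
                whitelist|blacklist) ;;
                *) echo "Invalid policy '$policy' (expected whitelist or blacklist)."; return 1 ;;
            esac
            # From line 3 on, every non-blank, non-comment line must be a
            # [section] header (e.g. [all]) or a "syscall action" rule where
            # action is allow, kill, trap or "errno N" (assumed v2 action set).
            bad=$(sed -n '3,$p' "$file" | grep -v '^[[:space:]]*$' | grep -v '^#' \
                  | grep -v -E '^\[[a-z0-9_]+]$' \
                  | grep -v -E '^[a-z0-9_]+[[:space:]]+(allow|kill|trap|errno[[:space:]]+[0-9]+)$' \
                  || true)
            if [ -n "$bad" ]; then
                echo "Invalid rule line(s):"
                echo "$bad"
                return 1
            fi
            ;;
        *)
            # Anything other than 1 or 2 (the "0" tried in #5) is rejected.
            echo "Invalid version."
            return 1
            ;;
    esac
    echo "ok"
    return 0
}

# Write the policy that worked in #6: make keyctl fail with errno 38 (ENOSYS)
# so systemd inside the container skips keyring setup instead of dying on EPERM.
write_keyctl_policy() {
    cat > "$1" <<'EOF'
2
blacklist
[all]
keyctl_chown errno 38
keyctl errno 38
EOF
}

# Stand-alone usage: write the policy and validate it.
if [ -n "$1" ]; then
    write_keyctl_policy "$1" && check_seccomp_policy "$1"
fi
```

Run it as `sh check-seccomp.sh /home/user1/.local/share/lxc/base-arch/arch.seccomp` and then set `lxc.seccomp.profile` to that path; the check catches the three mistakes from #5 (version 0, version 1 with blacklist, and rules that are not "syscall action") without having to restart the container to see the parser's error.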