I’m looking for some advice. I have an LXD container and I want to run a Python application that’s using a chroot environment inside the container. The error I’m getting is RuntimeError: Failed to read %zi bytes from /dev/urandom
Can someone please advise how I can solve this?
Thank you.
I don’t quite understand why you’d want or need a chroot inside of a container, but you can achieve this in a privileged container:
lxc config set c1 security.privileged=true
Restart the container, enter the container and the chroot, and run /bin/mknod -m 0666 /dev/urandom c 1 9. That’ll give you a working /dev/urandom inside of the chroot.
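As an added example (not from the thread), a small POSIX shell helper that verifies the /dev/urandom node inside a chroot root has the right type and major:minor (1:9, the values in the mknod command above) and creates it only when the check fails. The chroot path in the usage comment is an assumption; creating the node still needs root inside a privileged container.

```shell
#!/bin/sh
# Added example: make sure ROOT/dev/urandom is a character device 1:9 so a
# Python interpreter started via chroot can seed its hash randomization.

# check_dev_node PATH MAJOR MINOR
# Returns 0 when PATH is a character device with exactly MAJOR:MINOR,
# 1 when it is missing, a regular file, or carries the wrong numbers.
check_dev_node() {
    path=$1; want_major=$2; want_minor=$3
    [ -c "$path" ] || return 1
    # GNU stat prints the major (%t) and minor (%T) numbers in hex.
    have_major=$((0x$(stat -c '%t' "$path")))
    have_minor=$((0x$(stat -c '%T' "$path")))
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -eq "$want_minor" ]
}

# ensure_dev_node ROOT NAME MAJOR MINOR
# Creates ROOT/dev/NAME with mode 0666 unless a correct node already exists.
# A stale regular file (e.g. from a bad copy) is removed first, because a
# plain file named urandom would make reads return short counts or EOF.
ensure_dev_node() {
    root=$1; name=$2; major=$3; minor=$4
    node="$root/dev/$name"
    if check_dev_node "$node" "$major" "$minor"; then
        echo "ok: $node is already a char device $major:$minor"
        return 0
    fi
    mkdir -p "$root/dev"
    rm -f "$node"
    mknod -m 0666 "$node" c "$major" "$minor"
    check_dev_node "$node" "$major" "$minor"
}

# Usage inside the privileged container (CHROOT is an assumed path):
#   CHROOT=/srv/chroot
#   ensure_dev_node "$CHROOT" urandom 1 9
#   chroot "$CHROOT" python3 -c 'import os; print(len(os.urandom(16)))'
```

Running the check before the mknod avoids replacing a node that is already correct and tells you whether a failure is a missing node or a wrong one.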
I did look at syscall interception the other day, but unfortunately when I set the 2 entries to true I could not start the container anymore. I’ve got the below error.
Error: Failed preparing container for start: LXC doesn't support notify proxy: setting config item for the container failed Try lxc info --show-log ace for more info
Unfortunately the above command didn’t bring anything up.
Hi @tomp. I have updated today to kernel version 5.14.6-1-default and the issue is still there. LXD/LXC is now version 4.18. What do you advise? Thank you.
The error actually suggests that liblxc is lacking that support, not the kernel.
This may happen if the version of liblxc is too old or if libseccomp is an older release.
As this is using the opensuse native packages, maybe @cyphar can help.
@radumamy can you show the full lxc info output? This should show us what kernel and LXC features are detected.
Hi @cyphar. There have been a few updates to Tumbleweed, but the issue remains. Could you please advise if I need to submit this to openSUSE directly? Thank you.
LXC has been compiled without HAVE_SECCOMP_NOTIFY. Our API extension does still advertise support for it but the seccomp codepath does check for full support too and refuses to work.
The fix for this is twofold:
don’t advertise notify support if not compiled in
make sure that the libseccomp version used to compile LXC does support the seccomp notifier
I suspect Leap doesn’t have the very newest versions of libseccomp (we don’t disable any features in the LXC build script, so if LXC doesn’t have a feature enabled that’s because of the LXC configure script).