hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Thu Jan 03, 2013 7:10 pm Post subject: Config_user_ns
In the latest stable kernels, I'm unable to activate CONFIG_USER_NS. Can someone help?
Code:
Symbol: USER_NS [=n]
Type : boolean
Prompt: User namespace (EXPERIMENTAL)
Defined at init/Kconfig:888
Depends on: NAMESPACES [=y] && EXPERIMENTAL [=y] && UIDGID_CONVERTED [=n]
Location:
  -> General setup
    -> Namespaces support (NAMESPACES [=y])
Selects: UIDGID_STRICT_TYPE_CHECKS [=n]
It depends on CONFIG_UIDGID_CONVERTED, but I cannot find/activate it and the help is completely empty.
Code:
Symbol: UIDGID_CONVERTED [=n]
Type : boolean
Googling around didn't help.
Without this, lxc is unable to work.
Code:
 * Checking for suitable kernel configuration options...
 *   CONFIG_USER_NS: is not set when it should be.
 *   CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting.
 * Please check to make sure these options are set correctly.
 * Failure to do so may cause unexpected problems.
I tried linux-3.7.1-gentoo and linux-3.6.11-gentoo sources, with custom and alldefconfig configs.
Any help would be appreciated.
Regards,
HUjuice
_________________
Who hasn't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
s4e8 Guru
Joined: 29 Jul 2006 Posts: 311
Posted: Fri Jan 04, 2013 1:33 am
You must disable the following features:
depends on NET_9P = n
depends on 9P_FS = n
depends on AFS_FS = n
depends on AUTOFS4_FS = n
depends on CEPH_FS = n
depends on CIFS = n
depends on CODA_FS = n
depends on FUSE_FS = n
depends on GFS2_FS = n
depends on NCP_FS = n
depends on NFSD = n
depends on NFS_FS = n
depends on OCFS2_FS = n
depends on XFS_FS = n
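An added check, not part of the thread, that a practitioner can run against a `.config` before building: it reports which of the options s4e8 lists above (the `depends on ... = n` set for UIDGID_CONVERTED in the 3.7.x Kconfig) are still enabled and would therefore force USER_NS off. The sample `.config` is constructed for the example; point `user_ns_blockers` at a real one in practice.

```shell
#!/bin/sh
# Added example (not from the thread): list the options that block
# UIDGID_CONVERTED, and hence USER_NS, in a kernel .config.
# The list is the one quoted in the thread for 3.7.x kernels; later
# kernels relax it (NFS in 3.9, XFS later), so treat it as a snapshot.

BLOCKERS="NET_9P 9P_FS AFS_FS AUTOFS4_FS CEPH_FS CIFS CODA_FS FUSE_FS GFS2_FS NCP_FS NFSD NFS_FS OCFS2_FS XFS_FS"

# config_value FILE SYMBOL -> prints y or m; prints n when the symbol
# is "# CONFIG_X is not set" or absent. The last assignment wins.
config_value() {
    _v=$(sed -n "s/^CONFIG_$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    [ -n "$_v" ] && printf '%s\n' "$_v" || printf 'n\n'
}

# user_ns_blockers FILE -> prints each blocking symbol that is =y or =m
user_ns_blockers() {
    for sym in $BLOCKERS; do
        case $(config_value "$1" "$sym") in
            y|m) printf '%s\n' "$sym" ;;
        esac
    done
}

# Constructed sample resembling the .config in the thread: USER_NS
# requested by hand, but NFS built in and XFS as a module.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_USER_NS=y
# CONFIG_FUSE_FS is not set
CONFIG_NFS_FS=y
CONFIG_XFS_FS=m
EOF

main() {
    blockers=$(user_ns_blockers "$SAMPLE_CONFIG")
    if [ -n "$blockers" ]; then
        echo "USER_NS will be forced off by 'make'; disable these first:"
        printf '  CONFIG_%s\n' $blockers
    else
        echo "No blockers found; USER_NS can be selected in menuconfig."
    fi
}
main
```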
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Fri Jan 04, 2013 2:51 am
The messages shown appear to be warnings. Does lxc actually fail to install? If it installs, does it fail to work?
hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Fri Jan 04, 2013 12:09 pm
Thanks @s4e8, but disabling those features is not enough for me.
I've already looked at the Linux Kernel Driver DataBase for this, but I'm still unable either to find the feature in the dummy 'make menuconfig' or to write a working .config manually.
After removing NFS_FS (the one in the list) I tried to write my .config manually, without success.
Code:
...
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_USER_NS=y
CONFIG_UIDGID_CONVERTED=y
...
(The make phase corrects my .config, removing the last two lines listed.)
@Hu, in my current configuration(s) lxc starts, but the container has no loopback, so no network.
/VMs/lxc/moodcast/var/log/rc.log:
rc default logging started at Fri Jan 4 12:55:30 2013
 * Bringing up interface lo
 * ERROR: interface lo does not exist
 * Ensure that you have loaded the correct kernel module for your hardware
 * ERROR: net.lo failed to start
 * Bringing up interface eth0
 * ERROR: interface eth0 does not exist
 * Ensure that you have loaded the correct kernel module for your hardware
 * ERROR: net.eth0 failed to start
 * ERROR: cannot start syslog-ng as net.eth0 would not start
 * ERROR: cannot start sshd as net.eth0 would not start
 * Starting vixie-cron ... [ ok ]
 * Starting local ... [ ok ]
Consider that I was happily using lxc for my test environments until... mumble... the last lxc upgrade (I'm not sure).
Currently, I'm playing with:
=sys-kernel/gentoo-sources-3.6.11
=sys-apps/openrc-0.11.8 (both host and container)
=app-emulation/lxc-0.8.0-r1
I'm blocked.
HUJuice
s4e8 Guru
Joined: 29 Jul 2006 Posts: 311
Posted: Fri Jan 04, 2013 1:08 pm
It works here, after I disabled all network filesystems, XFS, FUSE and the autofs automount fs (you should check init/Kconfig to find out what UIDGID_CONVERTED depends on), and I got:
Code:
.config - Linux/x86_64 3.7.1 Kernel Configuration
Namespaces support
  --- Namespaces support
  [*] UTS namespace
  [*] IPC namespace
  [ ] User namespace (EXPERIMENTAL) (NEW)
  [*] PID Namespaces
  [*] Network namespace
Though the new CONFIG_USER_NS may not work with lxc, because it's still under heavy rewriting.
hujuice wrote:
  Thanks @s4e8, but disabling those features is not enough for me.
  I've already looked at the Linux Kernel Driver DataBase for this, but I'm still unable either to find the feature in the dummy 'make menuconfig' or to write a working .config manually.
  After removing NFS_FS (the one in the list) I tried to write my .config manually, without success.
  (The make phase corrects my .config, removing the last two lines listed.)
hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Fri Jan 04, 2013 1:44 pm
I really wonder.
There's a very large plethora of options to disable.
I'm quite confused. I will verify everything this weekend.
Thanks again,
HUJuice
hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Fri Jan 04, 2013 7:38 pm
I was completely on the wrong track.
I've found a crude solution.
Thanks Hu, USER_NS was not the main problem, and not the one blocking the network.
Anyway, everything is hazy to me, both the kernel configuration and my network problem.
So, I cannot mark the thread as "solved".
The network was stopped because of the new network management (not so clear to me).
Network devices seem to have disappeared, even if the network works in the container.
What I did is to give a complete network configuration in the lxc configuration file and remove the 'need net' dependency from services.
Here is my new rc.log. It looks really ugly, but the surprising fact is that THE NETWORK WORKS.
/var/log/rc.log:
rc default logging started at Fri Jan 4 20:16:45 2013
 * Bringing up interface lo
 * ERROR: interface lo does not exist
 * Ensure that you have loaded the correct kernel module for your hardware
 * ERROR: net.lo failed to start
 * Bringing up interface eth0
 * ERROR: interface eth0 does not exist
 * Ensure that you have loaded the correct kernel module for your hardware
 * ERROR: net.eth0 failed to start
 * ERROR: cannot start syslog-ng as net.eth0 would not start
 * Starting sshd ... [ ok ]
 * Starting vixie-cron ... [ ok ]
 * Starting local ... [ ok ]
rc default logging stopped at Fri Jan 4 20:16:45 2013
Here I'm logged in via SSH.
As you can see, syslog-ng failed to start because net.eth0 failed, while sshd started because I removed the 'need net' dependency.
I need to spend some time to better understand the whole mechanism.
Regards,
HUJuice
hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Sun Jan 06, 2013 4:40 pm
Whoever is interested can read this: May I have a network connection, please?
HUjuice
hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Mon Jan 07, 2013 1:08 pm
Here is the complete response to my NETWORK problem: https://bugs.gentoo.org/show_bug.cgi?id=445820
The USER_NS issue is unresolved for me, but it has no consequences (for me).
Regards,
HUjuice
Kron n00b
Joined: 22 Jan 2013 Posts: 10 Location: Belarus, Minsk
Posted: Tue Jan 22, 2013 12:39 pm
Finally I found someone with the same problem.
In my case I have many lxc containers and I can't update them anymore, because the last openrc that works properly is 10.5. The newer ones have broken network support.
I'm still searching for the solution.
hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Tue Jan 22, 2013 3:11 pm
Kron, you have to enable this kind of line in your container configuration:
From /etc/lxc/dev9.conf:
lxc.mount.entry=sys /VMs/lxc/dev9/sys sysfs defaults 0 0
Please note that this introduces a security risk, as documented in http://blog.bofh.it/debian/id_413.
So, it makes sense only if your container(s) administration is shared with the host administration.
In other words, the container administrator could "evade" to the host: never give the container to untrusted people.
Regards,
HUjuice
Kron n00b
Joined: 22 Jan 2013 Posts: 10 Location: Belarus, Minsk
Posted: Wed Jan 23, 2013 6:55 am
hujuice, thank you for your advice!
There is also a temporary solution: build openrc with the 'newnet' USE flag. In this case it works fine. Tested with openrc 11.8.
I haven't tested it with multiple interfaces yet.
hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Wed Jan 23, 2013 12:44 pm
I read about the 'newnet' option.
My personal need is to have 'quick and dirty' development environments. So, I was not interested in the newnet scenario, which I don't know and which is experimental in turn.
Kron, do you feel that it is an interesting scenario?
HUjuice
Kron n00b
Joined: 22 Jan 2013 Posts: 10 Location: Belarus, Minsk
Posted: Wed Jan 23, 2013 1:00 pm
Quote:
  Kron, do you feel that it is an interesting scenario?
Not really. It's a bit strange; on the other hand, it works. When you use 'newnet', the net.lo init script is no longer functional.
As I remember, openrc developers have plans to remove this USE flag: https://bugs.gentoo.org/show_bug.cgi?id=445820#c5
I have many containers and I don't want to mount /sys inside the container because some users have root privileges, so it's a bit dangerous in my situation.
I guess 'newnet' is the single solution for me at the moment.
hujuice Guru
Joined: 16 Oct 2007 Posts: 336 Location: Rome, Italy
Posted: Wed Jan 23, 2013 5:40 pm
Thanks Kron.
HUjuice
Kron n00b
Joined: 22 Jan 2013 Posts: 10 Location: Belarus, Minsk
Posted: Wed Jan 23, 2013 5:43 pm
HUjuice, thank you too!
ago Developer
Joined: 01 Mar 2008 Posts: 1527 Location: Milan, Italy
Posted: Wed Mar 20, 2013 11:07 am
hujuice wrote:
  The USER_NS issue is unresolved for me, but it has no consequences (for me).
Please use >=3.8.0, I'd suggest 3.8.3 because of bug 462172, then disable nfs and you will see USER_NS.
bonyiii n00b
Joined: 09 Mar 2013 Posts: 2
Posted: Fri Mar 22, 2013 10:05 pm
For me s4e8's answer gives the direction, and here http://www.funtoo.org/Linux_Containers they recommend the same.
So I started to turn off these options in the kernel and suddenly the user namespace option appeared!
But then kcopy compilation failed, so I took it out of my config temporarily just to see a hopefully working lxc.
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Fri Mar 22, 2013 11:34 pm
Any idea why lxc doesn't like xfs, fuse, or nfs? The nfs thing is also mentioned here by ago. Anyone know if it's planned to bring these capabilities back?
_________________
.sigs waste space and bandwidth
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sat Mar 23, 2013 12:14 am
As far as I know, LXC has no issue with any of those features. LXC suggests, but does not require, the availability of kernel support for user namespaces. If you want user namespaces, then the kernel requires those features to be disabled in v3.8 because the patches to make those features work correctly with user namespaces were not merged for v3.8, so enabling both NFS and USER_NS would result in failure. I believe v3.9 has support for NFS with USER_NS, but still requires XFS=n. I think I saw plans for v3.10 to support XFS=y with USER_NS=y.
boospy Guru
Joined: 07 Feb 2010 Posts: 308 Location: Austria
Posted: Thu May 16, 2013 9:24 pm
Oh my god, how crazy is this... Disabling kernel options for other options...
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Thu May 16, 2013 10:53 pm
boospy wrote:
  Oh my god, how crazy is this... Disabling kernel options for other options...
You resurrected a two month old thread to complain about an issue that is not all that uncommon. Kernel policy generally permits adding features which do not work with every possible permutation of other options, provided that the feature does not significantly break the others. Using a Kconfig directive to lock out USER_NS when XFS=y and vice versa is an elegant way of preventing users from configuring kernels known not to work.
gordonp Tux's lil' helper
Joined: 23 May 2005 Posts: 102
Posted: Sat Jun 22, 2013 1:34 pm
I'm with boospy on this one: the disabling of so many fundamental kernel-options to enable LXC *is* completely crazy :-O
Sure, I'm also resurrecting an old thread, but the complaint remains as fresh as yesterday's hardened-sources / gentoo-sources (3.8.13). I've run up against showstopping Vserver limitations, and was trying LXC. After numerous kernels, and numerous config/compile/check cycles, I wound up at this (helpful) thread...
I shouldn't shoot the messenger but s4e8 has provided an extensive, helpful list that utterly kills LXC (for me). I'm looking at LXC for server-consolidation; I've used XFS for over a decade (including on IRIX), and I'm quite adamant about sticking with it. Same for NFS, AutoFS (and IPv6, CIFS, DAV, etc). While disappointing, this thread has helped me understand that LXC is still many bricks short of a full load.
I was hoping for a chroot/container-based "virtualization" scheme, but it just doesn't look like things are well-baked at this moment, for server-features of today and for the next decade. Of course, it's all there with heavier-weight paravirtualization...
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sat Jun 22, 2013 4:31 pm
As I stated earlier in the thread, you do not need to enable USER_NS to use LXC. LXC may work better with USER_NS, but if you read up on USER_NS, you will see that it is in turn not fully baked. There are certain kernel components which assume that a kuid of 0 grants privilege in the initial user namespace. As a result, you cannot safely grant kuid 0 into an inner namespace. The restriction on XFS will be relaxed when XFS compiles with USER_NS enabled. For the 3.8 series kernel, you can have a working XFS or a working USER_NS, but not both.
Since you concur with his statement, would you mind explaining what you think the proper solution would be? Would you prefer that the kernel offer you the option to enable USER_NS, but have it force XFS off when you do so? Would you prefer that it let you enable both, then fail to build when the compiler discovers that the XFS code is not compatible with USER_NS?