Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Config_user_ns
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Thu Jan 03, 2013 7:10 pm    Post subject: Config_user_ns Reply with quote

In the last, stable kernels, I'm unable to activate CONFIG_USER_NS. Can someone help?

Code:
  │ Symbol: USER_NS [=n]                                                                                                         │ 
  │ Type  : boolean                                                                                                              │ 
  │ Prompt: User namespace (EXPERIMENTAL)                                                                                        │ 
  │   Defined at init/Kconfig:888                                                                                                │ 
  │   Depends on: NAMESPACES [=y] && EXPERIMENTAL [=y] && UIDGID_CONVERTED [=n]                                                  │ 
  │   Location:                                                                                                                  │ 
  │     -> General setup                                                                                                         │ 
  │       -> Namespaces support (NAMESPACES [=y])                                                                                │ 
  │   Selects: UIDGID_STRICT_TYPE_CHECKS [=n]


It depends on CONFIG_UIDGID_CONVERTED, but I cannot find/activate it and the help is completely empty. :roll:
Code:
  │ Symbol: UIDGID_CONVERTED [=n]                                                                                                │ 
  │ Type  : boolean


Googling around didn't help.

Without this, lxc is unable to work.
Code:
 * Checking for suitable kernel configuration options...
 *   CONFIG_USER_NS:     is not set when it should be.
 *   CONFIG_NETPRIO_CGROUP:     as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting.
 * Please check to make sure these options are set correctly.
 * Failure to do so may cause unexpected problems.


I tried linux-3.7.1-gentoo and linux-3.6.11-gentoo sources, with custom and alldefconfig configs.

Any help would be appreciated.

Regards,
HUjuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
s4e8
Apprentice
Apprentice


Joined: 29 Jul 2006
Posts: 205

PostPosted: Fri Jan 04, 2013 1:33 am    Post subject: Reply with quote

You must disable follow features:
depends on NET_9P = n
depends on 9P_FS = n
depends on AFS_FS = n
depends on AUTOFS4_FS = n
depends on CEPH_FS = n
depends on CIFS = n
depends on CODA_FS = n
depends on FUSE_FS = n
depends on GFS2_FS = n
depends on NCP_FS = n
depends on NFSD = n
depends on NFS_FS = n
depends on OCFS2_FS = n
depends on XFS_FS = n
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8854

PostPosted: Fri Jan 04, 2013 2:51 am    Post subject: Reply with quote

The messages shown appear to be warnings. Does lxc actually fail to install? If it installs, does it fail to work?
Back to top
View user's profile Send private message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Fri Jan 04, 2013 12:09 pm    Post subject: Reply with quote

Thanks @s4e8, but disabling those features is not enough for me.
I've already seen Linux Kernel Driver DataBase about, but I'm still unable neither to find the feature in the dummy 'make menuconfig' nor to write manually a working .config.

After removing NFS_FS (the one in the list) I tried to manually write my .config, without success.
Code:
...
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_USER_NS=y
CONFIG_UIDGID_CONVERTED=y
...

(The make phase correct my .config, removing the last two lines listed)

@Hu, in my actual configuration(s) lxc starts, but the container has no loopback, so no network.
/VMs/lxc/moodcast/var/log/rc.log:
rc default logging started at Fri Jan  4 12:55:30 2013

 * Bringing up interface lo
 *   ERROR: interface lo does not exist
 *   Ensure that you have loaded the correct kernel module for your hardware
 * ERROR: net.lo failed to start
 * Bringing up interface eth0
 *   ERROR: interface eth0 does not exist
 *   Ensure that you have loaded the correct kernel module for your hardware
 * ERROR: net.eth0 failed to start
 * ERROR: cannot start syslog-ng as net.eth0 would not start
 * ERROR: cannot start sshd as net.eth0 would not start
 * Starting vixie-cron ... [ ok ]
 * Starting local
 [ ok ]

Consider that I was happily using lxc for my test environments until... mumble... the last lxc upgrade (I'm not sure).

Actually, I'm playing with:
=sys-kernel/gentoo-sources-3.6.11
=sys-apps/openrc-0.11.8 (both host and container)
=app-emulation/lxc-0.8.0-r1

I'm blocked :?
HUJuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
s4e8
Apprentice
Apprentice


Joined: 29 Jul 2006
Posts: 205

PostPosted: Fri Jan 04, 2013 1:08 pm    Post subject: Reply with quote

It work here, after I disable all networking FS, XFS, FUSE, auto automount fs (you should check init/Kconfig to finding out what UIDGID_CONVERTED depends on), and I got:
Code:

 .config - Linux/x86_64 3.7.1 Kernel Configuration
 ───────────────────────────────────────────────────────────────────────────────
  ┌─────────────────────────── Namespaces support ───────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus --->.           │ 
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes,  │ 
  │  <M> modularizes features.  Press <Esc><Esc> to exit, <?> for Help, </>  │ 
  │  for Search.  Legend: [*] built-in  [ ] excluded  <M> module  < > module │ 
  │ ┌──────────────────────────────────────────────────────────────────────┐ │ 
  │ │    --- Namespaces support                                            │ │ 
  │ │    [*]   UTS namespace                                               │ │ 
  │ │    [*]   IPC namespace                                               │ │ 
  │ │    [ ]   User namespace (EXPERIMENTAL) (NEW)                         │ │ 
  │ │    [*]   PID Namespaces                                              │ │ 
  │ │    [*]   Network namespace   

Through the new CONFIG_USER_NS may not work with lxc, because it's still under heavy-rewriting.
hujuice wrote:
Thanks @s4e8, but disabling those features is not enough for me.
I've already seen Linux Kernel Driver DataBase about, but I'm still unable neither to find the feature in the dummy 'make menuconfig' nor to write manually a working .config.

After removing NFS_FS (the one in the list) I tried to manually write my .config, without success.
(The make phase correct my .config, removing the last two lines listed)
Back to top
View user's profile Send private message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Fri Jan 04, 2013 1:44 pm    Post subject: Reply with quote

I really wonder.
There's a very large plethora of options to disable.

I'm quite confused. I will verify everything in this weekend.

Thanks again,
HUJuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Fri Jan 04, 2013 7:38 pm    Post subject: Reply with quote

I was completely in a wrong way.
I've found a rude solution.

Thanks Hu, USER_NS was not the main problem, not the problem blocking the network.
Anyway, everything is smoky to me, about the kernel configuration and about my network problem.
So, I cannot mark as "solved" the thread.

The network was stopped because the new network management (not so clear to me).
Network devices seems disappeared, even if the network works in the container.
What I did is to give a complete network configuration in the lxc configuration file and remove the 'need net' dependency from services.

Here is my new rc.log. It appears really ugly, but the wondering fact is that THE NETWORK WORKS.
/var/log/rc.log:
rc default logging started at Fri Jan  4 20:16:45 2013

 * Bringing up interface lo
 *   ERROR: interface lo does not exist
 *   Ensure that you have loaded the correct kernel module for your hardware
 * ERROR: net.lo failed to start
 * Bringing up interface eth0
 *   ERROR: interface eth0 does not exist
 *   Ensure that you have loaded the correct kernel module for your hardware
 * ERROR: net.eth0 failed to start
 * ERROR: cannot start syslog-ng as net.eth0 would not start
 * Starting sshd ... [ ok ]
 * Starting vixie-cron ... [ ok ]
 * Starting local
 [ ok ]

rc default logging stopped at Fri Jan  4 20:16:45 2013


Here I'm logged in via SSH.

As you can see, syslog-ng failed to start because net.eth0 failed, while sshd started because I removed the 'need net' dependency.
I need to spend some time to better understand the whole mechanism.

Regards,
HUJuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Sun Jan 06, 2013 4:40 pm    Post subject: Reply with quote

Who's interested car read this: May I have a network connection, please?
HUjuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Mon Jan 07, 2013 1:08 pm    Post subject: Reply with quote

Here the complete response to my NETWORK problem: https://bugs.gentoo.org/show_bug.cgi?id=445820

The USER_NS issue is unresolved for me, but it has no consequences (for me).

Regards,
HUjuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
Kron
n00b
n00b


Joined: 22 Jan 2013
Posts: 9
Location: Belarus, Minsk

PostPosted: Tue Jan 22, 2013 12:39 pm    Post subject: Reply with quote

Finally I found someone with the same problem.

In my case I have many lxc containers and I can`t update them anymore because the last openrc that works properly is 10.5. The newest are have broken network support.
I`m still searching for the solution.
Back to top
View user's profile Send private message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Tue Jan 22, 2013 3:11 pm    Post subject: Reply with quote

Kron, you have to enable this kind of line in your container configuration:
From /etc/lxc/dev9.conf:
lxc.mount.entry=sys /VMs/lxc/dev9/sys sysfs defaults 0 0


Please, note that this introduces a security risk, as documented in http://blog.bofh.it/debian/id_413.
So, it makes sense if your container(s) administration is shared with the host administration.
In other words, the container adminstrator could "evade" to the host: never give the container to untrusted people.

Regards,
HUjuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
Kron
n00b
n00b


Joined: 22 Jan 2013
Posts: 9
Location: Belarus, Minsk

PostPosted: Wed Jan 23, 2013 6:55 am    Post subject: Reply with quote

hujuice, thank you for your advice!

There is also temporary solution -> build openrc with 'newnet' USE flag. In this case it works fine. Tested with openrc 11.8.
I have`t tested yet it with multiple interfaces.
Back to top
View user's profile Send private message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Wed Jan 23, 2013 12:44 pm    Post subject: Reply with quote

I read about the 'newnet' opportunity.

My personal need is to have 'quick and dirty' development environments. So, I was not interested to the newnet scenario, that I don't know and that is experimental in turn.

Kron, do you feel that it is an interesting scenario?
HUjuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
Kron
n00b
n00b


Joined: 22 Jan 2013
Posts: 9
Location: Belarus, Minsk

PostPosted: Wed Jan 23, 2013 1:00 pm    Post subject: Reply with quote

Quote:
Kron, do you feel that it is an interesting scenario?

Not really. It`s a bit strange, in the other hand - it works. When you use a 'newnet' - net.lo init script are no more functional.
As I remember openrc developers have plans to remove this USE flag https://bugs.gentoo.org/show_bug.cgi?id=445820#c5
I have many containers and I don`t want to mount /sys inside the container because some users have a root privileges, so it`s a bit dangerous in my situation.
I guess 'newnet' is the single solution for me for that moment.
Back to top
View user's profile Send private message
hujuice
Apprentice
Apprentice


Joined: 16 Oct 2007
Posts: 198
Location: Rome, Italy

PostPosted: Wed Jan 23, 2013 5:40 pm    Post subject: Reply with quote

Thanks Kron.
HUjuice
_________________
Who haven't a spine, should have a method.
Chi non ha carattere, deve pur avere un metodo.
Back to top
View user's profile Send private message
Kron
n00b
n00b


Joined: 22 Jan 2013
Posts: 9
Location: Belarus, Minsk

PostPosted: Wed Jan 23, 2013 5:43 pm    Post subject: Reply with quote

HUjuice, thank you too!
Back to top
View user's profile Send private message
ago
Developer
Developer


Joined: 01 Mar 2008
Posts: 1494
Location: Cosenza, Italy

PostPosted: Wed Mar 20, 2013 11:07 am    Post subject: Reply with quote

hujuice wrote:
The USER_NS issue is unresolved for me, but it has no consequences (for me).


Please use >=3.8.0, I'd suggest 3.8.3 because of bug 462172, then disable nfs and you will see USER_NS
_________________
Contattami se vuoi contribuire in:
-Arch tester
-Chromium tester
-Traduzione doc. it
-Security
Back to top
View user's profile Send private message
bonyiii
n00b
n00b


Joined: 09 Mar 2013
Posts: 2

PostPosted: Fri Mar 22, 2013 10:05 pm    Post subject: Reply with quote

For me s4e8 answer gives the direction and here http://www.funtoo.org/Linux_Containers they recommend the same.
So i started to turn off these option in kernel and suddenly user namespace option appeared!
But then kcopy compilation failed so i took it out of my config temporarly just see a hopefully working lxc
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 2439

PostPosted: Fri Mar 22, 2013 11:34 pm    Post subject: Reply with quote

Any idea why lxc doesn't like xfs, fuse, or nfs? The nfs thing is also mentioned here by ago. Anyone know if it's planned to bring these capabilities back?
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8854

PostPosted: Sat Mar 23, 2013 12:14 am    Post subject: Reply with quote

As far as I know, LXC has no issue with any of those features. LXC suggests, but does not require, the availability of kernel support for user namespaces. If you want user namespaces, then the kernel requires those features to be disabled in v3.8 because the patches to make those features work correctly with user namespaces were not merged for v3.8, so enabling both NFS and USER_NS would result in failure. I believe v3.9 has support for NFS with USER_NS, but still requires XFS=n. I think I saw plans for v3.10 to support XFS=y with USER_NS=y.
Back to top
View user's profile Send private message
boospy
Apprentice
Apprentice


Joined: 07 Feb 2010
Posts: 235
Location: Austria

PostPosted: Thu May 16, 2013 9:24 pm    Post subject: Reply with quote

Oh my god, how crazy is this... :twisted: Disable Kerneloption for other options...
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8854

PostPosted: Thu May 16, 2013 10:53 pm    Post subject: Reply with quote

boospy wrote:
Oh my god, how crazy is this... :twisted: Disable Kerneloption for other options...
You resurrected a two month old thread to complain about an issue that is not all that uncommon. Kernel policy generally permits adding features which do not work with every possible permutation of other options, provided that the feature does not significantly break the others. Using a Kconfig directive to lock out USER_NS when XFS=y and vice versa is an elegant way of preventing users from configuring kernels known not to work.
Back to top
View user's profile Send private message
gordonp
n00b
n00b


Joined: 23 May 2005
Posts: 53

PostPosted: Sat Jun 22, 2013 1:34 pm    Post subject: Reply with quote

I'm with boospy on this one: the disabling of so many fundamental kernel-options to enable LXC *is* completely crazy :-O

Sure, I'm also resurrecting an old thread, but the complaint remains as fresh as yesterday's hardened-sources / gentoo-sources (3.8.13). I've run up against showstopping Vserver limitations, and was trying LXC. After numerous kernels, and numerous config/compile/check cycles, I wound up at this (helpful) thread...

I shouldn't shoot the messenger :-) but s4e8 has provided an extensive, helpful list that utterly kills LXC (for me). I'm looking at LXC for server-consolidation; I've used XFS for over a decade (including on IRIX), and I'm quite adamant about sticking with it. Same for NFS, AutoFS (and IPv6, CIFS, DAV, etc). While disappointing, this thread has helped me understand that LXC is still many bricks short of a full load.

I was hoping for a chroot/container-based "virtualization" scheme, but it just doesn't look like things are well-baked at this moment, for server-features of today and for the next decade. Of course, it's all there with heavier-weight paravirtualization...
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8854

PostPosted: Sat Jun 22, 2013 4:31 pm    Post subject: Reply with quote

As I stated earlier in the thread, you do not need to enable USER_NS to use LXC. LXC may work better with USER_NS, but if you read up on USER_NS, you will see that it is in turn not fully baked. There are certain kernel components which assume that a kuid of 0 grants privilege in the initial user namespace. As a result, you cannot safely grant kuid 0 into an inner namespace. The restriction on XFS will be relaxed when XFS compiles with USER_NS enabled. For the 3.8 series kernel, you can have a working XFS or a working USER_NS, but not both.

Since you concur with his statement, would you mind explaining what you think the proper solution would be? Would you prefer that the kernel offer you the option to enable USER_NS, but have it force XFS off when you do so? Would you prefer that it let you enable both, then fail to build when the compiler discovers that the XFS code is not compatible with USER_NS?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum