Set security.nesting=true for LXD projects #591

Comments
Thank you for reporting your feedback to us! The internal ticket has been created: https://warthogs.atlassian.net/browse/CRAFT-3096.
Following on from this post https://discourse.ubuntu.com/t/questions-about-security-nesting-and-recent-systemd/51560, I'd like to understand the specific scenario that is causing an issue and what version(s) of LXD and host OS you are using. Thanks.
From looking at https://matrix.to/#/!NPPCseDHKRvSBMUEXN:ubuntu.com/$l9-msw901I7b885eH4LaGs_T9gmLKbSqE8tVrGLnAAk?via=ubuntu.com&via=matrix.org, this seems to be more the specific problem: that you're using a Focal host. This is because systemd v256 doesn't support cgroupv1 anymore, so even with security.nesting=true, Oracular containers on a Focal host won't work (without the HWE kernel). See canonical/lxd#13844 (comment) and https://discourse.ubuntu.com/t/questions-about-security-nesting-and-recent-systemd/51560/3?u=tomp
Enabling

```shell
lxc launch ubuntu:20.04 v1 --vm
lxc exec v1 -- snap refresh lxd --channel=5.21/stable
lxd (5.21/stable) 5.21.2-084c8c8 from Canonical✓ refreshed
lxc exec v1 -- lxd init --auto
lxc exec v1 -- lxc launch ubuntu:oracular c1
Creating c1
Starting c1
lxc exec v1 -- lxc ls # No IPv4 as systemd isn't starting properly
+------+---------+------+-----------------------------------------------+-----------+-----------+
| NAME |  STATE  | IPV4 |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+------+-----------------------------------------------+-----------+-----------+
| c1   | RUNNING |      | fd42:ec4f:9a40:d68e:216:3eff:fe8e:887d (eth0) | CONTAINER | 0         |
+------+---------+------+-----------------------------------------------+-----------+-----------+
lxc exec v1 -- lxc stop -f c1
lxc exec v1 -- lxc config set c1 security.nesting=true
lxc exec v1 -- lxc start c1
lxc exec v1 -- lxc ls # Still no IPv4 with security.nesting=true
+------+---------+------+-----------------------------------------------+-----------+-----------+
| NAME |  STATE  | IPV4 |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+------+-----------------------------------------------+-----------+-----------+
| c1   | RUNNING |      | fd42:ec4f:9a40:d68e:216:3eff:fe8e:887d (eth0) | CONTAINER | 0         |
+------+---------+------+-----------------------------------------------+-----------+-----------+
```
So I suspect your CI runners need to be updated to either run Focal's HWE kernel or move to Jammy onwards.
To sum up: according to the lxd team, setting https://discourse.ubuntu.com/t/questions-about-security-nesting-and-recent-systemd/51560/4
What needs to get done

- Set security.nesting=true in the LXD project profile
- Determine which systemd versions are affected and which LXD images will need this set

Why it needs to get done

Newer versions of systemd do not work well in nested containers.
This needs to be fixed at least for Oracular images.

Source: security.nesting by default for unprivileged containers and modern enough images (lxd#13631)
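An added example, not from this issue or from any Canonical project, that turns the two points of the thread into one script: the to-do item above (set security.nesting=true on the project's profile) and tomp's caveat that on a host without cgroup v2 a systemd 256 image will not boot whatever the key is set to. It reads the host's cgroup hierarchy and the image's systemd version, says whether nesting can help at all, and prints the lxc commands that set and read back the key on a project's default profile. The function names, the project name `craft`, the sample version strings and the mapping of `stat -fc %T /sys/fs/cgroup` output to a cgroup version are my assumptions for the illustration; the `lxc profile set/get ... --project` flags are real.

```shell
#!/bin/sh
# Added example (not from the issue or any Canonical project).
# Decides whether security.nesting=true can make a systemd-based image boot
# inside a container on this host, then prints the lxc commands that set the
# key on a project's default profile.  Function names, the project name and
# the sample inputs are assumptions made for this illustration.

# Map the filesystem type mounted at /sys/fs/cgroup (stat -fc %T) to the
# cgroup hierarchy the host exposes: cgroup2fs is the unified (v2) hierarchy,
# tmpfs is the legacy v1 or hybrid layout with per-controller directories.
host_cgroup_version() {
    case "$1" in
        cgroup2fs) echo 2 ;;
        tmpfs)     echo 1 ;;
        *)         echo 0 ;;   # unknown: treat as not v2
    esac
}

# Extract the major version from the first line of `systemctl --version`,
# e.g. "systemd 256 (256.5-2ubuntu3)" -> 256.  Prints nothing on no match.
systemd_major() {
    printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p'
}

# The thread's point: systemd 256 dropped cgroup v1 support, so on a host
# that is not on cgroup v2 the container's init will not come up no matter
# what security.nesting is set to.  Returns 0 if nesting is worth setting,
# 1 if the host itself (kernel/release) has to change first.
nesting_will_help() {
    cg=$(host_cgroup_version "$1")
    major=$(systemd_major "$2")
    major=${major:-0}
    if [ "$major" -ge 256 ] && [ "$cg" -ne 2 ]; then
        echo "no: systemd $major needs cgroup v2, host exposes cgroup v$cg"
        return 1
    fi
    echo "yes: host cgroup v$cg, systemd $major"
    return 0
}

# lxc commands (--project selects the LXD project) that set and then read
# back the key on the project's default profile.  Printed, not executed, so
# the script is safe to run anywhere.
nesting_commands() {
    printf 'lxc profile set default security.nesting=true --project %s\n' "$1"
    printf 'lxc profile get default security.nesting --project %s\n' "$1"
}

# Constructed sample inputs for the two situations in the thread (assumed
# values, not captured output): a Focal host on the hybrid cgroup layout and
# a Jammy host on cgroup v2, each with an Oracular (systemd 256) image and a
# Jammy (systemd 249) image.
HOST_FOCAL_HYBRID=tmpfs
HOST_JAMMY_V2=cgroup2fs
IMAGE_ORACULAR="systemd 256 (256.5-2ubuntu3)"
IMAGE_JAMMY="systemd 249 (249.11-0ubuntu3)"

for host in "$HOST_FOCAL_HYBRID" "$HOST_JAMMY_V2"; do
    for image in "$IMAGE_ORACULAR" "$IMAGE_JAMMY"; do
        printf 'host=%s image="%s": ' "$host" "$image"
        if nesting_will_help "$host" "$image"; then
            nesting_commands craft | sed 's/^/    /'
        fi
    done
done
```

On a real host the two inputs would come from `stat -fc %T /sys/fs/cgroup` and, for the image, `lxc exec <container> -- systemctl --version | head -n 1` (which works even when the container's init is not running). The decision is deliberately conservative: any host that is not on the unified hierarchy is treated as unable to run a systemd 256 image, which matches the Focal-without-HWE case reported in the thread.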