LXC on host's LAN running under normal user - lxc

I have set up an LXC container using this manual. It works great under root, but I can't run it under my normal user.
Starting the LXC container fails with the following error:
lxc-start Test 20221009142640.181 ERROR network - network.c:lxc_create_network_unpriv_exec:2629 - lxc-user-nic failed to configure requested network: cmd/lxc_user_nic.c: 1209: main: Quota reached
lxc-start Test 20221009142640.182 ERROR start - start.c:lxc_spawn:1786 - Failed to create the network
lxc-start Test 20221009142640.182 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:859 - Received container state "ABORTING" instead of "RUNNING"
lxc-start Test 20221009142640.182 ERROR lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start Test 20221009142640.182 ERROR lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start Test 20221009142640.182 ERROR lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start Test 20221009142640.184 ERROR start - start.c:__lxc_start:1999 - Failed to spawn container "Test"
I suspect the issue is that a normal user can't set up the proper network run from lxc.net.0.script.up.
I'm not so familiar with Linux networking, so I'd appreciate it if somebody could help me.
cat default.conf
#lxc.apparmor.profile = generated
#lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.include = /etc/lxc/default.conf
######################################
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.net.0.ipv4.address = 192.168.1.13/32
lxc.net.0.ipv4.gateway = 192.168.1.10
lxc.net.0.script.up = /var/lib/lxc/netup.sh 192.168.1.13
lxc.net.0.script.down = /var/lib/lxc/netdown.sh 192.168.1.13
cat lxc-usernet
pi veth veth0 2
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fd03:d926:5f2b:0:1b5a:7e3f:e65f:cf49 prefixlen 64 scopeid 0x0<global>
inet6 fd03:d926:5f2b::10 prefixlen 128 scopeid 0x0<global>
inet6 fe80::1b9:aa6:c2f3:b99c prefixlen 64 scopeid 0x20<link>
ether dc:a6:32:d3:22:99 txqueuelen 1000 (Ethernet)
RX packets 121141930 bytes 157518188138 (146.7 GiB)
RX errors 2 dropped 2 overruns 0 frame 0
TX packets 65951525 bytes 48575917258 (45.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lxcbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.0.3.1 netmask 255.255.255.0 broadcast 10.0.3.255
ether 00:16:3e:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
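The "Quota reached" message in the log comes from lxc-user-nic, the setuid-root helper that creates network devices for unprivileged containers. Its allow-list is /etc/lxc/lxc-usernet, one line per grant in the form `<user or @group> <type> <bridge> <count>`: the named user may attach at most `<count>` devices of `<type>` (veth or macvlan) to `<bridge>`, and the bridge is the one the container names in `lxc.net.N.link`. The checker below is an added example, not code from the post or from the LXC project; it parses both files, applies those rules, and reports why a request would be refused. The sample files, the user names and the `in_use` counts are constructed, and the exact accounting lxc-user-nic does internally (it records live allocations under /run/lxc/nics) is assumed rather than quoted from its source.

```python
"""Check an unprivileged LXC network config against an lxc-usernet policy.

Added example (not from the original post or from LXC). It models the policy
that the setuid helper lxc-user-nic enforces: each lxc-usernet line reads
"<user-or-@group> <type> <bridge> <count>", and an unprivileged container may
only get a veth/macvlan device attached to a bridge that some line grants its
owner, and only while fewer than <count> such devices are already in use.
The in-use accounting is passed in by the caller here; how lxc-user-nic
tracks it internally is an assumption, not quoted from its code.
"""
import re
from collections import defaultdict

# Constructed sample inputs, modelled on the files in the post but not copied from it.
SAMPLE_USERNET = """\
# user  type  bridge  count
pi     veth  lxcbr0  2
@lxc   veth  lxcbr0  10
"""

# A config that names a veth pair but no bridge to attach it to.
SAMPLE_CONFIG_BAD = """\
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth0
lxc.net.0.flags = up
"""

# The same device, but attached to a bridge that lxc-usernet grants.
SAMPLE_CONFIG_GOOD = """\
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
"""


def parse_usernet(text):
    """Return {(principal, type, bridge): count} from lxc-usernet contents."""
    allowed = defaultdict(int)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed lxc-usernet line: {line!r}")
        principal, nic_type, bridge, count = fields
        allowed[(principal, nic_type, bridge)] += int(count)
    return dict(allowed)


def parse_net_config(text):
    """Return {index: {key: value}} for every lxc.net.<n>.* line in a container config."""
    nets = defaultdict(dict)
    pat = re.compile(r"^lxc\.net\.(\d+)\.([\w.]+)\s*=\s*(.*)$")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = pat.match(line)
        if m:
            nets[int(m.group(1))][m.group(2)] = m.group(3).strip()
    return dict(nets)


def check_unpriv_net(config_text, usernet_text, user, groups=(), in_use=None):
    """Return [(net_index, reason), ...]; an empty list means every device is permitted.

    in_use maps (user, bridge) -> number of devices that user already has on that bridge.
    """
    allowed = parse_usernet(usernet_text)
    in_use = in_use or {}
    principals = [user] + ["@" + g for g in groups]
    problems = []
    for idx, net in sorted(parse_net_config(config_text).items()):
        nic_type = net.get("type", "empty")
        if nic_type in ("empty", "none"):
            continue  # nothing for lxc-user-nic to create
        if nic_type not in ("veth", "macvlan"):
            problems.append((idx, f"type {nic_type} is not creatable by lxc-user-nic"))
            continue
        bridge = net.get("link")
        if not bridge:
            problems.append((idx, f"lxc.net.{idx}.link is unset; lxc-user-nic needs a bridge listed in lxc-usernet"))
            continue
        quota = sum(allowed.get((p, nic_type, bridge), 0) for p in principals)
        used = in_use.get((user, bridge), 0)
        if quota == 0:
            problems.append((idx, f"no lxc-usernet line grants {user} a {nic_type} on {bridge}"))
        elif used >= quota:
            problems.append((idx, f"quota reached: {used} of {quota} {nic_type} devices on {bridge} already in use"))
    return problems


if __name__ == "__main__":
    for label, cfg in (("bad", SAMPLE_CONFIG_BAD), ("good", SAMPLE_CONFIG_GOOD)):
        print(label, check_unpriv_net(cfg, SAMPLE_USERNET, "pi") or "permitted")
```

Run it against a real system by reading `/etc/lxc/lxc-usernet` and the container's `config` into the two text arguments; a non-empty result names the network index and the rule that refuses it, which is more than the one-line "Quota reached" from the helper tells you.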

Related

Docker container can not connect to host machine

I use docker-compose to operate 3 containers and a network with the bridge driver.
The network is created with the following command:
docker network create -d bridge --subnet 192.168.60.0/24 --gateway 192.168.60.1 mynet
The problem is that the containers are not reachable by their address from the host machine:
curl: (7) Failed to connect to 192.168.60.3 port 80: Connection refused. I know for certain that the container is running and listening on the port.
From inside the container, the host machine is unreachable as well: curl: (7) Failed to connect to 192.168.60.1.
There must be some trouble with the driver, because the network is not listed in the interfaces. I did the same thing on another machine and found all docker networks with names like vethXXXXXXX. But on this machine ifconfig -a shows:
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:98:c3:b9:63 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 41250 bytes 11892280 (11.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41250 bytes 11892280 (11.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.202.43 netmask 255.255.255.0 broadcast 192.168.202.255
inet6 fe80::65e5:6492:9305:2d71 prefixlen 64 scopeid 0x20<link>
ether d4:3b:04:74:5c:48 txqueuelen 1000 (Ethernet)
RX packets 693406 bytes 537178014 (537.1 MB)
RX errors 0 dropped 884 overruns 0 frame 0
TX packets 2803399 bytes 572926991 (572.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
What kind of problem could it be? Why is the network not shown in the interface list?

Docker container network issue

I am trying to connect my container to a device that is on a private network. I have tried using the host network and exposing a port, but when I do that I get the following warning:
WARNING: Published ports are discarded when using host network mode
I then tried using the following commands and tried to ping my device's network from the container, but it still didn't work.
docker network create -d macvlan --driver=bridge --subnet=10.112.65.0/16 --ip-range=10.112.65.0/24 --gateway=10.112.65.1 -o parent=eth0 demo_net
docker run --name DemoTest --net=demo_net --ip=10.112.65.103 --entrypoint /bin/bash -it Demo_Test
Does anyone know how I would be able to correct this?
docker run --name Demo --network=host --entrypoint /bin/bash -it test
root@docker-desktop:/# ifconfig
br-0ae4bcee0a03: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.112.65.1 netmask 255.255.0.0 broadcast 10.112.255.255
inet6 fe80::42:7eff:fe95:61a6 prefixlen 64 scopeid 0x20<link>
ether 02:42:7e:95:61:a6 txqueuelen 0 (Ethernet)
RX packets 80 bytes 2632 (2.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 2040 (2.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:3bff:feef:7ff6 prefixlen 64 scopeid 0x20<link>
ether 02:42:3b:ef:7f:f6 txqueuelen 0 (Ethernet)
RX packets 1003286 bytes 68950091 (68.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2844246 bytes 4108532649 (4.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.65.3 netmask 255.255.255.0 broadcast 192.168.65.255
inet6 fe80::50:ff:fe00:1 prefixlen 64 scopeid 0x20<link>
ether 02:50:00:00:00:01 txqueuelen 1000 (Ethernet)
RX packets 3362882 bytes 4867367901 (4.8 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1170907 bytes 92178571 (92.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 3353 bytes 1020141 (1.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3353 bytes 1020141 (1.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
services1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.65.4 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::78ba:60ff:fe3c:17c prefixlen 64 scopeid 0x20<link>
ether 7a:ba:60:3c:01:7c txqueuelen 0 (Ethernet)
RX packets 454 bytes 58899 (58.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 456 bytes 32795 (32.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@docker-desktop:/# ping 10.112.65.3
PING 10.112.65.3 (10.112.65.3) 56(84) bytes of data.
^C
--- 10.112.65.3 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2063ms

Connect docker containers to TAP interface

What I'm doing is connecting two docker containers using OVS-DPDK to test throughput between them (using sockperf or iperf3). For this, I've been suggested to use TAP interfaces.
What is expected is that container A sends/receives traffic from TAP0 and container B sends/receives traffic from the TAP1 interface. TAP0 must send traffic to TAP1 over userspace OVS-DPDK and vice versa.
But unfortunately, I can't get the traffic to go to the TAP interfaces.
Here is what I'm doing (based on this answer):
On the host OS:
sudo ./utilities/ovs-vsctl add-br br0 -- set bridge br0 datapath_type=netdev
sudo ./utilities/ovs-vsctl add-port br0 myeth0 -- set Interface myeth0 type=dpdk options:dpdk-devargs=net_tap0,iface=tap0
sudo ./utilities/ovs-vsctl add-port br0 myeth1 -- set Interface myeth1 type=dpdk options:dpdk-devargs=net_tap1,iface=tap1
sudo ./utilities/ovs-ofctl add-flow br0 in_port=1,action=output:2
sudo ./utilities/ovs-ofctl add-flow br0 in_port=2,action=output:1
It creates two TAP interfaces (shown in ifconfig) and two OVS-DPDK ports (myeth0 and myeth1).
Then I assign IPs to the TAP interfaces:
sudo ip addr add 173.17.0.1/24 dev tap0
sudo ip addr add 173.17.1.1/24 dev tap1
sudo ip link set tap0 up
sudo ip link set tap1 up
And then run the docker containers:
docker run -it --rm --name=server -p 5201:5201 --entrypoint /bin/bash "networkstatic/iperf3"
docker run -it --rm --name=client --entrypoint /bin/bash "networkstatic/iperf3"
The traffic goes through the Docker-created veth interfaces and nothing goes through the TAP interfaces (as I check in ifconfig).
What is the correct way to connect two containers using OVS-DPDK and TAP interface in Linux?
EDIT:
Output of ifconfig:
tap0: flags=4931<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,MULTICAST> mtu 1500
inet6 fe80::3847:cbff:fe27:3c2e prefixlen 64 scopeid 0x20<link>
ether 3a:47:cb:27:3c:2e txqueuelen 1000 (Ethernet)
RX packets 16 bytes 2447 (2.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 29 bytes 3545 (3.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tap1: flags=4931<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,MULTICAST> mtu 1500
inet6 fe80::2835:bcff:fe4c:4f0e prefixlen 64 scopeid 0x20<link>
ether 2a:35:bc:4c:4f:0e txqueuelen 1000 (Ethernet)
RX packets 12 bytes 1203 (1.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16 bytes 2447 (2.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth8f1f04e: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::50bf:f2ff:fed9:e03b prefixlen 64 scopeid 0x20<link>
ether 52:bf:f2:d9:e0:3b txqueuelen 0 (Ethernet)
RX packets 2047606 bytes 135148094 (135.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2717619 bytes 119774365333 (119.7 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethb6e1780: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::382b:e0ff:fe8f:afa0 prefixlen 64 scopeid 0x20<link>
ether 3a:2b:e0:8f:af:a0 txqueuelen 0 (Ethernet)
RX packets 2717563 bytes 119774357789 (119.7 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2047637 bytes 135151896 (135.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Docker containers on macvlan can't ping external internet

I am trying to set up a pihole docker instance running on a macvlan on a Raspberry Pi 4B.
I am unable to ping the external internet from my container.
I've managed to reduce the problem for replication:
Create a macvlan on wlan0, which has promiscuous mode enabled.
Launch a docker container and attempt to ping the external world.
Details:
I'm running a raspberry pi 4, using the wlan0 interface. I have enabled promiscuous mode on wlan0
I create the macvlan network with docker network create -d macvlan --subnet=10.0.37.27/24 --gateway=10.0.37.1 --ip-range 10.0.37.65/29 -o parent=wlan0 --aux-address="pi4=10.0.37.69" macvlan0 - this creates a child interface called macvlan0 under wlan0. This means that containers will get assigned IPs from .65-.70.
I then run a busybox container to ping my wlan0 physical IP: docker run --net=macvlan0 busybox ping 10.0.37.27. This works.
If I try to ping 1.1.1.1 or even the gateway at 10.0.37.1, it fails.
I verified the routing table is correct with docker run --net=macvlan0 busybox ip route get 1.1.1.1 and I get a result 1.1.1.1 via 10.0.37.1 dev eth0 src 10.0.37.64, which is perfectly reasonable.
Analysis:
I don't understand what is going on. I'm able to ping my container from my host, and my host from my container (I set up a macvlan-shim).
My ip route and route -n show reasonable routing tables
And yet, ping externally fails. I'm very confused.
ifconfig on the pi4
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:c5:da:e3:84 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether dc:a6:32:08:56:eb txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 483666 bytes 87269371 (87.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 483666 bytes 87269371 (87.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
macvlan-shim: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.37.69 netmask 255.255.255.248 broadcast 0.0.0.0
inet6 fe80::bcd6:6fff:fe61:4eaf prefixlen 64 scopeid 0x20<link>
ether be:d6:6f:61:4e:af txqueuelen 1000 (Ethernet)
RX packets 94178 bytes 21676941 (21.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 227298 bytes 9556744 (9.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet 10.0.37.27 netmask 255.255.255.0 broadcast 10.0.37.255
inet6 fe80::dea6:32ff:fe08:56ec prefixlen 64 scopeid 0x20<link>
ether dc:a6:32:08:56:ec txqueuelen 1000 (Ethernet)
RX packets 401557 bytes 108910986 (108.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 719387 bytes 112456816 (112.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
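The pool a Docker user-defined network can allocate from is determined entirely by the `--subnet`, `--gateway`, `--ip-range` and `--aux-address` flags, and it is easy to misjudge: a `/29` given as `10.0.37.65/29` is normalised to `10.0.37.64/29`, so its first address is `.64` (which is what the `ip route get` output above reports as the source), and `--aux-address` only reserves addresses, it does not shift the range. The script below is an added example, not code from the post or from Docker; it redoes that arithmetic with the standard library for the macvlan network above and for the bridge network from the first related question. It assumes that Docker's IPAM hands out addresses from the lowest free one in the pool and never allocates the network or broadcast address of `--subnet`, the gateway, or an aux address; the host address passed to the clash check is the parent interface's own IP from the post.

```python
"""Work out which addresses a Docker network's IPAM can hand to containers.

Added example (not from the original post or from Docker). It reproduces the
arithmetic behind `docker network create --subnet --gateway --ip-range
--aux-address`: containers are allocated from --ip-range (or the whole
--subnet when no range is given), minus the gateway, every --aux-address,
and the network/broadcast addresses of --subnet. Allocation order (lowest
free address first) is an assumption about Docker's IPAM, not quoted from it.
"""
import ipaddress


def candidate_container_ips(subnet, gateway, ip_range=None, aux_addresses=()):
    """Return the ordered list of addresses the IPAM may allocate to containers."""
    net = ipaddress.ip_network(subnet, strict=False)      # "10.0.37.27/24" -> 10.0.37.0/24
    pool = ipaddress.ip_network(ip_range, strict=False) if ip_range else net
    if not pool.subnet_of(net):
        raise ValueError(f"--ip-range {pool} is not inside --subnet {net}")
    reserved = {ipaddress.ip_address(gateway)}
    reserved.update(ipaddress.ip_address(a) for a in aux_addresses)
    # Only the network/broadcast addresses of --subnet are unusable. The first
    # and last address of a narrower --ip-range are ordinary hosts of --subnet
    # and can be allocated (assumption, consistent with the post's "src 10.0.37.64").
    unusable = {net.network_address, net.broadcast_address}
    return [ip for ip in pool if ip not in reserved and ip not in unusable]


def host_ip_in_pool(host_ip, subnet, gateway, ip_range=None, aux_addresses=()):
    """True if the host's own address could be handed to a container (an address clash)."""
    pool = set(candidate_container_ips(subnet, gateway, ip_range, aux_addresses))
    return ipaddress.ip_address(host_ip) in pool


def describe(subnet, gateway, ip_range=None, aux_addresses=()):
    """Summarise the pool as a dict: first/last address and how many are allocatable."""
    ips = candidate_container_ips(subnet, gateway, ip_range, aux_addresses)
    return {
        "subnet": str(ipaddress.ip_network(subnet, strict=False)),
        "pool": str(ipaddress.ip_network(ip_range, strict=False)) if ip_range else None,
        "count": len(ips),
        "first": str(ips[0]) if ips else None,
        "last": str(ips[-1]) if ips else None,
    }


if __name__ == "__main__":
    # The macvlan network from the post (values taken from its docker network create line).
    macvlan = describe("10.0.37.27/24", "10.0.37.1", "10.0.37.65/29", ["10.0.37.69"])
    print("macvlan0:", macvlan)
    print("wlan0 address could clash with a container:",
          host_ip_in_pool("10.0.37.27", "10.0.37.27/24", "10.0.37.1", "10.0.37.65/29", ["10.0.37.69"]))
    # The bridge network from the first related question, no --ip-range.
    print("mynet:", describe("192.168.60.0/24", "192.168.60.1"))
```

If `first` is not the address you expected, the `--ip-range` was normalised; if `host_ip_in_pool` returns True, the parent interface's own address sits inside the range and should be excluded with `--aux-address` before the network is used.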

Q: how to set docker0 interface as externally available IP in a gcloud compute instance?

I have Eclipse Che running natively on a CentOS 7 instance on Google Cloud Platform.
I'm able to get the Che interface in my browser, but cannot start a project.
from my che.properties file
machine.docker.local_node_host=172.17.0.1
api.endpoint=http://_my instance external IP_:${SERVER_PORT}/ide/api
from my /etc/hosts (put in manually):
172.17.0.1 che-host
installed Docker as a prerequisite
Docker version 1.10.3, build 20f81dd
from my ~/.bash_profile file
export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.77-0.b03.el7_2.x86_64
export CHE_HOME=/opt/eclipse-che-4.1.0
export CHE_LOCAL_CONF_DIR=$CHE_HOME/conf
export CHE_DOCKER_MACHINE_HOST=172.17.0.1
ifconfig output
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:68ff:fe05:66b1 prefixlen 64 scopeid 0x20<link>
ether 02:42:68:05:66:b1 txqueuelen 0 (Ethernet)
RX packets 3025 bytes 334688 (326.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2563 bytes 390278 (381.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1460
inet <google internal network IP for instance> netmask 255.255.255.255 broadcast 10.132.0.2
inet6 fe80::4001:aff:fe84:2 prefixlen 64 scopeid 0x20<link>
ether 42:01:0a:84:00:02 txqueuelen 1000 (Ethernet)
RX packets 402499 bytes 1381254390 (1.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 292323 bytes 58381431 (55.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 1061 bytes 57399 (56.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1061 bytes 57399 (56.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth53e0def: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::1005:77ff:fe1d:83a4 prefixlen 64 scopeid 0x20<link>
ether 12:05:77:1d:83:a4 txqueuelen 0 (Ethernet)
RX packets 42 bytes 6574 (6.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 7991 (7.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
firewalld rules for trusted zone
instance-1 ~]$ sudo firewall-cmd --permanent --zone=trusted --list-all
trusted (default, active)
interfaces: docker0
sources:
services:
ports: 32768-65535/tcp 32768-65535/udp 4243/tcp 4401/tcp 4411/tcp 4403/tcp 22/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
output from che console in browser
[STDOUT] 2016-04-05 19:40:39,511[main] [INFO] [o.a.c.http11.Http11NioProtocol 470] - Starting ProtocolHandler ["http-nio-4401"]
[STDOUT] 2016-04-05 19:40:39,515[main] [INFO] [o.a.catalina.startup.Catalina 642] - Server startup in 4795 ms
[STDOUT] 2016-04-05 19:40:39,515[main] [INFO] [o.a.catalina.startup.Catalina 642] - Server startup in 4795 ms
[STDOUT] 2016-04-05 19:40:39,712[nio-4401-exec-1] [WARN ] [i.ContainerResponse$BodyWriter 90] - Client has aborted connection. Response writing omitted.
[STDOUT] 2016-04-05 19:40:39,712[nio-4401-exec-1] [WARN ] [i.ContainerResponse$BodyWriter 90] - Client has aborted connection. Response writing omitted.
This happens in the Starting workspace agent stage, after the stages below:
Initializing workspace ... completed
Starting workspace runtime ... completed
The answer I got from the guys at the Che GitHub repo is that:
The problem here is that browser tries to connect to a workspace agent and it uses CHE_DOCKER_MACHINE_HOST which is also used by the server to ping ws-agent.
So, CHE_DOCKER_MACHINE_HOST should be an externally available IP.
So I understand from that that docker0 needs to have an external IP as well.
Any idea how to switch the docker0 interface from the default 172.17.0.1 IP to an external IP?
