LXC 4.0.5 to 4.0.6 /proc/sys/net
36 views
Skip to first unread message
Stefan Hartmann
Jul 1, 2021, 11:10:06 PM7/1/21
to lxc-...@lists.linuxcontainers.org
Hi,
I observed a changed behaviour in LXC and have no clue where to go further.
# System 1; LXC 4.0.5, uname Linux LESPLUS 5.4.111-0-lts #1-Alpine SMP
Mon, 12 Apr 2021 16:11:34 UTC x86_64 Linux
I am running Alpine Linux 3.12.7 physically on an x86_64 with
lxc-4.0.5-r0 as a virtualization host.
On 4.0.5 LXC-containers running I can adjust eg root@BEOWULF:/#sysctl -w
net.ipv4.conf.eth0.log_martians=1.
4.0.5: root@BEOWULF:/# mount
...
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime) <--<<
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
...
HOST with 4.0.5: lxc-info -n BEOWULF -c lxc.mount.auto
lxc.mount.auto = proc:mixed sys:rw cgroup:mixed
(same as in 4.0.6)
# System 2; LXC 4.0.6, uname Linux LESPLUS2 5.10.39-0-lts #1-Alpine SMP
Sun, 30 May 2021 18:17:12 UTC x86_64 Linux
I set up a second newer system on similar hardware with Alpine 3.13.5
and lxc lxc-4.0.6-r2
On this system if I try eg root@BEOWULF:/# sysctl -w
net.ipv4.conf.eth0.log_martians=1
sysctl: setting key "net.ipv4.conf.eth0.log_martians": Read-only file system
4.0.6: root@BEOWULF:/# mount
...
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
...
HOST with 4.0.6: lxc-info -n BEOWULF -c lxc.mount.auto
lxc.mount.auto = proc:mixed sys:rw cgroup:mixed
The system config on both hosts is the same, also the container config.
A diff on /usr/share/lxc/config/* between the two hosts shows no difference.
I want to modify some network settings eg run nftables on the new 4.0.6
system as it is possible on the 4.0.5 (i am running unprivileged
containers).
Can someone put my in the right direction?
I assume, there are defaults in lxc changed?
Or is this a kernel behaviour change?
Where can I find a changelog explaining this? git?
Can I adjust to the old behaviour with lxc.mount.auto=???
Are there security concerns?
Also on the 4.0.6 lxc there are many cgroup mounts inside the container.
Is this necessary / makes sense when I am not using nested containers.
Can I disable this?
--
Thanks
Stefan Hartmann
I observed a changed behaviour in LXC and have no clue where to go further.
# System 1; LXC 4.0.5, uname Linux LESPLUS 5.4.111-0-lts #1-Alpine SMP
Mon, 12 Apr 2021 16:11:34 UTC x86_64 Linux
I am running Alpine Linux 3.12.7 physically on an x86_64 with
lxc-4.0.5-r0 as a virtualization host.
On 4.0.5 LXC-containers running I can adjust eg root@BEOWULF:/#sysctl -w
net.ipv4.conf.eth0.log_martians=1.
4.0.5: root@BEOWULF:/# mount
...
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys/net type proc (rw,nosuid,nodev,noexec,relatime) <--<<
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
...
HOST with 4.0.5: lxc-info -n BEOWULF -c lxc.mount.auto
lxc.mount.auto = proc:mixed sys:rw cgroup:mixed
(same as in 4.0.6)
# System 2; LXC 4.0.6, uname Linux LESPLUS2 5.10.39-0-lts #1-Alpine SMP
Sun, 30 May 2021 18:17:12 UTC x86_64 Linux
I set up a second newer system on similar hardware with Alpine 3.13.5
and lxc lxc-4.0.6-r2
On this system if I try eg root@BEOWULF:/# sysctl -w
net.ipv4.conf.eth0.log_martians=1
sysctl: setting key "net.ipv4.conf.eth0.log_martians": Read-only file system
4.0.6: root@BEOWULF:/# mount
...
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
...
HOST with 4.0.6: lxc-info -n BEOWULF -c lxc.mount.auto
lxc.mount.auto = proc:mixed sys:rw cgroup:mixed
The system config on both hosts is the same, also the container config.
A diff on /usr/share/lxc/config/* between the two hosts shows no difference.
I want to modify some network settings eg run nftables on the new 4.0.6
system as it is possible on the 4.0.5 (i am running unprivileged
containers).
Can someone put my in the right direction?
I assume, there are defaults in lxc changed?
Or is this a kernel behaviour change?
Where can I find a changelog explaining this? git?
Can I adjust to the old behaviour with lxc.mount.auto=???
Are there security concerns?
Also on the 4.0.6 lxc there are many cgroup mounts inside the container.
Is this necessary / makes sense when I am not using nested containers.
Can I disable this?
--
Thanks
Stefan Hartmann
Stefan Hartmann
Jul 2, 2021, 9:23:35 AM7/2/21
to lxc-...@lists.linuxcontainers.org
The probably unintended change was introduced by
https://github.com/lxc/lxc/issues/3091
... but in general if CAP_NET_ADMIN is dropped, that should drop
/proc/sys/net too ...
and unfortunately it is present in the actual lxc-4.0.6-r2 in Alpine 3.13.
A temporarily workaround for me was
apk -v add lxc=~4.0.9 lxc-libs=~4.0.9 lxc-templates=~4.0.9
lxc-download=~4.0.9 lxc-doc=~4.0.9 lxc-openrc=~4.0.9
--repository=http://ftp.halifax.rwth-aachen.de/alpine/edge/main
--
Stefan Hartmann
https://github.com/lxc/lxc/issues/3091
... but in general if CAP_NET_ADMIN is dropped, that should drop
/proc/sys/net too ...
and unfortunately it is present in the actual lxc-4.0.6-r2 in Alpine 3.13.
A temporarily workaround for me was
apk -v add lxc=~4.0.9 lxc-libs=~4.0.9 lxc-templates=~4.0.9
lxc-download=~4.0.9 lxc-doc=~4.0.9 lxc-openrc=~4.0.9
--repository=http://ftp.halifax.rwth-aachen.de/alpine/edge/main
--
Stefan Hartmann
Reply all
Reply to author
Forward
0 new messages