Search results

  1. wbumiller

    Apparmor denies access to /var/lib/openntpd/db/ntpd.drift

    Looks like a bug in the openntpd package of debian. The profile doesn't seem to list the files it wants to access. This apparently has happened before [1]. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799084;msg=5
  2. wbumiller

    /dev/disk/by-uuid inside container

    We currently do not automate this, but we might add support for this in the future. We already create symlinks to `/dev/mapper` (those are the other way round atm.). Adding this would require additionally reading out the uuids during that setup step and adding the links. Come to think of it, we...
  3. wbumiller

    mknod "Operation not permitted" in LXC with attached HW block device

    Unprivileged containers cannot use `mknod`, you need to bind mount the devices instead.
  4. wbumiller

    read-only LXC mount-point fails

    It looks like you're sharing raw image files with multiple containers (mp0's vmid differs from that of the rootfs entry)? That'll most certainly result in unexpected breakage sooner or later. You should use a bind mounted directory instead, that should also get around the ordering issue...
  5. wbumiller

    read-only LXC mount-point fails

    Cannot reproduce. More details please: working & not-working config from `# pct config $vmid`.
  6. wbumiller

    [SOLVED] OpenVPN in unprivileged container

    That should do (unless for some reason your / is mounted with the `nodev` option). You also have to adapt the `lxc.mount.entry` lines to bind this new file instead. `lxc.mount.entry = /devcontainer/net/tun dev/net/tun none bind,create=dir`
  7. wbumiller

    [SOLVED] OpenVPN in unprivileged container

    The autodev hook isn't really usable with unprivileged containers. Neither the `modprobe` nor `mknod` will work. The `lxc.mount.entry` line is correct, but the permissions will have to be updated on the host side (since you're using device nodes from the host). So you either `chown` it to...
  8. wbumiller

    Multiple U2F tokens

    We do want to support that in the future. It's just not implemented yet.
  9. wbumiller

    Is it possible to run a NFS server within a LXC?

    The nfs server is kernel-side, unprivileged containers won't have any more control over that than privileged containers. IMO it's generally not all that useful to move something which runs in the kernel anyway into a container. There's no option we provide which would "just enable" it. Better...
  10. wbumiller

    [SOLVED] LXC Gentoo didn't stop right over Proxmox

    Lxc usually sends either a SIGPWR (30) or SIGRTMIN+3 (35), you could see if the container's init (pid 1) reacts to either of those. It would be weird though if something from inside gentoo changed that behavior of the init system...
  11. wbumiller

    Unprivileged containers

    The kernel simply generally forbids using the mknod() system call required to create device nodes, no matter what permissions you otherwise have. If this changes in the future, those will definitely be on the whitelist. There are some mechanisms available already which could be used, such as an...
  12. wbumiller

    [SOLVED] TFA [2FA] Two-Factor Authentication Broken in Proxmox 5.4

    Thanks for digging into this. That actually helped pinpointing an issue.
  13. wbumiller

    [SOLVED] TFA [2FA] Two-Factor Authentication Broken in Proxmox 5.4

    Did you also remove the 'yubico' auth type from the authentication realm when you did this? The realm's configured TFA type will conflict otherwise.
  14. wbumiller

    [SOLVED] TFA [2FA] Two-Factor Authentication Broken in Proxmox 5.4

    There have been some changes to the TFA handling and how the configuration is stored in the backend, but both old and new configurations should work with the new code. Can you describe the login process you see on your UI? -) Do you see the OTP input box below the password in the login window...
  15. wbumiller

    ArchLinux / LXC /systemd v240

    `features: nesting=1` should also help and is not quite as extreme
  16. wbumiller

    Why can root user (in guest) write to my mounted directory?

    When you're in the container as root, you are using a user which has the `CAP_DAC_OVERRIDE` capability ("bypass file permission checks", see man 7 capabilities[1]) within its namespace. The directory `git_repositories` is owned by a user for which there exists a valid mapping inside the...
  17. wbumiller

    After updates, LXCs not working

    Update: That said, the change seems mostly about mount point cleanliness, so there's a chance it'll at least be temporarily reverted, as the issue description[1] doesn't seem to mention any actual breakage. (Otherwise it may become configurable. But my recommendation about moving to unprivileged...
  18. wbumiller

    After updates, LXCs not working

    Okay so with *privileged* 14.04 containers I can reproduce this. A bisect revealed an lxc commit which causes no functional change but simply removes an unnecessary mount entry which seems to confuse upstart in some way. Considering the age and soon-to-be-EOL-ness of 14.04 I recommend moving...
  19. wbumiller

    [SOLVED] ARM64 VM emulation on Proxmox 5.3 AMD64

    Almost none of the installer ISOs come with graphics drivers. You need to add a serial socket, and connect to that via the xterm.js button. After installation, when using 'virtio' graphics, you'll be able to see the machine via novnc as well.
  20. wbumiller

    5.3 and unprivileged containers: docker works, mount nfs does not

    The problem with mounting is that the kernel simply won't allow that regardless of any apparmor rules as most file systems (including nfs) simply aren't marked to be allowed in user namespaces. (The mount option checkboxes being enabled on the UI for unprivileged containers was an oversight...