Search results

  1. wbumiller

    Firewall Rules for Specific Virtual Machines and Linux Containers Affecting VMs with no Firewall

    This is just what happens when using reject rules currently. There is some basic ebtables support, but to fully support such a configuration we also need to add a way to a) use MAC filtering on input and/or b) add a way for users to configure ebtable rules (iow. the ability to add DROP rules for...
  2. wbumiller

    5.3: Docker on LXC on ZFS

    With privileged containers device usage is very restricted. If you need a privileged container you'll need to allow the use of /dev/net/tun (the c:10:200 it's trying to allow access to, used for tunnel and tap device setup): # /etc/pve/lxc/$vmid.conf (...) lxc.cgroup.devices.allow = c 10:200 rwm...
  3. wbumiller

    LXC apparmor denied

    Only root can change feature flags.
  4. wbumiller

    [SOLVED] Windows guest on Threadripper

    Can you try using the EPYC cpu type? According to this post[1] it should be compatible. [1] https://www.redhat.com/archives/libvir-list/2018-July/msg01242.html
  5. wbumiller

    LXC apparmor denied

    The above shows a generated profile (`lxc.apparmor.profile = generated`, the new default when no custom apparmor profile is found in /etc/pve/lxc/$vmid.conf) which means that you either had the profile previously configured in /var/lib/lxc/$vmid/config manually and started with `lxc-start`, or...
  6. wbumiller

    LXC inside Alpine Linux LXC

    The alpine config does drop a number of additional capabilities. I'd recommend using an unprivileged container which won't have that problem ;-) Alternatively you can try using the default value for lxc.cap.drop via lxc.cap.drop = lxc.cap.drop = mac_admin mac_override sys_time sys_module...
  7. wbumiller

    Ubuntu Snaps inside LXC container on Proxmox

    Snap requires a bit more work. There may soon be a 'fuse' flag for the features option, but fuse can be dangerous. For now you have to do this: - For unprivileged containers: 1) Put this in /etc/pve/lxc/$vmid.conf: ... features: mount=fuse,nesting=1 lxc.mount.entry = /dev/fuse dev/fuse none...
  8. wbumiller

    cPanel Disk Quotas for LXC - need help

    - This is a subvolume, not an ext4 image on a zvol, thus - quotas are not supported there and - you can't just write mount command line options into pve configuration files like that, there's a reason why they have their own format. Please read the bugzilla entry to the end, there's only 1 more...
  9. wbumiller

    Can't configure network inside Arch linux LXC

    Please provide the container's config and, from inside the container, the output of `systemctl` and `systemctl status systemd-networkd` Also any audit message happening during the container startup would be useful.
  10. wbumiller

    ARM Hardware

    There's a work-in-progress with some patches to get things going on the devel list which is runnable, but there's no official support or release yet (and therefore incompatibilities to be expected between versions). ARM hardware can be a bit annoying to support in a "generic" way, kernel-wise...
  11. wbumiller

    [SOLVED] LXC - although no swap is configured, there is some - why?

    This shows up in several places, e.g. when calling `free` inside the container or reading /proc etc., and is simply due to how the memory cgroups are designed. In cgroup-v1 swap cannot be limited independently of memory. With cgroup-v2 that will, as far as I know, be possible...
  12. wbumiller

    Issue with LXC disk resize on PVE 5.2-9

    Curious. It's supposed to complain with a meaningful error message that you're resizing it over a maximum of 16TiB if I see this correctly. (A 32 bit count of blocks of 4k = 16TiB). The fact that it fails like that means we need to add a check. Also a way to have containers formatted with the...
  13. wbumiller

    Use dedicated IPv6 on each VM

    You most likely want to set up ndppd to proxy the ipv6 NDP packets between vmbr1 and eth0, and tell your guests to use the host's vmbr1 ipv6 address as gateway for ipv6.
  14. wbumiller

    [SOLVED] Increase "nofile" in lxc containers

    Step 1 should not be necessary. Step 4 only needs to include step 1. The sysctl values from step 2 aren't currently namespaced. This file is used for containers without configurations, so this won't work. Containers all by default include `/usr/share/lxc/config/common.conf.d/*.conf`, so you'd...
  15. wbumiller

    [SOLVED] CT won't start after node disk is full

    So the image containing the container was on the disk that ran full? It probably fails to mount - you can test that via `pct mount $vmid` as root - if that fails as well, you can try running a `pct fsck $vmid`... The problem is that most regular file systems, including ext4, really are not...
  16. wbumiller

    LXC security.nesting

    Please also see the documentation for the 'keyctl' feature in the pct.conf manpage.
  17. wbumiller

    LXC security.nesting

    snapd requires a lot more than just nesting, if you look at the log output when starting it you probably see it complain about not being able to mount a squashfs file system - which you can allow by adding ',mount=squashfs' to the features line. However, in order to mount anything from files it...
  18. wbumiller

    LXC security.nesting

    Yes to that part. Sorry, should be `features: nesting=1`. (Also updated my post above.) Edit: You can also check the `pct(1)` manpage for a little more info on the `features` line. If you scroll down to the `Configuration` section's `Options` subsection, there's also more details about the...
  19. wbumiller

    LXC security.nesting

    With pve-container >=2.0-28 you can start testing the `features` setting in containers. Remove any custom `lxc.apparmor.profile` lines and use `features: nesting=1` if you want to just nest lxc or lxd - if you want to nest docker in an _unprivileged_ container, you'll need to also add 'keyctl'...
  20. wbumiller

    LXC "pct enter" hangs on pipe, ok with lxc-attach

    Apparently neither lxc-attach nor the shell entered in the container perform any kind of reset on the signal mask here. In some templates this does seem to happen. `pct` ignores SIGPIPE, lxc-attach leaves it as it is, as does your container's shell. The result is that instead of being killed...