[CLOSED] ip-fou (Foo-over-UDP) on unprivileged container

rapdodge

New Member
May 2, 2024
Hello there!

I have an issue with networking in my LXC container.
I wanted to run ip-fou (Foo-over-UDP) in my unprivileged container, and I get an error message: "RTNETLINK answers: Operation not permitted"

[screenshot: image.png]


And this is my LXC configuration file

[screenshot: image.png]


Besides that, I'm also using this hookscript, and of course I've already added modprobe fou

[screenshot: image.png]


Any idea how to make it work in an unprivileged container?

Thanks!
 
Containers share the kernel with the Proxmox host, and unprivileged containers are designed to prevent stuff like that. Kernel modules need to be loaded on the Proxmox host, and you need to find out which dev-nodes you need to pass to the container. Maybe it's much easier to run that in a full VM?
 
The host already has it modprobed too... I've already tried a tutorial on how to make OpenVPN work in an unprivileged container; that doesn't work either :(
 
Sorry, I did not realize that it was a hookscript. Maybe use the new way of passing dev-nodes: dev0: /dev/ppp,gid=0,uid=0 dev1: /dev/net/tun,gid=0,uid=0, instead of the lxc.mount.entry etc.
 
Hmmm, I already changed lxc.mount.entry to dev-nodes; still the same, "RTNETLINK answers: Operation not permitted"
 
Netlink sockets are used to communicate between user space and the kernel. Systemd for example uses one to get notified when new devices are attached. I would be surprised if that was allowed in an unprivileged container.
 
So, is it not possible to do it in an unprivileged container?
So, do I need to make it privileged or make it a VM?
 
That's what I'm saying. I do not know 100% for certain if it is correct, but like I said, it would be surprising to allow a non-root user to send messages on a netlink socket (receiving might be ok). Since root in an unprivileged container is really just some user to the kernel, sending such a message should be disallowed.

But regardless of that I think you have to ask yourself if it makes sense to load a bunch of kernel modules to support one container. What does a container actually buy you compared to running on the host directly or in a VM?
 
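To make the error text in this thread concrete, here is an added example (not code from either poster, and not Proxmox or iproute2 code) that builds and decodes netlink messages the way the kernel and iproute2 exchange them. "RTNETLINK answers: Operation not permitted" is nothing more than an NLMSG_ERROR reply whose error field is -EPERM, which iproute2 turns into strerror() text; the kernel sends that reply when the caller lacks the capability the requested operation needs, which is the situation for "root" inside an unprivileged container on a host-level operation. The message type, sequence number and dummy payload below are constructed for illustration and are not taken from the screenshots.

```python
import errno
import os
import struct

# struct nlmsghdr from <linux/netlink.h>: nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
NLMSG_HDR = struct.Struct("=IHHII")
NLMSG_ERROR = 0x2          # reply type carrying struct nlmsgerr (also used as a plain ACK)
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
RTM_NEWLINK = 16           # rtnetlink "create/change link" request (constructed choice for the demo)


def nlmsg_align(n: int) -> int:
    """Netlink messages are padded to 4-byte boundaries (NLMSG_ALIGNTO)."""
    return (n + 3) & ~3


def build_request(msg_type: int, payload: bytes, seq: int, pid: int = 0) -> bytes:
    """Build a request as iproute2 would: header + payload with NLM_F_REQUEST|NLM_F_ACK set."""
    length = NLMSG_HDR.size + len(payload)
    hdr = NLMSG_HDR.pack(length, msg_type, NLM_F_REQUEST | NLM_F_ACK, seq, pid)
    return hdr + payload + b"\0" * (nlmsg_align(length) - length)


def build_error_reply(error: int, request: bytes) -> bytes:
    """Constructed kernel reply: NLMSG_ERROR whose body is struct nlmsgerr
    { int error; struct nlmsghdr msg; }, echoing the header of the request that failed.
    error == 0 means a plain ACK; a negative value is -errno."""
    req_hdr = request[:NLMSG_HDR.size]
    req_seq = NLMSG_HDR.unpack(req_hdr)[3]          # reply carries the request's sequence number
    body = struct.pack("=i", error) + req_hdr
    hdr = NLMSG_HDR.pack(NLMSG_HDR.size + len(body), NLMSG_ERROR, 0, req_seq, 0)
    return hdr + body


def parse_messages(buf: bytes):
    """Walk a receive buffer and yield (type, flags, seq, payload) for each message in it."""
    off = 0
    while off + NLMSG_HDR.size <= len(buf):
        length, mtype, flags, seq, _pid = NLMSG_HDR.unpack_from(buf, off)
        if length < NLMSG_HDR.size or off + length > len(buf):
            raise ValueError("truncated netlink message")
        yield mtype, flags, seq, buf[off + NLMSG_HDR.size: off + length]
        off += nlmsg_align(length)


def describe_ack(buf: bytes) -> dict:
    """Decode the NLMSG_ERROR the kernel sends back. iproute2 prints
    'RTNETLINK answers: <strerror(-error)>' whenever the error field is non-zero."""
    for mtype, _flags, seq, payload in parse_messages(buf):
        if mtype != NLMSG_ERROR:
            continue
        (error,) = struct.unpack_from("=i", payload, 0)
        failed_type = NLMSG_HDR.unpack_from(payload, 4)[1]   # type of the request that failed
        return {
            "seq": seq,
            "ok": error == 0,
            "errno": -error,
            "failed_type": failed_type,
            "text": "ACK" if error == 0 else "RTNETLINK answers: " + os.strerror(-error),
        }
    raise ValueError("no NLMSG_ERROR/ACK in buffer")


def demo() -> dict:
    """The thread's failure on the wire: a link request answered with -EPERM,
    i.e. the caller lacked the capability the operation requires."""
    request = build_request(RTM_NEWLINK, b"\0" * 16, seq=42)   # constructed dummy ifinfomsg body
    reply = build_error_reply(-errno.EPERM, request)
    return describe_ack(reply)


if __name__ == "__main__":
    print(demo())
```

The decoded dictionary is what an `ip` command sees before it prints the one-line error: the sequence number ties the reply to the request, and `errno` is the only diagnostic the kernel gives, so "Operation not permitted" by itself never says which capability check failed or in which namespace; that has to be inferred from the container's privilege model, as the replies in this thread do.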
Ummm... So, I wanted to make it very efficient, since I don't have many resources (I'm using an HP ThinClient T620 Plus (4C4T))

Thank you for your response... I think I'll just mark this as a closed post...
 