LXD 4.10 breaks kubernetes support due to nf_conntrack_tcp_timeout_established #3627
Comments
Hmm, LXD doesn't have any control over that. This is purely up to the kernel.

The issue is not happening with snap install lxd --channel=4.9/stable

This is a liblxc regression in the latest stable release. Basically, in the stable-4.0 branch, that would be those two commits:
It checks only for lxc.cap.keep, but not lxc.cap.drop. I've tried to specify lxc.cap.keep on the command line, but it's impossible to set lxc.cap.keep if lxc.cap.drop is specified. Btw, due to being privileged, the container already has cap_net_admin:

```
root@ubuntu-focal:~# lxc launch images:centos/7/amd64 c7 -c security.nesting=true -c security.privileged=true
Creating c7
Starting c7
root@ubuntu-focal:~# lxc exec c7 bash
[root@c7 ~]# cap
capsh captoinfo
[root@c7 ~]# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36,37+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36,37
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
```
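An added C model of the regression described in the comment above (written for this page, not liblxc's own code): `lxc.cap.keep` names the only capabilities kept, `lxc.cap.drop` names those removed from the full set, and the two keys cannot be combined, as the comment notes. The regressed check reads only the keep list, so a privileged container configured through `lxc.cap.drop` is judged to lack `net_admin`; the corrected check consults both. The capability names and the drop line are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the check discussed in this issue, not liblxc's own code. `keep`
 * and `drop` hold the space-separated names from lxc.cap.keep / lxc.cap.drop
 * (config spelling, no "cap_" prefix); the keys are mutually exclusive. */

/* True if `cap` appears as a whole word in the space-separated `list`. */
static bool in_caplist(const char *cap, const char *list)
{
    size_t n = strlen(cap);
    const char *p = list;
    if (n == 0)
        return false;
    while ((p = strstr(p, cap)) != NULL) {
        bool at_start = (p == list) || (p[-1] == ' ');
        bool at_end = (p[n] == '\0') || (p[n] == ' ');
        if (at_start && at_end)
            return true;
        p += n;
    }
    return false;
}

/* Regressed check: consults lxc.cap.keep only. A config built on
 * lxc.cap.drop leaves keep empty, so net_admin is reported as absent. */
bool cap_retained_regressed(const char *cap, const char *keep, const char *drop)
{
    (void)drop;
    return in_caplist(cap, keep);
}

/* Corrected check: keep set -> only listed caps survive; drop set -> all
 * but the listed caps survive; neither set -> the full set is kept. */
bool cap_retained_fixed(const char *cap, const char *keep, const char *drop)
{
    if (keep[0] != '\0')
        return in_caplist(cap, keep);
    return !in_caplist(cap, drop);
}

int main(void)
{
    /* Constructed lxc.cap.drop value for a privileged container; keep is empty. */
    const char *drop = "mac_admin mac_override sys_time sys_module sys_rawio";
    printf("regressed: %d\n", cap_retained_regressed("net_admin", "", drop));
    printf("fixed:     %d\n", cap_retained_fixed("net_admin", "", drop));
    return 0;
}
```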
Fixes: lxc#3627
Cc: stable-4.0
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Should be fixed by #3628.
Fixes: #3627
Cc: stable-4.0
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Required information
Issue description
After snap refresh from 4.9 to 4.10, I'm not able to run K3S. This kubernetes distribution (and other ones) requires a specific value for sysctl net.netfilter.nf_conntrack_tcp_timeout_established=86400. In 4.9 it was allowed to change the value; in 4.10 the value in procfs became read-only, but LXD also is not respecting the host value.

Steps to reproduce
modprobe nf_conntrack
sysctl net.netfilter.nf_conntrack_tcp_timeout_established=86400
lxc launch images:centos/7/amd64 c7 -c security.nesting=true -c security.privileged=true
lxc exec c7 bash
sysctl net.netfilter.nf_conntrack_tcp_timeout_established
sysctl net.netfilter.nf_conntrack_tcp_timeout_established=86400