Unprivileged TurnKey containers on Proxmox fail #855

Open · JedMeister opened this issue Jun 13, 2017 · 6 comments

JedMeister commented Jun 13, 2017

Reported via email.

I am setting up GitLab for a small number of users, though it will be exposed publicly. I found that when attempting to set up an unpriv'd container, I got this message:

```
extracting archive '/var/lib/vz/template/cache/debian-8-turnkey-gitlab_14.1-1_amd64.tar.gz'
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
Total bytes read: 1343600640 (1.3GiB, 82MiB/s)
tar: Exiting with failure status due to previous errors
Logical volume "vm-113-disk-1" successfully removed
TASK ERROR: command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf /var/lib/vz/template/cache/debian-8-turnkey-gitlab_14.1-1_amd64.tar.gz --totals --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-xattr-write' -C /var/lib/lxc/113/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2
```

I did not receive this if using it in a privileged container, nor did I get it when setting up an unpriv'd container using the Proxmox Ubuntu 16 template.

JedMeister commented Jun 16, 2017

FWIW, this actually appears to be an LXC bug. The newer version of one of the LXC packages (sorry, I forget the exact name) in Stretch resolves this, so once Stretch is released and Proxmox releases their v5.0 then it should be resolved.

jodumont commented Oct 3, 2017

As Stéphane (the main LXC developer) explains here:

The issue is in the template, not on the Proxmox or LXC side.
Mostly, all TurnKey Linux templates are not compatible.

Here you will find a pretty easy way to find which will work and which will not.

I hope TurnKey Linux will fix that soon ;)

jodumont commented Oct 4, 2017

In fact:

1. If I make a TurnKey container with privileges,
2. then inside this container I remove postfix:

   ```
   apt-get remove postfix
   ```

3. then I back it up,
4. then I restore this container but unprivileged.

Result == Everything works well.

So, I believe the main issue is the postfix package in TurnKey.

JedMeister commented Oct 4, 2017

Hi @jodumont - thanks for your input!

Very interesting! Perhaps there's some bug in Postfix which makes it not happy to run in a non-privileged container? I'm hoping that we'll have something Stretch-based to play with soon; perhaps it's been resolved in Stretch already?

felixlohmeier commented Oct 23, 2018

The solution from bogo22 in the Proxmox forum works for me: https://forum.proxmox.com/threads/unprivileged-containers.26148/page-2

1. As root in the TurnKey container:

   ```
   rm /var/spool/postfix/dev/random
   rm /var/spool/postfix/dev/urandom
   touch /var/spool/postfix/dev/random
   touch /var/spool/postfix/dev/urandom
   ```

2. As root on the Proxmox node, add the following lines to the container config (e.g. at /etc/pve/lxc/ct100.conf):

   ```
   lxc.mount.entry: /dev/random dev/random none bind,ro 0 0
   lxc.mount.entry: /dev/urandom dev/urandom none bind,ro 0 0
   lxc.mount.entry: /dev/random var/spool/postfix/dev/random none bind,ro 0 0
   lxc.mount.entry: /dev/urandom var/spool/postfix/dev/urandom none bind,ro 0 0
   ```

3. Back up the container.
4. Restore the backup with the "unprivileged container" option checked.
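As an added example (not from this thread, nor TurnKey's or Proxmox's own code), a small POSIX shell pre-flight check that lists the device nodes inside a template tarball, i.e. the members whose mknod will fail under lxc-usernsexec as in the report above, and emits read-only bind entries in the style of the workaround above. The template and config paths are placeholders; the bind entries assume each node should be backed by the host device of the same name, which holds for random/urandom and should be reviewed for anything else.

```shell
#!/bin/sh
# Added example: find device nodes in an LXC template before restoring it as
# an unprivileged container. The user namespace cannot mknod, so every
# character ('c') or block ('b') device in the archive makes tar exit 2 with
# "Cannot mknod: Operation not permitted". Paths are placeholders.

# Read a `tar -tvf` listing on stdin and print the path of every device node.
find_device_nodes() {
    # Column 1 is the mode string; the last column is the archive member path.
    awk '$1 ~ /^[cb]/ { print $NF }'
}

# Read device paths on stdin and emit lxc.mount.entry lines that bind the
# host device of the same basename (assumption) read-only over each in-archive
# path, as the workaround does for Postfix's chroot /dev/random and urandom.
# Each target must exist as a plain file in the container before LXC starts.
lxc_bind_entries() {
    while IFS= read -r path; do
        rel=${path#./}   # lxc.mount.entry targets are relative to the rootfs
        printf 'lxc.mount.entry: /dev/%s %s none bind,ro 0 0\n' \
            "$(basename "$rel")" "$rel"
    done
}

# Count device nodes in a template archive; 0 means tar has nothing to mknod
# and the template should unpack cleanly in a user namespace.
count_device_nodes() {
    tar -tvf "$1" | find_device_nodes | wc -l | tr -d ' '
}

# Usage: sh check-template.sh /var/lib/vz/template/cache/TEMPLATE.tar.gz
# prints the bind entries to append to /etc/pve/lxc/CTID.conf (placeholders).
if [ "$#" -ge 1 ]; then
    echo "device nodes in $1: $(count_device_nodes "$1")" >&2
    tar -tvf "$1" | find_device_nodes | lxc_bind_entries
fi
```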

JedMeister added the core label and removed the gitlab label on Jan 4, 2019.

JedMeister changed the title from "GitLab container (on Proxmox) erroring when launched into unprivileged container" to "Unprivileged TurnKey containers on Proxmox fail" on Jan 4, 2019.

JedMeister commented Jan 4, 2019

I just thought I'd update this old issue with some further info.

Firstly, I've removed the 'gitlab' tag and replaced it with 'core' as this issue actually affects all TurnKey appliances when attempting to run within an unprivileged container.

Personally I still consider this a limitation/shortcoming of LXC (if not a bug). According to a comment on the LXC forums the issue is resolved properly within the kernel in v4.18. Hopefully Debian Buster will ship with a v4.18+ kernel so that it works as is within an unprivileged container (once we get to Debian Buster based systems).

In the meantime, it's clear that the specific issue is the mknod command within the default application chroot that Postfix is set up within (I assume that is the default Debian Postfix install as I'm pretty sure we don't do anything special there). It might perhaps be worth trying to install Postfix in a vanilla Debian Stretch container and see what happens?!

It may be possible to work around it template side via a mount bind (in /etc/fstab) or perhaps removing the chroot Postfix config for LXC containers? Regardless, the above workaround still works.
