
Set security.nesting=true for LXD projects #591

Open
mr-cal opened this issue Jul 5, 2024 · 5 comments
Labels
Enhancement New feature or request triaged We will be doing this

Comments

@mr-cal
Collaborator

mr-cal commented Jul 5, 2024

What needs to get done

  • set security.nesting=true in the LXD project profile
  • determine which versions of systemd are affected and which LXD images will need this set

Why it needs to get done

Newer versions of systemd do not work well in nested containers.

This needs to be fixed at least for Oracular images.

Source:

@mr-cal mr-cal added Enhancement New feature or request triaged We will be doing this labels Jul 5, 2024

Thank you for reporting your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/CRAFT-3096.

This message was autogenerated

@tomponline
Member

Following on from this post https://discourse.ubuntu.com/t/questions-about-security-nesting-and-recent-systemd/51560

I'd like to understand the specific scenario that is causing an issue and what version(s) of LXD and host OS you are using?

Thanks

@tomponline
Member

tomponline commented Dec 20, 2024

From looking at https://matrix.to/#/!NPPCseDHKRvSBMUEXN:ubuntu.com/$l9-msw901I7b885eH4LaGs_T9gmLKbSqE8tVrGLnAAk?via=ubuntu.com&via=matrix.org

it works locally (noble), but it fails in our CI (focal)

This seems to be more the specific problem, that you're using Focal host.

This is because systemd v256 doesn't support cgroupv1 anymore, so even with security.nesting=true, Oracular containers on a Focal host won't work (without the HWE kernel).

See canonical/lxd#13844 (comment)

See https://discourse.ubuntu.com/t/questions-about-security-nesting-and-recent-systemd/51560/3?u=tomp

@tomponline
Member

tomponline commented Dec 20, 2024

Enabling security.nesting=true on Focal does not fix Oracular containers

lxc launch ubuntu:20.04 v1 --vm
lxc exec v1 -- snap refresh lxd --channel=5.21/stable
lxd (5.21/stable) 5.21.2-084c8c8 from Canonical✓ refreshed

lxc exec v1 -- lxd init --auto
lxc exec v1 -- lxc launch ubuntu:oracular c1
Creating c1
Starting c1

lxc exec v1 -- lxc ls # No IPv4 as systemd isn't starting properly
+------+---------+------+-----------------------------------------------+-----------+-----------+
| NAME |  STATE  | IPV4 |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+------+-----------------------------------------------+-----------+-----------+
| c1   | RUNNING |      | fd42:ec4f:9a40:d68e:216:3eff:fe8e:887d (eth0) | CONTAINER | 0         |
+------+---------+------+-----------------------------------------------+-----------+-----------+

lxc exec v1 -- lxc stop -f c1
lxc exec v1 -- lxc config set c1 security.nesting=true
lxc exec v1 -- lxc start c1

lxc exec v1 -- lxc ls # Still no IPv4 with security.nesting=true
+------+---------+------+-----------------------------------------------+-----------+-----------+
| NAME |  STATE  | IPV4 |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+------+-----------------------------------------------+-----------+-----------+
| c1   | RUNNING |      | fd42:ec4f:9a40:d68e:216:3eff:fe8e:887d (eth0) | CONTAINER | 0         |
+------+---------+------+-----------------------------------------------+-----------+-----------+
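A preflight check for the failure mode described in the two comments above (systemd 256 dropping cgroup v1, and "no IPv4" in `lxc ls` as the symptom), added here as an example and not part of the issue or of LXD's own tooling. The functions take strings so they can be exercised offline; the live commands at the bottom, the `stat -fc %T /sys/fs/cgroup` probe and the container name `c1` are assumptions.

```shell
# systemd major version from `systemctl --version` output, e.g.
# "systemd 256 (256.4-1ubuntu3)" -> 256. Prints nothing if unparsable.
systemd_major() {
  printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# systemd 256 dropped cgroup v1 support, so a guest running systemd >= 256
# only boots cleanly when it is offered the unified (v2) hierarchy.
guest_requires_cgroup2() {
  _major=$(systemd_major "$1")
  [ -n "$_major" ] && [ "$_major" -ge 256 ]
}

# cgroup mode from the filesystem type mounted at /sys/fs/cgroup
# (stat -fc %T): "cgroup2fs" is the unified hierarchy; anything else
# (typically tmpfs) is the v1/hybrid layout.
host_offers_cgroup2() {
  [ "$1" = "cgroup2fs" ]
}

# Parse `lxc ls` table output on stdin and print the names of RUNNING
# containers with an empty IPV4 column: the symptom used above to spot
# that systemd never came up properly inside the container.
running_without_ipv4() {
  awk -F'|' '
    /^[|]/ && $2 !~ /NAME/ {
      name=$2; state=$3; ipv4=$4; type=$6
      gsub(/ /, "", name); gsub(/ /, "", state)
      gsub(/ /, "", ipv4); gsub(/ /, "", type)
      if (state == "RUNNING" && type == "CONTAINER" && ipv4 == "") print name
    }'
}

# Verdict for one guest on one host.
# $1 = guest `systemctl --version` output, $2 = host /sys/fs/cgroup fstype
nesting_verdict() {
  if guest_requires_cgroup2 "$1"; then
    if host_offers_cgroup2 "$2"; then echo "ok"; else echo "host-lacks-cgroup2"; fi
  else
    echo "legacy-systemd-ok"
  fi
}

# Live use on an LXD host (assumed commands; adjust the container name):
#   nesting_verdict "$(lxc exec c1 -- systemctl --version)" "$(stat -fc %T /sys/fs/cgroup)"
#   lxc ls | running_without_ipv4
```

"host-lacks-cgroup2" is the Focal-GA-kernel case above, where setting security.nesting=true on the container does not help.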

@tomponline
Member

So I suspect your CI runners need to be updated to run either Focal's HWE kernel or move to Jammy onwards.
