Hi Hackers,
Is there any possibility to get ACL, SECCOMP and most of the needed CONFIG options for LXC available mainline for the espressobin board?
It is a must and can be a very good improvement for the soon-to-come v19.07.
Has someone already tested this, and can they upstream a patchset to the GitHub, please?
Thanks...
Okay, found the sub-parameters in make menuconfig...
I get a kernel panic while I am trying to start an LXC Debian container:
root@OpenWrt:/# [ 431.295839] ------------[ cut here ]------------
[ 431.300705] WARNING: CPU: 0 PID: 2294 at __nf_unregister_net_hook+0x50/0x288
[ 431.308043] Modules linked in: pppoe ppp_async pppox ppp_generic nf_conntrack_ipv6 iptable_nat ipt_REJECT ipt_MASQUERADE xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xtg
[ 431.372316] CPU: 0 PID: 2294 Comm: kworker/u4:0 Not tainted 4.14.131 #0
[ 431.379111] Hardware name: Globalscale Marvell ESPRESSOBin Board V7 (eMMC) (DT)
[ 431.386815] Workqueue: netns cleanup_net
[ 431.390907] task: ffffffc03e0ae300 task.stack: ffffff800aec0000
[ 431.396893] PC is at __nf_unregister_net_hook+0x50/0x288
[ 431.402494] LR is at __nf_unregister_net_hook+0x48/0x288
[ 431.408008] pc : [<ffffff8008525c30>] lr : [<ffffff8008525c28>] pstate: 80400145
[ 431.415686] sp : ffffff800aec3c70
[ 431.419034] x29: ffffff800aec3c70 x28: ffffffffffffffff
[ 431.424637] x27: dead000000000200 x26: ffffff800884c000
[ 431.430154] x25: 0000000000000002 x24: ffffff80006d2000
[ 431.435669] x23: ffffffc038e08000 x22: ffffff800884f000
[ 431.441183] x21: ffffffc038e08e00 x20: 0000000000000000
[ 431.446698] x19: ffffff800884f2a0 x18: 0000000000000000
[ 431.452213] x17: 0000007f99931278 x16: ffffff800809db68
[ 431.457727] x15: 0000000000000004 x14: 0000000000800000
[ 431.463244] x13: ffffffffffffff00 x12: ffffffffffffffff
[ 431.468758] x11: 0000000000000008 x10: 7f7f7f7f7f7f7f7f
[ 431.474277] x9 : fefefefefefeff71 x8 : 0000000000000000
[ 431.479791] x7 : 0000000000000000 x6 : ffffffc03e803800
[ 431.485307] x5 : ffffffbf00f77900 x4 : 0000000000000000
[ 431.490822] x3 : 0000000000000000 x2 : ffffffc03e0ae300
[ 431.496336] x1 : 0000000000000000 x0 : ffffff800884f2a0
[ 431.501852] Call trace:
[ 431.504390] Exception stack(0xffffff800aec3b30 to 0xffffff800aec3c70)
[ 431.510994] 3b20: ffffff800884f2a0 0000000000000000
[ 431.519309] 3b40: ffffffc03e0ae300 0000000000000000 0000000000000000 ffffffbf00f77900
[ 431.527468] 3b60: ffffffc03e803800 0000000000000000 0000000000000000 fefefefefefeff71
[ 431.535625] 3b80: 7f7f7f7f7f7f7f7f 0000000000000008 ffffffffffffffff ffffffffffffff00
[ 431.543782] 3ba0: 0000000000800000 0000000000000004 ffffff800809db68 0000007f99931278
[ 431.551939] 3bc0: 0000000000000000 ffffff800884f2a0 0000000000000000 ffffffc038e08e00
[ 431.560097] 3be0: ffffff800884f000 ffffffc038e08000 ffffff80006d2000 0000000000000002
[ 431.568254] 3c00: ffffff800884c000 dead000000000200 ffffffffffffffff ffffff800aec3c70
[ 431.576412] 3c20: ffffff8008525c28 ffffff800aec3c70 ffffff8008525c30 0000000080400145
[ 431.584568] 3c40: ffffff800aec3c50 ffffff8008149f5c ffffffffffffffff ffffff8008307964
[ 431.592722] 3c60: ffffff800aec3c70 ffffff8008525c30
[ 431.597623] [<ffffff8008525c30>] __nf_unregister_net_hook+0x50/0x288
[ 431.604310] [<ffffff8008525eb8>] nf_unregister_net_hook+0x50/0x60
[ 431.610639] [<ffffff8008525ef8>] nf_unregister_net_hooks+0x30/0x50
[ 431.616985] [<ffffff80006d0040>] 0xffffff80006d0040
[ 431.622034] [<ffffff80084e2c50>] ops_exit_list.isra.3+0x48/0x80
[ 431.628181] [<ffffff80084e3564>] cleanup_net+0x17c/0x290
[ 431.633792] [<ffffff80080b1fb4>] process_one_work+0x1ec/0x320
[ 431.639847] [<ffffff80080b2330>] worker_thread+0x248/0x440
[ 431.645559] [<ffffff80080b79f0>] kthread+0x120/0x130
[ 431.650733] [<ffffff8008084430>] ret_from_fork+0x10/0x18
[ 431.656170] ---[ end trace aaab9329036cdc70 ]---
root@OpenWrt:/# lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
--- Control groups ---
Cgroups: enabled
Cgroup v1 mount points:
/sys/fs/cgroup
Cgroup v2 mount points:
Cgroup v1 systemd controller: /usr/bin/lxc-checkconfig: line 167: printf \033[1;31m: not found
Cgroup v1 freezer controller: /usr/bin/lxc-checkconfig: line 174: printf \033[1;31m: not found
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: missing
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: missing
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, loaded
FUSE (for use with lxcfs): missing
--- Checkpoint/Restore ---
checkpoint restore: missing
CONFIG_FHANDLE: missing
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: missing
CONFIG_PACKET_DIAG: missing
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
EBINDEV/OWRT/19.07/openwrt$ cat .config | grep LXC
CONFIG_KERNEL_LXC_MISC=y
CONFIG_LXC_KERNEL_OPTIONS=y
CONFIG_LXC_BUSYBOX_OPTIONS=y
CONFIG_LXC_SECCOMP=y
CONFIG_LXC_NETWORKING=y
EBINDEV/OWRT/19.07/openwrt$ cat .config | grep CGROUP
CONFIG_KERNEL_CGROUPS=y
# CONFIG_KERNEL_CGROUP_DEBUG is not set
CONFIG_KERNEL_CGROUP_FREEZER=y
CONFIG_KERNEL_CGROUP_DEVICE=y
CONFIG_KERNEL_CGROUP_PIDS=y
CONFIG_KERNEL_CGROUP_CPUACCT=y
# CONFIG_KERNEL_CGROUP_PERF is not set
CONFIG_KERNEL_CGROUP_SCHED=y
CONFIG_KERNEL_BLK_CGROUP=y
# CONFIG_KERNEL_DEBUG_BLK_CGROUP is not set
CONFIG_KERNEL_NET_CLS_CGROUP=y
CONFIG_KERNEL_NETPRIO_CGROUP=y
root@OpenWrt:/# cat /etc/lxc/default.conf
lxc.net.0.type = empty
root@OpenWrt:/# cat /etc/lxc/lxc.conf
lxc.lxcpath = /srv/lxc
root@OpenWrt:/# opkg list-installed | egrep "lxc|veth"
kmod-veth - 4.14.131-1
liblxc - 2.1.1-3
luci-app-lxc - git-19.189.59008-7fca406-1
lxc - 2.1.1-3
lxc-attach - 2.1.1-3
lxc-auto - 2.1.1-3
lxc-autostart - 2.1.1-3
lxc-cgroup - 2.1.1-3
lxc-checkconfig - 2.1.1-3
lxc-common - 2.1.1-3
lxc-config - 2.1.1-3
lxc-configs - 2.1.1-3
lxc-console - 2.1.1-3
lxc-copy - 2.1.1-3
lxc-create - 2.1.1-3
lxc-destroy - 2.1.1-3
lxc-device - 2.1.1-3
lxc-execute - 2.1.1-3
lxc-freeze - 2.1.1-3
lxc-hooks - 2.1.1-3
lxc-info - 2.1.1-3
lxc-init - 2.1.1-3
lxc-ls - 2.1.1-3
lxc-lua - 2.1.1-3
lxc-monitor - 2.1.1-3
lxc-monitord - 2.1.1-3
lxc-snapshot - 2.1.1-3
lxc-start - 2.1.1-3
lxc-stop - 2.1.1-3
lxc-templates - 2.1.1-3
lxc-top - 2.1.1-3
lxc-unfreeze - 2.1.1-3
lxc-unprivileged - 2.1.1-3
lxc-unshare - 2.1.1-3
lxc-user-nic - 2.1.1-3
lxc-usernsexec - 2.1.1-3
lxc-wait - 2.1.1-3
rpcd-mod-lxc - 20171206
Solved, the SECCOMP and SECCOMP_FILTER support in the KERNEL options was missing:
CONFIG_KERNEL_SECCOMP_FILTER=y
CONFIG_KERNEL_SECCOMP=y
CONFIG_LXC_SECCOMP=y
Now lxc-attach and lxc-start work fine and there is no more kernel panic.
At first I had only LXC_SECCOMP added...
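The fix above came down to three build options that have to be set together: the two kernel-side ones (KERNEL_SECCOMP, KERNEL_SECCOMP_FILTER) and the LXC package one (LXC_SECCOMP). The script below is an added example, not part of the thread or of OpenWrt itself; it checks an OpenWrt build `.config` for exactly those options before you build an image, so a missing kernel-side option is caught at build time rather than as a panic on the first lxc-start. It assumes OpenWrt's convention of prefixing kernel symbols with `CONFIG_KERNEL_` in `.config`, and the two sample config files are constructed inline to mirror the "before" and "after" states described in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify an OpenWrt build .config has the
# seccomp-related options LXC needs. Assumes OpenWrt's CONFIG_KERNEL_* naming.

# Kernel-side seccomp support plus the LXC package option. Enabling only
# LXC_SECCOMP without the KERNEL_* ones is the state the thread started in.
REQUIRED_OPTIONS="KERNEL_SECCOMP KERNEL_SECCOMP_FILTER LXC_SECCOMP"

# missing_options <config-file>
# Prints, one per line, each required option that is not set to "=y".
# Anchored match so KERNEL_SECCOMP does not match KERNEL_SECCOMP_FILTER.
missing_options() {
    cfg="$1"
    for opt in $REQUIRED_OPTIONS; do
        grep -q "^CONFIG_${opt}=y$" "$cfg" || echo "$opt"
    done
}

# check_config <config-file>
# Returns 0 when every required option is enabled, 1 otherwise, and prints
# the lines you would need to add to .config.
check_config() {
    missing=$(missing_options "$1")
    if [ -z "$missing" ]; then
        echo "all seccomp-related options enabled in $1"
        return 0
    fi
    echo "missing in $1:"
    echo "$missing" | sed 's/^/  CONFIG_/; s/$/=y/'
    return 1
}

# Constructed sample 1: only LXC_SECCOMP set, kernel seccomp left disabled.
SAMPLE_BEFORE=$(mktemp)
cat > "$SAMPLE_BEFORE" <<'EOF'
CONFIG_KERNEL_LXC_MISC=y
CONFIG_LXC_SECCOMP=y
# CONFIG_KERNEL_SECCOMP is not set
EOF

# Constructed sample 2: the working combination from the thread.
SAMPLE_AFTER=$(mktemp)
cat > "$SAMPLE_AFTER" <<'EOF'
CONFIG_KERNEL_SECCOMP_FILTER=y
CONFIG_KERNEL_SECCOMP=y
CONFIG_LXC_SECCOMP=y
EOF
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT

check_config "$SAMPLE_BEFORE" || true   # reports the two missing KERNEL_* lines
check_config "$SAMPLE_AFTER"            # reports all enabled
```

To use it on a real build tree, call `check_config path/to/openwrt/.config` instead of the samples. On a booted device the running kernel's options use the plain `CONFIG_SECCOMP` / `CONFIG_SECCOMP_FILTER` names (for example in `/proc/config.gz` when that is enabled), so the `KERNEL_` prefix in REQUIRED_OPTIONS would need to be dropped for that check.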
system, Closed, July 23, 2019, 7:46am
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.