agris | the brewmaster I would assume | 02:36 |
---|---|---|
agris | Why would a LXC template not be able to be used in unprivileged mode? | 02:56 |
agris | root@vm2:~# ls /usr/share/lxc/templates/ | 02:56 |
agris | lxc-alpine lxc-centos lxc-devuan.old lxc-gentoo lxc-plamo lxc-ubuntu | 02:56 |
agris | lxc-altlinux lxc-cirros lxc-devuanstock lxc-openmandriva lxc-slackware lxc-ubuntu-cloud | 02:56 |
agris | lxc-archlinux lxc-debian lxc-download lxc-opensuse lxc-sparclinux | 02:56 |
agris | lxc-busybox lxc-devuan lxc-fedora lxc-oracle lxc-sshd | 02:56 |
agris | root@vm2:~# lxc-create -n postgres -t devuan | 02:56 |
agris | This template can't be used for unprivileged containers. | 02:56 |
agris | You may want to try the "download" template instead. | 02:56 |
agris | Is there something I have to change in the template itself? | 02:57 |
agris | also, how is 'download' a valid template | 02:57 |
agris | that's not a distro | 02:57 |
specing | agris: yes, you need to modify it | 02:59 |
specing | download downloads pre-prepared images | 03:00 |
agris | I see | 03:00 |
agris | What modifications need to be put in place to make it work in non-privileged mode? | 03:00 |
agris | with uid/gid mappings | 03:01 |
agris | It's just a simple bootstrapping bash script | 03:01 |
agris | or is the unsupported message in there just for show? | 03:01 |
agris | I'm going to comment out that warning code and see what happens | 03:10 |
specing | agris: https://github.com/specing/lxc-gentoo/blob/master/lxc-gentoo-userns | 03:17 |
agris | my issue isn't converting an existing container to a userns one | 03:18 |
agris | it's making the devuan lxc template i've worked on create a userns container on creation if the system is configured to be able to | 03:19 |
specing | agris: that script illustrates how a userns one differs from a normal one | 03:19 |
agris | I see | 03:19 |
agris | I know the uid is different | 03:20 |
agris | but what I do not understand is how the template needs to change to simply support a uid map | 03:20 |
agris | my configuration is already setup to support that | 03:20 |
agris | hold on, I'll upload my patches to git.devuan.org | 03:21 |
agris | What is there left to do on beowulf? | 03:43 |
agris | I wish I was not the only one using LXC on Devuan | 03:50 |
agris | with apparmor | 03:50 |
specing | agris: you are probably the only one using apparmor, too | 03:51 |
agris | It really shows | 03:51 |
agris | >lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1306 Path "/sys/fs/cgroup/memory//lxc/matterbridge" already existed. | 03:52 |
agris | lxc-start: cgroups/cgfsng.c: cgfsng_create: 1363 No such file or directory - Failed to create /sys/fs/cgroup/memory//lxc/matterbridge: No such file or directory | 03:52 |
specing | few people actually care about security | 03:52 |
agris | I had to write the lxc template myself to work with openrc | 03:53 |
agris | and then to even start at all with apparmor | 03:53 |
specing | there are only two major distros enforcing selinux, apparmor hangs in the air and grsecurity is now unobtainable | 03:53 |
specing | all the while software is as shitty as ever | 03:53 |
agris | even then I'm still forced to use lxc.aa_allow_incomplete = 1 | 03:53 |
agris | and if I try turning full enforcing back on to test something, all the old cgroups are still there, preventing containers from booting again until the hypervisor kernel is cold-rebooted | 03:54 |
specing | I have lxc working on grsec gentoo | 03:54 |
agris | specing, does LXC even support SELinux? | 03:55 |
specing | lxc is silly if you have selinux | 03:55 |
specing | selinux can separate things very well | 03:55 |
agris | dude, I'm not using LXC for security's sake | 03:55 |
agris | the apparmor is supposed to make LXC secure | 03:55 |
specing | well then, SELinux should transparently work with LXC via file contexts | 03:56 |
agris | by preventing containers from manipulating the hardware | 03:56 |
agris | specing, How do I get SE Linux working with LXC on Devuan? | 03:56 |
specing | no idea | 03:56 |
agris | I mean if what you're saying is true I'd drop this canonical broken crap right now and reboot the server with SE | 03:57 |
agris | this sucks so bad | 03:58 |
specing | you'd still have to tag the files | 03:58 |
agris | here I am | 03:58 |
agris | having to define allowed devices by MAJOR:MINOR by hand | 03:58 |
specing | maybe redhat has an out-of-the-box working solution | 03:58 |
agris | redhat has their own problems | 03:58 |
specing | or fedora (so redhat) | 03:58 |
agris | plus they want to push their 'kuberneties' which I don't need | 03:59 |
specing | they are the only ones apart from Google seriously using selinux | 03:59 |
agris | I was first using LXC containers on RedHat | 03:59 |
agris | but I stopped immediately because I realized they were shipping version on of LXC | 04:00 |
agris | *version one | 04:00 |
agris | which has like, no security at all | 04:00 |
agris | and this is all I have to go by | 04:01 |
agris | https://wiki.debian.org/LXC | 04:01 |
agris | I think a lot of the apparmor bugs are just because I'm using ascii/stretch | 04:01 |
agris | whereas apparmor in debian wasn't really in a usable state until buster | 04:02 |
agris | which I'm not sure I can upgrade to in Devuan yet | 04:02 |
agris | huh, looks like Debian may have updated the LXC wiki since last time | 04:03 |
agris | Does anybody know what there is left to do for releasing Beowulf? | 04:04 |
agris | If it's something that doesn't affect me I could try upgrading now | 04:04 |
agris | it's even more fragmented now that systemd apparently is a container hypervisor too now | 04:05 |
agris | I wonder if I could just use Alpine for the hypervisor and use Devuan containers | 04:06 |
agris | it seems to already be doing most of what I'm trying to do with Devuan | 04:09 |
agris | OpenRC LXC container hypervisor with discretionary access control | 04:09 |
agris | *mandatory access control | 04:10 |
agris | but I'd really like to try and make it work with Devuan first | 04:10 |
TwistedFate | i'm having problems with locales | 04:11 |
TwistedFate | how can i fix them? | 04:11 |
TwistedFate | https://paste.debian.net/hidden/220fc0a9/ | 04:11 |
emdete | TwistedFate: use `export LANG=C` before starting that command or gen the desired locale | 17:29 |
fling | is torbrowser-launcher packaged on devuan? | 17:58 |
yeti | https://pkginfo.devuan.org/cgi-bin/d1pkgweb-query?search=torbrow | 18:01 |
yeti | so... yes and no... somehow | 18:01 |
fling | how? | 18:05 |
fling | Is there an lxd image for ceres? | 18:06 |
golinux | https://git.devuan.org/devuan-packages/lxd | 18:07 |
golinux | Probably outdated | 18:09 |
sedrosken | so OpenRC is considered experimental on ASCII, right? | 18:44 |
sedrosken | because I, er, can definitely see there's some work to be done... then again, once beowulf hits release that should drastically improve just from the source packages being buster-vintage and not from stretch | 18:45 |
sedrosken | in particular, removing ethernet from my laptop (which I used to run setup since it needed some firmware i didn't have readily available for my wifi) resulted in a race condition that took almost a minute to clear on first boot | 18:46 |
sedrosken | because it insisted on keeping on trying to set up eth0 with nothing connected to it | 18:46 |
sedrosken | so, stupid question, I'm sure, but... how would I go about getting a beowulf image? it doesn't seem readily available on any of the mirrors | 18:48 |
sedrosken | or is it something where I'm just going to have to migrate to beowulf from ascii? | 18:52 |
gnarface | sedrosken: yes, you have to migrate from ascii still | 21:22 |
gnarface | and the 60 second delay in boot is probably a DHCP timeout, not a race condition. give that device a static ip or no configuration at all and it should not do this | 21:23 |
gnarface | (there may be some unofficial beowulf installers floating around as test images, but they're not in the repos yet) | 21:23 |
sedrosken | So would migrating to testing be as simple as swapping the repositories over in sources.list and then dist-upgrading? It's been a while since I've upgraded like that, admittedly, and never from stable to testing | 22:04 |
yeti | basically that way... maybe run dist-upgrade with --download-only 1st to get all debs | 22:13 |
yeti | so if something kills connectivity, you can continue | 22:13 |
gnarface | sedrosken: yea, in theory. depending on what you have installed, you could have some package conflicts. | 22:13 |
gnarface | sedrosken: people are succeeding at this regularly though, so it is reasonably doable | 22:13 |
yeti | I did that >10 times | 22:14 |
yeti | and I'm definitely not einstein | 22:14 |
gnarface | permissions backend stuff for graphical logins had some issues, i heard. if you avoid that stuff you avoid most of the drama. | 22:14 |
yeti | remove doesn't kill the config files, so throwing away some big parts that can easily be installed later again minimises such conflicts | 22:15 |
gnarface | yea, it has been advised to do a minimal ascii install then upgrade before pulling in the rest of the desktop environment | 22:16 |
gnarface | and if it's a pre-existing install, it might be easier to uninstall some stuff first | 22:16 |
gnarface | sedrosken: it would be irresponsible for me not to remind you though that most people asking about this don't actually need to upgrade to beowulf, they usually just need to get the newer kernel from ascii-backports (and maybe also mesa or nvidia drivers, as appropriate) | 22:21 |
sedrosken | Yeah I plan to reinstall from my netinst CD to get a barebones system again before I do it since I don't have a ton configured anywah | 22:21 |
sedrosken | Anyway* | 22:21 |
sedrosken | It's not just that, I need a newer version of firefox-esr than even ascii-backports has | 22:22 |
gnarface | oh, yea that's problematic because of the rust dependencies. i guess you're stuck then. | 22:23 |
Wonka | Firefox ESR 68 is current, what would be new enough? | 22:50 |
sedrosken | ASCII backports version is 60.9.0esr | 23:12 |
gnarface | wait, there's a firefox in ascii backports finally? that seems recent... | 23:12 |
gnarface | like the past couple days recent | 23:12 |
gnarface | i swear i checked just last week | 23:12 |
gnarface | like, less than 7 days ago | 23:12 |
gnarface | was i hallucinating? | 23:12 |
gnarface | i thought there was an issue getting rust to build for that version of glibc or something like that | 23:13 |
Jjp137 | wait no there isn't a firefox-esr in ascii-backports | 23:17 |
gnarface | hmmm | 23:20 |
gnarface | sedrosken: you looking at buster backports perhaps? | 23:20 |
sedrosken | Weird | 23:23 |
sedrosken | I didn't think I was but I guess I must have been | 23:23 |
Jjp137 | if Debian's website is correct, there isn't one in buster-backports either | 23:23 |
sedrosken | But yeah I need at least better than 60.x for one of my critical extensions | 23:23 |
gnarface | well ceres is up to at least 68 | 23:25 |
Jjp137 | beowulf too: https://pkginfo.devuan.org/stage/beowulf/beowulf-security/firefox-esr_68.2.0esr-1~deb10u1.html | 23:26 |
furrywolf | I tried installing the 68 esr package on ascii a week or two ago, and it had way too many dependencies to be easily done. | 23:27 |
sedrosken | Eesh | 23:29 |
gnarface | yea i think you have to backport all the dependencies of rust all the way down to glibc | 23:31 |
gnarface | by that point you're basically running beowulf in effect anyway | 23:31 |
furrywolf | yes, glibc was one of the big ones. | 23:31 |
furrywolf | I gave up. still using 60. | 23:31 |
gnarface | i would just recommend anyone having to test with a newer firefox to use a beowulf or ceres chroot, or failing that, qemu | 23:32 |
* furrywolf | would like to use a newer firefox to see if it fixes any of the bugs and crashes | 23:35 |
sedrosken | I have no issues with the stability of 60.x, I just need newer to use one of the extensions I can't go without | 23:38 |
sedrosken | Simple tab groups for those wondering | 23:38 |
sedrosken | Yeah I'm one of *those* people, who have too many tabs for their own good | 23:39 |
furrywolf | I have lots of issues with its stability. and I don't have much hope 68 will fix it, since it's been shit since... version 4? :) | 23:39 |
sedrosken | Hah, fair enough | 23:41 |
sedrosken | But remember that the web has changed quite a lot since ff3.6's heyday | 23:42 |
furrywolf | it leaks through 8GB of ram annoyingly quickly, it crashes if I try closing a window with more than one tab open, it can't remember my tabs from last time it exited, ... | 23:42 |
sedrosken | I'd also like to be able to install qutebrowser from the main repo, as well | 23:42 |
sedrosken | One of those things where I'm trying to get back into the vim habit and the only way to make me learn is to force myself into it, haha | 23:43 |
sedrosken | Well, I don't have quite those issues, in actuality I have very few complaints since quantum hit | 23:43 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!