Unable to run a private network with an unprivileged LXC container

We are trying to set up a private network using unprivileged containers. The Vagrantfile is as follows:

# -*- mode: ruby -*-
# vi: set ft=ruby :

require 'yaml'
settings = YAML.load_file 'config.yml'

Vagrant.configure("2") do |config|
  config.vm.provider :lxc do |lxc|
    lxc.privileged = false
  end
  config.vm.box = "{ an existing box }"
  config.hostmanager.enabled = true
  config.hostmanager.manage_host = true
  config.hostmanager.manage_guest = true
  config.hostmanager.aliases = settings['vhosts']
  config.vm.provision :hostmanager
  config.vm.network "private_network", ip: settings['container_ip'], lxc__bridge_name: 'lxcbr1'
  config.vm.synced_folder settings['workspace'], "/vagrant", type: "sshfs",
    ssh_opts_append: "-o Compression=yes -o CompressionLevel=5",
    sshfs_opts_append: "-o direct_io -o sync_read -o sshfs_sync -o cache=no -o compression=no -o uid=1000 -o gid=100"
  config.vm.provider :lxc do |lxc|
    lxc.customize 'cgroup.memory.limit_in_bytes', '2048M'
  end
  config.vm.provision "shell", inline: <<-SHELL
    apt-get update
    apt-get install -y apache2
  SHELL
end

The config.yml file is:

workspace: ./
vhosts:
  - container.local
container_ip: 172.16.2.1

The generated config file at ~/.local/share/lxc/{container_name}/config contains:

*SNIP*
# Network configuration

##############################################
# Container specific configuration (automatically set)
#lxc.aa_profile = lxc-default
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = ~/.local/share/lxc/test6_default_1596017521854_84661/rootfs
lxc.rootfs.backend = dir
lxc.utsname = test6_default_1596017521854_84661

##############################################
# Network configuration (automatically set)
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:FF:c1:4b:73:64
*SNIP*

So when we run vagrant up, the container starts, but the following error appears:

╰─[zsh] vagrant up                                                                                                                                                                                             127 ↵
Bringing machine 'default' up with 'lxc' provider...
==> default: Checking if box '{ an existing box }' is up to date...
==> default: Starting container...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 10.0.3.187:22
    default: SSH username: vagrant
    default: SSH auth method: private key
verify_host_key: false is deprecated, use :never
==> default: Machine booted and ready!
==> default: Setting up private networks...
There was an error executing ["/usr/bin/env", "~/.vagrant.d/gems/2.3.3/gems/vagrant-lxc-1.4.3/scripts/pipework", "lxcbr1", "test6_default_1596017521854_84661", "172.16.2.1/24"]

For more information on the failure, enable detailed logging by setting
the environment variable VAGRANT_LOG to DEBUG.

With debug logging enabled, the following error appears:

stderr : RTNETLINK answers: Operation not permitted

Even though the user is allowed to add veths on lxcbr1 in the lxc configuration:

user@vagrant-host ~ # cat /etc/lxc/lxc-usernet 
{ user } veth lxcbr1 10
{ user } veth lxcbr0 10

This seems to be related to the fact that the pipework script has to be run with sudo, which is not available when running the container as a non-root user.
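As an added example (not part of the original question, and not code from vagrant-lxc or pipework), the following POSIX shell script checks what /etc/lxc/lxc-usernet actually grants: for a given user, interface type and bridge it returns the veth quota, so you can confirm that an entry like the ones shown above is present and non-zero before suspecting the script that creates the interface. The file contents are a constructed sample with a placeholder user name; point `usernet_quota` at the real file to check a host.

```shell
#!/bin/sh
# Added example: query an lxc-usernet file for the veth quota granted to a user.
# Line format of /etc/lxc/lxc-usernet is: "<user> <type> <bridge> <quota>".

# usernet_quota FILE USER TYPE BRIDGE
# Prints the quota for that (user, type, bridge) triple; prints 0 when there is
# no matching entry. A later matching line overrides an earlier one.
usernet_quota() {
    file=$1; user=$2; type=$3; bridge=$4
    quota=0
    while read -r u t b q _; do
        # Skip blank lines and comments.
        case "$u" in ''|'#'*) continue ;; esac
        if [ "$u" = "$user" ] && [ "$t" = "$type" ] && [ "$b" = "$bridge" ]; then
            quota=$q
        fi
    done < "$file"
    printf '%s\n' "$quota"
}

# usernet_allows FILE USER TYPE BRIDGE
# Succeeds (exit 0) only when the granted quota is greater than zero.
usernet_allows() {
    q=$(usernet_quota "$@")
    [ "$q" -gt 0 ] 2>/dev/null
}

# Constructed sample mirroring the entries in the question; "vagrantuser" is a
# placeholder for the real account name.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# user type bridge quota
vagrantuser veth lxcbr1 10
vagrantuser veth lxcbr0 10
other veth lxcbr0 0
EOF

for br in lxcbr0 lxcbr1 lxcbr2; do
    if usernet_allows "$SAMPLE" vagrantuser veth "$br"; then
        echo "vagrantuser may attach up to $(usernet_quota "$SAMPLE" vagrantuser veth "$br") veth devices to $br"
    else
        echo "vagrantuser has no veth quota on $br"
    fi
done
```

A non-zero quota here only tells you that LXC's own setuid helper (lxc-user-nic, which is what consults lxc-usernet) would be permitted to create the interface; a separate script that calls ip link directly as the unprivileged user is not covered by this file and still needs CAP_NET_ADMIN in the host network namespace, which matches the "Operation not permitted" error above.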
