Work in progress

LXC containers used for different purposes need different startup parameters; starting them with a generic profile causes a long list of problems.

1. GPU sharing (AMD integrated graphics)

Add the following to the container config:

unprivileged: 0
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file

Also install mesa-amdgpu-va-driver inside the container. vainfo (from libva-utils) shows whether the driver was picked up.

Ubuntu

# add the AMDGPU 6.0 repository (this line is for Ubuntu 20.04 "focal")
echo deb https://repo.radeon.com/amdgpu/6.0/ubuntu focal main >> /etc/apt/sources.list
# import the signing key; use the key ID that apt reports as missing
# (apt-key is deprecated on Ubuntu 22.04 and later, where keys go under /etc/apt/keyrings instead)
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 9386B48A1A693C5C
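The allow lines above hard-code major 226 with minors 0 and 128. Those are the usual numbers for the first DRM card and render node, but the only reliable source is the host's own device nodes, and a mount.entry whose device is not covered by an allow line fails inside the container with "Operation not permitted". The following is an added example, not code from the original post: it derives the two lines from a device's real major:minor and checks an existing config for /dev entries that lack a matching allow line. The function names are my own; it assumes GNU or busybox stat on the Proxmox host.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# lxc_dev_lines MAJOR MINOR DEVPATH
# Prints the cgroup2 allow line and the matching bind-mount line for one
# character device. The mount target is the same path without the leading "/".
lxc_dev_lines() {
    printf 'lxc.cgroup2.devices.allow: c %s:%s rwm\n' "$1" "$2"
    printf 'lxc.mount.entry: %s %s none bind,optional,create=file\n' "$3" "${3#/}"
}

# lxc_dev_lines_for DEVPATH
# Reads the real major:minor from the host (stat %t/%T are hexadecimal) and
# delegates to lxc_dev_lines. Fails if the path is not a character device.
lxc_dev_lines_for() {
    [ -c "$1" ] || { printf 'not a character device: %s\n' "$1" >&2; return 1; }
    set -- "$1" $(stat -c '%t %T' "$1")
    lxc_dev_lines $((0x$2)) $((0x$3)) "$1"
}

# allow_covers CONFIG MAJOR MINOR
# Returns 0 if CONFIG has an allow line for exactly MAJOR:MINOR (or MAJOR:*).
# Accepts both the Proxmox "key: value" and the upstream "key = value" form.
allow_covers() {
    grep -Eq "^lxc\.cgroup2\.devices\.allow[:=] *c +$2:($3|\*) +[rwm]+" "$1"
}

# check_dev_entries CONFIG
# For every lxc.mount.entry that binds a /dev node, confirm the node exists on
# the host and that an allow line covers its major:minor. Prints one line per
# problem and returns the number of problems (0 = consistent).
check_dev_entries() {
    problems=0
    for dev in $(sed -n 's/^lxc\.mount\.entry[:=] *\(\/dev\/[^ ]*\).*/\1/p' "$1"); do
        if [ ! -c "$dev" ]; then
            printf 'missing on host: %s\n' "$dev"
            problems=$((problems + 1))
            continue
        fi
        set -- "$1" $(stat -c '%t %T' "$dev")
        if ! allow_covers "$1" $((0x$2)) $((0x$3)); then
            printf 'no allow line for %s (%d:%d)\n' "$dev" $((0x$2)) $((0x$3))
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Typical use on the host, e.g. for container 101:
#   lxc_dev_lines_for /dev/dri/renderD128 >> /etc/pve/lxc/101.conf
#   check_dev_entries /etc/pve/lxc/101.conf
```

Run check_dev_entries against the container's .conf after editing it; a non-zero return means at least one mount.entry would be mounted but unusable (or not mounted at all, with the "optional" flag hiding the error).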

2. Router (Nix-Router)

Note: on the host, /dev/ppp must be owned by 100000:100000 (the host-side ids that root inside the unprivileged container maps to).

unprivileged: 1
lxc.net.1.type: phys
lxc.net.1.link: eno1
lxc.net.1.name: wan
lxc.net.1.flags: up
lxc.cgroup2.devices.allow: c 108:0 rwm  # ppp
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
lxc.mount.entry: /dev/ppp dev/ppp none bind,create=file

3. Kubernetes

It needs so many privileges that almost no isolation is left. The upside is that the service can be stopped very cleanly, and a shutdown timeout is easy to add.

unprivileged: 0
lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: c 1:11 rwm
lxc.mount.auto: proc:rw sys:rw
lxc.mount.entry: /dev/kmsg dev/kmsg none defaults,bind,create=file
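To keep that trade-off visible instead of buried in a .conf, here is an added example that is not part of the original post: a small audit that reads a container config and lists the settings that weaken isolation (privileged mode, AppArmor unconfined, writable /proc and /sys, blanket or wildcard device allows, /dev/kmsg exposure). It accepts both the Proxmox "key: value" form used on this page and the upstream "key = value" form from the troubleshooting section. The function names and finding messages are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# report MESSAGE: print one finding and count it
report() {
    printf 'finding: %s\n' "$1"
    findings=$((findings + 1))
}

# audit_lxc_conf CONFIG
# Prints one line per finding and returns the number of findings (0 = clean).
audit_lxc_conf() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in \#*|'') continue ;; esac
        # key is the text before the first ':' or '='; value is the rest with
        # surrounding whitespace and a trailing "# comment" removed
        key=$(printf '%s' "${line%%[:=]*}" | tr -d '[:space:]')
        value=$(printf '%s' "${line#*[:=]}" | sed 's/^[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//')
        case "$key" in
            unprivileged)
                if [ "$value" = 0 ]; then
                    report "privileged container: uid 0 inside is uid 0 on the host"
                fi ;;
            lxc.apparmor.profile)
                if [ "$value" = unconfined ]; then
                    report "AppArmor confinement disabled"
                fi ;;
            lxc.mount.auto)
                case " $value " in *" sys:rw "*) report "/sys mounted read-write" ;; esac
                case " $value " in *" proc:rw "*) report "/proc mounted read-write (host sysctls writable)" ;; esac ;;
            lxc.cgroup2.devices.allow|lxc.cgroup.devices.allow)
                case "$value" in
                    a|a\ *)  report "all devices allowed: '$value'" ;;
                    *'*'*)   report "device wildcard allowed: '$value'" ;;
                esac ;;
            lxc.mount.entry)
                case "$value" in
                    /dev/kmsg\ *) report "host kernel ring buffer exposed via /dev/kmsg" ;;
                esac ;;
        esac
    done < "$1"
    return "$findings"
}

# Typical use on the host:
#   audit_lxc_conf /etc/pve/lxc/101.conf; echo "findings: $?"
```

Run against the three profiles on this page, the router profile reports nothing, the GPU profile reports only the privileged flag, and the Kubernetes profile reports five findings, which is the point: that container should be treated as part of the host's trust boundary, not as a sandbox.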

114514. Troubleshooting

1. Privileged LXC and AppArmor

ref: Proxmox forum
  1. "What does checking this checkbox mean:"

Means simply, that an unprivileged container maps the user and group to an id+100000 on the Proxmox host itself.

For example the root user inside the lxc container has the group id of 0 and user id of 0, while on the Proxmox host itself that user has a group id of 100000 and user id of 100000.

If you create a custom user inside the lxc container with a user id of 285 and group id of 245, that same user will have on the Proxmox host a user id of 100285 and group id of 100245.

Means that the root user of your lxc container or the custom user of your lxc container doesn't have access on the host to anything if he breaks out of the container.

On a privileged lxc container the root user has the user id and group of 0, same as on an unprivileged lxc container.

But on the Proxmox host there won't be any user mapping, means there is no +100000.
This means that this root user inside the privileged lxc container with the id of 0 is the root user on the Proxmox host itself with the id of 0.

This means also, if the root user breaks out of the privileged lxc container, he will be the root user on the Proxmox host itself, with access to everything on the Proxmox host.

  2. It's a known issue that on privileged debian and ubuntu lxc containers, apparmor isn't working.
  • On a privileged Archlinux container it is working for example.
  • On unprivileged debian/ubuntu containers apparmor is working fine!

I don't know the reason, probably apparmor profile issues or whatever.

However on privileged containers, apparmor has anyway little benefit. It would be nice if it would work actually, but the best thing you can do is simply removing apparmor.

Uninstall it on every privileged container and you're good.
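The /dev/ppp note in the router profile (host ownership 100000:100000) and the forum answer above come down to the same arithmetic: a container id maps to host id = host start + (container id - container start) for whichever lxc.idmap range contains it, and an id outside every range shows up inside the container as nobody/nogroup. The following is an added example, not code from the post or the forum: map_id does that lookup, expected_owner gives the host uid:gid a device node needs so that a given container user owns it, and check_owner compares that with a real node. Function names are my own; the default range "u 0 100000 65536" is the +100000 mapping the forum answer describes (the Proxmox default for unprivileged containers), and the privileged case is modelled as the identity range.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# map_id CONTAINER_ID [IDMAP_LINE ...]
# Each IDMAP_LINE has the lxc.idmap form "u 0 100000 65536" (type, container
# start, host start, count): container ids 0..65535 map to host ids
# 100000..165535. Prints the host id, or fails if no range contains the id.
map_id() {
    id=$1; shift
    [ $# -gt 0 ] || set -- "u 0 100000 65536"   # the +100000 default described above
    for entry in "$@"; do
        set -- $entry                             # split into the four fields
        if [ "$id" -ge "$2" ] && [ "$id" -lt $(($2 + $4)) ]; then
            printf '%s\n' $(($3 + id - $2))
            return 0
        fi
    done
    printf 'id %s is not mapped (appears as nobody inside the container)\n' "$id" >&2
    return 1
}

# expected_owner CONTAINER_UID CONTAINER_GID [IDMAP_LINE ...]
# Prints the host "uid:gid" a node must have so that CONTAINER_UID:GID owns it
# inside the container; for root in a default unprivileged container that is
# 100000:100000, the value the /dev/ppp note asks for.
expected_owner() {
    u=$1; g=$2; shift 2
    hu=$(map_id "$u" "$@") || return 1
    hg=$(map_id "$g" "$@") || return 1
    printf '%s:%s\n' "$hu" "$hg"
}

# check_owner DEVPATH CONTAINER_UID CONTAINER_GID [IDMAP_LINE ...]
# Compares the node's actual host ownership with the expected one.
# Returns 0 on match, 1 on mismatch, 2 if the node or mapping is unusable.
check_owner() {
    path=$1; shift
    want=$(expected_owner "$@") || return 2
    have=$(stat -c '%u:%g' "$path") || return 2
    if [ "$have" = "$want" ]; then
        printf '%s ok (%s)\n' "$path" "$have"
    else
        printf '%s owned by %s, expected %s\n' "$path" "$have" "$want"
        return 1
    fi
}

# Typical use on the host for the router profile:
#   check_owner /dev/ppp 0 0 || chown "$(expected_owner 0 0)" /dev/ppp
```

Passing the container's own lxc.idmap lines (for example "u 0 100000 1000" "u 1000 1000 1" "u 1001 101001 64535", the common shape of a single pass-through uid) makes the same functions give the right answer for customised mappings; the privileged case is just "u 0 0 4294967295", which is why root in such a container is root on the host.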

2. Error when starting unprivileged Docker inside a privileged LXC

ref: https://rehtt.com/index.php/archives/259/
  1. Add to the LXC config:
lxc.apparmor.profile = unconfined
  2. Add to the docker run arguments:
--security-opt apparmor=unconfined

or

services:
  your_service:
    security_opt:
      - apparmor=unconfined
Last modification: February 2, 2024