Update incus_lxd_lxc_kvm.md

This commit is contained in:
Jip-Hop 2024-01-27 13:13:09 +01:00
parent 53689df645
commit 1ac8bb8fc1
1 changed files with 34 additions and 0 deletions


@ -77,6 +77,40 @@ root@incus:/home/test# dd if=/dev/random of=./test2.img bs=1G count=1 oflag=dsyn
To be able to create unprivileged (rootless) containers with incus inside the jail, you need to increase the amount of UIDs available inside the jail. Please refer to the [Podman instructions](rootless_podman_in_rootless_jail.md) for more information. If you don't increase the UIDs you can only create privileged containers. You'd have to change `Privileged` to `Allow` in `Security policies` in this case. To be able to create unprivileged (rootless) containers with incus inside the jail, you need to increase the amount of UIDs available inside the jail. Please refer to the [Podman instructions](rootless_podman_in_rootless_jail.md) for more information. If you don't increase the UIDs you can only create privileged containers. You'd have to change `Privileged` to `Allow` in `Security policies` in this case.
## Canonical LXD install via snap
Installing the lxd snap is an alternative to Incus. But out of the box running `snap install lxd` will cause AppArmor issues when running inside a jailmaker jail on SCALE.
### Workaround 1: Disable AppArmor kernel module
[To my knowledge AppArmor is not uses on SCALE](https://github.com/truenas/charts/pull/428#issuecomment-1113936420). The AppArmor related packages aren't even installed.
Ensure to add --bind=/dev/fuse and ensure using bridge or macvlan networking:
```
# On the host
cat /sys/module/apparmor/parameters/enabled
Y
midclt call system.advanced.update '{"kernel_extra_options": "apparmor=0"}'
reboot
cat /sys/module/apparmor/parameters/enabled
# In Ubuntu jail
apt update
ln -s /bin/true /usr/local/bin/udevadm
apt install -y --no-install-recommends snapd
snap install lxd
lxd init
snap set lxd ui.enable=true
systemctl reload snap.lxd.daemon
# Check out: https://example:8443
```
### Workaround 2: inaccessible /sys/module/apparmor
If I don't want to mess with kernel parameters, I can trick the jail into thinking the apparmor module is not loaded by mounting over /sys/module/apparmor: `mount -v -r -t tmpfs -o size=50m test /sys/module/apparmor`. Then `snap install lxd` completes! Best way to do this is to add `--inaccessible=/sys/module/apparmor` to the systemd_nspawn_user_args.
## References ## References
- [Running QEMU/KVM Virtual Machines in Unprivileged LXD Containers](https://dshcherb.github.io/2017/12/04/qemu-kvm-virtual-machines-in-unprivileged-lxd.html) - [Running QEMU/KVM Virtual Machines in Unprivileged LXD Containers](https://dshcherb.github.io/2017/12/04/qemu-kvm-virtual-machines-in-unprivileged-lxd.html)
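Review bot: Workaround 1 is host-wide, not jail-scoped, and the section should say so before a reader picks it. `midclt call system.advanced.update '{"kernel_extra_options": "apparmor=0"}'` sets a persistent kernel boot parameter on the TrueNAS SCALE host, so after the `reboot` AppArmor is off for the host and for every jail on it, and it stays off until the option is removed again. Workaround 2 (`--inaccessible=/sys/module/apparmor` in the systemd_nspawn_user_args) only changes what this one jail sees and needs no reboot, so suggest recommending it as the default and presenting the kernel-parameter route as the fallback, with a line on how to revert it (clear `kernel_extra_options` and reboot). Smaller points in the same hunk: "AppArmor is not uses on SCALE" should read "is not used"; "Ensure to add --bind=/dev/fuse and ensure using bridge or macvlan networking" reads better as "Make sure to add `--bind=/dev/fuse` and use bridge or macvlan networking"; the fenced block mixes host and jail commands and would be clearer as two blocks (or with a `sh` tag and the host/jail split marked by prompts like the `root@incus:` one in the surrounding context); `# Check out: https://example:8443` should say it is the jail's address (`https://<jail-ip>:8443`); and the `ln -s /bin/true /usr/local/bin/udevadm` stub deserves a one-line explanation of why snapd needs it inside the jail, since a reader copying the block has no way to tell it is a deliberate no-op.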