libera/#devuan/ Saturday, 2019-11-02

[02:36] agris: the brewmaster I would assume
[02:56] agris: Why would a LXC template not be able to be used in unprivileged mode?
[02:56] agris: root@vm2:~# ls /usr/share/lxc/templates/
[02:56] agris: lxc-alpine     lxc-centos  lxc-devuan.old   lxc-gentoo        lxc-plamo       lxc-ubuntu
[02:56] agris: lxc-altlinux   lxc-cirros  lxc-devuanstock  lxc-openmandriva  lxc-slackware   lxc-ubuntu-cloud
[02:56] agris: lxc-archlinux  lxc-debian  lxc-download     lxc-opensuse      lxc-sparclinux
[02:56] agris: lxc-busybox    lxc-devuan  lxc-fedora       lxc-oracle        lxc-sshd
[02:56] agris: root@vm2:~# lxc-create -n postgres -t devuan
[02:56] agris: This template can't be used for unprivileged containers.
[02:56] agris: You may want to try the "download" template instead.
[02:57] agris: Is there something I have to change in the template itself?
[02:57] agris: also, how is 'download' a valid template
[02:57] agris: that's not a distro
[02:59] specing: agris: yes, you need to modify it
[03:00] specing: download downloads pre-prepared images
[03:00] agris: I see
[03:00] agris: What modifications need to be put in place to make it work in non-privileged mode?
[03:01] agris: with uid/gid mappings
[03:01] agris: It's just a simple bootstrapping bash script
[03:01] agris: or is the unsupported message in there just for show?
[03:10] agris: I'm going to comment out that warning code and see what happens
[03:18] agris: my issue isn't converting an existing container to a userns one
[03:19] agris: it's making the devuan lxc template i've worked on create a userns container on creation if the system is configured to be able to
[03:19] specing: agris: that script illustrates how a userns one differs from a normal one
[03:19] agris: I see
[03:20] agris: I know the uid is different
[03:20] agris: but what I do not understand is how the template needs to change to simply support a uid map
[03:20] agris: my configuration is already set up to support that
[03:21] agris: hold on, I'll upload my patches to git.devuan.org
[03:43] agris: What is there left to do on beowulf?
[03:50] agris: I wish I was not the only one using LXC on Devuan
[03:50] agris: with apparmor
[03:51] specing: agris: you are probably the only one using apparmor, too
[03:51] agris: It really shows
[03:52] agris: >lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1306 Path "/sys/fs/cgroup/memory//lxc/matterbridge" already existed.
[03:52] agris:   lxc-start: cgroups/cgfsng.c: cgfsng_create: 1363 No such file or directory - Failed to create /sys/fs/cgroup/memory//lxc/matterbridge: No such file or directory
[03:52] specing: few people actually care about security
[03:53] agris: I had to write the lxc template myself to work with openrc
[03:53] agris: and then to even start at all with apparmor
[03:53] specing: there are only two major distros enforcing selinux, apparmor hangs in the air and grsecurity is now unobtaining
[03:53] specing: all the while software is as shitty as ever
[03:53] agris: even then I'm still forced to use lxc.aa_allow_incomplete = 1
[03:54] agris: and if I try turning full enforcing back on to test something, all the old cgroups are still there, preventing containers from booting again until the hypervisor kernel is cold-rebooted
[03:54] specing: I have lxc working on grsec gentoo
[03:55] agris: specing, does LXC even support SELinux?
[03:55] specing: lxc is silly if you have selinux
[03:55] specing: selinux can separate things very well
[03:55] agris: dude, I'm not using LXC for security's sake
[03:55] agris: the apparmor is supposed to make LXC secure
[03:56] specing: well then, SELinux should transparently work with LXC via file contexts
[03:56] agris: by preventing containers from manipulating the hardware
[03:56] agris: specing, How do I get SE Linux working with LXC on Devuan?
[03:56] specing: no idea
[03:57] agris: I mean if what you're saying is true I'd drop this Canonical broken crap right now and reboot the server with SE
[03:58] agris: this sucks so bad
[03:58] specing: you'd still have to tag the files
[03:58] agris: here I am
[03:58] agris: having to define allowed devices by MAJOR:MINOR by hand
[03:58] specing: maybe redhat has an out-of-the-box working solution
[03:58] agris: redhat has their own problems
[03:58] specing: or fedora (so redhat)
[03:59] agris: plus they want to push their 'Kubernetes' which I don't need
[03:59] specing: they are the only ones apart from Google seriously using selinux
[03:59] agris: I was first using LXC containers on RedHat
[04:00] agris: but I stopped immediately because I realized they were shipping version on of LXC
[04:00] agris: *version one
[04:00] agris: which has like, no security at all
[04:01] agris: and this is all I have to go by
[04:01] agris: I think a lot of the apparmor bugs are just because I'm using ascii/stretch
[04:02] agris: whereas apparmor in debian wasn't really in a usable state until buster
[04:02] agris: which I'm not sure I can upgrade to in Devuan yet
[04:03] agris: huh, looks like Debian may have updated the LXC wiki since last time
[04:04] agris: Does anybody know what there is left to do for releasing Beowulf?
[04:04] agris: If it's something that doesn't affect me I could try upgrading now
[04:05] agris: it's even more fragmented now that systemd apparently is a container hypervisor too now
[04:06] agris: I wonder if I could just use Alpine for the hypervisor and use Devuan containers
[04:09] agris: it seems to already be doing most of what I'm trying to do with Devuan
[04:09] agris: OpenRC LXC container hypervisor with discretionary access control
[04:10] agris: *mandatory access control
[04:10] agris: but I'd really like to try and make it work with Devuan first
[04:11] TwistedFate: i'm having problems with locales
[04:11] TwistedFate: how can i fix them?
[17:29] emdete: TwistedFate: use `export LANG=C` before starting that command or gen the desired locale
[17:58] fling: is torbrowser-launcher packaged on devuan?
[18:01] yeti: so... yes and no... somehow
[18:06] fling: Is there an lxd image for ceres?
[18:09] golinux: Probably outdated
[18:44] sedrosken: so OpenRC is considered experimental on ASCII, right?
[18:45] sedrosken: because I, er, can definitely see there's some work to be done... then again, once beowulf hits release that should drastically improve just from the source packages being buster-vintage and not from stretch
[18:46] sedrosken: in particular, removing ethernet from my laptop (which I used to run setup since it needed some firmware i didn't have readily available for my wifi) resulted in a race condition that took almost a minute to clear on first boot
[18:46] sedrosken: because it insisted on keeping on trying to set up eth0 with nothing connected to it
[18:48] sedrosken: so, stupid question, I'm sure, but... how would I go about getting a beowulf image? it doesn't seem readily available on any of the mirrors
[18:52] sedrosken: or is it something where I'm just going to have to migrate to beowulf from ascii?
[21:22] gnarface: sedrosken: yes, you have to migrate from ascii still
[21:23] gnarface: and the 60 second delay in boot is probably a DHCP timeout, not a race condition.  give that device a static ip or no configuration at all and it should not do this
[21:23] gnarface: (there may be some unofficial beowulf installers floating around as test images, but they're not in the repos yet)
[22:04] sedrosken: So would migrating to testing be as simple as swapping the repositories over in sources.list and then dist-upgrading? It's been a while since I've upgraded like that, admittedly, and never from stable to testing
[22:13] yeti: basically that way... maybe run dist-upgrade with --download-only 1st to get all debs
[22:13] yeti: so if something kills connectivity, you can continue
[22:13] gnarface: sedrosken: yea, in theory.  depending on what you have installed, you could have some package conflicts.
[22:13] gnarface: sedrosken: people are succeeding at this regularly though, so it is reasonably doable
[22:14] yeti: I did that >10 times
[22:14] yeti: and I'm definitely not einstein
[22:14] gnarface: permissions backend stuff for graphical logins had some issues, i heard.  if you avoid that stuff you avoid most the drama.
[22:15] yeti: remove doesn't kill the config files, so throwing away some big parts that can easily be installed later again minimises such conflicts
[22:16] gnarface: yea, it has been advised to do a minimal ascii install then upgrade before pulling in the rest of the desktop environment
[22:16] gnarface: and if it's a pre-existing install, it might be easier to uninstall some stuff first
[22:21] gnarface: sedrosken: it would be irresponsible for me not to remind you though that most people asking about this don't actually need to upgrade to beowulf, they usually just need to get the newer kernel from ascii-backports (and maybe also mesa or nvidia drivers, as appropriate)
[22:21] sedrosken: Yeah I plan to reinstall from my netinst CD to get a barebones system again before I do it since I don't have a ton configured anyway
[22:22] sedrosken: It's not just that, I need a newer version of firefox-esr than even ascii-backports has
[22:23] gnarface: oh, yea that's problematic because of the rust dependencies.  i guess you're stuck then.
[22:50] Wonka: Firefox ESR 68 is current, what would be new enough?
[23:12] sedrosken: ASCII backports version is 60.9.0esr
[23:12] gnarface: wait, there's a firefox in ascii backports finally?  that seems recent...
[23:12] gnarface: like the past couple days recent
[23:12] gnarface: i swear i checked just last week
[23:12] gnarface: like, less than 7 days ago
[23:12] gnarface: was i hallucinating?
[23:13] gnarface: i thought there was an issue getting rust to build for that version of glibc or something like that
[23:17] Jjp137: wait no there isn't a firefox-esr in ascii-backports
[23:20] gnarface: sedrosken: you looking at buster backports perhaps?
[23:23] sedrosken: I didn't think I was but I guess I must have been
[23:23] Jjp137: if Debian's website is correct, there isn't one in buster-backports either
[23:23] sedrosken: But yeah I need at least better than 60.x for one of my critical extensions
[23:25] gnarface: well ceres is up to at least 68
Jjp137: beowulf too:
[23:27] furrywolf: I tried installing the 68 esr package on ascii a week or two ago, and it had way too many dependencies to be easily done.
[23:31] gnarface: yea i think you have to backport all the dependencies of rust all the way down to glibc
[23:31] gnarface: by that point you're basically running beowulf in effect anyway
[23:31] furrywolf: yes, glibc was one of the big ones.
[23:31] furrywolf: I gave up.  still using 60.
[23:32] gnarface: i would just recommend anyone having to test with a newer firefox to use a beowulf or ceres chroot, or failing that, qemu
[23:35] * furrywolf would like to use a newer firefox to see if it fixes any of the bugs and crashes
[23:38] sedrosken: I have no issues with the stability of 60.x, I just need newer to use one of the extensions I can't go without
[23:38] sedrosken: Simple tab groups for those wondering
[23:39] sedrosken: Yeah I'm one of *those* people, who have too many tabs for their own good
[23:39] furrywolf: I have lots of issues with its stability.  and I don't have much hope 68 will fix it, since it's been shit since...  version 4?  :)
[23:41] sedrosken: Hah, fair enough
[23:42] sedrosken: But remember that the web has changed quite a lot since ff3.6's heyday
[23:42] furrywolf: it leaks through 8GB of ram annoyingly quickly, it crashes if I try closing a window with more than one tab open, it can't remember my tabs from last time it exited, ...
[23:42] sedrosken: I'd also like to be able to install qutebrowser from the main repo, as well
[23:43] sedrosken: One of those things where I'm trying to get back into the vim habit and the only way to make me learn is to force myself into it, haha
[23:43] sedrosken: Well, I don't have quite those issues, in actuality I have very few complaints since quantum hit
