o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 583
Posted: Mon Apr 07, 2025 2:19 pm Post subject: Getting started with Incus
I would like to migrate my FreeBSD jails to Incus on Gentoo.
I would like to preserve my setup roughly:
Code:
host
workstation (graphical (X11 / wayland))
router (2 Network Interfaces are assigned to it, WAN and LAN)
I am following this guide:
https://wiki.gentoo.org/wiki/Incus
If I understand correctly, wayland will be a bit trickier than X11:
Code:
echo "gui:1000:1" | sudo tee -a /etc/subuid /etc/subgid
It is worth noting that I have not assigned any video cards over to the workstation, but also, my system is a 3rd generation Intel with just onboard video, so I don't have anything to allocate anyways.
The way I set up my FreeBSD host was as a barebones install so that the attack surface is as small as possible and, more importantly, I have as few updates or patches to apply, so I don't need to reboot. The host is not graphical and has no network interfaces assigned to it, as it has assigned those to the router. The router is responsible for handling all network functionality; for the host and workstation to have network functionality, essentially a connection is made between the host and router and between the workstation and router.
Additionally, the host in my case does not have a GUI whatsoever installed, yet I am still able to launch X11 via startx.
I have my inittab configured on FreeBSD to make the first 2 terminals available to the host, next 3 for the router, and next 3 for the workstation. I am presently using:
Code:
"/usr/sbin/jexec workstation /usr/libexec/getty Pc" xterm onifexists secure
"/usr/libexec/getty Pc" xterm onifexists secure
I presume that I will use something similar to:
Code:
"incus exec workstation /usr/bin/agetty" xterm onifexists secure
"/usr/bin/agetty" xterm onifexists secure
to open a getty for that container so I could log in directly to it.
I don't see many forum posts on incus and am wondering how much it is used as well. Is what I want to do reasonable?
o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 583
Posted: Wed Apr 16, 2025 1:40 pm
I think I have the containers sorted out and it seems easy enough to assign physical network interfaces to the container. It also seems to work fairly similarly to FreeBSD jails which makes my life easier.
I haven't crossed the bridge yet about running a graphical environment in incus, but for FreeBSD, I don't believe I did anything special at all. In both cases, my host system was a barebones install.
All the documentation I've seen thus far appears to reference running a graphical container from within a graphical host, but not on a barebones host. Perhaps it will be similar, with no special configuration required.
o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 583
Posted: Sun Apr 20, 2025 10:48 am
I am configuring incus in my target Gentoo installation prior to reboot, as I would prefer, if possible, to install and configure it in a single go. That said, I am encountering an error while setting up the networking, and from what I gathered, I need to have NAT support loaded. For that, I have loaded nft_chain_nat and nf_nat.
Yet, the error remains:
Code:
Error: Failed to create local member network "incusbr0" in project "default": Failed clearing firewall: Failed to list IPv4 rules (table filter)
Code:
cat /tmp/incus | incus admin init --debug --preseed
Code:
config: {}
networks:
- config:
    ipv4.address: auto
    ipv6.address: auto
  description: ""
  name: incusbr0
  type: ""
  project: default
storage_pools:
- config:
    source: z_500.4/incus
  description: ""
  name: default
  driver: zfs
profiles:
- config: {}
  description: ""
  devices:
    eth0:
      name: eth0
      network: incusbr0
      type: nic
    root:
      path: /
      pool: default
      type: disk
  name: default
projects: []
cluster: null
Hu Administrator
Joined: 06 Mar 2007 Posts: 23359
Posted: Sun Apr 20, 2025 1:56 pm
The error references the filter table, not the nat table. Do you have netfilter support for the filter table? What is the output of zgrep IP_NF_ /proc/config.gz?
o5gmmob8 Guru
Joined: 17 Oct 2003 Posts: 583
Posted: Sun Apr 20, 2025 8:15 pm
Ah, good call. This is the kernel from the livecd, I have not yet rebooted as I am trying to build my system entirely before rebooting into it.
Code:
livecd ~ # zgrep IP_NF_ /proc/config.gz
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SYNPROXY=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
EDIT:
I just ran:
Code:
modprobe iptable_filter
modprobe br_netfilter
And then am trying to rerun the script setting up incus containers.
EDIT:
With that, I now get ipv6 table, so I need to load ipv6 ...
EDIT:
Code:
modprobe ip6table_filter.ko
Awesome, that worked, so I will modify my script to load those modules prior to attempting to create a container.
EDIT:
I see this when trying to launch the container:
Code:
livecd /tmp # incus info --show-log router
Name: router
Status: STOPPED
Type: container
Architecture: x86_64
Created: 2025/04/20 20:20 EDT
Last Used: 2025/04/20 20:21 EDT
Log:
lxc router 20250421002145.250 ERROR start - ../lxc-6.0.3/src/lxc/start.c:lxc_spawn:1738 - Operation not permitted - Failed to clone a new set of namespaces
lxc router 20250421002145.250 ERROR start - ../lxc-6.0.3/src/lxc/start.c:__lxc_start:2114 - Failed to spawn container "router"
lxc router 20250421002145.250 ERROR lxccontainer - ../lxc-6.0.3/src/lxc/lxccontainer.c:wait_on_daemonized_start:837 - Received container state "ABORTING" instead of "RUNNING"
lxc 20250421002145.280 ERROR af_unix - ../lxc-6.0.3/src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Connection reset by peer - Failed to receive response
lxc 20250421002145.280 ERROR commands - ../lxc-6.0.3/src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"
I have gotten further with incus on an actual installation, but I want this to be fully set up during my system build / install process so I can just reboot into my complete install and have everything set up in a single go.
I looked here: https://discuss.linuxcontainers.org/t/solved-unable-to-start-lxc-container-operation-not-permitted-failed-to-allocate-a-pty/219
But the error appears to pertain to the permissions on the Unix socket.
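A pre-flight check for the module-loading step in the thread, as an added example that is not code from the thread or from Incus. It reads the kernel config the way Hu suggested (zgrep on /proc/config.gz), reports options the kernel lacks outright (the filter-table error case, which modprobe cannot fix) and modprobes only the ones built as modules; the option-to-module pairing is my assumption based on the usual iptables module names, and the script only touches the real kernel when INCUS_PRECHECK=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread or from Incus): pre-flight check to run
# before "incus admin init --preseed". It reports netfilter options the running
# kernel lacks entirely and modprobes the ones built as modules (=m).
# Option -> module pairs are an assumption based on the usual iptables module
# names; the options match the zgrep output plus the IPv6/bridge tables loaded later.
NEEDED="CONFIG_IP_NF_FILTER:iptable_filter
CONFIG_IP6_NF_FILTER:ip6table_filter
CONFIG_IP_NF_NAT:iptable_nat
CONFIG_NF_NAT:nf_nat
CONFIG_BRIDGE_NETFILTER:br_netfilter"

# kconfig_state CONFIG_TEXT OPTION -> prints y, m, or n (absent or "is not set")
kconfig_state() {
    s=$(printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1)
    printf '%s\n' "${s:-n}"
}

# modules_to_load CONFIG_TEXT -> modules for options built as =m, in NEEDED order
modules_to_load() {
    out=""
    for pair in $NEEDED; do
        opt=${pair%%:*}; mod=${pair#*:}
        [ "$(kconfig_state "$1" "$opt")" = m ] && out="$out $mod"
    done
    printf '%s\n' "${out# }"
}

# missing_options CONFIG_TEXT -> options neither =y nor =m: modprobe cannot
# help, the kernel itself needs the feature (the poster's first error case)
missing_options() {
    out=""
    for pair in $NEEDED; do
        opt=${pair%%:*}
        case "$(kconfig_state "$1" "$opt")" in y|m) ;; *) out="$out $opt" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Only touch the real kernel when explicitly asked, so sourcing this is harmless.
if [ "${INCUS_PRECHECK:-}" = 1 ] && [ -r /proc/config.gz ]; then
    cfg=$(zcat /proc/config.gz)
    miss=$(missing_options "$cfg")
    [ -n "$miss" ] && { echo "kernel lacks: $miss" >&2; exit 1; }
    for m in $(modules_to_load "$cfg"); do modprobe "$m" || exit 1; done
fi
```

Run it as root with INCUS_PRECHECK=1 before the preseed step; a non-zero exit means the kernel needs rebuilding rather than another modprobe.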