Failed to import the iplist #24
Comments
|
Hi, what's the output of |
Zugriff verweigert auf Schlüssel = permission denied |
|
This definitely has something to do with running inside a container, but I'm not entirely sure what's causing this. References to this error message I can find are all related to using large sets inside a container. The suggested workarounds are to increase the value of wmem.max on the host. I think it's safe to try this (on the host): to make this permanent. References: If this doesn't work, you could try with a newer kernel... |
|
unfortunately increasing the value did not worked and i already have the newest kernel. |
|
I'm not sure if updating the wmem_max value takes immediate effect inside the container. One thing you could try would be restarting the container after issuing the command Also, what's the output of |
|
It works now! First I changed the value on the host and restarted the container. Unfortunately, that didn't help. Then I started the container as privileged, which didn't help either. I would like to thank you for your help and your great project. |
|
Glad you got it working! No need to buy a coffee. Your research may help other people and that's a welcome contribution. I'll link to this issue somewhere in the readme. |
|
FWIW. beginning with debian 11 – actually the version of systemd in debian 11 – nesting is needed to provide access to /proc & /sys to get around major issues with apparmor. the bug(s) has existed for years. i know the issue still exists in debian 12. i do not know if apparmor is fixed and so i am not certain what will come in debian 13. the large army of people (like me) who use proxmox depend on nesting as a workaround. because this is such a problem, when you create a container of debian 11 or 12 in proxmox 7 or 8, nesting is on by default. so, for now, turning off nesting is not a realistic solution. i would love to use this product, but for me this matter is not closed. |
|
Hi @patanne, are you getting the same error |
|
I took a brief look at Proxmox documentation and they regard nftables support as "tech preview" and "not suited for production use": link. So I wonder if configuring geoip-shell to use iptables+ipset may work around the issue?
Also @patanne what kernel are you running on the host? |
|
it took me a few days to get back to this.
while iptables worked, it is not the best answer simply because the world is trying to move on to nftables. debian 13 (trixie) should release this quarter. proxmox is very good about releasing an update as soon as the latest distro ships. given that trixie will be the latest debian has until 2027, and that it won't be long before i can test it, i will wait until trixie ships to see if this is fixed. if not i will use iptables in my LXC containers. thank you for the suggestions. |
|
Good to know that using iptables works around the issue. I think this is a good reason to report a bug to the netlink developers: (You will need to create a Bugzilla account which is somewhat tedious but possible) Ultimately, to me this looks like a bug in the nftables kernel component. |
|
Also @patanne, could you specify which packages you installed besides |
|
no changes happened on the host. in the LXC container, iptables & ipset. that's it. with respect to some bug somewhere... i began with someone experiencing exactly what i am facing. that led me to someone claiming to have solved the problem in nftables. they submitted the patch on 2023-04-07. i traced the code at netfilter.org. the change was committed on 2023-04-24. this submission was 2 months before the release of debian 12, so even if netfilter.org had released the change, there was no way it could have made it into the release of the latest debian distro. i traced further. that commit was included in the release of 2023-07-14. it was labeled v.1.0.8. the version of nftables in debian 12 (bookworm) is 1.0.6-2+deb12u2. an updated nftables in not in bookworm backports. the version of nftables in debian 13 (trixie) is 1.1.1-1. so this should be solved when trixie rolls and proxmox releases VE v.9. FWIW. this problem does not exist at all, at lease not when using the US only in a whitelist, if the LXC container is privileged. |
|
@patanne thank you for the research. In the meantime, I'm thinking to implement a more nuanced approach to setting the default firewall backend utility. Currently the code simply checks whether nftables is available an if so, it defaults to nftables. The implementation I'm considering would rather:
Does this sound reasonable? |
|
agreed. there are two caveats to bullet point 2, though. first, iptables may not be installed. second, the container may be privileged, at which time the point may be moot. in the case of bullet point 2, possibly display a warning to the user, leading them to this issue. learning whether iptables is installed is easy enough. learning if we are in a lxc container can be achieved via we can know if the container is privileged or not via the ownership of /proc. it will be owned by root if it is privileged and nobody:nogroup if unprivileged. |
|
Hi @patanne, thank you for the information. I've had 0 experience with Proxmox or LXC until a few hours ago, but now I installed Proxmox and created a Debian Bookworm LXC container from a template. I tested both a privileged and an unprivileged container, with an without nesting. I did not find that nesting made any difference at all: in all cases, if the container was privileged then geoip-shell could create large nftables sets, otherwise it couldn't. iptables +ipset worked with all combinations. So unless you can confirm that nesting indeed makes a difference in your setup, I'm not seeing a need to check for nesting (which I was planning initially). Rather, should simply check for the container being privileged. |
|
In a previous post here I mentioned that nesting was needed to get around a clash between apparmor and the container accessing /proc & /sys. A while back I did the research on this to my satisfaction but didn't keep my research, so I have no links to point you to. A telltale that you have run into the problem is to fire up an unprivileged container with nesting turned off. It will boot normally, but after you login it will take 1-5 min to get a shell prompt. The system behaves as if it is hung, when in fact it is waiting for certain blocked operations to time out. To be fair, I have not tested this in a while. Debian Bookworm is up to version 12.10. I probably last tested the need for nesting on 12.5. Could something have changed? Sure. Proxmox just released 8.4. They use their own kernel. When I last tested geoip-shell with nftables, a few weeks ago, Proxmox was still at version 8.3.1. nftables was still failing for me at that time. When it comes to security there are the doomsday people who tell you we are all going to die if your password is only 14 characters long, not 15. I am not one of those people. However, a privileged container has the root user mapped properly into the host, as opposed to being mapped to 'nobody' when unprivileged. If you are running containers in the double digits on a single host that is a recipe for disaster. Forget security. If they can all issue changes to /proc & sysctl how can you guarantee performance? How do you find the culprit? privileged is a bad idea en mass. |
To clarify: was the container privileged? Did you ever succeed in running geoip-shell with nftables and a large ip list in an unprivileged LXC container? I'm asking because as I wrote above, at least with the current version of Proxmox and in my setup, nftables won't accept large sets in an unprivileged container, regardless of nesting or any other options I've tried (while iptables + ipset works fine with large iplists under all conditions).
As a non-user of Proxmox and LXC who doesn't really understand all of the underlying technology, I don't have much to contribute to the discussion about privileged containers security, and I think this issue is not the right place to discuss it. My concern here is detecting conditions under which geoip-shell is likely to fail, warn the user about the existence of these conditions and which workarounds are possible (currently, it looks like they'll either need to use iptables or a privileged container - maybe nftables 1.0.8 will change that?). I am not going to recommend users to use a privileged container - I just want to give them the information. (BTW for cases where both iptables and nftables are available and existing iptables rules are found, geoip-shell will ask the user which firewall backend should be used, after issuing the appropriate warnings - at least this is my plan for now) |
|
Proxmox 8.4 shipped on 2025-04-09, a week ago. I have not had time to test geoip-shell with it. Two weeks ago, because of our discussion here, I did retest nftables with an unprivileged Debian 12.10 container on Proxmox 8.3.1. The test was not successful. |
|
So to me this sounds like regardless of nesting, currently one can only load large nft sets when using a privileged container (at least with nftables versions lower than 1.0.8). It is possible that earlier Proxmox kernel versions had an issue with privileged container and nesting, but currently this does not seem to be the case. So for now, to my understanding, we only have 1 report about nesting having any effect on this, and I'm not sure whether that was a genuine issue or a user mistake. So unless more information is provided, I will ignore nesting when checking for nftables backend compatibility. Since I am not certain that nftables v1.0.8 will actually fix this issue, for now I'll implement a warning during initial setup (or when firewall backend change is requested) when running in an unprivileged container and nftables is one of the possible firewall backends, regardless of nftables version. If anyone has further information, it will help if you post an update here. |
Hi,
after running the "geoip-shell-install.sh" and answering the questions i got this error message:
i hope someone can help me
The text was updated successfully, but these errors were encountered: