Xscontainer

stormi

UPDATE 2024-03-19: DON'T DO THIS. We won't support any XCP-ng hosts where system packages have been overriden with pip.

I think these are the steps that worked for me:

yum install xscontainer
yum install python2-pip --enablerepo=epel
pip2 install --upgrade "pip < 21"
pip2 install --upgrade "cryptography == 2.5"
pip2 install --upgrade "paramiko < 3"

As this is done outside a virtualenv (I've tried inside a virtualenv, but I think xscontainer runs stuff outside of it, so it didn't work), this will overwrite the contents of RPMs you installed, so, again, only for testing.

I also had to remove the former host key from the VM metadata:

 xe vm-param-remove uuid=... param-name=other-config param-key=xscontainer-sshhostkey

kiu

@stormi Thanks, I just tried that and it still doesn't work

stormi

Well, I tried it myself on a freshly installed pool, and this worked. Can you elaborate on what doesn't work?

kiu

@stormi I still have the same problem, the key does not want to install and asks me if I want to try again.

stormi

What's the exact error message?

kiu

@stormi

Would you like to push a pool-specific public SSH key into the ~/.ssh/authorized_keys file of the specified VM and therefore authorize hosts in the pool to interact with the containers inside the VM?
Answer y/n: 
y
Attempting to push the public xscontainer key to USER@IP.
ID@IP's password: 
Success.
Attempting to refresh the state of the VM
Failure diagnosis: Unable to find ncat inside the VM. Please install ncat. 
Do you wish to retry?
Answer y/n:

kiu

My server is up to date

stormi

It's not the same error. Your VM is missing a required package : ncat, as the error message says.

kiu

@stormi My bad. Ok I installed the nmap-ncat package under rockylinux and works perfectly now Thank you

Finallf

@olivierlambert @stormi
Is there any solution for this, I'm researching how to use xcp-ng + XO to build and manage docker.
When I read about Xscontainer I was excited because it seemed like the best option.
I have a small server and would like to know what would be a clean and transparent solution to achieve this.

I've read a lot and I'm still confused.

Below is everything I researched and read on the subject:
https://xcp-ng.org/forum/topic/3232/docker-on-xcp-ng?page=1
https://xcp-ng.org/blog/2021/09/14/runx-next-generation-secured-containers/
https://www.youtube.com/watch?v=qOZk8xpIRpQ
http://oinformata.eti.br/wp/xcp-ng-8-0-debian10-docker/
https://doc.rmbinformatica.com.br/ajuda/redes-e-infraestrutura/xen-server/configurando-o-xenserver-para-monitoramento-de-containers-docker

codycrypto

I found another workaround (one-step solution) for the "Unable to verify key-based authentication error" without having to mess with any of the python packaging.

Adding

PubkeyAcceptedKeyTypes +ssh-rsa

To your /etc/ssh/sshd_config file will make the VM accept the older authentication

johnnyorange

@codycrypto this worked! thank you so much!

codycrypto

@johnnyorange Glad I could help! Took me weeks to figure that out lol....I would caution using that in production though, not sure the security implications for accepting the older key type.