====== LXC ======

new versions:
  ## replace lxc.network with lxc.net.0

====== Installation ======

$ sudo apt-get install lxc

====== Setup ======

## add unprivileged lxc user
See: < Notes/Server/misc.notes >
users:
  username: lxc

====== LXC ======

create:
  template: download
  distro: ubuntu
  release: xenial
  arch: amd64
  $ lxc-create -t ${template} -f ${config} -n ${containername}
  ## -- template options
  # $ lxc-create -t ${template} -f ${config} -n ${containername} -- -d ${distro} -r ${release} -a ${arch}
  ## no gpg key
  ## note: --no-validate turns off GPG verification of the downloaded image; prefer fixing the keyring (errors: "Keyring file not available" below) so the image stays verified
  # $ lxc-create -t ${template} -f ${config} -n ${containername} -- -d ${distro} -r ${release} -a ${arch} --no-validate

start:
  $ lxc-start -n ${containername}
  ## -- config options
  # $ lxc-start -n ${containername} -d -f ${config}

destroy:
  $ lxc-destroy -n ${containername}

stop:
  $ lxc-stop -n ${containername}

## show containers
list:
  $ lxc-ls -f
  # NAME STATE AUTOSTART GROUPS IPV4 IPV6

info:
  $ lxc-info -n ${containername}

access:
  $ lxc-console -n ${containername}
  # ubuntu@${containername}:~$

shell:
  $ lxc-attach -n ${containername}
  ## note: -e (--elevated-privileges) runs ${command} without dropping host privileges (capabilities, cgroup, LSM confinement); leave it off unless the command needs it
  $ lxc-attach -n ${containername} -e -- ${command}

## file locations
< /var/lib/lxc/${containername}/rootfs >

errors:
  - lxc: unshare: Operation not permitted
    ## note: both writes need a root shell and last only until reboot; unprivileged_userns_clone=1 lets every local user create user namespaces, not only the lxc user
    $ echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
    $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
  - lxc: missing newuidmap/newgidmap
    $ sudo apt-get install uidmap
  - lxc: Keyring file not available
    $ sudo apt-get install ubuntu-archive-keyring

====== CONTAINERS ======

configuration:

autostart:
  $ sudo nano /var/lib/lxc/${containername}/config
  < /var/lib/lxc/${containername}/config >
    lxc.start.auto = 1

ip:
  $ sudo nano /var/lib/lxc/${containername}/config
  < /var/lib/lxc/${containername}/config >
    lxc.network.type = veth
    lxc.network.link = lxcbr0
    lxc.network.flags = up
    lxc.network.hwaddr = 00:16:3e:xx:xx:xx

  ## static ip
  $ sudo nano /var/lib/lxc/${containername}/config
  < /var/lib/lxc/${containername}/config >
    # lxc.network.ipv4 = 10.0.4.79
    # lxc.network.ipv4.gateway = auto
  ${containername}:~$ sudo nano /etc/network/interfaces
  < /etc/network/interfaces >
    auto eth0
    iface eth0 inet static
    address 10.0.4.79
    netmask 255.255.255.0
    gateway 10.0.4.1

limits:
  $ sudo nano /var/lib/lxc/${containername}/config
  < /var/lib/lxc/${containername}/config >
    lxc.cgroup.memory.limit_in_bytes = 50000000
    lxc.cgroup.cpu.shares = 100
  ## -- alternative
  ## $ lxc-cgroup -n test-container cpu.shares 100

sharedfiles:
  ## note: chmod has no sudo here, so it runs as the calling user; mode 7777 sets setuid+setgid+sticky and makes the directory world-writable. The entry below mounts it ro, so read/execute for others (e.g. 0755) should be enough
  $ sudo mkdir /media/data/share && chmod 7777 /media/data/share
  ${containername}:~$ sudo mkdir share
  $ sudo nano /var/lib/lxc/${containername}/config
  < /var/lib/lxc/${containername}/config >
    lxc.mount.entry = /media/data/share share none ro,bind 0 0

debugging:
  $ sudo strace -o strace.out -f -u "${USER}" lxc-usernsexec

location:
  < /home/lxc/.local/share/lxc/${containername} >

====== Networking ======

$ sudo apt install dnsmasq-base
$ sudo systemctl restart lxc-net
$ sudo systemctl status lxc-net
$ sudo nano /etc/lxc/default.conf
< /etc/lxc/default.conf >
  lxc.network.type = veth
  lxc.network.link = lxcbr0
  lxc.network.flags = up
  lxc.network.hwaddr = 00:16:3e:xx:xx:xx
$ sudo nano /etc/default/lxc-net
< /etc/default/lxc-net >
  USE_LXC_BRIDGE="true"
$ sudo systemctl restart lxc-net
$ sudo systemctl status lxc-net
$ sudo ip -4 -o a show lxcbr0
14: lxcbr0 inet 10.0.3.1/24 scope global lxcbr0\ valid_lft forever preferred_lft forever

====== Configuration ======

## CONFIG=/usr/src/linux-headers-4.4.0-78-generic/.config
$ lxc-checkconfig
# Kernel configuration not found at /proc/config.gz; searching...
# Kernel configuration found at /boot/config-3.8.0-19-generic
# --- Namespaces ---
# Namespaces: enabled
# Utsname namespace: enabled
# Ipc namespace: enabled
# Pid namespace: enabled
# User namespace: enabled
# Network namespace: enabled
# Multiple /dev/pts instances: enabled
# --- Control groups ---
# Cgroup: enabled
# Cgroup clone_children flag: enabled
# Cgroup device: enabled
# Cgroup sched: enabled
# Cgroup cpu account: enabled
# Cgroup memory controller: enabled
# Cgroup cpuset: enabled
# --- Misc ---
# Veth pair device: enabled
# Macvlan: enabled
# Vlan: enabled
# Bridges: enabled
# Advanced netfilter: enabled
# CONFIG_NF_NAT_IPV4: enabled
# CONFIG_NF_NAT_IPV6: enabled
# CONFIG_IP_NF_TARGET_MASQUERADE: enabled
# CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
# CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
# FUSE (for use with lxcfs): enabled
# --- Checkpoint/Restore ---
# checkpoint restore: enabled
# CONFIG_FHANDLE: enabled
# CONFIG_EVENTFD: enabled
# CONFIG_EPOLL: enabled
# CONFIG_UNIX_DIAG: enabled
# CONFIG_INET_DIAG: enabled
# CONFIG_PACKET_DIAG: enabled
# CONFIG_NETLINK_DIAG: enabled
# File capabilities: enabled
# Note : Before booting a new kernel, you can check its configuration
# usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
#
# kernel configuration

## make sure your user has a uid and gid map defined in /etc/subuid and /etc/subgid.
$ nano /etc/subuid
  lxd:100000:65536
  root:100000:65536
  ubuntu:165536:65536
$ nano /etc/subgid
  lxd:100000:65536
  root:100000:65536
  ubuntu:165536:65536
## note: the ubuntu range must not overlap the root/lxd range, so container uids/gids of different owners never collide on the host

## virtual ethernet (veth) - links containers with the host system
## lxcbr0 - name of the LXC network bridge - the only supported network type
## 10 - quota of interfaces for the user
## note: needs a root shell; with `sudo echo ...` the >> redirection would still run as the calling user
$ echo ${username} veth lxcbr0 10 >> /etc/lxc/lxc-usernet

$ mkdir -p ~/.config/lxc
$ cp /etc/lxc/default.conf ~/.config/lxc/default.conf
$ sudo nano ~/.config/lxc/default.conf
< ~/.config/lxc/default.conf >
  lxc.id_map = u 0 100000 65536 ## make sure this matches /etc/subuid
  lxc.id_map = g 0 100000 65536 ## make sure this matches /etc/subgid
  ## unprivileged
  lxc.id_map = u 0 165536 65536 ## make sure this matches /etc/subuid
  lxc.id_map = g 0 165536 65536 ## make sure this matches /etc/subgid

## error creating unprivileged container
cat /proc/sys/kernel/unprivileged_userns_clone
## if 0:
## note: run as root; this persistently enables user namespaces for every unprivileged user on the host, not only the container user
echo "kernel.unprivileged_userns_clone=1" > /etc/sysctl.d/80-lxc-userns.conf
sysctl --system

References:
  https://www.digitalocean.com/community/tutorials/getting-started-with-lxc-on-an-ubuntu-13-04-vps