virtualization:lxc

LXC

  new versions:
  ## replace lxc.network with lxc.net.0

Installation

  $ sudo apt-get install lxc

Setup

  ## add unprivileged lxc user
  See: < Notes/Server/misc.notes >
      users:
          username: lxc

LXC

  create:
      template: download
      distro: ubuntu
      release: xenial
      arch: amd64
      $ lxc-create -t ${template} -f ${config} -n ${containername}
      ## -- template options
          # $ lxc-create -t ${template} -f ${config} -n ${containername} -- -d ${distro} -r ${release} -a ${arch}
      ## no gpg key
          # $ lxc-create -t ${template} -f ${config} -n ${containername} -- -d ${distro} -r ${release} -a ${arch} --no-validate
  start:
      $ lxc-start -n ${containername}
      ## -- config options
          # $lxc-start -n ${containername} -d -f ${config}
  destroy:
      $ lxc-destroy -n ${containername}
  stop:
      $ lxc-stop -n ${containername}
  ## show containers
  list:
      $ lxc-ls -f
          # NAME           STATE   AUTOSTART GROUPS IPV4       IPV6
  info:
      $ lxc-info -n ${containername}
  access:
      $ lxc-console -n ${containername}
          # ubuntu@${containername}:~$
  shell:
      $ lxc-attach -n ${containername}
      $ lxc-attach -n ${containername} -e -- ${command}
  ## file locations
  < /var/lib/lxc/${containername}/rootfs >
  errors:
      - lxc: unshare: Operation not permitted
          $ echo 1 > /sys/fs/cgroup/cpuset/cgroup.clone_children
          $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
      - lxc: missing newuidmap/newgidmap
          $ sudo apt-get install uidmap
      - lxc: Keyring file not available
          $ sudo apt-get install ubuntu-archive-keyring

CONTAINERS

  configuration:
      autostart:
          $ sudo nano /var/lib/lxc/${containername}/config
              <  /var/lib/lxc/${containername}/config >
                  lxc.start.auto = 1
      ip:
          $ sudo nano /var/lib/lxc/${containername}/config
              <  /var/lib/lxc/${containername}/config >
                  lxc.network.type = veth
                  lxc.network.link = lxcbr0
                  lxc.network.flags = up
                  lxc.network.hwaddr = 00:16:3e:xx:xx:xx
          ## static ip
              $ sudo nano /var/lib/lxc/${containername}/config
                  <  /var/lib/lxc/${containername}/config >
                      # lxc.network.ipv4 = 10.0.4.79
                      # lxc.network.ipv4.gateway = auto
              ${containername}:~$ sudo nano /etc/network/interfaces
                   < /etc/network/interfaces >
                      auto eth0
                      iface eth0 inet static
                          address 10.0.4.79
                          netmask 255.255.255.0
                          gateway 10.0.4.1
      limits:
          $ sudo nano /var/lib/lxc/${containername}/config
              <  /var/lib/lxc/${containername}/config >
                  lxc.cgroup.memory.limit_in_bytes = 50000000
                  lxc.cgroup.cpu.shares = 100
          ## -- alternative
          ## $ lxc-cgroup -n test-container cpu.shares 100
      sharedfiles:
          $ sudo mkdir /media/data/share && chmod 7777 /media/data/share
          ## note: after `sudo mkdir` the directory is root-owned, so the chmod needs sudo too; 7777 also makes it world-writable on the host (plus setuid/setgid/sticky), a narrower mode (e.g. 2775 with a dedicated group) is enough for a ro,bind mount
          ${containername}:~$ sudo mkdir share
          $ sudo nano /var/lib/lxc/${containername}/config
              < /var/lib/lxc/${containername}/config >
                  lxc.mount.entry = /media/data/share share none ro,bind 0 0
      debugging:
          $ sudo strace -o strace.out -f -u "${USER}" lxc-usernsexec
  location:
      < /home/lxc/.local/share/lxc/${containername} >

Networking

  $ sudo apt install dnsmasq-base
  $ sudo systemctl restart lxc-net
  $ sudo systemctl status lxc-net
  $ sudo nano /etc/lxc/default.conf
      < /etc/lxc/default.conf >
          lxc.network.type = veth
          lxc.network.link = lxcbr0
          lxc.network.flags = up
          lxc.network.hwaddr = 00:16:3e:xx:xx:xx
  $ sudo nano /etc/default/lxc-net
      < /etc/default/lxc-net >
          USE_LXC_BRIDGE="true"
  $ sudo systemctl restart lxc-net
  $ sudo systemctl status lxc-net
  $ sudo ip -4 -o a show lxcbr0
      14: lxcbr0    inet 10.0.3.1/24 scope global lxcbr0\       valid_lft forever preferred_lft forever

Configuration

  ## CONFIG=/usr/src/linux-headers-4.4.0-78-generic/.config
  $ lxc-checkconfig
      # Kernel configuration not found at /proc/config.gz; searching...
      # Kernel configuration found at /boot/config-3.8.0-19-generic
      # --- Namespaces ---
      # Namespaces: enabled
      # Utsname namespace: enabled
      # Ipc namespace: enabled
      # Pid namespace: enabled
      # User namespace: enabled
      # Network namespace: enabled
      # Multiple /dev/pts instances: enabled
      # --- Control groups ---
      # Cgroup: enabled
      # Cgroup clone_children flag: enabled
      # Cgroup device: enabled
      # Cgroup sched: enabled
      # Cgroup cpu account: enabled
      # Cgroup memory controller: enabled
      # Cgroup cpuset: enabled
      # --- Misc ---
      # Veth pair device: enabled
      # Macvlan: enabled
      # Vlan: enabled
      # Bridges: enabled
      # Advanced netfilter: enabled
      # CONFIG_NF_NAT_IPV4: enabled
      # CONFIG_NF_NAT_IPV6: enabled
      # CONFIG_IP_NF_TARGET_MASQUERADE: enabled
      # CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
      # CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
      # FUSE (for use with lxcfs): enabled
      # --- Checkpoint/Restore ---
      # checkpoint restore: enabled
      # CONFIG_FHANDLE: enabled
      # CONFIG_EVENTFD: enabled
      # CONFIG_EPOLL: enabled
      # CONFIG_UNIX_DIAG: enabled
      # CONFIG_INET_DIAG: enabled
      # CONFIG_PACKET_DIAG: enabled
      # CONFIG_NETLINK_DIAG: enabled
      # File capabilities: enabled
      # Note : Before booting a new kernel, you can check its configuration
      # usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
      # # kernel configuration
  ## make sure your user has a uid and gid map defined in /etc/subuid and /etc/subgid.
  $ nano /etc/subuid
      lxd:100000:65536
      root:100000:65536
      ubuntu:165536:65536
  $ nano /etc/subgid
      lxd:100000:65536
      root:100000:65536
      ubuntu:165536:65536
  ## veth - virtual ethernet, links containers with the host system (the only supported network type)
  ## lxcbr0 - name of the LXC network bridge
  ## 10 - quota of interfaces for the user
  $ echo ${username} veth lxcbr0 10 >> /etc/lxc/lxc-usernet
  $ mkdir -p ~/.config/lxc
  $ cp /etc/lxc/default.conf ~/.config/lxc/default.conf
  $ sudo nano ~/.config/lxc/default.conf
      < ~/.config/lxc/default.conf >
          lxc.id_map = u 0 100000 65536   ## make sure this matches /etc/subuid
          lxc.id_map = g 0 100000 65536   ## make sure this matches /etc/subgid
          ## unprivileged
          lxc.id_map = u 0 165536 65536   ## make sure this matches /etc/subuid
          lxc.id_map = g 0 165536 65536   ## make sure this matches /etc/subgid
  ## error creating unprivileged container
  cat /proc/sys/kernel/unprivileged_userns_clone
  ## if 0:
  echo "kernel.unprivileged_userns_clone=1" > /etc/sysctl.d/80-lxc-userns.conf
  sysctl --system

References: https://www.digitalocean.com/community/tutorials/getting-started-with-lxc-on-an-ubuntu-13-04-vps
