Differences

tools:lxc [2022/09/01 18:24]
darron [Run]
tools:lxc [2024/04/28 18:36]
darron [Initialise]
Line 2: Line 2:
  
 Linux containers (LXC) is the Linux implementation of FreeBSD Jails. Linux containers (LXC) is the Linux implementation of FreeBSD Jails.
- 
-This page mostly covers usage in debian, however, due to limitations 
-there it's best to adapt this to ubuntu instead. Only minor differences 
-exist and they are not mentioned. 
  
 Within a Linux container we can run a self-contained installation of Linux Within a Linux container we can run a self-contained installation of Linux
Line 16: Line 12:
  
 <code> <code>
-apt-get install lxc lxc-templates bridge-utils cgroupfs-mount+apt-get install lxc lxc-templates bridge-utils cgroupfs-mount conntrack iptables debootstrap
 /etc/init.d/cgroupfs-mount start /etc/init.d/cgroupfs-mount start
 </code> </code>
Line 35: Line 31:
 ==systemd== ==systemd==
 <code> <code>
 +systemctl disable lxc-monitord.service
 +systemctl mask lxc-monitord.service
 systemctl disable lxc-net.service systemctl disable lxc-net.service
 systemctl disable lxc.service systemctl disable lxc.service
Line 42: Line 40:
  
 <code> <code>
-sed -i 's/LXC_AUTO="true"/LXC_AUTO="false"/ /etc/default/lxc +sed -i 's/LXC_AUTO="true"/LXC_AUTO="false"/g' /etc/default/lxc 
-sed -i 's/USE_LXC_BRIDGE="true"/USE_LXC_BRIDGE="false"/ /etc/default/lxc-net+sed -i 's/USE_LXC_BRIDGE="true"/USE_LXC_BRIDGE="false"/g' /etc/default/lxc-net
 </code> </code>
  
Line 82: Line 80:
  
 <code> <code>
-#!/bin/sh +#! /bin/sh 
-PATH=/sbin+PATH=/sbin:/usr/sbin:/bin:/usr/bin
  
 iptables -t filter -F iptables -t filter -F
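Review bot: `iptables -t filter -F` on the last line (and the flushes that follow it in the next hunk) runs before any default policy is set, so on a re-run the host is briefly rule-less while `net.ipv4.ip_forward=1` from the previous run is still in effect; any `-P` lines are further down, outside the hunk. Set `iptables -P INPUT DROP` and `iptables -P FORWARD DROP` ahead of the flushes, or express the ruleset as an `iptables-restore` file so the tables are replaced atomically. The widened PATH on the second line is what lets the later hunk (Line 89) drop the absolute `/usr/sbin/conntrack` path; since the script still has no `set -e`, consider adding it directly after the shebang so a failed flush or rule insertion stops the script instead of leaving a partial ruleset in place.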
Line 89: Line 87:
 iptables -t raw -F iptables -t raw -F
 iptables -t nat -F iptables -t nat -F
-/usr/sbin/conntrack -F+conntrack -F
  
 # raw:PREROUTING # raw:PREROUTING
Line 109: Line 107:
 iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -d 0/0 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -d 0/0 -j MASQUERADE
  
-sysctl -w net.bridge.bridge-nf-call-ip6tables=0 
-sysctl -w net.bridge.bridge-nf-call-iptables=0 
-sysctl -w net.bridge.bridge-nf-call-arptables=0 
 sysctl -w net.ipv4.ip_forward=1 sysctl -w net.ipv4.ip_forward=1
 sysctl -w net.ipv4.conf.all.proxy_arp=1 sysctl -w net.ipv4.conf.all.proxy_arp=1
 +
 sysctl -w net.netfilter.nf_conntrack_max=524288 sysctl -w net.netfilter.nf_conntrack_max=524288
-sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=7440+sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7440 
 echo 65536 > /sys/module/nf_conntrack/parameters/hashsize echo 65536 > /sys/module/nf_conntrack/parameters/hashsize
 echo "1024 65535" > /proc/sys/net/ipv4/ip_local_port_range echo "1024 65535" > /proc/sys/net/ipv4/ip_local_port_range
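Review bot: Removing the three `net.bridge.bridge-nf-call-*=0` lines changes which traffic the rules above see: when br_netfilter is loaded those sysctls default to 1, so bridged frames between containers on lxcbr0 also traverse the filter and nat chains, which the rules above (e.g. the MASQUERADE on eth0) were presumably not written for; if the removal is deliberate, say so, e.g. `# bridged container traffic is intentionally passed through iptables`. The corrected `net.netfilter.nf_conntrack_tcp_timeout_established` sysctl and the write to `/sys/module/nf_conntrack/parameters/hashsize` only succeed once nf_conntrack is loaded, and under `#!/bin/sh` without `set -e` a failure here is silent; consider `sysctl -w net.netfilter.nf_conntrack_max=524288 || echo 'conntrack tuning failed' >&2` for the tuning lines.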
Line 140: Line 137:
  
 <code> <code>
 +mkdir -p /var/cache/lxc/debian
 wget "https://ftp-master.debian.org/keys/release-10.asc" wget "https://ftp-master.debian.org/keys/release-10.asc"
 +gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-10.asc
 wget "https://ftp-master.debian.org/keys/release-11.asc" wget "https://ftp-master.debian.org/keys/release-11.asc"
-gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-10.asc 
 gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-11.asc gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-11.asc
 </code> </code>
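Review bot: The two keys are fetched over TLS but never compared with a published fingerprint before being imported into `/var/cache/lxc/debian/archive-key.gpg`; after the imports add `gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --fingerprint` and check the output against the fingerprints Debian publishes for its release keys. The plain `wget` calls also save into the current directory, so a second run writes `release-10.asc.1` while `--import release-10.asc` re-reads the stale first download; use `wget -O release-10.asc "https://ftp-master.debian.org/keys/release-10.asc"` (and the same for release-11) so each run imports what it just fetched.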
Line 157: Line 155:
 lxc-create -n terminator -t debian -- -r bullseye -a armhf lxc-create -n terminator -t debian -- -r bullseye -a armhf
 </code> </code>
-=== Configure === 
  
-==/var/lib/lxc/HOSTNAME/config== +Install bookworm
- +
-__Obsolete Debian template__+
  
 <code> <code>
-# Template used to create this container: /usr/share/lxc/templates/lxc-debian +lxc-create -n cracker -t debian -- -r bookworm -a armhf
-# Parameters passed to the template: -r wheezy -a amd64 +
-# For additional config options, please look at lxc.container.conf(5) +
-lxc.rootfs = /var/lib/lxc/HOSTNAME/rootfs +
- +
-# Common configuration +
-lxc.include = /usr/share/lxc/config/debian.common.conf +
- +
-# Container specific configuration +
-lxc.mount = /var/lib/lxc/HOSTNAME/fstab +
-lxc.utsname = HOSTNAME +
-lxc.arch = amd64 +
- +
-# Network +
-lxc.network.type = veth +
-lxc.network.flags = up +
- +
-# that's the interface defined above in host's interfaces file +
-lxc.network.link = lxcbr0 +
- +
-# name of network device inside the container, +
-# defaults to eth0, you could choose a name freely +
-lxc.network.name = lxcnet0  +
- +
-lxc.network.hwaddr = 00:FF:AA:00:00:01 +
-lxc.network.veth.pair = veth1 +
- +
-# the ip may be set to 0.0.0.0/24 or skip this line +
-# if you like to use a dhcp client inside the container +
-lxc.network.ipv4 = 10.10.10.10/24 +
- +
-# define a gateway to have access to the internet +
-lxc.network.ipv4.gateway = 10.10.10.1 +
- +
-# Autostart +
-lxc.start.auto = 1 +
-lxc.start.delay = 5 +
-lxc.start.order = 100+
 </code> </code>
 +=== Configure ===
  
-__Modern Debian template__+==/var/lib/lxc/HOSTNAME/config==
  
 <code> <code>
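Review bot: The new `lxc-create -n cracker -t debian -- -r bookworm -a armhf` relies on the keyring built in the earlier hunk (Line 140), which imports only the release-10 and release-11 keys; a bookworm Release file is signed with the Debian 12 keys, so debootstrap inside the template may reject it unless a `release-12.asc` key is imported the same way — confirm how the installed lxc-debian template populates `/var/cache/lxc/debian/archive-key.gpg` before relying on this. Either add the matching import line to the Initialise section or note the requirement under `Install bookworm`, e.g. `Requires the Debian 12 release key in the archive keyring (see Initialise)`.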
Line 216: Line 175:
 # (Be aware this has security implications) # (Be aware this has security implications)
  
-lxc.net.0.type = empty+#lxc.net.0.type = veth 
 +#lxc.net.0.hwaddr = 00:XX:XX:XX:XX:XX 
 +#lxc.net.0.link = lxcbr0 
 +#lxc.net.0.flags = up
 lxc.apparmor.profile = generated lxc.apparmor.profile = generated
 lxc.apparmor.allow_nesting = 1 lxc.apparmor.allow_nesting = 1
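Review bot: With `lxc.net.0.type = empty` removed and the replacement `lxc.net.0.type = veth` commented out, this block no longer declares a type for net.0, yet the later hunk (Line 239) still sets `lxc.net.0.veth.pair`, `lxc.net.0.ipv4.address` and the gateway; LXC expects the type key before every other `lxc.net.0.*` key, so either uncomment the type line here or make sure an uncommented type precedes those keys — the lines between the two hunks are outside this view. If the four commented lines are meant as a fill-in template, say so above them, e.g. `# uncomment and set hwaddr to attach the container to lxcbr0 with a veth`.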
Line 239: Line 201:
 lxc.net.0.veth.pair = veth0 lxc.net.0.veth.pair = veth0
 lxc.net.0.ipv4.address = ?/24 lxc.net.0.ipv4.address = ?/24
-lxc.net.0.ipv6.address = ? 
 lxc.net.0.ipv4.gateway = ? lxc.net.0.ipv4.gateway = ?
-lxc.net.0.ipv6.gateway = ? +#lxc.net.0.ipv6.address = ? 
- +#lxc.net.0.ipv6.gateway = ?
-You may need the following for initial boot (Devuan) +
- +
-# You can replace systemd with runit and afterwards by changing the lxc.init.cmd before rebooting+
  
 +# You may need the following for initial boot
 +#
 +# You can replace systemd by changing the lxc.init.cmd before rebooting
 +#
 lxc.cgroup.devices.allow = lxc.cgroup.devices.allow =
 lxc.cgroup.devices.deny = lxc.cgroup.devices.deny =
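Review bot: `lxc.cgroup.devices.allow =` and `lxc.cgroup.devices.deny =` with empty values clear the device lists accumulated from the included configuration, so the container likely runs with looser device access than `/usr/share/lxc/config/debian.common.conf` provides — confirm against that file. The new comment says this may be needed for the initial boot only, so state the rollback explicitly, e.g. `# Remove these two lines once the container boots; they clear the device allow/deny lists`. The commented-out `#lxc.net.0.ipv6.address = ?` and `#lxc.net.0.ipv6.gateway = ?` lines keep the `?` placeholders from the ipv4 lines above; a one-line comment such as `# replace ? with the container address and its gateway` would save a reader a lookup.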
Line 283: Line 245:
 some user ids to map to the container then configure it. some user ids to map to the container then configure it.
  
-This has been tested to work Ubuntu vivid. It failed to operate on Debian +This has been tested to work Ubuntu vivid and nothing else since.
-at this time due to set up of /dev within the container and possibly other issues.+
  
 When assigning a range of ids to the root user. Choose what is available, here i When assigning a range of ids to the root user. Choose what is available, here i
 chose 200000 because this was free. chose 200000 because this was free.
 +
 <code> <code>
 usermod --add-subuids 200000-265535 root usermod --add-subuids 200000-265535 root
Line 308: Line 270:
 Now we can start and stop the container, attach to it, etc. Now we can start and stop the container, attach to it, etc.
  
 +===Runit===
  
 +Start container and login as root
 +<code>
 +lxc-start -F -n container
 +</code>
 +
 +Install runit. It will ask you to enter a phrase and after installation reboot.
 +
 +<code>
 +apt install runit-init
 +reboot
 +</code>
 +
 +Login to tidy up.
 +
 +<code>
 +lxc-attach -n container
 +cd /etc/service
 +rm getty-tty*
 +</code>