tools:lxc [2022/09/01 18:25]
darron [Configure]
tools:lxc [2024/04/28 18:47] (current)
darron [Initialise]
Line 2: Line 2:
  
 Linux containers (LXC) is the Linux implementation of FreeBSD Jails. Linux containers (LXC) is the Linux implementation of FreeBSD Jails.
- 
-This page mostly covers usage in debian, however, due to limitations 
-there it's best to adapt this to ubuntu instead. Only minor differences 
-exist and they are not mentioned. 
  
 Within a Linux container we can run a self-contained installation of Linux Within a Linux container we can run a self-contained installation of Linux
Line 16: Line 12:
  
 <code> <code>
-apt-get install lxc lxc-templates bridge-utils cgroupfs-mount+apt-get install lxc lxc-templates bridge-utils cgroupfs-mount conntrack iptables debootstrap
 /etc/init.d/cgroupfs-mount start /etc/init.d/cgroupfs-mount start
 </code> </code>
Line 35: Line 31:
 ==systemd== ==systemd==
 <code> <code>
 +systemctl disable lxc-monitord.service
 +systemctl mask lxc-monitord.service
 systemctl disable lxc-net.service systemctl disable lxc-net.service
 systemctl disable lxc.service systemctl disable lxc.service
Line 42: Line 40:
  
 <code> <code>
-sed -i 's/LXC_AUTO="true"/LXC_AUTO="false"/ /etc/default/lxc +sed -i 's/LXC_AUTO="true"/LXC_AUTO="false"/g' /etc/default/lxc 
-sed -i 's/USE_LXC_BRIDGE="true"/USE_LXC_BRIDGE="false"/ /etc/default/lxc-net+sed -i 's/USE_LXC_BRIDGE="true"/USE_LXC_BRIDGE="false"/g' /etc/default/lxc-net
 </code> </code>
  
Line 82: Line 80:
  
 <code> <code>
-#!/bin/sh +#! /bin/sh 
-PATH=/sbin+PATH=/sbin:/usr/sbin:/bin:/usr/bin
  
 iptables -t filter -F iptables -t filter -F
Line 89: Line 87:
 iptables -t raw -F iptables -t raw -F
 iptables -t nat -F iptables -t nat -F
-/usr/sbin/conntrack -F+conntrack -F
  
 # raw:PREROUTING # raw:PREROUTING
Line 109: Line 107:
 iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -d 0/0 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -d 0/0 -j MASQUERADE
  
-sysctl -w net.bridge.bridge-nf-call-ip6tables=0 
-sysctl -w net.bridge.bridge-nf-call-iptables=0 
-sysctl -w net.bridge.bridge-nf-call-arptables=0 
 sysctl -w net.ipv4.ip_forward=1 sysctl -w net.ipv4.ip_forward=1
 sysctl -w net.ipv4.conf.all.proxy_arp=1 sysctl -w net.ipv4.conf.all.proxy_arp=1
 +
 sysctl -w net.netfilter.nf_conntrack_max=524288 sysctl -w net.netfilter.nf_conntrack_max=524288
-sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=7440+sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7440 
 echo 65536 > /sys/module/nf_conntrack/parameters/hashsize echo 65536 > /sys/module/nf_conntrack/parameters/hashsize
 echo "1024 65535" > /proc/sys/net/ipv4/ip_local_port_range echo "1024 65535" > /proc/sys/net/ipv4/ip_local_port_range
Line 140: Line 137:
  
 <code> <code>
 +mkdir -p /var/cache/lxc/debian
 wget "https://ftp-master.debian.org/keys/release-10.asc" wget "https://ftp-master.debian.org/keys/release-10.asc"
 +gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-10.asc
 wget "https://ftp-master.debian.org/keys/release-11.asc" wget "https://ftp-master.debian.org/keys/release-11.asc"
-gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-10.asc 
 gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-11.asc gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-11.asc
 </code> </code>
Line 157: Line 155:
 lxc-create -n terminator -t debian -- -r bullseye -a armhf lxc-create -n terminator -t debian -- -r bullseye -a armhf
 </code> </code>
-=== Configure === 
  
-==/var/lib/lxc/HOSTNAME/config== +Install bookworm (32-bit)
- +
-__Obsolete Debian template__+
  
 <code> <code>
-# Template used to create this container: /usr/share/lxc/templates/lxc-debian +lxc-create -n cracker -t debian -- -r bookworm -a armhf
-# Parameters passed to the template: -r wheezy -a amd64 +
-# For additional config options, please look at lxc.container.conf(5) +
-lxc.rootfs = /var/lib/lxc/HOSTNAME/rootfs +
- +
-# Common configuration +
-lxc.include = /usr/share/lxc/config/debian.common.conf +
- +
-# Container specific configuration +
-lxc.mount = /var/lib/lxc/HOSTNAME/fstab +
-lxc.utsname = HOSTNAME +
-lxc.arch = amd64 +
- +
-# Network +
-lxc.network.type = veth +
-lxc.network.flags = up +
- +
-# that's the interface defined above in host's interfaces file +
-lxc.network.link = lxcbr0 +
- +
-# name of network device inside the container, +
-# defaults to eth0, you could choose a name freely +
-lxc.network.name = lxcnet0  +
- +
-lxc.network.hwaddr = 00:FF:AA:00:00:01 +
-lxc.network.veth.pair = veth1 +
- +
-# the ip may be set to 0.0.0.0/24 or skip this line +
-# if you like to use a dhcp client inside the container +
-lxc.network.ipv4 = 10.10.10.10/24 +
- +
-# define a gateway to have access to the internet +
-lxc.network.ipv4.gateway = 10.10.10.1 +
- +
-# Autostart +
-lxc.start.auto = 1 +
-lxc.start.delay = 5 +
-lxc.start.order = 100+
 </code> </code>
 +=== Configure ===
  
-__Modern Debian template__+==/var/lib/lxc/HOSTNAME/config==
  
 <code> <code>
Line 216: Line 175:
 # (Be aware this has security implications) # (Be aware this has security implications)
  
-lxc.net.0.type = empty+#lxc.net.0.type = veth 
 +#lxc.net.0.hwaddr = 00:XX:XX:XX:XX:XX 
 +#lxc.net.0.link = lxcbr0 
 +#lxc.net.0.flags = up
 lxc.apparmor.profile = generated lxc.apparmor.profile = generated
 lxc.apparmor.allow_nesting = 1 lxc.apparmor.allow_nesting = 1
Line 239: Line 201:
 lxc.net.0.veth.pair = veth0 lxc.net.0.veth.pair = veth0
 lxc.net.0.ipv4.address = ?/24 lxc.net.0.ipv4.address = ?/24
-lxc.net.0.ipv6.address = ? 
 lxc.net.0.ipv4.gateway = ? lxc.net.0.ipv4.gateway = ?
-lxc.net.0.ipv6.gateway = ? +#lxc.net.0.ipv6.address = ? 
- +#lxc.net.0.ipv6.gateway = ?
-You may need the following for initial boot (Devuan) +
- +
-# You can replace systemd with runit afterwards by changing the lxc.init.cmd before rebooting+
  
 +# You may need the following for initial boot
 +#
 +# You can replace systemd by changing the lxc.init.cmd before rebooting
 +#
 lxc.cgroup.devices.allow = lxc.cgroup.devices.allow =
 lxc.cgroup.devices.deny = lxc.cgroup.devices.deny =
Line 283: Line 245:
 some user ids to map to the container then configure it. some user ids to map to the container then configure it.
  
-This has been tested to work Ubuntu vivid. It failed to operate on Debian +This has been tested to work Ubuntu vivid and nothing else since.
-at this time due to set up of /dev within the container and possibly other issues.+
  
 When assigning a range of ids to the root user. Choose what is available, here i When assigning a range of ids to the root user. Choose what is available, here i
 chose 200000 because this was free. chose 200000 because this was free.
 +
 <code> <code>
 usermod --add-subuids 200000-265535 root usermod --add-subuids 200000-265535 root
Line 308: Line 270:
 Now we can start and stop the container, attach to it, etc. Now we can start and stop the container, attach to it, etc.
  
 +===Runit===
  
 +Start container and login as root
 +<code>
 +lxc-start -F -n container
 +</code>
 +
 +Install runit. It will ask you to enter a phrase and after installation reboot.
 +
 +<code>
 +apt install runit-init
 +reboot
 +</code>
 +
 +Login to tidy up.
 +
 +<code>
 +lxc-attach -n container
 +cd /etc/service
 +rm getty-tty*
 +</code>
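Review bot: In the "Line 140: Line 137:" hunk the re-ordered `gpg --no-default-keyring --keyring /var/cache/lxc/debian/archive-key.gpg --import release-10.asc` line and its release-11 counterpart import whatever `wget` just fetched straight into the keyring that later vouches for the debootstrap'd packages, with no check that the files carry the expected key fingerprints. A fingerprint comparison before each import, e.g. `gpg --show-keys --with-fingerprint release-11.asc` checked against the fingerprints Debian publishes at ftp-master.debian.org/keys.html, makes the keyring's trust explicit instead of resting on the TLS connection alone. The `wget` calls also have no failure handling, so a download error leaves a missing or partial file that only surfaces later as a gpg import error; `wget "https://ftp-master.debian.org/keys/release-11.asc" || exit 1` stops the sequence at the bad fetch. The snippet is a wiki code block rather than a script, so whether it runs under `set -e` cannot be told from the page.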