LXC Linux Containers by example

LXC Linux Containers by example, by whistl, 2015-07-04 

  1.  # install ubuntu server 15.04
    1. # you can use physical hardware, like an Intel NUC
    2. # you can use a virtual machine, such as one of your Xen or VMware virtual servers
      1. # Give it 4+ GB RAM, 40+ GB disk to play with LXC
  2. # Select ubuntu guided disk partitioning with LVM, use all available disk.
  3. # but when it asks you how much space to use for guided partitioning,
  4. # enter “6G” (6 gigabytes, not the whole disk).
  5. # The host only needs a regular root and decent swap partitions.
  6. # You can add more swap partitions and vram later, if needed.
  7. # You’ll use the unallocated space later.
  8. # after your install is complete, reboot
  9. # login as your unprivileged user
  10. sudo -i
  11. apt-get clean all
  12. apt-get update
  13. apt-get upgrade
  14. apt-get install lxc openssh-server
  15. # configure bridge br0 so your containers can directly access the network (adjust the addresses below to match your own LAN)
  16. cat >/etc/network/interfaces <<EOL
  17. auto lo
  18. iface lo inet loopback
  19. iface eth0 inet manual
  20. auto br0
  21. iface br0 inet static
  22.    address 192.168.3.13
  23.    netmask 255.255.255.0
  24.    network 192.168.3.0
  25.    gateway 192.168.3.1
  26.    dns-nameservers 192.168.3.1
  27.    dns-search hak5.org
  28.    bridge_ports eth0
  29. EOL
  30. # configure the default container config files:
  31. cd /etc/lxc
  32. cat >seccomp.conf <<EOL
  33. 2
  34. blacklist
  35. [all]
  36. kexec_load errno 1
  37. open_by_handle_at errno 1
  38. init_module errno 1
  39. finit_module errno 1
  40. delete_module errno 1
  41. EOL
  42. cp default.conf default.conf.orig
  43. cat >default.conf <<EOL
  44. lxc.network.type = veth
  45. lxc.network.flags = up
  46. lxc.network.link = br0
  47. lxc.network.hwaddr = 00:16:3e:xx:xx:xx
  48. # autostart at boot time
  49. lxc.start.auto = 1
  50. lxc.start.delay = 5
  51. lxc.pivotdir = lxc_putold
  52. lxc.cap.drop = sys_module mac_admin mac_override sys_time
  53. # deny all device access by default
  54. lxc.cgroup.devices.deny = a
  55. # allow mknod
  56. lxc.cgroup.devices.allow = c *:* m
  57. lxc.cgroup.devices.allow = b *:* m
  58. # /dev/null, /dev/zero
  59. lxc.cgroup.devices.allow = c 1:3 rwm
  60. lxc.cgroup.devices.allow = c 1:5 rwm
  61. # consoles
  62. lxc.cgroup.devices.allow = c 5:0 rwm
  63. lxc.cgroup.devices.allow = c 5:1 rwm
  64. # /dev/{,u}random
  65. lxc.cgroup.devices.allow = c 1:8 rwm
  66. lxc.cgroup.devices.allow = c 1:9 rwm
  67. # /dev/pts/*
  68. lxc.cgroup.devices.allow = c 5:2 rwm
  69. lxc.cgroup.devices.allow = c 136:* rwm
  70. # rtc
  71. lxc.cgroup.devices.allow = c 254:0 rm
  72. # fuse
  73. lxc.cgroup.devices.allow = c 10:229 rwm
  74. # tun
  75. lxc.cgroup.devices.allow = c 10:200 rwm
  76. # full
  77. lxc.cgroup.devices.allow = c 1:7 rwm
  78. # hpet
  79. lxc.cgroup.devices.allow = c 10:228 rwm
  80. # kvm
  81. lxc.cgroup.devices.allow = c 10:232 rwm
  82. # loop devices
  83. #lxc.cgroup.devices.allow = b 7:* rwm
  84. # blacklist some syscalls
  85. lxc.seccomp = /etc/lxc/seccomp.conf
  86. EOL
  87. # reboot
  88. shutdown -r now
  89. # login
  90. sudo -i
  91. # list your LVM config
  92. pvs
  93. vgs
  94. lvs
  95. # Note your volume group name, mine was host15-vg
  96. # configure your first container using the ubuntu template
  97. lxc-create -n ubuntu1 -t ubuntu -B lvm --vgname host15-vg
  98. # start your container
  99. lxc-start -n ubuntu1 -d -c /var/log/ubuntu1.log -C
  100. # launch a root shell inside your container
  101. lxc-attach -n ubuntu1
  102. # view from within container
  103. ps -ef
  104. df -h
  105. ip addr show
  106. apt-get install openssh-server
  107. passwd ubuntu   # the template's default password is well known; change it before the container is reachable over ssh
  108. ps -ef
  109. # return to the host os
  110. exit
  111. # compare to the view from the host os
  112. ps -ef
  113. df -h
  114. ip addr show
  115. brctl show
  116. # how about using a template for another OS? (requires yum tool)
  117. apt-get install yum
  118. lxc-create -n centos2 -t centos -B lvm --vgname host15-vg
  119. lxc-start -n centos2 -d -c /var/log/centos2.log -C
  120. lxc-attach -n centos2
  121. exit
  122. # how about a library of pre-built container OSs?
  123. lxc-create -n foo -t download -- --list 2>&1 | less
  124. lxc-create -n centos3 -t download -B lvm --vgname host15-vg --fssize 4G -- --dist centos --release 6 --arch x86_64
  125. lxc-start -n centos3 -d -c /var/log/centos3.log -C
  126. lxc-attach -n centos3
  127. exit
  128. # the container’s config file is /var/lib/lxc/container/config
  129. # when using the filesystem backing store, the containers file system
  130. # is entirely located under /var/lib/lxc/container/rootfs
  131. # when using LVM backing store, a separate logical volume is created
  132. # using the container name, and is only visible by the container.
  133. # The command ‘lxc-clone -s’ uses LVM copy-on-write snapshot features
  134. # to conserve disk space
  135. lxc-stop -n ubuntu1
  136. lxc-clone -s --fssize 4G -o ubuntu1 -n ubuntu2
  137. lxc-start -n ubuntu1 -d -C -c /var/log/ubuntu1.log
  138. lxc-start -n ubuntu2 -d -C -c /var/log/ubuntu2.log
  139. # this feature allows you to create a “base” container with all
  140. # your favorite utilities pre-installed, passwords and security
  141. # configured just right, then you can use lxc-clone to produce
  142. # the actual containers where you install and run apache,
  143. # mariadb, openldap, etc.