LXC Containers
From wikinotes
LXC containers let you start OS-level containers (these notes loosely call them VMs) that share the currently running kernel, similar to BSD's jails. HOWEVER, unlike jails, the containers set up below are privileged (no user namespace / uid map): uid 0 inside the container is uid 0 on the host, the rootfs under /var/lib/lxc is owned by host root, and the kernel is shared. If you have root access to such a container, treat it as root access to the host machine.
Locations
Resources
  /usr/share/lxc/templates              lxc setup templates for various distros
Containers
  /var/lib/lxc/CONTAINER_NAME           container location
  /var/lib/lxc/CONTAINER_NAME/config    container config
  /var/lib/lxc/CONTAINER_NAME/rootfs    container filesystem
Install
sudo pacman -S lxc arch-install-scripts bridge-utils
packer -S yum   # if using centos containers (packer is an AUR helper; yum is in the AUR)
packer -S debootstrap   # if using debian containers
Usage
lxc-create -n NAME -t TEMPLATE   # create container
lxc-ls   # list containers
lxc-ls --active   # list running containers
lxc-start -n NAME   # start container
lxc-start -n NAME -d   # start container in background
lxc-attach -n NAME   # start shell in container running in background
Network Setup
The Arch lxc templates expect a network bridge ('br0'). Rather than creating several bridges for several OSes, we'll create a single bridge and use it as the gateway for all containers.

# /etc/netctl/lxcbridge
Description="LXC Bridge"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0)   # !!!! I've had a very difficult time with this, if not working, try removing the interface it binds to.
IP=static
Address=10.0.0.1/24
SkipForwardingDelay=yes

su   # root shell: with 'sudo iptables-save > file' the redirect would open the file as your own user
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # NATs everything the host forwards out eth0; the per-source rules below are tighter
iptables-save > /etc/iptables/iptables.rules

sudo netctl reenable lxcbridge   # load config (reenable is necessary for config changes)
sudo netctl start lxcbridge   # (re)start lxcbridge
ifconfig br0   # check br0 status
ip addr   # check available interfaces

su   # su is necessary for saving iptables (the redirect must run as root). Cannot be sudo
systemctl enable iptables   # enable iptables rule-loading on boot
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0 -j MASQUERADE   # allow a specific IP address access to the external internet
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o enp0s25 -j MASQUERADE   # one rule per host interface that will be connecting to the internet
iptables -t nat --list   # confirm that both of your iptables rules are shown
iptables-save > /etc/iptables/iptables.rules   # these are just firewall (NAT) rules; all of the binding is done with the bridge

# /etc/sysctl.d/40-ip-forward.conf
net.ipv4.ip_forward=1   # allow IP forwarding in the kernel on boot

sudo sysctl net.ipv4.ip_forward=1   # allow IP forwarding in the current session

Note that with ip_forward=1 the host routes between all of its interfaces; the MASQUERADE rules only rewrite source addresses, they do not restrict what gets forwarded. If the FORWARD chain policy is ACCEPT, add rules that limit forwarding to br0 <-> the uplink interface(s).
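The rule set above written as a small script, added here as an example for these notes (it is not part of LXC or netctl). It assumes the bridge br0 on 10.0.0.0/24 from the profile above and uplinks such as eth0 and wlp3s0, and an otherwise empty FORWARD chain, since every rule is appended. Unlike the bare "-o eth0 -j MASQUERADE" rule, each rule is tied to the container subnet, and the FORWARD rules only let containers open connections outward and replies come back, so the host does not silently route between its other interfaces once ip_forward is on:

```shell
#!/bin/sh
# Generate (and optionally apply) the NAT and forwarding rules for an LXC bridge.
# Added example for these notes, not part of LXC or netctl. Assumed: bridge br0 on
# 10.0.0.0/24, uplinks like eth0/wlp3s0, an otherwise empty FORWARD chain.

# usage: valid_arg STRING -> exit 0 if STRING can only be an interface name or a CIDR
valid_arg() {
  case $1 in
    ''|*[!A-Za-z0-9./_-]*) return 1 ;;
  esac
  return 0
}

# usage: gen_rules SUBNET BRIDGE UPLINK... -> prints one iptables command per line
gen_rules() {
  [ $# -ge 3 ] || { echo "usage: gen_rules SUBNET BRIDGE UPLINK..." >&2; return 2; }
  for _a in "$@"; do
    valid_arg "$_a" || { echo "gen_rules: refusing unsafe argument: $_a" >&2; return 2; }
  done
  _subnet=$1; _bridge=$2; shift 2
  for _up in "$@"; do
    # NAT only the container subnet when it leaves via this uplink
    echo "iptables -t nat -A POSTROUTING -s $_subnet -o $_up -j MASQUERADE"
    # containers may open connections outward ...
    echo "iptables -A FORWARD -i $_bridge -o $_up -s $_subnet -j ACCEPT"
    # ... and only replies to those connections come back in
    echo "iptables -A FORWARD -i $_up -o $_bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  done
  # nothing else is routed to or from the bridge (other host interfaces, unsolicited inbound)
  echo "iptables -A FORWARD -i $_bridge -j DROP"
  echo "iptables -A FORWARD -o $_bridge -j DROP"
}

# usage: apply_rules SUBNET BRIDGE UPLINK... -> enable forwarding, load the rules, persist them
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_rules "$@" | sh -e                          # stop at the first rule iptables rejects
  iptables-save > /etc/iptables/iptables.rules     # same persistence as the notes above
}

# Stand-alone use:  ./lxc-nat.sh --show  10.0.0.0/24 br0 eth0 wlp3s0
#                   ./lxc-nat.sh --apply 10.0.0.0/24 br0 eth0 wlp3s0   (as root)
case ${1:-} in
  --show)  shift; gen_rules "$@" ;;
  --apply) shift; apply_rules "$@" ;;
esac
```

To reproduce the per-container rules from the notes instead of a whole subnet, pass a /32 (gen_rules 10.0.0.100/32 br0 wlp3s0). Arguments are checked against a character whitelist before they are interpolated into commands, because the generated lines are fed straight to a shell.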
Create Container
lxc-checkconfig   # check kernel capabilities; everything should be enabled except possibly "User namespace" (without it the container is privileged, see the warning at the top)
ls /usr/share/lxc/templates   # view available templates. Don't use the 'lxc-' prefix when creating
sudo lxc-create -n mayadb -t centos   # create the container
sudo systemctl enable lxc@mayadb.service   # start container on boot

# /var/lib/lxc/mayadb/config
lxc.network.type=veth
lxc.network.link=br0
lxc.network.ipv4=10.0.0.100   # choose an IP for the container on the bridge's subnet (10.0.0.100/24 is the explicit form, with prefix length)
lxc.network.ipv4.gateway=10.0.0.1   # the bridge's address is the container's gateway
lxc.network.flags=up
lxc.network.name=eth0
lxc.network.mtu=1500

(This is the legacy lxc.network.* key syntax. LXC 2.1+ uses lxc.net.0.type, lxc.net.0.link, lxc.net.0.ipv4.address, lxc.net.0.ipv4.gateway, lxc.net.0.flags and lxc.net.0.name for the same settings, and LXC 3 removed the old keys.)

iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0 -j MASQUERADE   # allow this container's IP access to the external internet (one rule per host interface that connects out, see Network Setup)
iptables-save > /etc/iptables/iptables.rules   # these are just firewall (NAT) rules; all of the binding is done with the bridge

lxc-start -n mayadb   # start the container
OR
lxc-start -n mayadb -d   # start the container in the background
lxc-console -n mayadb   # get a TTY from the container; login as root
chroot /var/lib/lxc/mayadb/rootfs passwd   # reset the container's root password from outside the jail. Don't write 'chroot ROOTFS; passwd': that starts a chroot shell, and passwd then runs on the HOST once you exit it
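A small audit script for the container config, added here as an example for these notes (it is not part of LXC). It checks the point made at the top of the page, that a container with no uid/gid map runs root as host root, and reads both the legacy lxc.network.* keys used above and the lxc.net.0.* / lxc.idmap keys of LXC 2.1+. The two sample configs it carries are constructed: the first is the mayadb config from these notes, the second is the same container in the newer syntax with an id map (uid 0 inside mapped to host uid 100000, which requires the rootfs to be chowned into that range) and a few capabilities dropped.

```shell
#!/bin/sh
# Audit an LXC container config: is root inside the container root on the host?
# Added example for these notes, not part of LXC. Reads a config on stdin; the
# sample configs below are constructed.

# usage: cfg_get KEY < config -> prints the value(s) of KEY with comments stripped
cfg_get() {
  _key=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots in the key are literal
  sed -n -E "s/^[[:space:]]*$_key[[:space:]]*=[[:space:]]*([^#]*[^#[:space:]]).*/\1/p"
}

# usage: first_value KEY_NEW KEY_LEGACY < config -> value from whichever key syntax the file uses
first_value() {
  _cfg=$(cat)
  _v=$(printf '%s\n' "$_cfg" | cfg_get "$1")
  [ -n "$_v" ] || _v=$(printf '%s\n' "$_cfg" | cfg_get "$2")
  printf '%s\n' "$_v"
}

# usage: is_privileged < config -> exit 0 when no uid/gid map is configured,
# i.e. uid 0 in the container is uid 0 on the host
is_privileged() {
  ! grep -Eq '^[[:space:]]*lxc\.(idmap|id_map)[[:space:]]*='
}

# usage: container_ip < config -> static IPv4 from either key syntax, empty if none
container_ip() { first_value lxc.net.0.ipv4.address lxc.network.ipv4; }

# usage: audit_config < config -> prints findings; returns 1 if the container is privileged
audit_config() {
  _cfg=$(cat)
  _rc=0
  if printf '%s\n' "$_cfg" | is_privileged; then
    echo "WARN no lxc.idmap: privileged container, root inside is root on the host"
    _rc=1
  else
    echo "ok   lxc.idmap present: container root is an unprivileged host uid"
  fi
  _drop=$(printf '%s\n' "$_cfg" | cfg_get lxc.cap.drop)
  if [ -n "$_drop" ]; then
    echo "ok   lxc.cap.drop: $_drop"
  else
    echo "WARN no lxc.cap.drop: the container keeps every capability it starts with"
  fi
  _link=$(printf '%s\n' "$_cfg" | first_value lxc.net.0.link lxc.network.link)
  echo "info bridge=${_link:-none} ip=$(printf '%s\n' "$_cfg" | container_ip)"
  return $_rc
}

# Constructed sample: the /var/lib/lxc/mayadb/config from these notes (legacy keys, no id map)
sample_privileged_cfg() {
  cat <<'EOF'
lxc.network.type=veth
lxc.network.link=br0
lxc.network.ipv4=10.0.0.100 # choose an IP for Container
lxc.network.ipv4.gateway=10.0.0.1
lxc.network.flags=up
lxc.network.name=eth0
lxc.network.mtu=1500
EOF
}

# Constructed sample: the same container in LXC 2.1+ syntax with a uid/gid map, so uid 0
# inside is host uid 100000 (the rootfs must then be chowned into that range)
sample_unprivileged_cfg() {
  cat <<'EOF'
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.ipv4.address = 10.0.0.100/24
lxc.net.0.ipv4.gateway = 10.0.0.1
lxc.net.0.flags = up
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.cap.drop = sys_module mac_admin mac_override sys_time
EOF
}

# Stand-alone use: ./lxc-audit.sh /var/lib/lxc/mayadb/config, or no argument to audit the sample
if [ -r "${1:-}" ]; then audit_config < "$1"; else sample_privileged_cfg | audit_config || true; fi
```

Run against the mayadb config from these notes it reports the privileged-container warning and exits 1, which is the expected state for a setup where lxc-checkconfig shows "User namespace" missing; the second sample passes.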