LXC Containers

From wikinotes

LXC containers let you run isolated Linux systems that share the host's currently running kernel, similar to BSD's jails. HOWEVER, unlike jails, if you have root access to a LXC container, you have root access to the host machine. This applies to the privileged containers set up on this page: no user-namespace ID mapping is configured, and lxc-checkconfig below reports the user namespace as missing.

Locations

Resources
  /usr/share/lxc/templates              LXC setup templates for the various distros
Containers
  /var/lib/lxc/CONTAINER_NAME           container directory
  /var/lib/lxc/CONTAINER_NAME/config    container config
  /var/lib/lxc/CONTAINER_NAME/rootfs    container root filesystem

Install

sudo pacman -S lxc arch-install-scripts bridge-utils
packer -S yum                   # only if using CentOS containers
packer -S debootstrap           # only if using Debian containers

Usage

lxc-create -n NAME -t TEMPLATE       # create container

lxc-ls                               # list containers
lxc-ls --active                      # list running containers

lxc-start -n NAME                    # start container
lxc-start -n NAME -d                 # start container in background
lxc-attach -n NAME                   # start shell in container running in background

Network Setup

The Arch LXC scripts expect a network bridge ('br0').
Rather than creating several bridges for several OSes, we'll create
a single bridge and use it as the gateway for all containers.

# /etc/netctl/lxcbridge   (the netctl profile name is the file name, so it must match the netctl commands below)
Description="LXC Bridge"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0) # !!!! I've had a very difficult time with this; if it is not working, try removing the interface it binds to.
IP=static
Address=10.0.0.1/24
SkipForwardingDelay=yes

sudo netctl reenable lxcbridge  # load config (reenable is necessary after config changes)
sudo netctl start  lxcbridge    # (re)start lxcbridge
ifconfig br0                    # check br0 status
ip addr                         # check available interfaces

su                              # su is necessary for saving iptables; with sudo the "> file" redirection runs as your unprivileged user

systemctl enable iptables                                              # load the saved iptables rules on boot
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE                   # broad rule: masquerade everything leaving via eth0, OR
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0  -j MASQUERADE  # narrower rule: allow only one container's address out to the internet;
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o enp0s25 -j MASQUERADE  # repeat for each host interface that connects to the internet
iptables -t nat --list                                                 # confirm that your rules are shown
iptables-save > /etc/iptables/iptables.rules                           # persist the rules. These are only NAT rules;
                                                                       # all of the binding is done with the bridge.

# /etc/sysctl.d/40-ip-forward.conf
net.ipv4.ip_forward=1                # allow IP forwarding on the host (persistent, applied at boot)
sudo sysctl net.ipv4.ip_forward=1    # allow IP forwarding in the current session

Create Container

lxc-checkconfig                           # check kernel capabilities (User namespace should be the only thing missing)
ls /usr/share/lxc/templates               # view available templates. Don't use the 'lxc-' prefix when creating
sudo lxc-create -n mayadb -t centos       # create the container
sudo systemctl enable lxc@mayadb.service  # start container on boot

# /var/lib/lxc/mayadb/config   (LXC 1.x/2.x key names; LXC 3.0 and later renamed these to lxc.net.0.type, lxc.net.0.link, ...)
lxc.network.type=veth
lxc.network.link=br0                                                  # attach to the host bridge created above
lxc.network.ipv4=10.0.0.100                                           # choose an IP for the container (must match the NAT rule)
lxc.network.ipv4.gateway=10.0.0.1                                     # the bridge address is the container's gateway
lxc.network.flags=up
lxc.network.name=eth0
lxc.network.mtu=1500

iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0  -j MASQUERADE # allow this container's address out to the internet (repeat per host interface)
iptables-save > /etc/iptables/iptables.rules                          # persist the rule (as root). These are only NAT rules;
                                                                      # all of the binding is done with the bridge.

lxc-start   -n mayadb                                                 # start the container
    OR
lxc-start   -n mayadb -d                                              # start the container in the background
lxc-console -n mayadb                                                 # get a TTY from the container

Log in as root. If the template's root password is not known, set it from the host (outside the container):
sudo chroot /var/lib/lxc/mayadb/rootfs passwd                         # runs passwd inside the container's rootfs; "chroot DIR; passwd" would change the HOST root password instead
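As an added example (not part of this wiki page), a small POSIX shell script that reads a container config of the shape shown above, reports whether the container is privileged (no lxc.idmap/lxc.id_map user-namespace mapping, which is the case for the containers on this page) and derives the per-container MASQUERADE rule from its lxc.network.ipv4 value so the NAT rule and the config cannot drift apart. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an LXC container config that uses
# the lxc.network.* keys shown above. Function names are constructed for this example.

# Print the value of the first "KEY = value" line, ignoring spaces and trailing comments.
# KEY is a sed regex, so dots must be escaped, e.g. 'lxc\.network\.ipv4'.
lxc_cfg_get() {  # usage: lxc_cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# "privileged" when this file configures no user-namespace ID mapping (root in the
# container is root on the host), otherwise "unprivileged".
lxc_cfg_privilege() {  # usage: lxc_cfg_privilege FILE
    if grep -Eq '^[[:space:]]*lxc\.(idmap|id_map)[[:space:]]*=' "$1"; then
        echo unprivileged
    else
        echo privileged
    fi
}

# Emit the NAT rule scoped to this container's address and one outbound host interface,
# the same shape as the page's per-container MASQUERADE rule. Fails if no static IP is set.
lxc_cfg_nat_rule() {  # usage: lxc_cfg_nat_rule FILE OUT_IFACE
    ip=$(lxc_cfg_get "$1" 'lxc\.network\.ipv4')
    [ -n "$ip" ] || return 1
    echo "iptables -t nat -A POSTROUTING -s ${ip%/*} -o $2 -j MASQUERADE"   # strip any /prefix
}

# Write a constructed sample config (same shape as /var/lib/lxc/mayadb/config above)
# to a temporary file and print its path.
lxc_cfg_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
lxc.network.type=veth
lxc.network.link=br0
lxc.network.ipv4=10.0.0.100/24   # choose an IP for Container
lxc.network.ipv4.gateway=10.0.0.1
lxc.network.flags=up
EOF
    echo "$f"
}
```

Run it against a real config with `lxc_cfg_privilege /var/lib/lxc/NAME/config` and `lxc_cfg_nat_rule /var/lib/lxc/NAME/config wlp3s0`; a container reported as privileged is one where the warning at the top of this page applies.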