LXC Containers: Difference between revisions
From wikinotes
No edit summary |
Line 45: | Line 45: | ||
= Network Setup = | = Network Setup = | ||
<blockquote> | <blockquote> | ||
the Arch lxc scripts expect a network bridge ('br0').<br> | |||
Rather than creating several bridges for several OS's, we'll create<br> | |||
a single bridge, and use that as a gateway for the containers | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# /etc/netctl/lxbridge | |||
Description="LXC Bridge" | Description="LXC Bridge" | ||
Interface=br0 | Interface=br0 | ||
Connection=bridge | Connection=bridge | ||
BindsToInterfaces=(eth0) | BindsToInterfaces=(eth0) # !!!! I've had a very difficult time with this, if not working, try removing the interface it binds to. | ||
IP=static | IP=static | ||
Address=10.0.0.1/24 | Address=10.0.0.1/24 | ||
SkipForwardingDelay=yes | SkipForwardingDelay=yes | ||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
su | su | ||
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||
iptables-save > /etc/iptables/iptables.rules | iptables-save > /etc/iptables/iptables.rules | ||
sudo netctl reenable lxcbridge | sudo netctl reenable lxcbridge # load config (reenable is necessary for config changes) | ||
sudo netctl start lxcbridge | sudo netctl start lxcbridge # (re)start lxcbridge | ||
ifconfig br0 | ifconfig br0 # check br0 status | ||
ip addr # check available interfaces | |||
su # su is necessary for saving iptables. Cannot be sudo | |||
systemctl enable iptables # enable iptables rule-loading on boot | |||
systemctl enable iptables | iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0 -j MASQUERADE # allow a specific ip address access to external internet | ||
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0 -j MASQUERADE | iptables -t nat -A POSTROUTING -s 10.0.0.100 -o enp0s25 -j MASQUERADE # you'll want to do this for each interface on the host that will | ||
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o enp0s25 -j MASQUERADE | iptables -t nat --list # confirm that both of your iptables rules are shown | ||
iptables -t nat --list | iptables-save > /etc/iptables/iptables.rules # be connecting to the internet. These are just firewall rules | ||
iptables-save > /etc/iptables/iptables.rules | # all of the binding is done with the bridge. | ||
</syntaxhighlight> | |||
<syntaxhighlight lang="dosini"> | |||
net.ipv4.ip_forward=1 | # /etc/sysctl.d/40-ip-forward.conf | ||
net.ipv4.ip_forward=1 # Allow IP forwarding in netctl | |||
sudo sysctl net.ipv4.ip_forward=1 | </syntaxhighlight> | ||
<syntaxhighlight lang="bash"> | |||
sudo sysctl net.ipv4.ip_forward=1 # Allow IP forwarding in netctl in current session | |||
</syntaxhighlight> | |||
</syntaxhighlight> | </syntaxhighlight> | ||
</blockquote><!-- Install --> | </blockquote><!-- Install --> |
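Review bot: the right-hand side closes the bash block twice: the `</syntaxhighlight>` on the line after `sudo sysctl net.ipv4.ip_forward=1 ...` already ends it, so the second `</syntaxhighlight>` just before `</blockquote>` is a stray tag that the wiki renders as literal text (it is visible at the end of the Network Setup section in the rendered revision); drop it. Two smaller points in the same hunk: the profile is written as `# /etc/netctl/lxbridge` but enabled and started as `lxcbridge`, and netctl takes the profile name from the file name, so one of the two has to change. And the comment for the `-o enp0s25` MASQUERADE rule ("you'll want to do this for each interface on the host that will ... be connecting to the internet") is split across two lines with `iptables -t nat --list` between them; keep it together on the rule it describes.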
Revision as of 14:06, 10 April 2023
LXC containers let you start lightweight VM-like environments that share the currently running kernel, similar to BSD's jails. HOWEVER, unlike jails, a container set up as on this page (privileged, no user namespace mapping) gives anyone with root access inside the container root access to the host machine.
= Locations =
{| class="wikitable"
! Group !! Path !! Purpose
|-
| Resources || /usr/share/lxc/templates || lxc setup templates for various distros
|-
| Containers || /var/lib/lxc/CONTAINER_NAME || container location
|-
| Containers || /var/lib/lxc/CONTAINER_NAME/config || container config
|-
| Containers || /var/lib/lxc/CONTAINER_NAME/rootfs || container filesystem
|}
= Install =
<syntaxhighlight lang="bash">
sudo pacman -S lxc arch-install-scripts bridge-utils
packer -S yum         # if using centos containers
packer -S debootstrap # if using debian
</syntaxhighlight>
= Usage =
<syntaxhighlight lang="bash">
lxc-create -n NAME -t TEMPLATE # create container
lxc-ls                         # list containers
lxc-ls --active                # list running containers
lxc-start -n NAME              # start container
lxc-start -n NAME -d           # start container in background
lxc-attach -n NAME             # start shell in container running in background
</syntaxhighlight>
= Network Setup =
<blockquote>
the Arch lxc scripts expect a network bridge ('br0').<br>
Rather than creating several bridges for several OS's, we'll create<br>
a single bridge, and use that as a gateway for the containers
</blockquote>
<syntaxhighlight lang="bash">
# /etc/netctl/lxcbridge
# (netctl takes the profile name from the file name, so it must match the
#  name given to `netctl start` below)
Description="LXC Bridge"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0) # !!!! I've had a very difficult time with this, if not working, try removing the interface it binds to.
IP=static
Address=10.0.0.1/24
SkipForwardingDelay=yes
</syntaxhighlight>
<syntaxhighlight lang="bash">
sudo netctl reenable lxcbridge # load config (reenable is necessary for config changes)
sudo netctl start lxcbridge    # (re)start lxcbridge
ip addr show br0               # check br0 status (ifconfig br0 works if net-tools is installed)
ip addr                        # check available interfaces
su                             # su is necessary for saving iptables. Cannot be sudo: the '>' redirection
                               # below runs in your own shell, not under sudo
systemctl enable iptables      # enable iptables rule-loading on boot
# Either NAT everything forwarded out of eth0 (not limited to any one container) ...
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# ... or, narrower, allow a specific ip address access to external internet.
# You'll want to do this for each interface on the host that will be connecting
# to the internet. These are just firewall rules; all of the binding is done with the bridge.
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o enp0s25 -j MASQUERADE
iptables -t nat --list         # confirm that both of your iptables rules are shown
iptables-save > /etc/iptables/iptables.rules
</syntaxhighlight>
<syntaxhighlight lang="dosini">
# /etc/sysctl.d/40-ip-forward.conf
net.ipv4.ip_forward=1 # Allow IP forwarding (applied at boot)
</syntaxhighlight>
<syntaxhighlight lang="bash">
sudo sysctl net.ipv4.ip_forward=1 # Allow IP forwarding in the current session
</syntaxhighlight>
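The MASQUERADE rules above come in two shapes: one that NATs everything leaving an interface and one restricted with `-s` to a single container address. The script below is an added example, not part of this wiki page, that reads an `iptables-save` dump (such as `/etc/iptables/iptables.rules`) and reports which nat POSTROUTING MASQUERADE rules are scoped to a source address and which are not. The sample dump and the function names are constructed for the example.

```shell
#!/bin/sh
# Audit the nat POSTROUTING chain of an iptables-save dump and flag MASQUERADE
# rules that carry no -s restriction, i.e. rules that NAT every forwarded
# source address rather than one container's address.
# Usage: audit_nat < /etc/iptables/iptables.rules

# Constructed sample in iptables-save format, mirroring the rules on this page.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.100/32 -o wlp3s0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.100/32 -o enp0s25 -j MASQUERADE
COMMIT
# Completed'

# Print one report line per nat POSTROUTING MASQUERADE rule:
#   SCOPED <source> <out-iface>   or   UNSCOPED <out-iface>
audit_nat() {
    awk '
        /^\*/          { table = substr($0, 2) }   # "*nat", "*filter", ... start a table
        table != "nat" { next }                    # only the nat table matters here
        $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            src = ""; out = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
            }
            if (src == "") print "UNSCOPED", out
            else           print "SCOPED", src, out
        }
    '
}

# Number of MASQUERADE rules that NAT every source address (0 is the goal).
count_unscoped() {
    audit_nat | grep -c '^UNSCOPED' || true
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_nat
```

Run it against the saved rules with `audit_nat < /etc/iptables/iptables.rules`; a non-zero `count_unscoped` means some rule masquerades traffic from any address the host forwards, not just the container you intended.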
= Create Container =
<syntaxhighlight lang="bash">
lxc-checkconfig                          # check Kernel capabilities (User namespace should be the only thing missing)
ls /usr/share/lxc/templates              # view available templates. Don't use the 'lxc-' prefix when creating
sudo lxc-create -n mayadb -t centos      # create VM
sudo systemctl enable lxc@mayadb.service # start container on boot
</syntaxhighlight>
<syntaxhighlight lang="dosini">
# /var/lib/lxc/mayadb/config
# (legacy lxc.network.* keys; LXC 3 and later spell these lxc.net.0.type,
#  lxc.net.0.link, lxc.net.0.ipv4.address, lxc.net.0.ipv4.gateway, ...)
lxc.network.type=veth
lxc.network.link=br0              # the network bridge
lxc.network.ipv4=10.0.0.100       # choose an IP for Container
lxc.network.ipv4.gateway=10.0.0.1 # the bridge's address
lxc.network.flags=up
lxc.network.name=eth0
lxc.network.mtu=1500
</syntaxhighlight>
<syntaxhighlight lang="bash">
# as root: allow this specific ip address access to external internet, then persist it.
# These are just firewall rules; all of the binding is done with the bridge.
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules
lxc-start -n mayadb                      # start VM
# OR
lxc-start -n mayadb -d                   # start VM in background
lxc-console -n mayadb                    # get a TTY from container; login as root
chroot /var/lib/lxc/mayadb/rootfs passwd # reset root password from outside jail
                                         # (run passwd *inside* the chroot; 'chroot DIR; passwd'
                                         #  would run passwd on the host after the chroot shell exits)
</syntaxhighlight>
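Before starting a container it is worth checking its config against the bridge it attaches to: the address and gateway must sit in the bridge's subnet, and, given the warning at the top of the page, you want to know whether the container is privileged (no uid/gid map). The script below is an added example, not code from this wiki page; the sample config is constructed to mirror the one above, the bridge subnet `10.0.0.0/24` is taken from the `Address=10.0.0.1/24` profile, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit an LXC container config (the legacy lxc.network.* key style used on
# this page; lxc.net.0.* on LXC >= 3) read from stdin: report the bridge it
# attaches to, warn if its address or gateway is outside the bridge subnet,
# and warn if no lxc.id_map/lxc.idmap is present (privileged container: root
# inside is root on the host).
# Usage: audit_lxc_config BRIDGE_CIDR < /var/lib/lxc/NAME/config

# Constructed sample mirroring the config on this page (no id map -> privileged).
SAMPLE_CONFIG='lxc.network.type=veth
lxc.network.link=br0
lxc.network.ipv4=10.0.0.100
lxc.network.ipv4.gateway=10.0.0.1
lxc.network.flags=up
lxc.network.name=eth0
lxc.network.mtu=1500'

# Value of config key $1 (first match), tolerating spaces and a trailing comment.
cfg_get() {  # cfg_get KEY < config
    awk -F= -v key="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); sub(/^[ \t]+/, "", $2); sub(/[ \t]*(#.*)?$/, "", $2) }
        $1 == key { print $2; exit }'
}

# Is dotted-quad ADDR inside NETWORK/PREFIX?  Prints "yes" or "no".
in_subnet() {  # in_subnet ADDR NETWORK PREFIX
    awk -v a="$1" -v n="$2" -v p="$3" '
        function toint(s,   o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            block = 2 ^ (32 - p)                       # addresses per subnet
            r = (int(toint(a) / block) == int(toint(n) / block)) ? "yes" : "no"
            print r
        }'
}

audit_lxc_config() {  # audit_lxc_config BRIDGE_CIDR < config
    cfg=$(cat)
    net=${1%/*}; prefix=${1#*/}
    link=$(printf '%s\n' "$cfg" | cfg_get lxc.network.link)
    addr=$(printf '%s\n' "$cfg" | cfg_get lxc.network.ipv4)
    addr=${addr%/*}                                    # drop an optional /prefix
    gw=$(printf '%s\n' "$cfg" | cfg_get lxc.network.ipv4.gateway)
    printf 'link=%s addr=%s gateway=%s\n' "$link" "$addr" "$gw"
    [ "$(in_subnet "$addr" "$net" "$prefix")" = yes ] || printf 'WARN address %s outside bridge subnet %s\n' "$addr" "$1"
    [ "$(in_subnet "$gw" "$net" "$prefix")" = yes ]   || printf 'WARN gateway %s outside bridge subnet %s\n' "$gw" "$1"
    if printf '%s\n' "$cfg" | grep -Eq '^[ \t]*lxc\.(id_map|idmap)'; then
        printf 'unprivileged (uid/gid map present)\n'
    else
        printf 'WARN privileged: no lxc.id_map/lxc.idmap, root inside the container is root on the host\n'
    fi
}

# Number of WARN lines for a config against a bridge subnet (handy in scripts).
count_warnings() {  # count_warnings BRIDGE_CIDR < config
    audit_lxc_config "$1" | grep -c '^WARN' || true
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | audit_lxc_config 10.0.0.0/24
```

On the page's own config the output is the link/address line followed by a single warning, the privileged one; an address typo such as `10.0.1.100` would add a second warning before the container is started with an unreachable gateway.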