LXC Containers
From wikinotes
LXC containers let you start lightweight, VM-like guests that share the currently running host kernel, similar to BSD jails. HOWEVER, unlike jails, if you have root access inside an LXC container of the kind set up here (privileged, no user namespaces), you effectively have root access to the host machine.
Locations
Resources
  /usr/share/lxc/templates              lxc setup templates for various distros
Containers
  /var/lib/lxc/CONTAINER_NAME           container location
  /var/lib/lxc/CONTAINER_NAME/config    container config
  /var/lib/lxc/CONTAINER_NAME/rootfs    container filesystem
Install
sudo pacman -S lxc arch-install-scripts bridge-utils
packer -S yum          # if using CentOS containers (packer is an AUR helper)
packer -S debootstrap  # if using Debian containers
Usage
lxc-create -n NAME -t TEMPLATE  # create container
lxc-ls                          # list containers
lxc-ls --active                 # list running containers
lxc-start -n NAME               # start container (foreground)
lxc-start -n NAME -d            # start container in background
lxc-attach -n NAME              # start a shell in a container running in background
Network Setup
# The Arch lxc scripts expect a network bridge ('br0').
# Rather than creating several bridges for several OSes, we create
# a single bridge and use it as the gateway for all containers.

#### /etc/netctl/lxcbridge
Description="LXC Bridge"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0)
## !!!! I've had a very difficult time with this; if it is not working, try removing the interface it binds to.
IP=static
Address=10.0.0.1/24
SkipForwardingDelay=yes
####

sudo netctl reenable lxcbridge   # load config (reenable is necessary after config changes)
sudo netctl start lxcbridge      # (re)start lxcbridge
ifconfig br0                     # check br0 status
ip addr                          # check available interfaces

# NAT rules. su is necessary for saving iptables rules; with sudo the redirect
# into /etc/iptables/iptables.rules runs as your user and fails.
su
systemctl enable iptables        # load the saved rules on boot

# Either NAT everything that leaves eth0:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules

# or NAT only specific container IPs, one rule per host interface that
# will be connected to the internet:
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0 -j MASQUERADE   # allow this container IP to reach the internet via wlp3s0
iptables -t nat -A POSTROUTING -s 10.0.0.100 -o enp0s25 -j MASQUERADE  # same for enp0s25
iptables -t nat --list           # confirm that both rules are shown
iptables-save > /etc/iptables/iptables.rules
# These are only firewall (NAT) rules; all of the binding is done by the bridge.

#### /etc/sysctl.d/40-ip-forward.conf
net.ipv4.ip_forward=1            # allow IP forwarding (kernel setting, applied on boot)
####
sudo sysctl net.ipv4.ip_forward=1   # allow IP forwarding in the current session
Create Container
lxc-checkconfig                            # check kernel capabilities (only "User namespace" should be missing)
ls /usr/share/lxc/templates                # view available templates; drop the 'lxc-' prefix when creating
sudo lxc-create -n mayadb -t centos        # create container
sudo systemctl enable lxc@mayadb.service   # start container on boot

#### /var/lib/lxc/mayadb/config
lxc.network.type=veth
lxc.network.link=br0                 # the host bridge
lxc.network.ipv4=10.0.0.100/24       # choose an IP for the container; give the prefix length, otherwise LXC falls back to the classful mask (/8 for 10.x)
lxc.network.ipv4.gateway=10.0.0.1    # the bridge address
lxc.network.flags=up
lxc.network.name=eth0
lxc.network.mtu=1500
####
# (this is the pre-2.1 lxc.network.* key syntax; LXC 2.1 and later spell these keys lxc.net.0.*)

iptables -t nat -A POSTROUTING -s 10.0.0.100 -o wlp3s0 -j MASQUERADE   # allow this container IP to reach the internet (one rule per uplink interface, see Network Setup)
iptables-save > /etc/iptables/iptables.rules
# These are only firewall (NAT) rules; all of the binding is done by the bridge.

lxc-start -n mayadb                        # start container
OR
lxc-start -n mayadb -d                     # start container in background
lxc-console -n mayadb                      # get a TTY from the container; log in as root
sudo chroot /var/lib/lxc/mayadb/rootfs passwd   # reset the container's root password from outside the jail
# Note: "chroot ROOTFS; passwd" (with a semicolon) would open a shell in the rootfs and then run passwd on the HOST after you exit it, so pass passwd as chroot's command instead.
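An added sanity check for the container config above (example code, not from the original notes or from LXC itself): it parses the old lxc.network.* block, checks it against the host bridge assumed at br0/10.0.0.1/24 as on this page, flags the missing prefix length on lxc.network.ipv4, and flags the privileged (no uid/gid mapping) setup that makes root inside the container root on the host. The sample config is constructed from the page; lxc.id_map / lxc.idmap are LXC's mapping keys and are not discussed on this page.

```python
import ipaddress

# Constructed sample: the page's container network block, as written (no prefix length on the address).
PAGE_CONFIG = """\
lxc.network.type=veth
lxc.network.link=br0
lxc.network.ipv4=10.0.0.100  #choose an IP for Container
lxc.network.ipv4.gateway=10.0.0.1
lxc.network.flags=up
"""

def parse_lxc_config(text):
    """Parse key=value lines (old lxc.network.* syntax); '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_network(conf, bridge_addr="10.0.0.1/24", bridge_name="br0"):
    """Check the container's network block against the host bridge (assumed br0 at 10.0.0.1/24, as on the page)."""
    findings = []
    bridge = ipaddress.ip_interface(bridge_addr)
    if conf.get("lxc.network.type") != "veth":
        findings.append("network type is not veth")
    if conf.get("lxc.network.link") != bridge_name:
        findings.append(f"link is not {bridge_name}")
    addr = conf.get("lxc.network.ipv4")
    if addr is None:
        findings.append("no static ipv4 address")
    else:
        if "/" not in addr:  # LXC then falls back to the classful mask, /8 for 10.x
            findings.append("ipv4 address has no prefix length")
            addr += f"/{bridge.network.prefixlen}"
        iface = ipaddress.ip_interface(addr)
        if iface.ip not in bridge.network:
            findings.append(f"{iface.ip} is outside the bridge subnet {bridge.network}")
        elif iface.network != bridge.network:
            findings.append(f"container mask /{iface.network.prefixlen} differs from bridge /{bridge.network.prefixlen}")
    gateway = conf.get("lxc.network.ipv4.gateway")
    if gateway != str(bridge.ip):
        findings.append(f"gateway {gateway} is not the bridge address {bridge.ip}")
    # No uid/gid mapping means a privileged container: root inside is root on the host (the page's caveat).
    if "lxc.id_map" not in conf and "lxc.idmap" not in conf:
        findings.append("privileged container: no lxc.id_map/lxc.idmap")
    return findings
```

Run it as `audit_network(parse_lxc_config(open("/var/lib/lxc/mayadb/config").read()))` on the host; an empty list means the block matches the bridge.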