== create ==
|
|
|
|
* mit lvm
|
|
*: <source lang="bash">lxc-create -n<container-name> -t <template> -B lvm --lvname <container-name> --vgname <volumen-gruppen-name> --fstype <filesystem-type> --fssize <filesystem-größe></source>
|
|
|
|
* ohne lvm
|
|
*: <source lang="bash">lxc-create -n<container-name> -t <template></source>
|
|
|
|
== start ==
|
|
|
|
* start
|
|
*: <source lang="bash">lxc-start -n<container-name> -f</path/to/config/file> -d</source>
|
|
|
|
== stop ==
|
|
|
|
* stop
|
|
*: <source lang="bash">lxc-stop -n<container-name></source>
|
|
|
|
== config ==
|
|
|
|
<pre>
|
|
## network
|
|
lxc.network.type = veth
|
|
lxc.network.link = br0
|
|
lxc.network.name = eth0
|
|
lxc.network.hwaddr = 00:00:c3:d2:00:23
|
|
lxc.network.veth.pair = br0_<container-name>
|
|
lxc.network.flags = up
|
|
|
|
lxc.network.type = veth
|
|
lxc.network.link = br1
|
|
lxc.network.name = eth1
|
|
lxc.network.hwaddr = 00:00:c3:d2:01:23
|
|
lxc.network.veth.pair = br1_<container-name>
|
|
lxc.network.flags = up
|
|
|
|
## Container
|
|
lxc.utsname = <container-name>
|
|
lxc.rootfs = /var/lib/lxc/<container-name>/rootfs
|
|
lxc.arch = x86_64
|
|
#lxc.console = /var/log/lxc/<container-name>.console
|
|
lxc.tty = 2
|
|
lxc.pts = 1024
|
|
|
|
## Capabilities
|
|
lxc.cap.drop = audit_control
|
|
lxc.cap.drop = audit_write
|
|
lxc.cap.drop = linux_immutable
|
|
lxc.cap.drop = mac_admin
|
|
lxc.cap.drop = mac_override
|
|
lxc.cap.drop = setpcap
|
|
lxc.cap.drop = sys_admin
|
|
lxc.cap.drop = sys_boot
|
|
lxc.cap.drop = sys_module
|
|
lxc.cap.drop = sys_pacct
|
|
lxc.cap.drop = sys_rawio
|
|
lxc.cap.drop = sys_time
|
|
|
|
## Devices
|
|
# Allow all devices
|
|
#lxc.cgroup.devices.allow = a
|
|
|
|
# Deny all devices
|
|
lxc.cgroup.devices.deny = a
|
|
|
|
# Allow to mknod all devices (but not using them)
|
|
lxc.cgroup.devices.allow = c *:* m
|
|
lxc.cgroup.devices.allow = b *:* m
|
|
|
|
# /dev/console
|
|
lxc.cgroup.devices.allow = c 5:1 rwm
|
|
# /dev/null
|
|
lxc.cgroup.devices.allow = c 1:3 rwm
|
|
# /dev/ptmx
|
|
lxc.cgroup.devices.allow = c 5:2 rwm
|
|
# /dev/pts/*
|
|
lxc.cgroup.devices.allow = c 136:* rwm
|
|
# /dev/random
|
|
lxc.cgroup.devices.allow = c 1:8 rwm
|
|
# /dev/rtc
|
|
lxc.cgroup.devices.allow = c 254:0 rwm
|
|
# /dev/tty
|
|
lxc.cgroup.devices.allow = c 5:0 rwm
|
|
# tty0
|
|
lxc.cgroup.devices.allow = c 4:0 rwm
|
|
# tty1
|
|
lxc.cgroup.devices.allow = c 4:1 rwm
|
|
# /dev/urandom
|
|
lxc.cgroup.devices.allow = c 1:9 rwm
|
|
# /dev/zero
|
|
lxc.cgroup.devices.allow = c 1:5 rwm
|
|
# tun
|
|
lxc.cgroup.devices.allow = c 10:200 rwm
|
|
|
|
## Limits
|
|
lxc.cgroup.cpu.shares = 1024
|
|
lxc.cgroup.cpuset.cpus = 0
|
|
lxc.cgroup.memory.limit_in_bytes = 256M
|
|
lxc.cgroup.memory.memsw.limit_in_bytes = 1G
|
|
|
|
## Filesystem
|
|
lxc.mount.entry = proc proc proc ro,nodev,noexec,nosuid 0 0
|
|
lxc.mount.entry = sysfs sys sysfs ro 0 0
|
|
</pre>
|
|
|
|
== console ==
|
|
|
|
=== <code>''</path/to/container/rootfs>''/etc/inittab</code> ===
|
|
|
|
<pre>
|
|
# /sbin/getty invocations for the runlevels.
|
|
#
|
|
# The "id" field MUST be the same as the last
|
|
# characters of the device (after "tty").
|
|
#
|
|
# Format:
|
|
# <id>:<runlevels>:<action>:<process>
|
|
#
|
|
# Note that on most Debian systems tty7 is used by the X Window System,
|
|
# so if you want to add more getty's go ahead but skip tty7 if you run X.
|
|
#
|
|
c1:2345:respawn:/sbin/getty 38400 tty1
|
|
#1:2345:respawn:/sbin/getty 38400 tty1
|
|
#2:23:respawn:/sbin/getty 38400 tty2
|
|
#3:23:respawn:/sbin/getty 38400 tty3
|
|
#4:23:respawn:/sbin/getty 38400 tty4
|
|
#5:23:respawn:/sbin/getty 38400 tty5
|
|
#6:23:respawn:/sbin/getty 38400 tty6
|
|
|
|
# console
|
|
1:12345:respawn:/sbin/agetty --noclear 115200 console linux
|
|
</pre>
|
|
|
|
===lxc-console===
|
|
* Container auflisten:
|
|
*: <source lang="bash">lxc-list</source>
|
|
|
|
* an Container attachen:
|
|
*: <source lang="bash">lxc-console -n<container-name></source>
|
|
|
|
* Von Konsole detachen:
|
|
*: im screen:
|
|
*:: {{Taste|Ctrl}}+{{Taste|a}}{{Taste|a}}{{Taste|q}}
|
|
*: ohne screen:
|
|
*:: {{Taste|Ctrl}}+{{Taste|a}}{{Taste|q}}
|
|
|
|
== debian 8 (jessie/systemd lxc) ==
|
|
|
|
z. B. Upgrade eines Wheezy-Containers auf Jessie
|
|
|
|
LXC-Config:
|
|
<source lang="bash">
|
|
lxc.autodev = 1
|
|
lxc.kmsg = 0
|
|
</source>
|
|
|
|
im rootfs des Containers:
|
|
<source lang="bash">
|
|
# install dbus if it was forgotten
apt-get install dbus (sofern vergessen)
|
|
|
|
# disable udev: mask its units by symlinking them to /dev/null so systemd will not start them
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd.service
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
|
|
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
|
|
|
|
# disable the tty condition in the container's getty@.service (/var/lib/lxc/{container}/rootfs/lib/systemd/system/getty@.service):
# the line below is the one to edit there -- presumably remove or comment it out; confirm
|
|
ConditionPathExists=/dev/tty0
|
|
|
|
# permission workaround: replace chfn with /bin/true
|
|
ln -s -f /bin/true /usr/bin/chfn
|
|
</source>
|
|
|
|
https://wiki.archlinux.org/index.php/Lxc-systemd
|
|
|
|
https://github.com/lxc/lxc/commit/a9bf60bab547013a9873a3fb9efe61155e8694b8
|
|
|
|
https://wiki.debian.org/LXC#Debian_8_.22Jessie.22.2Ftesting
|
|
|
|
=== frickeln ===
|
|
|
|
https://gist.github.com/peo3/1142202
|
|
|
|
== LXC on ZFS (flatbert) ==
|
|
|
|
; Container erstellen:
|
|
|
|
debian lxc bootstrap
|
|
: <source lang="bash">lxc-create -n example -t debian</source>
|
|
|
|
neues dataset
|
|
: <source lang="bash">zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/rpool/disk33 rpool/disk33</source>
|
|
|
|
lxc Container verschieben
|
|
: <source lang="bash">rsync -aAX --progress /var/lib/lxc/example/rootfs/ /rpool/disk33/</source>
|
|
: <source lang="bash">rm -rfv /var/lib/lxc/example/rootfs</source>
|
|
|
|
lxc Container Config kopieren
|
|
: <source lang="bash">cp /var/lib/lxc/pentabot/config /var/lib/lxc/example/config</source>
|
|
|
|
lxc Container Config anpassen
|
|
: <source lang="bash">vi /var/lib/lxc/example/config</source>
|
|
<pre>
|
|
###
|
|
### namen, pfade, mac adresse, cap, rootfs pfad
|
|
###
|
|
|
|
#
|
|
### LXC - jessie/systemd hacks // ###
|
|
lxc.autodev = 1
|
|
lxc.kmsg = 0
|
|
lxc.cap.drop=mac_admin mac_override setfcap setpcap sys_boot sys_module sys_pacct sys_rawio sys_resource sys_time sys_tty_config
|
|
# lxc.pts = 1024
|
|
### // LXC - jessie/systemd hacks ###
|
|
#
|
|
</pre>
|
|
lxc autostart (reboot safe)
|
|
: <source lang="bash">cd /etc/lxc/auto</source>
|
|
: <source lang="bash">ln -s ../../../var/lib/lxc/example/config 310_example.conf</source>
|
|
|
|
lxc link zum rpool dataset
|
|
: <source lang="bash">cd /lxc-container</source>
|
|
: <source lang="bash">ln -s /rpool/disk33 example</source>
|
|
|
|
lxc / debian jessie upgrade sources.list
|
|
: <source lang="bash">cp /lxc-container/pentabot/etc/apt/sources.list /lxc-container/example/etc/apt/sources.list</source>
|
|
|
|
lxc starten
|
|
: <source lang="bash">lxc-start -n example</source>
|
|
|
|
lxc wheezy auf jessie upgraden (ohne systemd)
|
|
: <source lang="bash">apt-get update; apt-get upgrade</source>
|
|
|
|
== LXC Debian 7 (Wheezy) Container Upgrade auf Debian 8 (Jessie) mit sysvinit ==
|
|
|
|
Container läuft mit Wheezy
|
|
|
|
<source lang="bash">
|
|
grep "PRETTY" /var/lib/lxc/*/*/etc/os-release
|
|
|
|
/var/lib/lxc/bind/root/etc/os-release:PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
|
|
</source>
|
|
|
|
LXC-Capabilities anpassen und Container neu starten
|
|
|
|
<source lang="bash">
|
|
vi /var/lib/lxc/bind/config
|
|
|
|
## Capabilities
|
|
### LXC - jessie/systemd hacks // ###
|
|
lxc.kmsg = 0
|
|
#lxc.cap.drop = audit_control
|
|
#lxc.cap.drop = audit_write
|
|
### LXC - jessie/systemd hacks // ###
|
|
|
|
lxc-stop -n bind
|
|
</source>
|
|
|
|
nachschauen, ob noch alte Interfaces aktiv sind
|
|
|
|
<source lang="bash">
|
|
ifconfig | grep "bind"
|
|
</source>
|
|
|
|
und ggf. abwarten, bis die alten Interface-Ressourcen "freigegeben" sind (d. h. nicht mehr auftauchen)
|
|
|
|
Container neustarten:
|
|
|
|
<source lang="bash">
|
|
lxc-start -n bind
|
|
</source>
|
|
|
|
Repo anpassen
|
|
|
|
<source lang="bash">
|
|
rm /etc/apt/sources.list.d/debian.list
|
|
</source>
|
|
|
|
<source lang="bash">
|
|
vi /etc/apt/sources.list
|
|
|
|
### ### ### C3D2 ### ### ###
|
|
deb http://ftp.de.debian.org/debian/ jessie main contrib non-free
|
|
deb-src http://ftp.de.debian.org/debian/ jessie main contrib non-free
|
|
|
|
deb http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
|
|
deb-src http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
|
|
|
|
deb http://ftp.de.debian.org/debian-security/ jessie/updates main contrib non-free
|
|
deb-src http://ftp.de.debian.org/debian-security/ jessie/updates main contrib non-free
|
|
### ### ### C3D2 ### ### ###
|
|
# EOF
|
|
</source>
|
|
|
|
Container Upgrade
|
|
|
|
<source lang="bash">
|
|
apt-get update; apt-get clean; apt-get update; apt-get upgrade
|
|
</source>
|
|
|
|
Container Dist-Upgrade
|
|
|
|
<source lang="bash">
|
|
apt-get dist-upgrade
|
|
</source>
|
|
|
|
Container von systemd auf sysvinit-core umstellen
|
|
|
|
<source lang="bash">
|
|
# switch the container's init from systemd to sysvinit-core
apt-get install sysvinit-core
|
|
# remove packages left unused by the switch
apt-get autoremove
|
|
# reinstall afterwards -- presumably to make sure autoremove did not strip anything sysvinit-core needs; confirm
apt-get install --reinstall sysvinit-core
|
|
</source>
|
|
|
|
Container neustarten:
|
|
|
|
<source lang="bash">
|
|
@HOST!
|
|
|
|
lxc-stop -n bind
|
|
lxc-start -n bind
|
|
</source>
|
|
|
|
|
|
Container mit Jessie
|
|
|
|
<source lang="bash">
|
|
grep "PRETTY" /var/lib/lxc/*/*/etc/os-release
|
|
|
|
/var/lib/lxc/bind/root/etc/os-release:PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
|
|
</source>
|
|
|
|
|
|
Bei Fehler:
|
|
|
|
<source lang="bash">
|
|
/etc/init.d/udev-finish: 21: exec: /lib/udev/udev-finish: not found
|
|
</source>
|
|
|
|
dann ein:
|
|
|
|
<source lang="bash">
|
|
apt-get remove --purge udev
|
|
</source>
|
|
|
|
== Debian 8 (Jessie) HOST mit Debian 8 (Jessie) LXC und systemd (systemd-sysv) ==
|
|
|
|
LXC Container capabilities für systemd anpassen. Hinweis: Die mit <code>#!#</code> auskommentierten Drops (insbesondere sys_admin und mknod) bleiben dem Container damit erhalten und schwächen die Isolation zum Host; nur so weit lockern, wie systemd es tatsächlich braucht.
|
|
|
|
<source lang="bash">
|
|
### LXC - jessie/systemd hacks // ###
|
|
lxc.autodev = 1
|
|
lxc.kmsg = 0
|
|
|
|
#!# lxc.cap.drop = sys_admin
|
|
#!# lxc.cap.drop = mknod
|
|
#!# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
|
|
#!# lxc.cap.drop = audit_write
|
|
#!# lxc.cap.drop = setfcap
|
|
#!# lxc.cap.drop = setpcap
|
|
#!# lxc.cap.drop = sys_resource
|
|
#
|
|
### lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
|
|
### lxc.cap.drop = setuid # breaks sshd,nfs statd
|
|
### lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
|
|
### lxc.cap.drop = net_raw # breaks dhcp/ping
|
|
#
|
|
### lxc.cap.drop = sys_nice
|
|
#
|
|
lxc.cap.drop = sys_module
|
|
lxc.cap.drop = mac_admin
|
|
lxc.cap.drop = mac_override
|
|
lxc.cap.drop = sys_time
|
|
lxc.cap.drop = sys_boot
|
|
lxc.cap.drop = sys_pacct
|
|
lxc.cap.drop = sys_rawio
|
|
lxc.cap.drop = sys_tty_config
|
|
|
|
lxc.tty=2
|
|
lxc.pts = 1024
|
|
#/ lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
|
|
### // LXC - jessie/systemd hacks ###
|
|
</source>
|
|
|
|
|
|
udev (im Container) deaktivieren
|
|
|
|
<source lang="bash">
|
|
# mask the udev units and the binfmt_misc automount by symlinking them to /dev/null so systemd will not start them in the container
ln -s /dev/null /etc/systemd/system/systemd-udevd.service
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
|
|
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
|
|
</source>
|
|
|
|
== Upgrade auf systemd-LXC-Container ==
|
|
|
|
=== Container auf Jessie upgrade ===
|
|
|
|
<source lang="bash">
|
|
cat /etc/apt/sources.list
|
|
|
|
### ### ### C3D2 ### ### ###
|
|
deb http://ftp.de.debian.org/debian/ jessie main contrib non-free
|
|
deb-src http://ftp.de.debian.org/debian/ jessie main contrib non-free
|
|
|
|
deb http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
|
|
deb-src http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
|
|
|
|
deb http://ftp.de.debian.org/debian-security/ jessie/updates main contrib non-free
|
|
deb-src http://ftp.de.debian.org/debian-security/ jessie/updates main contrib non-free
|
|
### ### ### C3D2 ### ### ###
|
|
# EOF
|
|
|
|
apt-get clean
|
|
apt-get update
|
|
apt-get upgrade
|
|
apt-get dist-upgrade
|
|
</source>
|
|
|
|
Sobald bei der Installation des systemd-Pakets ein "Systemdfehler" auftaucht: Container stoppen, mit der neuen Container-Config starten und dann das dist-upgrade fortführen.
|
|
|
|
=== Beispiel: systemd kompatible LXC-Config ===
|
|
|
|
<source lang="bash">
|
|
cat /var/lib/lxc/CONTAINER/config
|
|
|
|
|
|
lxc.utsname=CONTAINER
|
|
lxc.arch=x86_64
|
|
#/ lxc.console=/var/log/lxc/mail.console
|
|
|
|
lxc.network.type=veth
|
|
lxc.network.link=br0
|
|
lxc.network.name=eth0
|
|
lxc.network.hwaddr=00:00:00:00:01:01
|
|
lxc.network.veth.pair=br0_CONTAINER
|
|
lxc.network.flags=up
|
|
|
|
lxc.network.type=veth
|
|
lxc.network.link=br1
|
|
lxc.network.name=eth1
|
|
lxc.network.hwaddr=00:00:00:00:02:01
|
|
lxc.network.veth.pair=br1_CONTAINER
|
|
lxc.network.flags=up
|
|
|
|
lxc.network.type=veth
|
|
lxc.network.link=br2
|
|
lxc.network.name=eth2
|
|
lxc.network.hwaddr=00:00:00:00:03:01
|
|
lxc.network.veth.pair=br2_CONTAINER
|
|
lxc.network.flags=up
|
|
|
|
lxc.rootfs=/var/lib/lxc/CONTAINER/root
|
|
lxc.mount.entry=proc /var/lib/lxc/CONTAINER/root/proc proc nodev,noexec,nosuid 0 0
|
|
lxc.mount.entry=devpts /var/lib/lxc/CONTAINER/root/dev/pts devpts newinstance 0 0
|
|
lxc.mount.entry=sysfs /var/lib/lxc/CONTAINER/root/sys sysfs defaults 0 0
|
|
|
|
### Limits
|
|
#/ lxc.cgroup.cpu.shares = 1024
|
|
#/ lxc.cgroup.cpuset.cpus = 0
|
|
#/ lxc.cgroup.memory.limit_in_bytes = 256M
|
|
#/ lxc.cgroup.memory.memsw.limit_in_bytes = 1G
|
|
###
|
|
|
|
lxc.cgroup.memory.limit_in_bytes=536870912
|
|
|
|
### LXC - jessie/systemd hacks // ###
|
|
lxc.autodev = 1
|
|
lxc.kmsg = 0
|
|
#
|
|
#!# lxc.cap.drop = sys_admin
|
|
#!# lxc.cap.drop = mknod
|
|
#!# lxc.cap.drop = audit_control
|
|
#!# lxc.cap.drop = audit_write
|
|
#!# lxc.cap.drop = setfcap
|
|
#!# lxc.cap.drop = setpcap
|
|
#!# lxc.cap.drop = sys_resource
|
|
#
|
|
lxc.cap.drop = sys_module
|
|
lxc.cap.drop = mac_admin
|
|
lxc.cap.drop = mac_override
|
|
lxc.cap.drop = sys_time
|
|
lxc.cap.drop = sys_boot
|
|
lxc.cap.drop = sys_pacct
|
|
lxc.cap.drop = sys_rawio
|
|
lxc.cap.drop = sys_tty_config
|
|
#
|
|
lxc.tty=2
|
|
lxc.pts = 1024
|
|
##/ lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
|
|
#### // LXC - jessie/systemd hacks ###
|
|
|
|
lxc.cgroup.devices.deny = a
|
|
# tty0
|
|
lxc.cgroup.devices.allow = c 4:0 rwm
|
|
# tty1
|
|
lxc.cgroup.devices.allow = c 4:1 rwm
|
|
# tty
|
|
lxc.cgroup.devices.allow = c 5:0 rwm
|
|
# console
|
|
lxc.cgroup.devices.allow = c 5:1 rwm
|
|
# ptmx
|
|
lxc.cgroup.devices.allow = c 5:2 rwm
|
|
# pts/*
|
|
lxc.cgroup.devices.allow = c 136:* rwm
|
|
# null
|
|
lxc.cgroup.devices.allow = c 1:3 rwm
|
|
# zero
|
|
lxc.cgroup.devices.allow = c 1:5 rwm
|
|
# full
|
|
lxc.cgroup.devices.allow = c 1:7 rwm
|
|
# random
|
|
lxc.cgroup.devices.allow = c 1:8 rwm
|
|
# urandom
|
|
lxc.cgroup.devices.allow = c 1:9 rwm
|
|
|
|
# EOF
|
|
</source>
|
|
|
|
=== systemd reinstall ===
|
|
|
|
<source lang="bash">
|
|
# fix broken dependencies left by the interrupted dist-upgrade, finish the upgrade, then reinstall systemd-sysv
apt-get install -f
|
|
apt-get dist-upgrade
|
|
apt-get install --reinstall systemd-sysv
|
|
</source>
|
|
|
|
=== udev disable ===
|
|
|
|
<source lang="bash">
|
|
# mask the udev units and the binfmt_misc automount by symlinking them to /dev/null so systemd will not start them in the container
ln -s /dev/null /etc/systemd/system/systemd-udevd.service
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
|
|
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
|
|
</source>
|
|
|
|
Container neustarten
|
|
|
|
That's it
|
|
|
|
== rapid lxc deployment ==
|
|
; Siehe: [[rapid-lxc-deployment]]
|