gitolite/c3d2-wiki
gitolite
/
c3d2-wiki
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
c3d2-wiki/LXC.mw

543 lines
14 KiB
Plaintext
Raw Permalink Blame History

== create ==
* mit lvm
*: <source lang="bash">lxc-create -n<container-name> -t <template> -B lvm --lvname <container-name> --vgname <volumen-gruppen-name> --fstype <filesystem-type> --fssize <filesystem-größe></source>
* ohne lvm
*: <source lang="bash">lxc-create -n<container-name> -t <template></source>
== start ==
* start
*: <source lang="bash">lxc-start -n<container-name> -f</path/to/config/file> -d</source>
== stop ==
* stop
*: <source lang="bash">lxc-stop -n<container-name></source>
== config ==
<pre>
## network
lxc.network.type = veth
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = 00:00:c3:d2:00:23
lxc.network.veth.pair = br0_<container-name>
lxc.network.flags = up
lxc.network.type = veth
lxc.network.link = br1
lxc.network.name = eth1
lxc.network.hwaddr = 00:00:c3:d2:01:23
lxc.network.veth.pair = br1_<container-name>
lxc.network.flags = up
## Container
lxc.utsname = <container-name>
lxc.rootfs = /var/lib/lxc/<container-name>/rootfs
lxc.arch = x86_64
#lxc.console = /var/log/lxc/<container-name>.console
lxc.tty = 2
lxc.pts = 1024
## Capabilities
lxc.cap.drop = audit_control
lxc.cap.drop = audit_write
lxc.cap.drop = linux_immutable
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = setpcap
lxc.cap.drop = sys_admin
lxc.cap.drop = sys_boot
lxc.cap.drop = sys_module
lxc.cap.drop = sys_pacct
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_time
## Devices
# Allow all devices
#lxc.cgroup.devices.allow = a
# Deny all devices
lxc.cgroup.devices.deny = a
# Allow to mknod all devices (but not using them)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
# /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
# /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
# /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
# tty0
lxc.cgroup.devices.allow = c 4:0 rwm
# tty1
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
# tun
lxc.cgroup.devices.allow = c 10:200 rwm
## Limits
lxc.cgroup.cpu.shares = 1024
lxc.cgroup.cpuset.cpus = 0
lxc.cgroup.memory.limit_in_bytes = 256M
lxc.cgroup.memory.memsw.limit_in_bytes = 1G
## Filesystem
lxc.mount.entry = proc proc proc ro,nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs ro 0 0
</pre>
== console ==
=== <code>''</path/to/conatiner/rootfs>''/etc/inittab</code> ===
<pre>
# /sbin/getty invocations for the runlevels.
#
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
#
# Format:
# <id>:<runlevels>:<action>:<process>
#
# Note that on most Debian systems tty7 is used by the X Window System,
# so if you want to add more getty's go ahead but skip tty7 if you run X.
#
c1:2345:respawn:/sbin/getty 38400 tty1
#1:2345:respawn:/sbin/getty 38400 tty1
#2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
# console
1:12345:respawn:/sbin/agetty --noclear 115200 console linux
</pre>
===lxc-console===
* VMs auflisten:
*: <source lang="bash">lxc-list</source>
* an VM attachen:
*: <source lang="bash">lxc-console -n<container-name></source>
* Von Konsole detachen:
*: im screen:
*:: {{Taste|Ctrl}}+{{Taste|a}}{{Taste|a}}{{Taste|q}}
*: ohne screen:
*:: {{Taste|Ctrl}}+{{Taste|a}}{{Taste|q}}
== debian 8 (jessie/systemd lxc) ==
z.b wheezy container upgrade auf jessie
lxc - config
<source lang="bash">
lxc.autodev = 1
lxc.kmsg = 0
</source>
im rootfs container:
<source lang="bash">
apt-get install dbus (sofern vergessen)
# udev fuu deaktivieren:
ln -s /dev/null /etc/systemd/system/systemd-udevd.service
ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket
ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
# tty fuu deaktivieren: /var/lib/lxc/{container}/rootfs/lib/systemd/system/getty@.service
ConditionPathExists=/dev/tty0
# permission fuu
ln -s -f /bin/true /usr/bin/chfn
</source>
https://wiki.archlinux.org/index.php/Lxc-systemd
https://github.com/lxc/lxc/commit/a9bf60bab547013a9873a3fb9efe61155e8694b8
https://wiki.debian.org/LXC#Debian_8_.22Jessie.22.2Ftesting
=== frickeln ===
https://gist.github.com/peo3/1142202
== LXC on ZFS (flatbert) ==
; Container erstellen:
debian lxc bootstrap
: <source lang="bash">lxc-create -n example -t debian</source>
neues dataset
: <source lang="bash">zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/rpool/disk33 rpool/disk33</source>
lxc Container verschieben
: <source lang="bash">rsync -aAX --progress /var/lib/lxc/example/rootfs/ /rpool/disk33/</source>
: <source lang="bash">rm -rfv /var/lib/lxc/example/rootfs</source>
lxc Container Config kopieren
: <source lang="bash">cp /var/lib/lxc/pentabot/config /var/lib/lxc/example/config</source>
lxc Container Config anpassen
: <source lang="bash">vi /var/lib/lxc/example/config</source>
<pre>
###
### namen, pfade, mac adresse, cap, rootfs pfad
###
#
### LXC - jessie/systemd hacks // ###
lxc.autodev = 1
lxc.kmsg = 0
lxc.cap.drop=mac_admin mac_override setfcap setpcap sys_boot sys_module sys_pacct sys_rawio sys_resource sys_time sys_tty_config
# lxc.pts = 1024
### // LXC - jessie/systemd hacks ###
#
</pre>
lxc autostart (reboot safe)
: <source lang="bash">cd /etc/lxc/auto</source>
: <source lang="bash">ln -s ../../../var/lib/lxc/example/config 310_example.conf</source>
lxc link zum rpool dataset
: <source lang="bash">cd /lxc-container</source>
: <source lang="bash">ln -s /rpool/disk33 example</source>
lxc / debian jessie upgrade sources.list
: <source lang="bash">cp /lxc-container/pentabot/etc/apt/sources.list /lxc-container/example/etc/apt/sources.list</source>
lxc starten
: <source lang="bash">lxc-start -n example</source>
lxc wheezy auf jessie upgraden (ohne systemd)
: <source lang="bash">apt-get update; apt-get upgrade</source>
== LXC Debian 7 (Wheezy) Container Upgrade auf Debian 8 (Jessie) mit sysvinit ==
Container läuft mit Wheezy
<source lang="bash">
grep "PRETTY" /var/lib/lxc/*/*/etc/os-release
/var/lib/lxc/bind/root/etc/os-release:PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
</source>
lxc capabilities anpassen und container restarten
<source lang="bash">
vi /var/lib/lxc/bind/config
## Capabilities
### LXC - jessie/systemd hacks // ###
lxc.kmsg = 0
#lxc.cap.drop = audit_control
#lxc.cap.drop = audit_write
### LXC - jessie/systemd hacks // ###
lxc-stop -n bind
</source>
nachschauen ob noch alte interfaces active sind
<source lang="bash">
ifconfig | grep "bind"
</source>
und ggf. abwarten bis die alten interface ressourcen "freigegeben" sind (nicht mehr auftauchen)
Container neustarten:
<source lang="bash">
lxc-start -n bind
</source>
Repo anpassen
<source lang="bash">
rm /etc/apt/sources.list.d/debian.list
</source>
<source lang="bash">
vi /etc/apt/sources.list
### ### ### C3D2 ### ### ###
deb http://ftp.de.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.de.debian.org/debian/ jessie main contrib non-free
deb http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
deb http://ftp.de.debian.org/debian-security/ jessie/updates main contrib non-free
deb-src http://ftp.de.debian.org/debian-security/ jessie/updates main contrib non-free
### ### ### C3D2 ### ### ###
# EOF
</source>
Container Upgrade
<source lang="bash">
apt-get update; apt-get clean; apt-get update; apt-get upgrade
</source>
Container Dist-Upgrade
<source lang="bash">
apt-get dist-upgrade
</source>
Container von systemd auf sysvinit-core umstellen
<source lang="bash">
apt-get install sysvinit-core
apt-get autoremove
apt-get install --reinstall sysvinit-core
</source>
Container neustarten:
<source lang="bash">
@HOST!
lxc-stop -n bind
lxc-start -n bind
</source>
Container mit Jessie
<source lang="bash">
grep "PRETTY" /var/lib/lxc/*/*/etc/os-release
/var/lib/lxc/bind/root/etc/os-release:PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
</source>
Bei Fehler:
<source lang="bash">
/etc/init.d/udev-finish: 21: exec: /lib/udev/udev-finish: not found
</source>
dann ein:
<source lang="bash">
apt-get remove --purge udev
</source>
== Debian 8 (Jessie) HOST mit Debian 8 (Jessie) LXC und sytemd (systemd-sysv) ==
LXC Container capabilities für systemd anpassen
<source lang="bash">
### LXC - jessie/systemd hacks // ###
lxc.autodev = 1
lxc.kmsg = 0
#!# lxc.cap.drop = sys_admin
#!# lxc.cap.drop = mknod
#!# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
#!# lxc.cap.drop = audit_write
#!# lxc.cap.drop = setfcap
#!# lxc.cap.drop = setpcap
#!# lxc.cap.drop = sys_resource
#
### lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
### lxc.cap.drop = setuid # breaks sshd,nfs statd
### lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
### lxc.cap.drop = net_raw # breaks dhcp/ping
#
### lxc.cap.drop = sys_nice
#
lxc.cap.drop = sys_module
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = sys_time
lxc.cap.drop = sys_boot
lxc.cap.drop = sys_pacct
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_tty_config
lxc.tty=2
lxc.pts = 1024
#/ lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
### // LXC - jessie/systemd hacks ###
</source>
udev (im container) disablen
<source lang="bash">
ln -s /dev/null /etc/systemd/system/systemd-udevd.service
ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket
ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
</source>
==upgrade auf systemd lxc container==
=== Container auf Jessie upgrade ===
<source lang="bash">
cat /etc/apt/sources.list
### ### ### C3D2 ### ### ###
deb http://ftp.de.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.de.debian.org/debian/ jessie main contrib non-free
deb http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
deb http://ftp.de.debian.org/debian-security/ jessie/updates main contrib non-free
deb-src http://ftp.de.debian.org/debian-security/ jessie/updates main contrib non-free
### ### ### C3D2 ### ### ###
# EOF
apt-get clean
apt-get update
apt-get upgrade
apt-get dist-upgrade
</source>
sobald "Systemdfehler" bei der Installation von dem systemd Package auftaucht, Container stoppen und mit neuer ContainerConfig starten, dann dist-upgrade fortführen
=== Beispiel: systemd kompatible LXC-Config ===
<source lang="bash">
cat /var/lib/lxc/CONTAINER/config
lxc.utsname=CONTAINER
lxc.arch=x86_64
#/ lxc.console=/var/log/lxc/mail.console
lxc.network.type=veth
lxc.network.link=br0
lxc.network.name=eth0
lxc.network.hwaddr=00:00:00:00:01:01
lxc.network.veth.pair=br0_CONTAINER
lxc.network.flags=up
lxc.network.type=veth
lxc.network.link=br1
lxc.network.name=eth1
lxc.network.hwaddr=00:00:00:00:02:01
lxc.network.veth.pair=br1_CONTAINER
lxc.network.flags=up
lxc.network.type=veth
lxc.network.link=br2
lxc.network.name=eth2
lxc.network.hwaddr=00:00:00:00:03:01
lxc.network.veth.pair=br2_CONTAINER
lxc.network.flags=up
lxc.rootfs=/var/lib/lxc/CONTAINER/root
lxc.mount.entry=proc /var/lib/lxc/CONTAINER/root/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=devpts /var/lib/lxc/CONTAINER/root/dev/pts devpts newinstance 0 0
lxc.mount.entry=sysfs /var/lib/lxc/CONTAINER/root/sys sysfs defaults 0 0
### Limits
#/ lxc.cgroup.cpu.shares = 1024
#/ lxc.cgroup.cpuset.cpus = 0
#/ lxc.cgroup.memory.limit_in_bytes = 256M
#/ lxc.cgroup.memory.memsw.limit_in_bytes = 1G
###
lxc.cgroup.memory.limit_in_bytes=536870912
### LXC - jessie/systemd hacks // ###
lxc.autodev = 1
lxc.kmsg = 0
#
#!# lxc.cap.drop = sys_admin
#!# lxc.cap.drop = mknod
#!# lxc.cap.drop = audit_control
#!# lxc.cap.drop = audit_write
#!# lxc.cap.drop = setfcap
#!# lxc.cap.drop = setpcap
#!# lxc.cap.drop = sys_resource
#
lxc.cap.drop = sys_module
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = sys_time
lxc.cap.drop = sys_boot
lxc.cap.drop = sys_pacct
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_tty_config
#
lxc.tty=2
lxc.pts = 1024
##/ lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
#### // LXC - jessie/systemd hacks ###
lxc.cgroup.devices.deny = a
# tty0
lxc.cgroup.devices.allow = c 4:0 rwm
# tty1
lxc.cgroup.devices.allow = c 4:1 rwm
# tty
lxc.cgroup.devices.allow = c 5:0 rwm
# console
lxc.cgroup.devices.allow = c 5:1 rwm
# ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
# pts/*
lxc.cgroup.devices.allow = c 136:* rwm
# null
lxc.cgroup.devices.allow = c 1:3 rwm
# zero
lxc.cgroup.devices.allow = c 1:5 rwm
# full
lxc.cgroup.devices.allow = c 1:7 rwm
# random
lxc.cgroup.devices.allow = c 1:8 rwm
# urandom
lxc.cgroup.devices.allow = c 1:9 rwm
# EOF
</source>
=== systemd reinstall ===
<source lang="bash">
apt-get install -f
apt-get dist-upgrade
apt-get install --reinstall systemd-sysv
</source>
=== udev disable ===
<source lang="bash">
ln -s /dev/null /etc/systemd/system/systemd-udevd.service
ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket
ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
</source>
Container neustarten
That's it
== rapid lxc deployment ==
; Siehe: [[rapid-lxc-deployment]]
Reference in New Issue View Git Blame Copy Permalink