Differences
linux:lxc [2016/04/18 10:39] – [Network] niziak
linux:lxc [2020/09/07 19:01] (current) niziak
Line 1: Line 1:
 ====== LXC ====== ====== LXC ======
-  * /var/lib/lxc default container place +  * LXC web panel: [[https://lxc-webpanel.github.io/index.html]] 
-  * /var/cache/lxc download cache+
  
 ===== Preparation ===== ===== Preparation =====
 <code bash> <code bash>
 sudo apt-get install bridge-utils sudo apt-get install bridge-utils
-sudo apt-get install lxc lxc-templates cgmanager cgroup-lite+sudo apt-get install lxc lxc-templates 
 +sudo apt-get install cgmanager cgmanager-utils cgroup-bin
 sudo lxc-checkconfig sudo lxc-checkconfig
 </code> </code>
 +
 Make sure cgroup filesystem is mounted Make sure cgroup filesystem is mounted
 +
 <file | /etc/fstab> <file | /etc/fstab>
 cgroup /sys/fs/cgroup cgroup defaults 0 0 cgroup /sys/fs/cgroup cgroup defaults 0 0
 </file> </file>
  
-===== Basic usage =====+===== LXC Files ====
  
 +==== Priviledged containers ====
 +  * /var/lib/lxc default container place
 +  * /var/cache/lxc download cache
 +
 +==== Unpriviledged containers ====
 +
 +<code text>
 +/home/user
 +├── .cache
 +│   ├── lxc
 +│       ├── download
 +│       │   └── ubuntu
 +│       │       ├── precise
 +│       │       │   └── amd64
 +│       │       └── xenial
 +│       │           └── amd64
 +│       └── run
 +│           └── lxc
 +│               └── lock
 +│                   └── home
 +├── .config
 +│   └── lxc
 +│       └── default.conf
 +├── .local
 +│   └── share
 +│       ├── lxc
 +│       │   ├── gitlab
 +│       │   │   ├── config
 +│       │   │   ├── rootfs
 +│       │   │   │   ├── bin
 +│       │   │   │   ├── boot
 +│       │   │   │   ├── dev
 +│       │   │   │   ├── etc
 +│       │   │   │   ├── ...
 +│       │   │   └── snaps
 +│       │   │       └── snap0
 +│       │   └── apache
 +│       │       ├── config
 +│       │       ├── rootfs
 +│       │       │   ├── bin
 +│       │       │   ├── boot
 +│       │       │   ├── dev
 +│       │       │   ├── etc
 +│       │       │   ├── ...
 +│       │       └── snaps
 +│       │           └── snap0
 +</code>
 +
 +===== Basic usage =====
 <code bash> <code bash>
 lxc-create -n test-container -t ubuntu lxc-create -n test-container -t ubuntu
 +lxc-create -n test-container -t ubuntu -B btrfs
 +lxc-create -n test-container -t download -B btrfs
 +lxc-destroy -n test-container
 +
 lxc-start -n test-container lxc-start -n test-container
 lxc-start -n test-container --daemon lxc-start -n test-container --daemon
-lxc-info -n test-container 
-lxc-attach -n test-container 
-lxc-console -n test-container 
 lxc-stop -n  test-container lxc-stop -n  test-container
-lxc-destroy -n test-container 
-</code> 
  
-==== Getting info ==== 
-<code bash> 
 lxc-ls --fancy lxc-ls --fancy
 lxc-info -n test-container lxc-info -n test-container
 +
 +lxc-attach -n test-container
 +lxc-console -n test-container
 +
 +lxc-snapshot -n test-container
 </code> </code>
 +
 +
 +==== Bind mounts ====
 +<file | local/share/lxc/oldgitlab/config>
 +lxc.mount.entry = /host/some/folder container/folder none bind,create=dir,optional 0 0
 +</file>
  
 ===== Templates ===== ===== Templates =====
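Review bot: the heading `===== LXC Files ====` has five `=` on the left and four on the right; DokuWiki only renders a heading when both sides match, so this line will appear as literal text. Use `===== LXC Files =====`. The two sub-headings under it spell "Priviledged"/"Unpriviledged" while the later section heading uses the correct "Unprivileged"; align them. In "Bind mounts" the file path `local/share/lxc/oldgitlab/config` is relative and names `oldgitlab`, whereas the tree above places the container at `~/.local/share/lxc/gitlab/`; use the full path. It is also worth stating that a `bind` entry in `lxc.mount.entry` exposes the host directory read-write inside the container unless `ro` is added to the options, so the host path chosen should be one the container is allowed to modify.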
Line 85: Line 145:
 Edit container configuration and set net bridge interface: Edit container configuration and set net bridge interface:
 <code>lxc.network.link = br0</code> <code>lxc.network.link = br0</code>
 +
 +
 +
 +===== Unprivileged containers =====
 +Create user:
 +<code bash>sudo useradd -s /bin/bash -c 'gitlab lxc user' -m lxcgitlab</code>
 +<code bash>sudo passwd mylxcusr</code>
 +
 +Find subuids and subgids for created user
 +<code bash>sudo grep lxc /etc/sub{gid,uid}</code>
 +<code>
 +/etc/subgid:lxcgitlab:165536:65536
 +/etc/subuid:lxcgitlab:165536:65536
 +</code>
 +
 +Allow new user create network interfaces:
 +<file | /etc/lxc/lxc-usernet>
 +lxcgitlab veth br0 10
 +</file>
 +
 +Now login as new user (using ssh or su).
 +Create default lxc configureation in user directory:
 +<code bash>
 +mkdir -p ~/.config/lxc
 +cp /etc/lxc/default.conf ~/.config/lxc/default.conf
 +</code>
 +
 +Edit file below and put subuid and subgid:
 +<file | ~/.config/lxc/default.conf>
 +...
 +lxc.network.link = br0
 +lxc.id_map = u 0 165536 65536
 +lxc.id_map = g 0 165536 65536
 +...
 +</file>
 +
 +Create container:
 +<code bash>lxc-create -t download -n gitlab</code>
 +
 +==== Snapshot ====
 +
 +  ~$ lxc-snapshot -n gitlab
 +  newgidmap: gid range [165536-165537) -> [331072-331073) not allowed
 +  error mapping child
 +  setgid: Invalid argument
 +
 +lxc-snapshow is calling ''newgidmap'' 
 +
 +   lxc-snapshot 20160426080144.153 WARN     lxc_confile - confile.c:config_pivotdir:1877 - lxc.pivotdir is ignored.  It will soon become an error.
 +   lxc-snapshot 20160426080144.153 INFO     lxc_confile - confile.c:config_idmap:1498 - read uid map: type u nsid 0 hostid 165536 range 65536
 +   lxc-snapshot 20160426080144.153 INFO     lxc_confile - confile.c:config_idmap:1498 - read uid map: type g nsid 0 hostid 165536 range 65536
 +   lxc-snapshot 20160426080144.258 WARN     lxc_confile - confile.c:config_pivotdir:1877 - lxc.pivotdir is ignored.  It will soon become an error.
 +   lxc-snapshot 20160426080144.258 INFO     lxc_confile - confile.c:config_idmap:1498 - read uid map: type u nsid 0 hostid 165536 range 65536
 +   lxc-snapshot 20160426080144.258 INFO     lxc_confile - confile.c:config_idmap:1498 - read uid map: type g nsid 0 hostid 165536 range 65536
 +   lxc-snapshot 20160426080144.377 INFO     lxcbtrfs - bdev/lxcbtrfs.c:btrfs_snapshot:306 - btrfs: snapshot create ioctl returned 0
 +   lxc-snapshot 20160426080144.397 WARN     bdev - bdev/bdev.c:bdev_copy:393 - Failed to update ownership of /home/lxcgitlab/.local/share/lxc/oldgitlab/snaps/snap2/rootfs
 +   lxc-snapshot 20160426080144.397 INFO     lxc_container - lxccontainer.c:copy_file:2622 - Error stat'ing /home/lxcgitlab/.local/share/lxc/oldgitlab/lxc_rdepends
 +   lxc-snapshot 20160426080144.398 INFO     lxc_container - lxccontainer.c:copy_rdepends:2781 - Error copying reverse dependencies
 +
 +
 +==== Autostart ====
 +
 +<file | ~/.local/share/lxc/gitlab/config>
 +lxc.start.auto = 1
 +lxc.start.delay = 5
 +lxc.start.order = 100
 +lxc.group = onboot
 +</file>
 +<code>
 +lxc-autostart  processes  containers with lxc.start.auto set. It lets the user start, shutdown, kill, restart containers in the right order, waiting the right time. Supports fil‐
 +tering by lxc.group or just run against all defined containers. It can also be used by external tools in list mode where no action will be performed and the list of affected con‐
 +tainers (and if relevant, delays) will be shown.
 +</code>
 +
 +Edit cron
 +<code bash>crontab -e</code>
 +<code>@reboot /usr/bin/lxc-autostart --all</code>
 +
 +
 +Use systemd (**not finished yet**):
 +Enable autostarting systemd for user:
 +<code>sudo loginctl enable-linger lxcgitlab</code>
 +
 +<file | ~/.config/systemd/user/lxc-autostart.service>
 +...
 +</file>
 +
 +===== Limit resources =====
 +<file | config>
 +# 512MB memory limit, 256MB soft limie - system treats it as low mem condition
 +lxc.cgroup.memory.limit_in_bytes = 512M
 +lxc.cgroup.memory.soft_limit_in_bytes = 256M
 +# total usage memory (swap+ram) limit to 1G
 +lxc.cgroup.memory.memsw.limit_in_bytes = 1G
 +
 +# arbitary value which only sets relative priority between containers
 +lxc.cgroup.cpu.shares = 100
 +
 +# restrict to use cpu core 0 and 1
 +lxc.cgroup.cpuset.cpus 0,1
 +
 +lxc.cgroup.blkio.weight 500
 +</file>
 +
 +Limiting runtime:
 +<code bash>lxc-cgroup -n test-container cpu.shares 100</code>
 +
 +<file | ~/.local/share/lxc/gitlab/config>
 +</file>
 +==== ulimit change for unpriv container ====
 +Inside container, this command fails:
 +<code bash>ulimit -n 65536</code>
 +
  
  
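Review bot: `lxc.cgroup.cpuset.cpus 0,1` and `lxc.cgroup.blkio.weight 500` in the "Limit resources" config are not in the `key = value` form every other line of the file uses; write `lxc.cgroup.cpuset.cpus = 0,1` and `lxc.cgroup.blkio.weight = 500`. Earlier in the hunk the user is created as `lxcgitlab` but the password is set with `sudo passwd mylxcusr`; use one name throughout so the subuid/subgid lookup that follows matches the account. Typos: "configureation", "lxc-snapshow", "soft limie", "arbitary". The empty `<file | ~/.local/share/lxc/gitlab/config>` block before the ulimit heading and the systemd unit left as `...` are placeholders that should be filled or dropped, and the ulimit section records the failure without a fix.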
Line 110: Line 283:
 lxc-start 1460629578.159 ERROR    lxc_start_ui - lxc_start.c:main:345 - Additional information can be obtained by setting the --logfile and --logpriority options. lxc-start 1460629578.159 ERROR    lxc_start_ui - lxc_start.c:main:345 - Additional information can be obtained by setting the --logfile and --logpriority options.
 </code> </code>
 +
 +Debug levels: ''FATAL ALERT CRIT ERROR WARN NOTICE INFO DEBUG TRACE'' \\
 +
 +Configure debug levels in config file:
 +  lxc.logfile
 +  lxc.loglevel
 +
  
 ===== Errors ===== ===== Errors =====
 +
 +==== Failed to load config for gitlab ====
 +
 +Error after system upgrade. LXC has been updated from 2.0.1 to v 3.0.1
 +
 +<code bash>
 +$ lxc-info gitlab
 +Failed to load config for gitlab
 +Failure to retrieve information on /home/lxcgitlab/.local/share/lxc:gitlab
 +</code>
 +
 +SOLUTION:
 +<code bash>
 +cd /home/lxcgitlab/.local/share/lxc/gitlab
 +lxc-update-config -c config
 +</code>
 +
 ==== Failed to mount cgroup ==== ==== Failed to mount cgroup ====
 <code> <code>
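Review bot: `lxc.logfile` and `lxc.loglevel` are listed as bare key names; show them in the `key = value` form used elsewhere on the page with one of the levels from the preceding line, e.g. `lxc.loglevel = DEBUG`, so readers know how to set them. In the "Failed to load config for gitlab" fix, `lxc-update-config -c config` rewrites the container's config file in place; suggest copying it first (e.g. `cp config config.bak`) so the pre-3.0 version can be recovered if the conversion goes wrong.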
Line 162: Line 359:
 systemctl restart lxc-net systemctl restart lxc-net
 </code> </code>
 +
 +==== umount: /dev/zero: block devices are not permitted on filesystem ====
 +During shutdown
 +<code>
 +umount: /dev/zero: block devices are not permitted on filesystem
 +umount: /dev/urandom: block devices are not permitted on filesystem
 +umount: /dev/tty: block devices are not permitted on filesystem
 +</code>
 +>Ah - this is happening because the shutdown process is trying to do a
 +>force umount.  We don't allow those (using seccom) because if the fs is
 +>a bind mount from a fuse or nfs, it'll disconnect the original mount.
 +>
 +>You can test this yourself by logging in and doing
 +>
 +>umount -f /dev/urandom
 +>
 +>versus
 +>
 +>umount /dev/urandom
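Review bot: the quoted explanation has no attribution; add who wrote it and a link to the mailing-list post or issue so readers can verify it. The section also stops without stating the outcome: whether the `umount: ... block devices are not permitted on filesystem` messages at shutdown are expected and harmless (the quote says forced umounts are deliberately blocked to protect host bind mounts from fuse or nfs) or whether something must be changed in the container. Note too that the quote spells "seccom" for seccomp; if that is the original wording, mark it as such, otherwise correct it.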