This is an old revision of the document!


LXC

  • /var/lib/lxc: default container location
  • /var/cache/lxc: download cache

Preparation

sudo apt-get install bridge-utils
sudo apt-get install lxc lxc-templates
sudo apt-get install cgmanager cgmanager-utils cgroup-bin
sudo lxc-checkconfig

Make sure the cgroup filesystem is mounted:

/etc/fstab
cgroup	/sys/fs/cgroup	cgroup	defaults	0	0

Basic usage

lxc-create -n test-container -t ubuntu
lxc-start -n test-container
lxc-start -n test-container --daemon
lxc-info -n test-container
lxc-attach -n test-container
lxc-console -n test-container
lxc-stop -n test-container
lxc-destroy -n test-container

Getting info

lxc-ls --fancy
lxc-info -n test-container

Bind mounts

local/share/lxc/oldgitlab/config
lxc.mount.entry = /host/some/folder container/folder none bind,create=dir,optional 0 0

===== Templates =====
Use the "ubuntu" template and pass the "-r trusty" argument to it (everything after "--" goes to the template):
<code>lxc-create -n test-container -t ubuntu --dir /home/LXC/test-container -- -r trusty -a amd64</code>

Every template can show its own help:
<code>
lxc-create -t download --help
</code>

Pass the "list images" parameter (-l) to the "download" template:
<code>
lxc-create -t download -n test-container -- -l
</code>



Available templates:
<code>
/usr/share/lxc/templates/lxc-gentoo
/usr/share/lxc/templates/lxc-centos
/usr/share/lxc/templates/lxc-oracle
/usr/share/lxc/templates/lxc-alpine
/usr/share/lxc/templates/lxc-fedora
/usr/share/lxc/templates/lxc-sshd
/usr/share/lxc/templates/lxc-altlinux
/usr/share/lxc/templates/lxc-opensuse
/usr/share/lxc/templates/lxc-download
/usr/share/lxc/templates/lxc-busybox
/usr/share/lxc/templates/lxc-ubuntu
/usr/share/lxc/templates/lxc-ubuntu-cloud
/usr/share/lxc/templates/lxc-openmandriva
/usr/share/lxc/templates/lxc-cirros
/usr/share/lxc/templates/lxc-plamo
/usr/share/lxc/templates/lxc-archlinux
/usr/share/lxc/templates/lxc-debian
</code>

===== Network =====
==== Direct bridge ====

On host: use br0 as main interface:
<file | /etc/network/interfaces>
auto eth0
iface eth0 inet static
    address 0.0.0.0

auto br0
iface br0 inet dhcp
    bridge_ports eth0
</file>

Edit the container configuration and set the bridge interface:

lxc.network.link = br0

Unprivileged containers

Create the user:

sudo useradd -s /bin/bash -c 'gitlab lxc user' -m lxcgitlab
sudo passwd lxcgitlab

Find the subuid and subgid ranges assigned to the created user:

sudo grep lxc /etc/sub{gid,uid}
/etc/subgid:lxcgitlab:165536:65536
/etc/subuid:lxcgitlab:165536:65536

Allow the new user to create network interfaces (here: up to 10 veth devices attached to br0):

/etc/lxc/lxc-usernet
lxcgitlab veth br0 10

Now log in as the new user (using ssh or su) and create the default lxc configuration in the user's home directory:

mkdir -p ~/.config/lxc
cp /etc/lxc/default.conf ~/.config/lxc/default.conf

Edit the file below and set the subuid and subgid ranges found above:

~/.config/lxc/default.conf
...
lxc.network.link = br0
lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536
...

Create the container:

lxc-create -t download -n gitlab
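As an added example (not part of the original page), a small POSIX sh helper that derives the lxc.id_map lines above from subuid/subgid entries and checks the ranges: that they start above the host's regular accounts (the 100000 floor is an assumption matching the page's values) and that no two users' ranges overlap. The subuid/subgid files are constructed inline; on a real host pass /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example, not from the original page: derive the lxc.id_map lines for a
# user from subuid/subgid entries and sanity-check the ranges before putting
# them into ~/.config/lxc/default.conf. The files are passed as arguments so
# the constructed samples below run offline; on a host use /etc/subuid and
# /etc/subgid.

# Print "start count" for user $1 from subid file $2 (format user:start:count).
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "$2"
}

# Emit the two lxc.id_map lines for user $1 ($2 = subuid file, $3 = subgid
# file); fail if either range is missing, so a typo in the user name is caught.
idmap_lines() {
    u=$(subid_range "$1" "$2"); g=$(subid_range "$1" "$3")
    if [ -z "$u" ] || [ -z "$g" ]; then
        echo "no subuid/subgid entry for $1" >&2; return 1
    fi
    set -- $u $g   # $1 $2 = uid start/count, $3 $4 = gid start/count
    printf 'lxc.id_map = u 0 %s %s\nlxc.id_map = g 0 %s %s\n' "$1" "$2" "$3" "$4"
}

# A range is usable when it starts above the host's regular accounts (the
# 100000 floor is an assumption matching the page's values) and covers the
# full 65536 ids a container expects.
range_ok() {
    [ "$1" -ge 100000 ] && [ "$2" -ge 65536 ]
}

# Two ranges (start count start count) must not overlap, otherwise root in
# one container owns files written by the other.
ranges_overlap() {
    [ "$1" -lt $(($3 + $4)) ] && [ "$3" -lt $(($1 + $2)) ]
}

# Constructed sample data matching the page's lxcgitlab entries.
SUBUID_SAMPLE=$(mktemp); SUBGID_SAMPLE=$(mktemp)
printf 'bob:100000:65536\nlxcgitlab:165536:65536\n' > "$SUBUID_SAMPLE"
printf 'bob:100000:65536\nlxcgitlab:165536:65536\n' > "$SUBGID_SAMPLE"

idmap_lines lxcgitlab "$SUBUID_SAMPLE" "$SUBGID_SAMPLE"
```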

Autostart

~/.local/share/lxc/gitlab/config
lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 100
lxc-autostart processes containers with lxc.start.auto set. It lets the user start, shutdown, kill, restart containers in the right order, waiting the right time. Supports filtering by lxc.group or just run against all defined containers. It can also be used by external tools in list mode where no action will be performed and the list of affected containers (and if relevant, delays) will be shown.

Edit the user's crontab:

crontab -e
@reboot lxc-autostart

Using systemd (not finished yet): enable lingering so the user's systemd instance is started at boot:

sudo loginctl enable-linger lxcgitlab
~/.config/systemd/user/lxc-autostart.service
...

Debug

lxc-start -n test-container
lxc-start: start.c: lxc_init: 402 failed loading seccomp policy
lxc-start: start.c: __lxc_start: 1086 failed to initialize the container
lxc-start: lxc_start.c: main: 341 The container failed to start.
lxc-start: lxc_start.c: main: 345 Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start -n test-container -l DEBUG -o debug.log
lxc-start 1460629578.157 INFO     lxc_start_ui - lxc_start.c:main:264 - using rcfile /var/lib/lxc/test-container/config
lxc-start 1460629578.158 WARN     lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
lxc-start 1460629578.159 WARN     lxc_cgmanager - cgmanager.c:cgm_get:985 - do_cgm_get exited with error
lxc-start 1460629578.159 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
lxc-start 1460629578.159 ERROR    lxc_start - start.c:lxc_init:402 - failed loading seccomp policy
lxc-start 1460629578.159 ERROR    lxc_start - start.c:__lxc_start:1086 - failed to initialize the container
lxc-start 1460629578.159 ERROR    lxc_start_ui - lxc_start.c:main:341 - The container failed to start.
lxc-start 1460629578.159 ERROR    lxc_start_ui - lxc_start.c:main:345 - Additional information can be obtained by setting the --logfile and --logpriority options.

Errors

Failed to mount cgroup

Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied

Ubuntu 14.04 ships LXC 1.0.7, which doesn't support running systemd inside the container.

You can install the LXC 1.1.4 backport available in trusty-backports, which should fix that (enable backports in /etc/apt/sources.list, then apt-get update, then apt-get -t trusty-backports install lxc), or use the stable LXC PPA at ppa:ubuntu-lxc/stable.

failed to attach 'veth'...

Start the container in foreground mode: lxc-start -n container -F

lxc-start: conf.c: instantiate_veth: 2594 failed to attach 'veth7LY5W6' to the bridge 'lxcbr0': Operation not permitted
lxc-start: conf.c: lxc_create_network: 2871 failed to create netdev
lxc-start: start.c: lxc_spawn: 1066 failed to create the network
lxc-start: start.c: __lxc_start: 1329 failed to spawn 'gitlab'

Start with debug logging:

...
lxc-start 20160418064521.427 ERROR    lxc_conf - conf.c:instantiate_veth:2594 - failed to attach 'vethSIJAS1' to the bridge 'lxcbr0': Operation not permitted
lxc-start 20160418064521.456 ERROR    lxc_conf - conf.c:lxc_create_network:2871 - failed to create netdev
lxc-start 20160418064521.456 ERROR    lxc_start - start.c:lxc_spawn:1066 - failed to create the network
lxc-start 20160418064521.456 ERROR    lxc_start - start.c:__lxc_start:1329 - failed to spawn 'gitlab'
...

For some reason lxcbr0 does not exist. Check whether lxc-net.service works correctly:

journalctl -u lxc-net.service
systemd[1]: Starting LXC network bridge setup...
lxc-net[1280]: dnsmasq: failed to create listening socket for 10.0.3.1: Address already in use
lxc-net[1280]: Failed to setup lxc-net.
grinnux2 systemd[1]: Started LXC network bridge setup.

lxc-net starts its own dnsmasq DNS server on port 53, which fails when a bind daemon is already running on the host. dnsmasq only wants to bind to the IP on the lxcbr0 interface, so check which other process is listening on port 53:

lsof -ni :53

Probably the bind daemon is listening on all interfaces. To restrict it to the host addresses, edit

/etc/bind/named.conf.options
listen-on { 127.0.0.1; 192.168.0.231; };
listen-on-v6 { none; };
systemctl restart bind9
systemctl restart lxc-net