Differences

This shows you the differences between two versions of the page.

vm:proxmox:lxc [2020/05/02 21:30]
niziak
vm:proxmox:lxc [2021/02/22 08:18] (current)
niziak
Line 1: Line 1:
 ====== LXC ====== ====== LXC ======
  
-===== docker inside unprivileged LXC =====+===== rename CT ===== 
 +<code bash>pct set <​VMID>​ --hostname <​newname></​code>​
  
-Docker is recommended to be used inside VM. +===== update CT templates ​=====
- +
-From documentation:​ [[https://​pve.proxmox.com/​wiki/​Linux_Container#​pct_configuration]] +
- +
-  * edit LXC container config +
-<file | /​etc/​pve/​local/​lxc/​contained_id.conf>​ +
-features: ​ keyctl=1,nesting=+
-</​file>​ +
-  * stop/start LXC container +
-  * <code bash>​docker run hello-world</​code>​ +
- +
-==== issue ==== +
-=== VFS FS is used by docker. === +
- +
- +
-  The vfs backend is a very simple fallback that has no copy-on-write support. Each layer is just a separate directory. Creating a new layer based on another layer is done by making a deep copy of the base layer into a new directory. +
-  Since this backend doesn’t share diskspace use between layers, and since creating a new layer is a slow operation this is not a very practical backend. However, it still has its uses, for instance to verify other backends against, or if you need a super robust (if slow) backend that works everywhere. +
-  ​+
 <code bash> <code bash>
-docker info +# pveam - Proxmox VE Appliance Manager 
-... +pveam update
- ​Server Version: 19.03.8 +
- ​Storage Driver: vfs +
-...+
 </​code>​ </​code>​
  
-When restarted in privileged container: 
-NOTE: restarting in privileged container do mess with user permission. Make backup/​clone before. 
- 
-<code bash> 
-docker info 
-... 
- ​Storage Driver: aufs 
-  Root Dir: /​var/​lib/​docker/​aufs 
-  Backing Filesystem: zfs 
-  Dirs: 0 
-  Dirperm1 Supported: true 
-... 
-</​code>​ 
- 
-Solution: 
-<code bash> 
-cp /​etc/​apparmor.d/​lxc/​lxc-default-with-nesting /​etc/​apparmor.d/​lxc/​lxc-default-with-nesting-docker 
-</​code>​ 
- 
-Edit new file and update ''​profile''​ name and add some mount permissions:​ 
- 
-<​file|/​etc/​apparmor.d/​lxc/​lxc-default-with-nesting-docker>​ 
-# Do not load this file.  Rather, load /​etc/​apparmor.d/​lxc-containers,​ which 
-# will source all profiles under /​etc/​apparmor.d/​lxc 
- 
-profile lxc-container-default-with-nesting-docker flags=(attach_disconnected,​mediate_deleted) { 
-  #include <​abstractions/​lxc/​container-base>​ 
-  #include <​abstractions/​lxc/​start-container>​ 
- 
-  deny /​dev/​.lxc/​proc/​** rw, 
-  deny /​dev/​.lxc/​sys/​** rw, 
-  mount fstype=proc -> /​var/​cache/​lxc/​**,​ 
-  mount fstype=sysfs -> /​var/​cache/​lxc/​**,​ 
-  mount options=(rw,​bind),​ 
-  mount fstype=cgroup -> /​sys/​fs/​cgroup/​**,​ 
-  mount fstype=cgroup2 -> /​sys/​fs/​cgroup/​**,​ 
-  mount fstype=aufs,​ 
-  mount fstype=overlay,​ 
-} 
-</​file>​ 
  
-<code bash>​systemctl reload apparmor</​code>​+===== Shrink container disc =====
  
-Edit ''/​etc/​pve/​lxc/​${container_id}.conf''​ and append this line: +It is not supportedCommand <code bash>pct resize <​VMID>​ rootfs <​newsize>​</codecannot be used.
-<file | /etc/​pve/​lxc/​${container_id}.conf> +
-lxc.apparmor.profile: lxc-container-default-with-nesting-docker+
  
-#​lxc.apparmor.profile = unconfined +Workaround 1: 
-</file>+  * Stop container 
 +  * Edit ''​<vmid>conf''​ and set new disk size 
 +  * Perform backup 
 +  * Restore LXC from backup
  
 +Workaround 2:
 +  * Change ZFS volume size <code bash>zfs set refquota=8G rpool/​data/​subvol-810-disk-0</​code>​
 +  * Adjust LXC config:
 +    * Edit ''<​vmid>​conf''​ and set new disk size, **OR**
 +    * ''​pct rescan''​
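Review bot: Workaround 2 is missing the safety check that makes a ZFS shrink non-destructive. `zfs set refquota=8G rpool/data/subvol-810-disk-0` is accepted even when the subvolume already references more than 8G, and the container then hits ENOSPC on its next write (the CT's own services, logs and package manager fail, which is hard to diagnose from inside the guest). Before changing the quota, confirm the current usage, e.g. `zfs list -o name,used,referenced,refquota rpool/data/subvol-810-disk-0`, and only set a refquota above the `referenced` value; state this as a prerequisite step. The same applies to Workaround 1: a restore creates a fresh volume at the size written in the config, so the data in the backup must fit in the new size. Minor: both workarounds refer to `<vmid>conf`, which should read `/etc/pve/lxc/<vmid>.conf` (the `rootfs:` line's `size=` field), and the heading says "disc" where the rest of the page uses "disk". For the rename hunk, it is worth noting that `pct set <VMID> --hostname <newname>` only updates the container config; the hostname inside the guest is applied when the container is next started.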