This shows you the differences between two versions of the page.
linux:virtualization:lxc [2016/10/02 17:55] tkilla [Unprivileged containers]
linux:virtualization:lxc [2022/01/13 23:08] (current) tkilla [Unprivileged containers]
Line 344: | Line 344:
http://
+ FIX: original keyserver is broken! add: --keyserver hkp://
or
lxc-create -n websrv -t debian-wheezy
Start / Stop VS:
Line 356: | Line 359:
Enter VS:
lxc-console -n websrv
+ In Buster, use the lxc-download script:
+ /
+ lxc-create -t /
Line 366: | Line 375:
lxc-clone --backingstore btrfs --orig vs1 --new vs2 --snapshot
+ \\
+ ===== Mount external Dirs in Container =====
+ The recommended way is to add the mountpoint with a relative path in the VS config:
+ lxc.mount.entry=/
+ Under some circumstances it does not work (in unprivileged containers),
+ lxc.mount.entry = /home/test /
+ Also check permissions and ownership: chown to the root ID inside the container.
\\
===== btrfs snapshots =====
+ The container must be stopped for a lxc-snapshot. Use a btrfs snapshot to back up running containers (mysql may get inconsistent).
you need to create container with option
lxc-create -B btrfs -n mycontainer -t ubuntu
Line 378: | Line 404:
mv /
btrfs subvolume create /
btrfs subvolume list /
- lxc-snapshot -n webdev
# for unprivileged root container, check UID and GID of rootfs dir (here it is 100000):
chown 100000:
+ mv /
+ lxc-snapshot -n webdev
+ snapshot with comment
+ echo "
+ lxc-stop -n my-lxc-container
+ lxc-snapshot -n my-lxc-container -c snap-comment
+ rm snap-comment
* https://
Line 427: | Line 461:
lxc.id_map = g 0 100000 65536
+ in buster it's called idmap:
+ lxc.idmap = u 0 100000 65536
+ lxc.idmap = g 0 100000 65536
**shift uids to another span:**
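The idmap lines above are what decide which host id owns a file in an unprivileged container's rootfs (hence the chown to 100000 earlier on this page). This added helper, not part of the wiki page or of LXC itself, resolves container ids to host ids and back from those lines; the idmap text is constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the wiki page): resolve container ids to the host ids
# that back them, from lxc.idmap lines. With "u 0 100000 65536", container
# uid 0..65535 maps to host uid 100000..165535, which is why the rootfs of an
# unprivileged container is chowned to 100000 on the host.
# The config text is constructed inline so the script runs offline.
IDMAP_CONF='lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536'

# map_id TYPE CID: print the host id for container id CID (TYPE is u or g).
# Returns 1 when CID lies outside every mapped range, i.e. it would show up
# as nobody/nogroup inside the container. Accepts both the Buster key
# lxc.idmap and the older lxc.id_map spelling.
map_id() {
    type="$1"; cid="$2"; found=
    while read -r key _eq t cstart hstart count; do
        case "$key" in lxc.idmap|lxc.id_map) ;; *) continue ;; esac
        [ "$t" = "$type" ] || continue
        if [ "$cid" -ge "$cstart" ] && [ "$cid" -lt $((cstart + count)) ]; then
            found=$((hstart + cid - cstart))
            break
        fi
    done <<EOF
$IDMAP_CONF
EOF
    [ -n "$found" ] || return 1
    echo "$found"
}

# unmap_id TYPE HID: the reverse, for reading "ls -n" output on the host:
# host id HID -> container id, or return 1 if no range covers it.
unmap_id() {
    type="$1"; hid="$2"; found=
    while read -r key _eq t cstart hstart count; do
        case "$key" in lxc.idmap|lxc.id_map) ;; *) continue ;; esac
        [ "$t" = "$type" ] || continue
        if [ "$hid" -ge "$hstart" ] && [ "$hid" -lt $((hstart + count)) ]; then
            found=$((cstart + hid - hstart))
            break
        fi
    done <<EOF
$IDMAP_CONF
EOF
    [ -n "$found" ] || return 1
    echo "$found"
}

map_id u 0          # prints 100000: host uid owning container root's files
unmap_id g 101000   # prints 1000: host gid 101000 is gid 1000 in the container
```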
Line 438: | Line 475:
create container - use download method for unprivileged. jessie is not available, so you can upgrade wheezy and fix systemd error :(
+ FIX for download: Original keyserver is broken, add --keyserver hkp://
# error no jessie:
- lxc-create -B btrfs -n websrv -t download -- -d debian -r jessie -a amd64
+ lxc-create -B btrfs -n websrv -t download -- -d debian -r jessie -a amd64 --keyserver hkp://
# error not working with unprivileged
LANG=C SUITE=jessie MIRROR=http://
Line 523: | Line 562:
* https://
+ **systemd cgroups fuckup**
+ Could not find writable mount point for cgroup hierarchy 12 while trying to create cgroup
+ 12 is a systemd hierarchy - if you remove systemd and switch to sysvinit-core,
+ FIXME:
+ check all of systemd is gone (uninstall ii):
+ dpkg -l *systemd*
+ apt remove --purge *systemd*
+ /
+ session
+ Check, if 12 is still active:
+ cat /
+ WORKAROUND:
+ mcedit /
+ lxc.cgroup.use = @all
+ * this is helpful: https://
+ * this is not: https://
+ \\
**SSH Config**
Line 539: | Line 607:
* http://
+ or run this inside the container:
+ sed '/
FIXME maybe insecure
Line 551: | Line 623:
+ **rsyslog error**
+ TESTME
+ rsyslog doesn't start on boot and errors in syslog:
+ .. rsyslogd: imklog: cannot open kernel log(/
+ .. rsyslogd-2145:
+ Disable kernel logging in container /
+ # $ModLoad imklog
+ \\
+ ===== Move a root system into container =====
+ you can disable many services:
+ * udev: udev service (which is a hard dependency of systemd in Jessie) won't run in a container, but systemd recognized it
+ * apparmor: mounts security-fs,
+ * kmod
+ * lm-sensors
+ * dbus
+ * kbd
+ * hdparm
+ * ...
+ configuration changes
+ * various sysctl.conf options do not work inside container
+ * /
+ If you get errors like:
+ INIT: Id "
+ disable the matching line in /
+ # 5: