This shows you the differences between two versions of the page.
docs:lxc [2013-12-09 15:45] glen iptables
docs:lxc [2015-10-05 11:15] glen
Line 4: | Line 4: | ||
**Resources** | **Resources** | ||
- | * [[http://lxc.sourceforge.net|LXC Project homepage]] | + | * [[http://linuxcontainers.org/|LXC Project homepage]] |
+ | * [[https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/|LXC 1.0 blog post series]] - must read to get quick overview what's out there | ||
* [[http://lists.linuxfoundation.org/mailman/listinfo/containers|Linux Containers mailing list]] | * [[http://lists.linuxfoundation.org/mailman/listinfo/containers|Linux Containers mailing list]] | ||
* [[http://wiki.gentoo.org/wiki/LXC|Gentoo wiki about LXC]] | * [[http://wiki.gentoo.org/wiki/LXC|Gentoo wiki about LXC]] | ||
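Review bot: the new "LXC 1.0 blog post series" bullet is ungrammatical ("must read to get quick overview what's out there"); tighten it to "a must-read for a quick overview of what is available". The swap of the sourceforge homepage for linuxcontainers.org is fine, but consider the same ordering for both columns so the two link lists stay comparable.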
Line 19: | Line 20: | ||
* 3.8+ kernel [[http://docs.docker.io/en/latest/installation/kernel/|according]] to docker devs | * 3.8+ kernel [[http://docs.docker.io/en/latest/installation/kernel/|according]] to docker devs | ||
* [[package>lxc]] package | * [[package>lxc]] package | ||
- | * cgroups mounted, use [[package>systemd]] or [[package>libcgroup]] for that. | + | * cgroups mounted, use [[package>systemd]] or [[package>libcgroup]] for that (edit and enable most groups in ///etc/cgconfig.conf// except debug) |
+ | |||
+ | <note warning>Kernels with vserver support compiled in, do not work correctly with LXC | ||
+ | |||
+ | * [[http://lists.pld-linux.org/mailman/pipermail/pld-devel-en/2014-January/thread.html#23786]] | ||
+ | * http://www.paul.sladen.org/vserver/archives/201402/0015.html | ||
+ | </note> | ||
===== Guest creation ===== | ===== Guest creation ===== | ||
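Review bot: the cgroups bullet tells the reader to enable "most groups in /etc/cgconfig.conf except debug" without naming which controllers LXC actually needs; list them, or point the reader at lxc-checkconfig, which reports the ones that are missing. In the vserver warning note the two references use different styles (a [[...]] wiki link and a bare URL); use the same form for both, and add a sentence describing what "do not work correctly" looks like so a reader can recognise the failure before chasing the threads.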
Line 32: | Line 39: | ||
'test' created | 'test' created | ||
- | # lxc-ls --fancy | + | # lxc-ls --fancy (install python3-lxc for lxc-ls) |
NAME STATE IPV4 IPV6 | NAME STATE IPV4 IPV6 | ||
----------------------------------- | ----------------------------------- | ||
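Review bot: the parenthetical "(install python3-lxc for lxc-ls)" has been placed inside the "# lxc-ls --fancy" command line of the listing, so anyone pasting the line passes the comment as arguments to lxc-ls. Move it into a sentence before the code block; the Vserver comparison table further down already states the python3-lxc requirement in its Notes column, so the two places should agree.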
Line 52: | Line 59: | ||
There are two versions of PLD available for guest systems: | There are two versions of PLD available for guest systems: | ||
- | * ac - [[:AcInfo|PLD 2.0 (Ac)]] | + | * ac - [[:ac|PLD 2.0 (Ac)]] |
- | * th - [[:ThInfo|PLD 3.0 (Th)]] | + | * th - [[:th|PLD 3.0 (Th)]] |
You may choose one using ''-R'' option: | You may choose one using ''-R'' option: | ||
Line 64: | Line 71: | ||
===== Common problems / Useful tricks ===== | ===== Common problems / Useful tricks ===== | ||
+ | |||
+ | ==== lxc-start has no output ==== | ||
+ | |||
+ | In case ''lxc-start -n test'' produces no output, ensure /dev/console is present in guest filesystem. | ||
==== lxc-stop is not graceful ==== | ==== lxc-stop is not graceful ==== | ||
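Review bot: "ensure /dev/console is present in guest filesystem" says what to check but not how to fix it; add the command that creates the node, e.g. "mknod -m 600 /path/to/rootfs/dev/console c 5 1" (character device, major 5, minor 1), and say that the path is relative to the guest rootfs rather than the host's /dev. "In case" should read "If".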
Line 92: | Line 103: | ||
Or just **do not** drop the capability. | Or just **do not** drop the capability. | ||
+ | |||
+ | ==== syslog ==== | ||
+ | |||
+ | [[package>syslog-ng]] gives following on startup: | ||
+ | |||
+ | <code> | ||
+ | # service syslog-ng restart | ||
+ | syslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted' | ||
+ | Stopping syslog-ng service.............................................................[ DONE ] | ||
+ | Starting syslog-ng service.............................................................[ DONE ] | ||
+ | </code> | ||
+ | |||
+ | **FIXME:** no solution yet | ||
===== Vserver comparision ===== | ===== Vserver comparision ===== | ||
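Review bot: the FIXME marks the syslog-ng capability error as unsolved, but the listing itself shows the service still reaching DONE, so the message is a warning rather than a startup failure; state that. The context line just above ("Or just do not drop the capability") points at the likely cause: syslog-ng tries to set capabilities that lxc.cap.drop has removed from the container. Two resolutions worth noting: start syslog-ng with its --no-caps option, which turns capability management off and silences the message, or keep the capability it needs in the container config. The heading "syslog" should be "syslog-ng" to match the package link.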
Line 103: | Line 127: | ||
**Commands:** | **Commands:** | ||
^ Vserver ^ LXC ^ Notes ^ | ^ Vserver ^ LXC ^ Notes ^ | ||
- | | vserver test enter | lxc-attach -n test -e | Use ''-e'' option with care, especially when restarting processes | | + | | vserver test enter | lxc-attach -n test | Add ''-e'' to enter with elevated privileges (ignoring ''lxc.cap.drop'') | |
| vserver test start | lxc-start -n test -d | | | vserver test start | lxc-start -n test -d | | ||
| vserver test stop | lxc-stop -n test | | | vserver test stop | lxc-stop -n test | | ||
| vserver-stat | %%lxc-ls --fancy --running%% | you need ''python3-lxc'' installed for this tool | | | vserver-stat | %%lxc-ls --fancy --running%% | you need ''python3-lxc'' installed for this tool | | ||
- | ===== Sample configs ===== | ||
- | ==== config for network ==== | ||
- | static networking, set ''VSERVER=yes'' and ''VSERVER_ISOLATION_NET=yes'' in guest ''/etc/sysconfig/system'' to disable all network configuration by guest. | + | ===== Network configs ===== |
+ | ==== general ==== | ||
- | - uses ''macvlan'' | + | static networking, set ''VSERVER=yes'' and ''VSERVER_ISOLATION_NET=yes'' in guest ''/etc/sysconfig/system'' to disable all network configuration by guest, set RC_PROMPT=no to avoid hanging startup scripts, in general it's good idea to turn off there most of things |
- | - that interface is NOT visible on host | + | |
- | - you can't filter it from host's firewall | + | |
- | - you HAVE to set mac. If not - on every container start you'll have different one (your router will not pass the traffic). | + | |
- | - iptables is initialized from lxc.hook.pre-mount hook (ran in the container's namespace and having macvlan interface visible) | + | |
+ | ==== network using macvlan in bridge mode ==== | ||
+ | - traffic from host to guest (and vice-versa) is NOT passed. external trafic works | ||
+ | - guest interface is NOT visible on host | ||
+ | - you can't filter guest straffic from host's firewall | ||
+ | - host can use seme default interface with and without guests running. | ||
+ | - one have better to set static MAC address. If not - on every container start you'll have different MAC generated and your router may have problems with passing traffic. | ||
+ | - iptables is initialized from lxc.hook.pre-mount hook (ran in the container's namespace and having guest macvlan interface visible) | ||
first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. | first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. | ||
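Review bot: the lxc-attach row now explains what "-e" does but drops the old caution ("use with care, especially when restarting processes"); keep both, since a process started through "lxc-attach -e" runs with the host's full privileges inside the container rather than the restricted set that lxc.cap.drop leaves, and anything it respawns inherits that. In the macvlan list, fix "trafic", "straffic", "seme", "one have better to set" (should be "it is better to set") and "ran in the container's namespace" (should be "run"), and "first boot ... look what the random address was assigned" needs a verb ("boot once ..., note which random address was assigned, then set it in the config"). Also mention that the reader may simply choose a fixed locally administered MAC address instead of copying a randomly generated one.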
Line 143: | Line 169: | ||
+ | ==== network using bridged veth interfaces ==== | ||
+ | |||
+ | ==== More raeding about network ==== | ||
+ | |||
+ | [[http://containerops.org/2013/11/19/lxc-networking/|Elaborate article about configuring different types of network ]] | ||
+ | ===== Sample configs ===== | ||
==== full config ==== | ==== full config ==== | ||
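Review bot: the new "network using bridged veth interfaces" section is added with an empty body; either fill it or leave it out until it has content, because an empty heading reads as if the page were complete. "More raeding" is a typo for "More reading", and the link text has a trailing space before "]]". The "===== Sample configs =====" heading removed from the previous hunk is restored here directly before "==== full config ====", which keeps the old structure intact.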