Commit b02a7e48 authored by Greg Olsen

Add config for LXC version <= 1.0.8

Also:
  Fix some template error messages
  License LGPL v2.1 or higher
parent 4a1cb917
......@@ -6,7 +6,7 @@ Supported releases: jessie, ceres, ascii
---
## Prerequisite
## Requirements
LXC itself must first be installed and working, obviously.
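Review bot: the Requirements section still says only that LXC must be installed, but the setup steps in this commit now branch on the LXC version (>= 1.1.0 versus <= 1.0.8); state the supported versions here and tell the reader how to find theirs, for example `lxc-start --version`, so the choice in step 2 is not guesswork.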
......@@ -19,30 +19,54 @@ If your distro version is old consider downloading the latest.
## Quick Setup
1. Clone this repo:
### 1. Clone this repo:
```shell
$ cd ~
$ git clone git@git.devuan.org:gregolsen/lxc-devuan.git
```
```shell
cd ~
git clone https://git.devuan.org/gregolsen/lxc-devuan.git
```
2. Copy config and template files:
### 2. Copy config and template files:
Choose A or B depending on how LXC was installed.
Choose A or B depending on how LXC was installed.
A. LXC installed from OS distro: /usr/share/lxc
#### A. LXC installed from OS distro: /usr/share/lxc
```shell
$ cp ~/lxc-devuan/config/* /usr/share/lxc/config/
$ cp ~/lxc-devuan/templates/* /usr/share/lxc/templates/
```
Copy lxc-devuan template:
```shell
cp ~/lxc-devuan/templates/* /usr/share/lxc/templates/
```
- Based on your LXC *version*, copy **one** config below:
LXC >= 1.1.0:
```shell
cp ~/lxc-devuan/config/* /usr/share/lxc/config/
```
LXC <= 1.0.8:
```shell
cp ~/lxc-devuan/config-1.0.8/* /usr/share/lxc/config/
```
B. LXC installed locally: /usr/local/share/lxc
#### B. LXC installed locally: /usr/local/share/lxc
```shell
$ cp ~/lxc-devuan/config/* /usr/local/share/lxc/config/
$ cp ~/lxc-devuan/templates/* /usr/local/share/lxc/templates/
```
Copy lxc-devuan template:
```shell
cp ~/lxc-devuan/templates/* /usr/local/share/lxc/templates/
```
- Based on your LXC *version*, copy **one** config below:
LXC >= 1.1.0:
```shell
cp ~/lxc-devuan/config/* /usr/local/share/lxc/config/
```
LXC <= 1.0.8:
```shell
cp ~/lxc-devuan/config-1.0.8/* /usr/local/share/lxc/config/
```
That's it.
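Review bot: the version split in step 2 leaves a gap: "LXC >= 1.1.0" and "LXC <= 1.0.8" say nothing about a 1.0.x release newer than 1.0.8, so either state the rule as a single boundary (1.0.x versus 1.1 and later) or say explicitly which directory applies in between. Separately, copying into `/usr/share/lxc/config/` and `/usr/local/share/lxc/config/` needs root; the old lines at least showed a `$` prompt, the new ones show neither a prompt nor `sudo`, so say once at the top of Quick Setup that these steps are run as root. Also, `cp ~/lxc-devuan/config/* /usr/share/lxc/config/` overwrites any same-named file already present in the distro's config directory; listing the files being installed would let the reader check for collisions before copying.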
......@@ -52,26 +76,26 @@ That's it.
<br>Ex 1. Install Devuan Jessie (amd64)
```shell
$ sudo lxc-create -t devuan -n devuan-jessie-box1
```
```shell
lxc-create -t devuan -n devuan-jessie-box1
```
<br>Ex 2. Install Devuan Jessie with ZFS backingstore (amd64)
```shell
$ sudo lxc-create -t devuan -n devuan-jessie-box2 -B zfs
```
- To use *backingstore* `-B zfs` the ZFS root device is specified in `/etc/lxc/lxc.conf`:
`lxc.bdev.zfs.root = zfs/srv/lxc` <== Example ZFS root device
```shell
lxc-create -t devuan -n devuan-jessie-box2 -B zfs
```
- To use *backingstore* `-B zfs` the ZFS root device is specified in `/etc/lxc/lxc.conf`:
`lxc.bdev.zfs.root = zfs/srv/lxc` <== Example ZFS root device
<br>Ex 3. Install Devuan Jessie (i386)
```shell
$ sudo lxc-create -t devuan -n devuan-jessie32-box3 -- -a i386
```
>**Hint:**
Don't forget the double dash '--' before the --arch parameter!
```shell
lxc-create -t devuan -n devuan-jessie32-box3 -- -a i386
```
>**Hint:**
Don't forget the double dash '--' before the --arch parameter!
<br>Enjoy your new Devuan containers!
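Review bot: dropping `sudo` from the three `lxc-create` examples removes the only indication in this section that the containers are created as root, i.e. as privileged containers; keep `sudo` or add one sentence saying the examples run as root, since the same command run by a normal user produces a different (unprivileged) setup. Minor: the hint says "before the --arch parameter" while the example uses the short form `-a i386`; use the same spelling in both so the reader can match them.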
......@@ -256,12 +280,12 @@ probably already the default on your system, but you might want to check it.
<br>Ex 8. Host `/etc/resolv.conf` - generated by Host *resolvconf*
```
nameserver 127.0.0.1
nameserver 192.168.0.1
search mylandomain.com
# tail
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 127.0.0.1
nameserver 192.168.0.1
search mylandomain.com
# tail
nameserver 208.67.222.222
nameserver 208.67.220.220
```
>- First nameserver queries the local *Host* DNS cache (cached by Dnsmasq)
......@@ -287,35 +311,35 @@ with the necessary DHCP options.
<br>Ex 9. Dnsmasq config specific to *bridge lxcbr0*
```
# listen on lxcbr0 bridge address
listen-address=10.0.0.1
# listen on lxcbr0 bridge address
listen-address=10.0.0.1
# LXC dynamic range 10.0.143.1 <--> 143.254
dhcp-range=set:lxc0,10.0.143.1,10.0.143.254,255.255.0.0,24h
# LXC dynamic range 10.0.143.1 <--> 143.254
dhcp-range=set:lxc0,10.0.143.1,10.0.143.254,255.255.0.0,24h
# IP subnet 10.0/16 for STATIC /etc/ethers MAC:IP assignment
dhcp-range=set:lxc0,10.0.0.1,static,255.255.0.0,infinite
# IP subnet 10.0/16 for STATIC /etc/ethers MAC:IP assignment
dhcp-range=set:lxc0,10.0.0.1,static,255.255.0.0,infinite
# Subnet Mask (1 = option:netmask)
dhcp-option=tag:lxc0,1,255.255.0.0
# Subnet Mask (1 = option:netmask)
dhcp-option=tag:lxc0,1,255.255.0.0
# Gateway IP (3 = option:router)
dhcp-option=tag:lxc0,3,10.0.0.1
# Gateway IP (3 = option:router)
dhcp-option=tag:lxc0,3,10.0.0.1
# DNS Servers (6 = option:dns-server)
dhcp-option=tag:lxc0,6,10.0.0.1
# DNS Servers (6 = option:dns-server)
dhcp-option=tag:lxc0,6,10.0.0.1
# Domain Name (15 = option:domain-name)
dhcp-option=tag:lxc0,15,mylandomain.com
# Domain Name (15 = option:domain-name)
dhcp-option=tag:lxc0,15,mylandomain.com
# IP Forward (19 = option:ip-forwarding 0=disable 1=enable)
dhcp-option=tag:lxc0,19,0
# IP Forward (19 = option:ip-forwarding 0=disable 1=enable)
dhcp-option=tag:lxc0,19,0
# Source Routing (20 = option:? 0=disable 1=enable)
dhcp-option=tag:lxc0,20,0
# Source Routing (20 = option:? 0=disable 1=enable)
dhcp-option=tag:lxc0,20,0
# Broadcast (28 = option:broadcast 0.0.0.0 references local machine)
dhcp-option=tag:lxc0,28,10.0.255.255
# Broadcast (28 = option:broadcast 0.0.0.0 references local machine)
dhcp-option=tag:lxc0,28,10.0.255.255
```
>**NB.**
The example above is not the entire Dnsmasq configuration.
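Review bot: `listen-address=10.0.0.1` on its own makes dnsmasq answer only on the bridge address, yet Ex 8 has the host resolver pointing at `nameserver 127.0.0.1` and the bullet under it says that server is the Dnsmasq cache; unless the part of the configuration not shown here also carries `listen-address=127.0.0.1` (or an `interface=` line), host lookups against 127.0.0.1 go unanswered, so either show that line or state that it is present. Also the comment on option 20 still reads `option:?`; RFC 2132 calls option 20 "Non-Local Source Routing Enable/Disable", which is the wording to put there.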
......@@ -327,13 +351,13 @@ With Dnsmasq properly configured for DHCP on bridge lxcbr0,
<br>Ex 10. Container `/etc/resolv.conf` - generated by Container *resolvconf*
```
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.0.1
search mylandomain.com
# tail
nameserver 208.67.222.222
nameserver 208.67.220.220
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.0.1
search mylandomain.com
# tail
nameserver 208.67.222.222
nameserver 208.67.220.220
```
>- First nameserver (DHCP assigned) is the *Host* Dnsmasq (listening on lxcbr0 IP)
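Review bot: the `# tail` entries place 208.67.222.222 and 208.67.220.220 behind 10.0.0.1 in the container's resolver list; glibc only moves on to them when the first nameserver times out or errors, so if the host dnsmasq is unresponsive, container lookups for local names such as the `host-record` in Ex 11 fall through to an external resolver that does not know them, and the query leaves the bridge in the clear. Say so here, or drop the tail inside the container if `mylandomain.com` names must always resolve locally.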
......@@ -370,13 +394,13 @@ supports it (Ex. DD-WRT), DNS **A records** can be added using the **host-record
The Dnsmasq **host-record** option comes with the benefit of also adding the **PTR record**.
Router/DNS admin is beyond the scope here. However if your Router runs Dnsmasq, and you're up to
the task, below is an example Dnsmasq **host-record** for an LXC container.
Router/DNS admin is beyond the scope here. However if your Router runs Dnsmasq, and you're
up to the task, below is an example Dnsmasq **host-record** for an LXC container.
<br>Ex 11. Add DNS **A** and **PTR records** to Dnsmasq daemon on Router/DNS
```shell
host-record=devuan-jessie-box2.mylandomain.com,10.0.145.2
host-record=devuan-jessie-box2.mylandomain.com,10.0.145.2
```
<br>
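Review bot: the `host-record=` example is a dnsmasq configuration line, not a shell command, but its fence is tagged `shell`; tag it the way the other dnsmasq block on the page is (Ex 9 uses an untagged fence) so it is not mistaken for something to type at a prompt. The indentation-only change here is otherwise fine.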
......@@ -432,9 +456,9 @@ and more recently with LXC:
1. Install ethtool:
```shell
$ sudo apt-get install ethtool
```
```shell
$ sudo apt-get install ethtool
```
2. Turn off Tx checksum offloading on the LXC bridge:
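Review bot: this block keeps the `$ sudo` prefix on `apt-get install ethtool` while the Quick Setup and `lxc-create` examples earlier in this commit drop both the prompt and `sudo`; pick one convention for the README (always show `sudo`, or state once that the commands run as root) and apply it to every block.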
......@@ -444,39 +468,33 @@ and more recently with LXC:
Example 'up' command ($IFACE = bridge interface):
```shell
up /sbin/ethtool -K $IFACE tx off # <== TURN OFF TX CHECKSUM OFFLOAD
```
```shell
up /sbin/ethtool -K $IFACE tx off # <== TURN OFF TX CHECKSUM OFFLOAD
```
I manually define all my bridges.
Example bridge definition in `/etc/network/interfaces`:
```
auto lxcbr0
iface lxcbr0 inet static
pre-up brctl addbr $IFACE
address 10.0.0.1
netmask 255.255.0.0
network 10.0.0.0
broadcast 10.0.255.255
bridge_stp off # disable Spanning Tree Protocol
bridge_waitport 0 # no delay before a port becomes available
bridge_fd 0 # no forwarding delay
up ip link set $IFACE up
up /sbin/ethtool -K $IFACE tx off # <== TURN OFF TX CHECKSUM OFFLOAD
down ip link set $IFACE down
post-down brctl delbr $IFACE
```
<br>
*CentOS/RHEL/SUSE* example (**untested**):
Add to interface config `/etc/sysconfig/network/ifcfg-lxcbr0`:
```shell
ETHTOOL_OPTIONS='-K iface tx off'
```
```
auto lxcbr0
iface lxcbr0 inet static
bridge_fd 0
bridge_stp 0
bridge_ports none
address 10.0.0.1
netmask 255.255.0.0
up /sbin/ethtool -K $IFACE tx off # <== TURN OFF TX CHECKSUM OFFLOAD
```
<br>
- *CentOS/RHEL/SUSE* example (**untested**):
Add to interface config `/etc/sysconfig/network/ifcfg-lxcbr0`:
```shell
ETHTOOL_OPTIONS='-K iface tx off'
```
<br>
Other solutions include, setting an iptables rule on either the
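Review bot: the new bridge definition drops the comments that explained each option (`# disable Spanning Tree Protocol`, `# no forwarding delay`) and the `bridge_waitport 0` line without saying why; keep the comments, since the remaining `bridge_fd 0` and `bridge_stp 0` lines give the reader no way to tell what they are for. Add a verification step after the `ethtool -K $IFACE tx off` hook as well, e.g. `ethtool -k lxcbr0 | grep tx-checksumming` should show `off`; without it the reader cannot tell whether the `up` line actually ran. The `ETHTOOL_OPTIONS='-K iface tx off'` line is rightly still labelled untested and should stay so until someone confirms the `iface` placeholder is substituted on those distros.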
......@@ -542,6 +560,8 @@ perspectives have some merit.
## Release History
* 1.0.1
* Add config for LXC version <= 1.0.8
* 1.0.0
* Initial release
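Review bot: the 1.0.1 entry lists only the config for LXC <= 1.0.8, but the commit message also says template error messages were fixed and the license was set to LGPL v2.1 or higher; add both to the 1.0.1 bullet so the release history matches what this commit ships.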
......
# Default pivot location
lxc.pivotdir = lxc_putold
# Default mount entries
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
# Default console settings
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
# Default capabilities
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined
# Use a profile which allows nesting
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.mount.auto = cgroup:mixed
# Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time.
#lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting
# Default cgroup limits
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.autodev = 0
lxc.kmsg = 0
# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
# We can't move bind-mounts, so don't use /dev/lxc/
lxc.devttydir =
# Extra bind-mounts for userns
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
# Extra fstab entries as mountall can't mount those by itself
#lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
# Default seccomp policy is not needed for unprivileged containers, and
# non-root users cannot use seccmp without NNP anyway.
lxc.seccomp =
# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf
# Default mount entries
#lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
#lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
#lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
#lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined
# To support container nesting on an Ubuntu host while retaining most of
# apparmor's added security, use the following line instead.
# Use a profile which allows nesting
#lxc.aa_profile = lxc-container-default-with-nesting
# Add uncovered mounts of proc and sys, else unprivileged users
# cannot remount those
#lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0
#lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0
# Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time.
#lxc.hook.pre-start = /usr/share/lxc/hooks/squid-deb-proxy-client
# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
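Review bot: the seccomp and include paths are hardcoded to `/usr/share/lxc/config/` (`lxc.seccomp = /usr/share/lxc/config/common.seccomp`, `lxc.include = /usr/share/lxc/config/common.conf`), but the README's option B installs these files under `/usr/local/share/lxc/config/`; on such a host the policy the comment calls the blacklist for privileged containers is not where this file says it is, so the container either starts without it or fails to start depending on how that LXC version treats a missing policy file, and the include only works if the distro tree also happens to exist. Either substitute the prefix at install time or note in option B that these paths must be edited. Minor: the comment `non-root users cannot use seccmp without NNP anyway` has a typo (`seccomp`).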
......
# This derives from the global userns config
lxc.include = /usr/share/lxc/config/userns.conf
# Extra fstab entries as mountall can't mount those by itself
#lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
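Review bot: same hardcoded prefix problem: `lxc.include = /usr/share/lxc/config/userns.conf` will not resolve on an install that follows option B (`/usr/local/share/lxc`). And since this file pulls in only `userns.conf` plus the binfmt_misc bind mount, document (here as a comment or in the README) that it is meant to be included after the common config, otherwise a reader who copies just this file gets the userns overrides without the base mounts and capability drops.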