Getting started with LXC
January 24, 2017 —
BarryK
My venture into containers continues. Yesterday I posted some preliminary notes, and a quick look at Firejail:
http://bkhome.org/news/201701/containers-for-quirky.html
LXC is, as far as I can determine, the officially supported Linux kernel mechanism for containers. The website for LXC is here:
https://linuxcontainers.org/
Kernel config
None of my previous kernels for Quirky have namespaces and cgroups support. For my experiments with namespaces and cgroups, I have compiled the 4.4.44 kernel with these settings:
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
# CONFIG_CGROUP_FREEZER is not set
# CONFIG_CGROUP_PIDS is not set
CONFIG_CGROUP_DEVICE=y
# CONFIG_CPUSETS is not set
# CONFIG_CGROUP_CPUACCT is not set
# CONFIG_MEMCG is not set
# CONFIG_CGROUP_PERF is not set
# CONFIG_CGROUP_SCHED is not set
# CONFIG_BLK_CGROUP is not set
# CONFIG_CHECKPOINT_RESTORE is not set
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
Note that for cgroups, I only enabled CONFIG_CGROUP_DEVICE, as that is the only one that interests me, for now. Was that a bad decision? Maybe I should have enabled more, but I can do so in future.
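As an added example that is not from the post, here is a small shell check that reports which of the kernel options lxc-checkconfig tests for are absent from a .config, so its "missing" lines can be traced back to CONFIG_ names before rebuilding; the mapping from lxc-checkconfig's labels to options such as CONFIG_DEVPTS_MULTIPLE_INSTANCES, CONFIG_VETH and CONFIG_BRIDGE is assumed here, and the sample .config is constructed from the settings listed above.

```shell
#!/bin/sh
# Added example, not from the post: report which of the kernel options that
# lxc-checkconfig tests for are missing from a kernel .config.
# Usage: lxc_kconfig_missing /path/to/.config
# (for the running kernel: zcat /proc/config.gz > /tmp/cfg first).

# Namespace and cgroup options from the post, plus the ones lxc-checkconfig
# reported missing (the CONFIG_ names for those are assumed here).
LXC_KCONFIG_WANTED="CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_USER_NS
CONFIG_PID_NS CONFIG_NET_NS CONFIG_CGROUPS CONFIG_CGROUP_DEVICE
CONFIG_CGROUP_SCHED CONFIG_CGROUP_CPUACCT CONFIG_MEMCG CONFIG_CPUSETS
CONFIG_DEVPTS_MULTIPLE_INSTANCES CONFIG_VETH CONFIG_MACVLAN CONFIG_VLAN_8021Q
CONFIG_BRIDGE"

# Print each wanted option that is neither =y nor =m, one per line; an
# empty result means the config covers everything in the list.
lxc_kconfig_missing() {
    for opt in $LXC_KCONFIG_WANTED; do
        grep -q "^${opt}=[ym]\$" "$1" || echo "$opt"
    done
}

# Constructed sample .config holding the settings from the post, written to
# a temp file whose name is printed.
sample_kconfig() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_CGROUPS=y
CONFIG_CGROUP_DEVICE=y
# CONFIG_CPUSETS is not set
# CONFIG_MEMCG is not set
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
EOF
    echo "$f"
}
```

Run against the sample it lists the nine options that lxc-checkconfig later reports as missing (the extra cgroup controllers, multiple devpts instances and the veth/macvlan/vlan/bridge network drivers).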
LXC 2.0.6
The Ubuntu DEB has a huge number of dependencies, so I compiled lxc version 2.0.6 from source, using this very cut-down config:
# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --build=x86_64-pc-linux-gnu --with-distro=slackware --disable-lua --enable-bash --disable-python --disable-selinux --disable-apparmor
This is the report:
Environment:
- compiler: gcc
- distribution: slackware
- init script type(s):
- rpath: no
- GnuTLS: yes
- Bash integration: yes
Security features:
- Apparmor: no
- Linux capabilities: yes
- seccomp: no
- SELinux: no
- cgmanager: no
Bindings:
- lua: no
- python3: no
Documentation:
- examples: yes
- API documentation: no
- user documentation: no
Debugging:
- tests: no
- mutex debugging: no
Paths:
- Logs in configpath: no
After installation of LXC, I ran "lxc-checkconfig", and it reported:
# lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: missing
--- Control groups ---
Cgroup: enabled
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: missing
Cgroup cpu account: missing
Cgroup memory controller: missing
Cgroup cpuset: missing
--- Misc ---
Veth pair device: missing
Macvlan: missing
Vlan: missing
Bridges: missing
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled
--- Checkpoint/Restore ---
checkpoint restore: missing
CONFIG_FHANDLE: missing
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: missing
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: missing
CONFIG_NETLINK_DIAG: missing
File capabilities: enabled
What is not shown above is that the line "Cgroup namespace: required" has "required" in red text, indicating that something is amiss.
After googling around, I couldn't determine the exact cause of this "required", beyond lots of people asking the same question, but I did find the statement "This one should be fine to ignore" here:
https://lists.linuxcontainers.org/pipermail/lxc-users/2011-September/002613.html
Anyway, a quick little test, to see if I can create a basic container. It has to be created from files from the host system, and for this there are templates:
# ls /usr/share/lxc/templates
lxc-alpine lxc-centos lxc-fedora lxc-oracle lxc-sshd
lxc-altlinux lxc-cirros lxc-gentoo lxc-plamo lxc-ubuntu
lxc-archlinux lxc-debian lxc-openmandriva lxc-slackware lxc-ubuntu-cloud
lxc-busybox lxc-download lxc-opensuse lxc-sparclinux
I will give the busybox template a go:
# lxc-create -n mycontainer -t busybox
lxc-create: lxccontainer.c: do_create_container_dir: 972 No such file or directory - failed to create container path /var/lib/lxc/mycontainer
lxc-create: tools/lxc_create.c: main: 318 Error creating container mycontainer
...hmmm. I manually created /var/lib/lxc, then tried again:
# lxc-create -n mycontainer -t busybox
setting root password to "root"
'dropbear' ssh utility installed
Yes, works, and it is even chrootable:
# chroot /var/lib/lxc/mycontainer/rootfs /bin/sh
# ls
bin etc lib mnt root selinux tmp var
dev home lib64 proc sbin sys usr
# exit
However, there are a lot of lxc-* utilities, so I can use those to get into my container.
Using this webpage as a getting-started guide:
https://www.unixmen.com/setup-linux-containers-using-lxc-on-ubuntu-15-04/
It seems that we have to "start" a container first, before we can log into it:
# lxc-start -n mycontainer -d
lxc-start: tools/lxc_start.c: main: 360 The container failed to start.
lxc-start: tools/lxc_start.c: main: 362 To get more details, run the container in foreground mode.
lxc-start: tools/lxc_start.c: main: 364 Additional information can be obtained by setting the --logfile and --logpriority options.
Using the foreground option:
# lxc-start -n mycontainer -F
lxc-start: cgroups/cgfs.c: cgfs_init: 2359 cgroupfs failed to detect cgroup metadata
lxc-start: start.c: lxc_spawn: 1093 Failed initializing cgroup support.
...cgroups. I am at the bottom of the learning curve with cgroups, so I had better read up on that next. Obviously, there is something I have to initialize.
Well, at the bottom of the learning curve with namespaces and containers also!
But, one step at a time, will get there.
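As an added example that is not part of the post, here is the check LXC 2.0's cgfs_init is effectively making (which cgroup hierarchies are mounted, read from a file in /proc/self/mountinfo format) next to the mounts that satisfy it. The sample inputs are constructed to match this kernel, where only the devices controller exists, and the one-hierarchy-per-controller layout under /sys/fs/cgroup is assumed to be what this LXC build expects.

```shell
#!/bin/sh
# Added example, not from the post: list the cgroup (v1) hierarchies that are
# mounted, which is what lxc-start's cgfs_init looks for, and mount one per
# controller under /sys/fs/cgroup when none are.
# Controllers of every cgroup mount in a mountinfo-format file. After the
# " - " separator come fstype, source and super-options; for a cgroup mount
# the super-options name the controllers (e.g. "rw,devices").
cgroup_controllers_mounted() {
    awk '{
        sep = index($0, " - ")
        if (sep == 0) next
        split(substr($0, sep + 3), rest, " ")
        if (rest[1] != "cgroup") next
        n = split(rest[3], opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] != "rw" && opt[i] != "ro" && opt[i] !~ /^release_agent=/)
                print opt[i]
    }' "$1"
}
# Controllers the kernel offers: /proc/cgroups rows with enabled == 1. With
# the kernel config from the post this is only "devices".
cgroup_controllers_available() {
    awk '$1 !~ /^#/ && $4 == 1 { print $1 }' "$1"
}
# Mount a tmpfs at /sys/fs/cgroup and one hierarchy per available controller
# beneath it, the layout LXC 2.0 expects. Needs root; the samples below do
# not call it.
mount_cgroups() {
    root=${1:-/sys/fs/cgroup}
    grep -qs " $root " /proc/mounts || mount -t tmpfs -o mode=755 cgroup_root "$root"
    for c in $(cgroup_controllers_available /proc/cgroups); do
        mkdir -p "$root/$c"
        grep -qs " $root/$c " /proc/mounts || mount -t cgroup -o "$c" cgroup "$root/$c"
    done
}
# Constructed sample inputs (not captured from a real host): a mountinfo with
# only the devices hierarchy mounted, and a matching /proc/cgroups. Each
# function writes a temp file and prints its name.
sample_mountinfo() {
    f=$(mktemp)
    printf '%s\n' '18 23 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw' \
        '26 25 0:21 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices' > "$f"
    echo "$f"
}
sample_proc_cgroups() {
    f=$(mktemp)
    printf '#subsys_name hierarchy num_cgroups enabled\ndevices 1 1 1\n' > "$f"
    echo "$f"
}
```

On a host where cgroup_controllers_mounted /proc/self/mountinfo prints nothing, the "cgroupfs failed to detect cgroup metadata" error above is the expected result, and running mount_cgroups as root before lxc-start supplies what it is looking for.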
Comments
Regarding my earlier post about increasing the efficiency of containers, by using a shared rootfs using overlayfs (or aufs), can we do this with LXC? Yes, it seems so. Haven't tried it yet, but here are some links, to look at later:
https://lists.linuxcontainers.org/pipermail/lxc-users/2013-June/005283.html
http://unix.stackexchange.com/questions/56953/squashfs-image-as-rootfs-in-lxc
https://the.binbashtheory.com/using-overlayfs-with-lxc/
The second one looks most relevant, as it shows how to set up a squashfs file as the bottom layer. This is what we want, using "q.sfs".