[GUIDE] LXC Containers [Not breaking OpenMediaVault] DO NOT ENABLE YET

    • Official post

    LXC Containers (a whole OS to trash)

    LXC is lightweight, container-based virtualization built into Linux. You can launch another Linux OS without the baggage of a heavyweight hypervisor like VirtualBox and big VDI images. Docker was originally built on LXC; the difference is that Docker targets launching a single application, ready to use with minimal configuration, whereas LXC starts /sbin/init, so you get a full OS boot (without GRUB or an initramfs, of course). The kernel is shared with the host, which is also the limit of the isolation: a container never gets a kernel of its own.


    Why is LXC important?

    Because it provides another OS (or the same one) that you can tamper with any way you want, without interfering with the default OMV installation or touching important configuration files that can harm your web UI. Many users here in the forum complain after modifying the nginx core configuration, upgrading nginx, php or java, installing desktop applications (seriously?), outdated Debian libraries, etc. Many of them still don't realize that the distribution is for turning your PC into a NAS server, nothing more; yes, the plugins extend functionality and OMV has many, but sometimes they can break. An error or typo in the php code of a plugin can bring the web UI down. Developers can also use LXC to spawn an OpenMediaVault instance for testing purposes.


    The whole idea of this guide is to provision you with a full OS, running at near bare-metal speed, that does not interfere in any way with OMV: hands off php and nginx, and no port conflicts.


    In this tutorial we will configure an LXC container based on Ubuntu 16.04 using an exclusive LAN IP: yes, exclusive, no port forwarding (NAT), no masquerading, no global or single static route. No more complaints about nginx binding to all interfaces.


    One problem: at the moment the lxc version in Debian Jessie/Wheezy cannot launch unprivileged containers without heavy intervention. This means the whole virtual OS runs as root, whereas an unprivileged container can run as a system user or a normal user. Be clear about what that means: in a privileged container, uid 0 inside is uid 0 on the host, so anything the container can reach through a bind mount, a device node or a kernel bug, it reaches as the host's root. Treat the container as a convenient place to break your own software, not as a security boundary against code you don't trust. It is up to you whether you continue from here.


    This tutorial is based on an OMV 3 installation, but lxc is also available for wheezy, so there should be no problem (testers welcome).


    Start: Installing LXC

    First we install lxc. If you have omv-extras installed, then:


    apt-get install lxc/jessie-backports iproute2 #Omv 3.0
    apt-get install lxc/wheezy-backports iproute2 #omv 2.0


    We install iproute2 because frankly we need to learn it: ifconfig (net-tools) is deprecated, and iproute2 is the correct userland tool for configuring the network on modern Linux.


    If you don't have omv-extras installed, you will need to add the wheezy or jessie backports repo yourself.


    Creating first container:

    The following command shows a list of templates of several Linux distros that can be downloaded into your OS:


    lxc-create -t download -n MyCNT ## the "-n" switch is the name assigned to the container


    The command prints the list of images available at the moment. You can see different arches there too; for now we focus on amd64 only, and we choose ubuntu 16.04:


    Code
    Distribution: ubuntu
    Release: xenial
    Architecture: amd64
    
    
    Downloading the image index
    Downloading the rootfs


    lxc-create will start downloading the OS template; it is stored under


    /var/lib/lxc/MyCNT ## the Ubuntu template is about 330MB. There may be smaller ones like Alpine, and Fedora, CentOS, Gentoo, Arch, etc. are also available to choose from


    NOTE: btrfs users can create the LXC container with the btrfs backing store:


    lxc-create -t download -n MyCNT -B btrfs


    Inside you will find a file named config and a rootfs folder with the OS root tree.


    The config file is where you define the network configuration, autostart, host-to-container bind mounts, etc. If you're familiar with Docker then you know the deal. More information here:


    https://help.ubuntu.com/lts/serverguide/lxc.html


    Host Network Configuration


    For the container to receive a LAN IP we need to create a macvlan interface in bridge mode on top of the host's NIC. For that we add the virtual interface to /etc/network/interfaces and, as we already know, on OpenMediaVault this has to be done through an omv-mkconf hook script, otherwise any change in the web UI network section will overwrite it. Note that macvlan needs a wired NIC: most Wi-Fi drivers refuse to carry frames for additional MAC addresses. We will assume the home LAN subnet is 10.10.10.0/24.


    nano /usr/share/openmediavault/mkconf/interfaces.d/50_macvlan



    We run omv-mkconf interfaces and restart networking:


    /etc/init.d/networking restart


    Now type ip addr show; you should see all physical and virtual interfaces, including the new macvlan.





    Now, to confirm this, use your laptop or another client and start pinging the macvlan IP address; you should get replies.


    IMPORTANT: With this network setup your container will be able to communicate with LAN clients and vice versa, but the container will not be able to talk to the host over the network, and vice versa. That is how macvlan bridge mode works: the parent interface cannot see its own macvlan children. If you really want host-to-guest network communication you have to move the "default" route to the macvlan0 virtual device and delete the eth0 routes, so that the host's own traffic also leaves through macvlan0. Do this from the local console, not over SSH: the pre-up lines below delete the host's routes before macvlan0 has an address, and if DHCP on macvlan0 fails you are locked out until you fix it.
    A network configuration for this case should look like:


    Code
    auto macvlan0
    iface macvlan0 inet dhcp
      pre-up ip route del default
      pre-up ip route del 10.10.10.0/24
      pre-up ip link add link eth0 name macvlan0 type macvlan mode bridge


    You should be able to still access your omv server using the eth0 ip as well as macvlan0 ip.
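    The 50_macvlan hook itself is not reproduced on this page, so here is one way to write it, as an added example that is not part of the original post. It generates the stanza in both forms discussed above (LAN-only, and the host-reachable variant that moves the default route) and assumes the parent NIC is eth0, the LAN is 10.10.10.0/24, and that the hook follows the OMV_INTERFACES_CONFIG convention of the sibling scripts in that directory; check the other scripts there before trusting that last assumption. Run by hand under any other name it only prints the stanza; installed as 50_macvlan it appends to the interfaces file that omv-mkconf is building.

```shell
#!/bin/sh
# Added example (not from the original post): generator for the macvlan0
# stanza that an OMV mkconf hook appends to /etc/network/interfaces.
# Assumptions: parent NIC eth0, LAN 10.10.10.0/24, and the
# OMV_INTERFACES_CONFIG convention of the other interfaces.d scripts.
set -eu

# macvlan_stanza PARENT NAME HOST_REACH LAN_CIDR
#   HOST_REACH=no  : container reachable from LAN clients only (guide default)
#   HOST_REACH=yes : also move the host's default and LAN routes onto the
#                    macvlan so host and container can talk to each other
macvlan_stanza() {
    parent=$1 name=$2 host_reach=$3 lan=$4
    printf 'auto %s\n' "$name"
    printf 'iface %s inet dhcp\n' "$name"
    if [ "$host_reach" = yes ]; then
        printf '  pre-up ip route del default\n'
        printf '  pre-up ip route del %s\n' "$lan"
    fi
    # "ip link show || ip link add": a second ifup must not fail because the
    # link already exists (ifupdown runs pre-up lines through sh -c)
    printf '  pre-up ip link show %s >/dev/null 2>&1 || ip link add link %s name %s type macvlan mode bridge\n' \
        "$name" "$parent" "$name"
    # remove the virtual link again on ifdown so the stanza is reversible
    printf '  post-down ip link del %s\n' "$name"
}

# Installed as .../mkconf/interfaces.d/50_macvlan this runs under omv-mkconf
# with no arguments and appends to the interfaces file being generated.
# Under any other name it only prints the stanza for inspection.
case "$(basename "$0")" in
    50_macvlan)
        # assumption: same defaults-file convention as the sibling hooks
        [ -r /etc/default/openmediavault ] && . /etc/default/openmediavault
        macvlan_stanza eth0 macvlan0 "${MACVLAN_HOST_REACH:-no}" 10.10.10.0/24 \
            >> "${OMV_INTERFACES_CONFIG:-/etc/network/interfaces}"
        ;;
esac
```

    Set MACVLAN_HOST_REACH=yes in the environment of omv-mkconf (or hard-code it in the hook) only if you need host-to-container traffic; the default keeps the host's routing untouched.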

    Container Network Configuration


    nano /var/lib/lxc/MyCNT/config


    Leave the default options, except lxc.network.type = empty: comment it out with # or delete that line, then add to the bottom of the config:


    Code
    lxc.network.type = macvlan
    lxc.network.macvlan.mode = bridge
    lxc.network.flags = up
    lxc.network.link = macvlan0
    lxc.network.name = eth0
    lxc.network.hwaddr = 00:16:3e:41:11:65
    lxc.network.mtu = 1500
    
    
    #lxc.start.auto = 1


    The last line is optional, in case you want the container to start automatically on host boot. The hardware address can be used for a DHCP reservation in the router if you want, or you can use a static IP inside the container. Pick a unique one per container: two containers with the same MAC on the same LAN will fight over one DHCP lease.


    These templates come with no root password, so we have to set one. The rootfs is a plain Linux root tree, so we can just chroot into it:


    chroot /var/lib/lxc/MyCNT/rootfs /bin/bash


    Now type passwd, enter the password twice, and exit the chroot.
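    As an added example that is not part of the original post, here are the container-side steps above as shell functions, so they can be repeated for the next container without hand-editing: switch the config from "empty" networking to the macvlan stanza, pick a MAC in the 00:16:3e range that LXC uses for its own generated addresses, set root's password without an interactive chroot session, and check whether the container is privileged (the caveat from the introduction). It assumes the LXC 1.x/2.x config keys (lxc.network.*, lxc.id_map) that the jessie-backports package uses; the function names are mine. The password helper must run as root on the host and reads the password from standard input, so call it with no pipe and type the password at the prompt rather than putting it on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the container
# config and root-password steps. Assumes LXC 1.x/2.x config keys; the
# function names and CONFIG/ROOTFS arguments are this example's own.
set -eu

# Random unicast MAC with the 00:16:3e prefix that LXC templates use.
lxc_random_hwaddr() {
    printf '00:16:3e%s\n' "$(od -An -N3 -tx1 /dev/urandom | tr -d ' \n' | sed 's/../:&/g')"
}

# lxc_set_macvlan CONFIG LINK HWADDR: comment out "lxc.network.type = empty"
# and append the macvlan stanza from the guide, bound to host interface LINK.
lxc_set_macvlan() {
    cfg=$1 link=$2 hwaddr=$3
    sed -i 's/^\(lxc\.network\.type[[:space:]]*=[[:space:]]*empty\)/#\1/' "$cfg"
    cat >> "$cfg" <<EOF

# macvlan onto the host's $link: the container gets its own LAN address
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.flags = up
lxc.network.link = $link
lxc.network.name = eth0
lxc.network.hwaddr = $hwaddr
lxc.network.mtu = 1500
EOF
}

# lxc_is_privileged CONFIG: true when the config has no uid/gid mapping,
# i.e. uid 0 inside the container is uid 0 on the host.
# (the key is lxc.id_map in LXC 1.x/2.x and lxc.idmap in 3.x)
lxc_is_privileged() {
    ! grep -Eq '^[[:space:]]*lxc\.(id_map|idmap)[[:space:]]*=' "$1"
}

# lxc_set_root_password ROOTFS: reads the new password from stdin and sets
# it with chpasswd inside a chroot, so it never appears as a command-line
# argument in ps. Must run as root on the host.
lxc_set_root_password() {
    rootfs=$1
    IFS= read -r pw
    printf 'root:%s\n' "$pw" | chroot "$rootfs" chpasswd
}

# Usage on the OMV host (not executed here):
#   hw=$(lxc_random_hwaddr)
#   lxc_set_macvlan /var/lib/lxc/MyCNT/config macvlan0 "$hw"
#   lxc_is_privileged /var/lib/lxc/MyCNT/config && echo "privileged: root inside == root on host"
#   lxc_set_root_password /var/lib/lxc/MyCNT/rootfs   # then type the password and press Enter
```

    Keep the printed hwaddr: it is the value to use for a DHCP reservation in the router, and it tells you which lease belongs to which container in lxc-ls -f.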


    Starting the container

    We will start the container in foreground mode so you can see the full OS boot:


    lxc-start -n MyCNT -F



    There we go. Now let's check networking. The container's /etc/network/interfaces comes with dhcp by default, so:


    ip addr show



    Let's check networking again from the LAN: start pinging the new address 10.10.10.14; hopefully you get replies. Then from inside the container:


    ping 8.8.8.8 ## Test wan routing connectivity


    ping www.google.com ## Check DNS resolving


    To shut down the container just run poweroff inside it.


    Now we can start the container in daemon mode:


    lxc-start -n MyCNT


    That's it. Now list the containers:


    lxc-ls -f 


    Code
    NAME         STATE   AUTOSTART GROUPS IPV4        IPV6 
    MyCNT        RUNNING 0         -      10.10.10.14 -    
    my-container STOPPED 0         -      -           -    
    stretch      STOPPED 0         -      -           -


    Now let's attach to the running container:
    lxc-attach -n MyCNT


    or, if you want a login prompt:


    lxc-console -n MyCNT


    Root login is not enabled on the tty by default, so either create a user or change the container's tty login policy.


    So inside you can install nginx, mysql, java, etc., modify sources.list, add debian, devuan or ubuntu PPA repos, chmod 777 -R /, whatever comes to your imagination.


    Now, before we start putting our dirty hands on this new pristine server, we should make a copy first. LXC comes with lxc-snapshot, which can generate a copy of it. At the time of writing I could not figure out a proper way to handle this. Basically there is the lxc-copy snapshot command (lxc-copy is the replacement for lxc-clone) that generates an overlay with the changes. Unfortunately installing software inside the snapshotted container fails in dpkg. If someone wants to contribute here, more than welcome.


    So for non-btrfs users, let's tar out a copy of the container (stop it first so the copy is consistent):


    lxc-stop -n MyCNT
    tar --numeric-owner -C /var/lib/lxc -czf /var/lib/lxc/MyCNT.tar.gz MyCNT ## -C gives a relative archive instead of the "Removing leading /" warning; --numeric-owner keeps the container's own uids/gids instead of mapping them through the host's /etc/passwd


    Using the btrfs driver:


    lxc-snapshot -n MyCNT


    Snapshots will be stored in /var/lib/lxc/MyCNT/snaps/snap0/rootfs
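    An added example, not from the original post, that wraps the tar approach for non-btrfs users into a backup function and a restore that can land under a new name: after a plain extract the copy's config would still point at the old rootfs path and hostname, and a byte-for-byte copy would bring the original's MAC onto the LAN next to it. It assumes the default /var/lib/lxc path and the LXC 1.x/2.x config keys (lxc.rootfs, lxc.utsname, lxc.network.hwaddr); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): stop-then-tar backup of a
# container directory and a restore that can land under a new name.
# Assumes LXC_PATH=/var/lib/lxc and LXC 1.x/2.x config keys; the function
# names are this example's own.
set -eu
LXC_PATH=${LXC_PATH:-/var/lib/lxc}

# backup_container NAME [DEST_DIR]: archive $LXC_PATH/NAME as NAME.tar.gz.
# The container is stopped first: tarring a running rootfs gives an
# inconsistent copy. --numeric-owner stores the container's own uids/gids
# instead of translating them through the host's /etc/passwd.
backup_container() {
    name=$1 dest=${2:-$LXC_PATH}
    if lxc-info -n "$name" -s 2>/dev/null | grep -q RUNNING; then
        lxc-stop -n "$name"
    fi
    tar --numeric-owner -C "$LXC_PATH" -czf "$dest/$name.tar.gz" "$name"
}

# restore_container ARCHIVE NEWNAME: unpack into $LXC_PATH/NEWNAME. When the
# name changes, fix the rootfs path and hostname in the config and give the
# copy a fresh MAC so it can run next to the original without the two
# containers sharing one DHCP lease.
restore_container() {
    archive=$1 new=$2
    old=$(tar -tzf "$archive" | head -n 1 | cut -d/ -f1)
    if [ -e "$LXC_PATH/$new" ]; then
        echo "refusing to overwrite existing $LXC_PATH/$new" >&2
        return 1
    fi
    mkdir -p "$LXC_PATH/$new"
    tar --numeric-owner -C "$LXC_PATH/$new" --strip-components=1 -xzf "$archive"
    if [ "$old" != "$new" ]; then
        # same 00:16:3e range LXC itself uses for generated addresses
        newhw=$(printf '00:16:3e%s' "$(od -An -N3 -tx1 /dev/urandom | tr -d ' \n' | sed 's/../:&/g')")
        sed -i \
            -e "s|/$old/rootfs|/$new/rootfs|g" \
            -e "s/^\(lxc\.utsname[[:space:]]*=\).*/\1 $new/" \
            -e "s/^\(lxc\.network\.hwaddr[[:space:]]*=\).*/\1 $newhw/" \
            "$LXC_PATH/$new/config"
    fi
}

# Usage on the OMV host (not executed here):
#   backup_container MyCNT /srv/backups
#   restore_container /srv/backups/MyCNT.tar.gz MyCNT-test   # a scratch copy
```

    Restoring under the original name after deleting the broken container is the rollback path; restoring under a new name gives you a scratch copy to experiment in while the original keeps running.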
