LXC Containers (a whole OS to trash)
LXC is lightweight virtualization available in Linux. You can launch another Linux OS without the baggage of a heavyweight installation like VirtualBox and big VDI images. Docker is based on LXC; the difference is that Docker is targeted at launching a single application, ready to use with minimal configuration, whereas LXC starts /sbin/init, so you get a full OS boot (without GRUB or an initramfs, of course). The kernel is the same as the host's.
Why is LXC important?
Because it can provide another OS (or the same one) for you to tamper with any way you want, without interfering with the default OMV installation or touching important configuration files in a way that can harm your webUI. Many users here in the forum complain about modifying the nginx core configuration, upgrading nginx, php or java, installing desktop applications (seriously?), outdated Debian libraries, etc. Many of them still don't realize that the distribution is for making your PC a NAS server, nothing more; yes, the plugins extend functionality and OMV has many, but sometimes they can break. An error or typo in the php code of a plugin can bring the webUI down. LXC can also be used by developers to spawn an OpenMediaVault instance for testing purposes.
The whole idea of this guide is to provide you with a full OS at bare-metal performance that will not interfere in any way with OMV, keeping your hands out of php and nginx, with no port conflicts.
In this tutorial we will configure an LXC container based on Ubuntu 16.04 using an exclusive LAN IP. Exclusive means no port forwarding (NAT), no masquerading, no global or single static route. No complaints about nginx binding to all interfaces.
One problem: at the moment the lxc version in Debian Jessie/Wheezy cannot launch unprivileged containers without heavy intervention. This means the whole virtual OS will run as root (uid 0 inside the container is uid 0 on the host, so the container's root is not isolated from the host by user mapping), whereas an unprivileged container can run as a system user or a normal user. It is up to you whether you decide to continue from here.
This tutorial is based on an OMV 3 installation, but lxc is also available for wheezy, so there should be no problem (testers welcome).
Start: Installing LXC
First we proceed to install lxc. If you have omv-extras installed then,
apt-get install lxc/jessie-backports iproute2 #Omv 3.0
apt-get install lxc/wheezy-backports iproute2 #omv 2.0
We install iproute2 because, frankly, we need to learn it: ifconfig (net-tools) is deprecated, and iproute2 is the correct userland tool for configuring the network in modern Linux.
If you don't have omv-extras installed you will need to add the wheezy or jessie backports repo.
Creating the first container:
The following command will show a list of templates for several Linux distros that can be downloaded into your OS:
lxc-create -t download -n MyCNT ## the "-n" switch sets the name assigned to the container
This is the list available at the moment:
Setting up the GPG keyring
Downloading the image index
---
DIST RELEASE ARCH VARIANT BUILD
---
alpine 3.0 amd64 default 20160528_17:50
alpine 3.1 amd64 default 20160528_17:50
alpine 3.2 amd64 default 20160528_17:50
alpine 3.3 amd64 default 20160528_17:50
alpine edge amd64 default 20160528_17:50
centos 6 amd64 default 20160529_02:16
centos 7 amd64 default 20160529_02:16
debian jessie amd64 default 20160528_22:42
debian sid amd64 default 20160528_22:42
debian stretch amd64 default 20160528_22:42
debian wheezy amd64 default 20160528_22:42
fedora 22 amd64 default 20160529_01:27
fedora 23 amd64 default 20160529_01:27
gentoo current amd64 default 20160528_14:12
opensuse 13.2 amd64 default 20160529_00:53
oracle 6 amd64 default 20160528_11:40
oracle 7 amd64 default 20160528_11:40
plamo 5.x amd64 default 20160528_21:36
plamo 6.x amd64 default 20160528_21:36
ubuntu precise amd64 default 20160528_06:39
ubuntu trusty amd64 default 20160528_03:49
ubuntu wily amd64 default 20160528_03:49
ubuntu xenial amd64 default 20160528_03:49
ubuntu yakkety amd64 default 20160528_03:49
You can also see different architectures there; for now we will focus on amd64 only, and we choose Ubuntu 16.04 (xenial):
Distribution: ubuntu
Release: xenial
Architecture: amd64
Downloading the image index
Downloading the rootfs
The lxc-create command will then download the OS template and store it in
/var/lib/lxc/MyCNT ## The Ubuntu template is about 330MB. There might be smaller ones like Alpine, but you also have Fedora, CentOS, Gentoo, Arch, etc. to choose from.
NOTE: btrfs users can create the LXC container with the btrfs backing store driver:
lxc-create -t download -n MyCNT -B btrfs
Inside you can find a file named config and a rootfs folder with the OS root tree.
The config file is where you define the network configuration, auto start, host-to-container data binds, etc. If you're familiar with Docker then you know the deal. More information here:
https://help.ubuntu.com/lts/serverguide/lxc.html
Host Network Configuration
For the container to receive a LAN IP we need to create a macvlan interface in bridge mode. For that we need to add the virtual interface to /etc/network/interfaces, and as we already know we need to do this through an OpenMediaVault mkconf script, otherwise any change in the webUI network section will overwrite our changes. We will assume the home LAN subnet is 10.10.10.0/24.
nano /usr/share/openmediavault/mkconf/interfaces.d/50_macvlan
#!/bin/sh
set -e
. /etc/default/openmediavault
. /usr/share/openmediavault/scripts/helper-functions
OMV_INTERFACES_CONFIG=${OMV_INTERFACES_CONFIG:-"/etc/network/interfaces"}
cat <<EOF >> ${OMV_INTERFACES_CONFIG}
auto macvlan0
iface macvlan0 inet dhcp
    pre-up ip link add link eth0 name macvlan0 type macvlan mode bridge
    pre-up ip link set macvlan0 address 36:41:9e:f2:16:99
    address 10.10.10.16/24
    broadcast 10.10.10.255
EOF
We run omv-mkconf interfaces and restart networking:
/etc/init.d/networking restart
Now type ip addr show; you should see all physical and virtual interfaces, including the new macvlan:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:21:97:5e brd ff:ff:ff:ff:ff:ff
inet 10.10.10.15/24 brd 10.10.10.255 scope global eth0
valid_lft forever preferred_lft forever
3: macvlan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether 36:41:9e:f2:16:99 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.16/24 brd 10.10.10.255 scope global macvlan0
valid_lft forever preferred_lft forever
Now to confirm this, use your laptop or another client and ping the macvlan IP address; you should get replies.
IMPORTANT: With this network setup your container will be able to communicate with LAN clients and vice versa, but the container will not be able to communicate over the network with the host, nor the host with the container (macvlan in bridge mode does not switch frames between the parent interface eth0 and its macvlan children). If you really want host-guest network communication you have to make the default route point at the macvlan0 virtual device and delete the eth0 route.
A network configuration for this case should look like this (the same stanza as above with the two route deletions added in front):
auto macvlan0
iface macvlan0 inet dhcp
    pre-up ip route del default
    pre-up ip route del 10.10.10.0/24
    pre-up ip link add link eth0 name macvlan0 type macvlan mode bridge
    pre-up ip link set macvlan0 address 36:41:9e:f2:16:99
    address 10.10.10.16/24
    broadcast 10.10.10.255
You should still be able to access your OMV server using the eth0 IP as well as the macvlan0 IP.
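A quick post-restart check for the two things this section asks you to verify by eye (that macvlan0 came up with its address, and which device carries the default route). This is an added example, not part of the original tutorial; the function names, the constructed sample output and the 10.10.10.16/24 address are assumptions modelled on the listing above.

```shell
#!/bin/sh
# Reads `ip addr show` output on stdin and succeeds only when macvlan0 is
# administratively UP and carries the address given as $1 (e.g. 10.10.10.16/24).
macvlan_check() {
    awk -v want="$1" '
        # Interface header lines look like "3: macvlan0@eth0: <BROADCAST,...,UP,...> ..."
        /^[0-9]+: / {
            iface = $2
            sub(/:$/, "", iface)      # strip the trailing colon
            sub(/@.*/, "", iface)     # strip the "@eth0" parent suffix
            up = ($3 ~ /[<,]UP[,>]/)  # match the UP flag itself, not LOWER_UP
        }
        iface == "macvlan0" && up && $1 == "inet" && $2 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Reads `ip route show` output on stdin and prints the device carrying the
# default route: "eth0" in the first setup, "macvlan0" after the host-to-guest variant.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Constructed sample modelled on the tutorial's `ip addr show` listing.
sample_addr_up() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 08:00:27:21:97:5e brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.15/24 brd 10.10.10.255 scope global eth0
3: macvlan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether 36:41:9e:f2:16:99 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.16/24 brd 10.10.10.255 scope global macvlan0
EOF
}

# Constructed failure case: the interface exists but never came up (no UP flag).
sample_addr_down() {
    cat <<'EOF'
3: macvlan0@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 36:41:9e:f2:16:99 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.16/24 brd 10.10.10.255 scope global macvlan0
EOF
}

# Constructed `ip route show` output for the default host setup (default via eth0).
sample_route() {
    cat <<'EOF'
default via 10.10.10.1 dev eth0
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.15
10.10.10.0/24 dev macvlan0 proto kernel scope link src 10.10.10.16
EOF
}

# Wrappers so the checks can be exercised without a live system.
check_sample_up()   { sample_addr_up   | macvlan_check 10.10.10.16/24; }
check_sample_down() { sample_addr_down | macvlan_check 10.10.10.16/24; }
route_dev_sample()  { sample_route | default_route_dev; }

# Live usage on the OMV host (needs iproute2):
#   ip addr show | macvlan_check 10.10.10.16/24 && echo "macvlan0 is up with its address"
#   ip route show | default_route_dev
```

The UP test deliberately matches the flag between delimiters so that LOWER_UP (carrier present) is not mistaken for the interface being administratively up; an interface that is plugged in but still down would otherwise pass.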
Container Network Configuration
nano /var/lib/lxc/MyCNT/config
Leave the default options except lxc.network.type = empty: comment it out with # or delete that line, then add the following to the bottom of the config:
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.flags = up
lxc.network.link = macvlan0
lxc.network.name = eth0
lxc.network.hwaddr = 00:16:3e:41:11:65
lxc.network.mtu = 1500
#lxc.start.auto = 1
The last line is optional, in case you want the container to start automatically on host boot. The hardware address can be used for a DHCP IP address reservation in the router if you want, or you can use a static IP inside the container.
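The same config edit, scripted so it can be applied repeatedly without stacking a second network stanza. This is an added example, not part of the tutorial; the function names, the constructed template excerpt and the temporary file are assumptions, while the config path, keys and the 00:16:3e:41:11:65 address are the ones used above.

```shell
#!/bin/sh
# Comment out the template's "lxc.network.type = empty" and append the macvlan
# stanza from the tutorial. Refuses to add a second stanza if one is present.
# Usage: configure_container_net /var/lib/lxc/MyCNT/config [hwaddr]
configure_container_net() {
    cfg="$1"
    hwaddr="${2:-00:16:3e:41:11:65}"   # tutorial's address; override per container

    [ -f "$cfg" ] || { echo "no such config: $cfg" >&2; return 1; }
    if grep -q '^lxc.network.type *= *macvlan' "$cfg"; then
        echo "macvlan stanza already present in $cfg, nothing to do" >&2
        return 0
    fi
    # The manual step from the text: disable the empty network definition.
    tmp="$cfg.tmp.$$"
    sed 's/^\(lxc\.network\.type *= *empty\)/#\1/' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    cat >> "$cfg" <<EOF
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.flags = up
lxc.network.link = macvlan0
lxc.network.name = eth0
lxc.network.hwaddr = $hwaddr
lxc.network.mtu = 1500
#lxc.start.auto = 1
EOF
}

# Checks used to confirm the result without starting a container.
has_macvlan_stanza()   { grep -q '^lxc.network.type = macvlan$' "$1"; }
empty_type_commented() { grep -q '^#lxc.network.type = empty' "$1" && ! grep -q '^lxc.network.type = empty' "$1"; }
stanza_count()         { grep -c '^lxc.network.type = macvlan$' "$1"; }

# Builds a constructed excerpt of a fresh download-template config in a temp
# file, applies the edit twice (the second run must be a no-op) and prints the path.
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt of a freshly downloaded template config
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.arch = x86_64
lxc.rootfs = /var/lib/lxc/MyCNT/rootfs
lxc.utsname = MyCNT
lxc.network.type = empty
EOF
    configure_container_net "$f" 00:16:3e:41:11:65 && configure_container_net "$f" 2>/dev/null
    echo "$f"
}
```

Run it against the real file as root after the template download, then lxc-start the container and confirm that a single lxc.network.type line is active; two active type lines are the usual cause of a container that starts but gets no interface.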
These templates come with no root password, so we need to create one in the template. The rootfs is a Linux root tree, so we can just chroot into it:
chroot /var/lib/lxc/MyCNT/rootfs /bin/bash
Now type passwd, enter the password twice, and exit the chroot.