Here is how we configured a container on our brand-new server (Debian 7.6).
Install the required packages:
aptitude install lxc
Install the optional packages:
aptitude install bridge-utils debootstrap
Add this line to /etc/fstab:
cgroup /sys/fs/cgroup cgroup defaults 0 0
Try to mount it (a reboot fixes a possible "resource busy" error in any case):
mount /sys/fs/cgroup
Check the kernel configuration:
# lxc-checkconfig
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-3.2.0-4-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
Let's install a Debian, on a Debian. Dev is the name of a sandbox container: this is where anyone can try new things before going to Prod.
lxc-create -n dev -t debian
Then adapt the network configuration in `/var/lib/lxc/dev/config`:
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
And make it start at the server boot:
sudo ln -s /var/lib/lxc/dev/config /etc/lxc/auto/dev
Add this to `/etc/network/interfaces` on the host:
# Network setup for Linux containers network config
auto lxcbr0
iface lxcbr0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
And restart the network (I know, it's deprecated…):
sudo service network restart
By default, dev will bridge with lxcbr0, but no IP address is configured. We need to set up a DHCP server to distribute IP addresses to our containers.
apt-get install dnsmasq
Add a line in /etc/hosts:
10.0.0.10 dev.fabelier.org dev
And add a file named `lxc` in `/etc/dnsmasq.d/`:
# Listen only on lxcbr0
interface=lxcbr0
#bind-interfaces
# Default range
dhcp-range=10.0.0.50,10.0.0.100,1h
# Reserved addresses
dhcp-host=dev,10.0.0.10,infinite
Now we need to allow the host to route packets from one interface to the other (enable IP forwarding in the kernel). Edit /etc/sysctl.conf and uncomment the line:
net.ipv4.ip_forward=1
Then apply to the kernel:
sudo sysctl -p /etc/sysctl.conf
Finally, when a packet goes out to the Internet, we need to hide it behind the public IP address of the server (NAT masquerading):
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
And save it:
sudo iptables-save > /etc/iptables.up.rules
Then create a small script, /etc/network/if-pre-up.d/iptables, that restores the saved rules before the interfaces come up:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
And make it executable:
sudo chmod +x /etc/network/if-pre-up.d/iptables
To start Dev manually, launch:
sudo lxc-start -n dev -d
Remove -d to see the whole log and troubleshoot.
Now we should be able to connect via SSH (login: root / password: root):
ssh root@dev
The authenticity of host 'dev (10.0.0.10)' can't be established.
ECDSA key fingerprint is 41:20:78:9c:e1:b8:40:a5:c6:76:fe:09:de:91:f7:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dev,10.0.0.10' (ECDSA) to the list of known hosts.
root@dev's password:
Linux dev 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 18 20:06:17 2014 from 10.0.0.1
root@dev:~#
If it's not working, you can connect to the console directly:
lxc-console -n dev
Press Ctrl-a q to exit the console.
Now, change the root password:
# passwd
Install sudo:
# apt-get install sudo
Create another, non-root account and give it sudo rights:
# adduser toto
# usermod -a -G sudo toto
Disable SSH root login by editing the following line in /etc/ssh/sshd_config:
PermitRootLogin no