a * Lab to make things

User Tools

Site Tools



Here is how we configured a container on our brand new server (Debian 7.6)


Install required packages

aptitude install lxc

Install optional packages

aptitude install bridge-utils debootstrap

Prepare the host

Add this line to /etc/fstab

cgroup  /sys/fs/cgroup  cgroup  defaults  0   0

Try to mount it (a reboot solves an eventual “resource busy problem” in any case)

mount /sys/fs/cgroup

Check kernel configuration :

# lxc-checkconfig 
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-3.2.0-4-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

RootFS creation

Dev: the sandbox

Let's install a Debian, on a Debian. Dev is the name of a sandbox container. This is were anyone can try new things, before going to Prod. lxc-create -n dev -t debian

Then adapt network configuration in `/var/lib/lxc/dev/config` :

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0

And make it start at the server boot:

sudo ln -s /var/lib/lxc/dev/config /etc/lxc/auto/dev



Added that to `/etc/network/interfaces` on the host:

# Network setup for Linux containers network config
auto lxcbr0
iface lxcbr0 inet static
        bridge_ports none
        bridge_stp off

And restarted the network (I know, it's deprecated…): sudo service network restart


By default, dev will bridge with lxcbr0, but no IP is configured. We need to setup a DHCP server to distribute IPs to our containers.

apt-get install dnsmasq

Add a line in /etc/hosts:     dev.fabelier.org        dev

And add a file named lxc in `/etc/dnsmasq.d/`

# Listen only on lxcbr0

# Default range

# Reserved addresses


Now, we need to authorize the host to route requests from one interface to the other (activate the packet forwarding engine). Edit /etc/sysctl.conf, and uncomment the line:


Then apply to the kernel:

sudo sysctl -p /etc/sysctl.conf

Source NAT

Finally, when a packet goes on the Internet, we need to hide it behind the public IP of the server:

sudo iptables -t nat -A POSTROUTING -s -j MASQUERADE

And save it:

sudo iptables-save > /etc/iptables.up.rules

Then create a small script: /etc/network/if-pre-up.d/iptables

 /sbin/iptables-restore < /etc/iptables.up.rules

And make it executable:

 sudo chmod +x /etc/network/if-pre-up.d/iptables

First start

To start Dev manually, launch:

 sudo lxc-start -n dev -d

Remove -d to see the whole log and troubleshoot.

Now, we should be able to connect via SSH (login: root/password: root):

ssh root@dev
The authenticity of host 'dev (' can't be established.
ECDSA key fingerprint is 41:20:78:9c:e1:b8:40:a5:c6:76:fe:09:de:91:f7:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dev,' (ECDSA) to the list of known hosts.
root@dev's password:
Linux dev 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u1 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 18 20:06:17 2014 from

If it's not working, you can connect to the console directly:

 lxc-console -n dev

Press Crtl-a q to exit the console

Now, 'change the root password'


Install sudo
 #apt-get install sudo

Create another non-root account, and give it sudo rights
 #adduser toto
 #usermod -a -G sudo toto

Disable SSH root login editing the folowing line in /etc/ssh/sshd_conf:
 PermitRootLogin no


doc/lxc.txt · Last modified: 2015/02/17 22:51 by gturri