LXC - Linux Containers

Resources

Basic setup

Physical host has to have a network bridge

On physical host, in /etc/lxc/default.conf:

lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up

If using OpenVPN in container, config also needs:

lxc.hook.autodev = sh -c "modprobe tun ; cd ${LXC_ROOTFS_MOUNT}/dev ; mkdir net ; mknod net/tun c 10 200 ; chmod 0666 net/tun"
lxc.cgroup.devices.allow = c 10:200 rwm

Create container: lxc-create -n lxcguest -t /usr/share/lxc/templates/lxc-freeslack
Edit container's config and:
- Set MAC for virtual NIC: lxc.network.hwaddr = DE:AD:BE:EF:00:00
- Change location(s) of mount(s), if needed
- Change container's /etc/rc.d/rc.inet1.conf
Start container: lxc-start -n lxcguest -d
Connect to container's console: lxc-console -n lxcname
Default login/password is root/root
Packages to add:
- glibc-i18n
- groff
- man
- ksh93
- vim
- less
- rsync
- perl
- python
- python-setuptools
- sudo
- db48
- gnupg
- gnupg2
- curl
- guile
- gc
- make
- nmap
- libunistring
- libffi
- git

Unprivileged

Prerequisites
Create standard root-privileged container
Remap that container's owner & group numbers to the user's subuid & subgid
Move the container into the user's file space
Run the unprivileged container

Prerequisites

Ensure the libcgroup package is at least libcgroup-0.41-x86_64-2_slack14.2

In /etc/cgconfig.conf:

group lxc { 
    perm {
        task {
            uid = rk4n3;
            gid = rk4n3;
        }
    admin {
          uid = rk4n3;
          gid = rk4n3;
      }
  }

  cpuset {
      cgroup.clone_children = 1;
      cpuset.mems = 0;
      cpuset.cpus = 0-3;
  }
  cpu {}
  cpuacct {}
  blkio {}
  memory { memory.use_hierarchy = 1; }
  devices {}
  freezer {}
  net_cls {}
  perf_event {}
  net_prio {}
}

In /etc/cgrules.conf:
```
rk4n3           *               lxc/
```

As root:

usermod --add-subuids 100000-165536 rk4n3
usermod --add-subgids 100000-165536 rk4n3

Start cgconfig (1st) and cgred (2nd) services, verify with: lscgroup

Re-Mapping Container UIDs & GIDs

Acquire uidmapshift.c and container-userns-convert from: nsexec tools

Build uidmapshift with:

gcc -o uidmapshift uidmapshift.c

Near the end of the container-userns-convert , around line 61, change the call to uidmapshift to be $PATHTOYOUR/uidmapshift, then make container-userns-convert executable. Perform the actual conversion with (as root):

./container-userns-convert yourcontainername 100000

In $HOME/.config/lxc/default.conf:

lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = DE:AD:BE:EF:xx:xx
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

In /etc/lxc/lxc-usernet:

rk4n3 veth br0 10

Extra Setup

lighttpd

Packages to install for lighttpd (preferred)
- php
Packages to install for lighttpd2 (experimental)
- lua
- colm
- kelbt
- ragel
- libev
- libunwind (optional: pass UNWIND=yes to lighttpd2 slackbuild)
- libiodbc
- libmcrypt
- libxml2
- cyrus-sasl
- enchant
- aspell
- aspell-en
- t1lib
- icu4c
- sqlite
- net-snmp
- libxslt
- libgcrypt
- libnl3
- libgpg-error
- lighttpd2

MySQL

Install the mysql package(s)
- Prerequisites in addition to template's packages: libaio and jemalloc

Minimal X Footprint

libXaw
libXft
libXmu
libXt
libX11
libXpm
libXau
libXdmcp
libxcb
libXrender
libXext
libXfont
libXcursor
libXfixes
xsetroot
xcursorgen
libSM
libICE
libXinerama
xauth
xdm
rgb
utempter
harfbuzz
freetype
fontconfig
dejavu-fonts-ttf
font-misc-misc
libsecret
libnotify
glibmm
xterm
twm

FreeSlack Template

Full text here ...

Full Package Set

flex
procmail
db48
sendmail-cf
sendmail
mailx
libffi
cyrus-sasl
less
libunistring
amanda
xz
which
wget
vim
util-linux
tar
sysvinit-scripts
sysvinit-functions
sysvinit
sysklogd
sudo
slackpkg
sharutils
shadow
sed
rsync
python
procps-ng
pkgtools
perl
openssl-solibs
openssh
network-scripts
net-tools
ncurses
mpfr
logrotate
iputils
gzip
grep
gnupg
glibc-solibs
gawk
findutils
eudev
etc
e2fsprogs
diffutils
dialog
dhcpcd
dcron
coreutils
bzip2
bin
bash
aaa_terminfo
aaa_elflibs
aaa_base

CentOS/RHEL Specifics

To see available templates: ls -alh /usr/share/lxc/templates/
See official CentOS topic for further detail

Table of Contents