This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
docs:lxc [2013-11-19 22:47] glen [Vserver comparision] |
docs:lxc [2013-12-09 15:33] glen load iptables from hook |
||
---|---|---|---|
Line 24: | Line 24: | ||
Build the guest container. | Build the guest container. | ||
+ | |||
==== Bare minimum, no template ==== | ==== Bare minimum, no template ==== | ||
Line 62: | Line 63: | ||
!!! WARNING: pld template for LXC is yet to be written !!! | !!! WARNING: pld template for LXC is yet to be written !!! | ||
+ | ===== Common problems / Useful tricks ===== | ||
+ | |||
+ | ==== lxc-stop is not graceful ==== | ||
+ | |||
+ | Currently ''lxc-stop -n test'' sends ''SIGPWR'' to init inside container, but ''rc-scripts'' fails to shutdown things properly (shutdown scripts are not invoked). For workaround, stop services manually before issueing ''lxc-stop'' or run ''poweroff''/''halt''/''reboot'' from container. | ||
+ | |||
+ | Details: In process table is only this process runrning, no further actions from ''rc-scripts'': | ||
+ | <file> | ||
+ | /sbin/shutdown -f -h +2 Power Failure; System Shutting Down | ||
+ | </file> | ||
+ | |||
+ | ==== loginuid ==== | ||
+ | |||
+ | having ''audit_control'' dropped: | ||
+ | <file config config> | ||
+ | lxc.cap.drop = audit_control | ||
+ | </file> | ||
+ | |||
+ | ''pam_loginuid.so'' does not allow ''sshd'' to login: | ||
+ | <file> | ||
+ | Nov 24 16:02:10 test sshd[2694]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session | ||
+ | </file> | ||
+ | |||
+ | You can either [[http://kb.parallels.com/en/112597|workaround]] to disable ''pam_loginuid.so'' in the authentication rules: | ||
+ | <file> | ||
+ | # sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/* | ||
+ | </file> | ||
+ | |||
+ | Or just **do not** drop the capability. | ||
===== Vserver comparision ===== | ===== Vserver comparision ===== | ||
Line 68: | Line 98: | ||
Also, unfortunately ''/proc/PID/root'' points to ''/'' for LXC guests as well, so ''rc-scripts'' ''filter_chroot()'' can't differentiate between host and guest processes. | Also, unfortunately ''/proc/PID/root'' points to ''/'' for LXC guests as well, so ''rc-scripts'' ''filter_chroot()'' can't differentiate between host and guest processes. | ||
- | Also, ''dmesg(1)'' in guest sees hosts dmesg. | + | Also, ''dmesg(1)'' in guest sees hosts' dmesg by default, you can turn this off by setting ''kernel.dmesg_restrict=1'' sysctl param, available since ''2.6.37'' kernel. |
**Commands:** | **Commands:** | ||
Line 86: | Line 117: | ||
- you can't filter it from host's firewall | - you can't filter it from host's firewall | ||
- you HAVE to set mac. If not - on every container start you'll have different one (your router will not pass the traffic). | - you HAVE to set mac. If not - on every container start you'll have different one (your router will not pass the traffic). | ||
+ | - iptables is initialized from lxc.hook.pre-mount hook (ran in the container's namespace and having macvlan interface visible) | ||
- | first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. | ||
- | also you may use some generation techniques like these (assuming the ip is ''192.168.2.160''): | + | first boot with ''hwaddr'' line disabled, look what the random address was assigned, set it in config. |
+ | also you may use some generation techniques like these: using last three ip numbers and [[http://xenbits.xen.org/docs/4.3-testing/misc/xl-network-configuration.html|Xen's OUI (00:16:3e)]] address space. If IP is ''192.168.2.160'', then: | ||
<code bash> | <code bash> | ||
- | $ printf "02:00:%x:%x:%x:%x" 192 168 2 160 | + | $ printf "00:16:3e:%x:%x:%x" 168 2 160 |
- | 02:00:c0:a8:2:a0 | + | 00:16:3e:a8:2:a0 |
</code> | </code> | ||
Line 105: | Line 137: | ||
lxc.network.ipv4 = 192.168.2.160/23 | lxc.network.ipv4 = 192.168.2.160/23 | ||
lxc.network.ipv4.gateway = 192.168.2.1 | lxc.network.ipv4.gateway = 192.168.2.1 | ||
+ | |||
+ | lxc.hook.pre-mount = /sbin/service iptables start | ||
+ | lxc.cap.drop = net_admin | ||
</file> | </file> |