<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, May 29, 2017 at 2:56 PM, Rick Leir <span dir="ltr"><<a href="mailto:rleir@leirtech.com" target="_blank">rleir@leirtech.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><div><div class="gmail-h5"><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br>
</div>
<div>IMHO the easiest way to use lxc is with lxd. Unofficial
packages exist (at least they did in the past) for fedora,
but the easiest way to get started with lxd is on ubuntu
(a live trial is available on <a href="https://linuxcontainers.org/lxd/try-it/" target="_blank">https://linuxcontainers.org/lxd/try-it/</a>).</div>
</div>
</div>
</div>
</blockquote></div></div>
Fajar,<br>
I did consider using LXD, but it did not seem to have significant
benefits compared with LXC so I went with the tried-and-true. The
welcome page could have a better comparison of LXD vs plain LXC, and
I could have been persuaded! </div></blockquote><div><br></div><div><br></div><div>Which welcome page?</div><div><a href="https://linuxcontainers.org/">https://linuxcontainers.org/</a> should list some of them already. <br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">Oh, and I use Fedora for my servers
for various reasons which might only matter to me. And Ubuntu on my
desktops and Chromebook.</div></blockquote><div><br></div><div><br></div><div>It all comes down to what you're comfortable with, and what the devs are using.</div><div>Most lxc1 features should be consistent across all distros. However when it comes to new features, or things lxd-related (like zfs integration), it should be easier (as a user) to work on ubuntu.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><span class="gmail-"><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Libvirt has its own lxc driver (<a href="http://libvirt.org/drvlxc.html" target="_blank">http://libvirt.org/drvlxc.html</a>),
and you manage it using 'virsh'. lxc1 has its own userland
tools (e.g. lxc-create), and by default should include an
init script which creates lxcbr0 (with its appropriate NAT
rules). The wiki link you mentioned mixes both, using
libvirt ONLY for the bridge, while using lxc1 userland
tools to manage the container. IMHO not an ideal setup.</div>
<div><br>
</div>
<div>Another thing, the page says 'debootstrap is necessary
in order to build Debian-based containers'. That is true
if you want to build a debian/ubuntu container from
scratch, but for most users the 'download' template should
be enough (and MUCH faster to create) and it doesn't need
debootstrap/dpkg installed on the host.</div>
</div>
</div>
</div>
</blockquote></span>
I used 'debootstrap', for a debian container, but I might have used
'download' if I knew more about it. For a person choosing an option
without more info, a fair guess would be 'use download if no other
choice is an option'. How could the cli communicate this better? Now
I have tried 'download', it is the old cli which I am used to.<br>
<br></div></blockquote><div><br></div><div><br></div><div><a href="https://linuxcontainers.org/lxc/getting-started/">https://linuxcontainers.org/lxc/getting-started/</a> does list "-t download" as its only example. And around halfway:<br></div><div><br></div><div>"</div><div><div>Creating unprivileged containers as a user</div><div>Unprivileged containers are the safest containers.</div><div>Those use a map of uid and gid to allocate a range of uids and gids to a container.</div><div>That means that uid 0 (root) in the container is actually something like uid 100000</div><div>outside the container. So should something go very wrong and an attacker manages</div><div>to escape the container, they'll find themselves with about as many rights as a nobody user.</div><div><br></div><div>Unfortunately this also means that the following common operations aren't allowed:</div><div><br></div><div>mounting most of filesystems</div><div>creating device nodes</div><div>any operation against a uid/gid outside of the mapped set</div><div>Because of that, most distribution templates simply won't work with those.</div><div>Instead you should use the "download" template which will provide you with pre-built images</div><div>of the distributions that are known to work in such an environment.</div></div><div>"</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
My, the debian containers are basic.<br>
# ls -al<br>
bash: ls: command not found<br>
<br></div></blockquote><div><br></div><div>Something's wrong with your setup. I just tested both debian and download template (jessie/amd64, privileged), both can run "ls" just fine.</div><div><br></div><div>-- </div><div>Fajar</div></div></div></div>