[Lxc-users] New LXC Creation Script: lxc-ubuntu-x

Fri Sep 30 01:05:58 UTC 2011

      Hello,
     I have just published a new Open Source LXC container creation 
script, called lxc-ubuntu-x.  It implements all the latest "best 
practices" I found on the web, and introduces some new features.  I am 
using this script in a production environment, and I invite you to check 
it out:

http://derek.simkowiak.net/lxc-ubuntu-x/

     It currently generates Ubuntu or Debian containers.

     I created this because the scripts and tutorials I found on the web 
all had shortcomings of one form or another.  For example, many blogs 
recommend mounting filesystems within the container's init (which does 
not allow for a shared read-only mount, because root can simply remount 
it).  So, this script uses an external fstab file.  Also:

- It creates a random MAC address with a high vendor address, to 
workaround Launchpad bug #58404
- It generates new (unique) SSH host keys and SSL certificates for each 
new container
- It applies all necessary dev, mtab, and init script fixes, including 
booting containers with Upstart
- It is fully non-interactive; it allows for automatic generation of 
containers. (Getting this to work was surprisingly difficult!)
- It restricts container "capabilities" as much as possible by default
- It creates a default user, sets his password, installs any SSH 
"authorized_keys" file you want, and adds him to the sudo admin group.

     It also introduces two new features: hooks, and templates.

     The "hooks" are scripts that allow you to customize specific stages 
of the LXC container creation.  For example, there is a 
"configure_network" hook that you could use to grab an IP address out of 
a database.  There is a "configure_software" hook that you could use to 
apt-get install other software packages.  The other two hooks are 
"configure_lxc", which creates the .conf file, and "configure_fstab", 
which sets up mountpoints (including read-only, shared mountpoints).  
So, if you want to customize the deployment of your LXC containers, you 
only have to edit the right hook, instead of wading through hundreds of 
lines of other setup code.

     The second feature, "templates", is the one I am most proud of.  It 
allows you to use any other LXC container (or tarball) as a template.  
So, instead of doing a full debootstrap for every new container, this 
script will untar your template, and then apply template-specific 
configuration hooks (to generate new certs, add a user, apply security 
updates, etc.).  If the template tarball does not already exist, it is 
created automatically.  I have deployed new LXC containers to the 
network in about 3 seconds using this feature.

     The script lxc-ubuntu-x currently ships with a "default" template 
that is just a minimal Ubuntu with OpenSSH, and a "lamp" template that 
has a full LAMP environment, perfect for web development.  But the 
template system could easily support other templates: Samba servers, 
DHCP or DNS servers, OpenVPN servers, WordPress installs, etc.  In the 
future my script may include extra templates like those.  Note that 
there is no dependence on the existence of any .tgz files -- they are 
simply created as high-speed caches.  (Untarring a .tgz is much faster 
than waiting for debootstrap.)

     I gathered together all of the best practices information I could 
find from blogs and this list, and incorporated it into this script.  
I'd like to thank everyone who has shared information to the web, and 
especially thank phbaer, whose "lxc-ubuntu" script was my inspiration.  
I will be actively maintaining this script for the foreseeable future, 
so feel free to try it out and submit any bug reports or code fixes.


Thank You,
Derek Simkowiak


References:
   http://www.ibm.com/developerworks/linux/library/l-lxc-containers/
   http://blog.system42.net/2010/05/18/ubuntu-1004-lxc-container-script/
   https://github.com/phbaer/lxc-tools/blob/master/lxc-ubuntu
   http://blog.bodhizazen.net/linux/lxc-configure-ubuntu-lucid-containers/
   http://blog.henyo.com/2011/01/lxclinux-containers-on-ubuntu-1004.html
   (...plus various forum postings and mailing list archives)