[lxc-users] Advice for running LXC on a Debian host

Fajar A. Nugraha list at fajar.net
Mon Mar 16 00:01:15 UTC 2015 

On Mon, Mar 16, 2015 at 3:24 AM, Rory Campbell-Lange
<rory at campbell-lange.net> wrote:
> Thanks very much for the advice, Mark, Fajar and Xavier.
>
> I'm going to try on Debian testing (Jessie) and see if that works
> acceptably.
>
> If not we will have to try another containerisation/vm solution as we
> wish to stick with Debian.

My next suggestion is to determine your priorities, since every
possible solution has a tradeoff.

kvm is probably the most-supported vm solution on debian, but it has
higher overhead compared to containers

openvz has been around long, but to get all of its features on debian
you'd need a special kernel from openvz. And it doesn't support jessie
yet, only wheezy.

privileged container with lxc and without apparmor is easy-enough to
install on jessie (a simple apt-get install), but pretty much allows
container root to mess up the host. Plus it has some known bugs. That
could still be acceptable if you use lxc only for resource separation
and control the containers yourself.

lxc-1.0.7 (from debian experimental, contains known bugfix for 1.0.x)
can be rebuilt on jessie. You can use it to create root-owned
unprivileged containers (involves some manual config not covered
here), which provides some level of additional security and isolation
(even without apparmor) since now container root is just another
normal non-root user on the host side. This might be your best option
for containers under jessie.

One last note: on my test with jessie and lxc 1.0.7, you'd also need
to manually create the bridge, enable ipv4 forwarding, as well as
iptables rules (masq, udp checksum fix rule). All of which are
autocreated on ubuntu.



# cat /var/lib/lxc/w2/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d debian -r wheezy -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Distribution configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 100000 100000
lxc.id_map = g 0 100000 100000
lxc.rootfs = /var/lib/lxc/w2/rootfs
lxc.utsname = w2

# Network configuration
lxc.network.type = veth
lxc.network.link = br0
lxc.network.hwaddr = 00:16:3e:00:01:01



# cat /etc/debian_version
8.0

# dpkg -l|grep lxc
ii  lxc                                 1:1.0.7-1
amd64        Linux Containers userspace tools

# lxc-ls -f --running
NAME  STATE    IPV4             IPV6  AUTOSTART
-----------------------------------------------
w2    RUNNING  192.168.125.142  -     NO

# lxc-attach -n w2 -- cat /etc/debian_version
7.8

# lxc-attach -n w2 -- cat /proc/1/uid_map
         0     100000     100000

# lxc-info -p -n w2
PID:            17610

# ps -ef | grep 17610
100000   17610 17601  0 06:24 ?        00:00:00 init [3]
100000   19279 17610  0 06:25 pts/2    00:00:00 /sbin/getty 38400 tty1 linux
100000   19280 17610  0 06:25 pts/3    00:00:00 /sbin/getty 38400 tty2 linux
100000   19281 17610  0 06:25 pts/4    00:00:00 /sbin/getty 38400 tty3 linux
100000   19282 17610  0 06:25 pts/5    00:00:00 /sbin/getty 38400 tty4 linux
100000   19328 17610  0 06:26 ?        00:00:00 dhclient -v -pf
/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
100000   19344 17610  0 06:28 pts/6    00:00:00 /bin/login --
root     20128 19430  0 06:51 pts/1    00:00:00 grep 17610

-- 
Fajar

More information about the lxc-users mailing list