Slackware notes for lxc containers
----------------------------------

If you want to try lxc containers you have to decide which kind of
networking you want for them. A couple of example choices are:

- a network bridge on your network interface, with the containers in
  the same network segment as the host;
- a network bridge on a dummy interface used as gateway with NAT: the
  containers will be in a private network segment but they will still
  be optionally accessible via port redirections.

If you want to offer services and you have plenty of ips to use (like
in a home network), the first solution is probably easier, as you don't
have to use iptables to redirect incoming connections to the private
network of the containers. Keep in mind, though, that bridged containers
sit on the same L2 segment as the host and the rest of your LAN, so
whatever runs in them is directly reachable from every machine on it.

Assumptions (for the sake of the examples): the network interface of
the host is eth0, its ip is 192.168.1.5 and we are in a 192.168.1.0/24
class C network with 192.168.1.1 as our gateway.

- containers on the same network segment as the host

We have to put the interface down because we are going to add it to the
bridge, so if you are doing this through an ssh connection, I suggest
you run this as a script in a screen session, to avoid being cut off

  /sbin/ifconfig eth0 down
  /sbin/brctl addbr br0
  /sbin/brctl setfd br0 0
  /sbin/ifconfig br0 192.168.1.5 netmask 255.255.255.0 promisc up
  /sbin/brctl addif br0 eth0
  /sbin/ifconfig eth0 0.0.0.0 up
  /sbin/route add default gw 192.168.1.1
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp

for this setup we will use a configuration file for the container like

  lxc.net.0.type = veth
  lxc.net.0.flags = up
  lxc.net.0.link = br0
  lxc.net.0.hwaddr = 00:ee:ee:bb:22:cc
  lxc.net.0.ipv4.address = 192.168.1.10/24
  lxc.net.0.ipv4.gateway = 192.168.1.1
  lxc.net.0.name = eth0

- containers on a natted private network

In this case the script to bring up the private network could be
something like

  /sbin/brctl addbr br0
  /sbin/brctl setfd br0 0
  /sbin/ifconfig br0 192.168.111.1 netmask 255.255.255.0 promisc up
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
  /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  # example of redirection: port 80 of the host to the container below
  /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.111.10:80

Note that redirected packets still pass through the FORWARD chain of the
filter table: if you set its policy to DROP you also have to ACCEPT the
traffic towards the container there, or the DNAT rule will look like it
does nothing.

for this setup we will use a configuration file for the container like

  lxc.net.0.type = veth
  lxc.net.0.flags = up
  lxc.net.0.link = br0
  lxc.net.0.hwaddr = 00:ee:ee:bb:22:cc
  lxc.net.0.ipv4.address = 192.168.111.10/24
  lxc.net.0.ipv4.gateway = 192.168.111.1
  lxc.net.0.name = eth0

The hwaddr above is only an example: every container attached to the
same bridge needs its own unique MAC address (pick a locally
administered one, i.e. with the second lowest bit of the first octet
set, like 02:xx:xx:xx:xx:xx), otherwise the bridge will see duplicate
addresses and traffic will end up on the wrong container.

In either case the script that brings up the network can be called from
/etc/rc.d/rc.local: note that you should execute these network scripts
before trying to start your containers.

To create your first container use one of the two configuration files,
according to your network choice, then issue this command

  MIRROR=http://192.168.1.2 lxc-create -n example -f example.conf -t slackware

Short description of the variables supported by the Slackware template:

- "arch" defaults to the host's one. The template supports
  slackware{,64,arm} but this option makes sense only specifying
  arch=i586 on a x86_64 host to install a 32 bit container (the only
  case possible/tested ATM);
- "release" defaults to "current" (and it's tested with that: the
  minimal packages slackware template most probably won't work with
  other releases);
- TEMPLATE defaults to "minimal-lxc" but you can also use other
  templates, provided that you have them available in
  /etc/slackpkg/templates/;
- MIRROR defaults to "http://ftp.slackware.com/pub/slackware" and
  points to a slackpkg mirror, the main tree, without the
  /slackware{,64}-$release/ at the end: using a closer mirror is
  recommended;
- "example.conf" is the configuration file for the container
  (described in the two examples above);
- "example" is the name of the container;
- slackware is the linux flavour of the container.
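Both network setups above end with a hand-written lxc.net.0.* block, and both reuse the same hwaddr. The script below is an added example, not part of these notes nor of the Slackware lxc template: it derives a unique, locally administered MAC address from the container name, validates the address in CIDR form, prints the block for the file passed to lxc-create -f, and checks that the bridge created by the network script is really up before you run lxc-start. The function names are made up for this example; the only host-side assumption is that a Linux bridge shows up as /sys/class/net/<name>/bridge.

```shell
#!/bin/sh
# Added example (not part of the original notes): helpers to generate the
# lxc.net.0.* block of a container config and to check, before lxc-start,
# that the bridge and the ip forwarding set up by the network script are
# in place. All function names here are made up for this example.

# Deterministic, locally administered, unicast MAC derived from the
# container name: the first octet 02 has the "locally administered" bit
# set and the multicast bit clear, the other five octets come from a
# sha256 of the name, so containers with different names on the same
# bridge never share a hwaddr.
gen_hwaddr() {
    h=$(printf '%s' "$1" | sha256sum | cut -c1-10)
    printf '%s\n' "$h" | sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\)$/02:\1:\2:\3:\4:\5/'
}

# Accept only a.b.c.d/n with every octet in 0-255 and prefix in 0-32,
# which is the form lxc.net.0.ipv4.address expects.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        $5 !~ /^[0-9]+$/ || $5 > 32 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print the network section of a container config for one of the two
# setups in the notes: container name, bridge, address (CIDR), gateway.
# Usage: net_config example br0 192.168.111.10/24 192.168.111.1 > example.conf
net_config() {
    name=$1 bridge=$2 addr=$3 gw=$4
    valid_cidr "$addr" || { echo "bad address: $addr" >&2; return 1; }
    printf 'lxc.net.0.type = veth\n'
    printf 'lxc.net.0.flags = up\n'
    printf 'lxc.net.0.link = %s\n' "$bridge"
    printf 'lxc.net.0.hwaddr = %s\n' "$(gen_hwaddr "$name")"
    printf 'lxc.net.0.ipv4.address = %s\n' "$addr"
    printf 'lxc.net.0.ipv4.gateway = %s\n' "$gw"
    printf 'lxc.net.0.name = eth0\n'
}

# Read back the bridge a container config attaches to (lxc.net.0.link),
# so the check below can be run against any existing config file.
config_bridge() {
    sed -n 's/^[[:space:]]*lxc\.net\.0\.link[[:space:]]*=[[:space:]]*//p' "$1"
}

# Host-side check to run before lxc-start: the bridge exists (a Linux
# bridge has a "bridge" directory under /sys/class/net/<name>) and
# ip forwarding is enabled. Returns 0 when ready, 1 with a message.
bridge_ready() {
    br=$1
    if [ ! -d "/sys/class/net/$br/bridge" ]; then
        echo "bridge $br does not exist: run the network script first" >&2
        return 1
    fi
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != 1 ]; then
        echo "ip_forward is off: run the network script first" >&2
        return 1
    fi
    return 0
}

# Typical use before starting a container:
#   bridge_ready "$(config_bridge /var/lib/lxc/example/config)" && lxc-start -n example
```

The generated hwaddr is stable across runs, so regenerating a config for the same container name never changes its MAC (and therefore never surprises a DHCP server or a switch's MAC table); renaming a container gives it a new one.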
Then edit /var/lib/lxc/example/rootfs/etc/rc.d/rc.inet1.conf and
/var/lib/lxc/example/rootfs/etc/resolv.conf, the network configuration
files in the container filesystem, with its network settings
(IPADDRS[0], GATEWAY and nameserver).

After having done that you can start the container (in background, by
default) with

  lxc-start -n example

Then you can connect to it through the network via ssh (you have to
edit /etc/ssh/sshd_config in the container's rootfs to allow root login
before starting the container: prefer "PermitRootLogin prohibit-password"
plus your public key in the container's /root/.ssh/authorized_keys over
"PermitRootLogin yes", which also enables password logins for root) or
via lxc-console

  lxc-console -n example

Autostarting containers
-----------------------

If you want your containers to autostart at boot add this line to your
containers config (/var/lib/lxc/${container}/config)

  lxc.start.auto = 1

then add this block to /etc/rc.d/rc.local

  # Start the lxc containers
  if [ -x /etc/rc.d/rc.lxc ]; then
    /etc/rc.d/rc.lxc start
  fi

and this other to /etc/rc.d/rc.local_shutdown

  # Stop the lxc containers
  if [ -x /etc/rc.d/rc.lxc ]; then
    /etc/rc.d/rc.lxc stop
  fi

Remember that the network script from the previous section has to be
called in rc.local before this block, otherwise the containers will be
started while their bridge does not exist yet.

LXCFS support
-------------

If you have the lxcfs filesystem available, your containers can be
configured to behave more like virtual machines: lxcfs exports
container-aware versions of some /proc files (cpuinfo, meminfo, uptime
and so on), computed from the container's cgroup limits instead of the
host's real values, and you have to bind mount them in the containers
over the corresponding /proc entries, modifying their config files.
First check if the lxcfs filesystem is mounted

  # grep lxcfs /proc/mounts
  lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0

then edit the config file of the container
(/var/lib/lxc/${container}/config) commenting the automount of the proc,
sys and cgroup lines (here the default entry is shown)

  # lxc.mount.auto = proc:mixed sys:ro cgroup:mixed

and add these new configuration entries just below it (the first, empty
lxc.mount.auto clears the default automount list, the second one sets
the new one; the proc entries then mount a fresh proc and bind the lxcfs
files over the single entries we want virtualized)

  lxc.mount.auto =
  lxc.mount.auto = cgroup:rw:force sys:rw
  lxc.mount.entry = proc proc proc rw,remount,nodev,nosuid,noexec,relatime,hidepid=2 0 0
  lxc.mount.entry = proc/sys proc/sys proc ro,bind,relative 0 0
  lxc.mount.entry = proc/sys/net proc/sys/net proc rw,bind,relative 0 0
  lxc.mount.entry = proc/sysrq-trigger proc/sysrq-trigger proc ro,bind,relative 0 0
  lxc.mount.entry = /var/lib/lxcfs/proc/cpuinfo proc/cpuinfo none bind,optional 0 0
  lxc.mount.entry = /var/lib/lxcfs/proc/diskstats proc/diskstats none bind,optional 0 0
  lxc.mount.entry = /var/lib/lxcfs/proc/meminfo proc/meminfo none bind,optional 0 0
  lxc.mount.entry = /var/lib/lxcfs/proc/stat proc/stat none bind,optional 0 0
  lxc.mount.entry = /var/lib/lxcfs/proc/swaps proc/swaps none bind,optional 0 0
  lxc.mount.entry = /var/lib/lxcfs/proc/uptime proc/uptime none bind,optional 0 0

this way, for example, the uptime command will output the uptime of the
container and not the one of the host.

Two things to keep in mind: the "optional" flag means that if lxcfs is
not mounted, or is mounted somewhere else than /var/lib/lxcfs, those
entries are silently skipped and the container keeps seeing the host's
values, so check the output of uptime inside the container after
starting it; and "sys:rw" gives a privileged container a writable
sysfs, which is the host's one, so keep the default sys:ro unless
something in the container really needs to write there.

(notes by Matteo Bernardini)
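Because of the "optional" flag discussed in the LXCFS section, a typo in the mount point or a missing lxcfs file does not make lxc-start fail, it just leaves the host's /proc values in place. The script below is an added example, not part of these notes nor of lxcfs or lxc: it reads the lxcfs mount point from /proc/mounts instead of hard-coding /var/lib/lxcfs, verifies that every file we bind mount actually exists there, prints the matching lxc.mount.entry lines, and, run inside a started container, counts how many /proc entries are really backed by lxcfs. The function names and the optional "mounts file" parameter (there so the functions can be exercised on a constructed file instead of the live /proc/mounts) are made up for this example.

```shell
#!/bin/sh
# Added example (not part of the original notes): check the lxcfs side of
# the configuration instead of trusting the "optional" bind mounts.
# Function names and the mounts-file parameter are made up for this example.

# The lxcfs-provided files the notes bind mount over the container's /proc.
LXCFS_PROC_FILES="cpuinfo diskstats meminfo stat swaps uptime"

# Print the mount point of the fuse.lxcfs filesystem listed in the given
# mounts file (default: the live /proc/mounts). Empty output and status 1
# when lxcfs is not mounted at all.
lxcfs_mountpoint() {
    mounts=${1:-/proc/mounts}
    mp=$(awk '$3 == "fuse.lxcfs" { print $2; exit }' "$mounts")
    [ -n "$mp" ] || return 1
    printf '%s\n' "$mp"
}

# Verify that each expected file exists under <mountpoint>/proc. With the
# "optional" flag a missing file would not stop the container: it would
# silently keep the host's view, which is exactly what we want to catch.
lxcfs_check_files() {
    mp=$1 missing=0
    for f in $LXCFS_PROC_FILES; do
        if [ ! -e "$mp/proc/$f" ]; then
            echo "missing: $mp/proc/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Emit the lxc.mount.entry lines for the real mount point, so the config
# keeps working if lxcfs is mounted somewhere other than /var/lib/lxcfs.
lxcfs_mount_entries() {
    mp=$1
    for f in $LXCFS_PROC_FILES; do
        printf 'lxc.mount.entry = %s/proc/%s proc/%s none bind,optional 0 0\n' "$mp" "$f" "$f"
    done
}

# Post-start check, to run inside the container (e.g. through
# lxc-attach): count the /proc entries whose filesystem type is
# fuse.lxcfs in the container's own mounts file. With the six entries
# above in place and lxcfs working, this prints 6; 0 means the bind
# mounts were skipped and uptime & co. still show the host's values.
lxcfs_mounted_in_container() {
    awk '$3 == "fuse.lxcfs" && $2 ~ /^\/proc\// { n++ } END { print n + 0 }' "${1:-/proc/mounts}"
}

# Typical host-side use, before editing the container config:
#   mp=$(lxcfs_mountpoint) && lxcfs_check_files "$mp" && lxcfs_mount_entries "$mp"
```

Run the first three functions on the host while writing the config, and the last one inside the container after lxc-start: if it does not report the expected number of entries, uptime is still the host's and the "optional" mounts silently failed.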