lxc:install_lxc [2021/01/03 15:51] peterlxc:install_lxc [2021/01/07 20:13] (current) peter
Line 8: Line 8:
  
 <code bash> <code bash>
-sudo apt-get install lxc+sudo apt install lxc 
 </code> </code>
  
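Review bot: `apt` prints a warning that it has no stable command-line interface when it is used from scripts, so the change from `sudo apt-get install lxc` to `sudo apt install lxc` at Line 8 is fine for the interactive session shown here but `apt-get` remains the safer spelling if readers are expected to paste these steps into provisioning scripts.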
Line 16: Line 16:
  
 ---- ----
 +
 +===== Install LXC Utils =====
 +
 +<code bash>
 +sudo apt install lxc-utils lxc-templates
 +</code>
 +
 +----
 +
  
 ===== Get Info ===== ===== Get Info =====
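Review bot: the new Install LXC Utils section does not say why `lxc-utils lxc-templates` are needed on top of the `lxc` package installed at Line 8; if `lxc-templates` is only there for the later `lxc-create -t download` step, check that it is actually required, since on recent Debian and Ubuntu releases the `download` template ships with the `lxc` package itself and `lxc-templates` holds the legacy per-distribution templates. One sentence stating what each package contributes would make the step self-explanatory.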
Line 32: Line 41:
 ---- ----
  
-===== Permissions =====+===== Configure LXD =====
  
-Unprivileged containers are the safest containers.+Before you can create an instance, you need to configure LXD.
  
-Those use a map of uid and gid to allocate range of uids and gids to a container.+<code bash> 
 +lxd init 
 +</code> 
 + 
 +<WRAP info> 
 +**NOTE:**  This will prompt for how to configure it.  Just take the defaults for now. 
 + 
 +  * Would you like to use LXD clustering? (yes/no) [default=no]:  
 +  * Do you want to configure new storage pool? (yes/no) [default=yes]:  
 +  * Name of the new storage pool [default=default]:  
 +  * Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]:  
 +  * Create new BTRFS pool? (yes/no) [default=yes]:  
 +  * Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]:  
 +  * Size in GB of the new loop device (1GB minimum) [default=30GB]:  
 +  * Would you like to connect to a MAAS server? (yes/no) [default=no]:  
 +  * Would you like to create a new local network bridge? (yes/no) [default=yes]:  
 +  * What should the new bridge be called? [default=lxdbr0]:  
 +  * What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:  
 +  * What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:  
 +  * Would you like LXD to be available over the network? (yes/no) [default=no]:  
 +  * Would you like stale cached images to be updated automatically? (yes/no) [default=yes]  
 +  * Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:  
 + 
 +</WRAP> 
 + 
 +---- 
 + 
 +===== Create ~/.config/lxc ===== 
 + 
 +<code bash> 
 +mkdir ~/.config/lxc 
 +</code> 
 + 
 +---- 
 + 
 +===== Create ~/.config/lxc/default.conf ===== 
 + 
 +<file bash ~/.config/lxc/default.conf> 
 +lxc.include = /etc/lxc/default.conf 
 +lxc.idmap = u 0 100000 65536 
 +lxc.idmap = g 0 100000 65536 
 +</file> 
 + 
 +---- 
 + 
 +===== Test ===== 
 + 
 +<code bash> 
 +lxc-create -t download -n test 
 +</code> 
 + 
 +<WRAP info> 
 +**NOTE:**  The **download** option is used to display a list of all available images, allowing one to be selected. 
 +</WRAP> 
 + 
 + 
 +<WRAP info> 
 +**NOTE:**  An error may be seen: 
 + 
 +<code bash> 
 +Setting up the GPG keyring 
 +ERROR: Unable to fetch GPG key from keyserver 
 +lxc-create: test: lxccontainer.c: create_run_template: 1626 Failed to create container from template 
 +lxc-create: test: tools/lxc_create.c: main: 319 Failed to create container test 
 +</code> 
 + 
 +Try using the following: 
 + 
 +<code bash> 
 +lxc-create -t download -n test -- --keyserver hkp://p80.pool.sks-keyservers.net:80 
 +</code> 
 + 
 +or 
 + 
 +<code bash> 
 +lxc-create -n test -t download -- --no-validate 
 +</code> 
 + 
 +</WRAP> 
 + 
 +returns: 
 + 
 +<code bash> 
 +Setting up the GPG keyring 
 +Downloading the image index 
 + 
 +--- 
 +DIST RELEASE ARCH VARIANT BUILD 
 +--- 
 +alpine 3.10 amd64 default 20210103_13:00 
 +alpine 3.10 arm64 default 20210103_13:00 
 +alpine 3.10 armhf default 20210103_13:00 
 +alpine 3.10 i386 default 20210103_13:00 
 +... 
 +centos 8 amd64 default 20210103_07:41 
 +centos 8 arm64 default 20210103_07:08 
 +centos 8 ppc64el default 20210103_07:08 
 +debian bullseye amd64 default 20210103_05:24 
 +debian bullseye arm64 default 20210103_05:24 
 +... 
 +ubuntu trusty arm64 default 20210103_07:42 
 +ubuntu trusty armhf default 20210103_07:42 
 +ubuntu trusty i386 default 20210103_07:42 
 +ubuntu trusty ppc64el default 20210103_07:42 
 +ubuntu xenial amd64 default 20210103_07:42 
 +ubuntu xenial arm64 default 20210103_07:43 
 +ubuntu xenial armhf default 20210103_07:43 
 +... 
 +</code> 
 + 
 +---- 
 + 
 +==== Select which image to use ==== 
 + 
 +In this example the following is chosen: 
 + 
 +  * Distribution:  **ubuntu**. 
 +  * Release:  **xenial**. 
 +  * Architecture:  **amd64**. 
 + 
 + 
 +<code bash> 
 +Distribution:  
 +ubuntu 
 +Release:  
 +xenial 
 +Architecture:  
 +amd64 
 + 
 +Downloading the image index 
 +Downloading the rootfs 
 +Downloading the metadata 
 +The image cache is now ready 
 +Unpacking the rootfs 
 + 
 +--- 
 + 
 +You just created an Ubuntu xenial amd64 (20210103_07:42) container. 
 + 
 +To enable SSH, run: apt install openssh-server 
 +No default root or user password are set by LXC. 
 +</code> 
 + 
 + 
 +---- 
 + 
 +==== Check the container status ==== 
 + 
 +<code bash> 
 +lxc-info -n test 
 +</code> 
 + 
 +returns: 
 + 
 +<code bash> 
 +Name:           test 
 +State:          STOPPED 
 +</code> 
 + 
 +---- 
 + 
 +==== Start the Container ==== 
 + 
 +<code bash> 
 +lxc-start -n test 
 +</code> 
 + 
 +<WRAP info> 
 +**NOTE:**  The following error may be seen: 
 + 
 +<code bash> 
 +lxc-start: test: lxccontainer.c: wait_on_daemonized_start: 851 Received container state "ABORTING" instead of "RUNNING" 
 +lxc-start: test: tools/lxc_start.c: main: 308 The container failed to start 
 +lxc-start: test: tools/lxc_start.c: main: 311 To get more details, run the container in foreground mode 
 +lxc-start: test: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options 
 +</code> 
 + 
 +By default, unprivileged users are not allowed to create any network device on the host.  To fix: 
 + 
 +<file bash /etc/lxc/lxc-usernet> 
 +peter veth lxcbr0 10 
 +</file> 
 + 
 +<WRAP info> 
 +**NOTE:**  This means that peter is allowed to create up to 10 veth devices connected to the lxcbr0 bridge. 
 +</WRAP> 
 + 
 + 
 +</WRAP> 
 + 
 +---- 
 + 
 +==== Check the container status again ==== 
 + 
 +<code bash> 
 +lxc-info -n test 
 +</code> 
 + 
 +returns: 
 + 
 +<code bash> 
 +Name:           test 
 +State:          RUNNING 
 +PID:            793414 
 +IP:             10.0.3.101 
 +Link:           veth1000_qkOr 
 + TX bytes:      1.96 KiB 
 + RX bytes:      11.54 KiB 
 + Total bytes:   13.49 KiB 
 +</code> 
 + 
 +<WRAP info> 
 +**NOTE:**  This shows it is running. 
 +</WRAP> 
 + 
 +---- 
 + 
 +==== Get a Shell inside the Container ==== 
 + 
 +<code bash> 
 +lxc-attach -n test 
 +</code> 
 + 
 +<WRAP info> 
 +**NOTE:**  Enter **exit** to exit the Container Shell, back to the host. 
 +</WRAP> 
 + 
 + 
 +---- 
 + 
 +==== Stop the Test Container ==== 
 + 
 +<code bash> 
 +lxc-stop -n test 
 +</code> 
 + 
 +---- 
 + 
 +==== Remove the Test Container ==== 
 + 
 +<code bash> 
 +lxc-destroy -n test 
 +</code> 
 + 
 +----
  
-That means that uid 0 (root) in the container is actually something like uid 100000 outside the container.+===== References =====
  
-So should something go very wrong and an attacker manages to escape the container, they'll find themselves with about as many rights as a nobody user.+https://linuxcontainers.org/lxd/docs/master/
  
 +https://linuxcontainers.org/lxd/getting-started-cli/
  
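Review bot: the `--no-validate` fallback in the Test section (`lxc-create -n test -t download -- --no-validate`) disables GPG verification of the downloaded image index and rootfs, so the note should say that it trades integrity checking for convenience, belongs only on a throwaway container, and should be tried only after the `--keyserver` alternative fails. Two further points in the same hunk: the Configure LXD section (`lxd init`, bridge `lxdbr0`) configures the LXD daemon, while every later command (`lxc-create`, `lxc-start`, `lxc-attach`) is classic LXC and the `/etc/lxc/lxc-usernet` line `peter veth lxcbr0 10` grants veth devices on `lxcbr0`, not `lxdbr0`, so either the LXD section is unrelated to this walkthrough or the bridge name needs reconciling; and the `~/.config/lxc/default.conf` mappings (`lxc.idmap = u 0 100000 65536`, `lxc.idmap = g 0 100000 65536`) only work when matching `peter:100000:65536` ranges exist in `/etc/subuid` and `/etc/subgid`, which the removed Permissions text explained (uid 0 in the container becomes uid 100000 on the host) but the new text never states; keep that explanation next to the idmap file rather than dropping it.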
lxc/install_lxc.1609689095.txt.gz · Last modified: 2021/01/03 15:51 by peter
