LXC 3

Last updated: 2020-07-10

Introduction

CentOS 8 ships with LXC 3.0


Installation

# On CentOS 8 (the lxc package shipped with CentOS 8 is version 3.0)

dnf install lxc lxcfs lxc-templates

lxc-checkconfig

lxc-start --version

3.0.4

Setting

systemctl enable lxc

Template - local

Download

link="https://us.images.linuxcontainers.org/images"

os="centos/7/amd64/default"

date="20200707_07:08"               # updated daily

wget $link/$os/$date/rootfs.tar.xz

wget $link/$os/$date/meta.tar.xz

wget $link/$os/$date/SHA256SUMS

sha256sum --ignore-missing -c SHA256SUMS

rootfs.tar.xz: OK
meta.tar.xz: OK

Usage

This one consumes images, which one can create with distrobuilder, as I now see.

The ones you create with e.g. distrobuilder build-lxc /usr/share/distrobuilder/centos (which creates meta.tar.xz and rootfs.tar.xz).

distrobuilder build-lxc /usr/share/distrobuilder/centos

lxc-create c1 -t local -- --metadata meta.tar.xz --fstree rootfs.tar.xz

lxc.hook

lxc.hook.mount

A hook to be run in the container's namespace after mounting has been done, but before the pivot_root.

lxc.hook.pre-start

A hook to be run in the host's namespace before the container ttys, consoles, or mounts are up.

lxc.hook.start

A hook to be run in the container's namespace immediately before executing the container's init.

 * Environment variables are supported

ringbuffer for console logging

This in-memory buffer is size-limited and can be queried through a new function in the LXC API.

It can be reset at any time and can be dumped to disk on container shutdown.

lxc.console.buffer.size

Setting this option instructs LXC to allocate an in-memory ringbuffer.

The keyword auto will cause LXC to allocate a ringbuffer of 128kB.

(It must be at least as large as a standard page size, 4kB.)

lxc.console.size

Setting this option instructs LXC to place a limit on the size of the console log file specified in lxc.console.logfile.

If users want to mirror the console ringbuffer on disk they should set lxc.console.size equal to lxc.console.buffer.size.

lxc.console.rotate

Whether to rotate the console logfile specified in lxc.console.logfile.

seccomp

lxc.seccomp.profile

Specify a file containing the seccomp configuration to load before the container starts.

Version 1

The policy is a simple allowlist.

Version 2

The policy may be a denylist or an allowlist, and it supports per-rule and per-policy default actions.

Each "syscall number" is allowlisted, while every unlisted number is denylisted for use in the container.
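An added example, not from the original page, that ties the seccomp section and the console ringbuffer section together: a POSIX shell script that writes a version-2 denylist policy in the file format LXC 3.0 reads, plus the container config lines that load it and mirror the console ringbuffer to disk. The output directory, the container name c1, the chosen rules and the log path are assumptions; the 3.0 series spells the list type blacklist/whitelist (the denylist/allowlist wording above comes from newer docs), and nothing is started here.

```shell
#!/bin/sh
# Added example (not from the page): build an LXC 3.0 seccomp v2 denylist
# policy and the matching container.conf lines. Paths are assumptions.
set -eu

# Policy format: line 1 = version, line 2 = list type plus the policy default
# action for listed rules that carry no action of their own; unlisted syscalls
# are allowed in a blacklist. Per-architecture sections ([all], [x86_64]) follow.
write_policy() {
    cat > "$1" <<'EOF'
2
blacklist errno 1
reject_force_umount  # umount -f could detach host-side mounts from the container
[all]
# no action given: the policy default above applies (errno 1, EPERM)
kexec_load
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
[x86_64]
# per-rule action overriding the policy default
kexec_file_load kill
EOF
}

# Container config: load the policy, keep a 128kB ringbuffer (auto) and mirror
# it to the logfile by giving lxc.console.size the same value.
write_conf() {
    cat > "$1" <<EOF
lxc.seccomp.profile = $2
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = $3
lxc.console.rotate = 1
EOF
}

# Header check mirroring what LXC requires: "2", then blacklist/whitelist.
check_header() {
    [ "$(sed -n 1p "$1")" = "2" ] || return 1
    case "$(sed -n 2p "$1")" in blacklist*|whitelist*) return 0 ;; esac
    return 1
}

# Rule lines after the header (reject_force_umount included); blank lines,
# comments and [arch] section markers are not rules.
count_rules() {
    tail -n +3 "$1" | grep -vE '^[[:space:]]*(#|\[|$)' | wc -l | tr -d ' '
}

OUT="${1:-$(mktemp -d)}"   # assumed: /var/lib/lxc/c1 on a real host
write_policy "$OUT/seccomp.policy"
write_conf "$OUT/config" "$OUT/seccomp.policy" "$OUT/console.log"
check_header "$OUT/seccomp.policy" && echo "policy ok: $(count_rules "$OUT/seccomp.policy") rules written under $OUT"
```

On a real host the generated lines are appended to /var/lib/lxc/c1/config (path assumed) and take effect on the next lxc-start.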