最後更新: 2018-04-16
介紹
CentOS 7: the lxc packages are provided by the EPEL repository, so enable it first (`yum install epel-release`).
Install Package
# Install LXC from EPEL: the runtime, the container templates and lxc-extra.
yum install lxc-extra lxc lxc-templates
# lxc-ls is part of the lxc-extra package
# bridge-utils provides brctl, used below to create and inspect the host bridge.
yum install bridge-utils
Check & Start
# Verify the running kernel has the namespace/cgroup features LXC needs.
lxc-checkconfig
# Start the lxc service now and enable it for every boot.
systemctl start lxc.service
systemctl enable lxc.service
Checking
# The service should be active and the cgroup hierarchies mounted.
systemctl status lxc.service
mount | grep cgroup
Host System Setting
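# Enable IP forwarding so the host can route between the container bridge
# and its outside interface. Once this is on, the host is a router: the
# firewalld masquerade / forward-port rules below are what decide which
# traffic is actually allowed through, so set them before exposing anything.
# A drop-in under /etc/sysctl.d is idempotent - re-running this step does not
# keep appending duplicate lines to /etc/sysctl.conf.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-lxc-forward.conf
sysctl --system
# Checking: should print "net.ipv4.ip_forward = 1"
sysctl net.ipv4.ip_forward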
Host Bridge For VPS
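# Look up which host bridge new containers attach to by default.
cat /etc/lxc/default.conf
# Expected content (lxc 1.x key names): each container gets a veth pair
# whose host end is enslaved to the bridge named in lxc.network.link.
#   lxc.network.type = veth
#   lxc.network.link = virbr0
#   lxc.network.flags = up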
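# Create the host bridge. Its address (192.168.200.254) is the default
# gateway configured in the container network config below - keep the two in
# sync. NM_CONTROLLED=no keeps NetworkManager from managing the bridge.
# Note: this overwrites any existing ifcfg-virbr0.
cat > /etc/sysconfig/network-scripts/ifcfg-virbr0 <<'EOF'
ONBOOT=yes
DEVICE=virbr0
TYPE=Bridge
BOOTPROTO="static"
IPADDR=192.168.200.254
NETMASK=255.255.255.0
NETWORK=192.168.200.0
NM_CONTROLLED=no
IPV6INIT="no"
STP=off
DELAY=0
EOF
service network restart # Or "ifup virbr0"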
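# Checking: the bridge exists. It has no member interfaces yet - the
# container veth ends are added when containers start.
brctl show
# bridge name     bridge id               STP enabled     interfaces
# virbr0          8000.000000000000       no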
Firewall - Masquerade & Port Forward
Masquerade
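# Move the bridge into its own firewalld zone. A new interface lands in the
# default (public) zone; the container-facing bridge goes to "internal" and
# the uplink (ens192 here - substitute the real outside interface) stays in
# "public".
# Caveat: on a stock install the internal zone is more permissive than
# public (it opens ssh, mdns and some client services to whatever is on
# the bridge). Review it with `firewall-cmd --zone=internal --list-all`
# and tighten it if the containers are not fully trusted.
firewall-cmd --zone=public --remove-interface=virbr0 --permanent
firewall-cmd --zone=public --add-interface=ens192 --permanent
firewall-cmd --zone=internal --add-interface=virbr0 --permanent
# `firewall-cmd --reload` does not move an interface between zones; a full
# service restart is needed. Expect a short window with firewalld's rules
# flushed while it restarts (the default CleanupOnExit behaviour).
service firewalld restart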
Checking
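# Checking - use the documented (plural) option name; the singular form only
# works because firewall-cmd accepts unambiguous option prefixes.
# virbr0 should be listed under internal and the uplink under public.
firewall-cmd --get-active-zones
# internal
#   interfaces: virbr0
# public
#   interfaces: ens192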
# Enable masquerading (source NAT) on the outside zone so container traffic
# leaving via ens192 carries the host's address. firewalld also requires
# masquerading on the zone for the forward-port-to-address rule used below.
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --reload
Checking
# Checking: should print "yes"
firewall-cmd --zone=public --query-masquerade
Port Forward
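# Forward host port 2222/tcp to the container's sshd (192.168.200.11:22).
# This publishes the container's SSH to everything that can reach the public
# zone; if only known sources should reach it, use a rich rule with a
# source= restriction instead. Depends on masquerading being enabled on the
# zone (done above).
# The original was written as one line with a stray "\ " in it, which bash
# turns into an extra (space) argument; keep the continuation at line end.
firewall-cmd --zone=public --permanent \
  --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.200.11
# --permanent alone does not touch the running firewall; reload to apply.
firewall-cmd --reload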
LXC Data Storage
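# Put the template cache and the container root filesystems on a dedicated
# filesystem, bind-mounted over the paths LXC expects.
mkdir -p /mnt/lxc /mnt/lxc/cache /mnt/lxc/vps
# /etc/fstab entries (add once). Replace the UUID with the one `blkid`
# reports for your volume - the example value will not exist on another
# host. Order matters: /mnt/lxc must be mounted before the bind mounts.
cat >> /etc/fstab <<'EOF'
UUID="3fcc2a73-b8cd-4fc9-8d59-0fecdcdd7391" /mnt/lxc ext4 noatime 0 0
/mnt/lxc/cache /var/cache/lxc none bind 0 0
/mnt/lxc/vps /var/lib/lxc none bind 0 0
EOF
mount -a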
VPS Templates (建立 VPS)
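# Show the CentOS template's own options (these are passed to lxc-create
# after `--`).
/usr/share/lxc/templates/lxc-centos -h
# ...
# -R,--release   CentOS release for the new container.
# -a,--arch      Define what arch the container will be [i686,x86_64]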
位置
- Cache - /var/cache/lxc
- VPS - /var/lib/lxc
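# Create a container matching the host (same CentOS release and arch).
# Note: nothing in this setup configures an id map (lxc.id_map) and
# lxc-create runs as root, so these are privileged containers: uid 0 inside
# is uid 0 on the host and the rootfs under /var/lib/lxc is owned by host
# root. Treat container root as host root when deciding what to run in it.
lxc-create -n vm01 -t centos
# Create a CentOS 6 i386 container (about 351M on disk).
# This template does not install or enable an sshd service.
# The template help lists i686/x86_64; "-a i386" is what the author used -
# if the template rejects it, try "-a i686".
lxc-create -n test-centos6 -t centos -- -a i386 -R 6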
Config VPS Network
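# file: /var/lib/lxc/test-centos6/config
# (lxc.network.type / lxc.network.link are normally already present, copied
# from /etc/lxc/default.conf by lxc-create.)
lxc.network.flags = up
# Host-side name of the veth pair. Linux limits interface names to 15
# characters (IFNAMSIZ); the original 17-character "v-test-centos6-e0" is
# rejected when the pair is created, so a shorter name is used here.
lxc.network.veth.pair = v-tc6-e0
lxc.network.name = eth0
# Static address - this is what the firewalld forward-port rule targets.
# With a privileged container (as here) the guest can change its own
# address, so that rule trusts the container not to take another one's IP.
lxc.network.ipv4 = 192.168.200.11/24
# Must match the bridge address configured in ifcfg-virbr0.
lxc.network.ipv4.gateway = 192.168.200.254
# DNS cannot be set here - edit the container's own /etc/resolv.conf
# (under its rootfs/) instead.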
Resource Setting
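# file: /var/lib/lxc/test-centos6/config
# RAM = 512M (cgroup v1 memory controller)
lxc.cgroup.memory.limit_in_bytes = 512M
# RAM + SWAP = 1G. This only takes effect if the kernel accounts swap:
# if no memory.memsw.* files exist under /sys/fs/cgroup/memory/ the
# limit is ignored - confirm on the host before relying on it.
lxc.cgroup.memory.memsw.limit_in_bytes = 1G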
Container hooks environment variables
These variables are exported to the container's hook scripts (lxc.hook.*) so the hooks can locate the container, its config file and its root filesystem:
- LXC_NAME (-n)
- LXC_CONFIG_FILE (-f)
- LXC_ROOTFS_PATH (lxc.rootfs)
Inside a hook, refer to the mounted root filesystem as `${LXC_ROOTFS_MOUNT}` — this is where the rootfs is actually mounted when the hook runs, which is not necessarily the same path as LXC_ROOTFS_PATH (the raw lxc.rootfs value).
lxc.environment
For example:
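# Set SYSLOG_SERVER in the environment of the container's init.
lxc.environment = SYSLOG_SERVER=192.0.2.42
# With no "=value", the variable is inherited from the host environment
# (the one lxc-start runs with).
lxc.environment = PATH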
Centos7 Template
sys_admin
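# Running a CentOS 7 (systemd) guest on a CentOS 7 host: once CAP_SYS_ADMIN
# is dropped the guest no longer starts, because systemd needs it to mount
# its API filesystems (see the output below). So the entry below cannot be
# used for this guest - which also means a privileged systemd guest keeps
# CAP_SYS_ADMIN, one of the broadest capabilities; weigh that when deciding
# what to run in it.
# in the container config:
lxc.cap.drop = sys_admin
# start in the foreground to see the failure (-n as elsewhere on this page):
lxc-start -n centos7 -F
# Failed to mount tmpfs at /dev/shm: Operation not permitted
# Failed to mount tmpfs at /run: Operation not permitted
# Failed to mount tmpfs at /sys/fs/cgroup: Operation not permitted
# Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory
# [!!!!!!] Failed to mount API filesystems, freezing.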
setfcap
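# Dropping CAP_SETFCAP is workable, but then rpm cannot set file
# capabilities inside the container, so updating a package that ships
# them (httpd's suexec here) fails with the error below. Either accept
# that such packages cannot be updated from inside, or keep setfcap.
# in the container config:
lxc.cap.drop = setfcap
# inside the container:
yum update httpd
# error: unpacking of archive failed on file /usr/sbin/suexec;62fdabc8: cpio: cap_set_file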
Centos6 Template
# first time start vps
# Run it in the foreground once to watch the boot messages ...
lxc-start -n test-centos6
# ... then start it detached.
lxc-start -n test-centos6 -d
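# The template writes the initial root password, in plain text, to this
# file. Use it for the first login ...
cat /var/lib/lxc/test-centos6/tmp_root_pass
# ... then set your own. This runs the rootfs's own passwd binary as host
# root (only do it for a rootfs you trust), preferably while the container
# is stopped. Remove the plain-text copy afterwards.
chroot /var/lib/lxc/test-centos6/rootfs passwd
rm -f /var/lib/lxc/test-centos6/tmp_root_pass
# Attach to the container console (see the key hint below to detach).
lxc-console -n test-centos6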
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
# checking: list containers with state and addresses (lxc-ls comes from
# the lxc-extra package installed above)
lxc-ls -f