Last updated: 2020-07-10
Preface
The LXC version that ships with Rocky 8 is 3.0
Contents
- Setting up the LXC hypervisor
Setting up the LXC hypervisor
[0] System Tools
dnf install rsyslog -y
systemctl enable rsyslog --now
[1] Basic Tools
dnf install epel-release -y
dnf install screen vim curl wget tcpdump net-tools -y
echo "vbell off" > ~/.screenrc; echo "set bg=dark" > ~/.vimrc
[2] lxc package & service
dnf install lxc lxc-templates lxcfs -y # On EPEL
systemctl enable lxc.service --now
systemctl enable lxcfs --now
Notes
Installing lxcfs adds a config file: /usr/share/lxc/config/common.conf.d/lxcfs.conf
Containers pick it up automatically through lxc.include = /usr/share/lxc/config/common.conf.d/
[3] Networking
nmcli con add type bridge ifname lxcbr0   # NetworkManager names the new connection bridge-lxcbr0; renamed below
nmcli con mod bridge-lxcbr0 connection.id lxcbr0
nmcli con mod lxcbr0 connection.interface-name lxcbr0
nmcli con mod lxcbr0 bridge.stp no
nmcli con mod lxcbr0 connection.zone internal
nmcli con mod lxcbr0 ipv4.method manual ipv4.addr "192.168.200.254/24"
nmcli con mod lxcbr0 ipv6.method disabled
nmcli con up lxcbr0
Checking
nmcli conn show
NAME         UUID                                  TYPE      DEVICE
System eth0  dcfcf8b4-1b71-4a7a-9725-b5a3dd1e37af  ethernet  eth0
lxcbr0       68c38d8d-c3a4-4c10-93ff-4004a21c0830  bridge    lxcbr0
[4] Giving containers Internet access
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p -q
cat /proc/sys/net/ipv4/ip_forward
firewall-cmd --get-active-zones # lxcbr0 was already placed in the internal zone by nmcli above
internal
  interfaces: lxcbr0
public
  interfaces: eth0
firewall-cmd --zone=public --add-masquerade --permanent
# remove the default services from the internal zone
firewall-cmd --zone=internal --permanent --remove-service={cockpit,dhcpv6-client,mdns,samba-client,ssh}
# the host runs dnsmasq as a DNS cache for the containers
firewall-cmd --zone=internal --permanent --add-service=dns
firewall-cmd --reload
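A sanity check for the host side of steps [3] and [4], added here as an example (not part of the original notes). It assumes the names used on this page: lxcbr0 is the internal bridge and eth0 the public uplink; the file name host-check.sh is an assumption. The parsing helper works on captured `firewall-cmd --get-active-zones` output, so it can be exercised without firewalld, while check_host runs the live commands.

```shell
#!/bin/sh
# Added example, not from the page: verify the host networking set up in [3] and [4].
# Assumed names (as on this page): lxcbr0 = internal bridge, eth0 = public uplink.

# Print the firewalld zone that holds interface $1. Reads `firewall-cmd --get-active-zones`
# output from stdin: a zone name on its own line, then an indented "interfaces: ..." line.
zone_of_iface() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1 }
        /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }
    '
}

# Exit 0 only when forwarding is on, both interfaces sit in the expected zones, masquerading
# is enabled on the public zone and dns is the only host service exposed to the containers.
check_host() {
    rc=0
    zones=$(firewall-cmd --get-active-zones)
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || { echo "FAIL: net.ipv4.ip_forward is 0" >&2; rc=1; }
    [ "$(printf '%s\n' "$zones" | zone_of_iface lxcbr0)" = internal ] \
        || { echo "FAIL: lxcbr0 is not in zone internal" >&2; rc=1; }
    [ "$(printf '%s\n' "$zones" | zone_of_iface eth0)" = public ] \
        || { echo "FAIL: eth0 is not in zone public" >&2; rc=1; }
    firewall-cmd --zone=public --query-masquerade >/dev/null 2>&1 \
        || { echo "FAIL: masquerade is off in zone public" >&2; rc=1; }
    [ "$(firewall-cmd --zone=internal --list-services)" = dns ] \
        || { echo "FAIL: zone internal exposes more than dns to the containers" >&2; rc=1; }
    return $rc
}

# Run the live check only when asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = check ]; then
    check_host
fi
```

Run it as `sh host-check.sh check` after `firewall-cmd --reload`; every FAIL line names the step above that needs repeating.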
[5] Shortcut
ln -s /var/lib/lxc /lxc
Help
man lxc.container.conf
lxc.hook
lxc.hook.mount
A hook to be run in the container's namespace after mounting has been done, but before the pivot_root.
lxc.hook.pre-start
A hook to be run in the host's namespace before the container ttys, consoles, or mounts are up.
lxc.hook.start
A hook to be run in the container's namespace immediately before executing the container's init.
* environment variables are supported (hooks receive the container name, config file and rootfs mount point through them)
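The three hook points above in practice, as an added example that is not from the original notes: one script registered as both the pre-start and the mount hook. LXC invokes every hook with three arguments (container name, the section "lxc", and the hook type) and exports LXC_NAME, LXC_CONFIG_FILE and, for mount hooks, LXC_ROOTFS_MOUNT. The install path /usr/local/sbin/lxc-hooks.sh and the marker file /etc/lxc-host-info are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: one script serving as pre-start and mount hook.
# Register it in the container config (path is an assumption):
#   lxc.hook.pre-start = /usr/local/sbin/lxc-hooks.sh
#   lxc.hook.mount     = /usr/local/sbin/lxc-hooks.sh

# pre-start runs on the host before any part of the container is set up; a non-zero
# exit aborts the start. Here: refuse to start a container whose config names no
# readable lxc.seccomp.profile, so no container runs without a syscall filter.
hook_pre_start() {
    cfg="${LXC_CONFIG_FILE:?LXC_CONFIG_FILE is not set}"
    profile=$(sed -n 's/^[[:space:]]*lxc\.seccomp\.profile[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    if [ -z "$profile" ]; then
        echo "pre-start: ${LXC_NAME:-?}: no lxc.seccomp.profile in $cfg, refusing to start" >&2
        return 1
    fi
    if [ ! -r "$profile" ]; then
        echo "pre-start: ${LXC_NAME:-?}: seccomp profile $profile is not readable" >&2
        return 1
    fi
    return 0
}

# mount runs in the container's mount namespace after the rootfs is mounted at
# $LXC_ROOTFS_MOUNT but before pivot_root, so anything written there lands inside
# the container. Here: record which host started the container and when.
hook_mount() {
    root="${LXC_ROOTFS_MOUNT:?LXC_ROOTFS_MOUNT is not set}"
    mkdir -p "$root/etc"
    printf 'container=%s\nhost=%s\nstarted=%s\n' \
        "${LXC_NAME:-?}" "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        > "$root/etc/lxc-host-info"
}

# Dispatch on the hook type LXC passes as the third argument (LXC_HOOK_TYPE carries
# the same value). Only dispatch when LXC invoked us, i.e. when LXC_NAME is set.
if [ -n "${LXC_NAME:-}" ]; then
    case "${3:-${LXC_HOOK_TYPE:-}}" in
        pre-start) hook_pre_start ;;
        mount)     hook_mount ;;
        *)         echo "lxc-hooks: unhandled hook type '${3:-}'" >&2; exit 1 ;;
    esac
fi
```

Because pre-start runs in the host's namespace, the check reads the host-side config path; the mount hook, by contrast, must only touch paths under $LXC_ROOTFS_MOUNT.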
ringbuffer for console logging
This in-memory buffer is size-limited and can be queried through a new function in the LXC API.
It can be reset at any time and can be dumped to disk on container shutdown.
lxc.console.buffer.size
Setting this option instructs LXC to allocate an in-memory ringbuffer.
The keyword auto will cause LXC to allocate a ringbuffer of 128kB.
(must be at least as big as a standard page size (4kB))
lxc.console.size
Setting this option instructs LXC to place a limit on the size of the console log file specified in lxc.console.logfile.
If users want to mirror the console ringbuffer on disk they should set lxc.console.size equal to lxc.console.buffer.size.
lxc.console.rotate
Whether to rotate the console logfile specified in lxc.console.logfile.
seccomp
lxc.seccomp.profile
Specify a file containing the seccomp configuration to load before the container starts.
Version 1
the policy is a simple allowlist
Version 2
the policy may be denylist or allowlist, and supports per-rule and per-policy default actions
In an allowlist policy each listed syscall number is allowlisted, while every unlisted number is denylisted for use in the container
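A version 2 profile in the denylist form, added here as an example rather than taken from the notes. The LXC 3.0 parser expects the older keywords blacklist/whitelist on the second line (newer releases also accept denylist/allowlist); "errno 1" makes the call fail with EPERM instead of killing the process. The first five rules are the ones LXC ships in common.seccomp; the last three are extra denials added as an assumption about a workload that never needs them. Reference it from the container config with lxc.seccomp.profile = /var/lib/lxc/web1/seccomp.profile (web1 is an assumed container name).

```text
2
blacklist
# block umount -f inside the container (shipped default, keep it)
reject_force_umount
[all]
# loading kernel modules or a replacement kernel never belongs in a container
kexec_load errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
# open_by_handle_at can reach files outside the rootfs; deny it
open_by_handle_at errno 1
# added hardening beyond the shipped profile: kernel attack surface the workload does not use
bpf errno 1
perf_event_open errno 1
userfaultfd errno 1
```

In a denylist everything not listed stays allowed, so the file can only grow as needs are found; switching to whitelist inverts that default and then every syscall the container needs has to be listed.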
Renamed settings
memory
lxc.cgroup.memory.limit_in_bytes = 2048M
lxc.cgroup.memory.memsw.limit_in_bytes = 2048M
pts & tty
# old name: lxc.pts
lxc.pty.max = 16
# old name: lxc.tty
lxc.tty.max = 4
Hostname
lxc.uts.name = myhostname
Network
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
# NIC name as seen inside the container
lxc.net.0.name = eth0
# NIC name as seen on the host
lxc.net.0.veth.pair = VPS_NAME
# Address
lxc.net.0.hwaddr = 4a:49:43:49:79:bf
lxc.net.0.ipv4.address = 10.2.3.5/24
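The renamed keys above, the console ringbuffer settings and a seccomp profile combined into one container config, as an added example that is not from the notes. It attaches the container to the lxcbr0 bridge from [3] with a static address in that subnet and the bridge address as gateway; the container name web1, its address, MAC, log path and profile path are constructed values. The lxc.cgroup.* keys assume the cgroup v1 hierarchy that Rocky 8 uses by default.

```text
# /var/lib/lxc/web1/config (web1 is an assumed container name)
lxc.include = /usr/share/lxc/config/common.conf
lxc.uts.name = web1
lxc.rootfs.path = dir:/var/lib/lxc/web1/rootfs

# network: on the lxcbr0 bridge created in [3], static address, host bridge as gateway
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = lxcbr0
lxc.net.0.name = eth0
lxc.net.0.veth.pair = web1
lxc.net.0.hwaddr = 00:16:3e:20:0a:10
lxc.net.0.ipv4.address = 192.168.200.10/24
lxc.net.0.ipv4.gateway = 192.168.200.254

# resource limits, using the new key names
lxc.cgroup.memory.limit_in_bytes = 2048M
lxc.cgroup.memory.memsw.limit_in_bytes = 2048M
lxc.pty.max = 16
lxc.tty.max = 4

# console: 128kB in-memory ringbuffer mirrored to a size-limited, rotated log file
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = /var/log/lxc/web1-console.log
lxc.console.rotate = 1

# syscall filter loaded before init runs
lxc.seccomp.profile = /var/lib/lxc/web1/seccomp.profile
```

Setting lxc.console.size equal to lxc.console.buffer.size is what the man page calls mirroring the ringbuffer on disk: the log file then holds the same window of console output that the in-memory buffer does, which is the window available for inspection after the container stops.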
lxc-config
# list all available configuration items
lxc-config -l
lxc.default_config
lxc.lxcpath
lxc.bdev.lvm.vg
lxc.bdev.lvm.thin_pool
lxc.bdev.zfs.root
lxc.cgroup.use
lxc.cgroup.pattern
# Set (system-wide, in /etc/lxc/lxc.conf)
lxc.bdev.zfs.root = lxc
# Get
lxc-config lxc.default_config
/etc/lxc/default.conf
lxc.cgroup.use
Comma separated list of cgroup controllers to setup.
If none is specified, all available controllers will be used.
lxc.cgroup.pattern
Format string used to generate the cgroup path (e.g. lxc/%n).