LXC - Rocky 8

Last updated: 2020-07-10

Introduction

The LXC version that ships with Rocky 8 is 3.0

Contents

  • Setting up the LXC Hypervisor

Setting up the LXC Hypervisor


[0] System Tools

dnf install rsyslog -y

systemctl enable rsyslog --now

[1] Basic Tools

dnf install epel-release -y

dnf install screen vim curl wget tcpdump net-tools -y

echo "vbell off" > ~/.screenrc; echo "set bg=dark" > ~/.vimrc

[2] lxc package & service

dnf install lxc lxc-templates lxcfs -y      # On EPEL

systemctl enable lxc.service --now

systemctl enable lxcfs --now

Notes

After installing lxcfs, a config file is created: /usr/share/lxc/config/common.conf.d/lxcfs.conf

Containers pick it up automatically through lxc.include = /usr/share/lxc/config/common.conf.d/

[3] Networking

nmcli con add type bridge ifname lxcbr0      # NetworkManager names the new connection bridge-lxcbr0; it is renamed below

nmcli con mod bridge-lxcbr0 connection.id lxcbr0

nmcli con mod lxcbr0 connection.interface-name lxcbr0

nmcli con mod lxcbr0 bridge.stp no

nmcli con mod lxcbr0 connection.zone internal

nmcli con mod lxcbr0 ipv4.method manual ipv4.addr "192.168.200.254/24"

nmcli con mod lxcbr0 ipv6.method disabled

nmcli con up lxcbr0

Checking

nmcli conn show

NAME         UUID                                  TYPE      DEVICE
System eth0  dcfcf8b4-1b71-4a7a-9725-b5a3dd1e37af  ethernet  eth0
lxcbr0       68c38d8d-c3a4-4c10-93ff-4004a21c0830  bridge    lxcbr0

[4] Giving containers Internet access

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p -q

cat /proc/sys/net/ipv4/ip_forward

firewall-cmd --get-active-zone    # lxcbr0 was already placed in the internal zone via nmcli

internal
  interfaces: lxcbr0
public
  interfaces: eth0

firewall-cmd --zone=public --add-masquerade --permanent

# Remove the default services from the internal zone

firewall-cmd --zone=internal --permanent --remove-service={cockpit,dhcpv6-client,mdns,samba-client,ssh}

# The host runs dnsmasq as a DNS cache for the containers

firewall-cmd --zone=internal --permanent --add-service=dns

firewall-cmd --reload
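The forwarding and zone settings above are the two things that silently break container Internet access when they drift (a sysctl.conf not reloaded after a reboot, or the bridge landing in the wrong zone). The following check script is an added example, not part of the original page: its checks are pure parsing of `ip_forward` and of `firewall-cmd --get-active-zone` output, so they can be run against the live files on the host or against captured output. The file paths passed in and the `lxc_net_check` / `zone_of_iface` names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: verify the host side of the
# container network (IP forwarding on, bridge in the internal zone).

# Print the firewalld zone that contains interface $1. Expects the output of
# `firewall-cmd --get-active-zone` on stdin: zone names are unindented,
# followed by an indented "interfaces: ..." line.
zone_of_iface() {
    awk -v want="$1" '
        /^[^[:space:]]/ { zone = $1; next }
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# $1 = ip_forward sysctl file, $2 = file holding active-zone output,
# $3 = bridge name. Prints each problem found and returns non-zero if any.
lxc_net_check() {
    rc=0
    if [ "$(cat "$1")" != "1" ]; then
        echo "net.ipv4.ip_forward is not 1: containers cannot reach the Internet"
        rc=1
    fi
    zone=$(zone_of_iface "$3" < "$2")
    if [ "$zone" != "internal" ]; then
        echo "$3 is in zone '${zone:-none}', expected internal"
        rc=1
    fi
    return $rc
}

# Live use on the host (not run here): feed the real files in.
# firewall-cmd --get-active-zone > /tmp/zones.txt
# lxc_net_check /proc/sys/net/ipv4/ip_forward /tmp/zones.txt lxcbr0
# firewall-cmd --zone=public --query-masquerade   # should print "yes"
```

The masquerade check is left as a direct `firewall-cmd --query-masquerade` call because there is nothing to parse: the command prints `yes` or `no` and exits accordingly.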

[5] Shortcut

ln -s /var/lib/lxc /lxc

Help


man lxc.container.conf

lxc.hook


lxc.hook.mount

A hook to be run in the container's namespace after mounting has been done, but before the pivot_root.

lxc.hook.pre-start

A hook to be run in the host's namespace before the container ttys, consoles, or mounts are up.

lxc.hook.start

A hook to be run in the container's namespace immediately before executing the container's init.

 * Environment variables are supported
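As an added example of a hook that uses those environment variables (this script is not from the page or the LXC project), here is a pre-start hook that logs each start to syslog, which step [0] enabled, and refuses to start a container whose config sets no lxc.seccomp.profile. The install path, the policy enforced and the `config_has_seccomp` / `run_hook` names are assumptions of this example; the variable names LXC_NAME, LXC_HOOK_TYPE and LXC_CONFIG_FILE are the ones lxc.container.conf documents for hook version 1.

```shell
#!/bin/sh
# Added example hook, not from the page. Reference it from a container
# config (path is an assumption) as:
#   lxc.hook.version = 1
#   lxc.hook.pre-start = /lxc/hooks/pre-start.sh
# With hook version 1 LXC passes details in environment variables; with the
# default version 0 they arrive as positional arguments:
# $1 = container name, $2 = section ("lxc"), $3 = hook type.
name=${LXC_NAME:-$1}
hook=${LXC_HOOK_TYPE:-$3}
cfg=${LXC_CONFIG_FILE:-/var/lib/lxc/$name/config}

# True if config file $1 sets a seccomp profile (commented lines do not count).
config_has_seccomp() {
    grep -Eq '^[[:space:]]*lxc\.seccomp\.profile[[:space:]]*=' "$1"
}

# Hook body: a non-zero exit from a pre-start hook aborts the container start.
run_hook() {
    logger -t lxc-hook "name=$name hook=$hook config=$cfg"
    if ! config_has_seccomp "$cfg"; then
        logger -t lxc-hook "refusing to start $name: no lxc.seccomp.profile in $cfg"
        return 1
    fi
    return 0
}

# Only act when LXC actually invoked us (hook type known from env or argv).
[ -n "$hook" ] && run_hook
```

Because the hook runs in the host's namespace before any container mounts are up, it is the right place for checks that must not depend on anything inside the rootfs.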

ringbuffer for console logging


This in-memory buffer is size-limited and can be queried through a new function in the LXC API.

It can be reset at any time and can be dumped to disk on container shutdown.

lxc.console.buffer.size

Setting this option instructs LXC to allocate an in-memory ringbuffer.

The keyword auto will cause LXC to allocate a ringbuffer of 128kB.

(must be at least as big as a standard page size (4kB))

lxc.console.size

Setting this option instructs LXC to place a limit on the size of the console log file specified in lxc.console.logfile

If users want to mirror the console ringbuffer on disk they should set lxc.console.size equal to lxc.console.buffer.size.

lxc.console.rotate

Whether to rotate the console logfile specified in lxc.console.logfile.
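To tie the three options together, here is an added example (not from the page) of a small helper that emits the console settings for a container config, keeping lxc.console.size equal to lxc.console.buffer.size as the text above advises, and rejecting a buffer size below the page size, which is the edge case the 4kB note is about. It accepts either the keyword auto or a plain byte count; the log path and the `console_opts` name are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: print lxc.console.* lines for a container
# config, with the ring buffer mirrored to disk at the same size.

# $1 = buffer size in bytes or "auto", $2 = console log file path.
# Prints four config lines, or returns 1 if the size is invalid/too small.
console_opts() {
    size=$1
    logfile=$2
    pagesize=$(getconf PAGESIZE 2>/dev/null || echo 4096)
    if [ "$size" != "auto" ]; then
        case "$size" in
            ''|*[!0-9]*)
                echo "size must be an integer number of bytes or 'auto'" >&2
                return 1 ;;
        esac
        # LXC requires the ring buffer to be at least one page.
        if [ "$size" -lt "$pagesize" ]; then
            echo "buffer size $size is below the page size $pagesize" >&2
            return 1
        fi
    fi
    printf 'lxc.console.buffer.size = %s\n' "$size"
    printf 'lxc.console.size = %s\n' "$size"    # same value: on-disk mirror of the ring buffer
    printf 'lxc.console.logfile = %s\n' "$logfile"
    printf 'lxc.console.rotate = 1\n'
}

# Usage (not run here), appending to a container config:
# console_opts auto /lxc/myvps/console.log >> /lxc/myvps/config
```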

seccomp


lxc.seccomp.profile

Specify a file containing the seccomp configuration to load before the container starts.

Version 1

the policy is a simple allowlist: each listed syscall number is allowlisted, while every unlisted number is denylisted for use in the container

Version 2

the policy may be denylist or allowlist, supports per-rule and per-policy default actions
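As an added example (not from the page) of the version-2 format described above, the helper below writes a denylist profile and checks the two header lines that decide how LXC parses the file. The syscall list is the one in LXC's own common.seccomp (module loading, kexec and open_by_handle_at, each returning errno 1, EPERM); the file paths and the function names are assumptions. The keyword on line 2 is passed as a parameter because LXC 3.x, the version this page covers, only understands the older spelling "blacklist".

```shell
#!/bin/sh
# Added example, not from the page: write and sanity-check a version-2
# seccomp policy for lxc.seccomp.profile.

# $1 = output file, $2 = policy keyword (default "denylist"; use "blacklist"
# for LXC 3.x, which predates the allowlist/denylist spellings).
write_seccomp_profile() {
    policy=${2:-denylist}
    cat > "$1" <<EOF
2
$policy
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
EOF
}

# Header check: line 1 must be "2", line 2 must name the policy kind
# (optionally followed by a default action). Returns 1 and says why if not.
seccomp_profile_ok() {
    ver=$(sed -n '1p' "$1")
    pol=$(sed -n '2p' "$1" | cut -d' ' -f1)
    if [ "$ver" != "2" ]; then
        echo "$1: first line must be '2' for a version-2 policy" >&2
        return 1
    fi
    case "$pol" in
        allowlist|denylist|whitelist|blacklist) return 0 ;;
        *) echo "$1: second line must name the policy kind" >&2; return 1 ;;
    esac
}

# Usage (not run here): write the profile and reference it from the container.
# write_seccomp_profile /lxc/myvps/seccomp.policy blacklist
# echo 'lxc.seccomp.profile = /lxc/myvps/seccomp.policy' >> /lxc/myvps/config
```

A denylist keeps the container usable while removing the handful of calls an unprivileged workload never needs; an allowlist is stricter but has to be built per workload.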

Renamed settings


memory

lxc.cgroup.memory.limit_in_bytes = 2048M
lxc.cgroup.memory.memsw.limit_in_bytes = 2048M

pts & tty

# old name: lxc.pts
lxc.pty.max = 16

# old name: lxc.tty
lxc.tty.max = 4

Hostname

lxc.uts.name = myhostname

Network

lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0

# NIC name as seen inside the container
lxc.net.0.name = eth0

# NIC name as seen on the host
lxc.net.0.veth.pair = VPS_NAME

# Address
lxc.net.0.hwaddr = 4a:49:43:49:79:bf
lxc.net.0.ipv4.address = 10.2.3.5/24
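The renames above are mechanical, so they can be applied with sed. The script below is an added example, not from the page; LXC ships its own lxc-update-config for the same job and that is what to run on a real config. This version covers only the keys shown on this page plus lxc.rootfs and lxc.mount, assumes a single-interface config (the old un-indexed lxc.network.* keys are mapped to interface 0), and its name and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: rewrite pre-2.1 LXC config key names into
# the current spellings. Single-interface configs only.

# $1 = old-style config file; the rewritten config goes to stdout.
migrate_lxc_config() {
    sed -E \
        -e 's/^lxc\.pts[[:space:]]*=/lxc.pty.max =/' \
        -e 's/^lxc\.tty[[:space:]]*=/lxc.tty.max =/' \
        -e 's/^lxc\.utsname[[:space:]]*=/lxc.uts.name =/' \
        -e 's/^lxc\.rootfs[[:space:]]*=/lxc.rootfs.path =/' \
        -e 's/^lxc\.mount[[:space:]]*=/lxc.mount.fstab =/' \
        -e 's/^lxc\.network\.([0-9]+)\./lxc.net.\1./' \
        -e 's/^lxc\.network\./lxc.net.0./' \
        -e 's/^(lxc\.net\.[0-9]+\.ipv[46])[[:space:]]*=/\1.address =/' \
        "$1"
}

# Usage (not run here): write the converted file and review the diff first.
# migrate_lxc_config /lxc/myvps/config > /lxc/myvps/config.new
# diff /lxc/myvps/config /lxc/myvps/config.new
```

The anchored patterns only match a key followed directly by `=`, so already-converted keys such as lxc.tty.max or lxc.mount.entry pass through untouched, which makes the script safe to re-run.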

lxc-config


# list all available configuration items

lxc-config -l

lxc.default_config
lxc.lxcpath
lxc.bdev.lvm.vg
lxc.bdev.lvm.thin_pool
lxc.bdev.zfs.root
lxc.cgroup.use
lxc.cgroup.pattern

# Set (in the system-wide LXC configuration, /etc/lxc/lxc.conf)

lxc.bdev.zfs.root = lxc

# Get

lxc-config lxc.default_config

/etc/lxc/default.conf

lxc.cgroup.use

Comma separated list of cgroup controllers to setup.
If none is specified, all available controllers will be used.

lxc.cgroup.pattern

Format string used to generate the cgroup path (e.g. lxc/%n).