Creating unprivileged containers.
author Oleksandr Gavenko <gavenkoa@gmail.com>
Tue, 29 Jan 2019 01:41:18 +0200
changeset 2348 fbfaded9734e
parent 2347 26666adc0987
child 2349 d750ee7ed18f
Creating unprivileged containers.
lxc.rst
--- a/lxc.rst	Tue Jan 29 01:01:06 2019 +0200
+++ b/lxc.rst	Tue Jan 29 01:41:18 2019 +0200
@@ -60,6 +60,17 @@
   $ sudo service lxc-net start
   $ sudo systemctl restart lxc-net.service
 
+Project file layout
+===================
+
+* ``/usr/share/lxc/templates`` is list of templates.
+* ``/var/cache/lxc`` is cache for downloaded images.
+
+* ``~/.local/share/lxc`` container storage.
+* ``~/.config/lxc`` container configs.
+* ``~/.cache/lxc`` is cache for unprivileged downloded images.
+* ``~/.local/share/lxcsnaps`` is storage for unprivileged snapshots.
+
 Create new container in LXC
 ===========================
 
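Review bot: the new "Project file layout" list omits ``/var/lib/lxc``, the default storage for privileged containers, even though the rest of this file refers to it (``/var/lib/lxc/$NAME/rootfs/...`` and the ``ln -s /opt/lxc/$NAME /var/lib/lxc/$NAME`` example); add a bullet for it next to ``/usr/share/lxc/templates`` so the two halves of the list (system-wide vs. per-user) mirror each other. Also fix the typo "downloded" in the ``~/.cache/lxc`` bullet and make the grammar consistent across bullets (the ``~/.local/share/lxc`` and ``~/.config/lxc`` lines drop the "is" the others use, and "is list of templates" should read "is the list of templates").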
@@ -136,12 +147,43 @@
 
   $ echo nameserver 8.8.8.8 | sudo tee /var/lib/lxc/$NAME/rootfs/etc/resolv.conf
 
+Creating unpriviliged containers
+================================
+
+Check if user has assigned ids for namespaces::
+
+  $ cat /etc/subuid
+  vagrant:100000:65536
+  $ cat /etc/subgid
+  vagrant:100000:65536
+
+If not assign ranges with::
+
+  sudo usermod -v 100000-165536 -w 100000-165536  vagrant
+
+or::
+
+  sudo usermod -add-subuids 100000-165536  vagrant
+  sudo usermod -add-subgids 100000-165536  vagrant
+
+Create local config::
+
+  mkdir -p ~/.config/lxc
+  cat <<EOF >~/.config/lxc/default.conf
+  lxc.idmap = u 0 100000 65536
+  lxc.idmap = g 0 100000 65536
+  lxc.network.type = veth
+  lxc.network.link = lxcbr0
+  EOF
+  echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
+
 LXC Container management
 ========================
 
 List available containers::
 
   $ sudo lxc-ls
+  $ sudo lxc-ls -f
   $ sudo lxc-ls --fancy
 
 Show details about container::
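Review bot: the subordinate id ranges given to ``usermod`` are off by one. ``vagrant:100000:65536`` in ``/etc/subuid`` is start:count, so the last id the user owns is 165535, while ``usermod`` takes an inclusive FIRST-LAST range; ``100000-165536`` covers 65537 ids and will not match the ``lxc.idmap = u 0 100000 65536`` line below it. Use ``100000-165535`` in both the ``-v``/``-w`` and the long-option forms. The long-option form is also misspelled: the options are ``--add-subuids`` and ``--add-subgids`` with two dashes, so ``usermod -add-subuids`` as written will not do what the text says. Two further points on the config block: ``lxc.network.type``/``lxc.network.link`` are the pre-2.1 keys, which LXC 3.x rejects in favour of ``lxc.net.0.type``/``lxc.net.0.link``, and mixing them with the newer ``lxc.idmap`` key (the replacement for ``lxc.id_map``) will break on one side or the other, so pick the key set for the LXC version this was tested on and say which. Finally, the section is titled "Creating unprivileged containers" but stops after writing ``default.conf``: it never creates one. A closing ``lxc-create -t download -n $NAME`` run as the user (without ``sudo``) would complete the procedure, and a sentence noting that the later ``sudo lxc-ls``/``sudo lxc-attach`` commands in this file look in ``/var/lib/lxc``, not ``~/.local/share/lxc``, would save readers from wondering why their unprivileged containers are invisible. Spelling: "unpriviliged" in the heading.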
@@ -176,10 +218,42 @@
 
   lxc.start.auto = 1
 
+Other autostart params::
+
+  lxc.start.delay = 15 # delay in seconds
+  lxc.start.order = 50 # higher value means starts earlier
+
+Limit memory usage::
+
+  lxc.cgroup.memory.limit_in_bytes = 256M
+
+Apply memory limit on fly::
+
+  sudo lxc-cgroup -n $NAME memory.limit_in_bytes 100M
+
 Link containers in non standard location to take them in account::
 
   $ ln -s /opt/lxc/$NAME /var/lib/lxc/$NAME
 
+Show container status/into::
+
+  $ sudo lxc-info -n $NAME
+
+Print just state::
+
+  $ sudo lxc-info -n $NAME -s
+  $ sudo lxc-info -n $NAME --state
+
+Print just pid::
+
+  $ sudo lxc-info -n $NAME -p
+  $ sudo lxc-info -n $NAME --pid
+
+Print just IP addresses::
+
+  $ sudo lxc-info -n $NAME -i
+  $ sudo lxc-info -n $NAME --ips
+
 Run command in running container::
 
   $ sudo lxc-attach -n $NAME
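Review bot: "Show container status/into" should read "status/info". The ``lxc.cgroup.memory.limit_in_bytes`` and ``lxc-cgroup ... memory.limit_in_bytes`` examples are cgroup v1 keys; on a host booted with the unified cgroup v2 hierarchy the config key is ``lxc.cgroup2.memory.max`` (and the controller file is ``memory.max``), so a one-line caveat saying which hierarchy these were tested against would keep the snippet from silently failing for readers on newer distributions. The comment on ``lxc.start.order`` ("higher value means starts earlier") contradicts ``lxc.container.conf(5)``, which documents a lower value as an earlier start; since the behaviour has not always matched the manual, note the LXC version this was verified on rather than asserting one direction without qualification.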
@@ -187,6 +261,16 @@
   $ sudo lxc-attach -n $NAME -- ls -a
   $ sudo lxc-attach -n $NAME -- apk list
 
+Open session in console (attaches container tty process to current terminal, prompt for
+user/password)::
+
+  $ sudo lxc-console -n $NAME
+
+Freeze/unfreeze::
+
+  $ sudo lxc-freeze -n $NAME
+  $ sudo lxc-unfreeze -n $NAME
+
 Making snapshot
 ===============
 
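Review bot: the ``lxc-console`` paragraph explains that the container tty is attached to the current terminal but not how to get back out, which is the first thing a reader will need; add that the escape sequence is ``Ctrl-a q`` (the default ``-e`` prefix is ``Ctrl-a``), since the usual shell ``exit`` only logs out of the container and returns to its login prompt.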
@@ -199,11 +283,11 @@
 
 Make a snapshot::
 
-  $ sudo lcx-halt -n $NAME
-  $ sudo lcx-snapshot -n $NAME
+  $ sudo lxc-halt -n $NAME
+  $ sudo lxc-snapshot -n $NAME
 
 Restore from snapshot::
 
-  $ sudo lcx-halt -n $NAME
-  $ sudo lcx-snapshot -n $NAME -r $SNAPNAME
+  $ sudo lxc-halt -n $NAME
+  $ sudo lxc-snapshot -n $NAME -r $SNAPNAME
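Review bot: correcting ``lcx-`` to ``lxc-`` still leaves ``lxc-halt``, which is not a command shipped with LXC 1.0 and later; the clean-shutdown command is ``lxc-stop -n $NAME``, and ``lxc-snapshot`` requires the container to be stopped, so both blocks should use ``lxc-stop`` before snapshotting or restoring.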