LXC

Host Setup

Network

See network setup

Control group support

Add to /etc/fstab:

cgroup               /sys/fs/cgroup  cgroup  defaults  0  0

Then mount:

# mount cgroup

In order to enable memory and swap controller add the following kernel boot parameters:

cgroup_enable=memory swapaccount=1

LXC installation

# apt-get install lxc debootstrap

Debian's LXC expects that the base path is /var/lib/lxc. To store the containers anywhere else do

# rmdir /var/lib/lxc
# ln -s /srv/lxc /var/lib/lxc

Check the installation:

# lxc-checkconfig

Debian wheezy uses live-debconfig to configure the container. As live-debconfig is only available in Debian jessie it must be downloaded and put to /usr/share/lxc/packages.

Add to /etc/apt/sources.list:

deb http://ftp.de.debian.org/debian unstable main contrib non-free

Then download:

# cd /usr/share/lxc/packages
# apt-get update
# apt-get download live-debconfig

Container Security

TODO

• /proc and /sys
• lxc.cap.drop

Create an LXC container

Create a temporary lxc.conf (see /usr/share/doc/lxc/examples for examples):

lxc.utsname                             = lxc1
lxc.network.type                        = veth
lxc.network.flags                       = up
lxc.network.link                        = br0
lxc.network.name                        = eth0
lxc.network.ipv4                        = 2.3.4.5/32
lxc.network.veth.pair                   = veth0

Then create and debootstrap the container.

# lxc-create -n lxc1 -t debian -f lxc1.conf

Additional options:

--debconf-frontend
--debconf-priority
--preseed-file

Debconfig steps:

• Enter (optional) preseed file to use: empty
• Distribution: Debian GNU/Linux 7.0 "wheezy
• Architecture: 64-bit PC (amd64)
• Archives: Debian Security, Debian Updates
• Mirror: http://ftp.de.debian.org/debian
• Mirror Security: http://security.debian.org/
• Archive Areas: main, contrib, non-free
• Packages: empty
• Root password: enter
• Bridge: br0
• MAC: enter

Live-debconfig steps:

• Hostname: enter
• Enable Loopback Interface?: no
• Ethernet Interface Method: static
• Ethernet Interface Comment: empty
• Ethernet IP Address?: enter
• Ethernet Broadcast Address: empty
• Ethernet Gateway Address: empty
• Ethernet MTU: empty
• Ethernet Network Mask: 255.255.255.255
• Ethernet Network Address: empty
• Ethernet post-up Command: ...
• Nameserver Addresses: 8.8.8.8
• Enable LXC: yes
• How many consoles for LXC: 1
• Which services to disable for LXC: checkroot.sh hwclockfirst.sh hwclock.sh kmod module-init-tools mountall.sh mountkernfs.sh umountfs umountroot
• Access the hardware clock: no
• Enable SELinux: no

Optional: review LXC config file /srv/lxc/lxc1/config:

Optional: review container network configuration /srv/lxc/lxc1/rootfs/etc/network/interfaces:

Optional: review container hosts file /srv/lxc/test/rootfs/etc/hosts:

Basic setup

Start the container

# lxc-start -n lxc1

Login as root.

Configure console

See Configure console.

Install basic tools

See Install basic tools.

Disable logging of kernel messages within the container. Edit /etc/rsyslog.conf and comment the line

#$ModLoad imklog

Then restart rsyslogd:

# /etc/init.d/rsyslog restart

SSH server

See SSH Server.

Stop the container

(lxc1)# halt

Autostart the container

Check /etc/default/lxc:

RUN=yes
CONF_DIR=/etc/lxc

Create link in /etc/lxc/auto:

# ln -s /srv/lxc/lxc1/config /etc/lxc/auto/lxc1.conf

Then start using the init script:

# /etc/init.d/lxc start

Install security tools

• Cron-APT
• Optional: Shorewall, can also be done by host system
• Optional: Fail2ban, can also be done by host system

TODOs

• Routing from Internet
• cgroup: set limits
• Use LVM volumne
• DNS cache
• DHCP server

Sources:

• http://wiki.debian.org/LXC/SimpleBridge
• http://wiki.debian.org/LXC
• http://www.wallix.org/2011/09/20/how-to-use-linux-containers-lxc-under-debian-squeeze/
• http://www.vislab.uq.edu.au/howto/lxc/lxcnetwork.html