{"id":300,"date":"2013-05-06T20:09:09","date_gmt":"2013-05-06T20:09:09","guid":{"rendered":"http:\/\/www.buildcube.com\/tech_blog\/?p=300"},"modified":"2023-10-04T22:08:07","modified_gmt":"2023-10-04T22:08:07","slug":"wheezy-is-out-so-is-openvz-but-lxc-seems-to-be-in","status":"publish","type":"post","link":"https:\/\/www.voodoo.business\/blog\/2013\/05\/06\/wheezy-is-out-so-is-openvz-but-lxc-seems-to-be-in\/","title":{"rendered":"Wheezy is out, so is openVZ, but LXC seems to be in !"},"content":{"rendered":"\n

This post is somewhat old, and kept here for historical reasons, if you want to run LXC containers on Debian Bookworm (12), I have composed a much more useful post here<\/a><\/p>\n\n\n

Yes, Wheezy is out to the public, and openVZ is out of Wheezy, so what to do.<\/p>\n

Basically, what i am doing now is investigating the alternative LXC, i have no time to learn right now, so i am going to have to do this fast.<\/p>\n

I have a gut feeling that LXC is better than openVZ, after all, it is in the mainline kernel, and it is supposed to be marvelously easy to install, so let me start working on this with everyone here.<\/p>\n

NOTES: if you want to give away LXC containers to people, you will need to use AppArmor with it, here, i run my containers, so i will not be installing AppArmor in this tutorial, but maybe soon i will add a tutorial for the AppArmor part.<\/p>\n

So, LXC here we come, to completely replace openVZ, with something more open (Sorry Parallels Virtuozzo, welcome IBM), something that can keep up with the kernel and not keep us behind.<\/p>\n

I will be turning this post into a tutorial on installing and running LXC on debian wheezy (7) with memory allocation to containers and with the kernel that shipped with wheezy, i should be done creating this tutorial in a few days, and it will remain an incremental effort where i will be adding more and more as i learn about this.<\/p>\n

NOTES: memory allocation is not compiled with the kernel by default but disabled, you enable it by adding a parameter to grub. (Not anymore, now memory allocation works out of the box)<\/p>\n

1- Install base system of wheezy (debian 7)<\/p>\n

2- Install some stuff i can never do without<\/p>\n

apt-get update<\/p>\n

apt-get upgrade<\/p>\n

apt-get install ssh openssh-server fail2ban<\/p>\n

fail2ban is a very important application that will prevent outsiders from bruit force cracking your server, it is very important, without it you will be hacked sooner or later (especially if you are in a datacenter), hackers look for servers to send spam from all the time.<\/p>\n

Now, we need to specify a hostname for this machine (the LXC HOST), i want to call mine server5.example.com<\/p>\n

echo server5.example.com > \/etc\/hostname<\/p>\n

\/etc\/init.d\/hostname.sh start<\/p>\n

hostname<\/p>\n

hostname -f<\/p>\n

apt-get install ntp ntpdate<\/p>\n

Now, we need to setup networking for LXC, every physical NIC (Network adapter) will need a bridge.<\/p>\n

To create a bridge, you need to install<\/p>\n

apt-get install bridge-utils<\/pre>\n
Then your \/etc\/network\/interfaces file must look like this<\/p>\n
------------------------------------------------\n# This file describes the network interfaces available on your system\n# and how to activate them. For more information, see interfaces(5).\n# The loopback network interface\n  auto lo\n  iface lo inet loopback\n# The primary network interface\n  #allow-hotplug eth0\n  #iface eth0 inet dhcp\n#Bridge setup\nauto br0\n  iface br0 inet static\n  bridge_ports eth0\n  bridge_fd 0\n  address 192.168.2.121\n  netmask 255.255.255.0\n  gateway 192.168.2.1\n  dns-nameservers 8.8.8.8\n------------------------------------------------<\/pre>\n
apt-get install lxc<\/p>\n
You will be presented with the following prompt, i myself accept the default \/var\/lib\/lxc<\/p>\n
Please specify the directory that will be used to store the Linux Containers. If unsure, use \/var\/lib\/lxc (default). LXC directory:<\/p>\n
mkdir \/cgroup<\/p>\n
Add the following line in \/etc\/fstab using a text editor:<\/p>\n
cgroup \/cgroup cgroup defaults 0 0<\/p>\n
mount -a<\/p>\n
Now, to make sure everything is working like it should<\/p>\n
lxc-checkconfig<\/p>\n
------------------- OUTPUT OF lxc-checkconfig ----------------START\n\nKernel config \/proc\/config.gz not found, looking in other places...\nFound kernel config file \/boot\/config-3.2.0-4-amd64\n--- Namespaces ---\nNamespaces: enabled\nUtsname namespace: enabled\nIpc namespace: enabled\nPid namespace: enabled\nUser namespace: enabled\nNetwork namespace: enabled\nMultiple \/dev\/pts instances: enabled\n\n--- Control groups ---\nCgroup: enabled\nCgroup clone_children flag: enabled\nCgroup device: enabled\nCgroup sched: enabled\nCgroup cpu account: enabled\nCgroup memory controller: enabled\nCgroup cpuset: enabled\n\n--- Misc ---\nVeth pair device: enabled\nMacvlan: enabled\nVlan: enabled\nFile capabilities: enabled\n\nNote : Before booting a new kernel, you can check its configuration\nusage : CONFIG=\/path\/to\/config \/usr\/bin\/lxc-checkconfig.\n\n------------------- OUTPUT OF lxc-checkconfig ------------------END<\/pre>\n
And on the host machine, you need to enable IP forwarding befor you fire up any of those LXC containers<\/p>\n
 echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n
But to make that peppermint you need to edit the file \/etc\/sysctl.conf where we can add a line containing net.ipv4.ip_forward = 1<\/p>\n
\/etc\/sysctl.conf:<\/p>\n
net.ipv4.ip_forward = 1<\/pre>\n
You might find that the entry is already there but with the value 0, in that case just flip the zero to a 1, or you might find it there but commented out, in that case, delete the # that precedes that line to enable it.<\/p>\n
To enable the changes made in sysctl.conf (And you don’t if you already executed the echo 1 statement above) you will need to run the command:<\/p>\n
sysctl -p \/etc\/sysctl.conf<\/pre>\n
Now that LXC is officially installed, there is more than 1 way to create containers, debootstrap is one of them (you will need to install it, and the container config will need to be done manually by adding a few lines into a file you create inside the container area), while i will use the LXC way by using the application lxc-create you are free to use any tool, including importing containers from vmware (copying vmware containers will work).<\/p>\n
Also worth mentioning, i use apt-cacher so when i am asked about the urls of the distro, i simply modify it to read http:\/\/192.168.2.133:3142\/ftp.us.debian.org\/debian\/ which is how i accerss apt-cacher to speed up things and not re-download everything every time.<\/p>\n
So, lets start<\/p>\n
lxc-create -t debian -n vm33<\/pre>\n
On a newer releast (7.7), the above gave me an error, so the following was the error and the solution (needed command)<\/p>\n
\u00a0<\/pre>\n
MIRROR=http:\/\/ftp.us.debian.org\/debian lxc-create -n vm10 -t debian -- -r wheezy<\/pre>\n
Or if you want to use apt-cacher<\/p>\n
MIRROR=http:\/\/192.168.10.237:3142\/ftp.us.debian.org\/debian lxc-create -n vm10 -t debian -- -r wheezy<\/pre>\n
1- Preseed file anyone? Enter (optional) preseed file to use: <== leave this one empty<\/p>\n
2- Chose the distro (debian wheezy for me)<\/p>\n
3- 64 or 32, i use 64<\/p>\n
4-
Archives.<\/p>\n
[*] Debian Security<\/p>\n
[*] Debian Updates<\/p>\n
[*] Debian Backports<\/p>\n
[ ] Debian Proposed Updates<\/p>\n
5- Mirror.<\/p>\n
i modify this to read http:\/\/192.168.2.133:3142\/ftp.us.debian.org\/debian\/ in order to use my apt-cacher, you can put any mirror here, or leave the default one (http:\/\/ftp.debian.org\/debian\/ Mirror Security http:\/\/security.debian.org\/ and Mirror Backports) provided for you. Archive areas Main, Packages (leave blank or specify the packages you want, you can install them later with apt-get), then the root password<\/p>\n
You must keep in mind that even after you see the message ‘debian’ template installed ‘vm33’ created, the config file for vm33 is not really ready, you need to enable networking in it manually. so, let’s edit the file \/var\/lib\/lxc\/vm33\/config and add networking support<\/p>\n
vi \/var\/lib\/lxc\/vm33\/config<\/p>\n
NOTE: THE BELOW IS FOR TYPICAL SETUPS, FOR HETZNER DATACENTER, PLEASE SEE THE POST ON LXC NETWORK SETUP WITH HETZNER.<\/p>\n
then add the lines right before #Capabilities and after the lines of ## Container<\/p>\n
lxc.network.type = veth<\/p>\n
lxc.network.flags = up<\/p>\n
lxc.network.link = br0<\/p>\n
lxc.network.name = eth0<\/p>\n
lxc.network.ipv4 = 192.168.2.125\/24<\/p>\n
Also, before we start the container, there are a few things we need to do…<\/p>\n
there seems to be an issue with the ssh keys, so what we will do around this issue is copy the keys from the host, (We will generate new ones for the conatiner later)<\/p>\n
EXECUTE ON HOST<\/p>\n
cp \/etc\/ssh\/ssh_host_dsa_key \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_dsa_key\ncp \/etc\/ssh\/ssh_host_dsa_key.pub \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_dsa_key.pub\ncp \/etc\/ssh\/ssh_host_ecdsa_key \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_ecdsa_key\ncp \/etc\/ssh\/ssh_host_ecdsa_key.pub \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_ecdsa_key.pub\ncp \/etc\/ssh\/ssh_host_rsa_key \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_rsa_key\ncp \/etc\/ssh\/ssh_host_rsa_key.pub \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_rsa_key.pub<\/pre>\n
Then, they won’t work without proper permissions<\/p>\n
chmod 0600 \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_dsa_key.pub\nchmod 0600 \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_ecdsa_key \nchmod 0600  \/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_rsa_key<\/pre>\n
Now i reboot the server just to be on the safe side, then i do the following<\/p>\n
lxc-start -n vm33 -d<\/pre>\n
lxc-info -n vm33<\/pre>\n
When you run the command for information, you should see the word RUNNING and a pid.<\/p>\n
Just SSH to the host !<\/p>\n
Now if you want to create new host keys for SSH just do the following<\/p>\n
delete the files<\/p>\n
\/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_dsa_key.pub\n\/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_ecdsa_key\n\/var\/lib\/lxc\/vm33\/rootfs\/etc\/ssh\/ssh_host_rsa_key<\/pre>\n
execute<\/p>\n
dpkg-reconfigure openssh-server<\/p>\n
—————————————<\/p>\n
Making LXC auto start at the system boot
The old Way – create a symbolic link, should still work, but i have not tried<\/p>\n
ln -s \/var\/lib\/lxc\/vm34\/config \/etc\/lxc\/auto\/vm34_config<\/p>\n
The new way that provides better control of the order they are started in.
Set lxc.start.auto == 1 in the config<\/p>\n
Then, the following will tell the system what containers to start first, and when<\/p>","protected":false},"excerpt":{"rendered":"
This post is somewhat old, and kept here for historical reasons, if you want to run LXC containers on Debian Bookworm (12), I have composed a much more useful post here Yes, Wheezy is out to the public, and openVZ is out of Wheezy, so what to do. Basically, what i am doing now is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,173,139],"tags":[],"class_list":["post-300","post","type-post","status-publish","format-standard","hentry","category-linux","category-lxc","category-virtualization-linux"],"_links":{"self":[{"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/posts\/300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/comments?post=300"}],"version-history":[{"count":4,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/posts\/300\/revisions"}],"predecessor-version":[{"id":2793,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/posts\/300\/revisions\/2793"}],"wp:attachment":[{"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/media?parent=300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/categories?post=300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.voodoo.business\/blog\/wp-json\/wp\/v2\/tags?post=300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}