LXC Host

From Michael's Information Zone
Latest revision as of 11:33, 22 September 2018

CentOS 7

Basic Install

[1] http://www.tecmint.com/install-create-run-lxc-linux-containers-on-centos/
[2] https://stgraber.org/2013/12/27/lxc-1-0-container-storage/

[root@web ~]# yum install epel-release
[root@web ~]# yum install debootstrap perl libvirt
[root@web ~]# yum install lxc lxc-templates

Storage

The default directory for containers can be changed by setting lxc.lxcpath in /etc/lxc/lxc.conf, the system-wide LXC configuration (and NOT in /etc/lxc/default.conf, which only supplies the default settings copied into each new container's own config):[3][4]
[3] https://stackoverflow.com/questions/25286546/change-lxc-container-directory
[4] https://github.com/lxc/lxc/issues/208

lxc.lxcpath = /raid5/services/containers

Troubleshooting

ImportError: No module named 'lxc'

I ran into a problem when trying to list my containers.

[root@nas ~]# lxc-ls
Traceback (most recent call last):
  File "/usr/bin/lxc-ls", line 31, in <module>
    import lxc
ImportError: No module named 'lxc'

I assumed this was a kernel module, which really messed me up. After a lot of wasted time I found out that this is a Python module.[5]
[5] http://lxc-users.linuxcontainers.narkive.com/R1ziqqL4/lxc-ls-question
At this point I searched for the package but could not find it.

[root@nas ~]# yum search python | grep python | grep lxc
python2-lxc.x86_64 : Python2 bindings for LXC
python34-lxc.x86_64 : Python binding for lxc

Looks like python34-lxc is what I need, so I check my installed packages:

[root@nas ~]# yum list installed | grep python | grep lxc
python34-lxc.x86_64  

It is already installed, so let's try reinstalling:

[root@nas ~]# yum reinstall python34-lxc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.usinternet.com
 * epel: mirror.rnet.missouri.edu
 * extras: centos2.zswap.net
 * nux-dextop: li.nux.ro
 * updates: mirror.atlanticmetro.net
Resolving Dependencies
--> Running transaction check
---> Package python34-lxc.x86_64 0:1.0.11-1.el7 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                               Arch                                            Version                                                 Repository                                     Size
===================================================================================================================================================================================================================
Reinstalling:
 python34-lxc                                          x86_64                                          1.0.11-1.el7                                            epel                                           25 k

Transaction Summary
===================================================================================================================================================================================================================
Reinstall  1 Package

Total download size: 25 k
Installed size: 54 k
Is this ok [y/d/N]: y
Downloading packages:
python34-lxc-1.0.11-1.el7.x86_64.rpm                                                                                                                                                        |  25 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python34-lxc-1.0.11-1.el7.x86_64                                                                                                                                                                1/1 
  Verifying  : python34-lxc-1.0.11-1.el7.x86_64                                                                                                                                                                1/1 

Installed:
  python34-lxc.x86_64 0:1.0.11-1.el7                                                                                                                                                                               

Complete!

Now let's try again:

[root@nas ~]# lxc-ls
[root@nas ~]# 

I think we have success!

Unit lxc.service could not be found

When I was first installing LXC, my server ended up dying on me. After moving drives to a new system I found LXC to be corrupted. A re-install was needed.

[root@nas ~]# systemctl status lxc
Unit lxc.service could not be found.
[root@nas ~]# yum reinstall $(yum list installed | grep lxc | awk '{print $1}')
...
[root@nas ~]# systemctl status lxc
● lxc.service - LXC Container Initialization and Autoboot Code
   Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
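Both the ImportError above and the missing lxc.service unit were resolved by reinstalling packages on suspicion. As an added example, not from the original page, the following script first checks what rpm actually recorded for each installed LXC package, so a reinstall happens only where a file is missing or its size, mode or digest changed. The `--check` flag, the `classify_verify_line` and `verdict` function names and the sample `rpm -V` lines are this example's own assumptions; the meaning of the flag letters is rpm's documented `rpm -V` output format.

```shell
#!/bin/sh
# Added example, not from the original page: check the installed LXC packages
# with rpm -V before reinstalling anything. rpm -V prints one line per file
# that differs from the RPM database, either "missing <path>" or a 9-character
# flag string (S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities), an optional attribute letter (c = config file) and
# the path. An edited config file is expected; a missing unit file or a
# changed digest on a library is not.

# classify_verify_line '<one rpm -V line>' -> missing | corrupt | config-edited | ok
classify_verify_line() {
    case "$1" in
        missing*) echo missing; return 0 ;;
    esac
    flags=$(printf '%s\n' "$1" | awk '{ print $1 }')
    attr=$(printf '%s\n' "$1" | awk '{ if (NF >= 3) print $2; else print "" }')
    if [ "$attr" = c ]; then
        echo config-edited          # local edits to %config files are normal
    else
        case "$flags" in
            *S*|*M*|*5*) echo corrupt ;;   # size, mode or digest changed
            *) echo ok ;;                  # only mtime/owner drift
        esac
    fi
    return 0
}

# verdict: reads rpm -V output on stdin, prints "reinstall" if any file is
# missing or corrupt, otherwise "intact"
verdict() {
    result=intact
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(classify_verify_line "$line")" in
            missing|corrupt) result=reinstall ;;
        esac
    done
    echo "$result"
}

# Constructed sample output (hypothetical, not captured from the page's host):
# the lxc.service unit is gone, and lxc.conf was edited on purpose (lxcpath).
SAMPLE_VERIFY='missing     /usr/lib/systemd/system/lxc.service
S.5....T.  c /etc/lxc/lxc.conf'

if [ "${1:-}" = "--check" ]; then
    # Real run (needs rpm/yum): reinstall only the packages that actually fail.
    for pkg in $(rpm -qa 'lxc*' 'python*-lxc'); do
        if [ "$(rpm -V "$pkg" | verdict)" = reinstall ]; then
            echo "$pkg: files missing or modified, reinstalling"
            yum -y reinstall "$pkg"
        else
            echo "$pkg: intact"
        fi
    done
else
    printf '%s\n' "$SAMPLE_VERIFY" | verdict
fi
```

Without arguments the script only classifies the constructed sample; `--check` runs it against the real RPM database as root.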

SELinux

I am not entirely sure of the best way to handle this. Though I am a huge supporter of using SELinux, I am no expert on implementation.
After creating a new container, I ran into the following errors:

sed: can't read /raid5/services/containers/test3/rootfs/etc/init/tty.conf: No such file or directory
Storing root password in '/raid5/services/containers/test3/tmp_root_pass'
chpasswd: cannot open /etc/passwd
Expiring password for user root.
passwd: Libuser error at line: 413 - Error replacing `/etc/passwd': Permission denied.
passwd: Error
sed: can't read /raid5/services/containers/test3/rootfs/etc/rc.sysinit: No such file or directory
sed: can't read /raid5/services/containers/test3/rootfs/etc/rc.d/rc.sysinit: No such file or directory

Because lxc copies the rootfs from cache, I think this messes up the context on the files. Digging through audit.log, I found passwd having problems accessing the container files.

[root@nas ~]# : > /var/log/audit/audit.log
[root@nas ~]# lxc-create -n test3 -t centos
...
[root@nas ~]# grep passwd /var/log/audit/audit.log
type=AVC msg=audit(1537633138.649:5348): avc:  denied  { read write } for  pid=18611 comm="chpasswd" path="/raid5/services/containers/test2/partial" dev="zfs" ino=176109 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
...
[root@nas ~]# chroot /raid5/services/containers/test3/rootfs passwd
Changing password for user root.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: Authentication token manipulation error

Since all of these alerts were generated during the creation of the container, I felt comfortable enough using audit2allow to allow access. Though, looking at the output, it may not have been a good idea. Time will tell :-P

[root@nas ~]# grep passwd /var/log/audit/audit.log | audit2allow


#============= passwd_t ==============
allow passwd_t default_t:chr_file read;

#!!!! WARNING: 'default_t' is a base type.
allow passwd_t default_t:dir read;

#!!!! WARNING: 'default_t' is a base type.
allow passwd_t default_t:file { read write };

#!!!! WARNING: 'etc_t' is a base type.
allow passwd_t etc_t:file { unlink write };
[root@nas ~]# restorecon -R /raid5/services/containers
[root@nas ~]# chroot /raid5/services/containers/test3/rootfs passwd
Changing password for user root.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
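The denial above shows chpasswd (passwd_t) being refused access to a file labelled default_t under the custom lxc.lxcpath from the Storage section, and it was restorecon, not the audit2allow rules, that made passwd work. As an added example that is not the page's own procedure, the script below parses such AVC records, separates unlabelled-target denials (fixed by relabelling) from ones that would need a real policy decision, and, with `--apply`, gives the configured lxcpath the same file contexts the policy defines for /var/lib/lxc through a semanage equivalence rule before running restorecon. The `--apply` flag, the function names and the /var/lib/lxc equivalence are this example's assumptions; the sample record is the one printed above.

```shell
#!/bin/sh
# Added example, not from the original page: triage the SELinux denials from
# lxc-create and fix the labelling of a container directory that lives outside
# /var/lib/lxc (the lxc.lxcpath set above). A target context of default_t or
# unlabeled_t means the policy has no file-context rule for that path, so the
# cure is a file-context rule plus restorecon, not an audit2allow policy that
# would let passwd_t write to every default_t and etc_t file on the host.

# avc_field '<audit record>' <key> -> value of key=... with quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# type_of '<selinux context>' -> the type component, e.g. passwd_t
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc '<audit record>' -> "relabel" when the target is unlabelled,
# "policy" when a real policy decision is needed
triage_avc() {
    case "$(type_of "$(avc_field "$1" tcontext)")" in
        default_t|unlabeled_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# label_lxcpath <path>: make <path> carry the same file contexts the policy
# defines for /var/lib/lxc (semanage equivalence rule, persistent across
# relabels), then apply them to what is already there.
# Needs policycoreutils-python on CentOS 7 for semanage. (Example assumption.)
label_lxcpath() {
    semanage fcontext -a -e /var/lib/lxc "$1"
    restorecon -Rv "$1"
}

# report '<audit record>' -> one line: verdict, command, path, target type
report() {
    echo "$(triage_avc "$1") $(avc_field "$1" comm) $(avc_field "$1" path) ($(type_of "$(avc_field "$1" tcontext)"))"
}

# The AVC record shown above (copied from the page) as the worked input.
SAMPLE_AVC='type=AVC msg=audit(1537633138.649:5348): avc:  denied  { read write } for  pid=18611 comm="chpasswd" path="/raid5/services/containers/test2/partial" dev="zfs" ino=176109 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

if [ "${1:-}" = "--apply" ]; then
    # Real run (root, SELinux host): label the configured lxcpath, then list
    # what is still denied; only "policy" lines deserve a custom module.
    LXCPATH=$(lxc-config lxc.lxcpath)
    matchpathcon -V "$LXCPATH" || true      # show current vs expected label
    label_lxcpath "$LXCPATH"
    ausearch -m avc -ts recent | grep '^type=AVC' | while IFS= read -r rec; do
        report "$rec"
    done
else
    report "$SAMPLE_AVC"
fi
```

Run without arguments it prints the triage of the sample record (`relabel chpasswd /raid5/services/containers/test2/partial (default_t)`). The audit2allow output above would have granted passwd_t read/write on every default_t file and unlink/write on every etc_t file system-wide, which is why a mislabelled container path should be relabelled rather than allowed.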