Difference between revisions of "LXC Host"
Page created and revised by Michael.mast (talk | contribs); 5 intermediate revisions by the same user not shown. Current revision:
==CentOS 7==
===Basic Install===
<ref>http://www.tecmint.com/install-create-run-lxc-linux-containers-on-centos/</ref><ref>https://stgraber.org/2013/12/27/lxc-1-0-container-storage/</ref>
<pre>
[root@web ~]# yum install epel-release
[root@web ~]# yum install debootstrap perl libvirt
[root@web ~]# yum install lxc lxc-templates
</pre>

===Storage===
<ref>https://stackoverflow.com/questions/25286546/change-lxc-container-directory</ref>It appears you can change the default directory to store containers by modifying /etc/lxc/lxc.conf (and NOT default.conf).<ref>https://github.com/lxc/lxc/issues/208</ref>
<pre>
lxc.lxcpath = /raid5/services/containers
</pre>
===Troubleshooting===
====ImportError: No module named 'lxc'====
I ran into a problem when trying to list my containers.
<pre>
[root@nas ~]# lxc-ls
Traceback (most recent call last):
  File "/usr/bin/lxc-ls", line 31, in <module>
    import lxc
ImportError: No module named 'lxc'
</pre>
I assumed this was a kernel module, which really messed me up. After a lot of wasted time I found out that this is a Python module.<ref>http://lxc-users.linuxcontainers.narkive.com/R1ziqqL4/lxc-ls-question</ref>
<br>
At this point I searched for the package but could not find it.
<pre>
[root@nas ~]# yum search python | grep python | grep lxc
python2-lxc.x86_64 : Python2 bindings for LXC
python34-lxc.x86_64 : Python binding for lxc
</pre>
Looks like python34-lxc is what I need. So I check my installed packages.
<pre>
[root@nas ~]# yum list installed | grep python | grep lxc
python34-lxc.x86_64
</pre>
It is already installed. So let's try re-installing.
<pre>
[root@nas ~]# yum reinstall python34-lxc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.usinternet.com
 * epel: mirror.rnet.missouri.edu
 * extras: centos2.zswap.net
 * nux-dextop: li.nux.ro
 * updates: mirror.atlanticmetro.net
Resolving Dependencies
--> Running transaction check
---> Package python34-lxc.x86_64 0:1.0.11-1.el7 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                    Arch                                    Version                                            Repository                             Size
===================================================================================================================================================================================================================
Reinstalling:
 python34-lxc                               x86_64                                  1.0.11-1.el7                                       epel                                   25 k

Transaction Summary
===================================================================================================================================================================================================================
Reinstall  1 Package

Total download size: 25 k
Installed size: 54 k
Is this ok [y/d/N]: y
Downloading packages:
python34-lxc-1.0.11-1.el7.x86_64.rpm                                                                                                                                           |  25 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python34-lxc-1.0.11-1.el7.x86_64                                                                                                                                               1/1
  Verifying  : python34-lxc-1.0.11-1.el7.x86_64                                                                                                                                               1/1

Installed:
  python34-lxc.x86_64 0:1.0.11-1.el7

Complete!
</pre>
Now let's try again.
<pre>
[root@nas ~]# lxc-ls
[root@nas ~]#
</pre>
I think we have success!

====Unit lxc.service could not be found====
When I was first installing LXC, my server ended up dying on me. After moving drives to a new system I found LXC to be corrupted. A re-install was needed.
<pre>
[root@nas ~]# systemctl status lxc
Unit lxc.service could not be found.
[root@nas ~]# yum reinstall $(yum list installed | grep lxc | awk '{print $1}')
...
[root@nas ~]# systemctl status lxc
● lxc.service - LXC Container Initialization and Autoboot Code
   Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
</pre>
====SELinux====
I am not entirely sure of the best way to handle this. Though I am a huge supporter of using SELinux, I am no expert on implementation.
<br>
After creating a new container, I ran into the following errors:
<pre>
sed: can't read /raid5/services/containers/test3/rootfs/etc/init/tty.conf: No such file or directory
Storing root password in '/raid5/services/containers/test3/tmp_root_pass'
chpasswd: cannot open /etc/passwd
Expiring password for user root.
passwd: Libuser error at line: 413 - Error replacing `/etc/passwd': Permission denied.
passwd: Error
sed: can't read /raid5/services/containers/test3/rootfs/etc/rc.sysinit: No such file or directory
sed: can't read /raid5/services/containers/test3/rootfs/etc/rc.d/rc.sysinit: No such file or directory
</pre>
Because lxc copies the rootfs from cache, I think this messes up the context on the files. Digging through the audit.log, I found passwd having problems accessing the container files.
<pre>
[root@nas ~]# : > /var/log/audit/audit.log
[root@nas ~]# lxc-create -n test3 -t centos
...
[root@nas ~]# grep passwd /var/log/audit/audit.log
type=AVC msg=audit(1537633138.649:5348): avc:  denied  { read write } for  pid=18611 comm="chpasswd" path="/raid5/services/containers/test2/partial" dev="zfs" ino=176109 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
...
[root@nas ~]# chroot /raid5/services/containers/test3/rootfs passwd
Changing password for user root.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: Authentication token manipulation error
</pre>
Since all of these alerts were generated during the creation of the container, I felt comfortable enough using audit2allow to allow access. Though looking at the output, it may not have been a good idea. Time will tell :-P
<pre>
[root@nas ~]# grep passwd /var/log/audit/audit.log | audit2allow


#============= passwd_t ==============
allow passwd_t default_t:chr_file read;

#!!!! WARNING: 'default_t' is a base type.
allow passwd_t default_t:dir read;

#!!!! WARNING: 'default_t' is a base type.
allow passwd_t default_t:file { read write };

#!!!! WARNING: 'etc_t' is a base type.
allow passwd_t etc_t:file { unlink write };
[root@nas ~]# restorecon -R /raid5/services/containers
[root@nas ~]# chroot /raid5/services/containers/test3/rootfs passwd
Changing password for user root.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
</pre>
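An added example (not from the original page) that does the triage step above by hand: it parses AVC records like the chpasswd denial quoted above, prints the allow rule audit2allow would derive from each, and flags denials whose target type is default_t (or unlabeled_t) as labelling problems, the case where restorecon is the fix rather than a new rule on a base type. The audit log below is constructed for the example, and FIELD_RE, parse_avc, rule_for and triage are this example's own names.

```python
import re

# Constructed sample of /var/log/audit/audit.log for this example: the first
# record is the denial quoted above (spacing as printed on the page), the other
# two are assumed records of the kind audit2allow turned into the rules shown.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1537633138.649:5348): avc: denied { read write } for pid=18611 comm="chpasswd" path="/raid5/services/containers/test2/partial" dev="zfs" ino=176109 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1537633138.650:5349): avc:  denied  { read } for  pid=18611 comm="chpasswd" name="rootfs" dev="zfs" ino=176100 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1537633138.650:5349): arch=c000003e syscall=2 success=no exit=-13 comm="chpasswd"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Types SELinux falls back to for files that never got a proper label (e.g. a
# rootfs copied into a directory with no file-context rule). A denial against
# one is a labelling problem: restorecon fixes it; an allow on a base type does not.
MISLABELLED_TYPES = {"default_t", "unlabeled_t"}

def parse_avc(line):
    """Return the parts of one AVC denial record, or None for any other record."""
    m = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        "target": fields.get("path") or fields.get("name") or "?",
        # The type is the third colon-separated field of an SELinux context.
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def rule_for(d):
    """The allow rule audit2allow would derive from one parsed denial."""
    p = d["perms"]
    perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return "allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], perms)

def triage(audit_text):
    """Parse every denial and say whether restorecon or a policy review is due."""
    rows = []
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            d["rule"] = rule_for(d)
            d["fix"] = "restorecon" if d["ttype"] in MISLABELLED_TYPES else "review policy"
            rows.append(d)
    return rows
```

Run `triage(SAMPLE_AUDIT_LOG)` (or feed it the real file's contents) and look at the `fix` and `rule` fields: both sample denials come back as restorecon cases, matching what finally made passwd succeed above.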
Latest revision as of 11:33, 22 September 2018