Difference between revisions of "LXC Host"

From Michael's Information Zone
Latest revision as of 11:33, 22 September 2018

CentOS 7

Basic Install

[1][2]

[root@web ~]# yum install epel-release
[root@web ~]# yum install debootstrap perl libvirt
[root@web ~]# yum install lxc lxc-templates

Storage

It appears you can change the default directory used to store containers by setting lxc.lxcpath in /etc/lxc/lxc.conf (and NOT in default.conf, which is the per-container template) [3][4]. ([3] https://stackoverflow.com/questions/25286546/change-lxc-container-directory, [4] https://github.com/lxc/lxc/issues/208)

lxc.lxcpath = /raid5/services/containers

Troubleshooting

ImportError: No module named 'lxc'

I ran into a problem when trying to list my containers.

[root@nas ~]# lxc-ls
Traceback (most recent call last):
  File "/usr/bin/lxc-ls", line 31, in <module>
    import lxc
ImportError: No module named 'lxc'

I assumed this was a kernel module, which really messed me up. After a lot of wasted time I found out that this is a Python module [5].
At this point I searched for the package but could not find it.

[root@nas ~]# yum search python | grep python | grep lxc
python2-lxc.x86_64 : Python2 bindings for LXC
python34-lxc.x86_64 : Python binding for lxc

Looks like python34-lxc is what I need, so I check my installed packages.

[root@nas ~]# yum list installed | grep python | grep lxc
python34-lxc.x86_64  

It is already installed, so let's try re-installing.

[root@nas ~]# yum reinstall python34-lxc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.usinternet.com
 * epel: mirror.rnet.missouri.edu
 * extras: centos2.zswap.net
 * nux-dextop: li.nux.ro
 * updates: mirror.atlanticmetro.net
Resolving Dependencies
--> Running transaction check
---> Package python34-lxc.x86_64 0:1.0.11-1.el7 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                               Arch                                            Version                                                 Repository                                     Size
===================================================================================================================================================================================================================
Reinstalling:
 python34-lxc                                          x86_64                                          1.0.11-1.el7                                            epel                                           25 k

Transaction Summary
===================================================================================================================================================================================================================
Reinstall  1 Package

Total download size: 25 k
Installed size: 54 k
Is this ok [y/d/N]: y
Downloading packages:
python34-lxc-1.0.11-1.el7.x86_64.rpm                                                                                                                                                        |  25 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python34-lxc-1.0.11-1.el7.x86_64                                                                                                                                                                1/1 
  Verifying  : python34-lxc-1.0.11-1.el7.x86_64                                                                                                                                                                1/1 

Installed:
  python34-lxc.x86_64 0:1.0.11-1.el7                                                                                                                                                                               

Complete!

Now let's try again.

[root@nas ~]# lxc-ls
[root@nas ~]# 

I think we have success!

Unit lxc.service could not be found

When I was first installing LXC, my server ended up dying on me. After moving drives to a new system I found LXC to be corrupted. A re-install was needed.

[root@nas ~]# systemctl status lxc
Unit lxc.service could not be found.
[root@nas ~]# yum reinstall $(yum list installed | grep lxc | awk '{print $1}')
...
[root@nas ~]# systemctl status lxc
● lxc.service - LXC Container Initialization and Autoboot Code
   Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

SELinux

I am not entirely sure of the best way to handle this. Though I am a huge supporter of using SELinux, I am no expert on implementation.
After creating a new container, I ran into the following errors:

sed: can't read /raid5/services/containers/test3/rootfs/etc/init/tty.conf: No such file or directory
Storing root password in '/raid5/services/containers/test3/tmp_root_pass'
chpasswd: cannot open /etc/passwd
Expiring password for user root.
passwd: Libuser error at line: 413 - Error replacing `/etc/passwd': Permission denied.
passwd: Error
sed: can't read /raid5/services/containers/test3/rootfs/etc/rc.sysinit: No such file or directory
sed: can't read /raid5/services/containers/test3/rootfs/etc/rc.d/rc.sysinit: No such file or directory

Because lxc copies the rootfs from cache, I think this messes up the context on the files (the AVC below shows the container files labelled default_t, which passwd_t is not allowed to write). Digging through audit.log I found passwd having problems accessing the container files. Rather than truncating audit.log, which throws away the audit trail, ausearch -m AVC -ts recent restricts the search to records written in the last few minutes.

[root@nas ~]# : > /var/log/audit/audit.log
[root@nas ~]# lxc-create -n test3 -t centos
...
[root@nas ~]# grep passwd /var/log/audit/audit.log
type=AVC msg=audit(1537633138.649:5348): avc:  denied  { read write } for  pid=18611 comm="chpasswd" path="/raid5/services/containers/test2/partial" dev="zfs" ino=176109 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
...
[root@nas ~]# chroot /raid5/services/containers/test3/rootfs passwd
Changing password for user root.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: Authentication token manipulation error

Since all of these alerts were generated during the creation of the container, I felt comfortable enough using audit2allow to allow access. Though looking at the output it may not have been a good idea. Time will tell :-P

Note the warnings audit2allow prints: default_t and etc_t are base types, so a rule such as allow passwd_t default_t:file { read write }; lets passwd read and write every default_t file on the host, not just the container tree. default_t is the label a file gets when no file-context rule matches its path, which is the case for a custom lxcpath like /raid5/services/containers (the stock /var/lib/lxc has one). The narrower fix is to give the new path the same labels as /var/lib/lxc with semanage fcontext -a -e /var/lib/lxc /raid5/services/containers and then restorecon -R /raid5/services/containers, instead of loading the generated rules with semodule.

[root@nas ~]# grep passwd /var/log/audit/audit.log | audit2allow


#============= passwd_t ==============
allow passwd_t default_t:chr_file read;

#!!!! WARNING: 'default_t' is a base type.
allow passwd_t default_t:dir read;

#!!!! WARNING: 'default_t' is a base type.
allow passwd_t default_t:file { read write };

#!!!! WARNING: 'etc_t' is a base type.
allow passwd_t etc_t:file { unlink write };
[root@nas ~]# restorecon -R /raid5/services/containers
[root@nas ~]# chroot /raid5/services/containers/test3/rootfs passwd
Changing password for user root.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
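The following is an added example, not code from the page or from the LXC project. It groups AVC denials the way audit2allow does (one would-be allow rule per source type, target type and object class) and flags rules whose target is a base type, where the fix is to relabel the container tree rather than widen passwd_t. The sample audit lines are constructed: the first is the AVC shown above, the second is a hypothetical denial against an etc_t file; the base-type list is the two types audit2allow warned about above plus unlabeled_t, which is an assumption.

```python
import re
from collections import defaultdict

# Types audit2allow warned about as "base types" in the output above,
# plus unlabeled_t (assumed; the page does not show it). An allow rule
# against any of these reaches every object of that type on the host.
BASE_TYPES = {"default_t", "etc_t", "unlabeled_t"}

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="chpasswd", path="...")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("fields"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        # context is user:role:type:level; the type is the third field
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(lines):
    """Collapse denials into (stype, ttype, tclass) -> permission set,
    which is exactly what audit2allow turns into allow rules."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def format_rule(stype, ttype, tclass, perms):
    """Render a rule the way audit2allow prints it."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def triage(lines, container_path):
    """For each would-be rule decide: relabel the tree, or review policy."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        entry = {"rule": format_rule(stype, ttype, tclass, perms),
                 "base_type": ttype in BASE_TYPES}
        if ttype in BASE_TYPES:
            # A base-type target means the object is carrying a generic
            # label (no file-context rule matches the custom lxcpath).
            # Give the tree the labels of /var/lib/lxc instead of
            # granting passwd_t access to every default_t/etc_t file.
            entry["action"] = "relabel"
            entry["commands"] = [
                f"semanage fcontext -a -e /var/lib/lxc {container_path}",
                f"restorecon -Rv {container_path}",
            ]
        else:
            entry["action"] = "review"
            entry["commands"] = ["audit2allow -M lxc_local -i avc.log",
                                 "semodule -i lxc_local.pp"]
        out.append(entry)
    return out


# Constructed sample: the AVC from this page, a hypothetical second
# denial against an etc_t file, and a non-AVC record that must be skipped.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1537633138.649:5348): avc:  denied  { read write } for  pid=18611 comm="chpasswd" path="/raid5/services/containers/test2/partial" dev="zfs" ino=176109 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file',
    'type=AVC msg=audit(1537633138.650:5349): avc:  denied  { write unlink } for  pid=18612 comm="passwd" name="passwd" dev="zfs" ino=176201 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1537633138.649:5348): arch=c000003e syscall=2 success=no exit=-13',
]

if __name__ == "__main__":
    for e in triage(SAMPLE_AUDIT, "/raid5/services/containers"):
        print(e["rule"], "->", e["action"])
        for c in e["commands"]:
            print("   ", c)
```

Feed it the output of ausearch -m AVC -ts recent (or the grep used above) instead of SAMPLE_AUDIT; every rule it would reconstruct for default_t or etc_t comes back with the relabel commands rather than a semodule step.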