LXC Host
CentOS 7
Basic Install
[root@web ~]# yum install epel-release
[root@web ~]# yum install debootstrap perl libvirt
[root@web ~]# yum install lxc lxc-templates
Storage
Per [3], the default directory in which containers are stored can be changed by setting lxc.lxcpath in /etc/lxc/lxc.conf (the system-wide LXC config), NOT in /etc/lxc/default.conf, which only provides the default settings copied into each new container's config[4]:
lxc.lxcpath = /raid5/services/containers
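As an added example (my own script, not from this page or the LXC project), a small POSIX shell script that reads lxc.lxcpath from a config file and sanity-checks the directory before LXC is pointed at it. Whoever can write to lxcpath can replace or tamper with a container's rootfs before it starts, so the directory should be root-owned and neither group- nor world-writable. The function names are my own; /etc/lxc/lxc.conf and /raid5/services/containers are the paths used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: read lxc.lxcpath from an LXC
# system config file and sanity-check the directory before using it.
# Function names are my own; /etc/lxc/lxc.conf is the file this page edits.

# Print the lxc.lxcpath value from the given config file, or LXC's built-in
# default /var/lib/lxc when the key is absent or the file cannot be read.
# Comment lines are ignored, surrounding whitespace is stripped, and the
# last occurrence in the file wins.
lxcpath_from_conf() {
    conf="$1"
    val=$(sed -n '/^[[:space:]]*lxc\.lxcpath[[:space:]]*=/{
        s/^[^=]*=[[:space:]]*//
        s/[[:space:]]*$//
        p
    }' "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-/var/lib/lxc}"
}

# Return 0 when dir is a real directory (not a symlink) that is neither
# group- nor world-writable.  Anyone who can write to lxcpath can alter or
# plant a container rootfs, so this is the minimum before storing
# containers there.  Ownership is deliberately not checked so the function
# can run unprivileged; on a real host also expect root:root.
check_lxcpath_dir() {
    dir="$1"
    if [ -L "$dir" ]; then
        echo "lxcpath $dir is a symlink" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "lxcpath $dir is not a directory" >&2; return 1
    fi
    # ls -ld prints e.g. "drwxr-x---": char 6 is group write, char 9 is other write.
    perms=$(ls -ld "$dir" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?)
            echo "lxcpath $dir is group- or world-writable ($perms)" >&2; return 1 ;;
    esac
    return 0
}

# Usage on the host from this page:
#   check_lxcpath_dir "$(lxcpath_from_conf /etc/lxc/lxc.conf)" && echo "lxcpath OK"
```

On a live host, lxc-config lxc.lxcpath prints the value liblxc actually resolved, which is the quickest way to confirm the setting landed in lxc.conf rather than default.conf.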
Troubleshooting
ImportError: No module named 'lxc'
I ran into a problem when trying to list my containers.
[root@nas ~]# lxc-ls
Traceback (most recent call last):
  File "/usr/bin/lxc-ls", line 31, in <module>
    import lxc
ImportError: No module named 'lxc'
I assumed this was a kernel module, which really messed me up. After a lot of wasted time I found out that this is a Python module[5].
At this point I searched for the package but could not find it.
[root@nas ~]# yum search python | grep python | grep lxc
python2-lxc.x86_64 : Python2 bindings for LXC
python34-lxc.x86_64 : Python binding for lxc
Looks like python34-lxc is what I need. So I check my installed packages:
[root@nas ~]# yum list installed | grep python | grep lxc
python34-lxc.x86_64
It is already installed. So let's try re-installing:
[root@nas ~]# yum reinstall python34-lxc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.usinternet.com
 * epel: mirror.rnet.missouri.edu
 * extras: centos2.zswap.net
 * nux-dextop: li.nux.ro
 * updates: mirror.atlanticmetro.net
Resolving Dependencies
--> Running transaction check
---> Package python34-lxc.x86_64 0:1.0.11-1.el7 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch        Version            Repository      Size
================================================================================
Reinstalling:
 python34-lxc      x86_64      1.0.11-1.el7       epel            25 k

Transaction Summary
================================================================================
Reinstall  1 Package

Total download size: 25 k
Installed size: 54 k
Is this ok [y/d/N]: y
Downloading packages:
python34-lxc-1.0.11-1.el7.x86_64.rpm                      |  25 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python34-lxc-1.0.11-1.el7.x86_64                             1/1
  Verifying  : python34-lxc-1.0.11-1.el7.x86_64                             1/1

Installed:
  python34-lxc.x86_64 0:1.0.11-1.el7

Complete!
Now let's try again:
[root@nas ~]# lxc-ls
[root@nas ~]#
I think we have success!
Unit lxc.service could not be found
When I was first installing LXC, my server ended up dying on me. After moving drives to a new system I found LXC to be corrupted. A re-install was needed.
[root@nas ~]# systemctl status lxc
Unit lxc.service could not be found.
[root@nas ~]# yum reinstall $(yum list installed | grep lxc | awk '{print $1}')
...
[root@nas ~]# systemctl status lxc
● lxc.service - LXC Container Initialization and Autoboot Code
   Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
SELinux
I am not entirely sure the best way to handle this. Though I am a huge supporter of using SELinux, I am no expert on implementation.
After creating a new container, I ran into the following errors:
sed: can't read /raid5/services/containers/test3/rootfs/etc/init/tty.conf: No such file or directory
Storing root password in '/raid5/services/containers/test3/tmp_root_pass'
chpasswd: cannot open /etc/passwd
Expiring password for user root.
passwd: Libuser error at line: 413 - Error replacing `/etc/passwd': Permission denied.
passwd: Error
sed: can't read /raid5/services/containers/test3/rootfs/etc/rc.sysinit: No such file or directory
sed: can't read /raid5/services/containers/test3/rootfs/etc/rc.d/rc.sysinit: No such file or directory
Because lxc copies the rootfs from cache, I think this messes up the context on the files. Digging through the audit.log, I found passwd having problems accessing the container files.
[root@nas ~]# : > /var/log/audit/audit.log
[root@nas ~]# lxc-create -n test3 -t centos
...
[root@nas ~]# grep passwd /var/log/audit/audit.log
type=AVC msg=audit(1537633138.649:5348): avc: denied { read write } for pid=18611 comm="chpasswd" path="/raid5/services/containers/test2/partial" dev="zfs" ino=176109 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
...
[root@nas ~]# chroot /raid5/services/containers/test3/rootfs passwd
Changing password for user root.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: Authentication token manipulation error
Since all of these alerts were generated during the creation of the container, I felt comfortable enough using audit2allow to allow access. Though looking at the output it may not have been a good idea. Time will tell :-P
[root@nas ~]# grep passwd /var/log/audit/audit.log | audit2allow

#============= passwd_t ==============
allow passwd_t default_t:chr_file read;

#!!!! WARNING: 'default_t' is a base type.
allow passwd_t default_t:dir read;

#!!!! WARNING: 'default_t' is a base type.
allow passwd_t default_t:file { read write };

#!!!! WARNING: 'etc_t' is a base type.
allow passwd_t etc_t:file { unlink write };
[root@nas ~]# restorecon -R /raid5/services/containers
[root@nas ~]# chroot /raid5/services/containers/test3/rootfs passwd
Changing password for user root.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
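As an added example (my own script, not from this page, the LXC project or the SELinux tools), a way to sort AVC denials by what the target type tells you before feeding anything to audit2allow. A denial whose tcontext type is default_t (or unlabeled_t) means the files simply carry no meaningful label, and the fix is to label them. That is also what the "base type" warnings in the audit2allow output above are about: the generated rules would let passwd_t read and write every default_t file on the host, not just the container rootfs. Note too that in the transcript above the audit2allow rules were only printed, never compiled or loaded with semodule; the command that directly precedes the working passwd is restorecon. The audit records embedded in the script are constructed samples: the first is the denial shown on this page, the second is made up to show a denial against a correctly labelled etc_t file, the third is a non-AVC record that must be ignored.

```shell
#!/bin/sh
# Added example, not from the original page: triage SELinux AVC denials by
# target type before reaching for audit2allow.  Function names are my own.

# Constructed sample input.  Line 1 is the denial shown on this page; line 2
# is made up to show a denial against a correctly labelled etc_t file; line 3
# is a SYSCALL record, not an AVC, and must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1537633138.649:5348): avc:  denied  { read write } for  pid=18611 comm="chpasswd" path="/raid5/services/containers/test2/partial" dev="zfs" ino=176109 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1537633200.100:5360): avc:  denied  { write } for  pid=18650 comm="passwd" path="/etc/passwd" dev="dm-0" ino=4242 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1537633138.649:5348): arch=c000003e syscall=2 success=no exit=-13 comm="chpasswd"'

# avc_field NAME LINE: print the value of NAME=... from one audit record,
# with surrounding double quotes removed (path="..." is quoted, tclass=file is not).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_triage: read audit records on stdin and print one line per AVC denial:
#   VERDICT SOURCE_TYPE TARGET_TYPE CLASS PATH
# VERDICT is LABELING when the target type is default_t or unlabeled_t
# (no policy rule claims those files: fix the labels with restorecon, and
# semanage fcontext if the path is not known to the policy) and POLICY
# otherwise (the files are labelled as intended and policy really forbids
# the access; only these are candidates for an audit2allow module).
avc_triage() {
    while IFS= read -r line; do
        case "$line" in
            *avc:*denied*) ;;
            *) continue ;;
        esac
        stype=$(avc_field scontext "$line" | cut -d: -f3)
        ttype=$(avc_field tcontext "$line" | cut -d: -f3)
        tclass=$(avc_field tclass "$line")
        path=$(avc_field path "$line")
        case "$ttype" in
            default_t|unlabeled_t) verdict=LABELING ;;
            *)                     verdict=POLICY ;;
        esac
        # "-" stands in for denials that carry no path= field (e.g. name= only).
        printf '%s %s %s %s %s\n' "$verdict" "$stype" "$ttype" "$tclass" "${path:--}"
    done
}

# Usage on the host from this page:
#   grep passwd /var/log/audit/audit.log | avc_triage
# or on the constructed sample:
#   printf '%s\n' "$SAMPLE_AVC" | avc_triage
```

For a container path outside /var/lib/lxc, the durable fix is a file-context equivalence so that restorecon labels it the way the policy already labels the default location: semanage fcontext -a -e /var/lib/lxc /raid5/services/containers, then restorecon -Rv /raid5/services/containers (matchpathcon /var/lib/lxc shows which label the policy assigns to the default path). Rerun the script on the audit log afterwards: the LABELING lines should be gone, and any remaining POLICY lines are the ones audit2allow is the right tool for, loaded as a module whose rules you have read one by one.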
References
1. http://www.tecmint.com/install-create-run-lxc-linux-containers-on-centos/
2. https://stgraber.org/2013/12/27/lxc-1-0-container-storage/
3. https://stackoverflow.com/questions/25286546/change-lxc-container-directory
4. https://github.com/lxc/lxc/issues/208
5. http://lxc-users.linuxcontainers.narkive.com/R1ziqqL4/lxc-ls-question