Linux Containers (LXC) in Ubuntu 15.04

Last month, I've been trying out LXC in Fedora 22 (F22) with some limitations and missing features. I tried but failed to get unprivileged container to work and there is no RPM packages for LXD. Although you can compile the code and create RPM yourself, but is not worth the time spend in doing so. Hence, is best to switch to the Ubuntu which has the latest LXC support since the one of the project leaders, St├ęphane Graber, is working for Canonical Ltd, the company that manage Ubuntu.

Installation is pretty much straightforward, just apt-getting it.
$ sudo apt-get install lxc

Checking the default LXC configuration. Compare to LXC in F22, the Cgroup memory controller was enabled by default and the kernel is still using 3.19 compare to 4.0.1.
$ lxc-checkconfig 
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.19.0-10-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

One of the issue encounterd for LXC in F22 is the installation did not create the default lxcbr0 bridge interface. Not so in Ubuntu.
$ cat /etc/lxc/default.conf | grep network.link
lxc.network.link = lxcbr0

Checking the activated bridge interface, lxcbr0.
$ brctl show
bridge name     bridge id               STP enabled     interfaces
lxcbr0          8000.000000000000       no

Instead of creating a new LXC container as root user, we can create unprivileged containers as normal or non-root user.
$ lxc-create -n test-ubuntu -t ubuntu
lxc_container: conf.c: chown_mapped_root: 3394 No mapping for container root
lxc_container: lxccontainer.c: do_bdev_create: 849 Error chowning /home/ang/.local/share/lxc/test-ubuntu/rootfs to container root
lxc_container: conf.c: suggest_default_idmap: 4534 You must either run as root, or define uid mappings
lxc_container: conf.c: suggest_default_idmap: 4535 To pass uid mappings to lxc-create, you could create
lxc_container: conf.c: suggest_default_idmap: 4536 ~/.config/lxc/default.conf:
lxc_container: conf.c: suggest_default_idmap: 4537 lxc.include = /etc/lxc/default.conf
lxc_container: conf.c: suggest_default_idmap: 4538 lxc.id_map = u 0 100000 65536
lxc_container: conf.c: suggest_default_idmap: 4539 lxc.id_map = g 0 100000 65536
lxc_container: lxccontainer.c: lxcapi_create: 1320 Error creating backing store type (none) for test-ubuntu
lxc_container: lxc_create.c: main: 274 Error creating container test-ubuntu

From the above error, we need to define the uid mappings for both user and group. Duplicate the LXC's default.conf to our own home directory and add in the mapping.
$ mkdir -p ~/.config/lxc
mkdir: created directory ‘/home/ang/.config/lxc’
$ cp /etc/lxc/default.conf ~/.config/lxc/
$ echo "lxc.id_map = u 0 100000 65536" >> ~/.config/lxc/default.conf
$ echo "lxc.id_map = g 0 100000 65536" >> ~/.config/lxc/default.conf
$ echo "$USER veth lxcbr0 2" | sudo tee -a /etc/lxc/lxc-usernet
ang veth lxcbr0 2

Checking back our own user's default.conf config file.
$ cat ~/.config/lxc/default.conf 
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

Try to create our unprivileged container again. As the error indicate below, unprivileged containers can only be created through the download template.
$ lxc-create -n test-ubuntu -t ubuntu
This template can't be used for unprivileged containers.
You may want to try the "download" template instead.
lxc_container: lxccontainer.c: create_run_template: 1108 container creation template for test-ubuntu failed
lxc_container: lxc_create.c: main: 274 Error creating container test-ubuntu

Re-run the command to create the container but using the download template. This will take a while.
$ lxc-create -t download -n test-ubuntu -- -d ubuntu -r trusty -a amd64
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an Ubuntu container (release=trusty, arch=amd64, variant=default)

To enable sshd, run: apt-get install openssh-server

For security reason, container images ship without user accounts
and without a root password.

Use lxc-attach or chroot directly into the rootfs to set a root password
or create user accounts.

Start the container in daemon or background mode. It seems we have error here.
$ lxc-start -n test-ubuntu -d
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 346 To get more details, run the container in foreground mode.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

Restart the container again in foreground mode.
$ lxc-start -n test-ubuntu -F
lxc-start: start.c: print_top_failing_dir: 102 Permission denied - could not access /home/ang.  Please grant it 'x' access, or add an ACL for the container root.
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1164 failed to spawn 'test-ubuntu'
lxc-start: lxc_start.c: main: 344 The container failed to start.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

To fix this, we need to grant access to our $HOME directory.
$ sudo chmod +x $HOME

Let's us try again.
$ lxc-start -n test-ubuntu -d
$ lxc-attach -n test-ubuntu

Compare to Fedora 22, LXC in Ubuntu 15.04 is easier to setup although we still need to reconfigure it to enable unprivileged container creation. In short, if you want good LXC support, use Ubuntu 15.04.

No comments:

Post a Comment