ShopingServer Wiki (http://wiki.shopingserver.com): Tutorials and Articles About Technology and Gadgets

Linux exit from lxc-console keyboard shortcut

ShopingServer Wiki, Fri, 05 Jan 2018 15:14:24 +0000, http://wiki.shopingserver.com/linux-exit-lxc-console-keyboard-shortcut/

I'm using Debian Linux server with Linux Containers (lxc). How do I disconnect and exit from an lxc-console to a shell prompt without closing ssh session?

 

You need to use the lxc-console command to log in to a running Linux container. The syntax is as follows:

lxc-console -n container-name

lxc-console -n webserver

lxc-console -n pgsql

To exit an lxc-console from a shell prompt:

Open a shell prompt.

Login to a host server called server1.

Use the lxc-console command to log in to a running container called 'memcache'. Type: lxc-console -n memcache

To exit an lxc-console session, type Ctrl-A followed by Q.

Here is a sample session:

Gif.01: How to disconnect from lxc-console demo

 

 

How to update Debian or Ubuntu Linux containers (lxc) VM

ShopingServer Wiki, Fri, 05 Jan 2018 15:02:40 +0000, http://wiki.shopingserver.com/update-debian-ubuntu-linux-containers-lxc-vm/

I'm using LXC (Linux Containers), a virtualization system running on an Ubuntu LTS. How can I update all my Ubuntu or Debian Linux based guest container VMs from the host operating system?

 

Containers are not a new technology. A large number of Unix-like systems already have powerful container-based virtualization solutions such as FreeBSD jails, OpenVZ, Solaris Zones and more. LXC is a very fast and efficient form of virtualization. The OS kernel (host) gives different views of the system to different running processes. This is also known as sandboxing or compartmentalization of CPU and other resources. It is useful for increasing server and application security and efficiency.

Fig. 01: Sample Linux Containers

Security 101: Keep Linux kernel and software up to date

Applying security patches is an important part of maintaining a Linux server. Linux provides all the necessary tools to keep your system updated, and also allows for easy upgrades between versions. Use the yum command on RPM-based distros or the apt-get command on Debian/Ubuntu to apply all security updates:

[www-container]# yum update

 

OR

[www-container]# apt-get update && apt-get upgrade

List the containers existing on the system

Type the following command on host:

# lxc-ls -1

# lxc-ls

 

Sample outputs:

dnsvm     wwwvm    mysqlvm        memcache

Applying update from host to Linux containers using lxc-attach command

The syntax is as follows for Debian/Ubuntu based LXC guest vm:

[hostOS]# lxc-attach -n VM-NAME-HERE -- apt-get update

[hostOS]# lxc-attach -n VM-NAME-HERE -- apt-get -y upgrade

To run the commands on mysqlvm, type:

[hostOS]# lxc-attach -n mysqlvm -- apt-get update

[hostOS]# lxc-attach -n mysqlvm -- apt-get -y upgrade

The syntax is as follows for CentOS/RHEL/Fedora Linux based LXC guest vm:

[hostOS]# lxc-attach -n VM-NAME-HERE -- yum update -y

To run the command on the wwwvm vm, run:

[hostOS]# lxc-attach -n wwwvm -- yum update -y

A sample shell script to update all Debian/Ubuntu LXC vms

#!/bin/bash
# Purpose: Update all lxc vms
# Note: Tested on Ubuntu LTS only
# Author: Vivek Gite <www.cyberciti.biz>, under GPL v2+
# -------------------------------------------------------

# Get the list of running vms
vms="$(lxc-ls --active)"

# Update each vm
update_vm(){
    local vm="$1"
    echo "*** [VM: $vm [$(hostname) @ $(date)] ] ***"
    /usr/bin/lxc-attach -n "$vm" -- apt-get -qq update
    /usr/bin/lxc-attach -n "$vm" -- apt-get -qq -y upgrade
    /usr/bin/lxc-attach -n "$vm" -- apt-get -qq -y clean
    /usr/bin/lxc-attach -n "$vm" -- apt-get -qq -y autoclean
    # Note: for RHEL/CentOS/Fedora Linux, comment out the apt-get lines above and uncomment the following line
    # /usr/bin/lxc-attach -n "$vm" -- yum -y update
    echo "-----------------------------------------------------------------"
}

# Do it
for v in $vms
do
    update_vm "$v"
done

Run it as follows:

# ~/bin/lxc-update-vm.sh

 

Sample outputs:

*** [VM: wwwvm [server1 @ Wed Jul 22 12:31:12 CDT 2015] ] ***

(Reading database … 20514 files and directories currently installed.)

Preparing to unpack …/mysql-common_5.5.44-0ubuntu0.14.04.1_all.deb …

Unpacking mysql-common (5.5.44-0ubuntu0.14.04.1) over (5.5.43-0ubuntu0.14.04.1) …

Preparing to unpack …/libmysqlclient18_5.5.44-0ubuntu0.14.04.1_amd64.deb …

Unpacking libmysqlclient18:amd64 (5.5.44-0ubuntu0.14.04.1) over (5.5.43-0ubuntu0.14.04.1) …

Preparing to unpack …/linux-libc-dev_3.13.0-58.97_amd64.deb …

Unpacking linux-libc-dev:amd64 (3.13.0-58.97) over (3.13.0-57.95) …

Preparing to unpack …/mysql-client_5.5.44-0ubuntu0.14.04.1_all.deb …

Unpacking mysql-client (5.5.44-0ubuntu0.14.04.1) over (5.5.43-0ubuntu0.14.04.1) …

Preparing to unpack …/mysql-client-5.5_5.5.44-0ubuntu0.14.04.1_amd64.deb …

Unpacking mysql-client-5.5 (5.5.44-0ubuntu0.14.04.1) over (5.5.43-0ubuntu0.14.04.1) …

Preparing to unpack …/mysql-client-core-5.5_5.5.44-0ubuntu0.14.04.1_amd64.deb …

Unpacking mysql-client-core-5.5 (5.5.44-0ubuntu0.14.04.1) over (5.5.43-0ubuntu0.14.04.1) …

Setting up mysql-common (5.5.44-0ubuntu0.14.04.1) …

Setting up libmysqlclient18:amd64 (5.5.44-0ubuntu0.14.04.1) …

Setting up linux-libc-dev:amd64 (3.13.0-58.97) …

Setting up mysql-client-core-5.5 (5.5.44-0ubuntu0.14.04.1) …

Setting up mysql-client-5.5 (5.5.44-0ubuntu0.14.04.1) …

Setting up mysql-client (5.5.44-0ubuntu0.14.04.1) …

Processing triggers for libc-bin (2.19-0ubuntu6.6) …


*** [VM: memcachevm [server1 @ Wed Jul 22 12:31:23 CDT 2015] ] ***


*** [VM: nixcraftvm [server1 @ Wed Jul 22 12:31:28 CDT 2015] ] ***


*** [VM: dbvm [server1 @ Wed Jul 22 12:31:34 CDT 2015] ] ***

(Reading database … 15085 files and directories currently installed.)

Preparing to unpack …/mysql-common_5.5.44-0ubuntu0.14.04.1_all.deb …

Unpacking mysql-common (5.5.44-0ubuntu0.14.04.1) over (5.5.43-0ubuntu0.14.04.1) …

Preparing to unpack …/libmysqlclient18_5.5.44-0ubuntu0.14.04.1_amd64.deb …

Unpacking libmysqlclient18:amd64 (5.5.44-0ubuntu0.14.04.1) over (5.5.43-0ubuntu0.14.04.1) …

Setting up mysql-common (5.5.44-0ubuntu0.14.04.1) …

Setting up libmysqlclient18:amd64 (5.5.44-0ubuntu0.14.04.1) …

Processing triggers for libc-bin (2.19-0ubuntu6.6) …


*** [VM: testingvm [server1 @ Wed Jul 22 12:31:44 CDT 2015] ] ***
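The script above does not check exit codes, so a failed update does not change the script's result. The variant below is an added example, not the original author's script: it detects apt-get or yum per container, logs the tool output, and returns the number of containers that failed. LXC_LS, LXC_ATTACH and the function names are assumptions introduced for illustration.

```shell
#!/bin/bash
# Added example, not the tutorial author's script. LXC_LS and LXC_ATTACH are
# hypothetical override points so the logic can be exercised without LXC.
LXC_LS=${LXC_LS:-lxc-ls}
LXC_ATTACH=${LXC_ATTACH:-lxc-attach}

# Echo "apt", "yum" or "unknown" for container $1.
pkg_manager() {
    if "$LXC_ATTACH" -n "$1" -- sh -c 'command -v apt-get' >/dev/null 2>&1; then
        echo apt
    elif "$LXC_ATTACH" -n "$1" -- sh -c 'command -v yum' >/dev/null 2>&1; then
        echo yum
    else
        echo unknown
    fi
}

# Patch container $1; returns the status of the first failing step
# (2 when no supported package manager is found).
patch_vm() {
    case $(pkg_manager "$1") in
        apt)
            "$LXC_ATTACH" -n "$1" -- apt-get -qq update &&
            "$LXC_ATTACH" -n "$1" -- env DEBIAN_FRONTEND=noninteractive \
                apt-get -qq -y upgrade ;;
        yum)
            "$LXC_ATTACH" -n "$1" -- yum -y update ;;
        *)
            return 2 ;;
    esac
}

# Patch every active container, appending tool output to log file $1.
# Prints "OK name" or "FAILED name rc=N"; returns the number of failures.
patch_all() {
    local log="$1" vm rc failed=0
    for vm in $("$LXC_LS" --active); do
        echo "*** [VM: $vm [$(uname -n) @ $(date)] ] ***" >>"$log"
        if patch_vm "$vm" >>"$log" 2>&1; then
            echo "OK $vm"
        else
            rc=$?
            echo "FAILED $vm rc=$rc"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run only when asked to, e.g.: lxc-patch.sh --run /var/log/lxc-patch.log
if [ "${1:-}" = "--run" ]; then
    patch_all "${2:?log file required}"
fi
```

A non-zero exit status from patch_all is the signal to alert on when the script runs from cron.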


 

 

How to find out information about a LXC (Linux container) CPU & Memory Usage

ShopingServer Wiki, Fri, 05 Jan 2018 14:39:57 +0000, http://wiki.shopingserver.com/find-information-lxc-linux-container-cpu-memory-usage/

How can I find out information about a Linux container (LXC) such as CPU usage and memory usage from the command prompt? Is there a top-like tool for lxc to monitor memory and CPU usage?

 

You need to use the lxc-info command to display the following information about a LXC:

CPU usage in seconds.

Block I/O usage.

Memory usage.

Kmem (kernel memory) usage.

Networking TX/RX usage.

lxc-info syntax and example

The syntax is:

lxc-info -n {container-name-here}

lxc-info [options] -n {container-name-here}

To display information for cyberciti container, enter:

# lxc-info -n cyberciti

 

Fig.01: lxc-info in action

To show information for all containers whose name starts with nixcraft, run:

# lxc-info -n 'nixcraft.*'

Just print the container’s state

# lxc-info -s -n lxcdb

Just print the container’s pid

# lxc-info -p -n lxmemcache

Just print the container’s IP addresses

# lxc-info -i -n lxnginx

Say hello to lxc-top

You can use the lxc-top command to monitor container statistics. The output is updated every 3 seconds and is ordered according to the sortby value given by the user. The syntax is:

lxc-top

lxc-top [options]

Set the delay in seconds between screen updates:

# lxc-top --delay 5

You can sort the containers by name, CPU use, block I/O, memory, or kernel memory use. The sortby argument should be one of the letters n, c, b, m, k to sort by name, CPU use, block I/O, memory, or kernel memory use respectively. The default is 'n'.

# lxc-top --sort {sortby}

[ CPU usage ]

# lxc-top --sort c

[ memory usage ]

# lxc-top --sort m

htop cgroup option

First, install htop on a Linux operating system using the yum or apt-get:

$ sudo apt-get install htop

 

OR

$ sudo yum install htop

 

Start the htop, enter:

# htop

 

Press the F2 key to enter setup mode. Choose SETUP > Columns > choose CGROUP from Available Columns > press F10 to save the changes:

Fig.02: Display htop cgroups columns on a Linux

 

You should see output as follows:

Fig.03: htop in action

 

 

How to create unprivileged LXC container on Ubuntu Linux 14.04 LTS

ShopingServer Wiki, Fri, 05 Jan 2018 12:07:27 +0000, http://wiki.shopingserver.com/create-unprivileged-lxc-container-ubuntu-linux-14-04-lts-2/

How do I install, create and manage unprivileged LXC containers on Ubuntu Linux version 14.04 LTS server?

 

LXC is an acronym for Linux Containers. It is nothing but an operating system-level virtualization technology for running multiple isolated Linux distros (systems containers) on a single Linux host. In this tutorial you will learn how to install and manage LXC containers on Ubuntu Linux server.

Say hello to LXC

Fig.01: Linux containers

 

LXC is often described as a lightweight virtualization technology. You can think of LXC as a chrooted jail on steroids. There is no guest operating system involved. You can only run Linux distros with LXC. You cannot run Windows or BSD or any other operating system with LXC. You can run CentOS or Gentoo or any other Linux distro using LXC.

Traditional virtualization such as KVM/XEN/VMWARE and paravirtualization need a full operating system image for each instance. You can run any operating system using traditional virtualization.

Install the lxc on Ubuntu

Type the following apt-get command to install lxc:

$ sudo apt-get install lxc

 

Sample outputs:

Fig.02: Installing LXC on Ubuntu

LXC and networking

LXC creates a NATed bridge called lxcbr0 for you. Each container will have one veth NIC and all traffic is routed through the lxcbr0 bridge. To view current settings, enter:

$ sudo brctl show

 

Sample outputs:

bridge name     bridge id               STP enabled     interfaces
lxcbr0          8000.fe09977d9e4f       no              vethH1OXMH

To see an IP address assigned to the lxcbr0, enter:

$ sudo ifconfig lxcbr0

 

Sample outputs:

lxcbr0    Link encap:Ethernet  HWaddr fe:09:97:7d:9e:4f

inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0

inet6 addr: fe80::4820:9fff:fe01:4d52/64 Scope:Link

UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

RX packets:40 errors:0 dropped:0 overruns:0 frame:0

TX packets:42 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:3553 (3.5 KB)  TX bytes:4383 (4.3 KB)

To see DHCP range used by containers, enter:

$ ps aux | grep lxc-dns | grep -o 'dhcp-range.[0-9].*'

 

Sample outputs:

dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases

To check the current kernel for lxc support, enter:

$ lxc-checkconfig

 

Sample outputs:

Kernel configuration not found at /proc/config.gz; searching…

Kernel configuration found at /boot/config-3.13.0-76-generic

--- Namespaces ---

Namespaces: enabled

Utsname namespace: enabled

Ipc namespace: enabled

Pid namespace: enabled

User namespace: enabled

Network namespace: enabled

Multiple /dev/pts instances: enabled

 

--- Control groups ---

Cgroup: enabled

Cgroup clone_children flag: enabled

Cgroup device: enabled

Cgroup sched: enabled

Cgroup cpu account: enabled

Cgroup memory controller: enabled

Cgroup cpuset: enabled

 

--- Misc ---

Veth pair device: enabled

Macvlan: enabled

Vlan: enabled

Bridges: enabled

Advanced netfilter: enabled

CONFIG_NF_NAT_IPV4: enabled

CONFIG_NF_NAT_IPV6: enabled

CONFIG_IP_NF_TARGET_MASQUERADE: enabled

CONFIG_IP6_NF_TARGET_MASQUERADE: enabled

CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled

 

--- Checkpoint/Restore ---

checkpoint restore: enabled

CONFIG_FHANDLE: enabled

CONFIG_EVENTFD: enabled

CONFIG_EPOLL: enabled

CONFIG_UNIX_DIAG: enabled

CONFIG_INET_DIAG: enabled

CONFIG_PACKET_DIAG: enabled

CONFIG_NETLINK_DIAG: enabled

File capabilities: enabled

 

Note : Before booting a new kernel, you can check its configuration

usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Creating unprivileged container

Unprivileged containers run the same way as privileged ones, simply without using sudo or root access. This is more secure: root inside the container is mapped to an unprivileged id range on the host, so you are not root on the host even if you manage to escape the container. The steps are as follows:

Create a new user for lxc.

Set password for lxc.

Find out allocated subuids and subgids for the lxc user.

Create a default container configuration file for lxc user

Create a new container.

Start a new container.

Deploy apps in newly created unprivileged container.

Step – 1: Create a new user for lxc

Type the following command to add a user called mylxcusr:

$ sudo useradd -s /bin/bash -c 'unprivileged lxc user' -m mylxcusr

Step – 2: Set password for lxc

Set the password for mylxcusr:

$ sudo passwd mylxcusr

Step -3: Find out allocated subuids and subgids for the lxc user

Type the following command

$ sudo grep mylxcusr /etc/sub{gid,uid}

 

Sample outputs:

/etc/subgid:mylxcusr:100000:65536

/etc/subuid:mylxcusr:100000:65536

Note down the values.

Step – 4:Create a default container configuration file for lxc user

Make sure the user “mylxcusr” is allowed up to 10 veth type devices to be created and added to the bridge called lxcbr0. In other words networking will only work if you add the following lines:

$ sudo vi /etc/lxc/lxc-usernet

 

Append the following line:

mylxcusr veth lxcbr0 10

Save and close the file. Now switch to new user using su or just login using the ssh client:

$ su - mylxcusr

 

OR

$ ssh mylxcusr@server1.cyberciti.biz

$ ssh mylxcusr@74.86.144.194

$ id

 

Sample outputs:

uid=1002(mylxcusr) gid=1002(mylxcusr) groups=1002(mylxcusr)

Once logged in to the remote machine, type the following command to create the ~/.config/lxc/ directory:

$ mkdir -p ~/.config/lxc

 

Finally, create ~/.config/lxc/default.conf file as follows:

$ cp /etc/lxc/default.conf ~/.config/lxc/default.conf

 

Edit the file, enter:

$ vi ~/.config/lxc/default.conf

 

Append the configuration as follows (use mapped user and group id ranges 100000:65536 from step #3):

lxc.id_map = u 0 100000 65536

lxc.id_map = g 0 100000 65536
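These two lines have to stay inside the ranges found in step 3, and the user needs a veth quota in /etc/lxc/lxc-usernet. The following check is an added example, not part of the original tutorial: it compares the lxc.id_map lines of a config file with the user's subuid, subgid and lxc-usernet entries. The function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/bash
# Added example: cross-check an unprivileged LXC 1.x setup. Function names
# are hypothetical; every file is passed as an argument so copies can be used.

# Print "START COUNT" for the first range of user $1 in subuid/subgid file $2.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1; exit }
                       END { exit !found }' "$2"
}

# Print one finding per line. Arguments: user conf subuid subgid usernet
audit_findings() {
    local user="$1" conf="$2" subuid="$3" subgid="$4" usernet="$5"
    local kind file range
    for kind in u g; do
        if [ "$kind" = u ]; then file="$subuid"; else file="$subgid"; fi
        if ! range=$(subid_range "$user" "$file"); then
            echo "NO-RANGE $kind: $user has no entry in $file"
            continue
        fi
        # Each "lxc.id_map = <kind> <ct-start> <host-start> <count>" line must
        # keep its host ids inside the range allocated to the user.
        awk -v k="$kind" -v s="${range% *}" -v c="${range#* }" '
            { sub(/[ \t]*=[ \t]*/, " = ") }
            $1 == "lxc.id_map" && $3 == k {
                seen = 1
                lo = $5 + 0; hi = lo + $6 - 1
                if (lo < s + 0 || hi > s + c - 1)
                    print "OUT-OF-RANGE " k ": host ids " lo "-" hi " are outside " s "-" (s + c - 1)
            }
            END { if (!seen) print "NO-MAP " k ": no lxc.id_map line for this id type" }
        ' "$conf"
    done
    # /etc/lxc/lxc-usernet format: USER TYPE BRIDGE COUNT
    awk -v u="$user" '$1 == u && $2 == "veth" && $4 > 0 { ok = 1 }
                      END { exit !ok }' "$usernet" ||
        echo "NO-VETH: $user has no veth quota in $usernet"
}

# Print the findings and return 0 only when there are none.
check_unpriv_conf() {
    local findings
    findings=$(audit_findings "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Write constructed sample files (values taken from this tutorial) into dir $1.
make_sample() {
    printf 'mylxcusr:100000:65536\n' > "$1/subuid"
    printf 'mylxcusr:100000:65536\n' > "$1/subgid"
    printf 'mylxcusr veth lxcbr0 10\n' > "$1/usernet"
    printf '%s\n' 'lxc.network.type = veth' \
        'lxc.id_map = u 0 100000 65536' \
        'lxc.id_map = g 0 100000 65536' > "$1/good.conf"
    # Constructed mistake: uid map points at host ids 0-65535, gid map missing.
    printf 'lxc.id_map = u 0 0 65536\n' > "$1/bad.conf"
}

# Demo on the constructed files, not on real system files.
d=$(mktemp -d)
make_sample "$d"
check_unpriv_conf mylxcusr "$d/good.conf" "$d/subuid" "$d/subgid" "$d/usernet" &&
    echo "good.conf: no findings"
check_unpriv_conf mylxcusr "$d/bad.conf" "$d/subuid" "$d/subgid" "$d/usernet" ||
    echo "bad.conf: rejected"
rm -rf "$d"
```

On a real host the call would be check_unpriv_conf mylxcusr ~/.config/lxc/default.conf /etc/subuid /etc/subgid /etc/lxc/lxc-usernet.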

Step – 5:Create a new container

Let us create a new Ubuntu container called httpd, enter:

$ lxc-create -t download -n httpd -- -d ubuntu -r trusty -a amd64

 

Sample outputs:

Fig.03: Create an Ubuntu container

 

That’s all it takes to create an Ubuntu container called httpd.

Step – 6:Start a new container

To start httpd container type:

$ lxc-start -n httpd -d

$ echo $?

$ lxc-ls --fancy

NAME      STATE    IPV4       IPV6  AUTOSTART

httpd     RUNNING  10.0.3.61  -     NO

To start a process inside a running container or just to login, enter:

$ lxc-attach -n httpd

 

Sample session inside a httpd container:

root@httpd:/# id

uid=0(root) gid=0(root) groups=0(root)

root@httpd:/# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:16:3e:ea:ce:fa

inet addr:10.0.3.61  Bcast:10.0.3.255  Mask:255.255.255.0

inet6 addr: fe80::216:3eff:feea:cefa/64 Scope:Link

UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

RX packets:37 errors:0 dropped:0 overruns:0 frame:0

TX packets:35 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:3502 (3.5 KB)  TX bytes:3362 (3.3 KB)

lo        Link encap:Local Loopback

inet addr:127.0.0.1  Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING  MTU:65536  Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@httpd:/# lsb_release -a

No LSB modules are available.

Distributor ID: Ubuntu

Description: Ubuntu 14.04.3 LTS

Release: 14.04

Codename: trusty

For security reasons, container images ship without user accounts and without a root password. Set up a root password for the httpd container:

# passwd root

 

To enable sshd for httpd container, run:

# apt-get install openssh-server

 

You can log in from the host to the container using ssh and the container's IP address (10.0.3.61 in the session above):

$ ssh user@10.0.3.61

Step – 7:Deploy apps in newly created unprivileged container

You can now install nginx, php or any other application. Just attach to container and run commands or apps as per your need.

Important management commands

Here is a quick overview of useful commands:

How do I start a container?

$ lxc-start -n {container-name-here} -d

$ lxc-start -n mysql -d

How do I stop a container?

$ lxc-stop -n {container-name-here}

$ lxc-stop -n mysql

How do I destroy (delete) a container?

$ lxc-destroy -n {container-name-here}

$ lxc-destroy -n mysql

How do I list all containers?

$ lxc-ls

$ lxc-ls --fancy

How do I update or patch my container?

Use the lxc-attach command to update your container that is powered by Ubuntu or Debian (use yum for an RPM-based container):

$ lxc-attach -n mysql -- apt-get -qq update

$ lxc-attach -n mysql -- apt-get -qq upgrade

$ lxc-attach -n nginx -- yum -y update

How do I force DHCP to provide a persistent IP address to my container?

As a root on host run the following command:

$ sudo vi /etc/lxc/dnsmasq.conf

 

To give containers on lxcbr0 a persistent ip address based on domain name, you can add entries as follows:

dhcp-host=httpd,10.0.3.20

dhcp-host=mysql,10.0.3.21

dhcp-host=nginx,10.0.3.23

dhcp-host=php7,10.0.3.24

Save and close the file.

How do I create CentOS/Gentoo/Fedora or any other flavour of LXC?

$ lxc-create -t download -n {container-name-here} -- -d {DISTRONAME} -r {RELEASE} -a {ARCH}

$ lxc-create -t download -n bar -- -d centos -r 6 -a amd64

$ lxc-create -t download -n foo -- -d gentoo -r current -a amd64

$ lxc-create -t download -n db -- -d ubuntu -r precise -a i386

$ lxc-create -t download -n nginx -- -d debian -r jessie -a amd64

$ lxc-create -t download -n mysql -- -d fedora -r 22 -a amd64

$ lxc-create -t download -n mariadb -- -d oracle -r 6.5 -a amd64

$ lxc-create -t download -n caching -- -d plamo -r 5.x -a amd64

 

The list of lxc flavour:


DIST RELEASE ARCH VARIANT BUILD


centos 6 amd64 default 20160203_02:16

centos 6 i386 default 20160203_02:16

centos 7 amd64 default 20160203_02:16

debian jessie amd64 default 20160202_22:42

debian jessie armel default 20160111_22:42

debian jessie armhf default 20160111_22:42

debian jessie i386 default 20160202_22:42

debian sid amd64 default 20160202_22:42

debian sid armel default 20160111_22:42

debian sid armhf default 20160111_22:42

debian sid i386 default 20160202_22:42

debian squeeze amd64 default 20160202_22:42

debian squeeze armel default 20150826_22:42

debian squeeze i386 default 20160202_22:42

debian wheezy amd64 default 20160202_22:42

debian wheezy armel default 20160111_22:42

debian wheezy armhf default 20160111_22:42

debian wheezy i386 default 20160202_22:42

fedora 21 amd64 default 20160203_01:27

fedora 21 armhf default 20160112_01:27

fedora 21 i386 default 20160203_01:27

fedora 22 amd64 default 20160203_01:27

fedora 22 armhf default 20160112_01:27

fedora 22 i386 default 20160203_01:27

gentoo current amd64 default 20160203_14:12

gentoo current armhf default 20160111_14:12

gentoo current i386 default 20160203_14:12

oracle 6.5 amd64 default 20160203_11:40

oracle 6.5 i386 default 20160203_11:40

plamo 5.x amd64 default 20160202_21:36

plamo 5.x i386 default 20160202_21:36

ubuntu precise amd64 default 20160203_03:49

ubuntu precise armel default 20160112_03:49

ubuntu precise armhf default 20160203_03:49

ubuntu precise i386 default 20160203_03:49

ubuntu trusty amd64 default 20160203_03:49

ubuntu trusty arm64 default 20150604_03:49

ubuntu trusty armhf default 20160203_03:49

ubuntu trusty i386 default 20160203_03:49

ubuntu trusty ppc64el default 20160201_03:49

ubuntu vivid amd64 default 20160203_03:49

ubuntu vivid arm64 default 20150604_03:49

ubuntu vivid armhf default 20160203_03:49

ubuntu vivid i386 default 20160203_03:49

ubuntu vivid ppc64el default 20160201_03:49

ubuntu wily amd64 default 20160203_03:49

ubuntu wily arm64 default 20150604_03:49

ubuntu wily armhf default 20160203_03:49

ubuntu wily i386 default 20160203_03:49

ubuntu wily ppc64el default 20160201_03:49

ubuntu xenial amd64 default 20160203_03:49

ubuntu xenial armhf default 20160203_03:49

ubuntu xenial i386 default 20160203_03:49


Conclusion

And, there you have it, a container running on Ubuntu Linux 14.04 LTS in unprivileged mode. I suggest you visit the official project home page and Ubuntu lxc wiki page for more information.

 

 


 

 

Linux: lxc forcefully stop and kill container

http://wiki.shopingserver.com/linux-lxc-forcefully-stop-kill-container/

Thu, 04 Jan 2018 08:38:24 +0000

I want to stop the application running inside a container. I issued lxc-stop -n myapp but the command is not returning to the shell prompt, and my lxc container entered a hung state. How do I kill my container running on an Ubuntu Linux host?

 

Use the lxc-stop command to reboot, cleanly shut down, or kill all the processes inside a Linux container (LXC). By default, it requests a clean shutdown of the container by sending lxc.haltsignal (defaults to SIGPWR) to the container's init process, waits up to 60 seconds for the container to exit, and then returns. If the container fails to exit cleanly within 60 seconds, it is sent lxc.stopsignal (defaults to SIGKILL) to force it to shut down.

Reboot the container

The syntax is:

lxc-stop -n containerNameHere -r

 

To reboot the container called myhttpd, enter:

lxc-stop -n myhttpd -r

Shut down and kill the container (hard kill)

The syntax is:

lxc-stop -n containerNameHere -k

 

OR

lxc-stop -n containerNameHere --kill

 

To forcefully kill and shut down the container called myhttpd, enter:

lxc-stop -n myhttpd -k

 

To wait TIMEOUT (say 180) seconds before hard-stopping the container, enter:

lxc-stop -n myhttpd -k -t 180

 

OR

lxc-stop -n myhttpd -k --timeout 180

Clean shutdown (recommended)

The following syntax only requests a clean shutdown; it does not kill the container tasks if the clean shutdown fails:

lxc-stop -n containerNameHere --nokill

lxc-stop -n myhttpd --nokill

A note about timeouts

To avoid waiting up to 60 seconds and simply perform the requested action (reboot, shutdown, or hard kill) and exit, pass the -W option:

## hard kill ##

lxc-stop -W -n containerNameHere -k

## reboot ##

lxc-stop -W -n containerNameHere -r

How do I view the container state?

To list only running containers, enter:

lxc-ls --fancy --running

To list only stopped containers, enter:

lxc-ls --fancy --stopped

 

To list both stopped and running containers on the system, enter:

lxc-ls --fancy

 

Sample outputs:

NAME         STATE    IPV4       IPV6  AUTOSTART
debian8      STOPPED  -          -     NO
wwwapp1      RUNNING  10.0.3.14  -     YES
dnsapp1      RUNNING  10.0.3.16  -     YES
staticf1     RUNNING  10.0.3.17  -     YES
mysqlapp     RUNNING  10.0.3.19  -     YES

 

 

How to run commands on Linux Container (LXD) instance at provision launch time

http://wiki.shopingserver.com/run-commands-linux-container-lxd-instance-provision-launch-time/

Thu, 04 Jan 2018 07:23:15 +0000

I would like to perform common automated configuration tasks and run commands/scripts after the LXD instance starts. How to use cloud-init to run commands on my Linux Container (LXD) instance at launch time?

 

LXD can use the cloud-init directive to run commands or scripts at the first boot cycle when you launch an instance using the lxc command.

What is a cloud-init?

cloud-init handles early initialization of a cloud instance, including LXD and Linux containers. By default, cloud-init is installed in the Ubuntu, CentOS and all other major cloud images.

Sample cloud-init file for lxc/lxd

With cloud-init you can configure:

Hostname

Update system

Install additional packages

Generate ssh private keys

Install ssh keys to a users .ssh/authorized_keys so they can log in without a password

Configure static IP or networking

Include users/groups

Creating files

Install and run chef recipes

Setup and run puppet

Add apt or yum repositories

Run commands on first boot

Disk setup

Configure RHN subscription and more.

Let us get started with an example.

Step 1: Create lxc container

Type the following command to create a Ubuntu LXC container called foo (but do not run the lxc container yet):

$ lxc init ubuntu: foo

 

One can create a CentOS 7 based Linux container too:

$ lxc init images:centos/7/amd64 bar

 

You can apply certain profile too:

$ lxc init images:ubuntu/xenial/amd64 C2 -p staticlanwan

Step 2: Create yml cloud-init config file

In this example, I'm going to set up my lxc hostname, update my system, and install ssh keys to a user's .ssh/authorized_keys so they can log in without a password:

$ vi config.yml

 

First line must be #cloud-config:

#cloud-config

 

Next, I want to run ‘apt-get upgrade’ on first boot to download and install all security updates for my Linux container, so append:

# Apply updates using apt

package_upgrade: true

 

Setup hostname and domain name and update /etc/hosts file:

# Set hostname

hostname: foo

fqdn: foo.nixcraft.com

manage_etc_hosts: true

 

Run the following commands on first boot. In this case, update sshd to listen only on private IP and reload sshd, append:

#Run command on first boot only
bootcmd:
  - [sh, -c, "echo 'ListenAddress 192.168.1.100' >> /etc/ssh/sshd_config"]
  - systemctl reload ssh

You can install php7 and nginx packages as follows, append:

# Install packages

packages:
  - nginx
  - php-common
  - php7.0
  - php7.0-cli
  - php7.0-common
  - php7.0-fpm
  - php7.0-gd
  - php7.0-mysql
  - php7.0-opcache
  - php-pear

Finally, install an ssh key for the vivek login and add vivek to the sudo file too, append:

# User setup
users:
  - name: vivek
    ssh-authorized-keys:
      - ***insert-your-key-here****
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    groups: sudo
    shell: /bin/bash

Save and close the file.

Step 3: Pass cloud-init directives to an instance with user data

You need to set a user.user-data variable as follows for foo Linux container:

$ lxc config set foo user.user-data - < config.yml

 

To view your lxc config for foo container, run:

$ lxc config show foo

 

Sample outputs:

name: foo
profiles:
- default
config:
  user.user-data: "#cloud-config\npackage_upgrade: true\n\n#Set hostname\nhostname:
    foo\nfqdn: foo.nixcraft.com\nmanage_etc_hosts: true\n\n#Run command on first boot
    only\nbootcmd:\n - [sh, -c, \"echo 'ListenAddress 192.168.1.100' >> /etc/ssh/sshd_config\"]\n
    - systemctl reload ssh\n \n# Install packages\npackages:\n - nginx\n - php-common\n
    - php7.0\n - php7.0-fpm\n - php7.0-gd\n - php7.0-mysql\n\n# User setup\nusers:\n
    - name: vivek\n   ssh-authorized-keys:\n     - ***insert-your-key-here****\n   sudo:
    ['ALL=(ALL) NOPASSWD:ALL']\n   groups: sudo\n   shell: /bin/bash\n\n"
  volatile.apply_template: create
  volatile.base_image: 315bedd32580c3fb79fd2003746245b9fe6a8863fc9dd990c3a2dc90f4930039
  volatile.eth0.hwaddr: 00:16:3e:3d:d9:47
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
devices:
  root:
    path: /
    type: disk
ephemeral: false

Step 4: Start your container

Type the following command:

$ lxc start foo

Wait 2-5 minutes for all of the above tasks to run.

Step 5: Verify it

To login to foo LXC, enter:

$ lxc exec foo bash

 

Verify that sshd is bound to the private IP:

$ netstat -tulpn

 

Verify that packages are installed and system updated:

$ sudo tail -f /var/log/apt/history.log

A note about LXD not working with cloud-init

Please note that cloud-init in LXD triggers after the network is up. In other words, if the network is defined as DHCP or static but fails to get an IP address, cloud-init may hang, and it will fail without much warning. Run the following command prior to the first container startup described in step #4:

$ lxc config set foo user.network_mode link-local

$ lxc start foo

Log files for LXD

If you are having problems with cloud-init or cloud-config, take a look at the following log files:

$ lxc exec foo bash

 

You can see the actual process logs for cloud-init's processing of the configuration file here:

# tail -f /var/log/cloud-init.log

 

Output of your commands can be found here:

# tail -f /var/log/cloud-init-output.log

Do I need to install the cloud-init package on the host server?

No.


 

 

How to install LXD container hypervisor on Ubuntu 16.04 LTS server

http://wiki.shopingserver.com/install-lxd-container-hypervisor-ubuntu-16-04-lts-server/

Thu, 04 Jan 2018 07:20:03 +0000

How do I install the LXD container “hypervisor” to run unmodified Debian/Ubuntu/CentOS Linux operating system VMs at incredible speed on an Ubuntu Linux 16.04 LTS server?

 

LXD is lxc on steroids with strong security on the mind. LXD is not a rewrite of LXC. Under the hood, LXD uses LXC through liblxc and its Go binding. In this tutorial, you will learn to set up LXD on a Ubuntu Linux server.

Install LXD

Type the following apt-get command:

$ sudo apt install lxd

 

OR

$ sudo apt-get install lxd

 

Sample outputs:

Fig.01 Installing LXD on a Ubuntu Linux 16.04 LTS

Configure the LXD networking and storage for VM

I suggest you use ZFS along with DHCP-based IP networking for ease of setup for each VM. ZFS offers a quick way to make snapshots, along with other advanced features. See how to install ZFS on Ubuntu server for more information. The following command displays my ZFS setup for all VMs:

$ sudo zfs list

 

Sample outputs:

[sudo] password for vivek:

NAME              USED  AVAIL  REFER  MOUNTPOINT

nixcraft          744K   461G   192K  /nixcraft

nixcraft/lxdvms   192K   461G   192K  /nixcraft/lxdvms

To set up both the storage and networking options, enter:

$ sudo lxd init

 

Sample outputs:

Name of the storage backend to use (dir or zfs) [default=zfs]:

Create a new ZFS pool (yes/no) [default=yes]? no

Name of the existing ZFS pool or dataset: nixcraft/lxdvms

Would you like LXD to be available over the network (yes/no) [default=no]?

Do you want to configure the LXD bridge (yes/no) [default=yes]?

You need to configure the LXD dhcp based bridge as prompted:

Setup a network bridge for the LXD

Setup bridge name for the LXD

A random subnet for the LXD

Setup a valid IPv4 address for the LXD

Setup CIDR for the LXD

Setup the first IP for the LXD dhcpd

Setup last IP address for the LXD dhcpd

Setup max number of the LXD dhcpd client

Setup NAT for the LXD

Setup IPv6 for the LXD

Say hello to lxc command

The lxc command is used to talk to the LXD server. The lxd package creates a new “lxd” group which contains all users allowed to talk to lxd over the local unix socket. In other words, your username must be part of the lxd group:

$ id username

$ id vivek

$ grep lxd /etc/group

 

Sample outputs:

lxd:x:110:vivek

If vivek (or any other user) is not part of the lxd group, you will get an error that reads as follows when you try to use the lxc command:

Permission denied, are you in the lxd group?

Please note that group membership is only applied at login or ssh session, you then either need to close and re-open your user/ssh session or use the following command to avoid above error:

$ newgrp lxd

 

Verify that the lxc client is talking to the LXD daemon:

$ lxc list

 

Sample outputs:

+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+

How do I list available images for various Linux distro?

$ lxc image list images:

 

Sample outputs:

Fig.02: Listing all images from default remote server

 

Most of the images are known by several aliases. To see a list, enter:

$ lxc image alias list images:

$ lxc image alias list images: | grep -i centos

$ lxc image alias list images: | grep -i arch

$ lxc image alias list images: | grep -i debian

How to create and use your first container

The syntax is:

lxc launch images:{distro}/{version}/{arch} {container-name-here}

Create an Alpine Linux 3.4 VM

$ lxc launch images:alpine/3.4/amd64 alpine-www

Sample outputs:

Creating alpine-www

Retrieving image: 100%

Starting alpine-www

Create a CentOS Linux 7 VM

$ lxc launch images:centos/7/amd64 centos-db

Create an Ubuntu Linux 16.04 “xenial” LTS VM

$ lxc launch images:ubuntu/xenial/amd64 ubuntu-nginx

Create a Debian Linux 7.x “wheezy” VM

$ lxc launch images:debian/wheezy/amd64 file-server

Create a Debian Linux 8.x “jessie” VM

$ lxc launch images:debian/jessie/amd64 file-server

Create an Arch Linux VM

$ lxc launch images:archlinux/amd64 arch-c1

Create a Gentoo Linux VM

$ lxc launch images:gentoo/amd64 gentoo-c1

Create a Fedora Linux 24 VM

$ lxc launch images:fedora/24/amd64 fedora24-c1

Create a Fedora Linux 25 VM

$ lxc launch images:fedora/25/amd64 fedora25-c1

Create an openSUSE Linux 13.2 VM

$ lxc launch images:opensuse/13.2/amd64 opensuse

Create an openSUSE Linux 42.2 VM

$ lxc launch images:opensuse/42.2/amd64 opensuse-42-2

Create an Oracle Linux 7.x VM

$ lxc launch images:oracle/7/amd64 oracle-proxy-c1

How do I list all my containers?

Type the following command:

$ lxc list --fast

$ lxc list | grep RUNNING

$ lxc list | grep STOPPED

$ lxc list | grep

$ lxc list "*c1*"

$ lxc list "*db*"

$ lxc list

 

Sample outputs:

Fig.03 Lists the available resource for the LXD

How do I execute/run the specified command in a container?

The syntax is:

lxc exec containerName -- command

lxc exec containerName -- /path/to/script

lxc exec containerName --env EDITOR=/usr/bin/vim -- command

### run date, ip a, ip rm and other commands on various containers ###

$ lxc exec centos-db -- date

$ lxc exec opensuse -- ifconfig

$ lxc exec ubuntu-nginx -- ip r

$ lxc exec fedora24-c1 -- dnf update

$ lxc exec file-server -- cat /etc/debian_version

 

Sample outputs:

Fig.03: Run commands on in a container

How do I get the bash shell access in a container?

To log in and gain shell access in a container named file-server, enter:

$ lxc exec file-server bash

 

Now you can run commands or install packages:

# cat /etc/*issue*

# apt-get update

# apt-get upgrade

 

To exit from the container, simply type exit:

# exit

 

Sample session:

Fig.04: Gain a bash shell access in container

How do I start my containers?

The syntax is:

$ lxc start containerName

$ lxc start foo

$ lxc start centos-db opensuse

How do I stop my containers?

The syntax is:

$ lxc stop containerName

$ lxc stop foo

$ lxc stop centos-db opensuse

How do I restart my containers?

The syntax is:

$ lxc restart containerName

$ lxc restart foo

$ lxc restart centos-db opensuse

How do I delete my containers?

The syntax is (be careful as the LXD containers are deleted immediately without any confirmation prompt i.e. keep backups):

$ lxc delete containerName

$ lxc delete foo

$ lxc delete centos-db

 

You may get the following error while deleting the container:

The container is currently running, stop it first or pass --force.

To fix this:

$ lxc stop centos-db && lxc delete centos-db

How do I show information on LXD servers and containers?

Type the following command:

$ lxc info

$ lxc info containerName

$ lxc info centos-db

 

Sample outputs:

Fig.05: How to see LXD containers memory, cpu, network usage info using lxc

Can I run the OpenSSH server in a container?

Yes. You can install and use the openssh-server just like a VPS or dedicated box. For example:

$ lxc exec centos-db -- yum install openssh-server

$ lxc exec centos-db -- systemctl start sshd

$ ssh user@centos-db

$ ssh user@centos-db-ip-address-here

 

 

How to map static IP address using dnsmasq under LXD (Linux containers)

http://wiki.shopingserver.com/map-static-ip-address-using-dnsmasq-lxd-linux-containers/

Thu, 04 Jan 2018 06:44:14 +0000

I am using LXD (Linux container) to host Apache, MySQL, Perl and PHP-based app. I would like to assign or map fixed IP address to my MySQL container. How do I allow dnsmasq DHCP server to assign a static IP address to LXD container based on name or MAC address?

 

You can set per host/container parameters for the DHCP server. An LXD machine (VM) can always be given the same hostname, IP address and lease time. For example, you can tell dnsmasq to always give the VM mysqldb1 the IP address 192.168.1.100.

How to always allocate the LXD VM/machine named db the IP address 10.147.164.3?

Your dnsmasq DHCP server can read a file that contains information about one host per line. The default file name is /var/lib/lxd/networks/lxdbr0/dnsmasq.hosts. The format of a line is as follows:

{ipaddr},{hostname}

OR

{macadd},{ipaddr},{hostname}

The advantage of storing DHCP host information in this file is that it can be changed without restarting the dnsmasq server: the file is re-read when dnsmasq receives SIGHUP. Edit the /var/lib/lxd/networks/lxdbr0/dnsmasq.hosts file, enter:

$ sudo vi /var/lib/lxd/networks/lxdbr0/dnsmasq.hosts

 

Sample config:

# always set IP to 10.147.164.2 for apache1 vm

10.147.164.2,apache1

# always set IP to 10.147.164.3 for db1 vm having mac addr 00:16:ee:62:ff:90

00:16:ee:62:ff:90,10.147.164.3,db1

Save and close the file. Send SIGHUP to dnsmasq using killall command as follows:

$ sudo killall -SIGHUP dnsmasq

 

Now you can start lxd vm or restart already running lxd vm:

$ lxc restart db1

$ lxc start db1

 

Verify new IP address:

$ lxc list

$ lxc info db1

 

Sample outputs:

Fig.01: Set DHCP IPs of lxd/lxc (Linux containers) on Linux
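A static-lease file is easy to get subtly wrong: a reused IP or MAC address means two containers compete for one address, and any firewall rule keyed on that address then applies to the wrong service. The following linter is an added example, not part of the original article; it covers only the two line formats shown above, and the subnet 10.147.164.0/24 and the second sample file are assumptions constructed for illustration.

```python
"""Lint a dnsmasq DHCP hosts file that uses the two line formats shown above."""
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Assumption: the lxdbr0 subnet. The article only shows 10.147.164.x addresses.
BRIDGE_SUBNET = "10.147.164.0/24"

# The two entries from the article's sample config.
PAGE_ENTRIES = """\
# always set IP to 10.147.164.2 for apache1 vm
10.147.164.2,apache1
# always set IP to 10.147.164.3 for db1 vm having mac addr 00:16:ee:62:ff:90
00:16:ee:62:ff:90,10.147.164.3,db1
"""

# Constructed sample with typical mistakes (not from the article).
SAMPLE = """\
# constructed sample
10.147.164.2,apache1
00:16:ee:62:ff:90,10.147.164.3,db1
10.147.164.3,cache1
00:16:EE:62:FF:90,10.147.164.9,db2
10.147.165.4,proxy1
10.147.164.300,web2
"""


def parse_entry(line):
    """Parse '{ipaddr},{hostname}' or '{macaddr},{ipaddr},{hostname}'."""
    fields = [field.strip() for field in line.split(",")]
    if len(fields) == 2:
        mac, ip_text, host = None, fields[0], fields[1]
    elif len(fields) == 3:
        mac, ip_text, host = fields
    else:
        raise ValueError("expected 2 or 3 comma-separated fields")
    if mac is not None and not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ipaddress.AddressValueError:
        raise ValueError(f"bad IPv4 address {ip_text!r}") from None
    if not HOST_RE.match(host):
        raise ValueError(f"bad hostname {host!r}")
    # MAC addresses and hostnames are compared case-insensitively.
    return (mac.lower() if mac else None), ip, host.lower()


def lint_hosts(text, subnet=BRIDGE_SUBNET):
    """Return a sorted list of (line_number, message) findings."""
    net = ipaddress.ip_network(subnet)
    first_seen = {}  # (kind, value) -> line number where it first appeared
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            mac, ip, host = parse_entry(line)
        except ValueError as exc:
            findings.append((lineno, f"syntax: {exc}"))
            continue
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            findings.append((lineno, f"{ip} is not a usable address in {net}"))
        for kind, value in (("ip", str(ip)), ("mac", mac), ("hostname", host)):
            if value is None:
                continue
            if (kind, value) in first_seen:
                origin = first_seen[(kind, value)]
                findings.append(
                    (lineno, f"duplicate {kind} {value}, first used on line {origin}")
                )
            else:
                first_seen[(kind, value)] = lineno
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in lint_hosts(SAMPLE):
        print(f"line {lineno}: {message}")
```

Run it against a copy of the file before sending SIGHUP to dnsmasq, so a bad entry is caught before the new leases take effect.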

 

 

How to install LXD container under KVM or Xen virtual machine

http://wiki.shopingserver.com/install-lxd-container-kvm-xen-virtual-machine/

Thu, 04 Jan 2018 06:42:56 +0000

For security and ease of admin, I want to install LXD on my cloud server either powered by XEN or KVM. How do I install LXD on Ubuntu Linux server powered by KVM virtualization technology?

 

You can use Linux containers (LXD/LXC) to partition your cloud server. Access to the cloud server, its files, and its resources is given only to the right services, such as Apache, Nginx, MySQL, Proxy, Memcached and so on. Canonical’s LXD is a pure-container hypervisor that runs unmodified Linux operating systems and applications with VM-style operations at incredible speed and density. In this quick tutorial you will learn how to install the latest stable version of LXD under a KVM cloud server hosted at Linode, as a security mechanism, on an Ubuntu Linux 16.04.xx LTS server.

Step 1 – Configure PPA

To install the latest upstream release, use a PPA as follows. Type the apt command or apt-get command as follows to install software-properties-common:

$ sudo apt-get install software-properties-common

$ sudo add-apt-repository ppa:ubuntu-lxc/lxd-stable

 

Sample outputs:

This PPA contains the latest stable release of LXD as well as the latest stable version of any of its dependencies.

More info: https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/lxd-stable

Press [ENTER] to continue or ctrl-c to cancel adding it

 

gpg: keyring `/tmp/tmpgjzialhs/secring.gpg' created

gpg: keyring `/tmp/tmpgjzialhs/pubring.gpg' created

gpg: requesting key 7635B973 from hkp server keyserver.ubuntu.com

gpg: /tmp/tmpgjzialhs/trustdb.gpg: trustdb created

gpg: key 7635B973: public key "Launchpad PPA for Ubuntu LXC team" imported

gpg: Total number processed: 1

gpg:               imported: 1  (RSA: 1)

OK

Update your system:

$ sudo apt-get update

$ sudo apt-get dist-upgrade

 

Sample outputs:

Reading package lists… Done

Building dependency tree

Reading state information… Done

Calculating upgrade… Done

The following packages will be upgraded:

libseccomp2

1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Need to get 36.9 kB of archives.

After this operation, 28.7 kB of additional disk space will be used.

Do you want to continue? [Y/n] y

Get:1 http://ppa.launchpad.net/ubuntu-lxc/lxd-stable/ubuntu xenial/main amd64 libseccomp2 amd64 2.3.1-2ubuntu2~ubuntu16.04.1~ppa1 [36.9 kB]

Fetched 36.9 kB in 0s (79.1 kB/s)

(Reading database … 29837 files and directories currently installed.)

Preparing to unpack …/libseccomp2_2.3.1-2ubuntu2~ubuntu16.04.1~ppa1_amd64.deb …

Unpacking libseccomp2:amd64 (2.3.1-2ubuntu2~ubuntu16.04.1~ppa1) over (2.2.3-3ubuntu3) …

Processing triggers for libc-bin (2.23-0ubuntu5) …

Setting up libseccomp2:amd64 (2.3.1-2ubuntu2~ubuntu16.04.1~ppa1) …

Processing triggers for libc-bin (2.23-0ubuntu5) …

Step 2 – Install lxd

Type the following apt command or apt-get command:

$ sudo apt-get install lxd

 

OR

$ sudo apt install lxd

 

Sample outputs:

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following additional packages will be installed:

acl dns-root-data dnsmasq-base ebtables liblxc1 liblzo2-2 libnetfilter-conntrack3 lxc-common lxcfs lxd-client squashfs-tools uidmap

Suggested packages:

criu lxd-tools

The following NEW packages will be installed:

acl dns-root-data dnsmasq-base ebtables liblxc1 liblzo2-2 libnetfilter-conntrack3 lxc-common lxcfs lxd lxd-client squashfs-tools uidmap

0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.

Need to get 5,708 kB of archives.

After this operation, 24.2 MB of additional disk space will be used.

Do you want to continue? [Y/n] y

Get:1 http://mirrors.linode.com/ubuntu xenial/main amd64 liblzo2-2 amd64 2.08-1.2 [48.7 kB]

Get:2 http://mirrors.linode.com/ubuntu xenial/main amd64 acl amd64 2.2.52-3 [38.0 kB]

Get:3 http://mirrors.linode.com/ubuntu xenial/main amd64 dns-root-data all 2015052300+h+1 [15.0 kB]

Get:4 http://mirrors.linode.com/ubuntu xenial/main amd64 libnetfilter-conntrack3 amd64 1.0.5-1 [36.6 kB]

Get:5 http://mirrors.linode.com/ubuntu xenial-updates/main amd64 dnsmasq-base amd64 2.75-1ubuntu0.16.04.1 [294 kB]

Get:6 http://mirrors.linode.com/ubuntu xenial/main amd64 ebtables amd64 2.0.10.4-3.4ubuntu1 [79.6 kB]

Get:7 http://mirrors.linode.com/ubuntu xenial/main amd64 squashfs-tools amd64 1:4.3-3ubuntu2 [105 kB]

Get:8 http://mirrors.linode.com/ubuntu xenial/main amd64 uidmap amd64 1:4.2-3.1ubuntu5 [65.9 kB]

Get:9 http://ppa.launchpad.net/ubuntu-lxc/lxd-stable/ubuntu xenial/main amd64 lxc-common amd64 2.0.6-0ubuntu5~ubuntu16.04.1~ppa1 [77.2 kB]

Get:10 http://ppa.launchpad.net/ubuntu-lxc/lxd-stable/ubuntu xenial/main amd64 liblxc1 amd64 2.0.6-0ubuntu5~ubuntu16.04.1~ppa1 [252 kB]

Get:11 http://ppa.launchpad.net/ubuntu-lxc/lxd-stable/ubuntu xenial/main amd64 lxcfs amd64 2.0.5-0ubuntu2~ubuntu16.04.1~ppa1 [42.8 kB]

Get:12 http://ppa.launchpad.net/ubuntu-lxc/lxd-stable/ubuntu xenial/main amd64 lxd-client amd64 2.7-0ubuntu2~ubuntu16.04.1~ppa1 [1,923 kB]

Get:13 http://ppa.launchpad.net/ubuntu-lxc/lxd-stable/ubuntu xenial/main amd64 lxd amd64 2.7-0ubuntu2~ubuntu16.04.1~ppa1 [2,730 kB]

Fetched 5,708 kB in 3s (1,448 kB/s)

Selecting previously unselected package liblzo2-2:amd64.

(Reading database … 29837 files and directories currently installed.)

Preparing to unpack …/liblzo2-2_2.08-1.2_amd64.deb …

Unpacking liblzo2-2:amd64 (2.08-1.2) …

Selecting previously unselected package acl.

Preparing to unpack …/acl_2.2.52-3_amd64.deb …

Unpacking acl (2.2.52-3) …

Selecting previously unselected package dns-root-data.

Preparing to unpack …/dns-root-data_2015052300+h+1_all.deb …

Unpacking dns-root-data (2015052300+h+1) …

Selecting previously unselected package libnetfilter-conntrack3:amd64.

Preparing to unpack …/libnetfilter-conntrack3_1.0.5-1_amd64.deb …

Unpacking libnetfilter-conntrack3:amd64 (1.0.5-1) …

Selecting previously unselected package dnsmasq-base.

Preparing to unpack …/dnsmasq-base_2.75-1ubuntu0.16.04.1_amd64.deb …

Unpacking dnsmasq-base (2.75-1ubuntu0.16.04.1) …

Selecting previously unselected package ebtables.

Preparing to unpack …/ebtables_2.0.10.4-3.4ubuntu1_amd64.deb …

Unpacking ebtables (2.0.10.4-3.4ubuntu1) …

Selecting previously unselected package lxc-common.

Preparing to unpack …/lxc-common_2.0.6-0ubuntu5~ubuntu16.04.1~ppa1_amd64.deb …

Unpacking lxc-common (2.0.6-0ubuntu5~ubuntu16.04.1~ppa1) …

Selecting previously unselected package liblxc1.

Preparing to unpack …/liblxc1_2.0.6-0ubuntu5~ubuntu16.04.1~ppa1_amd64.deb …

Unpacking liblxc1 (2.0.6-0ubuntu5~ubuntu16.04.1~ppa1) …

Selecting previously unselected package lxcfs.

Preparing to unpack …/lxcfs_2.0.5-0ubuntu2~ubuntu16.04.1~ppa1_amd64.deb …

Unpacking lxcfs (2.0.5-0ubuntu2~ubuntu16.04.1~ppa1) …

Selecting previously unselected package lxd-client.

Preparing to unpack …/lxd-client_2.7-0ubuntu2~ubuntu16.04.1~ppa1_amd64.deb …

Unpacking lxd-client (2.7-0ubuntu2~ubuntu16.04.1~ppa1) …

Selecting previously unselected package squashfs-tools.

Preparing to unpack …/squashfs-tools_1%3a4.3-3ubuntu2_amd64.deb …

Unpacking squashfs-tools (1:4.3-3ubuntu2) …

Selecting previously unselected package uidmap.

Preparing to unpack …/uidmap_1%3a4.2-3.1ubuntu5_amd64.deb …

Unpacking uidmap (1:4.2-3.1ubuntu5) …

Selecting previously unselected package lxd.

Preparing to unpack …/lxd_2.7-0ubuntu2~ubuntu16.04.1~ppa1_amd64.deb …

Adding system user `lxd' (UID 111) …

Adding new user `lxd' (UID 111) with group `nogroup' …

Creating home directory `/var/lib/lxd/' …

Adding group `lxd' (GID 118) …

Done.

Unpacking lxd (2.7-0ubuntu2~ubuntu16.04.1~ppa1) …

Processing triggers for man-db (2.7.5-1) …

Processing triggers for libc-bin (2.23-0ubuntu5) …

Processing triggers for dbus (1.10.6-1ubuntu3.3) …

Processing triggers for systemd (229-4ubuntu16) …

Processing triggers for ureadahead (0.100.0-19) …

Setting up liblzo2-2:amd64 (2.08-1.2) …

Setting up acl (2.2.52-3) …

Setting up dns-root-data (2015052300+h+1) …

Setting up libnetfilter-conntrack3:amd64 (1.0.5-1) …

Setting up dnsmasq-base (2.75-1ubuntu0.16.04.1) …

Setting up ebtables (2.0.10.4-3.4ubuntu1) …

update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults

Setting up lxcfs (2.0.5-0ubuntu2~ubuntu16.04.1~ppa1) …

Setting up lxd-client (2.7-0ubuntu2~ubuntu16.04.1~ppa1) …

Setting up squashfs-tools (1:4.3-3ubuntu2) …

Setting up uidmap (1:4.2-3.1ubuntu5) …

Setting up liblxc1 (2.0.6-0ubuntu5~ubuntu16.04.1~ppa1) …

Setting up lxd (2.7-0ubuntu2~ubuntu16.04.1~ppa1) …

Setting up lxd dnsmasq configuration.

 

To go through the initial LXD configuration, run: lxd init

 

Setting up lxc-common (2.0.6-0ubuntu5~ubuntu16.04.1~ppa1) …

Processing triggers for libc-bin (2.23-0ubuntu5) …

Processing triggers for dbus (1.10.6-1ubuntu3.3) …

Processing triggers for systemd (229-4ubuntu16) …

Processing triggers for ureadahead (0.100.0-19) …

Step 3 – Add user account for lxd

Type the following command to add a user named vivek, run:

$ sudo adduser vivek

 

Make sure vivek is a member of the secondary group named lxd, enter:

$ sudo usermod -a -G lxd vivek

 

Verify it, run the id command as follows:

$ id vivek

 

Sample outputs:

uid=1002(vivek) gid=1002(vivek) groups=1002(vivek),118(lxd)
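Because the lxd group decides who may drive the LXD daemon over its local socket, its membership deserves the same periodic review as sudo. The audit below is an added example, not part of the original article, and serves both this step and the earlier `grep lxd /etc/group` check: it also reports accounts whose primary group is lxd, which that grep does not show. The group and passwd contents are constructed samples modelled on the IDs in the output above; the accounts deploy and olduser and the approved list are assumptions.

```python
"""List every account that can reach the LXD socket through the lxd group."""

# Constructed samples modelled on the article's output (GID 118, vivek, UID 111).
GROUP_SAMPLE = """\
sudo:x:27:vivek
lxd:x:118:vivek,olduser
vivek:x:1002:
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
lxd:x:111:65534::/var/lib/lxd/:/bin/false
vivek:x:1002:1002:,,,:/home/vivek:/bin/bash
deploy:x:1003:118::/home/deploy:/bin/bash
"""


def parse_group(text):
    """Parse /etc/group lines into {name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[2].isdigit():
            members = [m for m in parts[3].split(",") if m]
            groups[parts[0]] = (int(parts[2]), members)
    return groups


def parse_passwd(text):
    """Parse /etc/passwd lines into {name: primary_gid}."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 7 and parts[3].isdigit():
            users[parts[0]] = int(parts[3])
    return users


def lxd_access(group_text, passwd_text, group="lxd"):
    """Return {account: 'supplementary' | 'primary'} for members of the group."""
    groups = parse_group(group_text)
    if group not in groups:
        return {}
    gid, members = groups[group]
    access = {name: "supplementary" for name in members}
    for name, primary_gid in parse_passwd(passwd_text).items():
        if primary_gid == gid:
            # Primary-group membership never appears in the group's member list.
            access[name] = "primary"
    return access


def audit(group_text, passwd_text, approved, group="lxd"):
    """Compare actual membership with an approved set; return findings."""
    known = parse_passwd(passwd_text)
    findings = []
    for name, how in sorted(lxd_access(group_text, passwd_text, group).items()):
        if name not in known:
            findings.append(f"{name}: listed in {group} but has no passwd entry")
        elif name not in approved:
            findings.append(f"{name}: {how} member of {group}, not approved")
    return findings


if __name__ == "__main__":
    # Hypothetical approved list: only vivek is meant to use lxc.
    for finding in audit(GROUP_SAMPLE, PASSWD_SAMPLE, approved={"vivek"}):
        print(finding)
```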

Step 4 – Configure lxd

To go through the initial LXD configuration, run:

$ sudo lxd init

 


Step 5 – Creating and using your first container

First login as vivek user:

$ ssh vivek@server1.cyberciti.biz

 

OR

$ su - vivek

 

Verify that the lxc client is talking to the LXD daemon:

$ lxc list

 

Sample outputs:

+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+

The syntax is as follows to create your first container:

lxc launch images:{distro}/{version}/{arch} {container-name-here}

To list all available images for various Linux distro, run:

$ lxc image list images:

 

To create a CentOS Linux v7.x container:

$ lxc launch images:centos/7/amd64 my-centos

Sample outputs:

Creating my-centos

Retrieving image: 100% (16.80MB/s)

Starting my-centos

To create an Ubuntu Linux 16.04 LTS container:

$ lxc launch images:ubuntu/xenial/amd64 my-ubuntu

 

Sample outputs:

Animated gif.01: Lxc creating your VM

Step 6 – Login to your first container

Type the following command:

$ lxc exec my-centos bash

$ lxc exec my-ubuntu bash

 

You can now update your container or install needed software.

Step 6 – Lock down root user

You do not need root user or default user such as ubuntu/centos created in your container:

$ lxc exec my-ubuntu bash

 

Lock down root account access, run:

# passwd -l root

 

Delete unwanted user account using the userdel command, run:

# userdel -r ubuntu

Step 7 – Basic Linux containers management commands

Let us see important commands to manage your containers.

Start a container

$ lxc start containerName

Stop a container

$ lxc stop containerName

Restart a container

$ lxc restart containerName

Delete a container

$ lxc delete containerName

Get info about running container

$ lxc info containerName

Run the specified command in a container

$ lxc exec containerName command1

$ lxc exec containerName command1 opt1

$ lxc exec containerName date

$ lxc exec containerName -- command1 -arg1 -arg2

$ lxc exec my-centos -- yum update -y

Create a read-only snapshot of a container

$ lxc snapshot containerName snapShotName

$ lxc snapshot my-centos snap0

$ lxc info my-centos

Restore a container’s state to a previous snapshot

$ lxc restore containerName snapShotName

$ lxc restore my-centos snap0

$ lxc info my-centos

$ lxc exec my-centos bash

 

I recommend that you let the built-in DHCP assign a static IP to each LXD container/VM based on name or MAC address, for ease of management, including letting the containers talk with each other. I suggest that you set up a LAMP stack as follows:

$ lxc launch images:ubuntu/xenial/amd64 db1

$ lxc launch images:ubuntu/xenial/amd64 nginx1

$ lxc launch images:ubuntu/xenial/amd64 apache-php1

$ lxc launch images:ubuntu/xenial/amd64 memcached

 

Once the LXC VMs are up and running, log into each container and set up services, i.e. install Apache and PHP on the apache-php1 VM. Use Nginx (or any other proxy server) or iptables on your cloud server to redirect traffic to port 80/443 from your public IP address to the container service.

And there you have it. LXD container/VM is running for each service such as a web server, MySQL, Memcached, Proxy and so on. All of your services are running on separate LXD vm instance. Naturally, this limits the number of other services that can be cracked if an attacker can successfully exploit a software flaw in one network service.

See also

HowTo: Run Network Service Per System / VM Instance To Improve Overall Security Of A Web Stacks (LAMP)

 

 
