====== LXC container in AstLinux ======

Starting with AstLinux 1.3.10 it is possible to run [[https://linuxcontainers.org/lxc/introduction/#LXC|LXC containers]] within AstLinux.

The containers are using the same kernel and hardware as AstLinux.

===== Quick Start Guide =====

__Enable LXC Support:__
\\

  * Define ''LXC_BRIDGE0'' in ''user.conf'' using a physical or VLAN interface (e.g. ''LXC_BRIDGE0="eth3"'')
  * Assign the newly created ''lxcbr0'' to an internal interface in the **Network tab**
  * Reboot

Then from the CLI:

  lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate

  service lxc init

  lxc-attach debian10
    passwd
    apt update
    apt install openssh-server iputils-ping curl
    ...
    exit

\\
__Disable LXC Support:__
\\

First from the CLI:

  service lxc stop

  lxc-destroy debian10

If you don't want to re-enable LXC in the near future:

  * Remove ''LXC_BRIDGE0'' in ''user.conf''
  * Reassign where ''lxcbr0'' was an internal interface in the **Network tab** to another interface
  * Reboot

\\
===== Networking =====

There are different [[https://linuxcontainers.org/lxc/manpages//man5/lxc.container.conf.5.html#lbAO|networking modes]] for LXC. We are using ''veth'', that needs a bridge on the host (configured in ''user.conf'') e.g.

  LXC_BRIDGE0="eth3"

!!Tip ->!! If you have multiple LAN interfaces defined in the Network tab, assign ''lxcbr0'' to **[[userdoc:tt_firewall_overview|The DMZ Interface]]**.  In this configuration the firewall will allow any **LAN Interface** to access the container, but the container's network can only initiate access via the **External Interface** unless additional firewall rules are added (e.g. DNS will not work!).

!!Tip ->!! If you run out of physical interfaces to assign to the bridge, create a VLAN, for example:

In the **Network tab**:
  VLANS: eth3.10
  The DMZ Interface: lxcbr0

In your ''user.conf'' config:
  LXC_BRIDGE0="eth3.10"

\\
===== Linux Container Config =====

Per the above "Quick Start Guide" example with the ''debian10'' container, the default, auto-generated config looks like this:
<code>
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d debian -r buster -a amd64 --no-validate
# Template script checksum (SHA-1): a37305b11025a13952335f1e0a9f26e5201a26d1
# For additional config options, please look at lxc.container.conf(5)

# Container Auto Start: 0 (no) or 1 (yes), defaults to 0
lxc.start.auto=1

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.tty.max = 0
#lxc.cgroup.memory.limit_in_bytes = 1024M
#lxc.cgroup.cpuset.cpus = 1,3
lxc.rootfs.path = dir:/var/lib/lxc/debian10/rootfs
lxc.uts.name = debian10

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.name = eth0
#lxc.net.0.ipv4.address = 192.168.101.10/24
#lxc.net.0.ipv4.gateway = auto
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:43:a5:1e
</code>

!!Note ->!! The ''lxc.net.0.hwaddr'' is auto-generated with a random value.

The standard location for this config file is ''/var/lib/lxc/debian10/config'' which AstLinux symlinks to ''/mnt/kd/lxc/container/debian10/config''

You may tweak this config file to your liking.

To determine if the container auto-starts:

  # Container Auto Start: 0 (no) or 1 (yes), defaults to 0
  lxc.start.auto=1

By default DHCP is enabled in the recommended base installs, but if you want to enable a static IP address, uncomment these lines:

  lxc.net.0.ipv4.address = 192.168.101.10/24
  lxc.net.0.ipv4.gateway = auto

and adjust the ''192.168.101.10/24'' network to be valid on your ''lxcbr0'' network.

If you would like your ''veth'' interface names to be descriptive, add to the "Network configuration"

  lxc.net.0.veth.pair = veth_debian10

!!Tip ->!! Keep the name short, as the length is limited, also begin the name with ''veth''.

\\
After making a change in the config with ''lxc.start.auto=1'', the container can be restarted with:

  service lxc restart

Alternatively, if ''lxc.start.auto=0'', you can manually start the container with:

  lxc-start debian10

If you are using the Web Interface, both the **Network tab** and **Edit tab** support "Restart Linux Containers".

\\
===== Destroy All Containers =====

If you want to disable all LXC container support, or start fresh, from the CLI:

!!Warning ->!!  This action is not undoable, All LXC containers and download caches will be deleted!

  service lxc stop

  rm -rf /mnt/kd/lxc

  service lxc init

\\
===== Recommended Base Installs =====

  lxc-create -t download -n debian12 -- -d debian -r bookworm -a amd64 --no-validate
  
  lxc-create -t download -n debian11 -- -d debian -r bullseye -a amd64 --no-validate
  
  lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate

Typical base installs use less than 1 GB of disk space.

\\ 
===== Optional =====

Here are few useful optional configuration options that amongst others limit the resources of the [[https://linuxcontainers.org/lxc/manpages//man5/lxc.container.conf.5.html|container]]:

<code>
lxc.environment = TERM=linux

lxc.cgroup.memory.limit_in_bytes = 512M
#lxc.cgroup.cpu.shares = 256
# Define which actual cores (e.g. 0 to 3) are allowed to use - comma separated (it's NOT the count of cores!)
lxc.cgroup.cpuset.cpus = 1,3
</code>

\\