userdoc:guest_lxc_container

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
userdoc:guest_lxc_container [2020/05/24 17:12]
mkeuter [Optional] 		userdoc:guest_lxc_container [2025/01/09 03:26] (current)
mkeuter
Line 16: Line 16:
 Then from the CLI: Then from the CLI:
  
-  lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate+  lxc-create -t download -n debian12 -- -d debian -r bookworm -a amd64 --no-validate
  
   service lxc init   service lxc init
  
-  lxc-attach debian10+  lxc-attach debian12
     passwd     passwd
 +    apt update
     apt install openssh-server iputils-ping curl     apt install openssh-server iputils-ping curl
     ...     ...
Line 34: Line 35:
   service lxc stop   service lxc stop
  
-  lxc-destroy debian10+  lxc-destroy debian12
  
 If you don't want to re-enable LXC in the near future: If you don't want to re-enable LXC in the near future:
Line 49: Line 50:
   LXC_BRIDGE0="eth3"   LXC_BRIDGE0="eth3"
  
-!!Tip ->!! If you have multiple LAN interfaces defined in the Network tab, assign ''lxcbr0'' to **[[userdoc:tt_firewall_overview|The DMZ Interface]]**.  In this configuration the firewall will allow any **LAN Interface** to access the container, but the container's network can only initiate access via the **External Interface** unless additional firewall rules are added.+!!Tip ->!! If you have multiple LAN interfaces defined in the Network tab, assign ''lxcbr0'' to **[[userdoc:tt_firewall_overview|The DMZ Interface]]**.  In this configuration the firewall will allow any **LAN Interface** to access the container, but the container's network can only initiate access via the **External Interface** unless additional firewall rules are added (e.g. DNS will not work!).
  
 !!Tip ->!! If you run out of physical interfaces to assign to the bridge, create a VLAN, for example: !!Tip ->!! If you run out of physical interfaces to assign to the bridge, create a VLAN, for example:
Line 79: Line 80:
 # Container specific configuration # Container specific configuration
 lxc.tty.max = 0 lxc.tty.max = 0
 +#lxc.cgroup.memory.limit_in_bytes = 1024M
 +#lxc.cgroup.cpuset.cpus = 1,3
 lxc.rootfs.path = dir:/var/lib/lxc/debian10/rootfs lxc.rootfs.path = dir:/var/lib/lxc/debian10/rootfs
 lxc.uts.name = debian10 lxc.uts.name = debian10
Line 143: Line 146:
 ===== Recommended Base Installs ===== ===== Recommended Base Installs =====
  
-  lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate+  lxc-create -t download -n debian12 -- -d debian -r bookworm -a amd64 --no-validate
      
-  lxc-create -t download -n debian9 -- -d debian -r stretch -a amd64 --no-validate+  lxc-create -t download -n debian11 -- -d debian -r bullseye -a amd64 --no-validate
      
-  lxc-create -t download -n ubuntu18 -- -d ubuntu -r bionic -a amd64 --no-validate +  lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate
-   +
-  lxc-create -t download -n centos8 -- -d centos -r 8 -a amd64 --no-validate +
-   +
-  lxc-create -t download -n centos7 -- -d centos -r 7 -a amd64 --no-validate +
  
 Typical base installs use less than 1 GB of disk space. Typical base installs use less than 1 GB of disk space.
- 
-\\  
-===== Pi-hole Container Example ===== 
- 
-The [[https://pi-hole.net/|Pi-hole]] project is a "DNS sinkhole" that protects your devices from unwanted content, without installing any client-side software. 
- 
-Pi-hole is a perfect example to use with AstLinux within a LXC.  Begin as with the "Quick Start Guide" but use the name ''pi-hole''. 
- 
-First, it is assumed the ''lxcbr0'' interface is setup per the above **Quick Start Guide** -> Enable LXC Support. 
- 
-Then from the CLI: 
- 
-  lxc-create -t download -n pi-hole -- -d debian -r buster -a amd64 --no-validate 
- 
-  service lxc init 
- 
-  lxc-attach pi-hole 
-    passwd 
-    apt install openssh-server iputils-ping curl 
-    ... 
-    exit 
- 
-!!Tip ->!! Optionally you may want to also... 
-    apt install sudo nano 
- 
-!!Tip ->!! Set ''PermitRootLogin yes'' for sshd and restart sshd. Type ''exit'' to leave the container and do the rest via ssh. 
- 
-\\ 
-__Install Pi-hole:__ 
-\\ 
- 
-Either with ''lxc-attach pi-hole'' or ''ssh root@pi-hole_ip_address'' 
- 
-  curl -sSL https://install.pi-hole.net -o pihole.sh 
-  # Comment out the "set -e" in pihole.sh, then 
-  bash pihole.sh 
- 
-Follow the dialogs and answer the questions. 
- 
-Change Pi-hole WebGUI password: 
- 
-  /usr/local/bin/pihole -a -p 
- 
-\\ 
-!!Tip ->!! If ''lighttpd'' is not started after the Pi-hole installation (=> ''netstat -tlp''): 
- 
-  apt remove lighttpd 
-  bash pihole.sh 
-  # choose "Update" 
-   
-The Pi-hole LXC container uses about 40-50 MB of RAM. 
- 
-\\ 
-===== Command via a Container ===== 
- 
-There are occasions where a command might be useful within AstLinux, but it may use python, golang, etc. or is just large in comparison to the 50 MB size of the AstLinux image.  A LXC container can be a handy tool to add such a command. 
- 
-Below is an example how to add the ''lynx'' command line web browser.  The ''lynx'' container only runs when needed. 
- 
-First, it is assumed the ''lxcbr0'' interface is setup per the above **Quick Start Guide** -> Enable LXC Support. 
- 
-Then from the CLI: 
- 
-  lxc-create -t download -n lynx -- -d debian -r buster -a amd64 --no-validate 
- 
-  service lxc restart 
- 
-  lxc-attach lynx 
-    apt install lynx ca-certificates fping 
-    exit 
- 
-Next, stop the ''lynx'' container and keep it from automatically starting. 
- 
-  lxc-stop lynx 
-  sed -i 's/^lxc.start.auto=1/lxc.start.auto=0/' /var/lib/lxc/lynx/config 
- 
-Finally, create a wrapper script to start/stop the container and issue a command. 
- 
-Place this script at ''/mnt/kd/bin/lynx'' and give it ''chmod 755'' permissions. 
-  #!/bin/sh 
-  ## 
-  ## lynx wrapper for LXC Debian 10 container 
-  ## 
-   
-  ## generate a random uid 
-  rand_uid=$((RANDOM % 4999 + 95000)) 
-   
-  ## Destination IP to test when container network is active 
-  ping_ip="8.8.4.4" 
-   
-  trap 'printf "Abort\n" >&2; lxc-stop lynx; exit 1' INT TERM EXIT 
-   
-  lxc-start lynx 
-   
-  printf "Waiting for container network to become active... " 
-  lxc-attach lynx -u $rand_uid -- fping -q -r15 $ping_ip 
-  printf "OK\n" 
-   
-  lxc-attach lynx -u $rand_uid -- lynx "$@" 
-   
-  lxc-stop lynx 
-   
-  trap - INT TERM EXIT 
-   
-  exit 0 
- 
-!!Tip ->!! If you edit ''/var/lib/lxc/lynx/config'' and assign a manual IP address, the container starts very quickly, whereas using DHCP it takes 4-6 seconds to establish the network. 
- 
-Test it! 
- 
-  /mnt/kd/bin/lynx https://www.astlinux-project.org 
  
 \\  \\ 
Line 277: Line 164:
 lxc.cgroup.memory.limit_in_bytes = 512M lxc.cgroup.memory.limit_in_bytes = 512M
 #lxc.cgroup.cpu.shares = 256 #lxc.cgroup.cpu.shares = 256
-define which cores are allowed to use (not the count!)+Define which actual cores (e.g. 0 to 3) are allowed to use - comma separated (it's NOT the count of cores!)
 lxc.cgroup.cpuset.cpus = 1,3 lxc.cgroup.cpuset.cpus = 1,3
 </code> </code>
  
 \\  \\ 
  • userdoc/guest_lxc_container.1590358377.txt.gz
  • Last modified: 2020/05/24 17:12
  • by mkeuter