Differences

This shows you the differences between two versions of the page.

--- userdoc:guest_lxc_container [2020/05/17 09:04]
abelbeck [Pi-hole Container Example]
+++ userdoc:guest_lxc_container [2023/06/15 09:03] (current)
abelbeck [Recommended Base Installs]
@@ Line 22: / Line 22: @@
   lxc-attach debian10
     passwd
+    apt update
     apt install openssh-server iputils-ping curl
     ...
@@ Line 49: / Line 50: @@
   LXC_BRIDGE0="eth3"
-!!Tip ->!! If you have multiple LAN interfaces defined in the Network tab, assign ''lxcbr0'' to **[[userdoc:tt_firewall_overview|The DMZ Interface]]**.  In this configuration the firewall will allow any **LAN Interface** to access the container, but the container's network can only initiate access via the **External Interface** unless additional firewall rules are added.
+!!Tip ->!! If you have multiple LAN interfaces defined in the Network tab, assign ''lxcbr0'' to **[[userdoc:tt_firewall_overview|The DMZ Interface]]**.  In this configuration the firewall will allow any **LAN Interface** to access the container, but the container's network can only initiate access via the **External Interface** unless additional firewall rules are added (e.g. DNS will not work!).
 !!Tip ->!! If you run out of physical interfaces to assign to the bridge, create a VLAN, for example:
@@ Line 79: / Line 80: @@
 # Container specific configuration
 lxc.tty.max = 0
+#lxc.cgroup.memory.limit_in_bytes = 1024M
+#lxc.cgroup.cpuset.cpus = 1,3
 lxc.rootfs.path = dir:/var/lib/lxc/debian10/rootfs
 lxc.uts.name = debian10
@@ Line 143: / Line 146: @@
 ===== Recommended Base Installs =====
-  lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate
+  lxc-create -t download -n debian12 -- -d debian -r bookworm -a amd64 --no-validate
-  lxc-create -t download -n debian9 -- -d debian -r stretch -a amd64 --no-validate
+  lxc-create -t download -n debian11 -- -d debian -r bullseye -a amd64 --no-validate
-  lxc-create -t download -n ubuntu18 -- -d ubuntu -r bionic -a amd64 --no-validate
+  lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate
-  lxc-create -t download -n centos8 -- -d centos -r 8 -a amd64 --no-validate
-  lxc-create -t download -n centos7 -- -d centos -r 7 -a amd64 --no-validate
 Typical base installs use less than 1 GB of disk space.
-\\
-===== Pi-hole Container Example =====
-The [[https://pi-hole.net/|Pi-hole]] project is a "DNS sinkhole" that protects your devices from unwanted content, without installing any client-side software.
-Pi-hole is a perfect example to use with AstLinux within a LXC.  Begin as with the "Quick Start Guide" but use the name ''pi-hole''.
-First, it is assumed the ''lxcbr0'' interface is setup per the above **Quick Start Guide** -> Enable LXC Support.
-Then from the CLI:
-  lxc-create -t download -n pi-hole -- -d debian -r buster -a amd64 --no-validate
-  service lxc init
-  lxc-attach pi-hole
-    passwd
-    apt install openssh-server iputils-ping curl
-    ...
-    exit
-!!Tip ->!! Optionally you may want to also...
-    apt install sudo nano
-!!Tip ->!! Set ''PermitRootLogin yes'' for sshd and restart sshd. Type ''exit'' to leave the container and do the rest via ssh.
-\\
-__Install Pi-hole:__
-\\
-Either with ''lxc-attach pi-hole'' or ''ssh root@pi-hole_ip_address''
-  curl -sSL https://install.pi-hole.net -o pihole.sh
-  # Comment out the "set -e" in pihole.sh, then
-  bash pihole.sh
-Follow the dialogs and answer the questions.
-Change Pi-hole WebGUI password:
-  /usr/local/bin/pihole -a -p
-\\
-!!Tip ->!! If ''lighttpd'' is not started after the Pi-hole installation (=> ''netstat -tlp''):
-  apt remove lighttpd
-  bash pihole.sh
-  # choose "Update"
-The Pi-hole LXC container uses about 40-50 MB of RAM.
-\\
-===== Command via a Container =====
-There are occasions where a command might be useful within AstLinux, but it may use python, golang, etc. or is just large in comparison to the 50 MB size of the AstLinux image.  A LXC container can be a handy tool to add such a command.
-Below is an example how to add the ''lynx'' command line web browser.  The ''lynx'' container only runs when needed.
-First, it is assumed the ''lxcbr0'' interface is setup per the above **Quick Start Guide** -> Enable LXC Support.
-Then from the CLI:
-  lxc-create -t download -n lynx -- -d debian -r buster -a amd64 --no-validate
-  service lxc restart
-  lxc-attach lynx
-    apt install lynx ca-certificates fping
-    exit
-Next, stop the ''lynx'' container and keep it from automatically starting.
-  lxc-stop lynx
-  sed -i 's/^lxc.start.auto=1/lxc.start.auto=0/' /var/lib/lxc/lynx/config
-Finally, create a wrapper script to start/stop the container and issue a command.
-Place this script at ''/mnt/kd/bin/lynx'' and give it ''chmod 755'' permissions.
-  #!/bin/sh
-  ##
-  ## lynx wrapper for LXC Debian 10 container
-  ##
-  ## generate a random uid
-  rand_uid=$((RANDOM % 4999 + 95000))
-  ## Destination IP to test when container network is active
-  ping_ip="8.8.4.4"
-  trap 'printf "Abort\n" >&2; lxc-stop lynx; exit 1' INT TERM EXIT
-  lxc-start lynx
-  printf "Waiting for container network to become active... "
-  lxc-attach lynx -u $rand_uid -- fping -q -r15 $ping_ip
-  printf "OK\n"
-  lxc-attach lynx -u $rand_uid -- lynx "$@"
-  lxc-stop lynx
-  trap - INT TERM EXIT
-  exit 0
-!!Tip ->!! If you edit ''/var/lib/lxc/lynx/config'' and assign a manual IP address, the container starts very quickly, whereas using DHCP it takes 4-6 seconds to establish the network.
-Test it!
-  /mnt/kd/bin/lynx https://www.astlinux-project.org
 \\
@@ Line 277: / Line 164: @@
 lxc.cgroup.memory.limit_in_bytes = 512M
 #lxc.cgroup.cpu.shares = 256
-lxc.cgroup.cpuset.cpus = 1
+# Define which actual cores (e.g. 0 to 3) are allowed to use - comma separated (it's NOT the count of cores!)
+lxc.cgroup.cpuset.cpus = 1,3
 </code>
 \\