Linux Containers
Linux Containers, or LXC, is a Linux kernel feature that allows one or more isolated virtual systems (each with its own network interfaces, process namespace, user namespace, and power state) to run on a single Linux kernel on a single server.
Configuring the Funtoo Host System
Install LXC kernel
Emerge lxc
Configure Networking For Container
Typically, one uses a bridge to allow containers to connect to the network. This is how to do it under Funtoo Linux:
- create a bridge using the Funtoo network configuration scripts. Name the bridge something like brwan (using /etc/init.d/netif.brwan). Configure your bridge to have an IP address.
- Make your physical interface, such as eth0, an interface with no IP address (use the Funtoo interface-noip template.)
- Make netif.eth0 a slave of netif.brwan in /etc/conf.d/netif.brwan.
- Enable your new bridged network and make sure it is functioning properly on the host.
You will now be able to configure LXC to automatically add your container's virtual Ethernet interface to the bridge when it starts, which will connect it to your network.
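The bridge setup above, written out as an added example (not part of the original wiki page): a POSIX sh function that generates the Funtoo netif configuration for a bridge and its no-IP physical slave into a chosen root directory, plus a check that the kernel actually shows the slave enslaved under the bridge once it is up. The netif keys (template=, ipaddr=, gateway=, slaves=) and the netif.tmpl symlink convention are assumed from Funtoo's network configuration scheme; the bridge name brwan and the addresses are sample values.

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki page or the LXC project.
# ASSUMPTIONS: Funtoo netif config keys (template=, ipaddr=, gateway=, slaves=)
# and init scripts being symlinks to /etc/init.d/netif.tmpl.

# write_bridge_config ROOT BRIDGE SLAVE CIDR GATEWAY
# Writes $ROOT/etc/conf.d/netif.$BRIDGE and netif.$SLAVE and creates the
# init-script symlinks under $ROOT/etc/init.d. ROOT is / on a real host; a
# scratch directory lets the result be inspected first.
write_bridge_config() {
    root=$1; br=$2; slave=$3; cidr=$4; gw=$5
    mkdir -p "$root/etc/conf.d" "$root/etc/init.d"
    # The bridge carries the host's IP; the physical NIC is enslaved to it.
    cat > "$root/etc/conf.d/netif.$br" <<EOF
template="bridge"
ipaddr="$cidr"
gateway="$gw"
slaves="netif.$slave"
EOF
    # The physical interface is brought up with no address of its own.
    cat > "$root/etc/conf.d/netif.$slave" <<EOF
template="interface-noip"
EOF
    # Funtoo network init scripts are symlinks to the generic template.
    for n in "$br" "$slave"; do
        ln -sf netif.tmpl "$root/etc/init.d/netif.$n"
    done
}

# bridge_has_slave BRIDGE SLAVE [SYSROOT]
# Succeeds if the kernel lists SLAVE as a port of BRIDGE. The kernel exposes
# bridge ports as /sys/class/net/BRIDGE/brif/SLAVE; SYSROOT (default empty,
# i.e. the real /sys) lets a fake tree stand in for testing.
bridge_has_slave() {
    sysroot=${3:-}
    [ -d "$sysroot/sys/class/net/$1/brif/$2" ]
}

# Typical use on the host (sample addresses):
#   write_bridge_config / brwan eth0 10.0.1.200/24 10.0.1.1
#   rc-update add netif.brwan default && /etc/init.d/netif.brwan start
#   bridge_has_slave brwan eth0 && echo "eth0 is enslaved to brwan"
```

After the bridge is started, the bridge_has_slave check is the quickest way to confirm the slave relationship took effect before any container is attached to it.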
Setting up a Funtoo Linux LXC Container
Here are the steps required to get Funtoo Linux running inside a container.
Create and Configure Container Filesystem
- Start with a Funtoo OpenVZ template, and unpack it to a directory such as /lxc/funtoo.
- Edit /lxc/funtoo/etc/rc.conf and change rc_sys=openvz to rc_sys=lxc.
- Create an empty /lxc/funtoo/etc/fstab file.
- Ensure the c1 line is uncommented (enabled) and the c2 through c6 lines are disabled in /lxc/funtoo/etc/inittab.
- Edit udev-mount, udev-postmount and udev-save and change the keyword line to have the arguments -openvz -vserver -lxc. (fixed now)
That's all you need to get the container filesystem ready to start.
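Because a container whose rootfs was only partly converted fails in confusing ways at first start, here is an added example (not part of the original wiki page) that checks the five edits above against an unpacked rootfs and reports every one that is missing. It assumes the rootfs was prepared from a Funtoo OpenVZ template as described, that rc_sys may be written with or without quotes, and that the udev scripts carry the keyword line inside their depend() block.

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki page or the LXC project.
# ASSUMPTION: rootfs prepared from a Funtoo OpenVZ template as described above.

# check_rootfs DIR
# Prints one line per failed check and returns 0 only when all checks pass.
check_rootfs() {
    root=$1; fail=0

    # 1. rc_sys must have been switched from openvz to lxc (quotes optional)
    if ! grep -Eq '^rc_sys="?lxc"?[[:space:]]*$' "$root/etc/rc.conf" 2>/dev/null; then
        echo "etc/rc.conf: rc_sys is not set to lxc"; fail=1
    fi

    # 2. an fstab must exist, even if it is empty
    if [ ! -f "$root/etc/fstab" ]; then
        echo "etc/fstab: missing"; fail=1
    fi

    # 3. inittab: c1 enabled, c2..c6 commented out
    inittab=$root/etc/inittab
    if ! grep -q '^c1:' "$inittab" 2>/dev/null; then
        echo "etc/inittab: c1 line is not enabled"; fail=1
    fi
    for n in 2 3 4 5 6; do
        if grep -q "^c$n:" "$inittab" 2>/dev/null; then
            echo "etc/inittab: c$n line is still enabled"; fail=1
        fi
    done

    # 4. the udev init scripts must list -lxc on their keyword line
    for s in udev-mount udev-postmount udev-save; do
        f=$root/etc/init.d/$s
        [ -f "$f" ] || continue        # script not shipped in this template
        if ! grep -q 'keyword .*-lxc' "$f"; then
            echo "etc/init.d/$s: keyword line lacks -lxc"; fail=1
        fi
    done
    return $fail
}

# Typical use before the first lxc-start:
#   check_rootfs /lxc/funtoo && echo "rootfs ready"
```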
Create Container Configuration Files
Create the following files:
/etc/lxc/funtoo/config
lxc.utsname = funtoo
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = brwan
lxc.network.ipv4 = <your IPv4 address here, like 1.2.3.4/29>
lxc.network.hwaddr = <your randomly-generated MAC address here, like a2:97:b6:df:df:28>
lxc.network.name = eth0
lxc.mount = /etc/lxc/funtoo/fstab
lxc.rootfs = /lxc/funtoo
lxc.tty = 12
lxc.pts = 128
# restrict capabilities
lxc.cap.drop = audit_control
lxc.cap.drop = audit_write
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = mknod
lxc.cap.drop = setpcap
lxc.cap.drop = sys_admin
lxc.cap.drop = sys_boot
lxc.cap.drop = sys_module
lxc.cap.drop = sys_rawio
Use the following command to generate a random MAC for the lxc.network.hwaddr line above:
# openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//'
It is a very good idea to assign a static MAC address to your container using lxc.network.hwaddr. If you don't, LXC will auto-generate a new random MAC every time your container starts, which may confuse network equipment that expects MAC addresses to remain constant.
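Two practical points follow from the MAC and capability settings above, shown here as an added example (not part of the original wiki page or the LXC project). First, the openssl one-liner leaves the first octet fully random, so roughly half of its outputs have the low bit of that octet set, which makes them multicast addresses that the kernel refuses to assign to an interface; the gen_mac function below forces a unicast, locally administered first octet instead. Second, the config is only as strong as what is actually in the file, so check_config verifies that a valid static hwaddr is present and that the capabilities dropped above really appear as lxc.cap.drop lines. The 0.7-era key names lxc.network.hwaddr and lxc.cap.drop are taken from this page; the sample config in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki page or the LXC project.
# ASSUMPTION: 0.7-era lxc.network.hwaddr / lxc.cap.drop config keys as above.

# gen_mac: print a random MAC whose first octet has the multicast bit (0x01)
# cleared and the locally-administered bit (0x02) set, so it is always a
# valid interface address and never collides with a registered vendor OUI.
gen_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)      # six random bytes as decimals
    first=$(( ($1 & 0xfc) | 0x02 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# mac_ok MAC: succeed only for a well-formed lowercase unicast MAC.
mac_ok() {
    h='[0-9a-f][0-9a-f]'
    case $1 in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${1%%:*} ))
    [ $(( first & 1 )) -eq 0 ]                  # multicast bit must be clear
}

# check_config FILE: report a missing or bad static MAC and any of the
# listed capabilities that the file does not drop. Returns 0 if clean.
check_config() {
    cfg=$1; fail=0
    mac=$(sed -n 's/^lxc\.network\.hwaddr *= *//p' "$cfg" | head -n 1)
    if [ -z "$mac" ]; then
        echo "no lxc.network.hwaddr: MAC will change on every start"; fail=1
    elif ! mac_ok "$mac"; then
        echo "lxc.network.hwaddr '$mac' is malformed or multicast"; fail=1
    fi
    for cap in sys_admin sys_module sys_rawio sys_boot mknod; do
        grep -q "^lxc\.cap\.drop *= *$cap\$" "$cfg" \
            || { echo "capability $cap is not dropped"; fail=1; }
    done
    return $fail
}

# Typical use:
#   gen_mac                              # paste into lxc.network.hwaddr
#   check_config /etc/lxc/funtoo/config  # run before lxc-start
```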
/etc/lxc/funtoo/fstab
none /lxc/funtoo/dev/pts devpts defaults 0 0
none /lxc/funtoo/proc proc defaults 0 0
none /lxc/funtoo/sys sysfs defaults 0 0
none /lxc/funtoo/dev/shm tmpfs defaults 0 0
none /lxc/funtoo/libexec/rc/init.d tmpfs defaults 0 0
Initializing and Starting the Container
You will probably need to set the root password for the container before you can log in. You can use chroot to do this quickly:
# chroot /lxc/funtoo
(chroot) # passwd
New password: XXXXXXXX
Retype new password: XXXXXXXX
passwd: password updated successfully
# exit
Now that the root password is set, run:
# lxc-start -n funtoo -d
The -d option will cause it to run in the background.
To attach to the console:
# lxc-console -n funtoo
You should now be able to log in and use the container. In addition, the container should now be accessible on the network.
To stop the container:
# lxc-stop -n funtoo
Ensure that networking is working from within the container while it is running, and you're good to go!
LXC Bugs/Missing Features
- LXC's shell scripts are badly designed and are a sure way to destruction; avoid using lxc-create and lxc-destroy.
- There is no tool to gracefully shut down a container. An 'lxc-halt' should be written; it should be POSIX sh-compatible and use lxc-execute to run halt inside the container.
- Our udev should be updated so its scripts contain -lxc.
- Our openrc should be patched to handle the case where it cannot mount tmpfs, and deal with that situation gracefully somehow.
- If lxc.network.type = phys is used, the interface will be renamed to the value of lxc.network.link after lxc-stop. This was supposed to be fixed in 0.7.4, but it still happens on 0.7.5 - http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg01760.html