This post is somewhat old, and kept here for historical reasons, if you want to run LXC containers on Debian Bookworm (12), I have composed a much more useful post here
Yes, Wheezy is out to the public, and openVZ is out of Wheezy, so what to do.
Basically, what i am doing now is investigating the alternative LXC, i have no time to learn right now, so i am going to have to do this fast.
I have a gut feeling that LXC is better than openVZ, after all, it is in the mainline kernel, and it is supposed to be marvelously easy to install, so let me start working on this with everyone here.
NOTES: if you want to give away LXC containers to people, you will need to use AppArmor with it, here, i run my containers, so i will not be installing AppArmor in this tutorial, but maybe soon i will add a tutorial for the AppArmor part.
So, LXC here we come, to completely replace openVZ, with something more open (Sorry Parallels Virtuozzo, welcome IBM), something that can keep up with the kernel and not keep us behind.
I will be turning this post into a tutorial on installing and running LXC on debian wheezy (7) with memory allocation to containers and with the kernel that shipped with wheezy, i should be done creating this tutorial in a few days, and it will remain an incremental effort where i will be adding more and more as i learn about this.
NOTES: memory allocation is not compiled with the kernel by default but disabled, you enable it by adding a parameter to grub. (Not anymore, now memory allocation works out of the box)
1- Install base system of wheezy (debian 7)
2- Install some stuff i can never do without
apt-get update
apt-get upgrade
apt-get install ssh openssh-server fail2ban
fail2ban is a very important application that will prevent outsiders from bruit force cracking your server, it is very important, without it you will be hacked sooner or later (especially if you are in a datacenter), hackers look for servers to send spam from all the time.
Now, we need to specify a hostname for this machine (the LXC HOST), i want to call mine server5.example.com
echo server5.example.com > /etc/hostname
/etc/init.d/hostname.sh start
hostname
hostname -f
apt-get install ntp ntpdate
Now, we need to setup networking for LXC, every physical NIC (Network adapter) will need a bridge.
To create a bridge, you need to install
apt-get install bridge-utils
Then your /etc/network/interfaces file must look like this
------------------------------------------------ # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface #allow-hotplug eth0 #iface eth0 inet dhcp #Bridge setup auto br0 iface br0 inet static bridge_ports eth0 bridge_fd 0 address 192.168.2.121 netmask 255.255.255.0 gateway 192.168.2.1 dns-nameservers 8.8.8.8 ------------------------------------------------
apt-get install lxc
You will be presented with the following prompt, i myself accept the default /var/lib/lxc
Please specify the directory that will be used to store the Linux Containers. If unsure, use /var/lib/lxc (default). LXC directory:
mkdir /cgroup
Add the following line in /etc/fstab using a text editor:
cgroup /cgroup cgroup defaults 0 0
mount -a
Now, to make sure everything is working like it should
lxc-checkconfig
------------------- OUTPUT OF lxc-checkconfig ----------------START Kernel config /proc/config.gz not found, looking in other places... Found kernel config file /boot/config-3.2.0-4-amd64 --- Namespaces --- Namespaces: enabled Utsname namespace: enabled Ipc namespace: enabled Pid namespace: enabled User namespace: enabled Network namespace: enabled Multiple /dev/pts instances: enabled --- Control groups --- Cgroup: enabled Cgroup clone_children flag: enabled Cgroup device: enabled Cgroup sched: enabled Cgroup cpu account: enabled Cgroup memory controller: enabled Cgroup cpuset: enabled --- Misc --- Veth pair device: enabled Macvlan: enabled Vlan: enabled File capabilities: enabled Note : Before booting a new kernel, you can check its configuration usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig. ------------------- OUTPUT OF lxc-checkconfig ------------------END
And on the host machine, you need to enable IP forwarding befor you fire up any of those LXC containers
echo 1 > /proc/sys/net/ipv4/ip_forward
But to make that peppermint you need to edit the file /etc/sysctl.conf where we can add a line containing net.ipv4.ip_forward = 1
/etc/sysctl.conf:
net.ipv4.ip_forward = 1
You might find that the entry is already there but with the value 0, in that case just flip the zero to a 1, or you might find it there but commented out, in that case, delete the # that precedes that line to enable it.
To enable the changes made in sysctl.conf (And you don’t if you already executed the echo 1 statement above) you will need to run the command:
sysctl -p /etc/sysctl.conf
Now that LXC is officially installed, there is more than 1 way to create containers, debootstrap is one of them (you will need to install it, and the container config will need to be done manually by adding a few lines into a file you create inside the container area), while i will use the LXC way by using the application lxc-create you are free to use any tool, including importing containers from vmware (copying vmware containers will work).
Also worth mentioning, i use apt-cacher so when i am asked about the urls of the distro, i simply modify it to read http://192.168.2.133:3142/ftp.us.debian.org/debian/ which is how i accerss apt-cacher to speed up things and not re-download everything every time.
So, lets start
lxc-create -t debian -n vm33
On a newer releast (7.7), the above gave me an error, so the following was the error and the solution (needed command)
MIRROR=http://ftp.us.debian.org/debian lxc-create -n vm10 -t debian -- -r wheezy
Or if you want to use apt-cacher
MIRROR=http://192.168.10.237:3142/ftp.us.debian.org/debian lxc-create -n vm10 -t debian -- -r wheezy
1- Preseed file anyone? Enter (optional) preseed file to use: <== leave this one empty
2- Chose the distro (debian wheezy for me)
3- 64 or 32, i use 64
4-
Archives.
[*] Debian Security
[*] Debian Updates
[*] Debian Backports
[ ] Debian Proposed Updates
5- Mirror.
i modify this to read http://192.168.2.133:3142/ftp.us.debian.org/debian/ in order to use my apt-cacher, you can put any mirror here, or leave the default one (http://ftp.debian.org/debian/ Mirror Security http://security.debian.org/ and Mirror Backports) provided for you. Archive areas Main, Packages (leave blank or specify the packages you want, you can install them later with apt-get), then the root password
You must keep in mind that even after you see the message ‘debian’ template installed ‘vm33’ created, the config file for vm33 is not really ready, you need to enable networking in it manually. so, let’s edit the file /var/lib/lxc/vm33/config and add networking support
vi /var/lib/lxc/vm33/config
NOTE: THE BELOW IS FOR TYPICAL SETUPS, FOR HETZNER DATACENTER, PLEASE SEE THE POST ON LXC NETWORK SETUP WITH HETZNER.
then add the lines right before #Capabilities and after the lines of ## Container
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.2.125/24
Also, before we start the container, there are a few things we need to do…
there seems to be an issue with the ssh keys, so what we will do around this issue is copy the keys from the host, (We will generate new ones for the conatiner later)
EXECUTE ON HOST
cp /etc/ssh/ssh_host_dsa_key /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_dsa_key cp /etc/ssh/ssh_host_dsa_key.pub /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_dsa_key.pub cp /etc/ssh/ssh_host_ecdsa_key /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_ecdsa_key cp /etc/ssh/ssh_host_ecdsa_key.pub /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_ecdsa_key.pub cp /etc/ssh/ssh_host_rsa_key /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_rsa_key cp /etc/ssh/ssh_host_rsa_key.pub /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_rsa_key.pub
Then, they won’t work without proper permissions
chmod 0600 /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_dsa_key.pub chmod 0600 /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_ecdsa_key chmod 0600 /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_rsa_key
Now i reboot the server just to be on the safe side, then i do the following
lxc-start -n vm33 -d
lxc-info -n vm33
When you run the command for information, you should see the word RUNNING and a pid.
Just SSH to the host !
Now if you want to create new host keys for SSH just do the following
delete the files
/var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_dsa_key.pub /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_ecdsa_key /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_rsa_key
execute
dpkg-reconfigure openssh-server
—————————————
Making LXC auto start at the system boot
The old Way – create a symbolic link, should still work, but i have not tried
ln -s /var/lib/lxc/vm34/config /etc/lxc/auto/vm34_config
The new way that provides better control of the order they are started in.
Set lxc.start.auto == 1 in the config
Then, the following will tell the system what containers to start first, and when
Kir Kolyshkin explains why LXC ist not ready for production and has only a fration of the features that OpenVZ provides.
OpenVZ ist LXC on Steroids!
Kir’s OpenVZ presentation at FOSDEM 2012
http://mirror.geeksoc.org/fosdem/2012/maintracks/janson/Linux_containers_and_OpenVZ.webm
Kir Kolyshkin works for parallels , i have been using LXC for some time on a seriously busy machine, and it is certainly working as good as openVZ for me. maybe LXC is not yet ready for CPS market, but i feel that it will be very soon.