Yes, Wheezy is out to the public, and openVZ is out of Wheezy, so what to do.
Basically, what i am doing now is investigating the alternative LXC, i have no time to learn right now, so i am going to have to do this fast.
I have a gut feeling that LXC is better than openVZ, after all, it is in the mainline kernel, and it is supposed to be marvelously easy to install, so let me start working on this with everyone here.
NOTES: if you want to give away LXC containers to people, you will need to use AppArmor with it, here, i run my containers, so i will not be installing AppArmor in this tutorial, but maybe soon i will add a tutorial for the AppArmor part.
So, LXC here we come, to completely replace openVZ, with something more open (Sorry Parallels Virtuozzo, welcome IBM), something that can keep up with the kernel and not keep us behind.
I will be turning this post into a tutorial on installing and running LXC on debian wheezy (7) with memory allocation to containers and with the kernel that shipped with wheezy, i should be done creating this tutorial in a few days, and it will remain an incremental effort where i will be adding more and more as i learn about this.
NOTES: memory allocation is not compiled with the kernel by default but disabled, you enable it by adding a parameter to grub. (Not anymore, now memory allocation works out of the box)
1- Install base system of wheezy (debian 7)
2- Install some stuff i can never do without
apt-get install ssh openssh-server fail2ban
fail2ban is a very important application that will prevent outsiders from bruit force cracking your server, it is very important, without it you will be hacked sooner or later (especially if you are in a datacenter), hackers look for servers to send spam from all the time.
Now, we need to specify a hostname for this machine (the LXC HOST), i want to call mine server5.example.com
echo server5.example.com > /etc/hostname
apt-get install ntp ntpdate
Now, we need to setup networking for LXC, every physical NIC (Network adapter) will need a bridge.
To create a bridge, you need to install
apt-get install bridge-utils
Then your /etc/network/interfaces file must look like this
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
iface lo inet loopback
# The primary network interface
#iface eth0 inet dhcp
iface br0 inet static
apt-get install lxc
You will be presented with the following prompt, i myself accept the default /var/lib/lxc
Please specify the directory that will be used to store the Linux Containers. If unsure, use /var/lib/lxc (default). LXC directory:
Add the following line in /etc/fstab using a text editor:
cgroup /cgroup cgroup defaults 0 0
Now, to make sure everything is working like it should
------------------- OUTPUT OF lxc-checkconfig ----------------START
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-3.2.0-4-amd64
--- Namespaces ---
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig.
------------------- OUTPUT OF lxc-checkconfig ------------------END
And on the host machine, you need to enable IP forwarding befor you fire up any of those LXC containers
echo 1 > /proc/sys/net/ipv4/ip_forward
But to make that peppermint you need to edit the file /etc/sysctl.conf where we can add a line containing net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
You might find that the entry is already there but with the value 0, in that case just flip the zero to a 1, or you might find it there but commented out, in that case, delete the # that precedes that line to enable it.
To enable the changes made in sysctl.conf (And you don’t if you already executed the echo 1 statement above) you will need to run the command:
sysctl -p /etc/sysctl.conf
Now that LXC is officially installed, there is more than 1 way to create containers, debootstrap is one of them (you will need to install it, and the container config will need to be done manually by adding a few lines into a file you create inside the container area), while i will use the LXC way by using the application lxc-create you are free to use any tool, including importing containers from vmware (copying vmware containers will work).
Also worth mentioning, i use apt-cacher so when i am asked about the urls of the distro, i simply modify it to read http://192.168.2.133:3142/ftp.us.debian.org/debian/ which is how i accerss apt-cacher to speed up things and not re-download everything every time.
So, lets start
lxc-create -t debian -n vm33
On a newer releast (7.7), the above gave me an error, so the following was the error and the solution (needed command)
MIRROR=http://ftp.us.debian.org/debian lxc-create -n vm10 -t debian -- -r wheezy
Or if you want to use apt-cacher
MIRROR=http://192.168.10.237:3142/ftp.us.debian.org/debian lxc-create -n vm10 -t debian -- -r wheezy
1- Preseed file anyone? Enter (optional) preseed file to use: <== leave this one empty
2- Chose the distro (debian wheezy for me)
3- 64 or 32, i use 64
[*] Debian Security
[*] Debian Updates
[*] Debian Backports
[ ] Debian Proposed Updates
i modify this to read http://192.168.2.133:3142/ftp.us.debian.org/debian/ in order to use my apt-cacher, you can put any mirror here, or leave the default one (http://ftp.debian.org/debian/ Mirror Security http://security.debian.org/ and Mirror Backports) provided for you. Archive areas Main, Packages (leave blank or specify the packages you want, you can install them later with apt-get), then the root password
You must keep in mind that even after you see the message ‘debian’ template installed ‘vm33’ created, the config file for vm33 is not really ready, you need to enable networking in it manually. so, let’s edit the file /var/lib/lxc/vm33/config and add networking support
NOTE: THE BELOW IS FOR TYPICAL SETUPS, FOR HETZNER DATACENTER, PLEASE SEE THE POST ON LXC NETWORK SETUP WITH HETZNER.
then add the lines right before #Capabilities and after the lines of ## Container
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.2.125/24
Also, before we start the container, there are a few things we need to do…
there seems to be an issue with the ssh keys, so what we will do around this issue is copy the keys from the host, (We will generate new ones for the conatiner later)
EXECUTE ON HOST
cp /etc/ssh/ssh_host_dsa_key /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_dsa_key
cp /etc/ssh/ssh_host_dsa_key.pub /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_dsa_key.pub
cp /etc/ssh/ssh_host_ecdsa_key /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_ecdsa_key
cp /etc/ssh/ssh_host_ecdsa_key.pub /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_ecdsa_key.pub
cp /etc/ssh/ssh_host_rsa_key /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_rsa_key
cp /etc/ssh/ssh_host_rsa_key.pub /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_rsa_key.pub
Then, they won’t work without proper permissions
chmod 0600 /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_dsa_key.pub
chmod 0600 /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_ecdsa_key
chmod 0600 /var/lib/lxc/vm33/rootfs/etc/ssh/ssh_host_rsa_key
Now i reboot the server just to be on the safe side, then i do the following
lxc-start -n vm33 -d
lxc-info -n vm33
When you run the command for information, you should see the word RUNNING and a pid.
Just SSH to the host !
Now if you want to create new host keys for SSH just do the following
delete the files
Making LXC auto start at the system boot
The old Way – create a symbolic link, should still work, but i have not tried
ln -s /var/lib/lxc/vm34/config /etc/lxc/auto/vm34_config
The new way that provides better control of the order they are started in.
Set lxc.start.auto == 1 in the config
Then, the following will tell the system what containers to start first, and when