LXD

From ArchWiki
Revision as of 11:28, 23 October 2017 by C0rn3j (talk | contribs) (Add link to documentation)

LXD is a container "hypervisor" and a new user experience for Linux Containers.

Setup

Required software

Install LXC and the lxd (AUR) package, then start lxd.service.

Verify that the running kernel is properly configured to run a container:

$ lxc-checkconfig

The safest type of container that LXD can create is unprivileged. This is done by leveraging the Linux kernel's User Namespaces feature. However, due to more general security concerns, the default Arch kernel does not ship with User Namespaces enabled (CONFIG_USER_NS is a kernel compile-time decision). You have three (3) options to use a kernel with CONFIG_USER_NS and thereby create unprivileged containers:

  • Install the linux-hardened kernel package alongside the default linux kernel. When you wish to run unprivileged LXD containers, boot with linux-hardened by selecting it in the bootloader. linux-hardened is compiled with CONFIG_USER_NS. Otherwise, run with linux as normal.
  • Install the linux-userns (AUR) or linux-lts-userns (AUR) packages from the AUR. Both are compiled with CONFIG_USER_NS, the latter being the Long-Term Support version.
  • Compile and install your own custom kernel with CONFIG_USER_NS enabled.
Note: If you decide to run a kernel without User Namespaces, LXD containers will be privileged and that involves some risk (in the event a process escapes the container). See #Launching container without CONFIG_USER_NS below.

Sub{u,g}id configuration

You will need sub{u,g}ids for root, so that LXD can create the unprivileged containers:

$ echo "root:1000000:65536" | sudo tee -a /etc/subuid /etc/subgid

Accessing LXD as an unprivileged user

By default, the LXD daemon grants access to users in the lxd group, so add your user to the group:

# usermod -a -G lxd <user>

LXD Networking

LXD uses LXC's networking capabilities. By default it connects containers to the lxcbr0 network device. Refer to the LXC documentation on network configuration to set up a bridge for your containers.

If you want to use a different interface than lxcbr0, edit the default profile using the lxc command line tool:

$ lxc profile edit default

An editor will open with a config file that by default contains:

name: default
config: {}
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxcbr0
    type: nic

You can set the parent parameter to whichever bridge you want LXD to attach the containers to by default.

Example network configuration

Thanks to @jpic, the LXD package now provides some example networking configuration in /usr/share/lxd/. To use this configuration run the following commands:

$ ln -s /usr/share/lxd/dnsmasq-lxd.conf /etc/dnsmasq-lxd.conf
$ ln -s /usr/share/lxd/systemd/system/dnsmasq@lxd.service /etc/systemd/system/dnsmasq@lxd.service
$ ln -s /usr/share/lxd/netctl/lxd /etc/netctl/lxd
$ ln -s /usr/share/lxd/dbus-1/system.d/dnsmasq-lxd.conf /etc/dbus-1/system.d/dnsmasq-lxd.conf

If you use NetworkManager, also symlink the following file:

$ ln -s /usr/share/lxd/NetworkManager/dnsmasq.d/lxd.conf /etc/NetworkManager/dnsmasq.d/lxd.conf

Change parent: lxcbr0 to parent: lxd:

$ lxc profile edit default

Finally, enable and start dnsmasq@lxd.service and netctl@lxd.service.

If you encounter issues with the provided example configuration, or have suggestions to improve it, please leave a comment on the lxd (AUR) page.

Basic usage

First steps

LXD has two parts, the daemon (the lxd binary), and the client (the lxc binary). Now that the daemon is all configured and running, you can create a container:

$ lxc launch ubuntu:14.04

Alternatively, you can also use a remote LXD host as a source of images. One comes pre-configured in LXD, called "images" (images.linuxcontainers.org):

$ lxc launch images:centos/7/amd64 centos

Advanced usage

Modify processes and files limit

You may want to increase the file descriptor limit or the maximum user processes limit, since the default file descriptor limit is 1024 on Arch Linux:

$ sudo systemctl edit lxd

and add the following configuration:

[Service]
LimitNOFILE=infinity
LimitNPROC=infinity
TasksMax=infinity

Then restart lxd:

$ sudo systemctl restart lxd

Troubleshooting

Launching container without CONFIG_USER_NS

To launch a container on a kernel without User Namespaces, you must set security.privileged=true when creating it:

$ lxc launch ubuntu:16.04 ubuntu -c security.privileged=true

For a container that already exists, edit its config instead:

$ lxc config edit ubuntu
name: ubuntu
profiles:
- default
config:
  ...
  security.privileged: "true"
  ...
devices:
  root:
    path: /
    type: disk
ephemeral: false

Or to enable security.privileged=true for new containers, edit the config for the default profile:

$ lxc profile edit default
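As an added example (not from this ArchWiki page or the LXD project), the POSIX sh audit below checks the prerequisites from #Required software and #Sub{u,g}id configuration and flags containers carrying the security.privileged setting shown above. The paths /proc/config.gz, /etc/subuid and /etc/subgid, and the use of a saved `lxc config show <name>` output file for the container check, are assumptions.

```sh
#!/bin/sh
# Added example: audit whether this host can actually run LXD containers
# unprivileged. Assumes /proc/config.gz, /etc/subuid, /etc/subgid and a
# file holding `lxc config show <name>` output (all assumptions).

# Does a kernel .config (path in $1) enable user namespaces?
# Returns 0 when the line CONFIG_USER_NS=y is present, 1 otherwise.
kernel_has_userns() {
    grep -qx 'CONFIG_USER_NS=y' "$1"
}

# Print the "start:count" range for user $2 from file $1 (format
# user:start:count, as in /etc/subuid). Returns 1 if no entry exists.
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2 ":" $3; found = 1; exit }
                       END { exit (found ? 0 : 1) }' "$1"
}

# Does user $2 own at least $3 ids in file $1? The page reserves 65536
# for root, enough for a full uid/gid map inside one container.
subid_range_ok() {
    range=$(subid_range "$1" "$2") || return 1
    count=${range#*:}
    [ "$count" -ge "$3" ]
}

# Is the container privileged? $1 holds `lxc config show <name>` output;
# this matches the security.privileged: "true" line shown on the page.
container_is_privileged() {
    grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?' "$1"
}

# Live audit of this host: run as `sh audit.sh --live`.
lxd_userns_audit() {
    tmp=$(mktemp) || return 1
    if zcat /proc/config.gz > "$tmp" 2>/dev/null && kernel_has_userns "$tmp"; then
        echo "kernel: CONFIG_USER_NS=y, unprivileged containers possible"
    else
        echo "kernel: CONFIG_USER_NS not set, containers will be privileged"
    fi
    rm -f "$tmp"
    for f in /etc/subuid /etc/subgid; do
        if subid_range_ok "$f" root 65536; then
            echo "$f: root has $(subid_range "$f" root)"
        else
            echo "$f: no usable range for root, see Sub{u,g}id configuration"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then lxd_userns_audit; fi
```

Pipe `lxc config show <name>` into a file and pass it to container_is_privileged to confirm a container is not silently running with security.privileged set.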

See also