Example using only netctl
@Lahwaacz - While I agree that we don't want to duplicate content in other articles, I feel that providing a working configuration within the article is welcomed for completeness just as we do in the beginners guide. Therefore, a few common set ups are needed in my opinion. See, https://wiki.archlinux.org/index.php?title=Linux_Containers&diff=373914&oldid=373913 Graysky (talk) 19:20, 16 May 2015 (UTC)
- I'm sorry but these two approaches are opposite: we can either avoid duplication or follow the BG style. What is wrong with instructions such as "Create a bridge named ... as described in ..." which is still sufficiently (IMO) complete? -- Lahwaacz (talk) 21:16, 16 May 2015 (UTC)
- -1 for merging the network stuff. The examples provided in the article are appropriate. For me as a consumer of information, the Archwiki merges the past couple years have led to more confusing, fragmented articles/how-to's because now, you end up having to flip back and forth between multiple browser tabs, searching entire articles for the one or two bits that relate to what you are actually trying to accomplish, rather than having relevant info provided in context, right where you need/want it. Sure, have the larger, more exhaustive networking article that I can reference for the nitty, gritty details. And I get that that may also be desirable from wiki maintainers perspective. For a user perspective, however, it's much less efficient for me have to search through it all, try to figure out what context is applicable or not, etc. Tough balancing act. I've just been noticing that as of late things that used to be fairly easy and straight forward to follow, no longer are, and require much more jumping around to sort out the bits you're actually looking for. Peace. Kgunders (talk) 17:33, 28 September 2015 (UTC)
Rewrite a section about "Host network configuration"
I was looking at the above-mentined section, and it does not make any sense to me. First, a bridge interface for containers has nothing to do with whether the host uses wired or wireless connection. Why is it necessary to add an external interface to the bridge? The topology of a network for containers, and how it is connected to the internet is a separate issue.
Therefore, I suggest that I rewrite this section by providing an example of an empty bridge interface. Then, it can be NAT'ed or or whatever. I would argue that NAT is the best setup option because it automatically protects containers from possible malicious network traffic. Lisaev (talk) 02:12, 30 November 2016 (UTC)
- Describing this sensibly is difficult because it's not specific to Linux Containers. There is already much info about this on this wiki, see e.g. QEMU#Networking. I think there should be a separate page with the general info about topologies and virtual interfaces, on which other pages could build, adding their specifics etc. -- Lahwaacz (talk) 06:23, 30 November 2016 (UTC)
- I agree. To me, sensibly means what I use most in practice on dosens of containers -- an empty bridge with veth interfaces dynamically created by LXC and NAT'ed behind the host. The point here is not to give a complete overview of all LXC networking capabilities, because LXC documentation is written well enough, but to give a starting working configuration. I agree that it is not the only possible configuration, but I think that in the current form the host network section is unnecessary confusing :) Lisaev (talk) 05:11, 2 December 2016 (UTC)
Rewrite the section "Container creation"
Apologize: I'm not English mother tongue, it will be very hard for me to have grammatical validation
Since LXC is version 3, the whole templates has been revamped. In order to create container, the choice is now to download the templates from a central place:
[mrakotomandimby@arch-00 arch-00]$ sudo lxc-create -n test -t download Setting up the GPG keyring Downloading the image index --- DIST RELEASE ARCH VARIANT BUILD --- ... alpine edge amd64 default 20180331_17:50 ... archlinux current amd64 default 20180330_01:27 ... centos 7 amd64 default 20180331_02:16 ... debian jessie amd64 default 20180330_22:42 ...
It will prompt you the Distrubution, Release, then Architecture.
If you prefer the one line version:
[mrakotomandimby@arch-00 ~]$ sudo lxc-create -n test -t download -- --dist archlinux --release current --arch amd64
Append the section "Container creation" with archlinux-bootstrap images
Arch provides archlinux-bootstrap images that can be used when pacman is not available (on non-arch systems or when it is broken). In fact, I think it is the simplest method that other distros should use. I verified this method on Fedora 24 server system.
- Like the section above, this is not specific to Linux Containers. Bootstrapping Arch is already described in Install_from_existing_Linux#Method_A:_Using_the_bootstrap_image_.28recommended.29, making a container from that should be fairly trivial. Perhaps some links would be enough? -- Lahwaacz (talk) 06:27, 30 November 2016 (UTC)
- Actually, I dodn't know about that section you mentioned :) Yes, then it should be mostly a link... I suggested the edit because on non-arch distros, the default lxc-archlinux template fails if pacman is not found. Of course, this is stupid because pacman is not needed at all! Unfortunately, the archlinux template is a bloated mess of features (even if pacman is present) because it does not have a dedicated maintainer who would block some features, and upstream LXC accepts almost any patch that is formally correct. Hence, I wanted to provide a 5-line set of instructions so that ppl who run non-arch hosts could deploy arch guests witjout building pacman... Lisaev (talk) 05:18, 2 December 2016 (UTC)
When login to the container with lxc-console -n CONTAINER_NAME a problem with a double tty presents.
The problem can be avoided using lxc-console -n CONTAINER_NAME -t 0 but i don't know if it is a good workaround.
I have added that to the page in the section Basic_usage.
More information on the problem:
"You also need to install Dnsmasq which is a dependency for lxcbr0." This instruction is false, therefor this wiki needs an update. After weeks of trying via the Arch wiki and further asking in IRC, I could not get a working network. Today a Mastodon connection added a blog post with a simple gotcha "Do not install the dnsmasq package. Indeed, dnsmasq-base contains the binary and the doc, whereas dnsmasq also contains the service. However, lxc-net spawns its own dnsmasq process, so if you install dnsmasq, it will run on its own and cause a conflict with lxc-net". They go on to describe the exact error I returned when following the steps described in this Arch wiki.
Essentially DNSMASQ duplicates the call to the network socket. Disabling it, stopping it, and restoring resolv.conf (I'd previously edited to accommodate OpenNIC DNS's) resulted in a working bridged network to the LXC container.
What does not work, "if using unprivileged containers"
At the end of section "Xorg program considerations (optional)" it says "Note: This will not work if using unprivileged containers." Does that refer to the entire section (i.e., "Xorg programs cannot be run from unprivileged containers") or does it refer to just a certain part of that section?
If it applies to the entire section, I'd vote for moving that note just below the corresponding heading.
- Just tried it with unprivileged containers and all of it seems to work, albeit with linux-hardened -- malet (talk) 21:30, 18 August 2019 (UTC)
Alternate Network - Bridge on same network as host
In regards to merging with netctl bridge:
I think it is still important to note something about how to set this up here since it is not clear either here or in upstream docs how to setup networking without NAT. IE without lxc-net config.
- Maybe, but that's not a reason to duplicate content of other pages. Use links whenever possible. -- Lahwaacz (talk) 15:50, 3 October 2018 (UTC)
Position of the control groups PAM module
Following some tests and if I understand correctly these comments, it seems that in order for LXC's control groups to be set up correctly, the
pam_cgfs.so PAM module added to
/etc/pam.d/system-login needs to be placed after the
pam_systemd.so module. Thithib (talk) 21:13, 14 October 2019 (UTC)
2.1.1. for non root user
The example seems to be for root, but root doesn't need privileged rights and it's confusing about knowing if we had to do this both for root and user to run from user or that we had to replace all for user. And if we need to replace for user, it's not explained where to get the ID for the user. And it's blurry about if we had to replace the values for default.conf, subuid and /etc/subgid or just subuid and /etc/subgid
- Late reply, but to avoid missunderstandings: I think you missunderstand the concept.
- The username for the subuid/gid changes is always root, the reason for this seems to be that it defines the userspace for the root user inside lxd/lxc-containers, see also:
PLEASE NOTE: rkt is officially End Of Project-ed
- Without objection, I am rewording mention of rkt with reference to End of Project announcement. Cmsigler (talk) 17:20, 5 June 2020 (UTC)
Check for update?
I am not a LXC user myself, I only use LXD so I can't be sure, but some things here look a bit outdated, for example:
- Xorg program considerations: At least for LXD you can now use "proxy" devices instead, that also allows for using unpriviledged containers. But I don't know if thats possible to replicate under LXC.
So could someone who is an active user of LXC maybe check if something is outdated?
Add instructions for custom user mappings?
This option allows for using per container maps. https://ubuntu.com/blog/custom-user-mappings-in-lxd-containers
pam_cgfs.so instructions outdated
According to Bug 70329 pam_cgfs.so does not support cgroups v2 which are now enabled by default, thus workarounds need to be applied.
Are there any other more recent instructions available? LXC and LXD should support cgroup v2 already (according to LXC 4.0 Release Notes).
- According to the developers, cgroup v2 is not supported in the context of pam_cgfs. See Comment in the official forum. Thus cgroup v1 seems to be the only rather secure alternative.