Talk:Linux Containers

@Lahwaacz - While I agree that we don't want to duplicate content in other articles, I feel that providing a working configuration within the article is welcomed for completeness just as we do in the beginners guide. Therefore, a few common set ups are needed in my opinion. See, https://wiki.archlinux.org/index.php?title=Linux_Containers&diff=373914&oldid=373913 Graysky (talk) 19:20, 16 May 2015 (UTC)Reply[reply]

I'm sorry but these two approaches are opposite: we can either avoid duplication or follow the BG style. What is wrong with instructions such as "Create a bridge named ... as described in ..." which is still sufficiently (IMO) complete? -- Lahwaacz (talk) 21:16, 16 May 2015 (UTC)Reply[reply]

I think the article should keep the two examples following the BG style. Just my $0.02. Graysky (talk) 01:24, 17 May 2015 (UTC)Reply[reply]

+1 for merging, the wired network section is practically a copy of Bridge with netctl, I don't see anything specific to Linux Containers here. — Kynikos (talk) 03:33, 18 May 2015 (UTC)Reply[reply]

-1 for merging the network stuff. The examples provided in the article are appropriate. For me as a consumer of information, the Archwiki merges the past couple years have led to more confusing, fragmented articles/how-to's because now, you end up having to flip back and forth between multiple browser tabs, searching entire articles for the one or two bits that relate to what you are actually trying to accomplish, rather than having relevant info provided in context, right where you need/want it. Sure, have the larger, more exhaustive networking article that I can reference for the nitty, gritty details. And I get that that may also be desirable from wiki maintainers perspective. For a user perspective, however, it's much less efficient for me have to search through it all, try to figure out what context is applicable or not, etc. Tough balancing act. I've just been noticing that as of late things that used to be fairly easy and straight forward to follow, no longer are, and require much more jumping around to sort out the bits you're actually looking for. Peace. Kgunders (talk) 17:33, 28 September 2015 (UTC)Reply[reply]

-1 for merging for the reasons nicely articulated by Kgunders. Graysky (talk) 19:11, 28 September 2015 (UTC)Reply[reply]

I was looking at the above-mentined section, and it does not make any sense to me. First, a bridge interface for containers has nothing to do with whether the host uses wired or wireless connection. Why is it necessary to add an external interface to the bridge? The topology of a network for containers, and how it is connected to the internet is a separate issue.

Therefore, I suggest that I rewrite this section by providing an example of an empty bridge interface. Then, it can be NAT'ed or or whatever. I would argue that NAT is the best setup option because it automatically protects containers from possible malicious network traffic. Lisaev (talk) 02:12, 30 November 2016 (UTC)Reply[reply]

Describing this sensibly is difficult because it's not specific to Linux Containers. There is already much info about this on this wiki, see e.g. QEMU#Networking. I think there should be a separate page with the general info about topologies and virtual interfaces, on which other pages could build, adding their specifics etc. -- Lahwaacz (talk) 06:23, 30 November 2016 (UTC)Reply[reply]

I agree. To me, sensibly means what I use most in practice on dosens of containers -- an empty bridge with veth interfaces dynamically created by LXC and NAT'ed behind the host. The point here is not to give a complete overview of all LXC networking capabilities, because LXC documentation is written well enough, but to give a starting working configuration. I agree that it is not the only possible configuration, but I think that in the current form the host network section is unnecessary confusing :) Lisaev (talk) 05:11, 2 December 2016 (UTC)Reply[reply]

Hi, I've added a section on how to enable the legacy lxcbr0 (before i was aware of exactly how talks work. This information was not easy to come by when sitting on a laptop with just WIFI, and if I want it someone else will was the general idea... --Izznogooood (talk) 20:04, 17 October 2017 (UTC)Reply[reply]

LXC documentation is written well enough

Pretty opposite! Manpages are the only official upstream documentation for LXC CLI, and they are just very poor, most lxc-*` commands do not have a proper manpage. Most of them are not but some superficial one-line description of commands' options.

There is also an official "Getting started"[1] manual that explains the very basics.

Arash (talk) 11:14, 25 February 2024 (UTC)Reply[reply]

Apologize: I'm not English mother tongue, it will be very hard for me to have grammatical validation

Since LXC is version 3, the whole templates has been revamped. In order to create container, the choice is now to download the templates from a central place:

[mrakotomandimby@arch-00 arch-00]$ sudo lxc-create -n test -t download
Setting up the GPG keyring
Downloading the image index

---
DIST	RELEASE	ARCH	VARIANT	BUILD
---
...
alpine	edge	amd64	default	20180331_17:50
...
archlinux	current	amd64	default	20180330_01:27
...
centos	7	amd64	default	20180331_02:16
...
debian	jessie	amd64	default	20180330_22:42
...

It will prompt you the Distrubution, Release, then Architecture.

If you prefer the one line version:

[mrakotomandimby@arch-00 ~]$ sudo lxc-create -n test -t download -- --dist archlinux --release current --arch amd64

—This unsigned comment is by Rakotomandimby (talk) 19:30, 31 March 2018‎. Please sign your posts with ~~~~!

I updated the article, please review. Graysky (talk) 11:06, 1 April 2018 (UTC)Reply[reply]

Arch provides archlinux-bootstrap images that can be used when pacman is not available (on non-arch systems or when it is broken). In fact, I think it is the simplest method that other distros should use. I verified this method on Fedora 24 server system.

Any objections if I add this? Lisaev (talk) 02:39, 30 November 2016 (UTC)Reply[reply]

Like the section above, this is not specific to Linux Containers. Bootstrapping Arch is already described in Install_from_existing_Linux#Method_A:_Using_the_bootstrap_image_.28recommended.29, making a container from that should be fairly trivial. Perhaps some links would be enough? -- Lahwaacz (talk) 06:27, 30 November 2016 (UTC)Reply[reply]

Actually, I dodn't know about that section you mentioned :) Yes, then it should be mostly a link... I suggested the edit because on non-arch distros, the default lxc-archlinux template fails if pacman is not found. Of course, this is stupid because pacman is not needed at all! Unfortunately, the archlinux template is a bloated mess of features (even if pacman is present) because it does not have a dedicated maintainer who would block some features, and upstream LXC accepts almost any patch that is formally correct. Hence, I wanted to provide a 5-line set of instructions so that ppl who run non-arch hosts could deploy arch guests witjout building pacman... Lisaev (talk) 05:18, 2 December 2016 (UTC)Reply[reply]

When login to the container with lxc-console -n CONTAINER_NAME a problem with a double tty presents.

The problem can be avoided using lxc-console -n CONTAINER_NAME -t 0 but i don't know if it is a good workaround.

I have added that to the page in the section Basic_usage.

More information on the problem:

• https://github.com/lxc/lxc/issues/484
• https://github.com/lxc/lxc/issues/520

Monty programador (talk) 09:54, 28 February 2017 (UTC)Reply[reply]

"You also need to install Dnsmasq which is a dependency for lxcbr0." This instruction is false, therefor this wiki needs an update. After weeks of trying via the Arch wiki and further asking in IRC, I could not get a working network. Today a Mastodon connection added a blog post with a simple gotcha "Do not install the dnsmasq package. Indeed, dnsmasq-base contains the binary and the doc, whereas dnsmasq also contains the service. However, lxc-net spawns its own dnsmasq process, so if you install dnsmasq, it will run on its own and cause a conflict with lxc-net". They go on to describe the exact error I returned when following the steps described in this Arch wiki.

Essentially DNSMASQ duplicates the call to the network socket. Disabling it, stopping it, and restoring resolv.conf (I'd previously edited to accommodate OpenNIC DNS's) resulted in a working bridged network to the LXC container.

Bunnybooboo (talk) 11:36, 17 February 2018 (UTC)Reply[reply]

In regards to merging with netctl bridge:

I think it is still important to note something about how to set this up here since it is not clear either here or in upstream docs how to setup networking without NAT. IE without lxc-net config.

—This unsigned comment is by Bch24 (talk) 14:36, 2 October 2018‎. Please sign your posts with ~~~~!

Maybe, but that's not a reason to duplicate content of other pages. Use links whenever possible. -- Lahwaacz (talk) 15:50, 3 October 2018 (UTC)Reply[reply]

Following some tests and if I understand correctly these comments, it seems that in order for LXC's control groups to be set up correctly, the pam_cgfs.so PAM module added to /etc/pam.d/system-login needs to be placed after the pam_systemd.so module. Thithib (talk) 21:13, 14 October 2019 (UTC)Reply[reply]

The example seems to be for root, but root doesn't need privileged rights and it's confusing about knowing if we had to do this both for root and user to run from user or that we had to replace all for user. And if we need to replace for user, it's not explained where to get the ID for the user. And it's blurry about if we had to replace the values for default.conf, subuid and /etc/subgid or just subuid and /etc/subgid

—This unsigned comment is by Nsqm (talk) 20:59, 20 April 2020‎. Please sign your posts with ~~~~!

Late reply, but to avoid missunderstandings: I think you missunderstand the concept.

The username for the subuid/gid changes is always root, the reason for this seems to be that it defines the userspace for the root user inside lxd/lxc-containers, see also:

https://ubuntu.com/blog/custom-user-mappings-in-lxd-containers

G3ro (talk) 20:59, 11 October 2020 (UTC) G3roReply[reply]

As of the end of May, 2020, CoreOS Container Linux is officially ended. rkt was a part of CoreOS, and rkt has been declared End Of Project. It is no longer used in Fedora CoreOS or Flatcar Linux.

IMHO, the reference to rkt as a container alternative should be removed. Cmsigler (talk) 12:24, 29 May 2020 (UTC)Reply[reply]

Without objection, I am rewording mention of rkt with reference to End of Project announcement. Cmsigler (talk) 17:20, 5 June 2020 (UTC)Reply[reply]

I am not a LXC user myself, I only use LXD so I can't be sure, but some things here look a bit outdated, for example:

• Xorg program considerations: At least for LXD you can now use "proxy" devices instead, that also allows for using unpriviledged containers. But I don't know if thats possible to replicate under LXC.

So could someone who is an active user of LXC maybe check if something is outdated?

G3ro (talk) 20:33, 13 October 2020 (UTC) G3roReply[reply]

This option allows for using per container maps. https://ubuntu.com/blog/custom-user-mappings-in-lxd-containers

G3ro (talk) 20:56, 14 October 2020 (UTC) G3roReply[reply]

According to Bug 70329 pam_cgfs.so does not support cgroups v2 which are now enabled by default, thus workarounds need to be applied.

Are there any other more recent instructions available? LXC and LXD should support cgroup v2 already (according to LXC 4.0 Release Notes).

G3ro (talk) 18:50, 8 April 2021 (UTC)Reply[reply]

According to the developers, cgroup v2 is not supported in the context of pam_cgfs. See Comment in the official forum. Thus cgroup v1 seems to be the only rather secure alternative.

G3ro (talk) 18:38, 17 April 2021 (UTC)Reply[reply]

I think the instruction specific to unprivileged users running containers, in this section, is completely paralysed! If you read the reference link that is provided with the section[2], you will see that many more steps and configurations are required to create and run a container as an unprivileged user!

Specially setting up setuid(5) and setguid(5) for the user, setting up /etc/lxc/lxc-usernet for the user for the porpuse of setting up network devices, creating $HOME/.config/lxc/default.conf etc.... Some of them are partially described in another section way down this super section.

This section, also describes cgroup subsystem delegation to users, which is already well described in cgroup#User delegation. It does not provide any kind of more information to be merged with cgroup#User delegation and has to be simply removed and referred to the main article!

Arash (talk) 23:45, 27 February 2024 (UTC)Reply[reply]

First, regarding user delegation issue, I suggest removing the duplicate part and refer the reader to the related article/section.

Second, I think Linux Containers#Running containers as non-root user section has to be merged to this section.

Third, instructions about "creating and running unprivileged containers as non-root" can be:

1. Comprehensive
   in this case, no reference link will be required. Since there is only one documentation at upstream about the subject. Which contains no more details.
2. As minimal as possible, and referring to the upstream documentation. For more reading.

I personally was going to do the number one… But now, I think that this project is a fast moving object. It's developing alongside Linux kernel development. And advancing alongside advancement of computing hardware products. So any manual would get deprecated after a while. Or details would not work any more. Or may come newer best practises for that. Most of the current documentations are more suitable for LXC v3<= or v4<=.

However, even if that would not be the case, I personally can't write anything which is more complete than the current manuals of LXC.

Perhaps, the best approach is to suffice referring to LXC official manuals/docs for this section and just document what is not already documented upstream. (Currently, I can see find to be the case)

The only caveat for a link is that it may break. But fixing a broken link is much easier than fixing a whole document.

Arash (talk) 17:35, 28 February 2024 (UTC)Reply[reply]