Установка и настройка LXC на Centos7

Октябрь 25th, 2016

Evgeniy Kamenev

1.Установка LXС и необходимых утилит

Установка EPEL-репозитария

# yum -y install epel-release

1	# yum -y install epel-release

Установка LXC

# yum install bridge-utils debootstrap lxc lxc-templates

1	# yum install bridge-utils debootstrap lxc lxc-templates

Проверка наличия и расположения cgroup

# mount -l | grep cgroup

1	# mount -l \| grep cgroup

tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)

tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)

cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)

cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)

cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)

cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)

cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)

cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)

cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)

cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)

cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)

cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)

Проверка параметров LXC/корректность установки LXC

# lxc-checkconfig

1	# lxc-checkconfig

Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.0-327.36.2.el7.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Kernel configuration not found at /proc/config.gz; searching...

Kernel configuration found at /boot/config-3.10.0-327.36.2.el7.x86_64

--- Namespaces ---

Namespaces: enabled

Utsname namespace: enabled

Ipc namespace: enabled

Pid namespace: enabled

User namespace: enabled

Network namespace: enabled

Multiple /dev/pts instances: enabled

--- Control groups ---

Cgroup: enabled

Cgroup clone_children flag: enabled

Cgroup device: enabled

Cgroup sched: enabled

Cgroup cpu account: enabled

Cgroup memory controller: enabled

Cgroup cpuset: enabled

--- Misc ---

Veth pair device: enabled

Macvlan: enabled

Vlan: enabled

Bridges: enabled

Advanced netfilter: enabled

CONFIG_NF_NAT_IPV4: enabled

CONFIG_NF_NAT_IPV6: enabled

CONFIG_IP_NF_TARGET_MASQUERADE: enabled

CONFIG_IP6_NF_TARGET_MASQUERADE: enabled

CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled

--- Checkpoint/Restore ---

checkpoint restore: enabled

CONFIG_FHANDLE: enabled

CONFIG_EVENTFD: enabled

CONFIG_EPOLL: enabled

CONFIG_UNIX_DIAG: enabled

CONFIG_INET_DIAG: enabled

CONFIG_PACKET_DIAG: enabled

CONFIG_NETLINK_DIAG: enabled

File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration

usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Просмотр шаблонов, которые могут быть использованы при создании новых контейнеров для различных дистрибутивов и их разновидностей

# rpm -ql lxc-templates | grep templates

1	# rpm -ql lxc-templates \| grep templates

/usr/share/lxc/templates/lxc-alpine
/usr/share/lxc/templates/lxc-altlinux
/usr/share/lxc/templates/lxc-archlinux
/usr/share/lxc/templates/lxc-busybox
/usr/share/lxc/templates/lxc-centos
/usr/share/lxc/templates/lxc-cirros
/usr/share/lxc/templates/lxc-debian
/usr/share/lxc/templates/lxc-download
/usr/share/lxc/templates/lxc-fedora
/usr/share/lxc/templates/lxc-gentoo
/usr/share/lxc/templates/lxc-openmandriva
/usr/share/lxc/templates/lxc-opensuse
/usr/share/lxc/templates/lxc-oracle
/usr/share/lxc/templates/lxc-plamo
/usr/share/lxc/templates/lxc-sshd
/usr/share/lxc/templates/lxc-ubuntu
/usr/share/lxc/templates/lxc-ubuntu-cloud

/usr/share/lxc/templates/lxc-alpine

/usr/share/lxc/templates/lxc-altlinux

/usr/share/lxc/templates/lxc-archlinux

/usr/share/lxc/templates/lxc-busybox

/usr/share/lxc/templates/lxc-centos

/usr/share/lxc/templates/lxc-cirros

/usr/share/lxc/templates/lxc-debian

/usr/share/lxc/templates/lxc-download

/usr/share/lxc/templates/lxc-fedora

/usr/share/lxc/templates/lxc-gentoo

/usr/share/lxc/templates/lxc-openmandriva

/usr/share/lxc/templates/lxc-opensuse

/usr/share/lxc/templates/lxc-oracle

/usr/share/lxc/templates/lxc-plamo

/usr/share/lxc/templates/lxc-sshd

/usr/share/lxc/templates/lxc-ubuntu

/usr/share/lxc/templates/lxc-ubuntu-cloud

Запск и проверка состояния LXC

# systemctl start lxc

1	# systemctl start lxc

# systemctl status lxc

1	# systemctl status lxc

● lxc.service - LXC Container Initialization and Autoboot Code
   Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)
   Active: active (exited) since Mon 2016-10-17 22:29:34 EEST; 16s ago
  Process: 1258 ExecStart=/usr/libexec/lxc/lxc-autostart-helper start (code=exited, status=0/SUCCESS)
  Process: 1250 ExecStartPre=/usr/libexec/lxc/lxc-devsetup (code=exited, status=0/SUCCESS)
 Main PID: 1258 (code=exited, status=0/SUCCESS)

Oct 17 22:29:04 centos71.kamaok.org.ua systemd[1]: Starting LXC Container Initialization and Autoboot Code...
Oct 17 22:29:04 centos71.kamaok.org.ua lxc-devsetup[1250]: Creating /dev/.lxc
Oct 17 22:29:04 centos71.kamaok.org.ua lxc-devsetup[1250]: /dev is devtmpfs
Oct 17 22:29:04 centos71.kamaok.org.ua lxc-devsetup[1250]: Creating /dev/.lxc/user
Oct 17 22:29:34 centos71.kamaok.org.ua lxc-autostart-helper[1258]: Starting LXC autoboot containers:  [  OK  ]
Oct 17 22:29:34 centos71.kamaok.org.ua systemd[1]: Started LXC Container Initialization and Autoboot Code.

● lxc.service - LXC Container Initialization and Autoboot Code

Loaded: loaded (/usr/lib/systemd/system/lxc.service; disabled; vendor preset: disabled)

Active: active (exited) since Mon 2016-10-17 22:29:34 EEST; 16s ago

Process: 1258 ExecStart=/usr/libexec/lxc/lxc-autostart-helper start (code=exited, status=0/SUCCESS)

Process: 1250 ExecStartPre=/usr/libexec/lxc/lxc-devsetup (code=exited, status=0/SUCCESS)

Main PID: 1258 (code=exited, status=0/SUCCESS)

Oct 17 22:29:04 centos71.kamaok.org.ua systemd[1]: Starting LXC Container Initialization and Autoboot Code...

Oct 17 22:29:04 centos71.kamaok.org.ua lxc-devsetup[1250]: Creating /dev/.lxc

Oct 17 22:29:04 centos71.kamaok.org.ua lxc-devsetup[1250]: /dev is devtmpfs

Oct 17 22:29:04 centos71.kamaok.org.ua lxc-devsetup[1250]: Creating /dev/.lxc/user

Oct 17 22:29:34 centos71.kamaok.org.ua lxc-autostart-helper[1258]: Starting LXC autoboot containers: [ OK ]

Oct 17 22:29:34 centos71.kamaok.org.ua systemd[1]: Started LXC Container Initialization and Autoboot Code.

Добавление в автозагрузку LXC

# systemctl enable  lxc

1	# systemctl enable lxc

Created symlink from /etc/systemd/system/multi-user.target.wants/lxc.service to /usr/lib/systemd/system/lxc.service.

1	Created symlink from /etc/systemd/system/multi-user.target.wants/lxc.service to /usr/lib/systemd/system/lxc.service.

2. Создание контейнера

Установка Debian8

# lxc-create -n debian8 -t debian

1	# lxc-create -n debian8 -t debian

debootstrap is /usr/sbin/debootstrap
Checking cache download in /var/cache/lxc/debian/rootfs-jessie-amd64 ...
Downloading debian minimal ...
Download complete.
Copying rootfs to /var/lib/lxc/debian8/rootfs...
……
Root password is 'root', please change !
Generation complete.

debootstrap is /usr/sbin/debootstrap

Checking cache download in /var/cache/lxc/debian/rootfs-jessie-amd64 ...

Downloading debian minimal ...

Download complete.

Copying rootfs to /var/lib/lxc/debian8/rootfs...

……

Root password is 'root', please change !

Generation complete.

Контейнер установлен

Login: root
Password: root

1 2	Login: root Password: root

Установка Centos7

# lxc-create -n centos7 -t centos

1	# lxc-create -n centos7 -t centos

……………
The temporary root password is stored in:
        '/var/lib/lxc/centos7/tmp_root_pass'

……………

The temporary root password is stored in:

'/var/lib/lxc/centos7/tmp_root_pass'

Также пароль можно изменить командой, если контейнер включен

# chroot /var/lib/lxc/centos7/rootfs passwd

1	# chroot /var/lib/lxc/centos7/rootfs passwd

# cat /var/lib/lxc/centos7/tmp_root_pass

1	# cat /var/lib/lxc/centos7/tmp_root_pass

Root-centos7-TewacR

1	Root-centos7-TewacR

Настройка сети на ноде и в контейнере для выпуска контейнеров в Интернет

Использование сетевого стека хост-системы (type = veth)
При запуске контейнера с таким типом сети, на хост-машине создается специальный виртуальный интерфейс (в примере ниже, он называется veth-*). Этот виртуальный интерфейс фактически и использует контейнер для взаимодействия с внешней средой.

Включение маршрутизации

# nano /etc/sysctl.conf

1	# nano /etc/sysctl.conf

net.ipv4.ip_forward = 1

# sysctl -p

1	# sysctl -p

Bridge-режим
Настройка хостовой ноды

# cp /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-br0

1	# cp /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-br0

# nano /etc/sysconfig/network-scripts/ifcfg-ens33

1	# nano /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=ens33
DEVICE=ens33
ONBOOT=yes
BRIDGE=br0

TYPE=Ethernet

BOOTPROTO=none

DEFROUTE=yes

IPV4_FAILURE_FATAL=no

IPV6INIT=no

NAME=ens33

DEVICE=ens33

ONBOOT=yes

BRIDGE=br0

# nano /etc/sysconfig/network-scripts/ifcfg-br0

1	# nano /etc/sysconfig/network-scripts/ifcfg-br0

STP=no
TYPE=Bridge
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=br0
DEVICE=br0
ONBOOT=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
DNS1=8.8.8.8
DNS2=8.8.4.4
DOMAIN=kamaok.org.ua
IPADDR=192.168.1.86
PREFIX=24
GATEWAY=192.168.1.1

STP=no

TYPE=Bridge

BOOTPROTO=none

DEFROUTE=yes

IPV4_FAILURE_FATAL=no

IPV6INIT=no

IPV6_AUTOCONF=yes

IPV6_DEFROUTE=yes

IPV6_FAILURE_FATAL=no

NAME=br0

DEVICE=br0

ONBOOT=yes

IPV6_PEERDNS=yes

IPV6_PEERROUTES=yes

IPV6_PRIVACY=no

DNS1=8.8.8.8

DNS2=8.8.4.4

DOMAIN=kamaok.org.ua

IPADDR=192.168.1.86

PREFIX=24

GATEWAY=192.168.1.1

Перезагрузка ноды

# reboot

# reboot

# ifconfig

1	# ifconfig

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.86  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 00:0c:29:b8:3b:66  txqueuelen 0  (Ethernet)
        RX packets 106  bytes 11117 (10.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 79  bytes 16686 (16.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:b8:3b:66  txqueuelen 1000  (Ethernet)
        RX packets 793  bytes 196543 (191.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 99  bytes 23166 (22.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 12  bytes 1060 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 1060 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 192.168.1.86 netmask 255.255.255.0 broadcast 192.168.1.255

ether 00:0c:29:b8:3b:66 txqueuelen 0 (Ethernet)

RX packets 106 bytes 11117 (10.8 KiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 79 bytes 16686 (16.2 KiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

ether 00:0c:29:b8:3b:66 txqueuelen 1000 (Ethernet)

RX packets 793 bytes 196543 (191.9 KiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 99 bytes 23166 (22.6 KiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0

loop txqueuelen 0 (Local Loopback)

RX packets 12 bytes 1060 (1.0 KiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 12 bytes 1060 (1.0 KiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Настройка контейнера
Настройка конфигурационного файла контейнера(предварительно останавливаем контейнер,если он был ранее запущен)
Debian8

# nano /var/lib/lxc/debian8/config

1	# nano /var/lib/lxc/debian8/config

lxc.network.type = veth
lxc.network.link = br0
lxc.network.veth.pair = veth-01
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.1.10/24
lxc.network.ipv4.gateway = 192.168.1.1
lxc.network.hwaddr = 00:16:3e:12:83:74

lxc.network.type = veth

lxc.network.link = br0

lxc.network.veth.pair = veth-01

lxc.network.flags = up

lxc.network.name = eth0

lxc.network.ipv4 = 192.168.1.10/24

lxc.network.ipv4.gateway = 192.168.1.1

lxc.network.hwaddr = 00:16:3e:12:83:74

# nano /var/lib/lxc/debian8/rootfs/etc/resolv.conf

1	# nano /var/lib/lxc/debian8/rootfs/etc/resolv.conf

nameserver 8.8.8.8
nameserver 8.8.4.4

1 2	nameserver 8.8.8.8 nameserver 8.8.4.4

# nano /var/lib/lxc/debian8/rootfs/etc/network/interfaces

1	# nano /var/lib/lxc/debian8/rootfs/etc/network/interfaces

auto lo
iface lo inet loopback

# auto eth0
# iface eth0 inet dhcp

auto lo

iface lo inet loopback

# auto eth0

# iface eth0 inet dhcp

Запуск контейнера

# lxc-start -n debian8 -d

1	# lxc-start -n debian8 -d

# lxc-info -n debian8
Name:           debian8
State:          RUNNING
PID:            1625
IP:             192.168.1.10
CPU use:        0.11 seconds
BlkIO use:      0 bytes
Memory use:     1.32 MiB
KMem use:       0 bytes
Link:           veth-01
 TX bytes:      15.26 KiB
 RX bytes:      541.96 KiB
 Total bytes:   557.22 KiB

# lxc-info -n debian8

Name: debian8

State: RUNNING

PID: 1625

IP: 192.168.1.10

CPU use: 0.11 seconds

BlkIO use: 0 bytes

Memory use: 1.32 MiB

KMem use: 0 bytes

Link: veth-01

TX bytes: 15.26 KiB

RX bytes: 541.96 KiB

Total bytes: 557.22 KiB

На ноде поднялся интерфейс

veth-01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:e5:bf:76:50:a3  txqueuelen 1000  (Ethernet)
        RX packets 18  bytes 2670 (2.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 1085 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth-01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

ether fe:e5:bf:76:50:a3 txqueuelen 1000 (Ethernet)

RX packets 18 bytes 2670 (2.6 KiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 8 bytes 1085 (1.0 KiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Подключение к консоли контейнера

# lxc-console -n debian8

1	# lxc-console -n debian8

Debian GNU/Linux 8 debian8 tty1

debian8 login: root
Password:
Linux debian8 3.10.0-327.36.2.el7.x86_64 #1 SMP Mon Oct 10 23:08:37 UTC 2016 x86_64

Debian GNU/Linux 8 debian8 tty1

debian8 login: root

Password:

Linux debian8 3.10.0-327.36.2.el7.x86_64 #1 SMP Mon Oct 10 23:08:37 UTC 2016 x86_64

Проверка сети на контейнере Debian и доступ в Интернет с контейнера

# ifconfig

1	# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:16:3e:12:83:74
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe12:8374/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4923 (4.8 KiB)  TX bytes:2950 (2.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0 Link encap:Ethernet HWaddr 00:16:3e:12:83:74

inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0

inet6 addr: fe80::216:3eff:fe12:8374/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:50 errors:0 dropped:0 overruns:0 frame:0

TX packets:22 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:4923 (4.8 KiB) TX bytes:2950 (2.8 KiB)

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:65536 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

# apt-get update && apt-get install iputils-ping

1	# apt-get update && apt-get install iputils-ping

..........
Do you want to continue? [Y/n]

1 2	.......... Do you want to continue? [Y/n]

Настройка сети контейнера с Centos7

# nano /var/lib/lxc/centos7/config

1	# nano /var/lib/lxc/centos7/config

lxc.network.type = veth
lxc.network.link = br0
lxc.network.veth.pair = veth-02
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.1.20/24
lxc.network.ipv4.gateway = 192.168.1.1
lxc.network.hwaddr = fe:4c:c4:c0:00:46

lxc.network.type = veth

lxc.network.link = br0

lxc.network.veth.pair = veth-02

lxc.network.flags = up

lxc.network.name = eth0

lxc.network.ipv4 = 192.168.1.20/24

lxc.network.ipv4.gateway = 192.168.1.1

lxc.network.hwaddr = fe:4c:c4:c0:00:46

# nano /var/lib/lxc/centos7/rootfs/etc/resolv.conf

1	# nano /var/lib/lxc/centos7/rootfs/etc/resolv.conf

nameserver 8.8.8.8
nameserver 8.8.4.4

1 2	nameserver 8.8.8.8 nameserver 8.8.4.4

# nano /var/lib/lxc/centos7/rootfs/etc/sysconfig/network-scripts/ifcfg-eth0

1	# nano /var/lib/lxc/centos7/rootfs/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
……

DEVICE=eth0

BOOTPROTO=none

ONBOOT=yes

……

Запуск контейнера

# lxc-start -n centos7 -d

1	# lxc-start -n centos7 -d

# lxc-info -n centos7

1	# lxc-info -n centos7

Name:           centos7
State:          RUNNING
PID:            1863
IP:             192.168.1.20
CPU use:        0.21 seconds
BlkIO use:      14.95 MiB
Memory use:     8.67 MiB
KMem use:       0 bytes
Link:           veth-02
 TX bytes:      578 bytes
 RX bytes:      0 bytes
 Total bytes:   578 bytes

Name: centos7

State: RUNNING

PID: 1863

IP: 192.168.1.20

CPU use: 0.21 seconds

BlkIO use: 14.95 MiB

Memory use: 8.67 MiB

KMem use: 0 bytes

Link: veth-02

TX bytes: 578 bytes

RX bytes: 0 bytes

Total bytes: 578 bytes

На ноде поднялся интерфейс

veth-02: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:7c:47:ff:a9:7b  txqueuelen 1000  (Ethernet)
        RX packets 5  bytes 418 (418.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth-02: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

ether fe:7c:47:ff:a9:7b txqueuelen 1000 (Ethernet)

RX packets 5 bytes 418 (418.0 B)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 0 bytes 0 (0.0 B)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Подключение к консоли контейнера Centos

# lxc-console -n centos7

1	# lxc-console -n centos7

CentOS Linux 7 (Core)
Kernel 3.10.0-327.36.2.el7.x86_64 on an x86_64
centos7 login: root
Password:
Last login: Mon Oct 17 21:06:07 from 192.168.1.86
[root@centos7 ~]#

CentOS Linux 7 (Core)

Kernel 3.10.0-327.36.2.el7.x86_64 on an x86_64

centos7 login: root

Password:

Last login: Mon Oct 17 21:06:07 from 192.168.1.86

[root@centos7 ~]#

Проверка сети на контейнере Centos и доступ в Интернет с контейнера

# ip addr show

1	# ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fe:4c:c4:c0:00:46 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fc4c:c4ff:fec0:46/64 scope link
       valid_lft forever preferred_lft forever

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

valid_lft forever preferred_lft forever

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether fe:4c:c4:c0:00:46 brd ff:ff:ff:ff:ff:ff link-netnsid 0

inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0

valid_lft forever preferred_lft forever

inet6 fe80::fc4c:c4ff:fec0:46/64 scope link

valid_lft forever preferred_lft forever

# ping i.ua

1	# ping i.ua

PING i.ua (91.198.36.14) 56(84) bytes of data.
64 bytes from www.i.ua (91.198.36.14): icmp_seq=1 ttl=44 time=39.1 ms
....

PING i.ua (91.198.36.14) 56(84) bytes of data.

64 bytes from www.i.ua (91.198.36.14): icmp_seq=1 ttl=44 time=39.1 ms

....

NAT-режим

Настройка хостовой ноды

# nano /etc/sysconfig/network-scripts/ifcfg-ens33

1	# nano /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=ens33
UUID=3d050167-31ae-4c68-9404-d2de5d8c7c70
DEVICE=ens33
ONBOOT=yes
DNS1=8.8.8.8
DNS2=8.8.4.4
DOMAIN=kamaok.org.ua
IPADDR=192.168.1.86
PREFIX=24
GATEWAY=192.168.1.1

TYPE=Ethernet

BOOTPROTO=none

DEFROUTE=yes

IPV4_FAILURE_FATAL=no

IPV6INIT=no

NAME=ens33

UUID=3d050167-31ae-4c68-9404-d2de5d8c7c70

DEVICE=ens33

ONBOOT=yes

DNS1=8.8.8.8

DNS2=8.8.4.4

DOMAIN=kamaok.org.ua

IPADDR=192.168.1.86

PREFIX=24

GATEWAY=192.168.1.1

# nano /etc/sysconfig/network-scripts/ifcfg-br0-nat

1	# nano /etc/sysconfig/network-scripts/ifcfg-br0-nat

STP=no
TYPE=Bridge
BOOTPROTO=static
NAME=lxc-bridge-nat
DEVICE=lxc-bridge-nat
ONBOOT=yes
IPADDR=192.168.10.86
PREFIX=24

STP=no

TYPE=Bridge

BOOTPROTO=static

NAME=lxc-bridge-nat

DEVICE=lxc-bridge-nat

ONBOOT=yes

IPADDR=192.168.10.86

PREFIX=24

Перезагружаем ноду

# reboot

# reboot

# ifconfig

1	# ifconfig

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.86  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 00:0c:29:b8:3b:66  txqueuelen 1000  (Ethernet)
        RX packets 65  bytes 8579 (8.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 63  bytes 10711 (10.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 4  bytes 340 (340.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 340 (340.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lxc-bridge-nat: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.10.86  netmask 255.255.255.0  broadcast 192.168.10.255
        ether be:cc:58:d3:d7:f9  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1  bytes 42 (42.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 192.168.1.86 netmask 255.255.255.0 broadcast 192.168.1.255

ether 00:0c:29:b8:3b:66 txqueuelen 1000 (Ethernet)

RX packets 65 bytes 8579 (8.3 KiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 63 bytes 10711 (10.4 KiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0

loop txqueuelen 0 (Local Loopback)

RX packets 4 bytes 340 (340.0 B)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 4 bytes 340 (340.0 B)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lxc-bridge-nat: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500

inet 192.168.10.86 netmask 255.255.255.0 broadcast 192.168.10.255

ether be:cc:58:d3:d7:f9 txqueuelen 0 (Ethernet)

RX packets 0 bytes 0 (0.0 B)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 1 bytes 42 (42.0 B)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Настройка iptables

# yum install iptables iptables-services

1	# yum install iptables iptables-services

# iptables -t nat -A POSTROUTING -o ens33 -s 192.168.10.0/24 -j SNAT --to-source 192.168.1.86

1	# iptables -t nat -A POSTROUTING -o ens33 -s 192.168.10.0/24 -j SNAT --to-source 192.168.1.86

Или, если внешний адрес нода получает динамически

# iptables -t nat -A POSTROUTING -o ens33 -s 192.168.10.0/24 -j MASQUERADE

1	# iptables -t nat -A POSTROUTING -o ens33 -s 192.168.10.0/24 -j MASQUERADE

# service iptables save && systemctl restart iptables

1	# service iptables save && systemctl restart iptables

Настройка конфигурационного файла контейнера Debian
(предварительно останавливаем контейнер,если он был ранее запущен)

Debian8

# nano /var/lib/lxc/debian8/config

1	# nano /var/lib/lxc/debian8/config

lxc.network.type = veth
lxc.network.link = lxc-bridge-nat
lxc.network.veth.pair = veth-01
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.10.10/24
lxc.network.ipv4.gateway = 192.168.10.86
lxc.network.hwaddr = 00:16:3e:12:83:74

lxc.network.type = veth

lxc.network.link = lxc-bridge-nat

lxc.network.veth.pair = veth-01

lxc.network.flags = up

lxc.network.name = eth0

lxc.network.ipv4 = 192.168.10.10/24

lxc.network.ipv4.gateway = 192.168.10.86

lxc.network.hwaddr = 00:16:3e:12:83:74

В результате, данный контейнер должен получить при старте ip=192.168.10.10 и через шлюз 192.168.10.86, и далее через 192.168.1.86 — выход в сеть.

# lxc-start -n debian8 -d

1	# lxc-start -n debian8 -d

На ноде поднялся интерфейс

veth-01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:e2:ae:0b:14:49  txqueuelen 1000  (Ethernet)
        RX packets 11  bytes 830 (830.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 182 (182.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth-01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

ether fe:e2:ae:0b:14:49 txqueuelen 1000 (Ethernet)

RX packets 11 bytes 830 (830.0 B)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 3 bytes 182 (182.0 B)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Подключение к консоли контейнера Debian

# lxc-console -n debian8

1	# lxc-console -n debian8

Проверка сети на контейнере Debian и доступ в Интернет с контейнера

root@debian8:~# ifconfig

1	root@debian8:~# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:16:3e:12:83:74
          inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe12:8374/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0 Link encap:Ethernet HWaddr 00:16:3e:12:83:74

inet addr:192.168.10.10 Bcast:192.168.10.255 Mask:255.255.255.0

inet6 addr: fe80::216:3eff:fe12:8374/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:8 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING MTU:65536 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

# ping i.ua

1	# ping i.ua

PING i.ua (91.198.36.14) 56(84) bytes of data.
64 bytes from www.i.ua (91.198.36.14): icmp_seq=1 ttl=43 time=38.9 ms
...

PING i.ua (91.198.36.14) 56(84) bytes of data.

64 bytes from www.i.ua (91.198.36.14): icmp_seq=1 ttl=43 time=38.9 ms

...

Настройка конфигурационного файла контейнера Centos
(предварительно останавливаем контейнер,если он был ранее запущен)

# nano /var/lib/lxc/centos7/config

1	# nano /var/lib/lxc/centos7/config

lxc.network.type = veth
lxc.network.link = lxc-bridge-nat
lxc.network.veth.pair = veth-02
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.ipv4 = 192.168.10.20/24
lxc.network.ipv4.gateway = 192.168.10.86
lxc.network.hwaddr = fe:4c:c4:c0:00:46

lxc.network.type = veth

lxc.network.link = lxc-bridge-nat

lxc.network.veth.pair = veth-02

lxc.network.flags = up

lxc.network.name = eth0

lxc.network.ipv4 = 192.168.10.20/24

lxc.network.ipv4.gateway = 192.168.10.86

lxc.network.hwaddr = fe:4c:c4:c0:00:46

В результате, данный контейнер должен получить при старте ip=192.168.10.20 и через шлюз 192.168.10.86, и далее через 192.168.1.86 — выход в сеть.

# lxc-start -n centos7 -d

1	# lxc-start -n centos7 -d

Подключение к консоли контейнера Centos

# lxc-console -n centos7

1	# lxc-console -n centos7

Проверка сети на контейнере Centos и доступ в Интернет с контейнера

# ip addr show

1	# ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fe:4c:c4:c0:00:46 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.10.20/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fc4c:c4ff:fec0:46/64 scope link
       valid_lft forever preferred_lft forever

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

valid_lft forever preferred_lft forever

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether fe:4c:c4:c0:00:46 brd ff:ff:ff:ff:ff:ff link-netnsid 0

inet 192.168.10.20/24 brd 192.168.10.255 scope global eth0

valid_lft forever preferred_lft forever

inet6 fe80::fc4c:c4ff:fec0:46/64 scope link

valid_lft forever preferred_lft forever

# ping i.ua

1	# ping i.ua

PING i.ua (91.198.36.14) 56(84) bytes of data.
64 bytes from www.i.ua (91.198.36.14): icmp_seq=1 ttl=43 time=39.3 ms
...

PING i.ua (91.198.36.14) 56(84) bytes of data.

64 bytes from www.i.ua (91.198.36.14): icmp_seq=1 ttl=43 time=39.3 ms

...

Полезные команды LXC и ограничение ресурсов контейнера с помощью lxc-cgroup были рассмотрены в статьях
Установка и настройка LXC на Debian8
Установка и настройка LXC на Ubuntu14

Источник:

http://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-linux-container-with-lxc-on-centos-7-rhel-7.html
http://www.tecmint.com/install-create-run-lxc-linux-containers-on-centos/
http://www.thegeekstuff.com/2016/01/create-lxc-containers/

Опубликовано в рубрике Centos, Virtualization

Метки: container, LXC, virtualization

Комментирование и размещение ссылок запрещено.

Комментарии закрыты.

Установка и настройка LXC на Centos7

Страницы

Свежие записи

Архивы

Рубрики

Админ-панель