LXC - ether42/bootable-usb GitHub Wiki
Memory accounting
lxc.cgroup.memory.limit_in_bytes = 512M
# lxc.cgroup.memory.memsw.limit_in_bytes = 1G
Sharing a rootfs
Let's create a container that will serve as a base for every other container:
lxc-create -B lvm -n rootfs -t debian --fssize 16G -- -r stretch
# rm -rf /var/lib/lxc/rootfs
This is a shorthand for the lvcreate and debootstrap operations.
Once the example configuration has been backed up for reuse, it could be removed (the rootfs LXC should not be run as it's only a base system).
Create a helper script /etc/lxc/mount.sh, +x:
#!/bin/sh -eu
# LXC invokes this hook as: mount.sh <container name> lxc <hook name>
[ $# -eq 3 ]
name=$1
hook=$3
rootfs=/mnt/lxc/rootfs       # shared base system (overlayfs lowerdir)
lxcfs="/mnt/lxc/$name"       # per-container volume holding the upperdir
if [ "$hook" = pre-start ]; then
    # Mount the base rootfs once; every container shares it.
    if ! mountpoint -q "$rootfs"; then
        mkdir -p "$rootfs"
        mount /dev/lxc/rootfs "$rootfs"
    fi
    # Mount this container's own volume and make sure its upperdir exists.
    if ! mountpoint -q "$lxcfs"; then
        mkdir -p "$lxcfs"
        mount /dev/lxc/"$name" "$lxcfs"
    fi
    mkdir -p "$lxcfs"/delta
elif [ "$hook" = post-stop ]; then
    # Unmount the per-container volume; the shared rootfs stays mounted.
    if mountpoint -q "$lxcfs"; then
        umount "$lxcfs"
    fi
    rmdir "$lxcfs"
fi
The script's arguments are:
$1 is the LXC name
$2 is always lxc
$3 is the hook name
Overlayfs requires three options to correctly function:
lowerdir: /mnt/lxc/rootfs
upperdir: /mnt/lxc/$name/delta
workdir: automatically set up by LXC as ../olwork, relative to the upperdir
workdir and upperdir must be on the same filesystem.
To avoid some typing, create /etc/lxc/mount.conf which will be included in the LXC configuration:
lxc.hook.pre-start = /etc/lxc/mount.sh
lxc.hook.post-stop = /etc/lxc/mount.sh
lxc.rootfs.backend = overlayfs
Creating an overlayed LXC can be done as follows:
lvcreate -L 512MiB -n $name lxc
mkfs.ext3 -L $name /dev/lxc/$name
mkdir /var/lib/lxc/$name
cp /var/lib/lxc/{rootfs,$name}/config
Edit the LXC configuration:
lxc.include = /etc/lxc/mount.conf
lxc.rootfs = overlayfs:/mnt/lxc/rootfs:/mnt/lxc/$name/delta
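The steps above (volume, filesystem, config copy, config edit) wrapped into a script, as an added example that is not part of this wiki or of LXC. It assumes the layout used on this page (volume group lxc, base at /dev/lxc/rootfs, per-container mounts under /mnt/lxc/$name, /etc/lxc/mount.conf) and adds two things of its own: a name check, so that the name is only ever used as a plain LVM volume name and path component, and a sed edit that drops the base config's lxc.rootfs lines and sets lxc.utsname to the new name (the wiki says to edit the config by hand; the utsname line is this example's assumption about what the Debian template writes).

```shell
#!/bin/sh -eu
# Added example, not the ether42/bootable-usb wiki's own script.

# Accept only names usable as an LVM volume name and as a single path
# component (assumption: containers are named like "web" or "db-1").
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the two lines the page says to put into the copied config.
overlay_config() {
    printf 'lxc.include = /etc/lxc/mount.conf\n'
    printf 'lxc.rootfs = overlayfs:/mnt/lxc/rootfs:/mnt/lxc/%s/delta\n' "$1"
}

# Privileged part: lvcreate + mkfs + config, as on the page. Needs root.
create_overlay_lxc() {
    name=$1
    size=${2:-512MiB}
    valid_name "$name" || { echo "invalid container name: $name" >&2; return 1; }
    [ -f /var/lib/lxc/rootfs/config ] || { echo "base config missing" >&2; return 1; }
    [ ! -e "/var/lib/lxc/$name" ] || { echo "$name already exists" >&2; return 1; }
    lvcreate -L "$size" -n "$name" lxc
    mkfs.ext3 -L "$name" "/dev/lxc/$name"
    mkdir "/var/lib/lxc/$name"
    # Copy the base config minus its lxc.rootfs* lines (the backend is set
    # by mount.conf), rename the utsname, then append the overlay settings.
    sed -e '/^lxc\.rootfs/d' \
        -e "s/^lxc\.utsname = .*/lxc.utsname = $name/" \
        /var/lib/lxc/rootfs/config > "/var/lib/lxc/$name/config"
    overlay_config "$name" >> "/var/lib/lxc/$name/config"
}

# Usage: create-overlay.sh NAME [SIZE]
if [ $# -ge 1 ]; then
    create_overlay_lxc "$@"
fi
```

Run it as root on the host; nothing is created when it is called without a name.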
It's safe and advantageous to chroot into the rootfs to modify the default configuration or install packages, but care has to be taken to ensure the overlay doesn't mask the newly added files.
The base rootfs should hold the common configuration (rsyslog, dhclient, ...) and every required service (disabled by default unless it is shared). Each overlay should then only have to configure the hostname, the network and the services it needs.
Note that if a package is installed into an overlayed LXC, the apt/dpkg state in the overlay comes out of sync with the rootfs. It is therefore best to only install packages into the rootfs (which also makes it easier to track which services need to be upgraded).
The same goes for adding users, which may mask the original /etc/passwd and such (FIXME: add OpenLDAP to share non-system users between containers).
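A check for the masking problem described above, as an added example (not part of this wiki): it lists which files in an overlay's upperdir shadow a file of the shared rootfs, so that a base file edited or added after the overlay was created (a dpkg status file, /etc/passwd, a config in /etc) shows up before the container is started. The lower/upper paths are parameters; with this page's layout they are /mnt/lxc/rootfs and /mnt/lxc/$name/delta.

```shell
#!/bin/sh -eu
# Added example, not the ether42/bootable-usb wiki's own script.

# overlay_masked LOWER UPPER
# Prints one line per path in UPPER that hides something in LOWER:
#   "masked   /rel/path"  UPPER has its own copy of a LOWER file
#   "whiteout /rel/path"  UPPER deletes a LOWER file (overlayfs stores
#                         this as a 0/0 character device in the upperdir)
# Directories are merged by overlayfs and are not reported; opaque
# directories (trusted.overlay.opaque xattr) are not handled here.
overlay_masked() {
    [ $# -eq 2 ] || { echo "usage: overlay_masked LOWER UPPER" >&2; return 1; }
    lower=$1
    upper=$2
    (cd "$upper" && find . \( -type f -o -type c \) -print) |
    while IFS= read -r f; do
        rel=${f#./}
        if [ -c "$upper/$rel" ]; then
            # Only a 0/0 char device is an overlayfs whiteout (GNU stat).
            if [ "$(stat -c %t:%T "$upper/$rel")" = 0:0 ]; then
                printf 'whiteout %s\n' "/$rel"
            fi
        elif [ -e "$lower/$rel" ]; then
            printf 'masked   %s\n' "/$rel"
        fi
    done
}

# Usage: overlay-masked.sh LOWER UPPER
if [ $# -eq 2 ]; then
    overlay_masked "$1" "$2"
fi
```

Since mount.sh unmounts the per-container volume in post-stop, mount /dev/lxc/$name by hand (or run this between pre-start and the container's start) and point UPPER at its delta directory; an empty result means the overlay does not hide anything from the base.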
Cleanup
TTY
By default, the Debian LXC template adds 4 getty services to the getty target's dependencies.
If there is no need to connect to multiple consoles, most of them can be disabled with:
for i in 2 3 4; do
systemctl disable getty@tty$i.service
done
This should be enough to keep the services from starting (getty-static's condition on /dev/tty0 should not be met).
FIXME: console-getty, which provides a serial console, is still started even if it's disabled.
Network
/etc/network/interfaces should be set to:
source-directory /etc/network/interfaces.d
Ensure the DHCP client configuration is correct.
Logs
Ensure the syslog configuration is correct.
Other
All services may be listed via systemctl list-unit-files.
systemctl disable apt-daily-upgrade.timer
systemctl disable apt-daily.timer