linux:lxc
linux:lxc [2018/06/17 11:59] – frank | linux:lxc [2023/09/23 16:16] (aktuell) – [Container erstellen] frank | ||
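--- a/linux:lxc
+++ b/linux:lxc
@@ -1,0 +1,232 @@
+====== LXC ======
+apt-get install lxc
+
+===== Container erstellen =====
+
+lxc-create -n <
+#/
+
+lxc-create -n <
+#/
+
+lxc-create -t download -n bookworm-web -- -d debian -r bookworm -a arm64
+
+alternativ vorhandenen Container (Ordner mit Namen in /
+
+nach dem Erstellen muss das Root-Passwort gesetzt werden
+
+lxc-start -n <
+lxc-attach -n <
+===== Konfiguration =====
+
+/
+<
+# Template used to create this container: /
+# Parameters passed to the template: -r stretch -a armhf
+# Template script checksum (SHA-1): 127e2020d76da79709d5e4e0c7e347f40a6a793b
+# For additional config options, please look at lxc.container.conf(5)
+
+# Uncomment the following line to support nesting containers:
+#
+# (Be aware this has security implications)
+
+#
+lxc.rootfs = /
+lxc.rootfs.backend = dir
+
+# Common configuration
+lxc.include = /
+
+# Container specific configuration
+lxc.tty = 4
+lxc.utsname = stretch
+lxc.arch = armhf
+
+lxc.start.auto = 1
+
+#
+lxc.start.delay = 5
+#
+#
+
+lxc.network.type = veth
+lxc.network.link = lxcbr0
+lxc.network.flags = up
+lxc.network.ipv4 = 10.0.3.10/
+lxc.network.ipv4.gateway = auto
+
+#/var/www
+#
+lxc.mount.entry = /var/www /
+</
+
+bootstrapped Dateisystem in /
+
+in die /
+
+auto eth0
+iface eth0 inet manual
+==== LXCBR0 ====
+
+/
+<
+auto lxcbr0
+iface lxcbr0 inet static
+bridge_ports none
+bridge_fd 0
+bridge_maxwait 0
+address 10.0.3.1
+netmask 255.255.255.0
+</
+
+==== Portforwarding ====
+<
+${ipt} -t nat -A PREROUTING ! -i ppp0 -m addrtype --dst-type LOCAL -p tcp --dport 80 -j DNAT --to-destination 10.0.3.10:
+</
+dies leitet den Port 80 bei Zugriff auf alle Schnittstellen (außer ppp0) auf die IP-Adresse des LXC-Containers weiter
+zum Vergleich...alle Ports (inkl. ppp0) hier für https:
+<
+${ipt} -t nat -A PREROUTING -m addrtype --dst-type LOCAL -p tcp --dport 443 -j DNAT --to-destination 10.0.3.10:
+</
+===== Bedienung =====
+==== starten/
+lxc-start -n <
+lxc-stop -n name
+==== betreten / Befehle ausführen ====
+
+lxc-console -n <
+#strg+a,q zum verlassen
+lxc-attach -n <
+
+==== Kommunikation container/
+
+dieses habe ich via ssh-pubkey realisiert
+
+<code bash>
+#Erstellen eines neuen Schlüssels in dem container
+ssh-keygen -b 4096
+#public-key auf den host übertragen
+ssh-copy-id -i .ssh/
+#testen vom container aus
+ssh -i .ssh/
+</
+
+=== Host ===
+
+/
+
+command="/
+
+/
+<code bash>
+#!/bin/bash
+
+line=$1
+read line
+
+case $line in
+"
+hostname
+;;
+"
+df -h |grep -v tmpfs
+;;
+#...
+esac
+</
+=== Container ===
+
+/
+
+<code bash>
+#!/bin/bash
+#echo $0 $1
+SSHOPT=""
+if [ "
+SSHOPT="
+fi
+
+if [ -n "
+echo "
+fi
+</
+
+== Webserver-Integration ==
+
+/
+<
+www-data ALL=(frank) NOPASSWD: /
+</
+
+index.php
+<code php>
+$ret="";
+echo "<
+$lastline=system ("sudo -u frank /
+//
+$command="
+$output = shell_exec($command);
+$output = explode(PHP_EOL,
+print_r($output);
+// echo "
+echo "</
+</
+
+=== Autologin (qnap) ===
+
+/
+
+[Service]
+ExecStart=-/
+
+==== lxc2 => lxc3 ====
+
+bei Fehlermeldung
+
+Unknown configuration key "
+
+lxc-update-config -c /
+
+grundsätzlich ändert sich folgendes:
+
+<
+< lxc.rootfs = /
+< lxc.rootfs.backend = dir
+---
+> lxc.rootfs.path = /
+
+< lxc.tty = 4
+< lxc.utsname = buster
+---
+> lxc.tty.max = 4
+> lxc.uts.name = buster
+
+< lxc.network.type = veth
+< lxc.network.link = lxcbr0
+< lxc.network.flags = up
+< lxc.network.ipv4 = 10.0.3.10/
+< lxc.network.ipv4.gateway = auto
+---
+> lxc.net.0.type = veth
+> lxc.net.0.link = lxcbr0
+> lxc.net.0.flags = up
+> lxc.net.0.ipv4.address = 10.0.3.10/
+> lxc.net.0.ipv4.gateway = auto
+</
+==== debug ====
+
+lxc-start -Fn buster-web -o debug -l debug
+
+foreground-modus (-F) und debug
+
+==== kein login-prompt mit lxc-console ====
+
+beim Erstellen eines bullseye-containers ist mir das aufgefallen
+
+mit lxc-attach (lxc-attach -n NAME -- login) oder "
+
+# mknod /dev/tty0 c 4 0
+# systemctl restart getty@tty1.service
+# systemctl status getty@tty1.service
+
+https://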
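Review bot: In the host-side forced-command script under `=== Host ===`, `line=$1` is overwritten on the very next line by `read line`, so the assignment is dead and the script dispatches only on a single line read from stdin, ignoring `$1` and `SSH_ORIGINAL_COMMAND` entirely. That stdin-driven allowlist is a sound design, but it should be stated so nobody later starts trusting the argument: replace `line=$1` with `# request is one line on stdin; SSH_ORIGINAL_COMMAND and arguments are deliberately ignored`. The `case` patterns and the `#...` placeholder are cut off in this rendering, so I cannot check the remaining branches; any branch added there should stay an exact-string match with no glob and should not interpolate `$line` into the command it runs. The sudoers line under `== Webserver-Integration ==` and the PHP `$command=` line feeding `shell_exec($command)` are likewise truncated, so whether `$command` carries request data cannot be judged here; if it does, that line, not the sudoers rule, is where the exposure would sit.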