LXD/LXC Basic Setup
LXD Initial Setup
First add your Linux user to the lxd
group in order to operate with the containers without sudo
– note you nay need to cog-out and log-in.
sudo usermod -aG lxd <user>
Initialize LXD.
lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]: yes
Name of the new storage pool [default=default]: default
Name of the storage backend to use (dir, lvm, zfs, ceph, btrfs) [default=zfs]: dir
Would you like to connect to a MAAS server? (yes/no) [default=no]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]: yes
What should the new bridge be called? [default=lxdbr0]: lxdbr0
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: auto
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: auto
Would you like the LXD server to be available over the network? (yes/no) [default=no]: no
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: yes
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: yes
config: {}
networks:
- config:
ipv4.address: auto
ipv6.address: auto
description: ""
name: lxdbr0
type: ""
project: default
storage_pools:
- config: {}
description: ""
name: default
driver: dir
profiles:
- config: {}
description: ""
devices:
eth0:
name: eth0
network: lxdbr0
type: nic
root:
path: /
pool: default
type: disk
name: default
projects: []
cluster: null
List the available images by the following commands and find the name of an image of a desired distribution – in this case Ubuntu Server 22.04.
lxc image list
lxc image list ubuntu:22.04
lxc image list ubuntu:22.04 | grep x86_64
Install a certain image. We will name the container lxc-webserver
. We will add a capability to the container to run other containers inside, for more details read the article Nested containers in LXD.
lxc launch ubuntu:22.04 lxc-webserver -c security.nesting=true
Creating lxc-webserver
Starting lxc-webserver
In order to add (or remove) the nesting option to an existing LXC, use:
lxc config set lxc-webserver security.nesting true
List the containers available within the LXD in use.
lxc list --columns ns4 # name, state and IPv4
+---------------+---------+-----------------------+
| NAME | STATE | IPV4 |
+---------------+---------+-----------------------+
| lxc-webserver | RUNNING | 10.127.198.222 (eth0) |
+---------------+---------+-----------------------+
Configure the container to obtain a static IP assignment.
lxc config device override lxc-webserver eth0
Device eth0 overridden for lxc-webserver
lxc config device set lxc-webserver eth0 ipv4.address 10.127.198.222 # no output mean everything is fine
lxc restart lxc-webserver
lxc list --columns ns4 | grep eth0 # check the ip
| lxc-webserver | RUNNING | 10.127.198.222 (eth0) |
LXD Basic operation
Restart the service.
sudo snap restart lxd
Mount a host directory to a directory inside a container. Map the permissions.
printf "lxd:$(id -u):1\nroot:$(id -u):1\n" | sudo tee -a /etc/subuid # Allow LXD’s use of our user uid
printf "lxd:$(id -g):1\nroot:$(id -g):1\n" | sudo tee -a /etc/subgid # Allow LXD’s use of our user gid
sudo snap restart lxd # Restart LXD to have it load the new map
printf "uid $(id -u) 1000\ngid $(id -g) 1000" | lxc config set lxc-webserver raw.idmap - # Set a custom map for our container
lxc restart lxc-webserver # Restart the container to have the new map apply
lxc config device add lxc-webserver Git disk source=/home/<user>/Git path=/home/<user>/Git # Mount the directory
Do the actual share (mount) of some directories.
lxc config device add lxc-webserver Git disk source=/home/<user>/Git path=/home/<user>/Git
lxc config device add lxc-webserver VSC disk source=/home/<user>/.vscode-server path=/home/<user>/.vscode-server
References
- Linux containers LXD: Server configuration settings
- Canonical Ubuntu Blog: Custom user mappings in LXD containers
- Canonical Ubuntu Blog: Mounting your home directory in LXD
- Ask Ubuntu: Adding a shared host directory to an LXC/LXD Container (for privileged container)
LXC Basic operations
List available containers.
lxc list
lxc list -c ns4
Login to a container (note lxc-webserver
is a container name).
lxc shell lxc-webserver
Execute a command against the container from the host.
lxc exec lxc-webserver -- apt install apache2
Start, stop or delete container.
lxc (start|stop|delete) container-name
Create a snapshot.
lxc snapshot lxc-webserver snapshot-name
Delete a snapshot.
lxc delete lxc-webserver/snapshot-name
Restore a snapshot.
lxc restore lxc-webserver snapshot-name
Create a backup.
lxc export lxc-webserver ./lxc-webserver-backup.tar.gz
Restore a backup.
lxc import ./lxc-webserver-backup.tar.gz
Get info about the container (and its snapshots at the bottom).
lxc info lxc-webserver
Limit the container's memory usage.
lxc config set lxc-webserver limits.memory 1GB
Auto-start a container.
lxc config set lxc-webserver boot.autostart 1
Set an auto-start delay for a container.
lxc config set lxc-webserver boot.autostart.delay 30
Set an auto-start order number for a container.
lxc config set lxc-database boot.autostart.order 2
lxc config set lxc-webserver boot.autostart.order 3
Disable IPv6 for the containers – reference.
lxc network set lxdbr0 ipv6.address none
Backup LXC Containers
Here are provided notes about backing up the containers,
Local export approach
* */12 * * * /snap/bin/lxc export lxc-webserver $HOME/backups/lxc-webserver-backup.tar.gz >/tmp/crontab.${USER}.lxc-webserver-backup.tar.gz.log 2>&1
The command could be a part of your backup script. Also they say it is better to export a snap shot… Then a remote instance can fetch it by rsync
via SSH.
References
- Linux containers LXD: Backing up a LXD server
- CiberCity: How to move/migrate LXD VM to another host on Linux
- NixCraft: How to backup and restore LXD containers
- StackOverflow: Copy lxd containers between hosts
Remote export approach
In this section, the LXD that is running the actual LXC that we want to backup will be called remote-lxd.host
. The LXD that will fetch (export) the backups will be called local-lxd.host
. Here is used the most simple settings and the connection between the servers will be carry out via SSH tunnel.
1. First, at the remote-lxd.host
run the following command.
lxc config set core.https_address :8443
lxc config set core.trust_password 'p@s$********wD'
2. Then at the local server local-lxd.host
add the necessary entry for a connection with port forwarding of port 8443
in the file ~/.ssh/config
.
nano ~/.ssh/config
Host fwd.remote-lxd.host
HostName 158.113.3.106
IdentityFile ~/.ssh/id_ed25519
User <user>
Port 22
Compression yes
LocalForward 8443 localhost:8443
After that test the connection bi the following commands.
ssh lxd.fwd.metalevel.tech -fTN
sudo netstat -tnupa | grep 8443
3. If everything looks fine, do the Init setup for this instance (answer with no at all questions if wont run local LXCs) and then execute the following command to add the remote server.
# Default auth type: TLS + password; 'mlt' stands for 'metalevel.tech'
lxc remote add mlt 127.0.0.1:8443
ficate fingerprint: 1778ec79530...
ok (y/n/[fingerprint])? y
Admin password for metalevel.tech: ***
Client certificate now trusted by server: mlt
Then you can switch the default remote server and list the running containers as follow.
lxc remote list
lxc remote switch mlt
lxc list
The above procedure must be done for all users that will manipulate the remote instance – in this count the root
account!
In order to export a backup from the remote instance you can perform the following steps.
lxc snapshot mlt:lxc-webserver backup
lxc export mlt:lxc-webserver/backup ./mlt.lxc-webserver.tar.gz
Note you need to have enough space at the remote instance, because the snapshots are created there, also backups before to be moved to the destination place are created there as temporary archive.
lxc export mlt:lxc-webserver ./mlt.lxc-webserver.tar.gz
References
- Linux containers LXD: Advanced guide Introduction, Section: Remote LXD Server
- Linux containers LXD: Backing up a LXD server
- Mi blog lah: How to use LXC remote with the LXD snap
Forward the HTTP Traffic from the LXD host to a LXC via IPTables
First install the iptables-persistent
package and migrate to iptables-nft
.
- RedHat Developers: iptables: The two variants and their relationship with nftables
- Ask Ubuntu: Warning: iptables-legacy tables present
sudo apt install iptables-persistent # iptables-save > /etc/iptables/rules.{v4,v6}
sudo apt install ipset-persistent # ipset save > /etc/ipset/ipsets
sudo update-alternatives --set iptables /usr/sbin/iptables-nft
sudo update-alternatives --remove iptables /usr/sbin/iptables-legacy
sudo modprobe -r iptable_filter iptable_nat iptable_mangle iptable_raw iptable_security
The second step is to add and make persistent the Iptables rules that will redirect the traffic at ports 80
and 433
to the lxc-webserver
container IP 10.127.198.222
. The server has the following IP addresses:
- eth0:
158.113.3.106
: The public address of the server, we are using Floating IP137.112.134.165
for the domainmetalevel.tech
, so we do not expect any traffic at the web ports on this IP. - eth0:
10.14.1.5
: The Floating IP137.112.134.165
redirects everything to this interface so we will forward the traffic at this port. - eth1:
10.123.1.2
: This is the IP in the private virtual network at DigitalOcean – so probably in the future other resources could access the droplet vi this interface so we will forward the traffic at this port.
Here is a template command:
sudo iptables -t nat -I PREROUTING -i $IFACE -p TCP -d $PUBLIC_IP --dport $PORT -j DNAT --to-destination $CONTAINER_IP:$PORT -m comment --comment "forward to lxc-webserver"
It should be executed for each set of the following values.
PORT=80 PUBLIC_IP=10.14.1.5 CONTAINER_IP=10.127.198.222 IFACE=eth0
PORT=443 PUBLIC_IP=10.14.1.5 CONTAINER_IP=10.127.198.222 IFACE=eth0
PORT=80 PUBLIC_IP=10.123.1.2 CONTAINER_IP=10.127.198.222 IFACE=eth0
PORT=443 PUBLIC_IP=10.123.1.2 CONTAINER_IP=10.127.198.222 IFACE=eth0
sudo iptables -t nat -L PREROUTING
# sudo iptables -t nat -F PREROUTING
sudo iptables-save | sudo tee /etc/iptables/rules.v4
# sudo iptables-restore < /etc/iptables/rules.v4
References
- DigitalOcean: How To Install and Configure LXD on Ubuntu 20.04
- Linux containers LXD: Getting Started with LXD
- Canonical Ubuntu Server: LXD
- LearnLinuxTV: Getting started with LXD Containerization (Full Guide!)
- Ask Ubuntu: apt-key deprecation warning when updating system
- Ask Ubuntu: At what point is the ~/.bashrc file created?