Last active
September 27, 2018 06:05
-
-
Save genewitch/3370d12dc3c5d3d5ca7c4e3a471d0348 to your computer and use it in GitHub Desktop.
how to do gentoo lxc without any nonsense
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################# INFO / TO-DO | |
| You need to update to the latest stable kernel | |
| this document was written using: 4.14.65-gentoo | |
| and MAKEOPTS="-j40"; using 60% of a 40 core kvm hypervisor | |
| ################################# GENERAL | |
| curl https://wiki.gentoo.org/wiki/LXC#Kernel_options_required | |
| General setup ---> | |
| [*] Control Group support ---> | |
| [*] Freezer cgroup subsystem | |
| [*] Device controller for cgroups | |
| [*] Cpuset support | |
| [*] Include legacy /proc/<pid>/cpuset file | |
| [*] Simple CPU accounting cgroup subsystem | |
| [*] Resource counters | |
| [*] Memory Resource Controller for Control Groups | |
| [*] Memory Resource Controller Swap Extension | |
| [*] Memory Resource Controller Swap Extension enabled by default | |
| [*] Enable perf_event per-cpu per-container group (cgroup) monitoring | |
| [*] Group CPU scheduler ---> | |
| [*] Group scheduling for SCHED_OTHER | |
| [*] Group scheduling for SCHED_RR/FIFO | |
| <*> Block IO controller | |
| -*- Namespaces support | |
| [*] UTS namespace | |
| [*] IPC namespace | |
| [*] User namespace (EXPERIMENTAL) | |
| [*] PID Namespaces | |
| [*] Network namespace | |
| [*] Networking support ---> | |
| Networking options ---> | |
| <M> 802.1d Ethernet Bridging | |
| <M> 802.1Q VLAN Support | |
| Device Drivers ---> | |
| [*] Network device support ---> | |
| <M> MAC-VLAN support (EXPERIMENTAL) | |
| <M> Virtual ethernet pair device | |
| Character devices ---> | |
| -*- Unix98 PTY support | |
| [*] Support multiple instances of devpts | |
| KERNEL namespaces | |
| General Setup | |
| -> Namespaces support | |
| CONFIG_NAMESPACES / "Namespaces" ('General Setup -> Namespaces support') | |
| CONFIG_UTS_NS / "Utsname namespace" ('General Setup -> Namespaces Support / UTS namespace') | |
| CONFIG_IPC_NS / "Ipc namespace" ('General Setup -> Namespaces Support / IPC namesapce') | |
| CONFIG_USER_NS / "User namespace" ('General Setup -> Namespaces Support / User namespace (EXPERIMENTAL)') | |
| CONFIG_PID_NS / "Pid namespace" ('General Setup -> Namespaces Support / PID Namespaces') | |
| CONFIG_NET_NS / "Network namespace" ('General Setup -> Namespaces Support -> Network namespace') | |
| Device Drivers | |
| -> Character devices | |
| -> Unix98 PTY support -> ... | |
| CONFIG_DEVPTS_MULTIPLE_INSTANCES / "Multiple /dev/pts instances" ('Device Drivers -> Character devices -> Unix98 PTY support -> Support multiple instances of devpts') | |
| KERNEL control groups | |
| # -> General Setup -> Control Group support -> ... | |
| CONFIG_CGROUPS / "Cgroup" ('General Setup -> Control Group support') | |
| CONFIG_CGROUP_DEVICE / "Cgroup device" ('General Setup -> Control Group support -> Device controller for cgroups') | |
| CONFIG_CPUSETS / "Cgroup cpuset" | |
| Freezer support | |
| Freezer support allows you to 'freeze' and 'thaw' a running guest, something like 'suspend' under VMware products. It appears to be under heavy development as of October 2010 (LXC list) but is apparently mostly functional. Please add additional notes on this page if you explore further. | |
| CONFIG_CGROUP_FREEZER / "Freeze/thaw support" ('General Setup -> Control Group support -> Freezer cgroup subsystem') | |
| Scheduling options | |
| Scheduling allows you to specify how much hardware access (CPU bandwidth, block device bandwidth, etc.) control groups have. | |
| CONFIG_CGROUP_SCHED / "Cgroup sched" ('General Setup -> Control Group support -> Group CPU scheduler') | |
| FAIR_GROUP_SCHED / "Group scheduling for SCHED_OTHER" ('General Setup -> Control Group support -> Group CPU scheduler -> Group scheduling for SCHED_OTHER') | |
| CONFIG_BLK_CGROUP / "Block IO controller" ('General Setup -> Control Group support -> Block IO controller') | |
| CONFIG_CFQ_GROUP_IOSCHED / "CFQ Group Scheduling support" ('Enable the block layer -> IO Schedulers -> CFQ I/O scheduler -> CFQ Group Scheduling support') | |
| Memory/swap accounting | |
| To measure resource utilization in your guest... | |
| CONFIG_CGROUP_MEM_RES_CTLR / "Cgroup memory controller" ('General Setup -> Control Group support -> Resource counters -> Memory Resource Controller for Control Groups') | |
| If you want to also count swap utilization, also select... | |
| CONFIG_CGROUP_MEM_RES_CTLR_SWAP / "Memory Resource Controller Swap Extension(EXPERIMENTAL)" ('General Setup -> Control Group support -> Resource counters -> Memory Resource Controller for Control Groups -> Memory Resource Controller Swap Extension') | |
| Resource counters were recently removed from the kernel and replaced with page counters which are now automatically selected when the above is selected. Ignore any userland warnings about missing resource counter config. | |
| CPU accounting | |
| This allows you to measure the CPU utilization of your control groups. | |
| CONFIG_CGROUP_CPUACCT / "Cgroup cpu account" ('General Setup -> Control Group support -> Simple CPU accounting cgroup subsystem') | |
| Networking options | |
| Ethernet bridging, veth, macvlan and vlan (802.1q) support are optional, but you probably want at least one of these: | |
| CONFIG_BRIDGE / "802.1d Ethernet Bridging" ('Networking support -> Networking options -> 802.1d Ethernet Bridging') | |
| CONFIG_VETH / "Veth pair device" | |
| CONFIG_MACVLAN / "Macvlan" | |
| CONFIG_VLAN_8021Q / "Vlan" | |
| ################################# SNAPSHOTS | |
| #to create snapshot | |
| lxc-snapshot -n <container name> | |
| # to restore that (first) snapshot to the same container | |
| # WARNING: this seems to replace the config file in /var/lib/lxc/<container name>/config | |
| lxc-snapshot -n <container name> -r snap0 | |
| ################################# NETWORKING | |
| sysctl net.ipv4.ip_forward=1 and/or sysctl net.ipv6.ip_forward=1 (Optionally also set these in /etc/systctl.conf to persist after reboot) | |
| iptables -t nat -A POSTROUTING -o outward-interface -j MASQUERADE (Where outward-interface is the name of the interface that carries traffic to/from the host and the internet, or other destination that you wish to allow the guest to connect to. Different distributions have different ways to persist these iptables rules, but you can use iptables-save >some-ruleset and iptables-restore <some-ruleset on any distribution) | |
| # install the bridge-utils package (gentoo: emerge bridge-utils) | |
| brctl addbr br1 (create a bridge called br0) | |
| brctl setfd br1 0 (set forward delay of zero for optimisation) | |
| ifconfig br1 192.168.33.1 255.255.255.0 (select an address range) | |
| #brctl addif br1 <guest-interface> (add guest to bridge) {this is automatic. -ed. | |
| # lxc-info -n <container name> | |
| # to see that a veth device is available on container | |
| in /var/lib/lxc/<guestname>/config: | |
| lxc.net.0.type = veth | |
| lxc.net.0.flags = up | |
| lxc.net.0.link = br1 | |
| lxc.net.0.ipv4.address = 192.168.33.2 | |
| lxc.net.0.ipv4.gateway = 192.168.33.1 | |
| #ON GUEST: (if not set in the config file above) | |
| #ip addr add 192.168.33.2 dev eth0 | |
| #ip link set eth0 up | |
| #ip route add default via 192.168.33.1 | |
| nano /etc/resolv.conf #make sure the container can reach this nameserver | |
| DONE |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment