Linux Containers (LXC) are the basic building blocks of my FreedomBox architecture. This article shows how the network must be configured to support LXC, and how DHCP and DNS are used to support the LXC infrastructure. After installing LXC, a simple script can be run to create LXC containers that are fully integrated into a local DNS domain (you can use: ssh firstname.lastname@example.org).
My FreedomBox uses Debian GNU/Linux in combination with LXC virtual machines. This article only describes a Debian configuration.
This article describes the installation of a local DHCP/DNS combination which must be the only DHCP/DNS service in the configured network segment. All other DHCP/DNS services (hint: on the router) must be disabled. The FreedomBox must be able to use a static IP address.
Some of the procedures in this article are not without risk, and I cannot guarantee the accuracy of all the information in it. If you follow any of the procedures mentioned here, you do so at your own risk.
The main risk is losing the network connection to your box. If this happens, and ssh is the only way you can connect to your box, the only way to correct the problem is to take out the hard disk and connect it to another Linux machine so you can edit the network configuration.
Preparing the network interface.
Each LXC container adds a virtual network interface (card) to your system. To connect multiple network interfaces you have to create a network bridge. Network bridges are very simple: if one network card does not know how to reach a specific IP address, it asks all the other cards in the bridge whether they can reach it. A positive response is remembered by the bridge. If no card can reach the address, the gateway is used.
You can create a network bridge by:
apt-get install bridge-utils
The default /etc/network/interfaces, with eth0 configured by DHCP, looks like this:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
Replace it with a bridge br0 that has eth0 as its only port and a static address:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto br0
iface br0 inet static
    bridge_ports eth0
    bridge_fd 0
    address 192.168.1.3
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
I am using the 192.168.1.0/24 network. Remember to change these addresses if your router uses another network.
WARNING: Double-check /etc/network/interfaces. Restarting the network makes you lose your connection, and mistakes in the configuration may prevent you from connecting to your box again. If this happens you have to connect the hard disk to another GNU/Linux computer to correct the problem.
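Because a mistake in this file on an ssh-only box means pulling the disk, it is worth checking the new stanza mechanically and arming a timed rollback before restarting. The following shell script is an added example and not part of the original article: it assumes the bridge is named br0 with the address, netmask and gateway used above, that you pass in the path of a backup copy of the old interfaces file, and that networking is restarted with the Squeeze-era /etc/init.d/networking restart.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the br0 stanza
# in /etc/network/interfaces before restarting networking, and arm a timed
# rollback so a typo does not lock you out of an ssh-only box.
# Assumed: the bridge is called br0, and the restart command is the
# Squeeze-era "/etc/init.d/networking restart".

# Dotted-quad IPv4 address -> integer (POSIX sh arithmetic).
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Print one option (address, netmask, gateway, bridge_ports, ...) from the
# "iface br0 inet static" stanza of the given interfaces file.
br0_opt() {
  awk -v key="$2" '
    /^iface /           { in_br0 = ($2 == "br0") }
    in_br0 && $1 == key { print $2; exit }
  ' "$1"
}

# Return 0 if the file describes a usable static bridge, 1 otherwise.
check_interfaces() {
  file=$1
  grep -q '^auto br0' "$file" || return 1        # bridge must come up at boot
  addr=$(br0_opt "$file" address)
  mask=$(br0_opt "$file" netmask)
  gw=$(br0_opt "$file" gateway)
  ports=$(br0_opt "$file" bridge_ports)
  [ -n "$addr" ] && [ -n "$mask" ] && [ -n "$gw" ] && [ -n "$ports" ] || return 1
  [ "$addr" != "$gw" ] || return 1               # box must not claim the router's address
  # The gateway is only reachable if it sits in the same subnet as the address.
  m=$(ip2int "$mask")
  [ $(( $(ip2int "$addr") & m )) -eq $(( $(ip2int "$gw") & m )) ] || return 1
  return 0
}

# Arm a rollback: unless the printed PID is killed within $2 seconds (after you
# have reconnected to the new address), the backup is restored and networking
# is restarted with the old configuration.
arm_rollback() {
  backup=$1
  delay=${2:-120}
  ( sleep "$delay" && cp "$backup" /etc/network/interfaces \
      && /etc/init.d/networking restart ) >/dev/null 2>&1 &
  echo $!
}

# Typical use on the box, as root:
#   cp /etc/network/interfaces /etc/network/interfaces.bak
#   check_interfaces /etc/network/interfaces || echo "fix the configuration first"
#   pid=$(arm_rollback /etc/network/interfaces.bak 120)
#   /etc/init.d/networking restart
#   ... reconnect to 192.168.1.3 within two minutes, then: kill $pid
```

The rollback timer is the part that matters: if the new stanza looks fine to the checker but still fails (wrong cable, a typo the checker cannot see), the box comes back on its old address after the delay instead of staying unreachable.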
Restart the network.
You lose your network connection...
Connect to the new address.
I like domain names. What I want for my local LXC network is an integrated DHCP/DNS combination: after the DHCP server hands out an address, the address must be communicated to a DNS server that binds it to a domain name. Fortunately there is a package that does exactly this: dnsmasq. It's ideal – lightweight, powerful and very easy to configure!
apt-get install dnsmasq
In /etc/dnsmasq.conf, find the following commented-out settings and replace each of them with the setting shown below it:
#resolv-file=
resolv-file=/etc/resolv_router.conf

#local=/localnet/
local=/box/

#expand-hosts
expand-hosts

#domain=thekelleys.org.uk
domain=freedom.box

#dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-range=192.168.1.50,192.168.1.250,12h

#dhcp-option=3,220.127.116.11
dhcp-option=3,192.168.1.1
Change the name server. Keep a copy of the router's resolv.conf for dnsmasq to read its upstream servers from (the resolv-file set above), then point the box itself at dnsmasq:

cd /etc
cp resolv.conf resolv_router.conf

Edit resolv.conf and change the nameserver IP address to 192.168.1.3.
This configuration creates the freedom.box domain. If you use my LXC installation script to create an LXC container named “helloworld”, you can use helloworld.freedom.box to get its IP address.
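The dnsmasq settings and the bridge configuration have to agree: the pool 192.168.1.50 to 192.168.1.250 must lie inside 192.168.1.0/24, must not contain the box (192.168.1.3) or the router (192.168.1.1), option 3 must advertise the router, and the resolv-file must be something other than /etc/resolv.conf, which now points back at the box itself. The shell check below is an added example, not part of the article; it takes the configuration file and the addresses as arguments, and /etc/dnsmasq.conf is assumed as the file dnsmasq reads.

```shell
#!/bin/sh
# Added example (not part of the original article): check that dnsmasq.conf
# is consistent with the static bridge configuration.
# Assumed: /etc/dnsmasq.conf is the configuration file; the box's address,
# the router's address and the netmask are passed in as arguments.

# Dotted-quad IPv4 address -> integer (POSIX sh arithmetic).
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# First uncommented "KEY=value" line of a dnsmasq.conf; commented lines
# ("#resolv-file=") do not match because of the leading "#".
conf_val() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_dnsmasq CONF BOX_IP GATEWAY_IP NETMASK -> 0 if consistent, 1 otherwise
check_dnsmasq() {
  conf=$1 box=$2 gw=$3 mask=$4
  range=$(conf_val "$conf" dhcp-range)
  [ -n "$range" ] || { echo "no dhcp-range" >&2; return 1; }
  # dhcp-range=LOW,HIGH[,LEASETIME]
  lo=${range%%,*}; rest=${range#*,}; hi=${rest%%,*}
  lo_i=$(ip2int "$lo"); hi_i=$(ip2int "$hi")
  box_i=$(ip2int "$box"); gw_i=$(ip2int "$gw"); m=$(ip2int "$mask")
  net=$(( box_i & m ))
  [ "$lo_i" -le "$hi_i" ] || { echo "dhcp-range start is above its end" >&2; return 1; }
  [ $(( lo_i & m )) -eq "$net" ] && [ $(( hi_i & m )) -eq "$net" ] \
      || { echo "dhcp-range lies outside the bridge subnet" >&2; return 1; }
  # The pool must not hand out the box's own address or the router's.
  for static_i in "$box_i" "$gw_i"; do
    [ "$static_i" -lt "$lo_i" ] || [ "$static_i" -gt "$hi_i" ] \
        || { echo "dhcp-range overlaps a static address" >&2; return 1; }
  done
  opt3=$(sed -n 's/^dhcp-option=3,//p' "$conf" | head -n 1)
  [ "$opt3" = "$gw" ] || { echo "dhcp-option=3 does not advertise $gw" >&2; return 1; }
  rf=$(conf_val "$conf" resolv-file)
  [ -n "$rf" ] && [ "$rf" != /etc/resolv.conf ] \
      || { echo "resolv-file must not be the resolv.conf that points at this box" >&2; return 1; }
  [ -n "$(conf_val "$conf" domain)" ] || { echo "no domain= set" >&2; return 1; }
  return 0
}

# On the box:
#   check_dnsmasq /etc/dnsmasq.conf 192.168.1.3 192.168.1.1 255.255.255.0 \
#     && /etc/init.d/dnsmasq restart
```

The overlap check is the one that bites in practice: a pool that starts at 192.168.1.2 would eventually lease the box's own address to a container, and the rest of the article (ssh to names in freedom.box) depends on that never happening.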
The LXC technology depends on a Linux kernel feature called cgroups. In order to use this feature you must do the following:
Create a /cgroup directory
Edit /etc/fstab, add the line:
cgroup /cgroup cgroup defaults 0 0
Mount the /cgroup directory (mount /cgroup).
apt-get install lxc
Check the installation with lxc-checkconfig.
Everything should be enabled except the cgroup memory controller. This feature has some performance issues and is not compiled into the kernel by default.
You can find some documentation in: /usr/share/doc/lxc.
In /usr/lib/lxc/templates you can find scripts to install containers with various GNU/Linux distributions.
In order to create a Debian container you have to install debootstrap first:
apt-get install debootstrap
The LXC utilities expect the containers to be created in subdirectories of /var/lib/lxc. This is hardcoded, so don't try to use another directory. To create a container you can do the following:
(this works, but don't do it; use my slightly modified script instead, see below...)
cd /var/lib/lxc
mkdir mycontainer
/usr/lib/lxc/templates/lxc-debian -n mycontainer -p /var/lib/lxc/mycontainer
After you have created the container you can start it in two ways. In daemon mode:

lxc-start -n mycontainer -d

In terminal mode:

lxc-start -n mycontainer
In daemon mode you can use ssh to connect to the container. The lxc-debian script does not give the container a domain name, so you have to find the IP address of the container yourself.
In terminal mode you can use the standard password (root) to work inside the container. The terminal mode is “Hotel California” - you can check in any time you want, but you can never leave. To leave terminal mode you must use another terminal and issue the command:
lxc-stop -n mycontainer
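One way to find the address of a daemonised container, as an added example rather than anything from the article: once dnsmasq is the only DHCP server, every address it hands out is recorded in its lease file, /var/lib/misc/dnsmasq.leases on Debian, one lease per line (expiry time as a Unix timestamp, MAC, IP, hostname or "*", client-id or "*"). The functions assume the container sends its name as its DHCP hostname, which is what makes the freedom.box names work, and take the lease file and the current time as parameters so they can be run against a copy.

```shell
#!/bin/sh
# Added example (not from the original article): look up a container's IP
# address by name in the dnsmasq lease file instead of guessing.
# Assumed: Debian's default lease file /var/lib/misc/dnsmasq.leases, and that
# the container sends its name as DHCP hostname (field 4 of each lease line).

# lease_ip LEASEFILE HOSTNAME [NOW] -> prints the IP of an unexpired lease for
# HOSTNAME and returns 0; prints nothing and returns 1 if there is none.
lease_ip() {
  now=${3:-$(date +%s)}
  ip=$(awk -v h="$2" -v now="$now" '
    $4 == h && $1 + 0 > now + 0 { print $3; exit }
  ' "$1")
  [ -n "$ip" ] && echo "$ip"
}

# list_leases LEASEFILE [NOW] -> one line "hostname ip" per unexpired lease,
# sorted by hostname; clients that sent no hostname show up as "*".
list_leases() {
  now=${2:-$(date +%s)}
  awk -v now="$now" '$1 + 0 > now + 0 { print $4, $3 }' "$1" | sort
}

# Typical use after "lxc-start -n mycontainer -d" (give the container a few
# seconds to obtain its lease first):
#   ip=$(lease_ip /var/lib/misc/dnsmasq.leases mycontainer) && ssh root@"$ip"
#   list_leases /var/lib/misc/dnsmasq.leases
```

Expired leases are skipped on purpose: a stale entry for a container you stopped last week is exactly the address dnsmasq may hand to the next container that starts.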
If you use the lxc-debian script that comes with Squeeze you are in for a surprise: it creates Lenny containers! To create Squeeze containers and give them a nice domain name, I made a slightly modified version of the lxc-debian script. Download this lxc-debian-box script and put it into /usr/lib/lxc/templates.
Create a test container and have some fun.
Now everything is in place to start using LXC containers. Let's create one:
cd /var/lib/lxc
mkdir test
/usr/lib/lxc/templates/lxc-debian-box -n test -p /var/lib/lxc/test
Start the container as a daemon.
lxc-start -n test -d
lxc-info -n test
ssh email@example.com (default password: root)

Then, inside the container:

passwd
dpkg-reconfigure tzdata
apt-get update
apt-get upgrade
apt-get install lynx
lynx freedomboxblog.nl