LXC without chroot
LXC isn't a monolithic system. It's a collection of kernel features that can be used to isolate processes in various different ways, and a userspace tool to use all of these features together to create full-fledged containers. But the individual features are still usable on their own, without LXC. Furthermore, LXC does not require a chroot, and even when you give it a chroot, you can bind-mount directories from the host system into the container, sharing those particular directory trees between the host and the container.
For instance, cgroups are used by LXC to set resource limits on containers. But they can be used to set resource limits on groups of processes without using the LXC tools at all. You can manipulate /sys/fd/cgroup/memory
or /sys/fs/cgroup/cpuacct
directly, to put process into cgroups that limit the amount of memory or CPU they are allowed to use. Or if you're on a system using systemd
, you can control the memory limits for a group of processes using MemoryLimit=200M
or the like in the .service
file for a given service.
If you want to use LXC to do lightweight resource management, you can do that with or without a chroot. When starting an LXC container, you can choose which resources you want to isolate; so you could create a container with only a virtualized network, and nothing else; or a container with only memory limits, but sharing everything else with the host. The only things that will be isolated are those specified in the configuration file for your container. For example, lxc
ships with several example container definitions that only isolate the network; they share a root partition and almost everything else with the host. Here's how to run a container identical to the host system except it has no network interface:
sudo lxc-execute -n foo -f /usr/share/doc/lxc/examples/lxc-no-netns.conf /bin/bash
If you want some files to be shared with the host, but not others, you have two choices; you could use a shared root directory, and mount over the files that you want to be different in the container; or you could use a chroot, but mount the files that you do want to share in the container.
For example, here's the configuration for a container that shares everything with the host except for /home
; it instead bind-mounts /home/me/fake-home
over /home
within the container:
lxc.mount.entry = /home/me/fake-home /home none rw,bind 0 0
Or if you want to have a completely different root, but still share some directories like /usr
, you can bind mount a few directories into a directory, and use that as the root of the filesystem.
So you have lots of options, and can choose to isolate just one component, more than one, or as many as LXC supports, depending on your needs.
No lxc-clone found on system
lxc-clone
has been deprecated, and replaced by lxc-copy
.
Run a program inside an LXC container that is stored on the host
You can make you program to setns(2) (to some, but not all namespaces), chroot and then drop capabilities.
You can also attain something similar with dived (not actually chrooted, but having access to the container's chroot).
You can run [staticly linked] dived inside a container (with the appropriate options, for example, --client-chroot --root-to-current
), listening UNIX socket on some filesystem part that is visible both in the containter and on the host; and run dive
to ask that dived
to start your non-statically-linked program in container's namespace. The root filesystem will stay the same as your host (so your program can find libraries), and the containter's root filesystem will be set as current directory.
segfault appears in linux container start, but fine with chroot?
lxc-start works fine for me, pivot_root is not the problem.
1) just 'lxc-start -n mycontainer' is not good coz it will try to start the init
how about lxc-start -n mycontainer /bin/sh ?
LXC - Linux Containers - Add new network interface without restarting
It would very much depend on the configuration of the interface you're trying to add to the container.
If you have an existing interface on your host which you want to be visible inside the container:
# on the host:
pid=$(lxc-info -pHn foobar)
ip link set dev eth3 netns $pid name eth1
This will cause your host's eth3
interface to be moved to the container foobar
, renamed to eth1
. This is roughly equal to this configuration:
lxc.network.type=phys
lxc.network.link=eth3
lxc.network.name=eth1
Another useful scenario would be to create a new interface inside the container, bridged to an existing bridge on the host:
# on the host:
pid=$(lxc-info -pHn foobar)
ip link add name veth0 type veth peer name veth0_container
brctl addif br0 veth0
ip link set dev veth0_container netns $pid name veth0
This will create a pair of connected virtual-ethernet interfaces (veth0
and veth0_container
), add one of them to the br0
bridge, and move the other into the container foobar
. This is roughly equivalent to this configuration:
lxc.network.type=veth
lxc.network.link=br0
lxc.network.name=veth0
LXC using separate HDD/VOLUME
You can create storage pools for each of your disks. Then, when you create a LXD container, you can specify on which storage pool to be created in.
The commands to create the storage pools are:
lxc storage create pool1 zfs source=/dev/sdb
lxc storage create pool2 zfs source=/dev/sdc
lxc storage create pool3 zfs source=/dev/sdd
The commands to launch containers on specific storage pools are:
lxc launch ubuntu:20.04 container1 --storage pool1
lxc launch ubuntu:20.04 container2 --storage pool2
lxc launch ubuntu:20.04 container3 --storage pool3
Do note that such a setup may not be very optimal. See whether you can use either ZFS, LVM, or btrfs. With any of them, you can specify to use all those disks together in some form of RAID. More at https://linuxcontainers.org/lxd/docs/master/storage
Related Topics
How to Run a Command as a Specific User in an Init Script
The Meaning of Real, User, and Sys in Output of Linux Time Command
Grep String Inside Double Quotes
Unsupported Protocol While Download Tar.Gz Package
One Liner to Rename Bunch of Files
Where Do You Download Linux Source Code
Creating a Self-Extracting Zip Archive on a Linux Box
Which Perf Events Can Use Pebs
How to Catch Duplicate Entries in Text File in Linux
How to Pass All Arguments with Xargs in Middle of Command in Linux
How to Calculate the Total Size of Certain Files Only, Recursive, in Linux
Ldd Doesn't Work on Dynamically Linked Binary
How to Get Ec2 Load Balancing Properly Set Up to Allow for Real Time File Syncing
Is There a Clang Mingw Cross Compiler for Linux