Re: [lxc-users] Bind public IP that is available on host's ens3:1 to a specific LXD container?
Hi Thomas,

Can you list the steps you went through to get it working? I'm in the same boat.

thanks.

On Fri, May 19, 2017 at 8:31 PM, Thomas Ward wrote:
> Thanks to some off-list replies and some help from other online
> resources, I've been able to switch this to a bridged method, with the
> host interfaces set to 'manual', an inet0 bridge created that is static
> IP'd for the host system to have its primary IP, and can have manual IP
> assignments to containers on that bridged network for the other
> non-primary IPs. I've also kept an `lxdbr0` device from the older
> lxd-bridge setup that I still had for NAT'd containers, since I have
> more containers than public IPs, and many of the containers don't need
> to be on public IPs.
>
> Thank you to the people who replied to me off-list, but also the people
> in general who help people new to LXC/LXD networking get started working
> through issues they've run into!
>
>
> Thomas
>
>
> On 05/19/2017 10:01 PM, Thomas Ward wrote:
>> Hello.
>>
>> I've got a VDS from RamNode - which is essentially a KVM VPS with
>> dedicated CPUs, and larger RAM capacity. This VDS has three IPs. I'm
>> going to obfuscate them here, but essentially the host box is configured
>> like this:
>>
>>
>> # The primary network interface
>> auto ens3
>> iface ens3 inet static
>>     address 1.2.3.107
>>     netmask 255.255.255.0
>>     gateway 1.2.3.1
>>     dns-nameserver 8.8.8.8 8.8.4.4
>>
>> auto ens3:1
>> iface ens3:1 inet static
>>     address 1.2.4.17
>>     netmask 255.255.255.0
>>     gateway 1.2.4.1
>>     dns-nameserver 8.8.8.8 8.8.4.4
>>
>> auto ens3:2
>> iface ens3:2 inet static
>>     address 1.2.4.34
>>     netmask 255.255.255.0
>>     gateway 1.2.4.1
>>     dns-nameserver 8.8.8.8 8.8.4.4
>>
>>
>> Now, I've got a container I'd like to route the 1.2.4.17 to a specific
>> container once I've created it, but ens3 is the only actual physical NIC
>> on the system, and I don't have the ability to add any more physical NICs.
>>
>> How would I go about routing 1.2.4.17 to the 'new' container I'm going
>> to create?
>>
>> Note that by default, new containers are attached to an 'lxdbr0' which
>> NATs container traffic, this new container would have to reside outside
>> that obviously, but I'm not fluent in LXC/LXD networking so a guide
>> and/or how-tos for this would be wonderful to have.
>>
>>
>> --
>>
>> Thomas
>>
>
> ___
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
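The bridged layout Thomas ends up with (physical NIC set to manual and carrying no address, a bridge that holds the host's primary IP, each extra public IP hand-assigned to one container) as an added worked example. This is editor-supplied code, not from the thread and not LXD's own tooling. It assumes the interface names ens3 and inet0, the obfuscated 1.2.3.0/24 and 1.2.4.0/24 addresses from the post, a container called web1 and a host-side veth called veth-web1; the LXD commands are printed as a script for review rather than run. The same subnet check covers the /29 cases in the LXC threads further down (use prefix 29 and the /29 network address).

```shell
#!/bin/sh
# Added example, not code from the thread or from LXD: the bridged layout in
# Thomas's reply (physical NIC without an address, the bridge holds the host's
# primary IP, each extra public IP hand-assigned to one container).
# Assumed names: ens3, inet0, container web1, veth-web1; addresses are the
# obfuscated ones from the post. Nothing here touches the system: the lxc
# commands are printed as a script for review, not executed.

PHYS=${PHYS:-ens3}
BRIDGE=${BRIDGE:-inet0}
HOST_IP=1.2.3.107 HOST_MASK=255.255.255.0 HOST_GW=1.2.3.1
# The subnet that holds the extra (container) addresses.
EXTRA_NET=1.2.4.0 EXTRA_PREFIX=24 EXTRA_MASK=255.255.255.0 EXTRA_GW=1.2.4.1

# Dotted quad -> integer; fails unless it is exactly four octets of 0..255.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when $1 is a usable host address in $2/$3: inside the subnet and
# neither the network nor the broadcast address.
usable_in_subnet() {
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "$2") || return 1
    mask=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
    net=$(( net & mask ))
    bcast=$(( net | (~mask & 0xffffffff) ))
    [ $(( ip & mask )) -eq "$net" ] || return 1
    [ "$ip" -ne "$net" ] || return 1
    [ "$ip" -ne "$bcast" ] || return 1
    return 0
}

# Host side of /etc/network/interfaces: the NIC carries no address of its own
# and no ens3:N aliases, so every extra IP stays free for a container.
render_host_interfaces() {   # phys bridge host_ip netmask gateway
    cat <<EOF
auto lo
iface lo inet loopback

auto $1
iface $1 inet manual

auto $2
iface $2 inet static
    bridge_ports $1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    address $3
    netmask $4
    gateway $5
    dns-nameservers 8.8.8.8 8.8.4.4
EOF
}

# Container side: a plain static stanza with the extra IP and its gateway.
render_container_interfaces() {   # ip netmask gateway
    cat <<EOF
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address $1
    netmask $2
    gateway $3
    dns-nameservers 8.8.8.8 8.8.4.4
EOF
}

# Print a script that moves container $1's eth0 from lxdbr0 to the public
# bridge (an instance device named eth0 overrides the profile's) with a stable
# host-side veth name, then installs the static config and restarts it.
plan_public_container() {   # container ip
    if ! usable_in_subnet "$2" "$EXTRA_NET" "$EXTRA_PREFIX" || [ "$2" = "$EXTRA_GW" ]; then
        echo "refusing $2: not a usable host address in $EXTRA_NET/$EXTRA_PREFIX" >&2
        return 1
    fi
    echo "lxc config device add $1 eth0 nic nictype=bridged parent=$BRIDGE host_name=veth-$1"
    echo "lxc exec $1 -- sh -c 'cat > /etc/network/interfaces' <<'EOF'"
    render_container_interfaces "$2" "$EXTRA_MASK" "$EXTRA_GW"
    echo "EOF"
    echo "lxc restart $1"
}

if [ "${1-}" = "show" ]; then
    render_host_interfaces "$PHYS" "$BRIDGE" "$HOST_IP" "$HOST_MASK" "$HOST_GW"
    echo
    plan_public_container web1 1.2.4.17
fi
```

Run it as `sh bridge-plan.sh show` to see the host stanza and the per-container script; the host stanza replaces the three ens3/ens3:N stanzas in the post, and the printed script is reviewed and then fed to `sh`. The `host_name=` property pins the host-side veth name, which matters later: once containers sit on a bridge that fronts your public segment, the host can only filter or account for a container's traffic if it knows which veth is whose. Keeping lxdbr0 for the NAT-only containers, as Thomas did, needs no change here.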
Re: [lxc-users] Short howto re lxd-container-on-LAN for impatient dummies?
This would be great!

I have a kvm machine in the cloud with 5 public IPs, one for the host and 4
for containers. (eth0 and eth0:0-3 are the interfaces)

I installed lxd as so:

apt install -t xenial-backports lxd lxd-client

ran lxd init and created a few containers. all good.

But now I want to assign a public IP to a container and don't find a
succinct way to do it. lxd init created lxdbr0. I'm not sure if I need to
delete that and create a new bridge, or what.

I'm running ubuntu 16.04 on host and in containers.

On Sat, Apr 22, 2017 at 8:52 AM, Dan Kegel wrote:
> TL;dr:
>
> For Ubuntu 16.04 users who have lxd-2.0.9 from xenial-updates,
> what is the fast path towards simple lxd container-on-the-lan happiness?
> (Extra credit: allow ssh between the host and the guest, also part of
> Things Just Working.)
>
> Long version:
>
> The issue
> https://github.com/lxc/lxd/issues/1294
> was closed, but as far as I can tell, is still valid:
> lxc users don't care about bridges, they just Want Things To Work.
> And so the tutorials for setting up lxd containers that act like
> they're on the LAN, e.g.
> https://www.stgraber.org/2016/10/27/network-management-with-lxd-2-3/
> https://www.simpleprecision.com/ubuntu-16-04-lxd-networking-simple-bridge/
> leave them cold, leading to questions like
>
> http://stackoverflow.com/questions/41826430/how-to-setup-lxd-containers-that-communicate-over-the-lan
> Note the length of the answer. Users who Just Want Things To Work
> don't want to have to learn about bridges. I know, it's their loss, but
> that's the way it is. This hinders adoption.
>
> (Docker probably has similar problems, but has wrappers like weave,
> pipework, flannel, and socketplane to smooth things over for users, I hear.)
[lxc-users] lxc/docker security on hackernews
Abusing Privileged and Unprivileged Linux Containers
https://news.ycombinator.com/item?id=11816852
[lxc-users] apt-get dist-upgrade inside container?
I have host and containers running ubuntu 14.04.
When I apt-get dist-upgrade the host, do I need to apt-get dist-upgrade in
the containers as well, or just apt-get upgrade?
Are there best practices for keeping a bunch of containers up to date?

thanks,
-joe
Re: [lxc-users] User input on resource limits for containers
We are using lxc to house a shared hosting environment. Currently just
limiting on CPU. Most interested in limiting disk and network IO
(separately). Would also like to limit IO on a per user basis inside of the
lxc container. Ideally would like something like cloudlinux cagefs LVE:
http://docs.cloudlinux.com/understanding_lve.html
I do not know of any open source equivalent.

On Wed, Aug 5, 2015 at 8:53 AM, Stéphane Graber wrote:
> Hello,
>
> The LXD team is currently busy working on resource limitations and
> reporting.
> The goal is to design a user friendly experience around CPU, memory and
> I/O limits which doesn't require any specific understanding of the
> implementation (cgroup knobs, ...).
>
> As we are going through ideas, it would be very useful to us to know how
> LXC users are currently using resource limits (lxc.cgroup.*, ...), what's
> working for you and what isn't so we can try to improve things as much
> as possible.
>
>
> Here are a few questions to try and get things going. Please don't feel
> limited to those though, any feedback is appreciated!
>
> - Are you using resource limits with LXC?
>
> - What kind of resource limits are you setting (cpu, memory, I/O, ...)?
>
> - Are you updating the resource limits of running containers?
>
> - Are you reading the current resource usage of your containers?
>
> - Are you using resource limits only to prevent containers from using
>   all the host resources or as a way to provide different tier of
>   containers, some faster than others?
>
> - Would percentage based limits (percentage of the host resources) be
>   useful to you?
>
> - Are you using the cpuset controller only as a way to limit the number of
>   CPUs exposed to the container or is pinning to specific physical CPUs
>   actually important to you?
>
> - Would you be interested in being able to limit network IOps and
>   bandwidth for a container?
>
> - Is the split between memory, swap and kernel memory useful to you?
>
> - Would you like a way to prevent overprovisioning, causing container
>   failure if the stated resource limits exceeds what's available on the
>   host?
>
>
> Thanks!
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
[lxc-users] ntpdate errors in vivid container
host is Ubuntu 14.04.2 LTS
container is Ubuntu 15.04 (vivid)
lxc is 1.1.2
using bridging for networking.

container /etc/network/interfaces looks like:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static

bringing it up, everything works fine, but there is a 2 minute delay in the
bootup process.

delay from (I think bringing up network calls ntpdate):

Jun 26 12:20:32 vivweb ntpdate[611]: Can't adjust the time of day: Operation not permitted
Jun 26 12:22:25 vivweb systemd[1]: ifup-wait-all-auto.service start operation timed out. Terminating.
Jun 26 12:22:25 vivweb systemd[1]: Failed to start Wait for all "auto" /etc/network/interfaces to be up for network-online.target.
Jun 26 12:22:25 vivweb systemd[1]: Unit ifup-wait-all-auto.service entered failed state.
Jun 26 12:22:25 vivweb systemd[1]: ifup-wait-all-auto.service failed.

other errors:

Jun 26 12:22:25 vivweb systemd[1]: Failed to reset devices.list on /lxc/vivweb/system.slice/networking.service: Permission denied
Jun 26 12:22:26 vivweb systemd[1]: Failed to reset devices.list on /lxc/vivweb/system.slice/systemd-update-utmp-runlevel.service: Permission denied

any idea why these errors are occurring?
Re: [lxc-users] networking and permissions questions
On Mon, Apr 27, 2015 at 8:05 PM, Fajar A. Nugraha wrote:
> On Tue, Apr 28, 2015 at 6:53 AM, Joe McDonald wrote:
>> 1) Do I need to specify this IP in both the
>> config file and the rootfs/etc/network/interfaces file?
>> Is there a better way to do this?
>
> IMHO the best way is on container's interfaces file

Ah! So I don't need to specify IP in config, just in containers
network/interface. I tried that and the double IP went away, also, lag time
for ssh disappeared as well, could ssh in as soon as container was up.
Thanks!

> Long version:
> There's a workaround that I posted sometime ago, which in essence does
> NOT use bridging, but use routing + proxy_arp. However it currently
> ONLY works on privileged container (since it needs persistent veth
> name on the host side, which is currently not possible for
> unprivileged containers)

Hopefully this will be possible with unprivileged containers in the future
as it would be handy.

thanks,
-joe
[lxc-users] networking and permissions questions
Hi,

I have 5 publicly routed ips from my isp.

On the host (Ubuntu 14.04.2 LTS) Have /etc/network/interfaces as so:

# The loopback network interface
auto lo p4p1
iface lo inet loopback

iface p4p1 inet manual

auto br0
iface br0 inet static
    bridge_ports p4p1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    address 104.250.137.138
    netmask 255.255.255.248
    gateway 104.250.137.137
    dns-nameservers 8.8.8.8
#---

I create a user (lxcuser) that will have unprivileged containers.

When I create containers, I edit (as user lxcuser):
~/.local/share/lxc/$container/config
and change:
lxc.network.ipv4 = $ipnumber
i.e.
lxc.network.ipv4 = 104.250.137.141

I also change ~/.local/share/lxc/$container/rootfs/etc/network/interfaces
and put in there like:

# The loopback network interface
auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

auto eth0
iface eth0 inet static
    address 104.250.137.141
    gateway 104.250.137.137
    netmask 255.255.255.248
#

I have a couple of containers running and it shows:

lxc-ls --fancy
NAME         STATE    IPV4                              IPV6  GROUPS  AUTOSTART
------------------------------------------------------------------------------
ubpdns       RUNNING  104.250.137.139                   -     -       NO
ubsharedweb  RUNNING  104.250.137.141, 104.250.137.141  -     -       NO

a few questions:

1) Do I need to specify this IP in both the config file and the
rootfs/etc/network/interfaces file? Is there a better way to do this?

2) why does one container (ubsharedweb) show the same IP address twice?

3) How is user lxcuser able to just take whatever IP's it wants?
I have: "lxcuser veth lxcbr0 100" in /etc/lxc/lxc-usernet
So I'm guessing that is how it can do it, but how can I constrain lxcuser to
only use IP's within a certain range?

4) starting up a container (ubuntu 14.04) takes about 8 seconds, I can then
lxc-attach to it. But it takes a couple of minutes before I can ssh into it.
Is this normal?

5) in ~/.local/share/lxc I see:
drwxrwx--- 3 296608 lxcuser 4096 Apr 27 16:08 ubsharedweb
should that container directory be owned by lxcuser or is 296608 the correct
user id?
all container directories are the same except for one which is
lxcuser:lxcuser. I don't know why the one is different.

thanks in advance,
-joe
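Question 3 above is the security-relevant one: a container attached to a bridge that fronts a public /29 can put any source MAC and any source IP on the wire, and the lxc-usernet line only caps how many veth devices lxcuser may create, not which addresses they use. The usual host-side answer is a per-veth filter at layer 2. Below is an added example of one, written by the editor rather than taken from the thread or from LXC: a default-deny ebtables chain for one container's host-side veth that passes only IPv4 from the container's one address and ARP claiming that one address/MAC pair. It assumes the veth name veth-ubsharedweb and a constructed MAC 00:16:3e:aa:bb:cc; on a real host take the MAC from `lxc.network.hwaddr` in the container config (or `lxc config get <name> volatile.eth0.hwaddr` under LXD) and the veth name from `lxc.network.veth.pair` (privileged containers only, as Fajar points out in the reply above) or LXD's `host_name` nic property.

```shell
#!/bin/sh
# Added example, not code from the thread or from LXC: a default-deny ebtables
# filter on one container's host-side veth, so a bridged container can send
# frames only from its own MAC and its own IPv4 address. lxc-usernet (the
# "lxcuser veth lxcbr0 100" line) caps how many veths a user may create; it
# says nothing about which addresses those veths may use. Assumed names: the
# veth "veth-ubsharedweb" and the constructed MAC 00:16:3e:aa:bb:cc.

valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the ebtables commands for veth $1 / MAC $2 / IPv4 $3, one per line.
# Only frames that are explicitly RETURNed get through: IPv4 from the one
# address, ARP claiming the one address/MAC pair. Everything else from that
# port (other IPs, other MACs, IPv6, any other ethertype) is dropped.
render_antispoof_rules() {
    valid_mac "$2" && valid_ipv4 "$3" || { echo "bad mac or ip: '$2' '$3'" >&2; return 1; }
    chain="antispoof-$1"
    [ ${#chain} -le 31 ] || { echo "chain name too long: $chain" >&2; return 1; }
    printf '%s\n' \
        "ebtables -N $chain 2>/dev/null || ebtables -F $chain" \
        "ebtables -A $chain -s ! $2 -j DROP" \
        "ebtables -A $chain -p IPv4 --ip-src $3 -j RETURN" \
        "ebtables -A $chain -p ARP --arp-ip-src $3 --arp-mac-src $2 -j RETURN" \
        "ebtables -A $chain -j DROP" \
        "ebtables -D FORWARD -i $1 -j $chain 2>/dev/null; ebtables -A FORWARD -i $1 -j $chain" \
        "ebtables -D INPUT -i $1 -j $chain 2>/dev/null; ebtables -A INPUT -i $1 -j $chain"
}

# Validate first, then run each command (or only print it when DRY_RUN is set).
apply_antispoof_rules() {
    rules=$(render_antispoof_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN-}" ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

if [ "${1-}" = "show" ]; then
    DRY_RUN=1 apply_antispoof_rules veth-ubsharedweb 00:16:3e:aa:bb:cc 104.250.137.141
fi
```

`sh antispoof.sh show` prints the seven commands; run `apply_antispoof_rules` as root without DRY_RUN to install them. Both FORWARD (container to the wire or to another container) and INPUT (container to the host's own br0 address) get the jump, and the jump is deleted before it is re-added so the function is safe to rerun. The rules live only in the kernel, so hook them into container start (LXC's `lxc.network.script.up` receives the host-side veth name) rather than running them once; IPv6 is dropped entirely here and needs its own RETURN rules if the containers use it. Later LXD releases expose the same idea as the `security.mac_filtering` and `security.ipv4_filtering` options on a bridged nic device, which is the simpler route where available.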
[lxc-users] upgrading to lxd-daily and migrating to unprivileged containers
I am on lxc 1.07 and would like to upgrade to lxd and latest lxc.
I have: ppa:ubuntu-lxc/stable as a repository.
Do I need to remove that and remove lxc before following the
instructions on https://github.com/lxc/lxd/blob/master/README.md ?
Or will following those instructions simply upgrade my system?

Also, my lxc containers are currently privileged containers
on /var/lib/lxc is there any way to "migrate" them to
unprivileged containers?

Finally I want to thank Bostjan Skufca and Fajar Nugraha for helping
me with lxc bridging question, solution worked great. I haven't been
approved for the mailing list yet and so can't reply.

thanks,
Joe
Re: [lxc-users] upgrading to lxd-daily and migrating to unprivileged containers
Great. upgrade went smoothly. thank you.

question: are the /usr/bin/lxc-* commands now deprecated in favor of plain "lxc"?
how to do lxc-attach ?

using the lxc-attach no longer works:

$ lxc-attach -n first
lxc-attach: attach.c: lxc_attach: 632 failed to get the init pid

get errors for other lxc-* commands as well.

is "lxc exec first /bin/bash" the new lxc-attach?

thanks in advance,
-joe

On Thu, Mar 19, 2015 at 7:08 PM, Serge Hallyn wrote:
> Quoting Joe McDonald (ideafil...@gmail.com):
>> I am on lxc 1.07 and would like to upgrade to lxd and latest lxc.
>> I have: ppa:ubuntu-lxc/stable as a repository.
>> Do I need to remove that and remove lxc before following the
>
> No, you can keep it.
>
>> instructions on https://github.com/lxc/lxd/blob/master/README.md ?
>> Or will following those instructions simply upgrade my system?
>>
>> Also, my lxc containers are currently privileged containers
>> on /var/lib/lxc is there any way to "migrate" them to
>> unprivileged containers?
>
> Hm, shouldn't be hard to write a script to do that. The rootfs will
> need to be moved, and the configuration moved into the database.
>
>> Finally I want to thank Bostjan Skufca and Fajar Nugraha for helping
>> me with lxc bridging question, solution worked great.
[lxc-users] lxc bridge setup
I have 5 public IPs (/29) and would like to make them available to lxc
containers. I am on ubuntu 14.04. What is the procedure?

I tried to duplicate br0 with br1, etc and incrementing the IP#, but it
didn't like it. I'd like to make 1 IP for the host system, and the other 4
IP's each go to a container.

I have this in /etc/network/interfaces:

# The loopback network interface
auto lo p4p1
iface lo inet loopback

iface p4p1 inet manual

auto br0
iface br0 inet static
    bridge_ports p4p1
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    address 104.250.x.x
    netmask 255.255.255.248
    gateway 104.250.x.x
    dns-nameservers 8.8.8.8