[lxc-users] Mount additional storage into unprivileged container
Hi, all!

I am learning LXC features because we are going to implement it in our production environment.
Could somebody explain to me whether there is any well-documented way to mount additional filesystems or (preferably) block devices into unprivileged containers? Does it support live migration of the container?
I've read a lot of articles and man pages, but unfortunately this question is still unclear to me...

Currently my config looks like:

    name: test-container
    profiles:
    - default
    config:
      raw.lxc: lxc.aa_profile=unconfined
      security.privileged: "true"
      volatile.base_image: a19c9ae2bd2e7bf99b0e2d31a0707cc534781a4eba47f44f172f486d2e01c96b
      volatile.eth0.hwaddr: 00:16:3e:87:d6:d9
      volatile.last_state.idmap: '[]'
    devices:
      data:
        path: /datastorage
        source: /dev/sdf
        type: disk

But when I try to change security.privileged to ‘false’ I lose the ability to write to the /datastorage path inside the container.

Currently I’m using version 2.0.5 of LXC

--
WBR, Andriy Tovstik
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] Mount additional storage into unprivileged container
Greetings, Andriy Tovstik!

> I am learning LXC features because we are going to implement it in our
> production environment.

LXC or LXD? Your configuration smells like the latter.

> Could somebody explain to me whether there is any well-documented way to mount
> additional filesystems or (preferably) block devices into unprivileged
> containers? Does it support live migration of the container?

You could do better at explaining what you need that for. It'll speed up the answer.
Normally, you don't need to "mount block devices into container".

> I've read a lot of articles and man pages, but unfortunately this question is
> still unclear to me...
>
> Currently my config looks like:
>
>     name: test-container
>     profiles:
>     - default
>     config:
>       raw.lxc: lxc.aa_profile=unconfined
>       security.privileged: "true"
>       volatile.base_image: a19c9ae2bd2e7bf99b0e2d31a0707cc534781a4eba47f44f172f486d2e01c96b
>       volatile.eth0.hwaddr: 00:16:3e:87:d6:d9
>       volatile.last_state.idmap: '[]'
>     devices:
>       data:
>         path: /datastorage
>         source: /dev/sdf
>         type: disk
>
> But when I try to change security.privileged to ‘false’ I lose the ability
> to write to the /datastorage path inside the container.
>
> Currently I’m using version 2.0.5 of LXC

Doesn't match your listed config. Smells like LXD.

--
With best regards,
Andrey Repin
Tuesday, November 8, 2016 13:13:21

Sorry for my terrible English...
Re: [lxc-users] Mount additional storage into unprivileged container
Hi, Andrey!

On Tue, 8 Nov 2016 at 12:20, Andrey Repin wrote:

> Greetings, Andriy Tovstik!
>
> > I am learning LXC features because we are going to implement it in our
> > production environment.
>
> LXC or LXD? Your configuration smells like the latter.

LXD, you are right. But AFAIK LXD is an extension that was built over the LXC subsystem, isn't it?

> > Could somebody explain to me whether there is any well-documented way to mount
> > additional filesystems or (preferably) block devices into unprivileged
> > containers? Does it support live migration of the container?
>
> You could do better at explaining what you need that for. It'll speed up
> the answer.
> Normally, you don't need to "mount block devices into container".

Well... I'm going to use LXD to isolate two applications that will be heavily loaded. Maybe it will be necessary to give each of them dedicated storage. Rootfs I'll put on a ZFS pool. An alternative way is to use ZFS over a high-speed storage system and use an IOPS limit for each container...

> > I've read a lot of articles and man pages, but unfortunately this question
> > is still unclear to me...
> >
> > Currently my config looks like:
> >
> >     name: test-container
> >     profiles:
> >     - default
> >     config:
> >       raw.lxc: lxc.aa_profile=unconfined
> >       security.privileged: "true"
> >       volatile.base_image: a19c9ae2bd2e7bf99b0e2d31a0707cc534781a4eba47f44f172f486d2e01c96b
> >       volatile.eth0.hwaddr: 00:16:3e:87:d6:d9
> >       volatile.last_state.idmap: '[]'
> >     devices:
> >       data:
> >         path: /datastorage
> >         source: /dev/sdf
> >         type: disk
> >
> > But when I try to change security.privileged to ‘false’ I lose the ability
> > to write to the /datastorage path inside the container.
> >
> > Currently I’m using version 2.0.5 of LXC
>
> Doesn't match your listed config. Smells like LXD.

All versions look something like this:

    ii  lxc-common  2.0.5-0ubuntu1~ubuntu16.04.2  amd64  Linux Containers userspace tools (common tools)
    ii  lxc2        2.0.5-0ubuntu1~ubuntu16.04.1  all    Container hypervisor based on LXC - metapackage
    ii  lxcfs       2.0.4-0ubuntu1~ubuntu16.04.1  amd64  FUSE based filesystem for LXC
    ii  lxd         2.0.5-0ubuntu1~ubuntu16.04.1  amd64  Container hypervisor based on LXC - daemon
    ii  lxd-client  2.0.5-0ubuntu1~ubuntu16.04.1  amd64  Container hypervisor based on LXC - client
    ii  lxd-tools   2.0.5-0ubuntu1~ubuntu16.04.1  amd64  Container hypervisor based on LXC - extra tools

--
WBR, Andriy Tovstik
Re: [lxc-users] Mount additional storage into unprivileged container
Greetings, Andriy Tovstik!

>>> I am learning LXC features because we are going to implement it in our
>>> production environment.
>>
>> LXC or LXD? Your configuration smells like the latter.

> LXD, you are right. But AFAIK LXD is an extension that was built over the LXC
> subsystem, isn't it?

LXD is an environment by and in itself. It uses different configuration tools to set up and manage containers.

My (overly simplified) explanation of the use case is that LXC is what I'd use if I need to set up a system once and forget (as a figure of speech) it exists, while LXD is a tool for mass-deployment of applications/appliances. With leaning to the latter, since LXD deploys an entire stack in a single container.

>>> Could somebody explain to me whether there is any well-documented way to mount
>>> additional filesystems or (preferably) block devices into unprivileged
>>> containers? Does it support live migration of the container?
>>
>> You could do better at explaining what you need that for. It'll speed up
>> the answer.
>> Normally, you don't need to "mount block devices into container".

> Well... I'm going to use LXD to isolate two applications that will be
> heavily loaded. Maybe it will be necessary to give each of them dedicated
> storage.

You can do that by just mounting that dedicated storage in the profile. You don't really need block devices inside a container, unless your use case demands specifically block-level access. For example, if you want to prepare bootable media from inside a container (there was a thread about it a while ago; apparently, the OP's host OS was unable to produce desirable results, and they wanted to use a container with a newer OS (thus newer toolchain) to prepare the media).

> Rootfs I'll put on a ZFS pool. An alternative way is to use ZFS over a high-speed
> storage system and use an IOPS limit for each container...

>>> I've read a lot of articles and man pages, but unfortunately this question is
>>> still unclear to me...
>>>
>>> Currently my config looks like:
>>>
>>>     name: test-container
>>>     profiles:
>>>     - default
>>>     config:
>>>       raw.lxc: lxc.aa_profile=unconfined
>>>       security.privileged: "true"
>>>       volatile.base_image: a19c9ae2bd2e7bf99b0e2d31a0707cc534781a4eba47f44f172f486d2e01c96b
>>>       volatile.eth0.hwaddr: 00:16:3e:87:d6:d9
>>>       volatile.last_state.idmap: '[]'
>>>     devices:
>>>       data:
>>>         path: /datastorage
>>>         source: /dev/sdf
>>>         type: disk
>>>
>>> But when I try to change security.privileged to ‘false’ I lose the ability
>>> to write to the /datastorage path inside the container.
>>>
>>> Currently I’m using version 2.0.5 of LXC
>>
>> Doesn't match your listed config. Smells like LXD.

> All versions look something like this:

You have LXD installed. "lxc2" is an alternative name for it. LXC is named "lxc1" in the repository.

> ii  lxc-common  2.0.5-0ubuntu1~ubuntu16.04.2  amd64  Linux Containers userspace tools (common tools)
> ii  lxc2        2.0.5-0ubuntu1~ubuntu16.04.1  all    Container hypervisor based on LXC - metapackage
> ii  lxcfs       2.0.4-0ubuntu1~ubuntu16.04.1  amd64  FUSE based filesystem for LXC
> ii  lxd         2.0.5-0ubuntu1~ubuntu16.04.1  amd64  Container hypervisor based on LXC - daemon
> ii  lxd-client  2.0.5-0ubuntu1~ubuntu16.04.1  amd64  Container hypervisor based on LXC - client
> ii  lxd-tools   2.0.5-0ubuntu1~ubuntu16.04.1  amd64  Container hypervisor based on LXC - extra tools

    aptitude show lxc2
    Package: lxc2
    State: not installed
    Version: 2.0.5-0ubuntu1~ubuntu14.04.1
    Priority: extra
    Section: universe/metapackages
    Maintainer: Ubuntu Developers
    Architecture: all
    Uncompressed Size: 57,3 k
    Depends: lxd, lxd-client
    Description: Container hypervisor based on LXC - metapackage
     LXD offers a REST API to remotely manage containers over the network, using an image based workflow and with support for live migration.

     This is a dummy metapackage to install LXD and its client.
    Homepage: https://linuxcontainers.org/

--
With best regards,
Andrey Repin
Tuesday, November 8, 2016 14:25:33

Sorry for my terrible English...
Re: [lxc-users] Mount additional storage into unprivileged container
On Tue, 8 Nov 2016 at 13:57, Andrey Repin wrote:

> Greetings, Andriy Tovstik!
>
> >>> I am learning LXC features because we are going to implement it in our
> >>> production environment.
> >>
> >> LXC or LXD? Your configuration smells like the latter.
>
> > LXD, you are right. But AFAIK LXD is an extension that was built over the LXC
> > subsystem, isn't it?
>
> LXD is an environment by and in itself. It uses different configuration
> tools to set up and manage containers.

OK, let's forget about LXC, let's talk about LXD.

> My (overly simplified) explanation of the use case is that LXC is what I'd use
> if I need to set up a system once and forget (as a figure of speech) it exists,
> while LXD is a tool for mass-deployment of applications/appliances. With
> leaning to the latter, since LXD deploys an entire stack in a single
> container.

I have big plans :) so LXD looks more suitable for me.

> >>> Could somebody explain to me whether there is any well-documented way to mount
> >>> additional filesystems or (preferably) block devices into unprivileged
> >>> containers? Does it support live migration of the container?
> >>
> >> You could do better at explaining what you need that for. It'll speed
> >> up the answer.
> >> Normally, you don't need to "mount block devices into container".
>
> > Well... I'm going to use LXD to isolate two applications that will be
> > heavily loaded. Maybe it will be necessary to give each of them
> > dedicated storage.
>
> You can do that by just mounting that dedicated storage in the profile. You
> don't really need block devices inside a container, unless your use case
> demands specifically block-level access.

OK, let me clarify my question. As I've read in https://github.com/lxc/lxd/blob/master/doc/configuration.md there are two storage options that can be mounted into a container: disk and unix-block device. I played with both of them. Let's talk about the disk device. As you can see in my example, I've used a disk device with a block device as a source. I can change the source option and set a directory as a source. Anyway, I receive a "permission denied" error when I try to access this directory inside my container... Remember, we are talking about an unprivileged container. A privileged container works fine. I have found a lot of topics about this problem, but I'm looking for an official, best-practice solution.

--
WBR, Andriy Tovstik
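
Added example, not part of any message in the thread: a simplified Python model of why the disk device stops being writable once security.privileged is "false", based on the volatile.last_state.idmap key from the posted config. The non-empty idmap value, the 100000/65536 range and the function names are constructed for illustration, and the JSON field names assume the layout LXD writes for that key; ACLs, read-only mounts and LSM policy are ignored.

```python
import json

# Constructed sample values; field names assume the JSON layout LXD
# stores in volatile.last_state.idmap.
PRIVILEGED = "[]"  # value shown in the posted config
UNPRIVILEGED = json.dumps([
    {"Isuid": True, "Isgid": False, "Hostid": 100000, "Nsid": 0, "Maprange": 65536},
    {"Isuid": False, "Isgid": True, "Hostid": 100000, "Nsid": 0, "Maprange": 65536},
])

def _translate(idmap_json, value, kind, src, dst):
    entries = json.loads(idmap_json)
    if not entries:                      # no user namespace: ids are identical
        return value
    flag = "Isuid" if kind == "uid" else "Isgid"
    for e in entries:
        if e[flag] and e[src] <= value < e[src] + e["Maprange"]:
            return e[dst] + value - e[src]
    return None                          # no mapping for this id

def to_container_id(idmap_json, host_id, kind="uid"):
    """Id the container sees for a host id; None means unmapped (shown as nobody)."""
    return _translate(idmap_json, host_id, kind, "Hostid", "Nsid")

def host_id_for(idmap_json, container_id, kind="uid"):
    """Host id that a given container id corresponds to."""
    return _translate(idmap_json, container_id, kind, "Nsid", "Hostid")

def root_can_write(idmap_json, owner_uid, owner_gid, mode):
    """Model: can container root write to a directory with this host ownership/mode?"""
    if not json.loads(idmap_json):
        return True                      # privileged: real root on the host
    uid = to_container_id(idmap_json, owner_uid, "uid")
    gid = to_container_id(idmap_json, owner_gid, "gid")
    if uid is not None and gid is not None:
        return True                      # owner mapped: root's DAC override applies
    if uid == 0:
        return bool(mode & 0o200)        # root is the owner: owner bits
    if gid == 0:
        return bool(mode & 0o020)        # root's group owns it: group bits
    return bool(mode & 0o002)            # otherwise treated as "other"

if __name__ == "__main__":
    for name, idmap in (("privileged", PRIVILEGED), ("unprivileged", UNPRIVILEGED)):
        # Source directory owned by host root:root, mode 0755
        print(name, "root-owned 0755 writable:", root_can_write(idmap, 0, 0, 0o755))
    fix = host_id_for(UNPRIVILEGED, 0)
    print("chown source to", fix, "-> writable:", root_can_write(UNPRIVILEGED, fix, fix, 0o755))
```

In this model, giving the source directory to the host id returned by host_id_for keeps the container unprivileged, whereas the posted config gains write access by removing the user namespace and the AppArmor confinement altogether.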