Index
- Part 1: Introduction
- Part 2: Basic configuration files
- Part 3: Creating an unprivileged container on Slackware
- Part 4: Scripts overview
- Part 5: Natting example
- Browse the scripts' folder
- Changelog
This is an overview of my LXC scripts. As already said they are mostly wrappers of the LXC commands, that I wrote to execute common tasks both with privileged and unprivileged containers. All these scripts are able to guess if a container is unprivileged or not, to eventually determine its owner, and run the command accordingly with the correct syntax.
my_lxc-common
It defines common variables and functions to be imported in the following scripts.
lxu (lxc-start wrapper)
It starts a container. The usage is simple. You put UP a container in this way:
lxu <name>
If you want to pass the -F or -l or -o parameters to run the container in the foregroud and see the logs (you may want to do so when you have cgroups errors), use like this:
lxu -n <name> -F -l <LEVEL> -o <LOGFILE>
lxd (lxc-stop wrapper)
It stops (puts DOWN) a running container. Usage:
lxd <name>
lxr
It's just a combination of lxd and lxu, as it simply restarts a container. Usage:
lxr <name>
lxa (lxc-attach wrapper)
It runs a command in the container. If the container is stopped it will be started, then <command> will be executed. Usage:
lxa <name> [<command>]
If <command> is not provided the /bin/bash --rcfile /etc/profile shell will be executed.
It's worth to specify what it does behind the scene. The actual default command that will be run for an unprivileged container is:
sudo -u <user> lxc-attach -n <name> \ --keep-env \ --set-var HOSTNAME=<name>.<domain> \ --set-var USER=root \ --set-var HOME=/root \ -- /bin/bash --rcfile /etc/profile
where:
--keep-env will keep all the host's environment variables (eventually modify it for security reasons).
After that it passes some variables that we don't want to keep with respect to the host (adjust to your needs):
--set-var HOSTNAME=<name>.<domain> which sets the HOSTNAME
--set-var USER=root the shell will know that the current user is root
--set-var HOME=/root when you type cd, the shell will know where is your home dir, /root in this case, and you'll get no errors
-- /bin/bash --rcfile /etc/profile all the aliases and variables defined in /etc/profile will be loaded. Without this line, you would have a very bad prompt, and the ls command will be shown with no colours at all, for instance.
lxo (lxc-console wrapper)
It provides a console login for the specified container. Usage:
lxo <name>
lxi (lxc-info wrapper)
It queries informations about a container. Usage:
lxi <name>
lxe (lxc-execute wrapper)
It runs an application inside a container. Usage:
lxe -n <name> -- command
lxl (lxc-ls wrapper)
lxl is a lxc-ls wrapper and lists the containers, showing their status and info in a fancy color mode:
# lxl All containers NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED cont1 STOPPED 0 - - - true cont2 STOPPED 1 - - - true Unprivileged running containers of user cont3 NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED cont3 RUNNING 0 - 10.0.0.112 - false cont4 RUNNING 0 - 10.0.0.113 - false Unprivileged running containers of user cont5 NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED cont5 RUNNING 0 - 10.0.0.17 - false cont6 RUNNING 0 - 10.0.0.18 - false
lxcctl
This is a symbolic link of the /etc/rc.d/rc.lxc startup script, which is runned at boot time to launch the containers with the flag lxc.start.auto=1. It is a modification of the original script shipped with Slackware by Matteo Bernardini, but now it can start both unprivileged and privileged containers.
Usage:
lxcctl start|stop|restart
my_lxc-create
This is my lxc-create wrapper script that I use to create my Slackware containers. Its usage was covered in the previous page.
my_lxc-destroy
Wrapper script for lxc-destroy. Usage:
my_lxc-destroy <name>
my_lxc-container-userns-convert
It is a modification of the original script by Serge Hallyn, that changes the lxcpath of the container, already defined in my_lxc-common.
It converts a container to use user namespaces. In particular:
- it adds the
lxc.uidmaplines to the config file - it shifts the
uidsin therootfsby callinguidmapshift
Usage:
my_lxc-container-userns-convert <name> base-uid range
For example, to make the container c1's root be uid 100000 on the host, and a have a range of 10000 ids, you would use:
my_lxc-container-userns-convert c1 100000 10000
More info at http://bazaar.launchpad.net/~serge-hallyn/+junk/nsexec/files.
This program is called by my_lxc-turn_into_unprivileged to convert a given container to unprivileged. It can be used in standalone mode as well.
my_lxc-turn_into_unprivileged
It converts a privileged to an unprivileged container. In particular:
- It calls
my_lxc-container-userns-convertto convert a container to use user namespaces; - It creates the system user that will own the container if it doesn't exist yet;
- It configures
cgroupsandlxc-usernet.
This program is called by my_lxc-create in case the container to be created has to be unprivileged. You can also use it in standalone mode if you already have a privileged container and you want to convert it to unprivileged.
my_lxc-copy
Wrapper script for lxc-copy. Usage:
my_lxc-copy -n <name> -N <newname> [-R] [-i <ip> | -d] [-u <user>] [-h]
my_lxc-copy takes the following options:
-n <name> Name of the source container -N <newname> Name of the new container -R Rename the original container. If -R is provided the following options will be ignored. -d Use DHCP -i <ip> IP address of the container. Ignored if -d was declared -u <user> Set the system user that will own the container. <user> will be created if not existing yet. If not declared the container will be owned by the user who owns the source container and eventually remains privileged just like the source container. -h Print this help
You can rename a container like this:
my_lxc-copy -n <name> -N <newname> -R
my_lxc-freeze / my_lxc-unfreeze
lxc-freeze and lxc-unfreeze wrapper scripts. Usage:
my_lxc-freeze -n <name> my_lxc-unfreeze -n <name>
lxc-my_template
This is my LXC template for Slackware containers. It is derived from the one shipped with Slackware itself. Look at the previous page for more info.
