0. Why all this?

Raspberry Pis usually have plenty of disk space thanks to the SD card, but comparatively little CPU power. That practically calls for a lightweight isolation solution such as LXC. With it, all sorts of things can be tried out without polluting the host system.

1. Adjust /etc/fstab

From

/dev/mmcblk0p2  /               ext4    nodiratime,noatime,errors=remount-ro,discard  0  1
/dev/mmcblk0p1  /boot/firmware  vfat    nodiratime,noatime,ro,defaults                0  2

becomes

/dev/mmcblk0p2  /               ext4    nodiratime,noatime,errors=remount-ro,discard  0  1
/dev/mmcblk0p1  /boot/firmware  vfat    nodiratime,noatime,ro,defaults                0  2
cgroup          /sys/fs/cgroup  cgroup  defaults                                      0  0

2. Adjust /boot/firmware/cmdline.txt

raspi ~ » cat /boot/firmware/cmdline.txt
dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p2 rootwait net.ifnames=1 cgroup_enable=memory swapaccount=1

The last two options (cgroup_enable=memory and swapaccount=1) have to be added; they only take effect after a reboot, so reboot once afterwards.
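Steps 1 and 2 are hand edits that are easy to duplicate or forget. The script below is an added example, not code from the original post: it appends the two options to cmdline.txt only when they are missing, and after the reboot checks /etc/fstab and /proc/cgroups to confirm the cgroup mount and the memory controller are really there.

```shell
#!/bin/sh
# Added example, not from the original post: script the checks behind steps 1
# and 2 so the edit is idempotent and the result can be verified after reboot.

# fstab_has_cgroup_mount [FSTAB]: 0 if a non-comment entry mounts filesystem
# type "cgroup" on /sys/fs/cgroup (the line added to /etc/fstab in step 1).
fstab_has_cgroup_mount() {
    awk '$1 !~ /^#/ && $2 == "/sys/fs/cgroup" && $3 == "cgroup" { found = 1 }
         END { exit found ? 0 : 1 }' "${1:-/etc/fstab}"
}

# add_cmdline_opts FILE OPT...: print the single kernel command line from FILE
# with each OPT appended unless an identical token is already present.
# Nothing is written back; redirect the output yourself once it looks right.
add_cmdline_opts() {
    file=$1; shift
    line=$(head -n 1 "$file")
    for opt in "$@"; do
        case " $line " in
            *" $opt "*) ;;                 # already present, leave the line alone
            *) line="$line $opt" ;;
        esac
    done
    printf '%s\n' "$line"
}

# memory_cgroup_enabled [CGROUPS]: 0 if the memory controller shows enabled=1
# in /proc/cgroups (columns: subsys_name hierarchy num_cgroups enabled).
# This is the post-reboot check that cgroup_enable=memory did its job.
memory_cgroup_enabled() {
    awk '$1 == "memory" && $4 == 1 { found = 1 } END { exit found ? 0 : 1 }' \
        "${1:-/proc/cgroups}"
}

# Constructed sample: the command line from the post before the two options.
sample=$(mktemp)
printf '%s\n' 'dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p2 rootwait net.ifnames=1' > "$sample"
add_cmdline_opts "$sample" cgroup_enable=memory swapaccount=1
rm -f "$sample"
```

On the Pi itself, run the two check functions without arguments after the reboot; both stay silent and return 0 when steps 1 and 2 took effect.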

3. Install LXC

raspi ~ » sudo apt install lxc
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Die folgenden zusätzlichen Pakete werden installiert:
  dh-python libapparmor1 libmpdec2 libpython3-stdlib libpython3.4-minimal libpython3.4-stdlib libseccomp2 python3 python3-minimal python3.4 python3.4-minimal
Vorgeschlagene Pakete:
  lua5.2 python3-doc python3-tk python3-venv python3.4-venv python3.4-doc binutils binfmt-support
Die folgenden NEUEN Pakete werden installiert:
  dh-python libapparmor1 libmpdec2 libpython3-stdlib libpython3.4-minimal libpython3.4-stdlib libseccomp2 lxc python3 python3-minimal python3.4 python3.4-minimal
0 aktualisiert, 12 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen 4.955 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 19,2 MB Plattenplatz zusätzlich benutzt.
Holen: 1 http://httpredir.debian.org/debian/ jessie/main libmpdec2 armhf 2.4.1-1 [70,7 kB]
Holen: 2 http://httpredir.debian.org/debian/ jessie/main libpython3.4-minimal armhf 3.4.2-1 [485 kB]
Holen: 3 http://httpredir.debian.org/debian/ jessie/main libpython3.4-stdlib armhf 3.4.2-1 [2.011 kB]
…
…
dh-python (1.20141111-2) wird eingerichtet ...
Trigger für libc-bin (2.19-18+deb8u2) werden verarbeitet ...
raspi ~ »

Quick check that everything worked:

tsterminalserver ~ » sudo lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

4. Install a first container

I went with a standard Jessie (a.k.a. Debian stable at the time of this blog post):

raspi ~ » sudo lxc-create -t debian --name debian8 -- -r jessie
debootstrap ist /usr/sbin/debootstrap
Checking cache download in /var/cache/lxc/debian/rootfs-jessie-armhf ...
Downloading debian minimal ...
I: Retrieving Release 
…
…
Current default time zone: 'Europe/Berlin'
Local time is now:      Tue Feb  9 01:03:46 CET 2016.
Universal Time is now:  Tue Feb  9 00:03:46 UTC 2016.

Root password is <meeep>, please change !
tsterminalserver ~ »

5. Start LXC

tsterminalserver ~ » sudo lxc-start -n debian8
systemd 215 running in system mode. (+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR)
Detected virtualization 'lxc'.
Detected architecture 'arm'.

Welcome to Debian GNU/Linux 8 (jessie)!

Set hostname to <debian8>.
Cannot add dependency job for unit dbus.socket, ignoring: Unit dbus.socket failed to load: No such file or directory.
[  OK  ] Reached target Remote File Systems (Pre).
[  OK  ] Started Update UTMP about System Runlevel Changes.
…
…
Debian GNU/Linux 8 debian8 console

debian8 login: root
Passwort: 
Letzte Anmeldung: Dienstag, den 09. Februar 2016, 00:10:56 CET auf console
Linux debian8 3.18.0-trunk-rpi2 #1 SMP PREEMPT Debian 3.18.5-1~exp1.co1 (2015-02-02) armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@debian8:~#

Done. :)

Update: What to do when lxc-start does not come up?

Symptom:

igor ~ » lxc-start -n igorina --logpriority DEBUG --logfile /dev/stdout
      lxc-start 1455802896.362 INFO     lxc_start_ui - using rcfile /var/lib/lxc/igorina/config
      lxc-start 1455802896.363 WARN     lxc_confile - unsupported personality 'armhf'
      lxc-start 1455802896.363 WARN     lxc_log - lxc_log_init called with log already initialized
      lxc-start 1455802896.364 INFO     lxc_lsm - LSM security driver nop
      lxc-start 1455802896.366 INFO     lxc_seccomp - processing: .[all].
      lxc-start 1455802896.367 INFO     lxc_seccomp - processing: .kexec_load errno 1.
      lxc-start 1455802896.367 INFO     lxc_seccomp - Adding non-compat rule for kexec_load action 327681
      lxc-start 1455802896.367 INFO     lxc_seccomp - processing: .open_by_handle_at errno 1.
      lxc-start 1455802896.367 INFO     lxc_seccomp - Adding non-compat rule for open_by_handle_at action 327681
      lxc-start 1455802896.367 INFO     lxc_seccomp - processing: .init_module errno 1.
      lxc-start 1455802896.367 INFO     lxc_seccomp - Adding non-compat rule for init_module action 327681
      lxc-start 1455802896.367 INFO     lxc_seccomp - processing: .finit_module errno 1.
      lxc-start 1455802896.367 INFO     lxc_seccomp - Adding non-compat rule for finit_module action 327681
      lxc-start 1455802896.368 INFO     lxc_seccomp - processing: .delete_module errno 1.
      lxc-start 1455802896.368 INFO     lxc_seccomp - Adding non-compat rule for delete_module action 327681
      lxc-start 1455802896.372 DEBUG    lxc_conf - allocated pty '/dev/pts/3' (5/6)
      lxc-start 1455802896.373 DEBUG    lxc_conf - allocated pty '/dev/pts/4' (7/8)
      lxc-start 1455802896.374 DEBUG    lxc_conf - allocated pty '/dev/pts/5' (9/10)
      lxc-start 1455802896.375 DEBUG    lxc_conf - allocated pty '/dev/pts/6' (11/12)
      lxc-start 1455802896.375 INFO     lxc_conf - tty's configured
      lxc-start 1455802896.375 DEBUG    lxc_start - sigchild handler set
      lxc-start 1455802896.376 DEBUG    lxc_console - opening /dev/tty for console peer
      lxc-start 1455802896.376 DEBUG    lxc_console - using '/dev/tty' as console
      lxc-start 1455802896.377 DEBUG    lxc_console - 370 got SIGWINCH fd 17
      lxc-start 1455802896.377 DEBUG    lxc_console - set winsz dstfd:14 cols:274 rows:78
      lxc-start 1455802896.379 INFO     lxc_start - 'igorina' is initialized
      lxc-start 1455802896.382 DEBUG    lxc_start - Not dropping cap_sys_boot or watching utmp
      lxc-start 1455802896.383 INFO     lxc_cgroup - cgroup driver cgroupfs initing for igorina
      lxc-start 1455802896.397 DEBUG    lxc_cgfs - cgroup 'devices.deny' set to 'a'
      lxc-start 1455802896.397 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c *:* m'
      lxc-start 1455802896.397 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'b *:* m'
      lxc-start 1455802896.397 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:3 rwm'
      lxc-start 1455802896.397 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:5 rwm'
      lxc-start 1455802896.397 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 5:0 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 5:1 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:8 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:9 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 5:2 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 136:* rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 254:0 rm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 10:229 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 10:200 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:7 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 10:228 rwm'
      lxc-start 1455802896.398 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 10:232 rwm'
      lxc-start 1455802896.398 INFO     lxc_cgfs - cgroup has been setup
      lxc-start 1455802896.409 DEBUG    lxc_conf - mounted '/var/lib/lxc/igorina/rootfs' on '/usr/lib/arm-linux-gnueabihf/lxc/rootfs'
      lxc-start 1455802896.410 INFO     lxc_conf - 'igorina' hostname has been setup
      lxc-start 1455802896.410 INFO     lxc_conf - network has been setup
      lxc-start 1455802896.410 INFO     lxc_conf - Mounting /dev under /usr/lib/arm-linux-gnueabihf/lxc/rootfs
      lxc-start 1455802896.410 DEBUG    lxc_conf - entering mount_check_fs for /dev
      lxc-start 1455802896.411 DEBUG    lxc_conf - mount_check_fs returning 1 last devtmpfs
      lxc-start 1455802896.416 DEBUG    lxc_conf - Bind mounting /dev/.lxc/igorina.82c095b71a99b5c7 to /usr/lib/arm-linux-gnueabihf/lxc/rootfs/dev
      lxc-start 1455802896.417 INFO     lxc_conf - Mounted /dev under /usr/lib/arm-linux-gnueabihf/lxc/rootfs
      lxc-start 1455802896.423 INFO     lxc_conf - mount points have been setup
      lxc-start 1455802896.426 DEBUG    lxc_conf - mounted 'proc' on '/usr/lib/arm-linux-gnueabihf/lxc/rootfs/proc', type 'proc'
      lxc-start 1455802896.427 DEBUG    lxc_conf - mounted 'sysfs' on '/usr/lib/arm-linux-gnueabihf/lxc/rootfs/sys', type 'sysfs'
      lxc-start 1455802896.427 INFO     lxc_conf - mount points have been setup
      lxc-start 1455802896.428 INFO     lxc_conf - Creating initial consoles under /usr/lib/arm-linux-gnueabihf/lxc/rootfs/dev
      lxc-start 1455802896.428 INFO     lxc_conf - Populating /dev under /usr/lib/arm-linux-gnueabihf/lxc/rootfs
      lxc-start 1455802896.428 INFO     lxc_conf - Populated /dev under /usr/lib/arm-linux-gnueabihf/lxc/rootfs
      lxc-start 1455802896.429 INFO     lxc_conf - console has been setup
      lxc-start 1455802896.433 INFO     lxc_conf - 4 tty(s) has been setup
      lxc-start 1455802896.433 INFO     lxc_conf - I am 1, /proc/self points to '1'
      lxc-start 1455802896.442 DEBUG    lxc_conf - created '/usr/lib/arm-linux-gnueabihf/lxc/rootfs/lxc_putold' directory
      lxc-start 1455802896.442 DEBUG    lxc_conf - mountpoint for old rootfs is '/usr/lib/arm-linux-gnueabihf/lxc/rootfs/lxc_putold'
      lxc-start 1455802896.442 DEBUG    lxc_conf - pivot_root syscall to '/usr/lib/arm-linux-gnueabihf/lxc/rootfs' successful
      lxc-start 1455802896.496 DEBUG    lxc_conf - umounted '/lxc_putold/dev/shm'
      lxc-start 1455802896.536 DEBUG    lxc_conf - umounted '/lxc_putold/dev/pts'
      lxc-start 1455802896.576 DEBUG    lxc_conf - umounted '/lxc_putold/dev/mqueue'
      lxc-start 1455802896.606 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup/systemd'
      lxc-start 1455802896.636 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup/cpuset'
      lxc-start 1455802896.676 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup/cpu,cpuacct'
      lxc-start 1455802896.706 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup/blkio'
      lxc-start 1455802896.736 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup/memory'
      lxc-start 1455802896.776 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup/devices'
      lxc-start 1455802896.816 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup/freezer'
      lxc-start 1455802896.856 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup/net_cls'
      lxc-start 1455802896.896 DEBUG    lxc_conf - umounted '/lxc_putold/sys/kernel/debug'
      lxc-start 1455802896.936 DEBUG    lxc_conf - umounted '/lxc_putold/sys/kernel/config'
      lxc-start 1455802896.966 DEBUG    lxc_conf - umounted '/lxc_putold/proc/sys/fs/binfmt_misc'
      lxc-start 1455802896.996 DEBUG    lxc_conf - umounted '/lxc_putold/run/lock'
      lxc-start 1455802897.046 DEBUG    lxc_conf - umounted '/lxc_putold/etc/machine-id'
      lxc-start 1455802897.086 DEBUG    lxc_conf - umounted '/lxc_putold/boot'
      lxc-start 1455802897.126 DEBUG    lxc_conf - umounted '/lxc_putold/dev'
      lxc-start 1455802897.166 DEBUG    lxc_conf - umounted '/lxc_putold/sys/fs/cgroup'
      lxc-start 1455802897.196 DEBUG    lxc_conf - umounted '/lxc_putold/proc'
      lxc-start 1455802897.236 DEBUG    lxc_conf - umounted '/lxc_putold/run'
      lxc-start 1455802897.276 DEBUG    lxc_conf - umounted '/lxc_putold/sys'
      lxc-start 1455802897.306 DEBUG    lxc_conf - umounted '/lxc_putold'
      lxc-start 1455802897.307 DEBUG    lxc_conf - drop capability 'sys_module' (16)
      lxc-start 1455802897.308 DEBUG    lxc_conf - drop capability 'mac_admin' (33)
      lxc-start 1455802897.309 DEBUG    lxc_conf - drop capability 'mac_override' (32)
      lxc-start 1455802897.310 DEBUG    lxc_conf - drop capability 'sys_time' (25)
      lxc-start 1455802897.310 DEBUG    lxc_conf - capabilities have been setup
      lxc-start 1455802897.311 NOTICE   lxc_conf - 'igorina' is setup.
      lxc-start 1455802897.312 DEBUG    lxc_cgfs - cgroup 'devices.deny' set to 'a'
      lxc-start 1455802897.313 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c *:* m'
      lxc-start 1455802897.314 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'b *:* m'
      lxc-start 1455802897.315 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:3 rwm'
      lxc-start 1455802897.316 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:5 rwm'
      lxc-start 1455802897.317 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 5:0 rwm'
      lxc-start 1455802897.318 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 5:1 rwm'
      lxc-start 1455802897.319 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:8 rwm'
      lxc-start 1455802897.320 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:9 rwm'
      lxc-start 1455802897.321 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 5:2 rwm'
      lxc-start 1455802897.322 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 136:* rwm'
      lxc-start 1455802897.323 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 254:0 rm'
      lxc-start 1455802897.324 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 10:229 rwm'
      lxc-start 1455802897.324 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 10:200 rwm'
      lxc-start 1455802897.325 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 1:7 rwm'
      lxc-start 1455802897.326 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 10:228 rwm'
      lxc-start 1455802897.327 DEBUG    lxc_cgfs - cgroup 'devices.allow' set to 'c 10:232 rwm'
      lxc-start 1455802897.328 INFO     lxc_cgfs - cgroup has been setup
      lxc-start 1455802897.329 ERROR    lxc_seccomp - Error loading the seccomp policy
      lxc-start 1455802897.331 ERROR    lxc_sync - invalid sequence number 1. expected 4
      lxc-start 1455802897.332 ERROR    lxc_start - failed to spawn 'igorina'
      lxc-start 1455802897.335 INFO     lxc_conf - Cleaning /dev/.lxc/igorina.82c095b71a99b5c7
      lxc-start 1455802897.337 ERROR    lxc_cgfs - Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/net_cls/lxc/igorina
      lxc-start 1455802897.339 ERROR    lxc_cgfs - Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/freezer/lxc/igorina
      lxc-start 1455802897.341 ERROR    lxc_cgfs - Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/devices/lxc/igorina
      lxc-start 1455802897.343 ERROR    lxc_cgfs - Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/memory/lxc/igorina
      lxc-start 1455802897.346 ERROR    lxc_cgfs - Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/blkio/lxc/igorina
      lxc-start 1455802897.348 ERROR    lxc_cgfs - Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpu,cpuacct/lxc/igorina
      lxc-start 1455802897.350 ERROR    lxc_cgfs - Device or resource busy - cgroup_rmdir: failed to delete /sys/fs/cgroup/cpuset/lxc/igorina
      lxc-start 1455802897.352 ERROR    lxc_start_ui - The container failed to start.
      lxc-start 1455802897.354 ERROR    lxc_start_ui - Additional information can be obtained by setting the --logfile and --logpriority options.

Solution:

  1. Copy /usr/share/lxc/config/debian.common.conf to /etc/lxc/
  2. Edit /etc/lxc/debian.common.conf and comment out the following line (shown here already commented out, marked with the arrow):

# Blacklist some syscalls which are not safe in privileged
# containers
# lxc.seccomp = /etc/lxc/empty.seccomp <---

  3. Edit /var/lib/lxc/<name>/config and use the new file.
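Commenting out lxc.seccomp is a trade: the log above shows the policy blocking kexec_load, open_by_handle_at, init_module, finit_module and delete_module, and without it the privileged container can reach those syscalls again, so the line should only go when the kernel cannot load the policy anyway ("Error loading the seccomp policy"). The script below is an added example, not part of the original post; it checks for the Seccomp field in /proc/self/status, which only kernels built with CONFIG_SECCOMP expose, and applies the edits from steps 2 and 3 by sed. It assumes the container config pulls in debian.common.conf through an lxc.include line, as the debian template does.

```shell
#!/bin/sh
# Added example, not from the original post: drop the seccomp blacklist only
# when the running kernel has no seccomp, and script the two config edits.

# kernel_has_seccomp [STATUS_FILE]: 0 if the kernel was built with
# CONFIG_SECCOMP; such kernels show a "Seccomp:" field in /proc/<pid>/status.
kernel_has_seccomp() {
    grep -q '^Seccomp:' "${1:-/proc/self/status}"
}

# count_active_seccomp FILE: number of uncommented lxc.seccomp lines in FILE.
count_active_seccomp() {
    grep -c '^[[:space:]]*lxc\.seccomp[[:space:]]*=' "$1" || true
}

# disable_seccomp_line SRC DST: copy SRC to DST with every active lxc.seccomp
# line commented out (step 2 of the fix, done by sed instead of by hand).
disable_seccomp_line() {
    sed 's/^\([[:space:]]*\)lxc\.seccomp[[:space:]]*=/\1# lxc.seccomp =/' "$1" > "$2"
}

# redirect_include FILE OLD NEW: rewrite "lxc.include = OLD" to "lxc.include = NEW"
# in FILE (step 3 of the fix). Written via a temp file; sed -i is not portable.
redirect_include() {
    sed "s#^\([[:space:]]*lxc\.include[[:space:]]*=[[:space:]]*\)$2\$#\1$3#" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Worked run on a constructed copy of the line from the post. The edit is only
# applied when seccomp is really missing; if the kernel has seccomp and loading
# still fails, the cause lies elsewhere and the blacklist should stay in place.
src=$(mktemp); dst=$(mktemp)
printf '%s\n' 'lxc.seccomp = /etc/lxc/empty.seccomp' > "$src"
if kernel_has_seccomp; then
    echo "kernel has seccomp: keep lxc.seccomp, the blacklist can be enforced"
else
    disable_seccomp_line "$src" "$dst"
    cat "$dst"   # -> "# lxc.seccomp = /etc/lxc/empty.seccomp"
fi
rm -f "$src" "$dst"
```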