LXD/LXC: Installation on Ubuntu 22.04 with networking
Here I describe how I put LXD/LXC into operation on Ubuntu 22.04. Roughly speaking, the description starts from this one: LXD/LXC: Installation on Ubuntu 22.04. After that the network is configured so that the LXC containers can be reached via container names registered in DNS.
The whole procedure takes about an hour if you more or less know what has to be done.
I ran through this documentation with Ubuntu 22.04.1 and LXD 5.9.
Update the system
sudo apt update
sudo apt upgrade
Install LXD
sudo snap install lxd
Create disk space for LXC
$ sudo vgdisplay
--- Volume group ---
VG Name ubuntu-vg
...
VG Size 500 GiB
PE Size 4,00 MiB
Total PE 125000
Alloc PE / Size 61684 / 240,95 GiB
Free PE / Size 57366 / 224,09 GiB
VG UUID CZfxss-UeDu-a12223
$ sudo lvcreate -n $(hostname)-lxclv -L 50G ubuntu-vg
Logical volume "cslpc55-lxclv" created.
$ sudo lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, ceph, dir, lvm, zfs) [default=zfs]: btrfs
Create a new BTRFS pool? (yes/no) [default=yes]: yes
Would you like to use an existing block device? (yes/no) [default=no]: yes
Path to the existing block device: /dev/mapper/ubuntu--vg-cslpc55--lxclv
Would you like to connect to a MAAS server? (yes/no) [default=no]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]: no
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: yes
config:
images.auto_update_interval: "0"
networks:
- config:
ipv4.address: auto
ipv6.address: auto
description: ""
name: lxdbr0
type: ""
project: default
storage_pools:
- config:
source: /dev/mapper/ubuntu--vg-cslpc55--lxclv
description: ""
name: default
driver: btrfs
profiles:
- config: {}
description: ""
devices:
eth0:
name: eth0
network: lxdbr0
type: nic
root:
path: /
pool: default
type: disk
name: default
projects: []
cluster: null
# DNS address
root@cslpc55:~# lxc network get lxdhostonly ipv4.address
10.2.210.1/24
root@cslpc55:~# lxc network get lxdnat ipv4.address
10.38.231.1/24
# DNS domain
root@cslpc55:~# lxc network get lxdhostonly dns.domain
root@cslpc55:~# lxc network get lxdnat dns.domain
# If this option is not set, the default domain name is lxd
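The two bridges queried above, lxdhostonly and lxdnat, are not created anywhere on this page (lxd init only produced lxdbr0). The following is an added example, not the page's own commands, showing one way to create an equivalent pair with LXD's standard bridge config keys; the addresses are the ones the page reads back, and disabling IPv6 on both bridges is my assumption. The security point is that ipv4.nat=false alone does not make a bridge host-only: LXD enables IP forwarding, so the host would still forward packets from 10.2.210.0/24 to its uplink, and only ipv4.routing=false actually stops that.

```shell
#!/bin/sh
# Added example (not from the original page): create the host-only and NAT
# bridges that the hostonly/nat profiles refer to. Assumptions: bridge names,
# addresses as on the page; ipv6.address=none is an assumption.
set -eu

# Settings for each bridge kind, one "key=value" per line.
bridge_keys() {
    case "$1" in
        hostonly)
            printf '%s\n' \
                "ipv4.address=10.2.210.1/24" \
                "ipv4.nat=false" \
                "ipv4.routing=false" \
                "ipv6.address=none" ;;
        nat)
            printf '%s\n' \
                "ipv4.address=10.38.231.1/24" \
                "ipv4.nat=true" \
                "ipv6.address=none" ;;
        *) echo "unknown bridge kind: $1" >&2; return 1 ;;
    esac
}

# `lxc network get` prints the raw value, so an unset key comes back empty and
# must be mapped to LXD's default (ipv4.nat defaults to false, ipv4.routing to true).
effective_flag() {  # $1 = raw value, $2 = default
    v=$1
    [ -n "$v" ] || v=$2
    printf '%s\n' "$v"
}

# Create the bridge, or apply the settings to it if it already exists.
create_bridge() {
    name=$1; kind=$2
    if lxc network show "$name" >/dev/null 2>&1; then
        bridge_keys "$kind" | while IFS= read -r kv; do
            lxc network set "$name" "${kv%%=*}" "${kv#*=}"
        done
    else
        # shellcheck disable=SC2046
        lxc network create "$name" $(bridge_keys "$kind" | tr '\n' ' ')
    fi
}

# Check that a bridge is really host-only: no NAT and no forwarding.
is_hostonly() {
    nat=$(effective_flag "$(lxc network get "$1" ipv4.nat)" false)
    routing=$(effective_flag "$(lxc network get "$1" ipv4.routing)" true)
    [ "$nat" = false ] && [ "$routing" = false ]
}

# Run with LXD_APPLY=1 on the LXD host; the functions above are inert otherwise.
if [ "${LXD_APPLY:-0}" = 1 ]; then
    create_bridge lxdhostonly hostonly
    create_bridge lxdnat nat
    is_hostonly lxdhostonly && echo "lxdhostonly is isolated"
fi
```

Containers on lxdhostonly can still reach the host itself via 10.2.210.1 (that is what the DNS setup below relies on); they just cannot be forwarded anywhere else.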
Activate temporarily
root@cslpc55:~# resolvectl dns lxdhostonly 10.2.210.1
root@cslpc55:~# resolvectl domain lxdhostonly '~lxd'
root@cslpc55:~# resolvectl dns lxdnat 10.38.231.1
root@cslpc55:~# resolvectl domain lxdnat '~lxd'
# Test
root@cslpc55:~# lxc start ubuntu-2204
root@cslpc55:~# lxc ls
+-------------+---------+---------------------+------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-------------+---------+---------------------+------+-----------+-----------+
| ubuntu-2204 | RUNNING | 10.2.210.114 (eth0) | | CONTAINER | 0 |
+-------------+---------+---------------------+------+-----------+-----------+
root@cslpc55:~# ping ubuntu-2204.lxd
PING ubuntu-2204.lxd (10.2.210.114) 56(84) bytes of data.
64 bytes from ubuntu-2204.lxd (10.2.210.114): icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from ubuntu-2204.lxd (10.2.210.114): icmp_seq=2 ttl=64 time=0.084 ms
^C
--- ubuntu-2204.lxd ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1029ms
rtt min/avg/max/mdev = 0.045/0.064/0.084/0.019 ms
root@cslpc55:~# cat >/tmp/service-template <<EOF
[Unit]
Description=LXD per-link DNS configuration for NETWORK_BRIDGE
BindsTo=sys-subsystem-net-devices-NETWORK_BRIDGE.device
After=sys-subsystem-net-devices-NETWORK_BRIDGE.device
[Service]
Type=oneshot
ExecStart=/usr/bin/resolvectl dns NETWORK_BRIDGE DNS_ADDRESS
ExecStart=/usr/bin/resolvectl domain NETWORK_BRIDGE DNS_DOMAIN
ExecStopPost=/usr/bin/resolvectl revert NETWORK_BRIDGE
RemainAfterExit=yes
[Install]
WantedBy=sys-subsystem-net-devices-NETWORK_BRIDGE.device
EOF
root@cslpc55:~# sed -e "s/NETWORK_BRIDGE/lxdhostonly/g"\
-e "s/DNS_ADDRESS/10.2.210.1/g"\
-e "s/DNS_DOMAIN/~lxd/g"\
/tmp/service-template >/etc/systemd/system/lxd-dns-lxdhostonly.service
root@cslpc55:~# sed -e "s/NETWORK_BRIDGE/lxdnat/g"\
-e "s/DNS_ADDRESS/10.38.231.1/g"\
-e "s/DNS_DOMAIN/~lxd/g"\
/tmp/service-template >/etc/systemd/system/lxd-dns-lxdnat.service
root@cslpc55:~# rm -f /tmp/service-template
root@cslpc55:~# systemctl daemon-reload
root@cslpc55:~# systemctl enable --now lxd-dns-lxdhostonly
Created symlink /etc/systemd/system/sys-subsystem-net-devices-lxdhostonly.device.wants/lxd-dns-lxdhostonly.service → /etc/systemd/system/lxd-dns-lxdhostonly.service.
Unit /etc/systemd/system/lxd-dns-lxdhostonly.service is added as a dependency to a non-existent unit sys-subsystem-net-devices-lxdhostonly.device.
root@cslpc55:~# systemctl enable --now lxd-dns-lxdnat
Created symlink /etc/systemd/system/sys-subsystem-net-devices-lxdnat.device.wants/lxd-dns-lxdnat.service → /etc/systemd/system/lxd-dns-lxdnat.service.
Unit /etc/systemd/system/lxd-dns-lxdnat.service is added as a dependency to a non-existent unit sys-subsystem-net-devices-lxdnat.device.
Ignore the warning, reboot and test:
root@cslpc55:~# lxc ls
+-------------+---------+---------------------+------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+-------------+---------+---------------------+------+-----------+-----------+
| ubuntu-2204 | RUNNING | 10.2.210.114 (eth0) | | CONTAINER | 0 |
+-------------+---------+---------------------+------+-----------+-----------+
root@cslpc55:~# ping ubuntu-2204.lxd
PING ubuntu-2204.lxd (10.2.210.114) 56(84) bytes of data.
64 bytes from ubuntu-2204.lxd (10.2.210.114): icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from ubuntu-2204.lxd (10.2.210.114): icmp_seq=2 ttl=64 time=0.086 ms
^C
--- ubuntu-2204.lxd ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1032ms
rtt min/avg/max/mdev = 0.044/0.065/0.086/0.021 ms
root@cslpc55:~# systemctl status lxd-dns-lxdhostonly
● lxd-dns-lxdhostonly.service - LXD per-link DNS configuration for lxdhostonly
Loaded: loaded (/etc/systemd/system/lxd-dns-lxdhostonly.service; enabled; vendor preset: enabled)
Active: active (exited) since Sat 2022-12-24 09:57:05 CET; 58s ago
Process: 7003 ExecStart=/usr/bin/resolvectl dns lxdhostonly 10.2.210.1 (code=exited, status=0/SUCCESS)
Process: 7007 ExecStart=/usr/bin/resolvectl domain lxdhostonly ~lxd (code=exited, status=0/SUCCESS)
Main PID: 7007 (code=exited, status=0/SUCCESS)
CPU: 6ms
Dez 24 09:57:05 cslpc55 systemd[1]: Starting LXD per-link DNS configuration for lxdhostonly...
Dez 24 09:57:05 cslpc55 systemd[1]: Finished LXD per-link DNS configuration for lxdhostonly.
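Both the temporary resolvectl calls and the persistent units above carry the bridge address and the DNS domain as hand-copied literals. The following is an added example, not code from the original page, that reads those values from LXD itself (handling the unset dns.domain case, where LXD falls back to "lxd") and renders the page's unit template from them. It assumes the commands are run as root on the LXD host and that units go to /etc/systemd/system.

```shell
#!/bin/sh
# Added example (not from the original page): derive per-link DNS settings
# from LXD and render the systemd unit from the page's template.
set -eu

# Strip the prefix length: "10.2.210.1/24" -> "10.2.210.1".
cidr_host() {
    printf '%s\n' "${1%%/*}"
}

# Map LXD's dns.domain value to a systemd-resolved routing domain. An unset key
# prints as an empty string and LXD then uses "lxd". The leading "~" makes it a
# routing-only domain: only *.lxd queries go to the bridge's dnsmasq, and it is
# never appended as a search suffix to other names.
routing_domain() {
    d=$1
    [ -n "$d" ] || d=lxd
    printf '~%s\n' "$d"
}

# Render the unit for one bridge (same template as on the page).
render_unit() {
    bridge=$1; addr=$2; domain=$3
    cat <<EOF
[Unit]
Description=LXD per-link DNS configuration for ${bridge}
BindsTo=sys-subsystem-net-devices-${bridge}.device
After=sys-subsystem-net-devices-${bridge}.device

[Service]
Type=oneshot
ExecStart=/usr/bin/resolvectl dns ${bridge} ${addr}
ExecStart=/usr/bin/resolvectl domain ${bridge} ${domain}
ExecStopPost=/usr/bin/resolvectl revert ${bridge}
RemainAfterExit=yes

[Install]
WantedBy=sys-subsystem-net-devices-${bridge}.device
EOF
}

# Query LXD for a bridge, install its unit and apply it immediately.
install_dns_unit() {
    bridge=$1
    addr=$(cidr_host "$(lxc network get "$bridge" ipv4.address)")
    domain=$(routing_domain "$(lxc network get "$bridge" dns.domain)")
    if [ -z "$addr" ] || [ "$addr" = none ]; then
        echo "$bridge has no IPv4 address, nothing to resolve against" >&2
        return 1
    fi
    render_unit "$bridge" "$addr" "$domain" \
        >"/etc/systemd/system/lxd-dns-${bridge}.service"
    systemctl daemon-reload
    systemctl enable --now "lxd-dns-${bridge}"
}

# Run with LXD_APPLY=1 on the LXD host; the functions above are inert otherwise.
if [ "${LXD_APPLY:-0}" = 1 ]; then
    for b in lxdhostonly lxdnat; do
        install_dns_unit "$b"
    done
    resolvectl status lxdhostonly   # should list the DNS server and "~lxd"
fi
```

`resolvectl status <link>` after a reboot is the quicker check than the ping: it shows whether the per-link DNS server and routing domain survived, independently of whether a container happens to be running.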
Enable isolated user IDs for containers
By default, all unprivileged LXC containers on a host are mapped onto the same range of host user IDs (UIDs), so a process in one container carries the same host identity as the corresponding process in every other container. I prefer the extra isolation and give each container its own range (security.idmap.isolated), which needs a sufficiently large subordinate ID range for LXD:
root@cslpc55:~# cat >>/etc/subuid <<EOF
lxd:100000:1000000000
root:100000:1000000000
EOF
root@cslpc55:~# cat >>/etc/subgid <<EOF
lxd:100000:1000000000
root:100000:1000000000
EOF
root@cslpc55:~# systemctl restart snap.lxd.daemon
# Checking via the log unfortunately no longer works
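The `cat >>` above appends the two lines every time it is run, and the page notes that the daemon log no longer confirms the mapping. The following is an added example, not from the original page, that adds the entries idempotently and then checks isolation from the container side: with security.idmap.isolated=true each container gets its own base in the host range (volatile.idmap.base), so two containers reporting the same base share a map. The range values are the page's; treating an unset base as 0 is my assumption.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent subuid/subgid setup
# and a check that containers really got distinct ID maps.
set -eu

# Append "name:start:count" to a subid file unless that exact line exists.
# Prints "added" or "present".
ensure_subid() {
    file=$1; entry=$2
    if grep -qx "$entry" "$file" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$entry" >>"$file"
        echo added
    fi
}

# How many lines in a subid file belong to a name (1 is what we want; more
# usually means leftover or overlapping ranges worth cleaning up).
subid_entries_for() {
    file=$1; name=$2
    [ -f "$file" ] || { echo 0; return; }
    grep -c "^${name}:" "$file" || true
}

# Print "name base" for every container; an unset base is reported as 0
# (assumption: a non-isolated container has no base of its own).
show_idmap_bases() {
    lxc list --format csv -c n | while IFS= read -r name; do
        base=$(lxc config get "$name" volatile.idmap.base)
        printf '%s %s\n' "$name" "${base:-0}"
    done
}

# From "name base" lines on stdin, print every base used by more than one
# container. Empty output means every container has its own map.
duplicate_bases() {
    awk '$2 != "" { n[$2]++; names[$2] = names[$2] " " $1 }
         END { for (b in n) if (n[b] > 1) print b ":" names[b] }'
}

# Run with LXD_APPLY=1 on the LXD host; the functions above are inert otherwise.
if [ "${LXD_APPLY:-0}" = 1 ]; then
    for f in /etc/subuid /etc/subgid; do
        ensure_subid "$f" "lxd:100000:1000000000"
        ensure_subid "$f" "root:100000:1000000000"
    done
    systemctl restart snap.lxd.daemon
    # Existing containers only get a new map on their next start.
    show_idmap_bases | duplicate_bases
fi
```

Remember that the new map is applied when a container starts, so containers that were already running keep their old, shared mapping until restarted; the duplicate check makes that visible.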
Create profiles for network configuration and isolated user IDs
Starting point
root@cslpc55:~# lxc profile list
+---------+---------------------+---------+
| NAME | DESCRIPTION | USED BY |
+---------+---------------------+---------+
| default | Default LXD profile | 1 |
+---------+---------------------+---------+
Profile without internet access (hostonly)
root@cslpc55:~# lxc profile copy default hostonly
root@cslpc55:~# lxc profile set hostonly security.idmap.isolated=true
root@cslpc55:~# lxc profile device set hostonly eth0 network=lxdhostonly
root@cslpc55:~# lxc profile show hostonly|sed -e 's/^description:.*$/description: HOSTONLY LXD profile (without internet access)/'|lxc profile edit hostonly
root@cslpc55:~# lxc profile list
+----------+------------------------------------------------+---------+
| NAME | DESCRIPTION | USED BY |
+----------+------------------------------------------------+---------+
| default | Default LXD profile | 1 |
+----------+------------------------------------------------+---------+
| hostonly | HOSTONLY LXD profile (without internet access) | 0 |
+----------+------------------------------------------------+---------+
| nat | NAT LXD profile (with internet access) | 0 |
+----------+------------------------------------------------+---------+
root@cslpc55:~# lxc profile show hostonly
config:
security.idmap.isolated: "true"
description: HOSTONLY LXD profile (without internet access)
devices:
eth0:
name: eth0
network: lxdhostonly
type: nic
root:
path: /
pool: default
type: disk
name: hostonly
used_by: []
root@cslpc55:~# lxc profile show nat
config:
security.idmap.isolated: "true"
description: NAT LXD profile (with internet access)
devices:
eth0:
name: eth0
network: lxdhostonly
type: nic
eth1:
network: lxdnat
type: nic
root:
path: /
pool: default
type: disk
name: nat
used_by: []
Adjustments for servers
With the configuration so far, new containers are created with internet access enabled by default, because the default profile's eth0 sits on a bridge with NAT. That suits my workstation perfectly. On servers I prefer the containers to have no internet access, so the default profile is pointed at the host-only bridge instead. Note that this changes the profile itself, so it applies to every container using the default profile, not only to newly created ones:
# lxc profile device set default eth0 network=lxdhostonly
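The profile list above already contains a nat profile, but the page only shows how hostonly was built. The following is an added example, not the page's own commands, that creates the nat profile the same way (copy, add the second NIC, set the description through the same show/sed/edit round trip, since the description is not a config key), switches the default profile to host-only as on a server, and then audits which containers still end up with a NIC on lxdnat. The audit reads the expanded config so that devices inherited from profiles are counted; names are the page's, the audit helper is mine.

```shell
#!/bin/sh
# Added example (not from the original page): build the nat profile, make
# the default profile host-only, and audit internet-capable containers.
set -eu

# The page's nat profile: hostonly's eth0 plus a second NIC on lxdnat.
create_nat_profile() {
    lxc profile copy hostonly nat
    lxc profile device add nat eth1 nic network=lxdnat
    lxc profile show nat \
        | sed -e 's/^description:.*$/description: NAT LXD profile (with internet access)/' \
        | lxc profile edit nat
}

# Server setting from the page: new containers get no internet by default.
make_default_hostonly() {
    lxc profile device set default eth0 network=lxdhostonly
}

# Return 0 if the expanded YAML config on stdin has a device on the given
# network (a line like "    network: lxdnat"), 1 otherwise.
yaml_uses_network() {
    grep -Eq "^[[:space:]]+network:[[:space:]]*$1[[:space:]]*$"
}

# Name every container (running or stopped) that has a NIC on lxdnat.
audit_nat_access() {
    lxc list --format csv -c n | while IFS= read -r name; do
        if lxc config show --expanded "$name" | yaml_uses_network lxdnat; then
            echo "$name: has a NIC on lxdnat (internet access)"
        fi
    done
}

# Run with LXD_APPLY=1 on the LXD host; the functions above are inert otherwise.
if [ "${LXD_APPLY:-0}" = 1 ]; then
    create_nat_profile
    make_default_hostonly
    audit_nat_access
fi
```

The audit is the check worth keeping around on a server: a container can gain a NAT NIC through any of its profiles or through a per-container device, and only the expanded config shows the combined result.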