Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "LXD"

From Funtoo
Jump to navigation Jump to search
(Prepared the page for translation)
Line 1: Line 1:
<languages/>
<translate>
</translate>
{{Subpages|GPU Acceleration}}
{{Subpages|GPU Acceleration}}
<translate>


== Introduction ==
== Introduction ==
Line 5: Line 10:
LXD is a container "hypervisor" designed to provide an easy set of tools to manage Linux containers, and its development is currently being led by employees at Canonical. You can learn more about the project in general at https://linuxcontainers.org/lxd/ .  
LXD is a container "hypervisor" designed to provide an easy set of tools to manage Linux containers, and its development is currently being led by employees at Canonical. You can learn more about the project in general at https://linuxcontainers.org/lxd/ .  


LXD is currently used for container infrastructure for [[Funtoo Containers]] and is also very well-supported under Funtoo Linux. For this reason, it's recommended that you check out LXD and see what it can do for you.
LXD is currently used for container infrastructure for [[Special:MyLanguage/Funtoo Containers|Funtoo Containers]] and is also very well-supported under Funtoo Linux. For this reason, it's recommended that you check out LXD and see what it can do for you.
 


== Basic Setup on Funtoo ==
== Basic Setup on Funtoo ==


The following steps will show you how to set up a basic LXD environment under Funtoo Linux. This environment will essentially use the default LXD setup -- a will be created called {{c|lxdbr0}} which will use NAT to provide Internet access to your containers. In addition, a default storage pool will be created that will simply use your existing filesystem's storage, creating a directory at {{f|/var/lib/lxd/storage-pools/default}} to store any containers you create. More sophisticated configurations are possible that use dedicated network bridges connected to physical interfaces without NAT, as well as dedicated storage pools that use [[ZFS]] and [[BTRFS]] -- however, these types of configurations are generally overkill for a developer workstation and should only be attempted by advanced users. So we won't cover them here.
The following steps will show you how to set up a basic LXD environment under Funtoo Linux. This environment will essentially use the default LXD setup -- a will be created called {{c|lxdbr0}} which will use NAT to provide Internet access to your containers. In addition, a default storage pool will be created that will simply use your existing filesystem's storage, creating a directory at {{f|/var/lib/lxd/storage-pools/default}} to store any containers you create. More sophisticated configurations are possible that use dedicated network bridges connected to physical interfaces without NAT, as well as dedicated storage pools that use [[Special:MyLanguage/ZFS|ZFS]] and [[Special:MyLanguage/BTRFS|BTRFS]] -- however, these types of configurations are generally overkill for a developer workstation and should only be attempted by advanced users. So we won't cover them here.
 


=== Requirements ===
=== Requirements ===
Line 17: Line 24:
The first step is to emerge LXD and its dependencies. Perform the following:
The first step is to emerge LXD and its dependencies. Perform the following:


</translate>
{{console|body=
{{console|body=
# ##i##emerge -a lxd
# ##i##emerge -a lxd
}}
}}
<translate>


Once LXD is done emerging, we will want to enable it to start by default:
Once LXD is done emerging, we will want to enable it to start by default:


</translate>
{{console|body=
{{console|body=
# ##i##rc-update add lxd default
# ##i##rc-update add lxd default
}}
}}
<translate>


In addition, we will want to set up the following files. {{f|/etc/security/limits.conf}} should be modified to have the following lines in it:
In addition, we will want to set up the following files. {{f|/etc/security/limits.conf}} should be modified to have the following lines in it:


</translate>
{{file|name=/etc/security/limits.conf|body=
{{file|name=/etc/security/limits.conf|body=
*      soft    nofile  1048576
*      soft    nofile  1048576
Line 38: Line 50:
# End of file
# End of file
}}
}}
<translate>


In addition, we will want to map a set of user ids and group ids to the root user so they are available for its use. Do this by creating the {{f|/etc/subuid}} and {{f|/etc/subgid}} files with the following identical contents:
In addition, we will want to map a set of user ids and group ids to the root user so they are available for its use. Do this by creating the {{f|/etc/subuid}} and {{f|/etc/subgid}} files with the following identical contents:


</translate>
{{file|name=/etc/subuid|body=
{{file|name=/etc/subuid|body=
root:100000:1000000000
root:100000:1000000000
}}
}}
<translate>


</translate>
{{file|name=/etc/subgid|body=
{{file|name=/etc/subgid|body=
root:100000:1000000000
root:100000:1000000000
}}
}}
<translate>


At this point we are ready to initialize and start LXD.
At this point we are ready to initialize and start LXD.


=== Initialization ===
=== Initialization ===
Line 55: Line 73:
To configure LXD, first we will need to start LXD. This can be done as follows:
To configure LXD, first we will need to start LXD. This can be done as follows:


</translate>
{{console|body=
{{console|body=
# ##i##/etc/init.d/lxd start
# ##i##/etc/init.d/lxd start
}}
}}
<translate>


At this point, we can run {{c|lxd init}} to run a configuration wizard to set up LXD:
At this point, we can run {{c|lxd init}} to run a configuration wizard to set up LXD:


</translate>
{{console|body=
{{console|body=
# ##i##lxd init
# ##i##lxd init
Line 77: Line 98:
#
#
}}
}}
<translate>


As you can see, we chose all the default 'except' for storage pool, where we opted for using a directory-based container
As you can see, we chose all the default 'except' for storage pool, where we opted for using a directory-based container
storage rather than [[BTRFS]]. Now, we should be able to run {{c|lxc image list}} and get a response from the LXD daemon:
storage rather than [[Special:MyLanguage/BTRFS|BTRFS]]. Now, we should be able to run {{c|lxc image list}} and get a response from the LXD daemon:


</translate>
{{console|body=
{{console|body=
# ##i##lxc image list
# ##i##lxc image list
+-------+-------------+--------+-------------+------+------+-------------+
+-------+-------------+--------+-------------+------+------+-------------+
{{!}} ALIAS {{!}} FINGERPRINT {{!}} PUBLIC {{!}} DESCRIPTION {{!}} ARCH {{!}} SIZE {{!}} UPLOAD DATE {{!}}
{{!}}
<translate> ALIAS {{!}} FINGERPRINT {{!}} PUBLIC {{!}} DESCRIPTION {{!}} ARCH {{!}} SIZE {{!}} UPLOAD DATE {{!}}
+-------+-------------+--------+-------------+------+------+-------------+
+-------+-------------+--------+-------------+------+------+-------------+
#
#
Line 95: Line 119:
the following file using {{c|wget}}:
the following file using {{c|wget}}:


</translate>
{{console|body=
{{console|body=
# ##i##wget https://build.funtoo.org/1.3-release-std/x86-64bit/intel64-skylake/lxd-intel64-skylake-1.3-release-std-2019-06-11.tar.xz
# ##i##wget https://build.funtoo.org/1.3-release-std/x86-64bit/intel64-skylake/lxd-intel64-skylake-1.3-release-std-2019-06-11.tar.xz
}}
}}
<translate>


Once downloaded, this image can be installed using the following command:
Once downloaded, this image can be installed using the following command:
</translate>
{{console|body=
{{console|body=
# ##i##lxc image import lxd-intel64-skylake-1.3-release-std-2019-06-11.tar.xz --alias funtoo
# ##i##lxc image import lxd-intel64-skylake-1.3-release-std-2019-06-11.tar.xz --alias funtoo
Image imported with fingerprint: fe4d27fb31bfaf3bd4f470e0ea43d26a6c05991de2a504b9e0a3b1a266dddc69
Image imported with fingerprint: fe4d27fb31bfaf3bd4f470e0ea43d26a6c05991de2a504b9e0a3b1a266dddc69
}}
}}
<translate>


Now you will see the image available in our image list:
Now you will see the image available in our image list:


</translate>
{{console|body=
{{console|body=
# ##i##lxc image list
# ##i##lxc image list
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
{{!}} ALIAS  {{!}} FINGERPRINT  {{!}} PUBLIC {{!}}                DESCRIPTION                {{!}}  ARCH  {{!}}  SIZE  {{!}}        UPLOAD DATE          {{!}}
{{!}}
<translate> ALIAS  {{!}} FINGERPRINT  {{!}} PUBLIC {{!}}                DESCRIPTION                {{!}}  ARCH  {{!}}  SIZE  {{!}}        UPLOAD DATE          {{!}}
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
{{!}} funtoo {{!}} fe4d27fb31bf {{!}} no    {{!}} 1.3 Release Skylake 64bit [std] 2019-06-14 {{!}} x86_64 {{!}} 279.35MB {{!}} Jun 15, 2019 at 3:09am (UTC) {{!}}
</translate>
{{!}}
<translate> funtoo {{!}} fe4d27fb31bf {{!}} no    {{!}} 1.3 Release Skylake 64bit [std] 2019-06-14 {{!}} x86_64 {{!}} 279.35MB {{!}} Jun 15, 2019 at 3:09am (UTC) {{!}}
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
#
#
}}
}}


=== First Containeer ===
=== First Containeer ===
Line 121: Line 154:
It is now time to launch our first container. This can be done as follows:
It is now time to launch our first container. This can be done as follows:


</translate>
{{console|body=
{{console|body=
# ##i##lxc launch funtoo testcontainer
# ##i##lxc launch funtoo testcontainer
Line 126: Line 160:
Starting testcontainer
Starting testcontainer
}}
}}
<translate>


We can now see the container running via {{c|lxc list}}:
We can now see the container running via {{c|lxc list}}:


</translate>
{{console|body=
{{console|body=
# ##i##lxc list
# ##i##lxc list
+---------------+---------+------+-----------------------------------------------+------------+-----------+
+---------------+---------+------+-----------------------------------------------+------------+-----------+
{{!}}    NAME      {{!}}  STATE  {{!}} IPV4 {{!}}                    IPV6                      {{!}}    TYPE    {{!}} SNAPSHOTS {{!}}
{{!}}
<translate>     NAME      {{!}}  STATE  {{!}} IPV4 {{!}}                    IPV6                      {{!}}    TYPE    {{!}} SNAPSHOTS {{!}}
+---------------+---------+------+-----------------------------------------------+------------+-----------+
+---------------+---------+------+-----------------------------------------------+------------+-----------+
{{!}} testcontainer {{!}} RUNNING {{!}}      {{!}} fd42:8063:81cb:988c:216:3eff:fe2a:f901 (eth0) {{!}} PERSISTENT {{!}}          {{!}}
</translate>
{{!}}
<translate> testcontainer {{!}} RUNNING {{!}}      {{!}} fd42:8063:81cb:988c:216:3eff:fe2a:f901 (eth0) {{!}} PERSISTENT {{!}}          {{!}}
+---------------+---------+------+-----------------------------------------------+------------+-----------+
+---------------+---------+------+-----------------------------------------------+------------+-----------+
#
#
Line 141: Line 180:
By default, our new container {{c|testcontainer}} will use the default profile, which will connect an {{c|eth0}} interface in the container to NAT, and will also use our directory-based LXD storage pool. We can now enter the container as follows:
By default, our new container {{c|testcontainer}} will use the default profile, which will connect an {{c|eth0}} interface in the container to NAT, and will also use our directory-based LXD storage pool. We can now enter the container as follows:


</translate>
{{console|body=
{{console|body=
# ##i##lxc exec testcontainer -- su --login
# ##i##lxc exec testcontainer -- su --login
%testcontainer%
%testcontainer%
}}
}}
<translate>


As you might have noticed, we do not yet have any IPv4 networking configured. While LXD has set up a bridge and NAT for us, along with a DHCP server to query, we actually need to use {{c|dhcpcd}} to query for an IP address, so let's get that set up:
As you might have noticed, we do not yet have any IPv4 networking configured. While LXD has set up a bridge and NAT for us, along with a DHCP server to query, we actually need to use {{c|dhcpcd}} to query for an IP address, so let's get that set up:


</translate>
{{console|body=
{{console|body=
%testcontainer% ##i##echo "template=dhcpcd" > /etc/conf.d/netif.eth0
%testcontainer% ##i##echo "template=dhcpcd" > /etc/conf.d/netif.eth0
Line 161: Line 203:
%testcontainer% ##i##
%testcontainer% ##i##
}}
}}
<translate>


You can now see that {{c|eth0}} has a valid IPv4 address:
You can now see that {{c|eth0}} has a valid IPv4 address:


</translate>
{{console|body=
{{console|body=
%testcontainer% ##i##ifconfig
%testcontainer% ##i##ifconfig
Line 176: Line 220:
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
}}
}}
<translate>


Time to have some fun!
Time to have some fun!


</translate>
{{console|body=
{{console|body=
%testcontainer% ##i##ego sync
%testcontainer% ##i##ego sync
}}
}}
<translate>


== Another Nice LXD Administration Tutorial ==
== Another Nice LXD Administration Tutorial ==


This section contains another nice LXD tutorial that can be used to learn more about profiles and other features of LXD.
This section contains another nice LXD tutorial that can be used to learn more about profiles and other features of LXD.


=== Terminology ===
=== Terminology ===
Line 192: Line 241:


LXD is '''image''' based, all LXD containers come from an image. Images are typically clean Linux distribution images similar to what you would use for a virtual machine or cloud instance. It is possible to “publish” a container, making an image from it which can then be used by the local or remote LXD hosts.
LXD is '''image''' based, all LXD containers come from an image. Images are typically clean Linux distribution images similar to what you would use for a virtual machine or cloud instance. It is possible to “publish” a container, making an image from it which can then be used by the local or remote LXD hosts.


=== Our first image ===
=== Our first image ===
Let's get our hands even more dirty and create our first image. We will be using a generic 64 bit Funtoo Linux image.  
Let's get our hands even more dirty and create our first image. We will be using a generic 64 bit Funtoo Linux image.  


</translate>
{{note|The Funtoo's default build host is building only westmere stage for now.}}
{{note|The Funtoo's default build host is building only westmere stage for now.}}
<translate>


Grab the image here:
Grab the image here:
Line 204: Line 257:
https://build.funtoo.org/funtoo-current/x86-64bit/intel64-westmere/lxd-latest.tar.xz.hash.txt
https://build.funtoo.org/funtoo-current/x86-64bit/intel64-westmere/lxd-latest.tar.xz.hash.txt


</translate>
{{tip|Check the hash of the downloaded file against the one from server. Proceed if they match. }}
{{tip|Check the hash of the downloaded file against the one from server. Proceed if they match. }}
<translate>


==== Import the image ====
==== Import the image ====
After we have successfully downloaded the archive we can now finally import it into LXD and start using it as our "seed" image for all our containers.
After we have successfully downloaded the archive we can now finally import it into LXD and start using it as our "seed" image for all our containers.
</translate>
{{console|body=
{{console|body=
###i## lxc image import lxd-latest.tar.xz --alias funtoo
###i## lxc image import lxd-latest.tar.xz --alias funtoo
Line 218: Line 276:
+--------+--------------+--------+------------------------------------+--------+----------+-----------------------------+
+--------+--------------+--------+------------------------------------+--------+----------+-----------------------------+
</nowiki>}}
</nowiki>}}
<translate>
And there we have our very first Funtoo Linux image imported inside LXD.  You can reference the image through the alias or through the fingerprint. Aliases can be added also later.
And there we have our very first Funtoo Linux image imported inside LXD.  You can reference the image through the alias or through the fingerprint. Aliases can be added also later.


Let me show you some basic usage then.
Let me show you some basic usage then.


=== Creating your first container ===
=== Creating your first container ===
So now we can launch our first container. That is done using this command:
So now we can launch our first container. That is done using this command:


</translate>
{{console|body=
{{console|body=
###i## lxc launch funtoo fun-1
###i## lxc launch funtoo fun-1
Line 236: Line 298:
+-------+---------+------+-----------------------------------------------+------------+-----------+
+-------+---------+------+-----------------------------------------------+------------+-----------+
</nowiki>}}
</nowiki>}}
<translate>


</translate>
{{tip|lxc launch is a shortcut for lxc init and lxc start, lxc init creates the container without starting it. }}
{{tip|lxc launch is a shortcut for lxc init and lxc start, lxc init creates the container without starting it. }}
<translate>


==== Profiles intermezzo ====
==== Profiles intermezzo ====
LXD has the ability to change quite a few container settings, including resource limitation, control of container startup and a variety of device pass-through options using what is called profiles. Multiple profiles can be applied to a single container, and the last profile overrides the other ones it the resources being configured is the same for multiple profiles. Let me show you how can this be used.
LXD has the ability to change quite a few container settings, including resource limitation, control of container startup and a variety of device pass-through options using what is called profiles. Multiple profiles can be applied to a single container, and the last profile overrides the other ones it the resources being configured is the same for multiple profiles. Let me show you how can this be used.


This is the default profile that gets inherited by all containers.
This is the default profile that gets inherited by all containers.
</translate>
{{console|body=
{{console|body=
###i## lxc profile list
###i## lxc profile list
Line 267: Line 335:
- /1.0/containers/fun-1
- /1.0/containers/fun-1
}}
}}
<translate>


Now let's edit this profile for our funtoo containers. It will include some useful stuff.
Now let's edit this profile for our funtoo containers. It will include some useful stuff.


</translate>
{{console|body=
{{console|body=
###i## lxc profile set default raw.lxc "lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir"
###i## lxc profile set default raw.lxc "lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir"
Line 276: Line 346:
###i## lxc profile set default environment.LC_COLLATE "POSIX"
###i## lxc profile set default environment.LC_COLLATE "POSIX"
}}
}}
<translate>


Profiles can store any configuration that a container can (key/value or devices) and any number of profiles can be applied to a container. Profiles are applied in the order they are specified so the last profile to specify a specific key wins. In any case, resource-specific configuration always overrides that coming from the profiles.
Profiles can store any configuration that a container can (key/value or devices) and any number of profiles can be applied to a container. Profiles are applied in the order they are specified so the last profile to specify a specific key wins. In any case, resource-specific configuration always overrides that coming from the profiles.
Line 281: Line 352:
The default profile is set for any new container created which doesn't specify a different profiles list.
The default profile is set for any new container created which doesn't specify a different profiles list.


</translate>
{{note|LXD supports simple instance types. Those are represented as a string which can be passed at container creation time. [https://github.com/lxc/lxd/blob/master/doc/containers.md#instance-types containers.md#instance-types]}}
{{note|LXD supports simple instance types. Those are represented as a string which can be passed at container creation time. [https://github.com/lxc/lxd/blob/master/doc/containers.md#instance-types containers.md#instance-types]}}
<translate>


=== Using our first container ===
=== Using our first container ===
After we have done all these customizations we can now start using our container.
After we have done all these customizations we can now start using our container.
The next command will give us shell inside the container.
The next command will give us shell inside the container.


</translate>
{{console|body=
{{console|body=
###i## lxc exec fun-1 bash
###i## lxc exec fun-1 bash
}}
}}
<translate>


Now you should see a different prompt starting with
Now you should see a different prompt starting with


</translate>
{{console|body=
{{console|body=
fun-1 ~ #
fun-1 ~ #
}}
}}
<translate>


If we run top or ps for example we will see only the processes of the container.
If we run top or ps for example we will see only the processes of the container.


</translate>
{{console|body=
{{console|body=
fun-1 ~ # ps aux
fun-1 ~ # ps aux
Line 307: Line 387:
root      317  0.0  0.0  19200  2260 ?        R+  13:29  0:00 ps aux
root      317  0.0  0.0  19200  2260 ?        R+  13:29  0:00 ps aux
}}
}}
<translate>


As you can see only the container's processes are shown. User running the processes is root here. What happens if we search for all sshd processes for example on the host box?
As you can see only the container's processes are shown. User running the processes is root here. What happens if we search for all sshd processes for example on the host box?


</translate>
{{console|body=
{{console|body=
###i## <nowiki>ps aux|grep ssh
###i## <nowiki>ps aux|grep ssh
Line 317: Line 399:
###i##
###i##
}}
}}
<translate>


So as you can see, the sshd process is running under user with uid 100000 on the host machine and has a different PID.
So as you can see, the sshd process is running under user with uid 100000 on the host machine and has a different PID.


=== Basic actions with containers ===
=== Basic actions with containers ===
==== Listing containers ====
==== Listing containers ====
</translate>
{{console|body=
{{console|body=
###i##  lxc ls
###i##  lxc ls
Line 331: Line 419:
+-------+---------+-----------------------+------------------------------------------------+------------+-----------+
+-------+---------+-----------------------+------------------------------------------------+------------+-----------+
</nowiki>}}
</nowiki>}}
<translate>
lxc ls also accepts arguments as filters. For example lxc ls web will list all containers that have web in their name.
lxc ls also accepts arguments as filters. For example lxc ls web will list all containers that have web in their name.


==== Container details ====
==== Container details ====
</translate>
{{console|body=
{{console|body=
###i## lxc info c1
###i## lxc info c1
Line 370: Line 462:
       Packets sent: 0
       Packets sent: 0
}}
}}
<translate>


==== Container configuration ====
==== Container configuration ====
</translate>
{{console|body=
{{console|body=
###i##  lxc config edit c1
###i##  lxc config edit c1
Line 415: Line 511:
description: ""
description: ""
}}
}}
<translate>


One can also add environment variables.
One can also add environment variables.
</translate>
{{console|body=
{{console|body=
###i## lxc config set <container> environment.LANG en_US.UTF-8
###i## lxc config set <container> environment.LANG en_US.UTF-8
###i## lxc config set <container> environment.LC_COLLATE POSIX
###i## lxc config set <container> environment.LC_COLLATE POSIX
}}
}}
<translate>


=== Managing files ===
=== Managing files ===


=== Snapshots ===
=== Snapshots ===


=== Cloning, copying and moving containers ===
=== Cloning, copying and moving containers ===


=== Resource control ===
=== Resource control ===
LXD offers a variety of resource limits. Some of those are tied to the container itself, like memory quotas, CPU limits and I/O priorities. Some are tied to a particular device instead, like I/O bandwidth or disk usage limits.
LXD offers a variety of resource limits. Some of those are tied to the container itself, like memory quotas, CPU limits and I/O priorities. Some are tied to a particular device instead, like I/O bandwidth or disk usage limits.


Line 434: Line 538:


All limits can also be inherited through profiles in which case each affected container will be constrained by that limit. That is, if you set limits.memory=256MB in the default profile, every container using the default profile (typically all of them) will have a memory limit of 256MB.
All limits can also be inherited through profiles in which case each affected container will be constrained by that limit. That is, if you set limits.memory=256MB in the default profile, every container using the default profile (typically all of them) will have a memory limit of 256MB.


==== Disk ====
==== Disk ====
Setting a size limit on the container’s filesystem and have it enforced against the container. Right now LXD only supports disk limits if you’re using the ZFS or btrfs storage backend.
Setting a size limit on the container’s filesystem and have it enforced against the container. Right now LXD only supports disk limits if you’re using the ZFS or btrfs storage backend.


To set a disk limit (requires btrfs or ZFS):
To set a disk limit (requires btrfs or ZFS):


</translate>
{{console|body=
{{console|body=
###i## lxc config device set c1 root size 20GB
###i## lxc config device set c1 root size 20GB
}}
}}
<translate>


==== CPU ====
==== CPU ====
To just limit a container to any 2 CPUs, do:
To just limit a container to any 2 CPUs, do:


</translate>
{{console|body=
{{console|body=
###i## lxc config set c1 limits.cpu 2
###i## lxc config set c1 limits.cpu 2
}}
}}
<translate>


To pin to specific CPU cores, say the second and fourth:
To pin to specific CPU cores, say the second and fourth:


</translate>
{{console|body=
{{console|body=
###i## lxc config set c1 limits.cpu 1,3
###i## lxc config set c1 limits.cpu 1,3
}}
}}
<translate>


More complex pinning ranges like this works too:
More complex pinning ranges like this works too:


</translate>
{{console|body=
{{console|body=
###i## lxc config set c1 limits.cpu 0-3,7-11
###i## lxc config set c1 limits.cpu 0-3,7-11
}}
}}
<translate>


==== Memory ====
==== Memory ====
To apply a straightforward memory limit run:
To apply a straightforward memory limit run:


</translate>
{{console|body=
{{console|body=
###i## lxc config set c1 limits.memory 256MB
###i## lxc config set c1 limits.memory 256MB
}}
}}
<translate>


(The supported suffixes are kB, MB, GB, TB, PB and EB)
(The supported suffixes are kB, MB, GB, TB, PB and EB)
Line 474: Line 594:
To turn swap off for the container (defaults to enabled):
To turn swap off for the container (defaults to enabled):


</translate>
{{console|body=
{{console|body=
###i## lxc config set c1 limits.memory.swap false
###i## lxc config set c1 limits.memory.swap false
}}
}}
<translate>
To tell the kernel to swap this container’s memory first:
To tell the kernel to swap this container’s memory first:


</translate>
{{console|body=
{{console|body=
###i## lxc config set c1 limits.memory.swap.priority 0
###i## lxc config set c1 limits.memory.swap.priority 0
}}
}}
<translate>
And finally if you don’t want hard memory limit enforcement:
And finally if you don’t want hard memory limit enforcement:


</translate>
{{console|body=
{{console|body=
###i## lxc config set c1 limits.memory.enforce soft
###i## lxc config set c1 limits.memory.enforce soft
}}
}}
<translate>


==== Network ====
==== Network ====
==== Block I/O ====
==== Block I/O ====


=== Resource limits using profile - Funtoo Containers example ===
=== Resource limits using profile - Funtoo Containers example ===
So I am going to create 3 profiles to mimic the resource limits for current Funtoo Containers.  
So I am going to create 3 profiles to mimic the resource limits for current Funtoo Containers.  


</translate>
{{TableStart}}
{{TableStart}}
<translate>
<tr class="danger"><th>Price</th><th>RAM</th><th>CPU Threads</th><th>Disk Space</th><th>Sign Up</th></tr>
<tr class="danger"><th>Price</th><th>RAM</th><th>CPU Threads</th><th>Disk Space</th><th>Sign Up</th></tr>
<tr><td>'''$15/mo'''</td><td>4GB</td><td>6 CPU Threads</td><td>50GB</td><td>[https://funtoo.chargebee.com/hosted_pages/plans/container_small Sign Up! (small)]</td></tr>
<tr><td>'''$15/mo'''</td><td>4GB</td><td>6 CPU Threads</td><td>50GB</td><td>[https://funtoo.chargebee.com/hosted_pages/plans/container_small Sign Up! (small)]</td></tr>
<tr><td>'''$30/mo'''</td><td>12GB</td><td>12 CPU Threads</td><td>100GB</td><td>[https://funtoo.chargebee.com/hosted_pages/plans/container_medium Sign Up! (medium)]</td></tr>
<tr><td>'''$30/mo'''</td><td>12GB</td><td>12 CPU Threads</td><td>100GB</td><td>[https://funtoo.chargebee.com/hosted_pages/plans/container_medium Sign Up! (medium)]</td></tr>
<tr><td>'''$45/mo'''</td><td>48GB</td><td>24 CPU Threads</td><td>200GB</td><td>[https://funtoo.chargebee.com/hosted_pages/plans/container_large Sign Up! (large)]</td></tr>
<tr><td>'''$45/mo'''</td><td>48GB</td><td>24 CPU Threads</td><td>200GB</td><td>[https://funtoo.chargebee.com/hosted_pages/plans/container_large Sign Up! (large)]</td></tr>
</translate>
{{TableEnd}}
{{TableEnd}}
<translate>


I am going to create one profile and copy/edit it for the remaining two options.
I am going to create one profile and copy/edit it for the remaining two options.


</translate>
{{console|body=
{{console|body=
###i## lxc profile create res-small
###i## lxc profile create res-small
Line 527: Line 663:
###i## lxc profile device set res-large root size 200GB
###i## lxc profile device set res-large root size 200GB
}}
}}
<translate>
Now let's create a container and assign the res-small and funtoo profiles to it.
Now let's create a container and assign the res-small and funtoo profiles to it.
</translate>
{{console|body=
{{console|body=
###i## lxc init funtoo c-small
###i## lxc init funtoo c-small
Line 533: Line 671:
###i## lxc profile add c-small funtoo
###i## lxc profile add c-small funtoo
}}
}}
<translate>


=== Image manipulations ===
=== Image manipulations ===


=== Remote hosts ===
=== Remote hosts ===


== Running systemd container on a non-systemd host ==
== Running systemd container on a non-systemd host ==
To use systemd in the container, a recent enough (>=4.6) kernel version with support for cgroup namespaces is needed. Funtoo's openrc has the fix to mount systemd cgroups, which is sufficient to run systemd based distributions lxd containers.  
To use systemd in the container, a recent enough (>=4.6) kernel version with support for cgroup namespaces is needed. Funtoo's openrc has the fix to mount systemd cgroups, which is sufficient to run systemd based distributions lxd containers.  


If you want to get <code>systemd</code> hierarchy mounted automatically on system startup, using <code>/etc/fstab</code> will not work, but the  
If you want to get <code>systemd</code> hierarchy mounted automatically on system startup, using <code>/etc/fstab</code> will not work, but the  
{{Package|dev-libs/libcgroup}} can be used for this. First you needed to edit the <code>/etc/cgroup/cgconfig.conf</code> and add:
</translate>
{{Package|dev-libs/libcgroup}}
<translate> can be used for this. First you needed to edit the <code>/etc/cgroup/cgconfig.conf</code> and add:
</translate>
{{file|name=/etc/cgroup/cgconfig.conf|body=mount {
{{file|name=/etc/cgroup/cgconfig.conf|body=mount {
     "name=systemd" = /sys/fs/cgroup/systemd;
     "name=systemd" = /sys/fs/cgroup/systemd;
}
}
}}
}}
<translate>
Then you need to start the cgconfig daemon:
Then you need to start the cgconfig daemon:
</translate>
{{console|body=
{{console|body=
###i## rc-service cgconfig start
###i## rc-service cgconfig start
}}
}}
<translate>
The daemon can be started as needed, or automatically at system start by simply adding it to default group:
The daemon can be started as needed, or automatically at system start by simply adding it to default group:
</translate>
{{console|body=
{{console|body=
###i## rc-update add cgconfig default
###i## rc-update add cgconfig default
}}
}}
<translate>


<hr>
<hr>
<hr>
<hr>


== [[LXD/LXD in LXD|PART X - LXD in LXD]] ==
== [[LXD/Docker in LXD|PART Y - Docker in LXD]] ==


== [[LXD/FAQ|PART Z - LXD FAQ]] ==
== [[Special:MyLanguage/LXD/LXD in LXD|PART X - LXD in LXD]] ==
 
 
== [[Special:MyLanguage/LXD/Docker in LXD|PART Y - Docker in LXD]] ==
 
 
== [[Special:MyLanguage/LXD/FAQ|PART Z - LXD FAQ]] ==
 


== List of tested and working images ==
== List of tested and working images ==
These are images from the https://images.linuxcontainers.org repository available by default in lxd. You can  
These are images from the https://images.linuxcontainers.org repository available by default in lxd. You can  
list all available images by typing following command (beware the list is very long):
list all available images by typing following command (beware the list is very long):
</translate>
{{console|body=
{{console|body=
###i## lxc image list images:
###i## lxc image list images:
Line 599: Line 757:
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
</nowiki>}}
</nowiki>}}
<translate>


These are the images that are known to work with current LXD setup on Funtoo Linux:
These are the images that are known to work with current LXD setup on Funtoo Linux:
Line 663: Line 822:
| Ubuntu Trusty (14.04 LTS) - EOL 2019-04 || upstart || Working
| Ubuntu Trusty (14.04 LTS) - EOL 2019-04 || upstart || Working
|}
|}


== Features ==
== Features ==
Line 673: Line 833:
* Image based (no more distribution templates, only good, trusted images)
* Image based (no more distribution templates, only good, trusted images)
* Live migration
* Live migration


==== Unprivileged Containers ====
==== Unprivileged Containers ====
Line 689: Line 850:
* Setting up per-container maps
* Setting up per-container maps
* Punching holes into the map to expose host users and groups
* Punching holes into the map to expose host users and groups


=== Relationship with LXC ===
=== Relationship with LXC ===
LXD isn't a rewrite of LXC, in fact it's building on top of LXC to provide a new, better user experience. Under the hood, LXD uses LXC through liblxc and its Go binding
LXD isn't a rewrite of LXC, in fact it's building on top of LXC to provide a new, better user experience. Under the hood, LXD uses LXC through liblxc and its Go binding
to create and manage the containers.
to create and manage the containers.
Line 698: Line 861:
[[Category:Virtualization]]
[[Category:Virtualization]]
[[Category:Official Documentation]]
[[Category:Official Documentation]]
</translate>

Revision as of 15:16, October 4, 2019

Other languages:


Introduction

LXD is a container "hypervisor" designed to provide an easy set of tools to manage Linux containers, and its development is currently being led by employees at Canonical. You can learn more about the project in general at https://linuxcontainers.org/lxd/ .

LXD is currently used for container infrastructure for Funtoo Containers and is also very well-supported under Funtoo Linux. For this reason, it's recommended that you check out LXD and see what it can do for you.


Basic Setup on Funtoo

The following steps will show you how to set up a basic LXD environment under Funtoo Linux. This environment will essentially use the default LXD setup -- a will be created called lxdbr0 which will use NAT to provide Internet access to your containers. In addition, a default storage pool will be created that will simply use your existing filesystem's storage, creating a directory at /var/lib/lxd/storage-pools/default to store any containers you create. More sophisticated configurations are possible that use dedicated network bridges connected to physical interfaces without NAT, as well as dedicated storage pools that use ZFS and BTRFS -- however, these types of configurations are generally overkill for a developer workstation and should only be attempted by advanced users. So we won't cover them here.


Requirements

This section will guide you through setting up the basic requirements for creating an LXD environment.

The first step is to emerge LXD and its dependencies. Perform the following:

root # emerge -a lxd

Once LXD is done emerging, we will want to enable it to start by default:

root # rc-update add lxd default

In addition, we will want to set up the following files. /etc/security/limits.conf should be modified to have the following lines in it:

   /etc/security/limits.conf
*       soft    nofile  1048576
*       hard    nofile  1048576
root    soft    nofile  1048576
root    hard    nofile  1048576
*       soft    memlock unlimited
*       hard    memlock unlimited
# End of file

In addition, we will want to map a set of user ids and group ids to the root user so they are available for its use. Do this by creating the /etc/subuid and /etc/subgid files with the following identical contents:

   /etc/subuid
root:100000:1000000000
   /etc/subgid
root:100000:1000000000

At this point we are ready to initialize and start LXD.


Initialization

To configure LXD, first we will need to start LXD. This can be done as follows:

root # /etc/init.d/lxd start

At this point, we can run lxd init to run a configuration wizard to set up LXD:

root # lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: dir↵
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
root #

As you can see, we chose all the default 'except' for storage pool, where we opted for using a directory-based container storage rather than BTRFS. Now, we should be able to run lxc image list and get a response from the LXD daemon:

root # lxc image list
+-------+-------------+--------+-------------+------+------+-------------+
|
 ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+------+------+-------------+
root #

If you are able to do this, you have successfully set up the core parts of LXD! Note that we used the command lxc and not lxd like we did for lxd init -- from this point forward, you will use the lxc command. Don't let this confuse you -- the lxc command is the primary command-line tool for working with LXD containers.

Above, you can see that no images are installed. Images are installable snapshots of containers that we can use to create new containers ourselves. So, as a first step, let's go ahead and grab an image we can use. You will want to browse https://build.funtoo.org for an LXD image that will work on your computer hardware. For example, I was able to download the following file using wget:

root # wget https://build.funtoo.org/1.3-release-std/x86-64bit/intel64-skylake/lxd-intel64-skylake-1.3-release-std-2019-06-11.tar.xz

Once downloaded, this image can be installed using the following command:

root # lxc image import lxd-intel64-skylake-1.3-release-std-2019-06-11.tar.xz --alias funtoo
Image imported with fingerprint: fe4d27fb31bfaf3bd4f470e0ea43d26a6c05991de2a504b9e0a3b1a266dddc69

Now you will see the image available in our image list:

root # lxc image list
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
|
 ALIAS  | FINGERPRINT  | PUBLIC |                DESCRIPTION                 |  ARCH  |   SIZE   |         UPLOAD DATE          |
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
|
 funtoo | fe4d27fb31bf | no     | 1.3 Release Skylake 64bit [std] 2019-06-14 | x86_64 | 279.35MB | Jun 15, 2019 at 3:09am (UTC) |
+--------+--------------+--------+--------------------------------------------+--------+----------+------------------------------+
root #


First Containeer

It is now time to launch our first container. This can be done as follows:

root # lxc launch funtoo testcontainer
Creating testcontainer
Starting testcontainer

We can now see the container running via lxc list:

root # lxc list
+---------------+---------+------+-----------------------------------------------+------------+-----------+
|
     NAME      |  STATE  | IPV4 |                     IPV6                      |    TYPE    | SNAPSHOTS |
+---------------+---------+------+-----------------------------------------------+------------+-----------+
|
 testcontainer | RUNNING |      | fd42:8063:81cb:988c:216:3eff:fe2a:f901 (eth0) | PERSISTENT |           |
+---------------+---------+------+-----------------------------------------------+------------+-----------+
root #

By default, our new container testcontainer will use the default profile, which will connect an eth0 interface in the container to NAT, and will also use our directory-based LXD storage pool. We can now enter the container as follows:

root # lxc exec testcontainer -- su --login
testcontainer #

As you might have noticed, we do not yet have any IPv4 networking configured. While LXD has set up a bridge and NAT for us, along with a DHCP server to query, we actually need to use dhcpcd to query for an IP address, so let's get that set up:

testcontainer # echo "template=dhcpcd" > /etc/conf.d/netif.eth0
testcontainer # cd /etc/init.d
testcontainer # ln -s netif.tmpl netif.eth0
testcontainer # rc-update add netif.eth0 default
 * service netif.eth0 added to runlevel default
testcontainer # rc
 * rc is deprecated, please use openrc instead.
 * Caching service dependencies ...                             [ ok ]
 * Starting DHCP Client Daemon ...                              [ ok ]
 * Network dhcpcd eth0 up ...                                   [ ok ]
testcontainer # 

You can now see that eth0 has a valid IPv4 address:

testcontainer # ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.212.194.17  netmask 255.255.255.0  broadcast 10.212.194.255
        inet6 fd42:8063:81cb:988c:25ea:b5bd:603d:8b0d  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::216:3eff:fe2a:f901  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:2a:f9:01  txqueuelen 1000  (Ethernet)
        RX packets 45  bytes 5385 (5.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20  bytes 2232 (2.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Time to have some fun!

testcontainer # ego sync


Another Nice LXD Administration Tutorial

This section contains another nice LXD tutorial that can be used to learn more about profiles and other features of LXD.


Terminology

Container snapshots as the name states snapshots of the container in time and cannot be modified in any way. It is worth noting that because snapshots can store the container runtime state, which gives us ability of “stateful” snapshots. That is, the ability to rollback the container including its cpu and memory state at the time of the snapshot.

LXD is image based, all LXD containers come from an image. Images are typically clean Linux distribution images similar to what you would use for a virtual machine or cloud instance. It is possible to “publish” a container, making an image from it which can then be used by the local or remote LXD hosts.


Our first image

Let's get our hands even more dirty and create our first image. We will be using a generic 64 bit Funtoo Linux image.

   Note

The Funtoo's default build host is building only westmere stage for now.

Grab the image here: https://build.funtoo.org/funtoo-current/x86-64bit/intel64-westmere/lxd-latest.tar.xz

Grab also the hash file: https://build.funtoo.org/funtoo-current/x86-64bit/intel64-westmere/lxd-latest.tar.xz.hash.txt

   Tip

Check the hash of the downloaded file against the one from server. Proceed if they match.


Import the image

After we have successfully downloaded the archive we can now finally import it into LXD and start using it as our "seed" image for all our containers.

root # lxc image import lxd-latest.tar.xz --alias funtoo
Image imported with fingerprint: 6c2ca3af0222d503656f5a1838885f1b9b6aed2c1994f1d7ef94e2efcb7233c4
root # lxc image ls
+--------+--------------+--------+------------------------------------+--------+----------+-----------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |            DESCRIPTION             |  ARCH  |   SIZE   |         UPLOAD DATE         |
+--------+--------------+--------+------------------------------------+--------+----------+-----------------------------+
| funtoo | 6c2ca3af0222 | no     | Funtoo Current Generic Pure 64-bit | x86_64 |227.99MB  | Dec 13, 2017 at 11:01pm (UTC)  |
+--------+--------------+--------+------------------------------------+--------+----------+-----------------------------+

And there we have our very first Funtoo Linux image imported inside LXD. You can reference the image through the alias or through the fingerprint. Aliases can be added also later.

Let me show you some basic usage then.


Creating your first container

So now we can launch our first container. That is done using this command:

root # lxc launch funtoo fun-1
Creating fun-1
Starting fun-1
root #  lxc ls
+-------+---------+------+-----------------------------------------------+------------+-----------+
| NAME  |  STATE  | IPV4 |                     IPV6                      |    TYPE    | SNAPSHOTS |
+-------+---------+------+-----------------------------------------------+------------+-----------+
| fun-1 | RUNNING |      | fd42:156d:4593:a619:216:3eff:fef7:c1c2 (eth0) | PERSISTENT | 0         |
+-------+---------+------+-----------------------------------------------+------------+-----------+
   Tip

lxc launch is a shortcut for lxc init and lxc start, lxc init creates the container without starting it.


Profiles intermezzo

LXD has the ability to change quite a few container settings, including resource limitation, control of container startup and a variety of device pass-through options using what is called profiles. Multiple profiles can be applied to a single container, and the last profile overrides the other ones it the resources being configured is the same for multiple profiles. Let me show you how can this be used.

This is the default profile that gets inherited by all containers.

root # lxc profile list
+---------+---------+
|  NAME   | USED BY |
+---------+---------+
| default | 1       |
+---------+---------+

root #  lxc profile show default
config: {}
description: Default LXD profile
devices:
  eth0:
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: default
used_by:
- /1.0/containers/fun-1

Now let's edit this profile for our funtoo containers. It will include some useful stuff.

root # lxc profile set default raw.lxc "lxc.mount.entry = none dev/shm tmpfs rw,nosuid,nodev,create=dir"
root # lxc profile set default environment.LANG "en_US.UTF-8"
root # lxc profile set default environment.LC_ALL "en_US.UTF-8"
root # lxc profile set default environment.LC_COLLATE "POSIX"

Profiles can store any configuration that a container can (key/value or devices) and any number of profiles can be applied to a container. Profiles are applied in the order they are specified so the last profile to specify a specific key wins. In any case, resource-specific configuration always overrides that coming from the profiles.

The default profile is set for any new container created which doesn't specify a different profiles list.

   Note

LXD supports simple instance types. Those are represented as a string which can be passed at container creation time. containers.md#instance-types


Using our first container

After we have done all these customizations we can now start using our container. The next command will give us shell inside the container.

root # lxc exec fun-1 bash

Now you should see a different prompt starting with

fun-1 ~ #

If we run top or ps for example we will see only the processes of the container.

fun-1 ~ # ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   4248   748 ?        Ss+  13:20   0:00 init [3]
root       266  0.0  0.0  30488   472 ?        Ss   13:20   0:00 /usr/sbin/sshd
root       312  0.2  0.0  17996  3416 ?        Ss   13:29   0:00 bash
root       317  0.0  0.0  19200  2260 ?        R+   13:29   0:00 ps aux

As you can see only the container's processes are shown. User running the processes is root here. What happens if we search for all sshd processes for example on the host box?

root # ps aux|grep ssh
root     14505  0.0  0.0  30564  1508 ?        Ss   Sep07   0:00 /usr/sbin/sshd   
100000   25863  0.0  0.0  30488   472 ?        Ss   15:20   0:00 /usr/sbin/sshd   
root     29487  0.0  0.0   8324   828 pts/2    S+   15:30   0:00 grep --colour=auto sshd
root #

So as you can see, the sshd process is running under user with uid 100000 on the host machine and has a different PID.


Basic actions with containers

Listing containers

root #  lxc ls
+-------+---------+-----------------------+------------------------------------------------+------------+-----------+
| NAME  |  STATE  |         IPV4          |                      IPV6                      |    TYPE    | SNAPSHOTS |
+-------+---------+-----------------------+------------------------------------------------+------------+-----------+
| fun-1 | RUNNING | 10.214.101.187 (eth0) | fd42:156d:4593:a619:a5ad:edaf:7270:e6c4 (eth0) | PERSISTENT | 0         |
|       |         |                       | fd42:156d:4593:a619:216:3eff:fef7:c1c2 (eth0)  |            |           |
+-------+---------+-----------------------+------------------------------------------------+------------+-----------+

lxc ls also accepts arguments as filters. For example lxc ls web will list all containers that have web in their name.


Container details

root # lxc info c1
Name: c1
Remote: unix://
Architecture: x86_64
Created: 2017/09/08 02:07 UTC
Status: Running
Type: persistent
Profiles: default, prf-funtoo
Pid: 6366
Ips:
  eth0: inet    10.214.101.79   vethFG4HXG
  eth0: inet6   fd42:156d:4593:a619:8619:546e:43f:2089  vethFG4HXG
  eth0: inet6   fd42:156d:4593:a619:216:3eff:fe4a:3d4f  vethFG4HXG
  eth0: inet6   fe80::216:3eff:fe4a:3d4f        vethFG4HXG
  lo:   inet    127.0.0.1
  lo:   inet6   ::1
Resources:
  Processes: 6
  CPU usage:
    CPU usage (in seconds): 25
  Memory usage:
    Memory (current): 69.01MB
    Memory (peak): 258.92MB
  Network usage:
    eth0:
      Bytes received: 83.65kB
      Bytes sent: 9.44kB
      Packets received: 188
      Packets sent: 93
    lo:
      Bytes received: 0B
      Bytes sent: 0B
      Packets received: 0
      Packets sent: 0


Container configuration

root #  lxc config edit c1
root ### This is a yaml representation of the configuration.
root ### Any line starting with a '# will be ignored.
root ###
root ### A sample configuration looks like:
root ### name: container1
root ### profiles:
root ### - default
root ### config:
root ###   volatile.eth0.hwaddr: 00:16:3e:e9:f8:7f
root ### devices:
root ###   homedir:
root ###     path: /extra
root ###     source: /home/user
root ###     type: disk
root ### ephemeral: false
root ###
root ### Note that the name is shown but cannot be changed

architecture: x86_64
config:
  image.architecture: x86_64
  image.description: Funtoo Current Generic Pure 64-bit
  image.name: funtoo-generic_64-pure64-funtoo-current-2016-12-10
  image.os: funtoo
  image.release: "1.0"
  image.variant: current
  volatile.base_image: e279c16d1a801b2bd1698df95e148e0a968846835f4769b24988f2eb3700100f
  volatile.eth0.hwaddr: 00:16:3e:4a:3d:4f
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
devices: {}
ephemeral: false
profiles:
- default
- prf-funtoo
stateful: false
description: ""

One can also add environment variables.

root # lxc config set <container> environment.LANG en_US.UTF-8
root # lxc config set <container> environment.LC_COLLATE POSIX


Managing files

Snapshots

Cloning, copying and moving containers

Resource control

LXD offers a variety of resource limits. Some of those are tied to the container itself, like memory quotas, CPU limits and I/O priorities. Some are tied to a particular device instead, like I/O bandwidth or disk usage limits.

As with all LXD configuration, resource limits can be dynamically changed while the container is running. Some may fail to apply, for example if setting a memory value smaller than the current memory usage, but LXD will try anyway and report back on failure.

All limits can also be inherited through profiles in which case each affected container will be constrained by that limit. That is, if you set limits.memory=256MB in the default profile, every container using the default profile (typically all of them) will have a memory limit of 256MB.


Disk

Setting a size limit on the container’s filesystem and have it enforced against the container. Right now LXD only supports disk limits if you’re using the ZFS or btrfs storage backend.

To set a disk limit (requires btrfs or ZFS):

root # lxc config device set c1 root size 20GB


CPU

To just limit a container to any 2 CPUs, do:

root # lxc config set c1 limits.cpu 2

To pin to specific CPU cores, say the second and fourth:

root # lxc config set c1 limits.cpu 1,3

More complex pinning ranges like this works too:

root # lxc config set c1 limits.cpu 0-3,7-11


Memory

To apply a straightforward memory limit run:

root # lxc config set c1 limits.memory 256MB

(The supported suffixes are kB, MB, GB, TB, PB and EB)

To turn swap off for the container (defaults to enabled):

root # lxc config set c1 limits.memory.swap false

To tell the kernel to swap this container’s memory first:

root # lxc config set c1 limits.memory.swap.priority 0

And finally if you don’t want hard memory limit enforcement:

root # lxc config set c1 limits.memory.enforce soft


Network

Block I/O

Resource limits using profile - Funtoo Containers example

So I am going to create 3 profiles to mimic the resource limits for current Funtoo Containers.

PriceRAMCPU ThreadsDisk SpaceSign Up
$15/mo4GB6 CPU Threads50GBSign Up! (small)
$30/mo12GB12 CPU Threads100GBSign Up! (medium)
$45/mo48GB24 CPU Threads200GBSign Up! (large)

I am going to create one profile and copy/edit it for the remaining two options.

root # lxc profile create res-small
root # lxc profile edit res-small
config:
  limits.cpu: "6"
  limits.memory: 4GB
description: Small Variant of Funtoo Containers
devices:
  root:
    path: /
    pool: default
    size: 50GB
    type: disk
name: small
used_by: []
root # lxc profile copy res-small res-medium
root # lxc profile copy res-small res-large
root # lxc profile set res-medium limits.cpu 12
root # lxc profile set res-medium limits.memory 12GB
root # lxc profile device set res-medium root size 100GB
root # lxc profile set res-large limits.cpu 24
root # lxc profile set res-large limits.memory 48GB
root # lxc profile device set res-large root size 200GB

Now let's create a container and assign the res-small and funtoo profiles to it.

root # lxc init funtoo c-small
root # lxc profile assign c-small res-small
root # lxc profile add c-small funtoo


Image manipulations

Remote hosts

Running systemd container on a non-systemd host

To use systemd in the container, a recent enough (>=4.6) kernel version with support for cgroup namespaces is needed. Funtoo's openrc has the fix to mount systemd cgroups, which is sufficient to run systemd based distributions lxd containers.

If you want to get systemd hierarchy mounted automatically on system startup, using /etc/fstab will not work, but the No results

can be used for this. First you needed to edit the /etc/cgroup/cgconfig.conf and add:
   /etc/cgroup/cgconfig.conf
mount {
    "name=systemd" = /sys/fs/cgroup/systemd;
}

Then you need to start the cgconfig daemon:

root # rc-service cgconfig start

The daemon can be started as needed, or automatically at system start by simply adding it to default group:

root # rc-update add cgconfig default



PART X - LXD in LXD

PART Y - Docker in LXD

PART Z - LXD FAQ

List of tested and working images

These are images from the https://images.linuxcontainers.org repository available by default in lxd. You can list all available images by typing following command (beware the list is very long):

root # lxc image list images:
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
|              ALIAS              | FINGERPRINT  | PUBLIC |               DESCRIPTION                |  ARCH   |   SIZE   |          UPLOAD DATE          |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
| alpine/3.3 (3 more)             | ef69c8dc37f6 | yes    | Alpine 3.3 amd64 (20171018_17:50)        | x86_64  | 2.00MB   | Oct 18, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
| alpine/3.3/armhf (1 more)       | 5ce4c80edcf3 | yes    | Alpine 3.3 armhf (20170103_17:50)        | armv7l  | 1.53MB   | Jan 3, 2017 at 12:00am (UTC)  |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
| alpine/3.3/i386 (1 more)        | cd1700cb7c97 | yes    | Alpine 3.3 i386 (20171018_17:50)         | i686    | 1.84MB   | Oct 18, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
| alpine/3.4 (3 more)             | bd4f1ccfabb5 | yes    | Alpine 3.4 amd64 (20171018_17:50)        | x86_64  | 2.04MB   | Oct 18, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
| alpine/3.4/armhf (1 more)       | 9fe7c201924c | yes    | Alpine 3.4 armhf (20170111_20:27)        | armv7l  | 1.58MB   | Jan 11, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
| alpine/3.4/i386 (1 more)        | 188a31315773 | yes    | Alpine 3.4 i386 (20171018_17:50)         | i686    | 1.88MB   | Oct 18, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
| alpine/3.5 (3 more)             | 63bebc672163 | yes    | Alpine 3.5 amd64 (20171018_17:50)        | x86_64  | 1.70MB   | Oct 18, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
| alpine/3.5/i386 (1 more)        | 48045e297515 | yes    | Alpine 3.5 i386 (20171018_17:50)         | i686    | 1.73MB   | Oct 18, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
...
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
|                                 | fd95a7a754a0 | yes    | Alpine 3.5 amd64 (20171016_17:50)        | x86_64  | 1.70MB   | Oct 16, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
|                                 | fef66668f5a2 | yes    | Debian stretch arm64 (20171016_22:42)    | aarch64 | 96.56MB  | Oct 16, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
|                                 | ff18aa2c11d7 | yes    | Opensuse 42.3 amd64 (20171017_00:53)     | x86_64  | 58.92MB  | Oct 17, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+
|                                 | ff4ef0d824b6 | yes    | Ubuntu zesty s390x (20171017_03:49)      | s390x   | 86.88MB  | Oct 17, 2017 at 12:00am (UTC) |
+---------------------------------+--------------+--------+------------------------------------------+---------+----------+-------------------------------+

These are the images that are known to work with current LXD setup on Funtoo Linux:

Image Init Status
CentOS 7 systemd Working
Debian Jessie (8) - EOL April/May 2020 systemd Working (systemd - no failed units)
Debian Stretch (9) - EOL June 2022 systemd Working
Fedora 26 systemd with cgroup v2 Not Working
Fedora 25 systemd Working
Fedora 24 systemd Working
Oracle 7 systemd Working (systemd - no failed units)
OpenSUSE 42.2 systemd Working
OpenSUSE 42.3 systemd Working
Ubuntu Xenial (16.04 LTS) - EOL 2021-04 systemd Working
Ubuntu Zesty (17.04) - EOL 2018-01 systemd Working
Alpine 3.3 OpenRC Working
Alpine 3.4 OpenRC Working
Alpine 3.5 OpenRC Working
Alpine 3.6 OpenRC Working
Alpine Edge OpenRC Working
Archlinux systemd with cgroup v2 Not Working
CentOS 6 upstart Working (systemd - no failed units)
Debian Buster systemd with cgroup v2 Not Working
Debian Sid systemd with cgroup v2 Not working
Debian Wheezy (7) - EOL May 2018 ? ? (more testing needed)
Gentoo OpenRC Working (all services started)
Oracle 6 upstart ? (mount outputs nothing)
Plamo 5 ? ?
Plamo 6 ? ?
Sabayon systemd with cgroup v2 Not Working
Ubuntu Artful (17.10) - EOL 2018-07 systemd with cgroup v2 Not Working
Ubuntu Core 16 ? ?
Ubuntu Trusty (14.04 LTS) - EOL 2019-04 upstart Working


Features

Some of the biggest features of LXD are:

  • Secure by design (unprivileged containers, resource restrictions and much more)
  • Scalable (from containers on your laptop to thousand of compute nodes)
  • Intuitive (simple, clear API and crisp command line experience)
  • Image based (no more distribution templates, only good, trusted images)
  • Live migration


Unprivileged Containers

LXD uses unprivileged containers by default. The difference between an unprivileged container and a privileged one is whether the root user in the container is the “real” root user (uid 0 at the kernel level).

The way unprivileged containers are created is by taking a set of normal UIDs and GIDs from the host, usually at least 65536 of each (to be POSIX compliant) and mapping those into the container.

The most common example and what most LXD users will end up with by default is a map of 65536 UIDs and GIDs, with a host base id of 100000. This means that root in the container (uid 0) will be mapped to the host uid 100000 and uid 65535 in the container will be mapped to uid 165535 on the host. UID/GID 65536 and higher in the container aren’t mapped and will return an error if you attempt to use them.

From a security point of view, that means that anything which is not owned by the users and groups mapped into the container will be inaccessible. Any such resource will show up as being owned by uid/gid “-1” (rendered as 65534 or nobody/nogroup in userspace). It also means that should there be a way to escape the container, even root in the container would find itself with just as much privileges on the host as a nobody user.

LXD does offer a number of options related to unprivileged configuration:

  • Increasing the size of the default uid/gid map
  • Setting up per-container maps
  • Punching holes into the map to expose host users and groups


Relationship with LXC

LXD isn't a rewrite of LXC, in fact it's building on top of LXC to provide a new, better user experience. Under the hood, LXD uses LXC through liblxc and its Go binding to create and manage the containers.

It's basically an alternative to LXC's tools and distribution template system with the added features that come from being controllable over the network.