[libvirt-users] LXC container driver

Dear all,

I am slowly building an Arch Linux VM guest on my Arch Linux host. The guest machine is now built and is recognized, as shown by this command:

gabx@hortensia ➤➤ ~ % machinectl list
MACHINE CONTAINER SERVICE
dahlia  container nspawn
1 machines listed.

I am following the libvirt.org documentation. Now, according to this page[1] about the LXC driver, I am dealing with namespace requirements. This sentence, in bold, puzzles me:

A suitably configured UID/GID mapping is a pre-requisite to making containers secure, in the absence of sVirt confinement.

If I understand what a namespace is, I have no idea how to make sure my UID/GID mapping is well configured. I would appreciate having any hints about this part of the settings.

Another question: is there any advantage/disadvantage to using the LXC userspace tools[2] instead of libvirt to manage these namespaces?

Thank you for your help.

[1] http://libvirt.org/drvlxc.html
[2] http://linuxcontainers.org/

On Wed, Feb 12, 2014 at 12:51:10PM +0100, arnaud gaboury wrote:
Dear all,
I am slowly building an Arch Linux VM guest on my Arch Linux host.
The guest machine is now built and is recognized, as shown by this command:
gabx@hortensia ➤➤ ~ % machinectl list
MACHINE CONTAINER SERVICE
dahlia  container nspawn
1 machines listed.
I am following the libvirt.org documentation. Now, according to this page[1] about the LXC driver, I am dealing with namespace requirements. This sentence, in bold, puzzles me:
A suitably configured UID/GID mapping is a pre-requisite to making containers secure, in the absence of sVirt confinement.
If I understand what a namespace is, I have no idea how to make sure my UID/GID mapping is well configured. I would appreciate having any hints about this part of the settings.

Basically this means that uid == 0 in the container has the same access as uid == 0 in the host. So if the container can see sysfs, for example, it would be able to write to any files owned by uid == 0, which is clearly not what you want a container to be able to do :-)

To avoid this you must set up a UID+GID mapping in the container using the <idmap> syntax, and also make sure that the filesystem you give to the container has corresponding changes. E.g. if you set the XML to remap container uid == 0 to uid == 3000 on the host, then the container's filesystem must also use uid == 3000 for any files that are intended to be accessible to root in the container. Likewise for other uids beyond root.

http://libvirt.org/formatdomain.html#elementsOSContainer

NB user namespaces are a fairly new piece of functionality that is still somewhat rough around the edges. You usually want to have the most recent kernel.org stable kernel available when using this.
Another question: is there any advantage/disadvantage to using the LXC userspace tools[2] instead of libvirt to manage these namespaces?

They are broadly speaking functionally equivalent, but using libvirt gives you all the usual benefits libvirt has: stable API, accessible from multiple programming languages, stable configuration, integration with other apps using libvirt. E.g. you can use virt-top to monitor things or virt-manager as a GUI frontend, etc, etc.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
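The <idmap> that Daniel's reply points to, and the matching ownership shift of the container rootfs, as an added worked example. This is not code from the thread or from libvirt; it assumes the mapping used in the reply (container ids 0..65535 mapped onto host ids starting at 3000, so container root is host uid/gid 3000), builds the <idmap> element in the form documented at http://libvirt.org/formatdomain.html#elementsOSContainer, reads the kernel's /proc/<pid>/uid_map format to check what a container id really is on the host, and plans (without applying) the chown of the rootfs. The sample uid_map lines in the test are constructed.

```python
"""Added example, not code from the thread or from libvirt: build the libvirt LXC
<idmap>, translate container ids to the host ids the kernel enforces, and plan the
matching ownership shift of the container rootfs.

Assumption (constructed for this example): container ids 0..65535 map to host ids
3000..68535, i.e. container root == host uid/gid 3000, as in Daniel's reply.
"""
import os
import sys
import xml.etree.ElementTree as ET

ID_START, ID_TARGET, ID_COUNT = 0, 3000, 65536
OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid shown for unmapped ids


def idmap_xml(start=ID_START, target=ID_TARGET, count=ID_COUNT):
    """Return the <idmap> element to place under <domain> in the LXC domain XML."""
    idmap = ET.Element("idmap")
    for tag in ("uid", "gid"):
        ET.SubElement(idmap, tag, start=str(start), target=str(target), count=str(count))
    return ET.tostring(idmap, encoding="unicode")


def parse_id_map(text):
    """Parse /proc/<pid>/uid_map or gid_map: one '<ns start> <host start> <count>' per line.
    Without a user namespace the file reads '0 0 4294967295': container root == host root."""
    return [tuple(int(field) for field in line.split()) for line in text.strip().splitlines()]


def host_id(entries, ns_id):
    """Translate an id seen inside the container to the host id the kernel checks.
    Ids that no entry covers are squashed to the overflow id."""
    for ns_start, host_start, count in entries:
        if ns_start <= ns_id < ns_start + count:
            return host_start + (ns_id - ns_start)
    return OVERFLOW_ID


def is_confined(entries):
    """True only if container root does not land on host uid 0 (the unsafe default)."""
    return host_id(entries, 0) != 0


def shift_owner(uid, gid, start=ID_START, target=ID_TARGET, count=ID_COUNT):
    """Host ownership a rootfs inode needs so the container sees its original uid/gid.
    Returns None when an id is outside the mapped range (already shifted or unmappable)."""
    if not (start <= uid < start + count and start <= gid < start + count):
        return None
    return target + (uid - start), target + (gid - start)


def plan_rootfs_shift(rootfs, **mapping):
    """Walk rootfs without following symlinks and return (plan, skipped), where plan
    holds (path, uid, gid, new_uid, new_gid) tuples. Nothing is changed here."""
    plan, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(rootfs):
        # dirpath itself, its files, and symlinks to directories (os.walk does not descend into them)
        names = [""] + filenames + [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in names:
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            new = shift_owner(st.st_uid, st.st_gid, **mapping)
            if new is None:
                skipped.append(path)
            else:
                plan.append((path, st.st_uid, st.st_gid, new[0], new[1]))
    return plan, skipped


def apply_shift(plan):
    """Apply a plan from plan_rootfs_shift; needs CAP_CHOWN on the host. lchown keeps
    symlinks themselves, rather than their targets, within the rootfs."""
    for path, _, _, new_uid, new_gid in plan:
        os.lchown(path, new_uid, new_gid)


if __name__ == "__main__":
    print(idmap_xml())
    if len(sys.argv) > 1:
        plan, skipped = plan_rootfs_shift(sys.argv[1])
        for path, uid, gid, new_uid, new_gid in plan:
            print(f"{path}: {uid}:{gid} -> {new_uid}:{new_gid}")
        print(f"{len(plan)} inodes to shift, {len(skipped)} skipped", file=sys.stderr)
```

Run it with the rootfs path as argument to review the plan before chowning anything; after the container is up, feeding `cat /proc/<init pid>/uid_map` to `parse_id_map` and `is_confined` tells you whether container root really landed on host uid 3000 or is still host root.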

NB user namespaces are a fairly new piece of functionality that is still somewhat rough around the edges. You usually want to have the most recent kernel.org stable kernel available when using this.

Yes, I confirm it is a little bit touchy for me.
gabx@hortensia ➤➤ ~ % uname -a
Linux hortensia 3.12.9-2-ARCH #1 SMP PREEMPT Fri Jan 31 10:22:54 CET 2014 x86_64 GNU/Linux
I do think my kernel is not too old.
They are broadly speaking functionally equivalent, but using libvirt gives you all the usual benefits libvirt has: stable API, accessible from multiple programming languages, stable configuration, integration with other apps using libvirt. E.g. you can use virt-top to monitor things or virt-manager as a GUI frontend, etc, etc.
Ok, I understand and it is the reason why I decided to stay away from LXC. So, even if it is less user-friendly, I will keep libvirt, as in the past it gave me full satisfaction, the mailing-list tool included :-)

I am totally lost in this UID/GID mapping. Maybe all this stuff is just beyond my competence.

For now, I am writing a basic mydomain.xml file following these 3 wikis:
LXC container from libvirt.org[1]
Linux containers guide from Red Hat 7[2]
Getting started with LXC from P. Berrange[3]

This is the basic .xml file:

<domain type='lxc'>
  <name>dahlia</name>
  <memory>409600</memory>
  <os>
    <type arch='x86_64'>exec</type>
    <init>/bin/init</init>
    <vcpu>4</vcpu>
  </os>
  <devices>
    <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
    <console type='pty'/>
  </devices>
</domain>

* <init>: systemd is default and PID 1 is init on my Arch box
* <emulator>: it is the path on Arch

Unfortunately:

gabx@hortensia ➤➤ /drawer/vm # virsh define dahlia.xml
error: Failed to define domain from dahlia.xml
error: internal error: unexpected domain type lxc, expecting one of these: qemu, kqemu, kvm, xen

What is wrong?

[1] http://libvirt.org/drvlxc.html
[2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
[3] https://www.berrange.com/posts/2011/09/27/getting-started-with-lxc-using-lib...

On Wed, Feb 12, 2014 at 03:21:18PM +0100, arnaud gaboury wrote:
I am totally lost in this UID/GID mapping. Maybe all this stuff is just beyond my competence.
For now, I am writing a basic mydomain.xml file following these 3 wikis:
LXC container from libvirt.org[1]
Linux containers guide from Red Hat 7[2]
Getting started with LXC from P. Berrange[3]
This is the basic .xml file:

<domain type='lxc'>
  <name>dahlia</name>
  <memory>409600</memory>
  <os>
    <type arch='x86_64'>exec</type>

NB, you want 'exe' not 'exec'

    <init>/bin/init</init>
    <vcpu>4</vcpu>
  </os>
  <devices>
    <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
    <console type='pty'/>
  </devices>
</domain>

* <init>: systemd is default and PID 1 is init on my Arch box
* <emulator>: it is the path on Arch

Unfortunately:
gabx@hortensia ➤➤ /drawer/vm # virsh define dahlia.xml
error: Failed to define domain from dahlia.xml
error: internal error: unexpected domain type lxc, expecting one of these: qemu, kqemu, kvm, xen
What is wrong?

You didn't specify any URI for the hypervisor, so libvirt will have guessed one. From the error it sounds like it guessed QEMU instead of LXC. Either use virsh -c lxc:///, or set LIBVIRT_DEFAULT_URI=lxc:///, or edit your libvirt.conf to set a default:

http://libvirt.org/uri.html#URI_libvirt

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

You didn't specify any URI for the hypervisor, so libvirt will have guessed one. From the error it sounds like it guessed QEMU instead of LXC. Either use virsh -c lxc:///, or set LIBVIRT_DEFAULT_URI=lxc:///, or edit your libvirt.conf to set a default.

I am getting very tired :-(

1- libvirt was NOT installed on my Arch box !! Shame on me
2- edited libvirt.conf: uri_default = "lxc:///"
3- edited dahlia.xml as it has a typo: exec instead of exe in the os section

Result:

gabx@hortensia ➤➤ /drawer/vm # virsh define dahlia.xml
Domain dahlia defined from dahlia.xml

Now I have to read more about all this UID/GID mapping story, or get more sleep maybe.

TY so much Daniel for your help
participants (2)
-
arnaud gaboury
-
Daniel P. Berrange