New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Any good actual tutorial for LXC / LXD ?
Hello,
Please help we with good tutorial for LXC or LXD (what to choose?) containers?
I'm under debian 12 and want to start debian 11 under container (with networking).
P.S. I'm right that I should do everything with ssh at container, download&upload files into it and everything else?
What is debian 12 default for networking for containers. I see veth and bridge. This is bridge to local only or it will have access to internet by default? If no, how to give access to internet and at the same time have ssh access from the system?
Comments
Have you tried searching around the web for a tutorial?
Yes, all tutorials not covering everything and outdated.
I found that it's easy to start privileged containers and now understand how to do that, but tutorial for unprivileged does not work...
Is it big issue if I will run privileged container in production?
LXC is quite clunky when you want to do it by hand. I did it once and wasn't impressed at all. At least to me all the additional steps are enough to justify the overhead to simply use qemu.
LXD by default has unprivileged containers.
You have to tell it to run them privileged.
Keep in mind, LXD is just a wrapper to make stuff easier around LXC.
LXC has be configured to run unprivileged containers.
Now, I'm looking at LXD, because not really impressed about LXC as @totally_not_banned said... Will also look at qemu, never used it before
update. seems qemu is something like KVM. As I'm already under KVM, it's bit overhead. Will try LXD...
How to check this?
Check the documentation, that explains all of this.
Even with examples.
Even with examples.
Lol, reading.... zero mentioned how to check this. Only said that default is unprivileged. I will trust and use root as default user at container. Hope it's really safe
If you manage to break out of a container, which is unprivileged, you won't gain root, it used to be with OVZ.
However, as LXD runs them by default as unprivileged, if you somehow manage to break out, you run as a user, not as root.
If you keep your kernel up to date, e.g live patch, which I do on microLXC, the attacker has a really slim chance to escalate the privileges to root.
I'm doing the clunky thing on every server.
I wrote down the steps so that I don't have the re-figure out every time.
With QEMU, each guest needs to have its own RAM allocation.
With LXC, each container can use all the memory available on the host.
I consider this a benefit as long as it's me using all the containers.
microLXC zero day in 3…2…
How do you do the backups? I have rsync on cronjob that does a hot pass with the container running, then a cold pass with the container stopped. Tiny downtime. Maybe ZFS could reduce downtime further, but it sucks on linux.
There's no container level backup.
If a KVM server is lost or a container is deleted by mistake, I re-deploy from source code.
HnR on private trackers is a crash away.
With LXD I see
lxc snapshot
command, but don't know how it work.Yes, I read that, but the question was how to confirm that it's really running unprivileged. BTW, I already found that 1 of two
lxd
processes running under some random numerical user. Maybe this is it.If you just want to use it for convenience and want to use debian. I think you should choose to install PVE 8, for LXC everything - templates, network configurations and backups are available out of the box.
You can even install PVE8 directly from debian12.
lxc config get container-name security.privileged
Will return true or false.
lxc list security.privileged=true
Will list all privileged containers.
lxc config set container-name security.privileged true
Will turn an unprivileged container into privileged one (can also do the opposite with false)
Thanks, will google for review
root@xxx:~# lxc config get explorer security.privileged
root@xxx:~# lxc list security.privileged=true
+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+
root@xxx:~# lxc list security.privileged=false
+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+
return nothing, but hope that if it's not at config then it's really unprivileged by default
Fighting with connection to daemon that listen at 127.0.0.1:2307 port at host from LXD container. Am I right that lxd proxy (eg. lxc profile device add containername proxy-2307 proxy listen=tcp:0.0.0.0:2307 connect=tcp:127.0.0.1:2307 ) will not help and it open container port for connection from the host, not the reverse direction?
In other words, I want to connect from application at container to host opened port by another daemon.
How to make it work? Also tried to connect to default gateway ip, but zero success...
Maybe it's not possible to connect to host loopback from container? Should I bind the host daemon to other interface? lxdbr0?