LXD
LXD is a container "hypervisor" and a new user experience for Linux Containers.
Setup
Required software
Install LXC and the lxdAUR package, then start lxd.service.
Verify that the running kernel is properly configured to run a container:
$ lxc-checkconfig
Due to security concerns, the default Arch kernel does not ship with the ability to run containers as an unprivileged user. LXD however needs this ability to run. You can either build a kernel yourself that has CONFIG_USER_NS enabled, or use linux-usernsAUR or linux-lts-usernsAUR from the AUR.
Sub{u,g}id configuration
You will need sub{u,g}ids for root, so that LXD can create the unprivileged containers:
$ echo "root:1000000:65536" | sudo tee -a /etc/subuid /etc/subgid
Accessing LXD as an unprivileged user
By default the LXD daemon allows users in the lxd group access, so add your user to the group:
$ usermod -a -G lxd <user>
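The three prerequisites above (a kernel with CONFIG_USER_NS, sub{u,g}id ranges for root, and lxd group membership) are easy to get wrong and the failure only shows up later as a confusing launch error. The following pre-flight script is an added example, not part of this page or the lxd package; the check functions take their input as text so they can be exercised on constructed samples, and lxd_preflight applies them to the live host when the script is run with the argument run.

```shell
#!/bin/sh
# Added pre-flight checks for the LXD setup steps (not from the wiki page or
# the lxd package). Each check reads its input as text, so the same logic
# can be tested on constructed samples without touching the host.

# userns_enabled CONFIG_TEXT -> 0 if the kernel config enables user
# namespaces (CONFIG_USER_NS=y), which unprivileged containers require.
userns_enabled() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_USER_NS=y'
}

# subid_range_ok SUBID_TEXT USER MIN_COUNT -> 0 if USER owns a contiguous
# sub{u,g}id range of at least MIN_COUNT ids in the subuid/subgid text.
subid_range_ok() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v need="$3" '
        $1 == u && $3 + 0 >= need + 0 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# in_group GROUP_TEXT USER GROUP -> 0 if USER is listed as a supplementary
# member of GROUP in the /etc/group text (what usermod -a -G produces).
in_group() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Apply all checks to the running host; prints one line per check.
lxd_preflight() {
    kcfg=$(zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)" 2>/dev/null || :)
    userns_enabled "$kcfg" && echo "ok: CONFIG_USER_NS=y" || echo "FAIL: kernel lacks CONFIG_USER_NS"
    subid_range_ok "$(cat /etc/subuid 2>/dev/null)" root 65536 && echo "ok: root subuid range" || echo "FAIL: add root:1000000:65536 to /etc/subuid"
    subid_range_ok "$(cat /etc/subgid 2>/dev/null)" root 65536 && echo "ok: root subgid range" || echo "FAIL: add root:1000000:65536 to /etc/subgid"
    in_group "$(cat /etc/group 2>/dev/null)" "${SUDO_USER:-$USER}" lxd && echo "ok: user in lxd group" || echo "FAIL: user not in lxd group (re-login after usermod)"
}

# Only touch the host when explicitly asked: sh lxd-preflight.sh run
case "${1:-}" in
    run) lxd_preflight ;;
esac
```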
LXD Networking
LXD uses LXC's networking capabilities. By default it connects containers to the lxcbr0 network device. Refer to the LXC documentation on network configuration to set up a bridge for your containers.
If you want to use a different interface than lxcbr0, edit the default profile using the lxc command line tool:
$ lxc profile edit default
An editor will open with a config file that by default contains:
name: default
config: {}
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxcbr0
    type: nic
You can set the parent parameter to whichever bridge you want LXD to attach the containers to by default.
Example network configuration
Thanks to @jpic, the LXD package now provides some example networking configuration in /usr/share/lxd/. To use this configuration run the following commands:
$ ln -s /usr/share/lxd/dnsmasq-lxd.conf /etc/dnsmasq-lxd.conf
$ ln -s /usr/share/lxd/systemd/system/dnsmasq@lxd.service /etc/systemd/system/dnsmasq@lxd.service
$ ln -s /usr/share/lxd/netctl/lxd /etc/netctl/lxd
$ ln -s /usr/share/lxd/dbus-1/system.d/dnsmasq-lxd.conf /etc/dbus-1/system.d/dnsmasq-lxd.conf
If you use NetworkManager, also symlink the following file:
$ ln -s /usr/share/lxd/NetworkManager/dnsmasq.d/lxd.conf /etc/NetworkManager/dnsmasq.d/lxd.conf
Change parent: lxcbr0 to parent: lxd in the default profile:
$ lxc profile edit default
Finally, enable and start dnsmasq@lxd.service and netctl@lxd.service.
If you encounter issues with the provided example configuration, or have suggestions to improve it, please leave a comment on the lxdAUR page.
Basic usage
First steps
LXD has two parts, the daemon (the lxd binary), and the client (the lxc binary). Now that the daemon is all configured and running, you can create a container:
$ lxc launch ubuntu:14.04
Alternatively, you can also use a remote LXD host as a source of images. One comes pre-configured in LXD, called "images" (images.linuxcontainers.org):
$ lxc launch images:centos/7/amd64 centos
Advanced usage
Modify processes and files limit
You may want to increase the file descriptor limit or the max user processes limit, since the default file descriptor limit is 1024 on Arch Linux:
$ sudo systemctl edit lxd
and add the following configuration:
[Service]
LimitNOFILE=infinity
LimitNPROC=infinity
TasksMax=infinity
Then restart lxd:
$ sudo systemctl restart lxd
Troubleshooting
Launching container without CONFIG_USER_NS
Without CONFIG_USER_NS the container cannot be unprivileged, so you must set security.privileged=true when launching it:
$ lxc launch ubuntu:16.04 test_ubuntu -c security.privileged=true
For a container that already exists, edit its configuration instead:
$ lxc config edit test_ubuntu
name: test_ubuntu
profiles:
- default
config:
  ...
  security.privileged: "true"
  ...
devices:
  root:
    path: /
    type: disk
ephemeral: false