This project is a way to compress my existing virtualization servers down to more manageable footprints. I have decided to use Ubuntu Server 20.04.2 LTS, since setting up LXC and LXD is easier there than it is in Debian.
I am installing to a VM to make testing easier, but I’m going to make it as portable to bare metal as I can. First, I’m not going to use LVM, since it’s a major pain for me to transport an operating system from one PV to another, and every time I try, it becomes a huge headache. I’d rather just use a basic EXT4 partitioned disk, and put /lib on a second partition or drive. It makes upgrading fairly simple, and adding drive space isn’t much of an issue, since bulk storage is planned to be on separate drives and shared through other means.
After Ubuntu is done installing to the VM, the first thing to do is:
#sudo apt-get update && sudo apt-get upgrade
Then install lxc and lxd:
#sudo apt-get install lxc
#sudo snap install lxd
I have never liked using Netplan, and I have not been able to get it to work with host bridges, so I disable Netplan and go back to /etc/network/interfaces. I also like the formatting of ifconfig, so I’ll install net-tools and bridge-utils too.
#sudo apt-get install ifupdown net-tools bridge-utils
Update /etc/network/interfaces file:
auto lo
iface lo inet loopback
auto enp0s3
iface enp0s3 inet manual
auto br0
iface br0 inet static
address 10.0.2.200
broadcast 10.0.2.255
netmask 255.255.255.0
gateway 10.0.2.1
dns-nameservers 10.0.2.1 1.1.1.1
bridge_ports enp0s3
bridge_stp off
bridge_waitport 0
bridge_fd 0
Then:
# systemctl stop systemd-networkd.socket systemd-networkd \
networkd-dispatcher systemd-networkd-wait-online
# systemctl disable systemd-networkd.socket systemd-networkd \
networkd-dispatcher systemd-networkd-wait-online
# systemctl mask systemd-networkd.socket systemd-networkd \
networkd-dispatcher systemd-networkd-wait-online
# apt-get purge nplan netplan.io
After that, it seems I need to reboot for the changes to go into effect correctly and for the bridge to come up. If this is running inside a VirtualBox VM, make sure to go to the advanced network settings for this VM, and change “Promiscuous Mode” to “Allow All”, or the bridged containers won’t be able to connect to anything.
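A check I like to run before that reboot, added here as an example script rather than anything from the original post: the most common reason a bridge built from an interfaces file fails to come up (or comes up with two addresses fighting each other) is that the physical port still has its own inet stanza set to dhcp or static instead of manual. The function below parses an interfaces file, finds every bridge_ports line, and confirms each listed port has an "iface ... inet manual" stanza. The function name and the file path argument are this example's own; the default path is /etc/network/interfaces as used in the article.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an ifupdown
# interfaces file before rebooting into the bridged configuration.
# Exit status 0 when every bridge port is declared "inet manual", 1 otherwise.
set -u

# check_bridge_config [FILE]   (FILE defaults to /etc/network/interfaces)
check_bridge_config() {
    file="${1:-/etc/network/interfaces}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    awk '
        # "iface NAME inet METHOD" starts a stanza; remember the method per interface.
        $1 == "iface"        { cur = $2; method[cur] = $4 }
        # "bridge_ports a b c" belongs to the current stanza (the bridge).
        $1 == "bridge_ports" { for (i = 2; i <= NF; i++) ports[cur] = ports[cur] " " $i }
        END {
            bad = 0
            for (br in ports) {
                n = split(ports[br], p, " ")
                for (i = 1; i <= n; i++) {
                    if (!(p[i] in method)) {
                        printf "MISSING %s: port %s has no iface stanza\n", br, p[i]; bad = 1
                    } else if (method[p[i]] != "manual") {
                        printf "BAD     %s: port %s is \"%s\", should be manual\n", br, p[i], method[p[i]]; bad = 1
                    } else {
                        printf "OK      %s: port %s is manual\n", br, p[i]
                    }
                }
            }
            exit bad
        }' "$file"
}

# When run directly on the host, report on the real file.
if [ -r /etc/network/interfaces ]; then
    check_bridge_config || echo "bridge configuration needs attention" >&2
fi
```

Run it as "sh check-bridge.sh" on the host, or pass a path to test a file before copying it into place.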
Also, /etc/systemd/resolved.conf needs to be updated:
[Resolve]
...
DNS=10.0.2.1 1.1.1.1
...
Restart the resolver service:
#sudo systemctl restart systemd-resolved
At this point, I have network access by IP address, but on some machines the DNS requests go out over IPv6 for some reason, which fails since the interfaces file isn’t configuring IPv6. To disable IPv6, edit /etc/sysctl.conf and add the following lines:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.enp0s3.disable_ipv6 = 1
net.ipv6.conf.br0.disable_ipv6 = 1
#sysctl -p /etc/sysctl.conf
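One thing worth knowing about those per-interface keys: sysctl -p can only set net.ipv6.conf.br0.disable_ipv6 if br0 already exists when it runs, so it is worth confirming what the kernel actually has rather than trusting the file. The script below (an added example, not from the original post) checks both: that each key is present in sysctl.conf with the value 1, and that /proc/sys reports disable_ipv6 = 1 for each interface. Both functions take an optional path so they can be pointed at a copy; the function names, the IFACES list and the path arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify the IPv6 sysctl settings
# from the article, both in /etc/sysctl.conf and as the kernel currently
# applies them under /proc/sys/net/ipv6/conf.
set -u

# Interfaces the article disables IPv6 on; "all" and "default" cover the rest.
IFACES="all default lo enp0s3 br0"

# check_sysctl_conf [FILE]: return 0 if every key is present with value 1.
check_sysctl_conf() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    bad=0
    for ifc in $IFACES; do
        key="net.ipv6.conf.$ifc.disable_ipv6"
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
        if grep -Eq "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$conf"; then
            echo "OK      $key = 1 in $conf"
        else
            echo "MISSING $key in $conf"
            bad=1
        fi
    done
    return $bad
}

# check_ipv6_disabled [DIR]: return 0 if DIR/<iface>/disable_ipv6 reads 1
# for every interface. DIR defaults to /proc/sys/net/ipv6/conf.
check_ipv6_disabled() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    bad=0
    for ifc in $IFACES; do
        f="$root/$ifc/disable_ipv6"
        if [ ! -r "$f" ]; then
            # Interface not present yet (e.g. br0 before the reboot), so the
            # key could not have been applied; "default" still covers it later.
            echo "MISSING $ifc (no $f)"
            bad=1
            continue
        fi
        v=$(cat "$f")
        if [ "$v" = "1" ]; then
            echo "OK      $ifc disable_ipv6=1"
        else
            echo "ENABLED $ifc disable_ipv6=$v"
            bad=1
        fi
    done
    return $bad
}

# Running the script directly reports both checks; exit status 1 if either fails.
status=0
check_sysctl_conf || status=1
check_ipv6_disabled || status=1
```

If the conf check passes but the kernel check reports br0 as MISSING or ENABLED, re-run "sysctl -p /etc/sysctl.conf" after the bridge is up, or rely on the reboot the article already calls for.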
Now it’s time to install the prerequisites for LXDUI:
#sudo apt install -y git build-essential libssl-dev python3-venv python3-pip python3-dev zfsutils-linux
Next, clone the git repository:
#git clone https://github.com/AdaptiveScale/lxdui.git
#cd lxdui
#pip3 install . --user
Now create the service file:
#nano /usr/lib/systemd/system/lxdui.service
[Unit]
Description=Web UI for the native Linux container technology LXD/LXC
After=network.target snapd.service
Requires=snapd.service
[Service]
Type=simple
User=sysadmin
PIDFile=/run/lxdui/lxdui.pid
ExecStart=/home/sysadmin/.local/bin/lxdui start
ExecStop=/home/sysadmin/.local/bin/lxdui stop
[Install]
WantedBy=multi-user.target
After creating the service file, update systemd so it can see the service, then enable the service:
#systemctl daemon-reload
#systemctl enable lxdui.service
#systemctl start lxdui.service
LXDUI should now be running, but it hasn’t been initialized yet and is using a default user/password of admin/admin. To change the admin password:
#~/.local/bin/lxdui user update -u admin
Now the web interface should be accessible at http://[IP Address]:15151
Once the interface is up and running, you’ll need to download some template images.
There are plenty of basic templates that are easily accessible through the LXDUI interface. I haven’t figured out how to get it to see the TurnkeyLinux templates they have for Proxmox yet, but those can be turned into a template, in a roundabout way, one at a time.
At this point, we have a functioning container host, and containers can be easily added, using a bridged network, but there isn’t yet a great way to access network storage; that has to be somewhat hacked in. I like to use NFS on my storage servers, and have my filesharing machines access and share data that way. It makes data management a bit more resilient; if there’s a problem with a machine, I don’t have to worry too much about it affecting the data files. The problem is that by default, containers are not allowed to use NFS internally, and mounting on the host into the container’s storage area doesn’t work either. The host will see the mounted share, but the guest only sees the folder as it was when it was unmounted. Fortunately, the fix seems to be pretty simple. For each container that needs NFS access, go to that container’s advanced properties and set “security.privileged” to 1, and set “raw.apparmor” to “mount fstype=nfs,”. Although this is less secure than running unprivileged containers, the attack surface should be fairly small, especially if the container that’s using NFS is only doing 1 or 2 things, like a fileserver.
NFS mounts are only necessary if the physical data drives don’t exist on the container host. In the case of data drives being local to the container host, it’s better to do a different type of mount, for which there are many options.
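Because a privileged container with an AppArmor override is the one place this setup relaxes isolation, it pays to keep that list short and known. The script below is an added example and not part of the original post: it applies the same two settings from the command line with the lxc client (handy when scripting container creation instead of clicking through LXDUI), and it audits every container on the host, flagging any that is privileged or carries a raw.apparmor override so the exceptions stay deliberate. The function names, the MOUNT rule constant and the "fileserver" name in the usage comment are this example's own; "lxc config set/get" and "lxc list -f csv -c n" are standard LXD client commands. LXD accepts both "1" and "true" for security.privileged.

```shell
#!/bin/sh
# Added example (not from the original post): grant NFS mounting to one
# container via the lxc CLI, and audit the host for privileged containers.
set -u

# The AppArmor rule the article sets; the trailing comma is part of the syntax.
APPARMOR_NFS='mount fstype=nfs,'

# needs_review PRIVILEGED RAW_APPARMOR: return 0 (flag it) when the container
# is privileged or has any raw.apparmor override. Pure string logic so it can
# be exercised without an LXD daemon.
needs_review() {
    privileged="$1"; rawapparmor="$2"
    case "$privileged" in
        1|true|True|TRUE|yes|on) return 0 ;;
    esac
    [ -n "$rawapparmor" ] && return 0
    return 1
}

# enable_nfs_in_container NAME: the two settings from the article.
# security.privileged only takes effect after the container is restarted.
enable_nfs_in_container() {
    name="$1"
    lxc config set "$name" security.privileged true
    lxc config set "$name" raw.apparmor "$APPARMOR_NFS"
    echo "restart $name for security.privileged to take effect" >&2
}

# audit_containers: one line per container, REVIEW for the relaxed ones.
audit_containers() {
    lxc list -f csv -c n | while IFS= read -r name; do
        priv=$(lxc config get "$name" security.privileged)
        raw=$(lxc config get "$name" raw.apparmor)
        if needs_review "$priv" "$raw"; then
            printf 'REVIEW  %s privileged=%s raw.apparmor=%s\n' \
                "$name" "${priv:-unset}" "${raw:-unset}"
        else
            printf 'ok      %s\n' "$name"
        fi
    done
}

# Usage on the host:  sh nfs-containers.sh           (audit only)
#                     enable_nfs_in_container fileserver   (after sourcing)
if command -v lxc >/dev/null 2>&1; then
    audit_containers
else
    echo "lxc not found; run this on the container host" >&2
fi
```

Run the audit periodically (or from a cron job) and compare against the containers you expect to see; a new REVIEW line is a configuration change worth explaining.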
