Linux container technology - LXC related technical knowledge

1. lxcbr0

When USE_LXC_BRIDGE="true" is set in /etc/default/lxc, the bridge lxcbr0 is created automatically when lxc starts and is assigned the IP address 10.0.3.1. Containers attached to this bridge receive addresses from 10.0.3.0/24. A dnsmasq instance runs in the background, listening on lxcbr0, and provides DNS and DHCP for the containers.

2. File system layout

Each container's configuration and its root file system are stored under /var/lib/lxc. Template data downloaded while creating containers is cached under /var/cache/lxc. To keep both on a file system other than /var, use either of the following methods:

    sudo mkdir /srv/lxclib /srv/lxccache
    sudo rm -rf /var/lib/lxc /var/cache/lxc
    sudo ln -s /srv/lxclib /var/lib/lxc
    sudo ln -s /srv/lxccache /var/cache/lxc

or:

    sudo mkdir /srv/lxclib /srv/lxccache
    sudo sed -i '$a \
    /srv/lxclib /var/lib/lxc none defaults,bind 0 0 \
    /srv/lxccache /var/cache/lxc none defaults,bind 0 0' /etc/fstab
    sudo mount -a
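As an added example (not part of the original article), the shell script below carries out the second method above against an fstab path given as a parameter, so it can be tried on a constructed copy before the real /etc/fstab is touched. Unlike the `sed -i '$a ...'` append, it first checks whether a bind entry for the mount point already exists, so running it twice does not duplicate the lines. The directories /srv/lxclib and /srv/lxccache follow the article; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original article: record the two LXC bind
# mounts in an fstab file without duplicating them on repeated runs.
# The fstab path is a parameter so a constructed copy can be used for testing.

# add_bind_entry FSTAB SRC DST
# Appends "SRC DST none defaults,bind 0 0" unless a non-comment line
# already names DST as its mount point (field 2 of fstab).
add_bind_entry() {
    fstab=$1; src=$2; dst=$3
    if awk -v d="$dst" '$1 !~ /^#/ && $2 == d { found = 1 } END { exit !found }' "$fstab"; then
        return 0    # already present: nothing to do
    fi
    printf '%s %s none defaults,bind 0 0\n' "$src" "$dst" >> "$fstab"
}

# relocate_lxc FSTAB LIBDIR CACHEDIR
# Bind-mounts LIBDIR over /var/lib/lxc and CACHEDIR over /var/cache/lxc,
# the same two mount points the article's sed command adds.
relocate_lxc() {
    add_bind_entry "$1" "$2" /var/lib/lxc
    add_bind_entry "$1" "$3" /var/cache/lxc
}

# count_lxc_binds FSTAB -> number of active lxc bind-mount lines
count_lxc_binds() {
    grep -c -E '^[^#][^ ]* /var/(lib|cache)/lxc none defaults,bind 0 0$' "$1" || true
}

# Demo on a constructed fstab (never touches the real /etc/fstab).
demo=$(mktemp)
printf '# constructed sample fstab\nUUID=0000-0000 / ext4 errors=remount-ro 0 1\n' > "$demo"
relocate_lxc "$demo" /srv/lxclib /srv/lxccache
relocate_lxc "$demo" /srv/lxclib /srv/lxccache   # second run adds nothing
echo "lxc bind entries: $(count_lxc_binds "$demo")"
cat "$demo"
rm -f "$demo"
```

On a real host the function would be called with /etc/fstab as the first argument (under sudo), followed by `sudo mount -a` as in the article; the mount-point check keeps repeated provisioning runs from stacking identical bind entries.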
3. LXC security: AppArmor (application access control)

AppArmor is similar to SELinux. It sets access control rules for individual executables: a program can be restricted in which directories and files it may read or write, which network ports it may open, and so on. AppArmor is installed and loaded by default. It uses a profile for each program to determine which files and permissions that program needs. Some packages install their own profiles, and additional profiles are available in the apparmor-profiles package. The following briefly introduces how AppArmor is used:

(1) apparmor_status shows the current state of the AppArmor profiles:

    sudo apparmor_status

(2) aa-complain places a program's profile into complain mode:

    sudo aa-complain /path/to/bin    # path of the executable program

(3) aa-enforce places a program's profile into enforce mode:

    sudo aa-enforce /path/to/bin    # path of the executable program

The /etc/apparmor.d directory is where the AppArmor profiles are located. It can be used to change the mode of all profiles at once.
(4) To put all profiles into complain mode:

    sudo aa-complain /etc/apparmor.d/*

(5) To put all profiles into enforce mode:

    sudo aa-enforce /etc/apparmor.d/*

(6) apparmor_parser loads a profile into the kernel. With the -r option it reloads a profile that is already loaded. To load a profile:

    cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

(7) To reload a profile:

    cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

(8) /etc/init.d/apparmor can be used to reload all profiles:

    sudo /etc/init.d/apparmor reload

(9) The /etc/apparmor.d/disable directory, together with the apparmor_parser -R option, disables a profile:

    sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
    sudo apparmor_parser -R /etc/apparmor.d/profile.name
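As an added example (not from the article), the following shell functions audit which profiles are in enforce mode and which are in complain mode, the two modes switched by the commands in (2) to (5). They read the kernel's profile list, which on a running host is exposed at /sys/kernel/security/apparmor/profiles as one "name (mode)" line per profile; the path is a parameter so the sample below, a constructed list rather than output captured from a real system, can be used instead. The function names are my own. A complain-mode profile only logs violations, so for the lxc-start and container profiles this article relies on to protect the host, any profile not in enforce mode means that protection is not actually in effect.

```sh
#!/bin/sh
# Added example, not from the original article: report AppArmor profile modes
# from a profile list in the kernel's "name (mode)" format.
# On a live host the list is /sys/kernel/security/apparmor/profiles; the path
# is a parameter so a constructed sample can be used instead.

# profiles_in_mode FILE MODE -> names of profiles whose mode is MODE
profiles_in_mode() {
    sed -n "s/ (${2})\$//p" "$1"
}

# unenforced_lxc_profiles FILE -> names of lxc-related profiles that are
# not in enforce mode (complain mode only logs, it does not block)
unenforced_lxc_profiles() {
    grep -i 'lxc' "$1" | grep -v ' (enforce)$' | sed 's/ ([a-z]*)$//'
}

# Constructed sample profile list (not captured from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/usr/bin/lxc-start (enforce)
lxc-container-default (complain)
/usr/sbin/dnsmasq (enforce)
/sbin/dhclient (complain)
EOF

echo "enforced:";   profiles_in_mode "$sample" enforce
echo "complaining:"; profiles_in_mode "$sample" complain
echo "lxc profiles not enforced:"; unenforced_lxc_profiles "$sample"
rm -f "$sample"
```

On a host, pass /sys/kernel/security/apparmor/profiles (readable as root) instead of the sample; an lxc profile reported as not enforced is a finding to fix with aa-enforce as in (3), since the mode change made by aa-complain in (2) is easy to forget after debugging.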
(10) To reactivate a disabled profile, delete its symbolic link in /etc/apparmor.d/disable, then load the profile again with the -a option:

    sudo rm /etc/apparmor.d/disable/profile.name
    cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

(11) AppArmor can be disabled entirely, and its kernel module unloaded, with:

    sudo /etc/init.d/apparmor stop
    sudo update-rc.d -f apparmor remove

(12) To re-enable AppArmor:

    sudo /etc/init.d/apparmor start
    sudo update-rc.d apparmor defaults

How to write AppArmor profiles will be introduced in later articles. Let's get back to AppArmor in LXC. LXC uses AppArmor profiles to protect the host from malicious behaviour by instances inside a container: for example, processes in the container cannot write to /proc/sysrq-trigger or to most files under /sys. In addition, the usr.bin.lxc-start profile prevents lxc-start from mounting file systems outside the container's root directory. Before executing the container's init process, LXC switches to the profile in /etc/apparmor.d/lxc-default, which denies init access to dangerous resources.

In the next article, we will focus on the cgroup mechanism!

Author ustc_dylan