Linux container technology-LXC-related technical knowledge

Source: Internet
Author: User
Linux container technology-LXC related technical knowledge 1. lxcbr0 when USE_LXC_BRIDGE & quot; true & quot; in/etc/default/lxc, lxcbr0 is automatically created at lxc startup and assigned the IP address 10.0.3.1, the lxc instance of this bridge can be upgraded from 10.0.3.0/2...
Linux container technology-LXC related technical knowledge 1. lxcbr0 when USE_LXC_BRIDGE = "true" in/etc/default/lxc, lxcbr0 is automatically created at lxc startup and assigned the IP address 10.0.3.1, the lxc instance of this bridge can assign ip addresses from 10.0.3.0/24. A dnsmasq instance runs in the background to listen to lxcbr0 and implement dns and dhcp functions. Www.2cto.com 2. the isolated file system is used as the lxc instance to store the configuration information of the lxc instance and the root file system are stored in the/var/lib/lxc Directory. In addition, if an instance is not created, it will be cached in the/var/lib/lxc directory. If you want to use a file system other than/var, you can use either of the following methods: sudo mkdir/srv/lxclib/srv/lxccachesudo rm-rf/var/lib/lxc/var/cache/lxcsudo ln-s/srv/lxclib/var/lib/lxcsudo ln- s/srv/lxccache/var/cache/lxc or: sudo mkdir/srv/lxclib/srv/lxccachesudo sed-I '$ a \ www.2cto.com/srv/lxclib/var/lib/lxc none ULTS ults, bind 0 0 \/srv/lxccache/var/cache/lxc none defaults, bind 0 0'/etc/fstabsudo mount-
3. LXC security-apparmor (application access control system) AppArmor is similar to selinux and mainly serves to set access control permissions for an executable program, you can restrict the program to read/write a directory/File, open/read/write network ports, and so on. By default, AppArmor is installed and loaded. It uses the profiles of each program to determine what files and permissions the program requires. Some packages will install their own profiles. Additional profiles can be found in the apparmor-profiles package. The following briefly introduces the use of AppArmor: (1) apparmor_status is the sudo apparmor_status (2) aa-complain that is used to view the current state of the AppArmor configuration file. Sudo aa-complain/path/to/bin // path of the executable program (3) aa-enforce places a program into the enforce mode sudo aa-enforce/path/to/bin // path of the executable program/etc/apparmor. the d directory is where the AppArmor configuration file is located. It can be used to operate the mode of all configuration files.
(4) to put all configuration files in complain mode, enter sudo aa-complain/etc/apparmor. d/* www.2cto.com (5) put all configuration files into the enforce mode: sudo aa-enforce/etc/apparmor. d/* (6) apparmor_parser is used to load a configuration file to the kernel. It can also re-load the currently loaded configuration file by using the-r option. To load a configuration file: cat/etc/apparmor. d/profile. name | sudo apparmor_parser-a (7) re-load a configuration file: cat/etc/apparmor. d/profile. name | sudo apparmor_parser-r (8)/etc/init. d/apparmor can be used to reload all configuration files: sudo/etc/init. d/apparmor reload (9) The/etc/apparmor. the d/disable directory can be used with the apparmor_parser-R option to disable a configuration file. Sudo ln-s/etc/apparmor. d/profile. name/etc/apparmor. d/disable/sudo apparmor_parser-R/etc/apparmor. d/profile. name
(10) to reactivate a disabled configuration file, delete the soft link to its configuration file in/etc/apparmor. d/disable. Then use option-a to load the configuration file. Sudo rm/etc/apparmor. d/disable/profile. namecat/etc/apparmor. d/profile. name | sudo apparmor_parser-a (11) AppArmor can be disabled. its kernel module can be uninstalled by running the following command: www.2cto.com sudo/etc/init. d/apparmor stopsudo update-rc.d-f apparmor remove (12) to re-enable AppArmor, enter: sudo/etc/init. d/apparmor startsudo update-rc.d apparmor defaults as to how to write the configuration file for AppArmor, will be introduced in later articles! Let's get back to the AppArmor in lxc. LXC uses the AppArmor configuration file to protect the host from malicious behaviors of instances in the container, such: the instances in the container do not have the write permission on most files in the/proc/sysrq-tigger and/sys directories. In addition, the usr. bin. lxc-start configuration file is used to prevent lxc-start from mounting other files listed in the container root directory. Before executing the init process of the container instance, go back to/etc/apparmor. d/lxc-default to check the permission and disable init from accessing some dangerous resources. In the next article, we will focus on the cgroup mechanism! Author ustc_dylan
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.