The headline feature of LXC 1.0 is the unprivileged container. Through a user-namespace uid/gid map, root inside the container (uid 0, gid 0) is mapped onto a range of unprivileged uids and gids that belong to an ordinary user on the host, so a process that breaks out of the container is only that ordinary user and not root; this greatly improves the security of LXC.
LXC 1.0 has requirements on the kernel (user namespace support) and on the Python version, so the following uses Ubuntu 14.04 as an example and creates an unprivileged LXC container as an ordinary user named dell.
(Unless otherwise specified, the following commands are run as root, shown with the # prompt; commands shown with a $ prompt are run as the dell user.)
1. Install lxc
apt-get install lxc uidmap
2. Create a common user
useradd -m dell
mkdir -p /home/dell/.local/share/lxc
mkdir -p /home/dell/.config/lxc
3. Configure uidmap
usermod -v 100000-165535 dell
usermod -w 100000-165535 dell
echo "lxc.id_map = u 0 100000 65536" >> /etc/lxc/default.conf
echo "lxc.id_map = g 0 100000 65536" >> /etc/lxc/default.conf
usermod -v adds a subordinate uid range for dell to /etc/subuid and -w adds a subordinate gid range to /etc/subgid. The lxc.id_map lines (kind, first container id, first host id, count) must lie entirely inside those ranges: here 65536 ids starting at host id 100000 map container ids 0-65535 to host ids 100000-165535, which is exactly the range granted above. If the map asks for more ids than the subordinate range contains, newuidmap/newgidmap refuse the mapping and the container will not start, so verify with grep dell /etc/subuid /etc/subgid before going on.
4. Modify the lxc Configuration
echo "dell veth lxcbr0 10" >> /etc/lxc/lxc-usernet
cat /etc/lxc/default.conf > /home/dell/.config/lxc/default.conf
The lxc-usernet line (user, interface type, bridge, count) allows dell to attach up to 10 veth devices to lxcbr0 without root; without it the container's network interface cannot be created. The second command seeds dell's per-user default.conf, which is used for every container dell creates, with the system defaults (veth on lxcbr0) plus the id_map lines added in step 3.
5. Modify permissions
chmod +x /home/dell
chown -R dell:dell /home/dell
The execute (search) bit for others on /home/dell is required because the container's processes run as the mapped host uids (100000 and up), which are neither dell nor a member of dell's group, yet must be able to traverse the path down to the container's rootfs.
6. Log on as the dell user and create a container
Creating an unprivileged container differs somewhat from the privileged case: it uses the download template, which fetches a prebuilt, packaged root filesystem for the chosen distribution, rather than building one with apt/yum (those templates need root).
lxc-create -n my-ubuntu -t download
-n is short for --name, the container name
-t is short for --template, the template to use
Next, a text dialog is displayed. The template offers the mainstream distributions (centos, debian, ubuntu, ...); select the distribution, release and CPU architecture you need.
Ubuntu supports unprivileged containers very well; here we select ubuntu trusty amd64 (a centos 6 container can be created, but it fails with an unknown error on startup).
You can also skip the dialog and create the Ubuntu unprivileged container directly with the following command:
lxc-create -t download -n my-ubuntu -- -d ubuntu -r trusty -a amd64
The default user and password of the Ubuntu image are both ubuntu, and that user can use sudo.
7. List the created unprivileged container
lxc-ls
8. Start the unprivileged container
lxc-start -n my-ubuntu
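The root-side part of the procedure (steps 2 to 5), collected into one script as an added example; this is not code from the original post. It assumes the user dell, a map of 65536 ids starting at host id 100000, and the bridge lxcbr0 (all overridable through environment variables), and it writes the id_map lines into dell's own default.conf rather than the system-wide /etc/lxc/default.conf so root's privileged containers are unaffected. The check_idmap function is the consistency check a practitioner wants before logging in as dell: it parses every lxc.id_map line and confirms that /etc/subuid and /etc/subgid really grant the whole mapped range, which is exactly what newuidmap/newgidmap will insist on at container start.

```shell
#!/bin/sh
# Added example, not from the original post: root-side setup for one
# unprivileged-container user (steps 2-5 above), plus a check that the
# subordinate uid/gid ranges really cover the id_map the container asks for.
# Assumptions: user dell, 65536 ids starting at host id 100000, bridge lxcbr0.
LXC_USER="${LXC_USER:-dell}"
ID_START="${ID_START:-100000}"
ID_COUNT="${ID_COUNT:-65536}"
BRIDGE="${BRIDGE:-lxcbr0}"

# Print the two lxc.id_map lines that map container ids 0..count-1 to host
# ids start..start+count-1.
idmap_lines() {
    start="$1"; count="$2"
    printf 'lxc.id_map = u 0 %s %s\n' "$start" "$count"
    printf 'lxc.id_map = g 0 %s %s\n' "$start" "$count"
}

# Succeed iff a /etc/subuid-style entry "user:start:count" fully contains
# the mapped host range [map_start, map_start+map_count).
range_covers() {
    sub_entry="$1"; map_start="$2"; map_count="$3"
    sub_start=$(printf '%s' "$sub_entry" | cut -d: -f2)
    sub_count=$(printf '%s' "$sub_entry" | cut -d: -f3)
    [ "$map_start" -ge "$sub_start" ] &&
        [ $((map_start + map_count)) -le $((sub_start + sub_count)) ]
}

# Compare every lxc.id_map line in a config against the user's subuid/subgid
# entries. Returns 1 (and reports) for any map newuidmap/newgidmap would reject.
check_idmap() {
    user="$1"; conf="$2"; subuid="${3:-/etc/subuid}"; subgid="${4:-/etc/subgid}"
    rc=0
    while read -r key eq kind cstart hstart count; do
        [ "$key" = "lxc.id_map" ] || continue
        case "$kind" in
            u) f="$subuid" ;;
            g) f="$subgid" ;;
            *) echo "bad id_map kind: $kind" >&2; rc=1; continue ;;
        esac
        entry=$(grep "^$user:" "$f" | head -n1)
        if [ -z "$entry" ] || ! range_covers "$entry" "$hstart" "$count"; then
            echo "id_map $kind $cstart $hstart $count is not covered by $f (${entry:-no entry})" >&2
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Privileged part (run once as root). Mirrors steps 2-5 of the post.
setup_unprivileged_user() {
    last=$((ID_START + ID_COUNT - 1))
    useradd -m "$LXC_USER"
    usermod -v "$ID_START-$last" "$LXC_USER"    # adds the range to /etc/subuid
    usermod -w "$ID_START-$last" "$LXC_USER"    # adds the range to /etc/subgid
    # let the user attach up to 10 veth devices to the bridge without root
    echo "$LXC_USER veth $BRIDGE 10" >> /etc/lxc/lxc-usernet
    home=$(getent passwd "$LXC_USER" | cut -d: -f6)
    mkdir -p "$home/.config/lxc" "$home/.local/share/lxc"
    # per-user defaults: the system defaults (veth on the bridge) plus the id map
    { cat /etc/lxc/default.conf; idmap_lines "$ID_START" "$ID_COUNT"; } \
        > "$home/.config/lxc/default.conf"
    chown -R "$LXC_USER:$LXC_USER" "$home"
    chmod o+x "$home"   # mapped uids must be able to traverse the home directory
    check_idmap "$LXC_USER" "$home/.config/lxc/default.conf"
}

# The privileged setup only runs when asked for explicitly, as root:
#   sh unpriv-setup.sh setup
if [ "${1:-}" = "setup" ] && [ "$(id -u)" -eq 0 ]; then
    setup_unprivileged_user
fi
```

After the script reports a clean check, log in as dell and continue with step 6 (lxc-create -t download -n my-ubuntu -- -d ubuntu -r trusty -a amd64). check_idmap can also be pointed at an existing container's config (~/.local/share/lxc/my-ubuntu/config) whenever a container refuses to start with a newuidmap or newgidmap error.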
9. Tips
A. Start the container with the system
Autostart
$ echo "lxc.start.auto = 1" >> /home/dell/.local/share/lxc/my-ubuntu/config
Startup delay (seconds)
$ echo "lxc.start.delay = 5" >> /home/dell/.local/share/lxc/my-ubuntu/config
B. Restrict container resources
CPU limit
$ echo "lxc.cgroup.cpu.shares = 256" >> /home/dell/.local/share/lxc/my-ubuntu/config
Memory limit
$ echo "lxc.cgroup.memory.limit_in_bytes = 1024M" >> /home/dell/.local/share/lxc/my-ubuntu/config
Disk I/O limit
$ echo "lxc.cgroup.blkio.weight = 500" >> /home/dell/.local/share/lxc/my-ubuntu/config
Always append with >>: a single > would truncate the config and discard the id_map and network lines, after which the container no longer starts. lxc.start.auto is only acted on by lxc-autostart, and the system boot job runs it as root, which only sees root's containers under /var/lib/lxc; to autostart dell's containers, run lxc-autostart as dell (for example from a cron @reboot entry). The lxc.cgroup.* keys only take effect if dell has been given a writable cgroup of his own (Ubuntu 14.04 arranges this for unprivileged containers through cgmanager); check the container's cgroup after start with cat /proc/self/cgroup from inside it.
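The tips above edit the container config by appending lines. As an added example that is not part of the original post, the following shell functions set a key idempotently: an existing line for the key is replaced instead of duplicated, the file is never truncated, and lxc_get returns the value lxc will actually use (the last occurrence). It assumes the config path the post uses, /home/dell/.local/share/lxc/<name>/config, and applies the five settings from this section.

```shell
#!/bin/sh
# Added example, not from the original post: set a key in a container's config
# idempotently. The tips above append with >>; a single > would truncate the
# file and lose the id_map and network lines, and repeated >> leaves duplicate
# keys (lxc takes the last one). Assumption: the config path is the one from
# the post, /home/dell/.local/share/lxc/<name>/config.

# Regex-escape the dots in an lxc key so it can anchor a sed/grep pattern.
esc_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Replace an existing "key = value" line, or append one if the key is absent.
lxc_set() {
    conf="$1"; key="$2"; value="$3"
    tmp="$conf.tmp.$$"
    # keep every line except the ones that set this key (grep -v exits 1 if
    # nothing is left, which is fine)
    grep -v "^[[:space:]]*$(esc_key "$key")[[:space:]]*=" "$conf" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# Print the effective value of a key (last occurrence wins, as in lxc);
# prints nothing if the key is not set.
lxc_get() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*$(esc_key "$key")[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n1
}

# The five settings from the tips section, applied to one container config.
# lxc.cgroup.* keys are only honoured if the user owns a writable cgroup.
apply_tips() {
    conf="$1"
    lxc_set "$conf" lxc.start.auto 1
    lxc_set "$conf" lxc.start.delay 5
    lxc_set "$conf" lxc.cgroup.cpu.shares 256
    lxc_set "$conf" lxc.cgroup.memory.limit_in_bytes 1024M
    lxc_set "$conf" lxc.cgroup.blkio.weight 500
}

# Usage: sh lxc-tips.sh /home/dell/.local/share/lxc/my-ubuntu/config
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    apply_tips "$1"
fi
```

Running the script twice against the same config leaves it unchanged, and lxc_get is a quick way to confirm which memory limit a container will really get when several people have appended to its config over time.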
This article is from the "Focus on Linux O & M" blog; please keep the source when reposting: http://purplegrape.blog.51cto.com/1330104/1528503
Using unprivileged LXC containers on Ubuntu 14.04