Difference between revisions of "Lxc.fjfi.cvut.cz"
(→Instalace a konfigurace) |
(→Kontejnery systemd-nspawn - CentOS8) |
||
| (16 intermediate revisions by the same user not shown) | |||
| Line 6: | Line 6: | ||
;HW : virtuální (Xen) - paravirtualizace x86_64 | ;HW : virtuální (Xen) - paravirtualizace x86_64 | ||
;OS : [http://www.centos.org CentOS7] | ;OS : [http://www.centos.org CentOS7] | ||
| − | ;Využití : LXC kontejnery ([http://gitlab.fjfi.cvut.cz gitlab], [http://indico.fjfi.cvut.cz indico]) | + | ;Využití : LXC kontejnery ([http://gitlab.fjfi.cvut.cz gitlab], [http://indico.fjfi.cvut.cz indico], [[vhost.fjfi.cvut.cz|vhost]], ...) |
;Konto : - | ;Konto : - | ||
=Instalace a konfigurace= | =Instalace a konfigurace= | ||
| + | * standardní (minimální) instalace operačního systému | ||
| + | * standardní puppet konfigurace pro server (certifikáty, logging, monitoring, ...) | ||
* default instalace s podporou LXC + libvirt | * default instalace s podporou LXC + libvirt | ||
| + | |||
| + | =Kontejnery= | ||
| + | |||
| + | ==Kontejnery libvirt-lxc== | ||
| + | * podporovány (a funkční) pouze v CentOS 7.0 (od 7.1 deprecated a segfaultují) | ||
* každý kontejner v nainstalován do LVM oddílu | * každý kontejner v nainstalován do LVM oddílu | ||
lvcreate -L 50G -T lxc/thinpool | lvcreate -L 50G -T lxc/thinpool | ||
lvcreate -V1G -T lxc/thinpool -n name | lvcreate -V1G -T lxc/thinpool -n name | ||
| − | + | * připojen do standardního umístění pro libvirt filesystémy se symlinkem z <tt>/root/fs-name</tt> | |
| − | + | * informace o instalaci a konfiguraci uloženy v adresáři <tt>/root/inst-name</tt> | |
yum -y --installroot=/var/lib/libvirt/filesystems/name --releasever=7 --nogpg install systemd initscripts passwd yum centos-release # ... | yum -y --installroot=/var/lib/libvirt/filesystems/name --releasever=7 --nogpg install systemd initscripts passwd yum centos-release # ... | ||
virt-install --connect lxc:// --name name --ram 1024 --filesystem /var/lib/libvirt/filesystems/name/,/ | virt-install --connect lxc:// --name name --ram 1024 --filesystem /var/lib/libvirt/filesystems/name/,/ | ||
| Line 26: | Line 33: | ||
# ... | # ... | ||
virsh -c lxc:// start --console name | virsh -c lxc:// start --console name | ||
| + | |||
| + | ==Kontejnery systemd-nspawn - CentOS7 == | ||
| + | * podporovány v CentOS 7.0 (systemd 209, bez rozumné podpory sítí), ale pro základní rozumné použití nutný alespoň CentOS 7.2 (systemd 219) | ||
| + | * na stroji, kde budou provozovány systemd-nspawn kontejnery je potřeba přidat <tt>machines.target</tt> | ||
| + | systemctl enable machines.target | ||
| + | * každý kontejner v nainstalován do LVM oddílu | ||
| + | lvcreate -L 50G -T centos_nspawn/pool00 | ||
| + | lvcreate -V1G -T centos_nspawn/pool00 -n NAME | ||
| + | mkfs.ext4 /dev/centos_nspawn/NAME | ||
| + | * připojen do standardního umístění <tt>/var/lib/machines/NAME</tt> se symlinkem z <tt>/root/fs-NAME</tt> | ||
| + | mkdir /var/lib/machines/NAME | ||
| + | echo "/dev/centos_nspawn/NAME /var/lib/machines/NAME ext4 defaults 1 2" >> /etc/fstab | ||
| + | mount /dev/centos_nspawn/NAME | ||
| + | * informace o instalaci a konfiguraci konkrétního kontejneru uloženy v adresáři <tt>/root/inst-NAME</tt> | ||
| + | yum -y --installroot=/var/lib/machines/NAME --releasever=7 --nogpg install \ | ||
| + | systemd systemd-networkd systemd-resolved initscripts passwd centos-release # ... | ||
| + | |||
| + | # allow login from console | ||
| + | echo "pts/0" >> /var/lib/machines/NAME/etc/securetty | ||
| + | echo "pts/1" >> /var/lib/machines/NAME/etc/securetty | ||
| + | echo "pts/2" >> /var/lib/machines/NAME/etc/securetty | ||
| + | echo "pts/3" >> /var/lib/machines/NAME/etc/securetty | ||
| + | # basic "postinstall" configuration | ||
| + | /bin/ln -fs ../usr/share/zoneinfo/Europe/Prague /var/lib/machines/NAME/etc/localtime | ||
| + | /bin/cp /etc/skel/.bashrc /var/lib/machines/NAME/root | ||
| + | /bin/cp /etc/skel/.bash_profile /var/lib/machines/NAME/root | ||
| + | /bin/rm /var/lib/machines/NAME/etc/resolv.conf | ||
| + | /bin/ln -s /run/systemd/resolve/resolv.conf /var/lib/machines/NAME/etc/resolv.conf | ||
| + | /bin/mkdir /var/lib/machines/NAME/etc/systemd/network | ||
| + | /bin/cp 10-static-host0.network /var/lib/machines/NAME/etc/systemd/network/10-static-host0.network | ||
| + | #/bin/cp iptables /var/lib/machines/NAME/etc/sysconfig/iptables | ||
| + | #/bin/cp ip6tables /var/lib/machines/NAME/etc/sysconfig/ip6tables | ||
| + | |||
| + | # use network bridging for containers (changed in override.conf) | ||
| + | /bin/mkdir /etc/systemd/system/systemd-nspawn@NAME.service.d | ||
| + | /bin/cp override.conf /etc/systemd/system/systemd-nspawn@NAME.service.d/override.conf | ||
| + | systemctl daemon-reload | ||
| + | |||
| + | # don't allow excessive journal mem/file size | ||
| + | perl -p -i -e 's/^#SystemMaxUse=.*/SystemMaxUse=100M/' /var/lib/machines/NAME/etc/systemd/journald.conf | ||
| + | perl -p -i -e 's/^#SystemMaxFileSize=.*/SystemMaxFileSize=10M/' /var/lib/machines/NAME/etc/systemd/journald.conf | ||
| + | perl -p -i -e 's/^#RuntimeMaxUse=.*/RuntimeMaxUse=25M/' /var/lib/machines/NAME/etc/systemd/journald.conf | ||
| + | perl -p -i -e 's/^#RuntimeMaxFileSize=.*/RuntimeMaxFileSize=5M/' /var/lib/machines/NAME/etc/systemd/journald.conf | ||
| + | |||
| + | # change root password in container (doesn't work with SELinux enabled) | ||
| + | setenforce 0 | ||
| + | chroot /var/lib/machines/NAME /bin/passwd root | ||
| + | # systemd-nspawn -D /var/lib/machines/NAME | ||
| + | # passwd | ||
| + | setenforce 1 | ||
| + | |||
| + | # rename hostname in container and enable required services | ||
| + | chroot /var/lib/machines/NAME hostnamectl set-hostname NAME.fjfi.cvut.cz | ||
| + | chroot /var/lib/machines/NAME systemctl enable systemd-networkd | ||
| + | chroot /var/lib/machines/NAME systemctl enable systemd-resolved | ||
| + | |||
| + | # [http://www.freedesktop.org/software/systemd/man/systemd.resource-control.html resource-control] | ||
| + | #systemctl show systemd-nspawn@NAME | ||
| + | systemctl set-property systemd-nspawn@NAME MemoryLimit=$((1024*1024*1024)) | ||
| + | systemctl daemon-reload | ||
| + | |||
| + | # comment out last line in postlogin (btmp updates can take too much time) | ||
| + | #vi /var/lib/machines/NAME/etc/pam.d/postlogin | ||
| + | |||
| + | # I don't know why is next manual login neccessary!? | ||
| + | # but without first "manual" login standard `machinectl` | ||
| + | # commands doesn't work | ||
| + | systemd-nspawn -bD /var/lib/machines/NAME | ||
| + | |||
| + | machinectl start NAME | ||
| + | machinectl login NAME | ||
| + | # to exit container console press three times ctrl+] | ||
| + | machinectl status NAME | ||
| + | machinectl poweroff NAME | ||
| + | machinectl enable NAME | ||
| + | |||
| + | * 10-static-host0.network | ||
| + | [Match] | ||
| + | Name=host0 | ||
| + | |||
| + | #[Link] | ||
| + | MACAddress=00:11:22:33:44:55 | ||
| + | |||
| + | [Network] | ||
| + | Address=192.0.2.123/24 | ||
| + | Gateway=192.0.2.1 | ||
| + | Address=2001:DB8::123/64 | ||
| + | Gateway=2001:DB8::1 | ||
| + | DNS=192.0.2.2 | ||
| + | DNS=2001:DB8::2 | ||
| + | |||
| + | * override.conf | ||
| + | [Unit] | ||
| + | After=network-online.target | ||
| + | Wants=network-online.target | ||
| + | |||
| + | [Service] | ||
| + | ExecStart= | ||
| + | ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 --machine=%I | ||
| + | |||
| + | * [https://bugzilla.redhat.com/show_bug.cgi?id=1219729 SELinux prevents container start] (`<tt>machinectl start NAME</tt>`) | ||
| + | grep dbus-daemon /var/log/audit/audit.log | audit2allow -M bug-machinectl-login | ||
| + | semodule -i bug-machinectl-login.pp | ||
| + | |||
| + | ==Kontejnery systemd-nspawn - CentOS8 == | ||
| + | * CentOS8 (systemd 239) nadále neobsahuje podporu systemd-networkd and systemd-resolvd, protože RedHat do budoucna planuje podporu konfigurace sítě pouze s využitím NetworkManageru a ostatní způsoby jsou označeny jako deprecated | ||
| + | * na stroji, kde budou provozovány systemd-nspawn kontejnery je potřeba přidat <tt>machines.target</tt> | ||
| + | systemctl enable machines.target | ||
| + | * každý kontejner v nainstalován do LVM oddílu, přičemž na aktuální platformě je použito čisté LVM (bez thin provisioningu) | ||
| + | lvcreate -L 50G -n NAME kmvirt | ||
| + | mkfs.ext4 /dev/mapper/kmvirt-NAME | ||
| + | * připojen do standardního umístění <tt>/var/lib/machines/NAME</tt> se symlinkem z <tt>/root/fs-NAME</tt> (lze řešit i elegantlněji čiste přes systemd a var-lib-machines.mount) | ||
| + | mkdir /var/lib/machines/NAME | ||
| + | echo "/dev/mappper/kmvirt-NAME /var/lib/machines/NAME ext4 defaults 1 2" >> /etc/fstab | ||
| + | mount /var/lib/machines/NAME | ||
| + | * informace o instalaci a konfiguraci konkrétního kontejneru uloženy v adresáři <tt>/root/inst-NAME</tt> | ||
| + | yum -y --installroot=/var/lib/machines/NAME --releasever=8 --nogpg install \ | ||
| + | centos-release systemd coreutils passwd NetworkManager nftables # ... | ||
| + | |||
| + | # basic "postinstall" configuration | ||
| + | ln -fs ../usr/share/zoneinfo/Europe/Prague /var/lib/machines/NAME/etc/localtime | ||
| + | cp /etc/skel/{.bashrc,.bash_profile} /var/lib/machines/NAME/root | ||
| + | |||
| + | # use network bridging for containers (changed in override.conf) | ||
| + | mkdir /etc/systemd/system/systemd-nspawn@NAME.service.d | ||
| + | cat > /etc/systemd/system/systemd-nspawn@NAME.service.d/override.conf <<EOF | ||
| + | [Unit] | ||
| + | After=network-online.target | ||
| + | Wants=network-online.target | ||
| + | [Service] | ||
| + | ExecStart= | ||
| + | ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 -U --settings=override --machine=%i | ||
| + | EOF | ||
| + | |||
| + | # [http://www.freedesktop.org/software/systemd/man/systemd.resource-control.html resource-control] | ||
| + | #systemctl show systemd-nspawn@NAME | ||
| + | systemctl set-property systemd-nspawn@NAME MemoryLimit=$((1024*1024*1024)) | ||
| + | |||
| + | systemctl daemon-reload | ||
| + | |||
| + | # don't allow excessive journal mem/file size | ||
| + | perl -p -i -e 's/^#SystemMaxUse=.*/SystemMaxUse=128M/' /var/lib/machines/NAME/etc/systemd/journald.conf | ||
| + | perl -p -i -e 's/^#SystemMaxFileSize=.*/SystemMaxFileSize=16M/' /var/lib/machines/NAME/etc/systemd/journald.conf | ||
| + | perl -p -i -e 's/^#RuntimeMaxUse=.*/RuntimeMaxUse=32M/' /var/lib/machines/NAME/etc/systemd/journald.conf | ||
| + | perl -p -i -e 's/^#RuntimeMaxFileSize=.*/RuntimeMaxFileSize=8M/' /var/lib/machines/NAME/etc/systemd/journald.conf | ||
| + | |||
| + | # change root password in container (doesn't work with SELinux enabled) | ||
| + | chroot /var/lib/machines/NAME /bin/passwd root | ||
| + | # systemd-nspawn -D /var/lib/machines/NAME | ||
| + | # passwd | ||
| + | |||
| + | # rename hostname in container and enable required services | ||
| + | echo NAME.fjfi.cvut.cz > /var/lib/machines/NAME/etc/hostname | ||
| + | echo 'LANG="en_US.UTF-8"' > /var/lib/machines/NAME/etc/locale.conf | ||
| + | |||
| + | # comment out last line in postlogin (btmp updates can take too much time) | ||
| + | #vi /var/lib/machines/NAME/etc/pam.d/postlogin | ||
| + | |||
| + | # I don't know why is next manual login neccessary!? | ||
| + | # but without first "manual" login standard `machinectl` | ||
| + | # commands doesn't work | ||
| + | systemd-nspawn -bD /var/lib/machines/NAME | ||
| + | |||
| + | nmcli con mod 'Wired connection 1' ipv4.method manual ipv4.addresses 147.32.9.xxx/26 ipv4.gateway 147.32.9.1 ipv4.dns 147.32.9.4,147.32.1.20 | ||
| + | nmcli con mod 'Wired connection 1' ipv6.method manual ipv6.addresses 2001:718:2:1900::xxxx/64 ipv6.gateway 2001:718:2:1900::1 ipv6.dns 2001:718:2:1900::4,2001:718:2:2200::100 | ||
| + | |||
| + | machinectl start NAME | ||
| + | machinectl login NAME # to exit container console press three times ctrl+] | ||
| + | machinectl status NAME | ||
| + | machinectl poweroff NAME | ||
| + | machinectl enable NAME | ||
| + | |||
| + | ==Kontejnery systemd-nspawn - Alma9 == | ||
| + | * Alma9 (systemd 252) sice neobsahuje systemd-networkd and systemd-resolvd v `baseos`, ale jsou dostupné v EPELu a fungují stejně jako na CentOS7 (viz. výše) | ||
| + | |||
| + | ==Kontejnery docker== | ||
| + | * odlišný přístup ke správě kontejnerů běžících z předem připravených "imagů" | ||
| + | * standardně používá vlastní privátní NATovanou síť | ||
| + | * pro zpřístupnění služeb lze probridgovat normální síť | ||
| + | ** pro více kontejnerů managovanou pres OVS | ||
| + | ** OVS není standardní součástí CentOS7 (a součástí jsou i jaderné moduly) | ||
| + | |||
| + | ==Kontejnery LXC== | ||
| + | * balíčky jsou součástí EPELu | ||
| + | * nemájí/neměli šablony pro "nové" systemy (CentOS7) | ||
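Review bot: The fstab entry in the new CentOS8 section, `echo "/dev/mappper/kmvirt-NAME /var/lib/machines/NAME ext4 defaults 1 2" >> /etc/fstab`, spells the device directory `mappper`, which does not match the `/dev/mapper/kmvirt-NAME` path used by the preceding `mkfs.ext4`; the following `mount /var/lib/machines/NAME` resolves the device through fstab and will fail, and with the `1 2` fsck fields the bad entry would likely also hold up the next boot until it is corrected. Change it to `echo "/dev/mapper/kmvirt-NAME /var/lib/machines/NAME ext4 defaults 1 2" >> /etc/fstab`. Both `yum --installroot` lines pass `--nogpg`, so every package placed into the container root is installed without signature verification; a comment such as `# --nogpg: no GPG keys are imported into the new root yet — verify the repo source` would make that trade-off visible, or the keys could be imported first. The CentOS7 steps also drop SELinux to permissive host-wide with `setenforce 0` around the chroot `passwd`; the commented `systemd-nspawn -D` alternative next to it is worth preferring if it works in enforcing mode, as it does not weaken the whole host while it runs.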
Latest revision as of 09:59, 22 April 2024
Základní informace lxc
- Správce
- Petr Vokáč
- HW
- virtuální (Xen) - paravirtualizace x86_64
- OS
- CentOS7
- Využití
- LXC kontejnery (gitlab, indico, vhost, ...)
- Konto
- -
Instalace a konfigurace
- standardní (minimální) instalace operačního systému
- standardní puppet konfigurace pro server (certifikáty, logging, monitoring, ...)
- default instalace s podporou LXC + libvirt
Kontejnery
Kontejnery libvirt-lxc
- podporovány (a funkční) pouze v CentOS 7.0 (od 7.1 deprecated a segfaultují)
- každý kontejner je nainstalován do LVM oddílu
# Thin pool for the libvirt-lxc container roots, then one 1G thin volume per container.
lvcreate --size 50G --thin lxc/thinpool
lvcreate --virtualsize 1G --thin lxc/thinpool --name name
- připojen do standardního umístění pro libvirt filesystémy se symlinkem z /root/fs-name
- informace o instalaci a konfiguraci uloženy v adresáři /root/inst-name
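# Bootstrap a CentOS 7 libvirt-lxc container rooted at /var/lib/libvirt/filesystems/name
# (replace "name" throughout).
# NOTE(review): --nogpg skips RPM signature verification for everything installed
# into the new root; the host's keys are not imported there yet.
yum -y --installroot=/var/lib/libvirt/filesystems/name --releasever=7 --nogpg install systemd initscripts passwd yum centos-release # ...
# create the container from the prepared root, then shut it down before editing the root offline
virt-install --connect lxc:// --name name --ram 1024 --filesystem /var/lib/libvirt/filesystems/name/,/
virsh -c lxc:// shutdown name
chroot /var/lib/libvirt/filesystems/name /bin/passwd root
# allow root login on the console pts
echo "pts/0" >> /var/lib/libvirt/filesystems/name/etc/securetty
# take the timezone file from the host's own tzdata; the previous version copied it
# out of the "indico" container's root, which need not exist on this host
cp /usr/share/zoneinfo/Europe/Prague /var/lib/libvirt/filesystems/name/etc/localtime
cp /etc/skel/{.bashrc,.bash_profile} /var/lib/libvirt/filesystems/name/root
# ...
virsh -c lxc:// start --console name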
Kontejnery systemd-nspawn - CentOS7
- podporovány v CentOS 7.0 (systemd 209, bez rozumné podpory sítí), ale pro základní rozumné použití nutný alespoň CentOS 7.2 (systemd 219)
- na stroji, kde budou provozovány systemd-nspawn kontejnery je potřeba přidat machines.target
# Host-side prerequisite for running systemd-nspawn containers on this machine (see the bullet above).
systemctl enable machines.target
- každý kontejner je nainstalován do LVM oddílu
# Thin pool for the nspawn container roots, one 1G thin volume per container, formatted ext4.
lvcreate --size 50G --thin centos_nspawn/pool00
lvcreate --virtualsize 1G --thin centos_nspawn/pool00 --name NAME
mkfs.ext4 /dev/centos_nspawn/NAME
- připojen do standardního umístění /var/lib/machines/NAME se symlinkem z /root/fs-NAME
# Mount point plus a persistent fstab entry; mount(8) then resolves the device through fstab.
mkdir /var/lib/machines/NAME
printf '%s\n' '/dev/centos_nspawn/NAME /var/lib/machines/NAME ext4 defaults 1 2' >> /etc/fstab
mount /dev/centos_nspawn/NAME
- informace o instalaci a konfiguraci konkrétního kontejneru uloženy v adresáři /root/inst-NAME
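# Bootstrap a CentOS 7 systemd-nspawn container into /var/lib/machines/NAME
# (replace NAME throughout; /var/lib/machines/NAME must already be mounted).
# NOTE(review): --nogpg skips RPM signature verification for everything
# installed into the new root; the host's keys are not imported there yet.
yum -y --installroot=/var/lib/machines/NAME --releasever=7 --nogpg install \
  systemd systemd-networkd systemd-resolved initscripts passwd centos-release # ...

# allow root login from the console terminals pts/0..pts/3
printf 'pts/%d\n' 0 1 2 3 >> /var/lib/machines/NAME/etc/securetty

# basic "postinstall" configuration
/bin/ln -fs ../usr/share/zoneinfo/Europe/Prague /var/lib/machines/NAME/etc/localtime
/bin/cp /etc/skel/{.bashrc,.bash_profile} /var/lib/machines/NAME/root
# resolv.conf is replaced by the symlink systemd-resolved maintains inside the container;
# -f so a fresh root without the file does not abort the step
/bin/rm -f /var/lib/machines/NAME/etc/resolv.conf
/bin/ln -s /run/systemd/resolve/resolv.conf /var/lib/machines/NAME/etc/resolv.conf
# -p: these steps can be re-run on an existing root without failing on mkdir
/bin/mkdir -p /var/lib/machines/NAME/etc/systemd/network
/bin/cp 10-static-host0.network /var/lib/machines/NAME/etc/systemd/network/10-static-host0.network
#/bin/cp iptables /var/lib/machines/NAME/etc/sysconfig/iptables
#/bin/cp ip6tables /var/lib/machines/NAME/etc/sysconfig/ip6tables

# use network bridging for containers (changed in override.conf)
/bin/mkdir -p /etc/systemd/system/systemd-nspawn@NAME.service.d
/bin/cp override.conf /etc/systemd/system/systemd-nspawn@NAME.service.d/override.conf
systemctl daemon-reload

# don't allow excessive journal mem/file size (one in-place pass instead of four)
perl -p -i -e 's/^#SystemMaxUse=.*/SystemMaxUse=100M/;
               s/^#SystemMaxFileSize=.*/SystemMaxFileSize=10M/;
               s/^#RuntimeMaxUse=.*/RuntimeMaxUse=25M/;
               s/^#RuntimeMaxFileSize=.*/RuntimeMaxFileSize=5M/' \
  /var/lib/machines/NAME/etc/systemd/journald.conf

# change root password in container (doesn't work with SELinux enabled)
# NOTE(review): setenforce 0 puts the whole host into permissive mode while passwd
# runs; if the commented systemd-nspawn alternative works in enforcing mode, prefer it
setenforce 0
chroot /var/lib/machines/NAME /bin/passwd root
# systemd-nspawn -D /var/lib/machines/NAME
# passwd
setenforce 1

# rename hostname in container and enable required services
chroot /var/lib/machines/NAME hostnamectl set-hostname NAME.fjfi.cvut.cz
chroot /var/lib/machines/NAME systemctl enable systemd-networkd systemd-resolved

# resource-control
#systemctl show systemd-nspawn@NAME
systemctl set-property systemd-nspawn@NAME MemoryLimit=$((1024*1024*1024))
systemctl daemon-reload

# comment out last line in postlogin (btmp updates can take too much time)
#vi /var/lib/machines/NAME/etc/pam.d/postlogin

# I don't know why the next manual login is necessary, but without a first
# "manual" login the standard `machinectl` commands don't work
systemd-nspawn -bD /var/lib/machines/NAME

machinectl start NAME
machinectl login NAME
# to exit container console press three times ctrl+]
machinectl status NAME
machinectl poweroff NAME
machinectl enable NAME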
- 10-static-host0.network
# 10-static-host0.network: static addressing for the container's host0 interface
# (documentation-range sample addresses; replace them before copying into the container).
[Match]
Name=host0

# NOTE(review): with [Link] commented out, the MACAddress= line below is parsed as part
# of [Match] and limits this file to an interface with that MAC — confirm that is intended.
#[Link]
MACAddress=00:11:22:33:44:55

[Network]
Address=192.0.2.123/24
Gateway=192.0.2.1
Address=2001:DB8::123/64
Gateway=2001:DB8::1
DNS=192.0.2.2
DNS=2001:DB8::2
- override.conf
# override.conf drop-in for systemd-nspawn@NAME.service: wait for the network and
# attach the container to bridge br0.
[Unit]
After=network-online.target
Wants=network-online.target

[Service]
# the empty ExecStart= clears the stock command before the replacement is set
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 --machine=%I
- SELinux prevents container start (`machinectl start NAME`)
# Build a local SELinux module from the dbus-daemon denials recorded so far and load it.
# Read bug-machinectl-login.te before loading: audit2allow permits everything it was shown.
audit2allow -M bug-machinectl-login -i <(grep dbus-daemon /var/log/audit/audit.log)
semodule --install bug-machinectl-login.pp
Kontejnery systemd-nspawn - CentOS8
- CentOS8 (systemd 239) nadále neobsahuje podporu systemd-networkd a systemd-resolved, protože RedHat do budoucna plánuje podporu konfigurace sítě pouze s využitím NetworkManageru a ostatní způsoby jsou označeny jako deprecated
- na stroji, kde budou provozovány systemd-nspawn kontejnery je potřeba přidat machines.target
# Host-side prerequisite for running systemd-nspawn containers on this machine (see the bullet above).
systemctl enable machines.target
- každý kontejner je nainstalován do LVM oddílu, přičemž na aktuální platformě je použito čisté LVM (bez thin provisioningu)
# Plain (non-thin) 50G logical volume in VG kmvirt, formatted ext4 for the container root.
lvcreate --size 50G --name NAME kmvirt
mkfs.ext4 /dev/mapper/kmvirt-NAME
- připojen do standardního umístění /var/lib/machines/NAME se symlinkem z /root/fs-NAME (lze řešit i elegantněji čistě přes systemd a var-lib-machines.mount)
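# Mount point plus a persistent fstab entry; mount(8) resolves the device through fstab.
# The device path must match the one used by mkfs: /dev/mapper/kmvirt-NAME
# (the earlier version of this entry misspelled the directory as "mappper").
mkdir -p /var/lib/machines/NAME
echo "/dev/mapper/kmvirt-NAME /var/lib/machines/NAME ext4 defaults 1 2" >> /etc/fstab
mount /var/lib/machines/NAME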
- informace o instalaci a konfiguraci konkrétního kontejneru uloženy v adresáři /root/inst-NAME
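# Bootstrap a CentOS 8 systemd-nspawn container into /var/lib/machines/NAME
# (replace NAME throughout; /var/lib/machines/NAME must already be mounted).
# NOTE(review): --nogpg skips RPM signature verification for everything
# installed into the new root; the host's keys are not imported there yet.
yum -y --installroot=/var/lib/machines/NAME --releasever=8 --nogpg install \
  centos-release systemd coreutils passwd NetworkManager nftables # ...

# basic "postinstall" configuration
ln -fs ../usr/share/zoneinfo/Europe/Prague /var/lib/machines/NAME/etc/localtime
cp /etc/skel/{.bashrc,.bash_profile} /var/lib/machines/NAME/root

# use network bridging for containers (changed in override.conf);
# -p so the step can be re-run, and a quoted heredoc so nothing in the unit text is expanded by the shell
mkdir -p /etc/systemd/system/systemd-nspawn@NAME.service.d
cat > /etc/systemd/system/systemd-nspawn@NAME.service.d/override.conf <<'EOF'
[Unit]
After=network-online.target
Wants=network-online.target
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 -U --settings=override --machine=%i
EOF

# resource-control
#systemctl show systemd-nspawn@NAME
systemctl set-property systemd-nspawn@NAME MemoryLimit=$((1024*1024*1024))

systemctl daemon-reload

# don't allow excessive journal mem/file size (one in-place pass instead of four)
perl -p -i -e 's/^#SystemMaxUse=.*/SystemMaxUse=128M/;
               s/^#SystemMaxFileSize=.*/SystemMaxFileSize=16M/;
               s/^#RuntimeMaxUse=.*/RuntimeMaxUse=32M/;
               s/^#RuntimeMaxFileSize=.*/RuntimeMaxFileSize=8M/' \
  /var/lib/machines/NAME/etc/systemd/journald.conf

# change root password in container (doesn't work with SELinux enabled)
chroot /var/lib/machines/NAME /bin/passwd root
# systemd-nspawn -D /var/lib/machines/NAME
# passwd

# set the container hostname and default locale
echo NAME.fjfi.cvut.cz > /var/lib/machines/NAME/etc/hostname
echo 'LANG="en_US.UTF-8"' > /var/lib/machines/NAME/etc/locale.conf

# comment out last line in postlogin (btmp updates can take too much time)
#vi /var/lib/machines/NAME/etc/pam.d/postlogin

# I don't know why the next manual login is necessary, but without a first
# "manual" login the standard `machinectl` commands don't work
systemd-nspawn -bD /var/lib/machines/NAME

# static addressing through NetworkManager — presumably run inside the booted container;
# xxx / xxxx are placeholders for the container's own host part
nmcli con mod 'Wired connection 1' ipv4.method manual ipv4.addresses 147.32.9.xxx/26 ipv4.gateway 147.32.9.1 ipv4.dns 147.32.9.4,147.32.1.20
nmcli con mod 'Wired connection 1' ipv6.method manual ipv6.addresses 2001:718:2:1900::xxxx/64 ipv6.gateway 2001:718:2:1900::1 ipv6.dns 2001:718:2:1900::4,2001:718:2:2200::100

machinectl start NAME
machinectl login NAME # to exit container console press three times ctrl+]
machinectl status NAME
machinectl poweroff NAME
machinectl enable NAME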
Kontejnery systemd-nspawn - Alma9
- Alma9 (systemd 252) sice neobsahuje systemd-networkd a systemd-resolved v `baseos`, ale jsou dostupné v EPELu a fungují stejně jako na CentOS7 (viz výše)
Kontejnery docker
- odlišný přístup ke správě kontejnerů běžících z předem připravených "imagů"
- standardně používá vlastní privátní NATovanou síť
- pro zpřístupnění služeb lze probridgovat normální síť
- pro více kontejnerů managovanou přes OVS
- OVS není standardní součástí CentOS7 (a součástí jsou i jaderné moduly)
Kontejnery LXC
- balíčky jsou součástí EPELu
- nemají/neměly šablony pro "nové" systémy (CentOS7)