docker,lxc

in/public/lxc/container.rst

@@ -0,0 +1,170 @@
+*********
+Container
+*********
+
+TODO
+====
+
+* look for creation through debootstrap
+
+Create
+======
+
+.. code:: shell
+
+  lxc-create \
+  --name="container_name" \
+  --template="debian" \
+  -- \
+  --release="stretch" \
+  --mirror="file:/mirrors/debian/debian-stretch" \
+  --security-mirror="file:/mirrors/debian/debian-stretch-security" \
+
+Configure
+=========
+
+In containers/directory/container_name :
+
+* config
+
+.. code:: ini
+
+  lxc.include = /usr/share/lxc/config/debian.common.conf
+
+  lxc.arch = amd64
+  lxc.autodev = 1
+  lxc.kmsg = 0
+  lxc.mount = /var/lib/lxc/container_name/fstab
+  lxc.rootfs = /var/lib/lxc/container_name/rootfs
+  lxc.rootfs.backend = dir
+  lxc.start.auto = 1
+  lxc.utsname = hostname
+
+  lxc.network.type = veth
+
+  lxc.network.flags = up
+  lxc.network.link = br0
+  lxc.network.name = eth0
+  lxc.network.veth.pair = container_name
+  lxc.network.hwaddr = virtual_mac_address
+
+Static addresses variant:
+
+.. code:: ini
+
+  lxc.network.ipv4 = container_ip4/network_mask_bits
+  lxc.network.ipv6 = container_ip6
+
+* fstab
+
+.. warning::
+
+  | Do not forget to create the data directories
+  | otherwise the container start process will fail!
+
+::
+
+  data/directory/container_name data none bind,create=dir
+  /mirrors mirrors none bind,create=dir
+
+* rootfs/
+
+    * TODO Debian configuration
+
+* rootfs/etc/network/interfaces.d/eth0
+
+    if the container uses DHCP:
+
+::
+
+  auto eth0
+  iface eth0 inet dhcp
+
+Start
+=====
+
+.. warning::
+
+  | Be patient, for it can take a container
+  | up to 1 minute to get its network stack up!
+
+.. code:: shell
+
+  lxc-start -n "container_name"
+
+.. code:: shell
+
+  lxc-start --name="container_name"
+
+Run command
+===========
+
+.. code:: shell
+
+  lxc-attach -n "container_name" -- command
+
+.. code:: shell
+
+  lxc-attach --name="container_name" -- command
+
+Stop
+====
+
+.. code:: shell
+
+  lxc-stop -n "container_name"
+
+.. code:: shell
+
+  lxc-stop --name="container_name"
+
+Backup
+======
+
+system
+------
+
+.. code:: shell
+
+  cd containers/directory
+  tar --numeric-owner -cvaf container_name.backup_name.txz container_name
+
+data
+----
+
+.. code:: shell
+
+  cd data/directory
+  tar --numeric-owner -cvaf container_name.backup_name.txz container_name
+
+Destroy
+=======
+
+.. code:: shell
+
+  lxc-destroy -n "container_name"
+
+.. code:: shell
+
+  lxc-destroy --name="container_name"
+
+Restore
+=======
+
+system
+------
+
+.. code:: shell
+
+  cd containers/directory
+  rm --recursive container_name
+  tar --numeric-owner -xvf container_name.backup_name.txz
+
+data
+----
+
+.. code:: shell
+
+  cd data/directory
+  rm --recursive container_name
+  tar --numeric-owner -xvf container_name.backup_name.txz

in/public/lxc/host.rst

@@ -0,0 +1,102 @@
+****
+Host
+****
+
+.. warning::
+
+ lxc service has to be enabled for autostart to work
+
+Check
+=====
+
+.. code:: shell
+
+  lxc-checkconfig
+
+List
+====
+
+.. code:: shell
+
+  lxc-ls -f
+
+.. code:: shell
+
+  lxc-ls --fancy
+
+Network bridge
+==============
+
+Create bridge br0 onto host's network main interface:
+
+* /etc/network/interfaces.d/br0
+
+::
+
+  auto br0
+  iface br0 inet static
+      address host_ip/network_mask_bits
+      gateway gateway_ip
+      bridge_fd 0
+      bridge_maxwait 0
+      bridge_ports eth0
+      bridge_stp on
+
+Example with a SoYouStart server:
+
+::
+
+ auto  br0
+ iface br0 inet static
+       address 192.99.37.216/24
+       gateway 192.99.37.254
+       bridge_fd 0
+       bridge_maxwait 0
+       bridge_ports enp4s0
+       bridge_stp on
+ iface br0 inet6 static
+       address 2607:5300:60:4cd8::/64
+       gateway 2607:5300:60:4cff:ff:ff:ff:ff
+       bridge_fd 0
+       bridge_maxwait 0
+       bridge_ports enp4s0
+       bridge_stp on
+
+Service
+=======
+
+Default configuration for new containers:
+
+* /etc/lxc/default.conf
+
+.. code:: ini
+
+  lxc.include = /usr/share/lxc/config/debian.common.conf
+
+  lxc.arch = amd64
+  lxc.autodev = 1
+  lxc.kmsg = 0
+  lxc.rootfs.backend = dir
+  lxc.start.auto = 1
+
+  lxc.network.type = veth
+
+  lxc.network.flags = up
+  lxc.network.link = br0
+  lxc.network.name = eth0
+
+Directories
+===========
+
+* 1 for the containers
+* 1 for their data
+
+.. code:: shell
+
+  mkdir --parents "containers/directory"
+  rmdir "/var/lib/lxc"
+  ln --symbolic "containers/directory" "/var/lib/lxc"
+
+.. code:: shell
+
+  mkdir --parents "data/directory"

in/public/lxc/index.rst

@@ -0,0 +1,28 @@
+lxc
+===
+
+.. toctree::
+
+   host
+   container
+   unprivileged
+
+ESX
+---
+
+.. warning::
+
+  | If the host is part of an ESX virtual network architecture,
+  | make sure to configure its virtual switch to avoid packet drops.
+
+* Edit Settings / Policies / Security
+
+=================== ======
+Key                 Value
+=================== ======
+Promiscuous Mode    Accept
+MAC Address Changes Accept
+Forged Transmits    Accept
+=================== ======
+
+.. todo:: same problem with VirtualBox network

in/public/lxc/unprivileged.rst

@@ -0,0 +1,55 @@
+Unprivileged
+============
+
+.. warning:: Work In Progress
+
+Mandatory
+---------
+
+Configuration
+^^^^^^^^^^^^^
+
+* config
+
+::
+
+ lxc.idmap = u 0 100000 65536
+ lxc.idmap = g 0 100000 65536
+
+Permissions
+^^^^^^^^^^^
+
+.. todo:: shift root's uid for rootfs
+
+Not sure
+--------
+
+Packages
+^^^^^^^^
+
+::
+
+ uidmap
+
+Configuration
+^^^^^^^^^^^^^
+
+* /etc/sysctl.conf
+
+::
+
+ kernel.unprivileged_userns_clone=1
+
+* /etc/subgid
+* /etc/subuid
+
+::
+
+ root:100000:65536
+
+* config
+
+::
+
+ lxc.include = /usr/share/lxc/config/userns.conf
+ lxc.apparmor.profile = unconfined