HOWTO: Configure an LXC Linux Container on CentOS 6
1. Introduction to LXC
LXC isn't a real virtualization technique; it is more like a chroot environment "on steroids". More information about LXC is available at http://lxc.sourceforge.net
2. Install libvirt stack
{{{ yum install libvirt libvirt-client python-virtinst }}}
3. Configuring a LXC container
Suppose you want to create a full container, similar to a minimal CentOS 6 setup.
On your machine, please be sure that libvirtd is started (service libvirtd start).
We'll initialize a CentOS 6 x86_64 container, assuming:
- RootFS will be /var/lib/libvirt/lxc/centos-6-x86_64/
- Root password will be MYROOTPASS
- Arch will be the same as on the host, so x86_64 in our example
- Container name is test
3.1. on your machine filesystem
{{{
# Create the container root and copy in the host's repo file with $releasever pinned to 6
mkdir -p /var/lib/libvirt/lxc/centos-6-x86_64/etc/yum.repos.d/
sed 's/\$releasever/6/g' /etc/yum.repos.d/CentOS-Base.repo > /var/lib/libvirt/lxc/centos-6-x86_64/etc/yum.repos.d/CentOS-Base.repo
# --nogpgcheck skips RPM signature verification for every package installed into the root
yum groupinstall core --installroot=/var/lib/libvirt/lxc/centos-6-x86_64/ --nogpgcheck -y
yum install plymouth libselinux-python --installroot=/var/lib/libvirt/lxc/centos-6-x86_64/ --nogpgcheck -y
}}}
SELinux note: you have to create an SELinux policy to allow virtd_lxc_t to use dbus:
{{{
module lxc 1.0;

require {
    type hald_t;
    type virtd_lxc_t;
    class dbus send_msg;
}

#============= hald_t ==============
allow hald_t virtd_lxc_t:dbus send_msg;
}}}
See the excellent http://wiki.centos.org/HowTos/SELinux guide to learn how to accomplish that step.
Note that you can't use LXC with SELinux disabled; set it to permissive instead (see https://bugzilla.redhat.com/show_bug.cgi?id=995897).
3.2. in the chroot'ed filesystem
All the following steps will be done in the chroot'ed environment :
{{{
chroot /var/lib/libvirt/lxc/centos-6-x86_64/

# Set the root password (replace MYROOTPASS; the value typed here ends up in shell history)
echo MYROOTPASS | passwd root --stdin

# Fix root login on console: allow root on pts/0 and comment out the
# pam_selinux / pam_loginuid session modules. The whitespace between PAM
# fields varies, so match any run of blanks and keep the line after the '#'.
echo "pts/0" >> /etc/securetty
sed -i 's/^session[[:space:]]\+required[[:space:]]\+pam_selinux\.so close/#&/' /etc/pam.d/login
sed -i 's/^session[[:space:]]\+required[[:space:]]\+pam_selinux\.so open/#&/' /etc/pam.d/login
sed -i 's/^session[[:space:]]\+required[[:space:]]\+pam_loginuid\.so/#&/' /etc/pam.d/login

# Configuring basic networking
cat > /etc/sysconfig/network << EOF
NETWORKING=yes
HOSTNAME=lxc1.test.centos.org
EOF
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
EOF

# Enabling sshd
chkconfig sshd on

# Fixing root login for sshd (same PAM session modules as for the console)
sed -i 's/^session[[:space:]]\+required[[:space:]]\+pam_selinux\.so close/#&/' /etc/pam.d/sshd
sed -i 's/^session[[:space:]]\+required[[:space:]]\+pam_loginuid\.so/#&/' /etc/pam.d/sshd
sed -i 's/^session[[:space:]]\+required[[:space:]]\+pam_selinux\.so open env_params/#&/' /etc/pam.d/sshd

# Leaving the chroot'ed filesystem
exit
}}}
3.3. back on your machine
Now create the LXC container from that filesystem:
{{{ virt-install --connect lxc:/// --name test --ram 512 --vcpus 1 --filesystem /var/lib/libvirt/lxc/centos-6-x86_64/,/ --noautoconsole }}}
You can access the LXC container by using {{{ virsh console test }}} or {{{ ssh -l root CONTAINER_IP }}}
To get the IP address of the LXC container, look up its MAC address (found in /etc/libvirt/lxc/test.xml) in the DHCP leases file /var/lib/libvirt/dnsmasq/default.leases
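The lookup described above, written as a script. This is an added example, not part of the original HOWTO: the function names are made up for illustration, the XML and lease lines in demo() are constructed sample data, and it assumes the usual dnsmasq lease layout (expiry, MAC, IP, hostname, client id).

```shell
#!/bin/sh
# Added example: map a libvirt LXC container to its DHCP-assigned IP.
# Default paths are the ones this HOWTO names; both can be overridden.

# Print each MAC address declared in a libvirt domain XML file, lowercased.
container_macs() {
    sed -n "s/.*<mac[[:space:]]\{1,\}address=['\"]\([0-9A-Fa-f:]\{17\}\)['\"].*/\1/p" "$1" |
        tr 'A-F' 'a-f'
}

# Print "MAC IP HOSTNAME" for every container interface that holds a lease.
# dnsmasq lease lines look like: <expiry> <mac> <ip> <hostname> <client-id>
# Returns 0 if at least one lease matched, 1 if none did, 2 on unreadable input.
container_ips() {
    xml=${1:-/etc/libvirt/lxc/test.xml}
    leases=${2:-/var/lib/libvirt/dnsmasq/default.leases}
    [ -r "$xml" ] || { echo "cannot read $xml" >&2; return 2; }
    [ -r "$leases" ] || { echo "cannot read $leases" >&2; return 2; }
    macs=$(container_macs "$xml")
    [ -n "$macs" ] || { echo "no <mac address=...> element in $xml" >&2; return 1; }
    rc=1
    for mac in $macs; do
        # Compare case-insensitively; keep the last matching line in the file.
        hit=$(awk -v m="$mac" 'tolower($2) == m { r = m " " $3 " " $4 } END { if (r != "") print r }' "$leases")
        if [ -n "$hit" ]; then
            echo "$hit"
            rc=0
        fi
    done
    return $rc
}

# Constructed sample data (not real leases) exercising the lookup offline.
demo() {
    d=$(mktemp -d) || return 2
    printf "%s\n" "<domain type='lxc'><name>test</name><devices>" \
        "<interface type='network'><mac address='52:54:00:AB:CD:EF'/></interface>" \
        "</devices></domain>" > "$d/test.xml"
    printf "%s\n" "1700000000 52:54:00:11:22:33 192.168.122.10 other *" \
        "1700000100 52:54:00:ab:cd:ef 192.168.122.57 lxc1 *" > "$d/default.leases"
    container_ips "$d/test.xml" "$d/default.leases"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

On the host, calling container_ips with no arguments uses the two paths from this HOWTO; a return code of 1 means the container has not obtained a lease yet.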
3.4. Note on using LXC inside KVM VM with default network
When using LXC inside a KVM VM (both using libvirt), the default network is 192.168.122.0/24, which creates a conflict when you try to start the LXC container. To fix this, change the IP range in the guest VM's libvirtd (the one that runs the containers):
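{{{
service libvirtd stop
# Rewrite every 192.168.122.x address (a line can hold two, e.g. the DHCP range),
# whichever quote style the XML attributes use
sed -i "s/\([\"']\)192\.168\.122\./\1192.168.120./g" /etc/libvirt/qemu/networks/default.xml
service libvirtd start
}}}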