4ca0 LXC - Telecomix Crypto Munitions Bureau


From Telecomix Crypto Munitions Bureau


LXC (Linux Containers) is a lightweight framework for virtual machines whose kernel support is present by default. It is probably the simplest way to set up Linux-based virtual machines (except for Qemu, which is very slow).

For each container, the minimum is a filesystem (rootfs) and a config file. No need to create disk images!


Quick start for Debian

Warning: this mini-tutorial is not suitable for offering virtual machines to untrusted users! TCMB still has to investigate how to secure the host system.

Do everything as root.

Prepare host system

See http://sutas.eu/setting-up-lxc-on-debian-squeeze/

  • Install the LXC userspace utilities; aptitude should do the job.
  • Mount cgroups.
  • Add a bridge network interface if you want; more sophisticated networking is covered later.
  • mkdir /lxc (the base LXC directory)
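
The host preparation steps above, scripted as an added example (not from the original TCMB page). The package names, the cgroup mount point /cgroup and the bridge name br0 are assumptions; /lxc is the base directory the page uses. The cgroup check reads a mounts table so it can be tried on a constructed file before it is run against /proc/mounts:

```shell
#!/bin/sh
# Added example, not from the original page: idempotent host preparation for
# the Debian quick start. Run as root for the functions that mount or install.

# Return 0 if the given mounts table (default: /proc/mounts) already lists a
# cgroup filesystem, 1 otherwise. Column 3 of /proc/mounts is the fs type.
cgroup_mounted() {
    mounts="${1:-/proc/mounts}"
    awk '$3 == "cgroup" { found = 1 } END { exit !found }' "$mounts"
}

# Mount the cgroup hierarchy once; later calls are no-ops.
# /cgroup as the mount point is an assumption.
mount_cgroup() {
    if cgroup_mounted; then
        return 0
    fi
    mkdir -p /cgroup
    mount -t cgroup cgroup /cgroup
}

# Optional bridge for container networking (bridge name br0 is an assumption).
add_bridge() {
    br="${1:-br0}"
    brctl show | awk 'NR > 1 { print $1 }' | grep -qx "$br" && return 0
    brctl addbr "$br"
    ip link set "$br" up
}

# The full "prepare host system" procedure from the page.
prepare_host() {
    aptitude -y install lxc bridge-utils   # package names are an assumption
    mount_cgroup
    mkdir -p /lxc
}
```

Call prepare_host once as root; add_bridge is only needed if you want the br0 link that the Debian template config refers to.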

Minimalistic OS container setup

Not for serious tasks, but it works.

  • mkdir -p /lxc/vm1
  • Download and unpack the rootfs from [1]
    • The minimalistic rootfs is intended for playing with networking. It was built from Debian binaries.
  • Download the config from [2] (based on Debian's default) and put it in /lxc/vm1/config
  • lxc-start -n vm1 -f /lxc/vm1/config

Debian container setup

This is for patient people...

  • Set up a container for testing
    1. mkdir /lxc/vm0
    2. Install Debian in it: /usr/lib/lxc/templates/lxc-debian -p /lxc/vm0
    3. Note the root password (if you lose it, it won't hurt, however)
  • Make some corrections in the newly created container:
    • For now, comment out lxc.network.link = br0 in /lxc/vm0/config (near the end of the file). You may also want to change the lxc.utsname parameter, which is the container hostname.
    • Chroot into the container (chroot /lxc/vm0/rootfs) and:
      1. dpkg-reconfigure openssh-server
      2. apt-get install vim (or nano, which is smaller and more user-friendly)
      3. edit /etc/inittab, commenting out the lines similar to 2:23:respawn:/sbin/getty 38400 tty2, except the one for tty1
      4. mknod /dev/tty1 c 4 1
      5. exit the chroot by pressing Ctrl-D in the shell
  • Start the container! lxc-start -n vm0 -f /lxc/vm0/config
  • From another shell, run lxc-console -n vm0 -t 1. Congratulations, you're on the VM.
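
The file edits from the "corrections" steps above, scripted as an added example (not from the original TCMB page). Every path is a parameter, so the functions can be exercised on a scratch copy of the config and inittab before they touch /lxc/vm0; the chroot-only steps (dpkg-reconfigure, apt-get) are left to the reader since they need the real rootfs:

```shell
#!/bin/sh
# Added example, not from the original page: scripted versions of the manual
# edits to the container config and /etc/inittab. Uses GNU sed (-i, -E).

# Comment out the bridge link line and set the container hostname in an LXC
# config file. Usage: fix_lxc_config /lxc/vm0/config vm0
fix_lxc_config() {
    cfg="$1"; name="$2"
    # "#&" prefixes the matched lxc.network.link line with a comment marker;
    # lxc.utsname is rewritten to the requested hostname.
    sed -i \
        -e 's/^[[:space:]]*lxc\.network\.link[[:space:]]*=.*/#&/' \
        -e "s/^[[:space:]]*lxc\.utsname[[:space:]]*=.*/lxc.utsname = $name/" \
        "$cfg"
}

# Comment out every active getty line in an inittab except the one for tty1,
# so the container only spawns the console that lxc-console -t 1 attaches to.
# "tty1" must not be followed by a digit, so tty10 is still commented out.
# Usage: trim_inittab /lxc/vm0/rootfs/etc/inittab
trim_inittab() {
    inittab="$1"
    sed -i -E '/^[^#].*respawn:.*getty/ { /tty1([^0-9]|$)/! s/^/#/; }' "$inittab"
}

# Print how many getty lines are still active (not commented out).
active_gettys() {
    grep -c -E '^[^#].*respawn:.*getty' "$1"
}

# Create the tty1 device node inside the rootfs if it is missing (needs root).
# Usage: ensure_tty1 /lxc/vm0/rootfs
ensure_tty1() {
    rootfs="$1"
    [ -c "$rootfs/dev/tty1" ] || mknod "$rootfs/dev/tty1" c 4 1
}

# Apply all three edits to a container directory laid out as on the page.
# Usage: prepare_container /lxc/vm0 vm0
prepare_container() {
    dir="$1"; name="$2"
    fix_lxc_config "$dir/config" "$name"
    trim_inittab "$dir/rootfs/etc/inittab"
    ensure_tty1 "$dir/rootfs"
}
```

After prepare_container /lxc/vm0 vm0, active_gettys /lxc/vm0/rootfs/etc/inittab should print 1; anything else means a getty line did not match the pattern and needs a manual look.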

Other tasks

  • If you want the container to come back up after a reboot, consider symlinking its config into /etc/lxc/auto/

Securing the host system


Encryption


Anonymity and Networking


Tips

  • Warning: killing lxc-related processes from the host may cause htop to segfault. There is no known workaround for it; kill(1) works just fine.
  • Do not use kill -9 to switch off a virtual machine. Use lxc-stop -n vmn (where vmn is the container name).
  • REAL DANGER: DO NOT EVEN TRY TO USE /proc/sysrq-trigger INSIDE A CONTAINER, IT WILL AFFECT THE HOST SYSTEM! This is a security flaw that will have to be investigated.

See also
