Continuing from the previous article with CentOS 8 – Run LXC CentOS 8 container with bridged network under CentOS 8, here is an updated version that runs an LXC container under CentOS Stream 9. In this case, the LXC container is CentOS Stream 9, too.
Under CentOS 8 the LXC software comes from the 3.x branch, but in CentOS Stream 9 LXC is 4.x, and there are some differences in the LXC configuration file.
It’s worth repeating the differences between docker/podman containers and LXC from the previous article:
- Multiple processes per container.
- Easy configuration modification; even hot-plugging is supported.
- Unprivileged Linux containers (the container built below is a privileged one, though: no lxc.idmap is configured, so root inside it is root on the host).
- Complex network setups, for example multiple network interfaces connected to different networks.
- Live systemd, i.e. systemd or SysV init is booted as usual. Much software relies on systemd/udev features, and in many cases it is really hard to run software without a systemd or init process.
Here are the steps to boot a CentOS Stream 9 container under a CentOS Stream 9 host server:
STEP 1) Install EPEL repository.
The EPEL repository for CentOS Stream 9 now includes the LXC 4.0 packages.
dnf install -y epel-release
STEP 2) Install LXC software and start LXC service.
At present, the LXC software version is 4.0.12. The package lxc-templates includes template scripts to create a Linux distribution environment like CentOS, Ubuntu, Debian, Gentoo, ArchLinux, Oracle, Alpine and many others, and it also includes the configuration templates to start these Linux distributions. In fact, lxc-templates now ships a download template that fetches prebuilt images from the Internet.
dnf install -y lxc lxc-templates container-selinux
dnf install -y wget tar
wget and tar are required if a container is going to be created from the LXC templates: the download template fetches the image tarball with wget and unpacks it with tar.
There is an additional package with the SELinux policy for containers, container-selinux, which should be installed before starting the LXC service; otherwise some of the SELinux rules for the container processes would not be applied. If SELinux is disabled, the installation of the container-selinux package may be skipped.
STEP 3) Create a CentOS Stream 9 container with the help of LXC templates and run it.
Use the download template from lxc-templates to prepare a CentOS Stream 9 container environment. The currently available images are listed at http://images.linuxcontainers.org/, which now redirects to http://uk.lxd.images.canonical.com/ (an Ubuntu lxd images mirror). Check the URL and choose the right image. Here CentOS Stream 9 amd64, i.e. release 9-Stream, is used. The template verifies the image index and the downloaded tarball with GPG; keep that enabled (do not pass --no-validate), because this rootfs will be booted as a container whose root user is the host’s root (no lxc.idmap is configured in this article).
[root@srv ~]# lxc-create --template download -n mycontainer -- --dist centos --release 9-Stream --arch amd64
In addition, there is a "--variant" option along with "--dist" and "--release" to specify which variant to install: default, cloud, desktop or other. There is a variant column in the table on the images’ page mentioned above.
The lxc-create command downloads the CentOS Stream 9 x86_64 image and installs the CentOS Stream 9 files under /var/lib/lxc/mycontainer/rootfs:
[root@srv ~]# ls -altr /var/lib/lxc/mycontainer/
total 16
drwxr-xr-x. 19 root root 4096 Sep 26 07:18 rootfs
drwxr-xr-x.  3 root root 4096 Sep 26 15:26 ..
-rw-r-----.  1 root root  810 Sep 26 15:26 config
drwxrwx---.  3 root root 4096 Sep 26 15:26 .
[root@srv ~]# ls -altr /var/lib/lxc/mycontainer/rootfs/
total 76
drwxrwxrwt.  2 root root 4096 Aug  9  2021 tmp
drwxr-xr-x.  2 root root 4096 Aug  9  2021 srv
lrwxrwxrwx.  1 root root    8 Aug  9  2021 sbin -> usr/sbin
drwxr-xr-x.  2 root root 4096 Aug  9  2021 opt
drwxr-xr-x.  2 root root 4096 Aug  9  2021 mnt
drwxr-xr-x.  2 root root 4096 Aug  9  2021 media
lrwxrwxrwx.  1 root root    9 Aug  9  2021 lib64 -> usr/lib64
lrwxrwxrwx.  1 root root    7 Aug  9  2021 lib -> usr/lib
drwxr-xr-x.  2 root root 4096 Aug  9  2021 home
dr-xr-xr-x.  2 root root 4096 Aug  9  2021 boot
lrwxrwxrwx.  1 root root    7 Aug  9  2021 bin -> usr/bin
dr-xr-xr-x.  2 root root 4096 Aug  9  2021 afs
dr-xr-xr-x.  2 root root 4096 Sep 26 07:14 sys
dr-xr-xr-x.  2 root root 4096 Sep 26 07:14 proc
drwxr-xr-x. 12 root root 4096 Sep 26 07:14 usr
drwxr-xr-x.  8 root root 4096 Sep 26 07:14 run
drwxr-xr-x. 18 root root 4096 Sep 26 07:14 var
dr-xr-x---.  2 root root 4096 Sep 26 07:15 root
drwxr-xr-x.  2 root root 4096 Sep 26 07:15 selinux
drwxr-xr-x. 19 root root 4096 Sep 26 07:18 .
drwxr-xr-x.  3 root root 4096 Sep 26 15:26 dev
drwxr-xr-x. 63 root root 4096 Sep 26 15:26 etc
drwxrwx---.  3 root root 4096 Sep 26 15:26 ..
[root@srv ~]#
The create command also writes a configuration file /var/lib/lxc/mycontainer/config with predefined parameters. Note what is not in it: there are no lxc.idmap lines, so this is a privileged container. Root (uid 0) inside the container is uid 0 on the host, and the separation rests on the namespaces, on the capability drops, device cgroup and seccomp profile pulled in by common.conf, and on the SELinux policy from container-selinux. For an unprivileged container, allocate subordinate ids in /etc/subuid and /etc/subgid and add lxc.idmap entries. The nesting include stays commented out for the reason the generated comment gives.
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist centos --release 9-Stream --arch amd64
# Template script checksum (SHA-1): 47a9fc1ce184c958ecafc88dfd5f21c06f728288
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = x86_64

# Container specific configuration
lxc.rootfs.path = dir:/var/lib/lxc/mycontainer/rootfs
lxc.uts.name = mycontainer

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:aa:6a:44
Start and enable the lxc service. It is responsible for the autostart feature: at boot it runs lxc-autostart, which starts the containers marked for autostart (see STEP 4).
[root@srv ~]# systemctl start lxc
[root@srv ~]# systemctl enable lxc
Created symlink /etc/systemd/system/multi-user.target.wants/lxc.service → /usr/lib/systemd/system/lxc.service.
STEP 4) Additional host configuration.
To enable autostart of the LXC container, add the following lines to its configuration file /var/lib/lxc/mycontainer/config:
# Autostart
lxc.group = onboot
lxc.start.auto = 1
lxc.start.delay = 10
Autostart runs as soon as the lxc service is started. lxc.start.delay is not a delay before this container starts; it is the number of seconds lxc-autostart waits after starting this container before it starts the next one, so that systemd inside the container has time to come up.
To create a bridge device that includes the physical interface, just follow this article – Replace current interface configuration with a bridge device using nmcli (NetworkManager).
Or use the following commands for a bridge device of an internal network only: multiple LXC containers will share an internal local network on the server, and Internet access is provided to the bridge with NAT (masquerade) by firewall-cmd:
nmcli connection add type bridge ifname br0 con-name br0 ipv4.method manual ipv4.addresses "10.10.10.1/24"
nmcli connection up br0
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-forward
firewall-cmd --reload
In this case the bridge device exists only inside the server, and no MAC addresses (of the bridge device or of the LXC containers) are visible on the network connected to the server’s upstream interface (if any); the containers’ traffic leaves the host with the host’s own IP address. The firewall-cmd calls act on firewalld’s default zone, which is where both the new br0 and the upstream interface land unless they are assigned to a zone explicitly; --add-masquerade turns on the NAT and --add-forward allows forwarding between the interfaces of that zone.
The LXC configuration file /var/lib/lxc/mycontainer/config will look like:
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist centos --release 9-Stream --arch amd64
# Template script checksum (SHA-1): 47a9fc1ce184c958ecafc88dfd5f21c06f728288
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = x86_64

# Container specific configuration
lxc.rootfs.path = dir:/var/lib/lxc/mycontainer/rootfs
lxc.uts.name = mycontainer

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:aa:6a:44

lxc.group = onboot
lxc.start.auto = 1
lxc.start.delay = 10
STEP 5) LXC network configuration.
By default the container uses DHCP when it boots. To set a static IP, edit the network configuration file of the LXC container, /var/lib/lxc/mycontainer/rootfs/etc/NetworkManager/system-connections/ethernet-eth0.nmconnection, from the host (or the same path without the /var/lib/lxc/mycontainer/rootfs prefix from inside the container). By default the container’s network interface is named eth0 and NetworkManager manages it (when installing from the LXC templates!). Here is a connection profile for the eth0 interface, which NetworkManager activates when the container boots.
Put the following configuration in /var/lib/lxc/mycontainer/rootfs/etc/NetworkManager/system-connections/ethernet-eth0.nmconnection:
[connection]
id=ethernet-eth0
uuid=e87463e7-48ba-4f5a-a9df-93f0aacfe2fd
type=ethernet
interface-name=eth0

[ethernet]

[ipv4]
address1=10.10.10.2/24,10.10.10.1
dns=8.8.8.8;8.8.4.4;
method=manual

[ipv6]
addr-gen-mode=default
method=auto

[proxy]
Finally, make sure the permissions of this NetworkManager keyfile are 600 and the owner is root:root, or NetworkManager will ignore it (keyfiles can hold secrets such as Wi-Fi or VPN credentials, so NetworkManager refuses any keyfile that other users can read)! If there is no network in the container, check the permissions of this file first. Because this is a privileged container, root on the host and root in the container are the same uid 0 and the chown from the host is correct; with an lxc.idmap mapping the file would have to be owned by the host uid that maps to the container’s root.
[root@srv ~]# chown root:root /var/lib/lxc/mycontainer/rootfs/etc/NetworkManager/system-connections/ethernet-eth0.nmconnection
[root@srv ~]# chmod 600 /var/lib/lxc/mycontainer/rootfs/etc/NetworkManager/system-connections/ethernet-eth0.nmconnection
STEP 6) Start the LXC container.
Start the container with:
lxc-start -n mycontainer
Set the root password of the container with chroot into its rootfs (the prompt still shows srv, because chroot changes only the root directory, not the UTS namespace):
[root@srv ~]# chroot /var/lib/lxc/mycontainer/rootfs/
[root@srv /]# . /etc/profile
[root@srv /]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@srv /]# exit
Keep in mind that chroot runs the image’s own passwd binary and PAM stack as host root, without any of the container’s namespace, capability or seccomp restrictions, so do this only with an image you trust; on a running container the same can be done from inside its namespaces with lxc-attach -n mycontainer -- passwd. The image does run a console getty (see the agetty process below), but that console is only reachable with lxc-console -n mycontainer -t 0 or by starting in the foreground (Bonus 1), so lxc-attach is the usual way to get inside the container. lxc-attach asks for no password at all: it enters the container from the host as root, so the password set above matters only for console or SSH logins.
[root@srv ~]# lxc-attach -n mycontainer
[root@mycontainer ~]# hostnamectl
   Static hostname: n/a
Transient hostname: mycontainer
         Icon name: computer-container
           Chassis: container ☐
        Machine ID: 528dd34dea51471fae3ba97a9773b3e7
           Boot ID: 1b29abe589d84410b2be09441ccf30c8
    Virtualization: lxc
  Operating System: CentOS Stream 9
       CPE OS Name: cpe:/o:centos:centos:9
            Kernel: Linux 5.14.0-165.el9.x86_64
      Architecture: x86-64
[root@mycontainer ~]# ps axuf
USER  PID %CPU %MEM    VSZ   RSS TTY   STAT START TIME COMMAND
root  166  0.0  0.1   7420  4308 pts/5 Ss   11:04 0:00 /bin/bash
root  177  0.0  0.0  10140  3524 pts/5 R+   11:04 0:00  \_ ps axuf
root    1  0.0  0.3  20580 11512 ?     Ss   10:59 0:00 /sbin/init
root   44  0.0  0.2  25964  8552 ?     Ss   10:59 0:00 /usr/lib/systemd/systemd-journald
root   53  0.0  0.1 163904  7084 ?     Ssl  10:59 0:00 /usr/sbin/rsyslogd -n
root   54  0.0  0.1  17736  6636 ?     Ss   10:59 0:00 /usr/lib/systemd/systemd-logind
root   55  0.0  0.4 256308 18392 ?     Ssl  10:59 0:00 /usr/sbin/NetworkManager --no-daemon
dbus   56  0.0  0.1  10812  4340 ?     Ss   10:59 0:00 /usr/bin/dbus-broker-launch --scope system
dbus   60  0.0  0.0   4992  2780 ?     S    10:59 0:00  \_ dbus-broker --log 4 --controller 9 --ma
root   67  0.0  0.0   5648  1096 pts/0 Ss+  10:59 0:00 /sbin/agetty -o -p -- \u --noclear --keep-b
root   68  0.0  0.0   8584  3628 ?     Ss   10:59 0:00 /usr/sbin/crond -n
[root@mycontainer ~]# exit
exit
[root@srv ~]#
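STEP 4 and STEP 5 as a script, added here as an example and not part of the original article: it writes the static-IP keyfile into the container’s rootfs with the 0600 mode NetworkManager insists on, and it audits the container’s config for the points that matter for isolation (no lxc.idmap, i.e. a privileged container; a live nesting.conf include; the veth not attached to the expected bridge). The script name lxc-netconf.sh, the apply argument and the function names are my own; the paths, addresses and the br0 bridge are the article’s. The scratch rootfs and config the test uses are constructed for the example.

```shell
#!/bin/bash
# Added example, not from the original article: write the static-IP NetworkManager
# keyfile for an LXC container rootfs with the permissions NetworkManager requires,
# and audit the container's LXC config for the settings discussed in STEP 3 to STEP 5.
# Every function takes its paths as arguments, so it can run against a scratch directory.

# write_nm_keyfile ROOTFS IFACE ADDRESS/PREFIX GATEWAY "DNS1;DNS2"
# Creates ROOTFS/etc/NetworkManager/system-connections/ethernet-IFACE.nmconnection
# as mode 0600 from the start (umask 077), because NetworkManager ignores keyfiles
# that group or others can read. Prints the path of the file it wrote.
write_nm_keyfile() {
    local rootfs="$1" iface="$2" addr="$3" gw="$4" dns="$5"
    local dir="$rootfs/etc/NetworkManager/system-connections"
    local file="$dir/ethernet-$iface.nmconnection"
    local uuid
    mkdir -p "$dir"
    # uuidgen may be missing on a minimal host; the kernel hands out one as well
    uuid=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
    (
        umask 077
        cat > "$file" <<EOF
[connection]
id=ethernet-$iface
uuid=$uuid
type=ethernet
interface-name=$iface

[ethernet]

[ipv4]
address1=$addr,$gw
dns=$dns;
method=manual

[ipv6]
addr-gen-mode=default
method=auto

[proxy]
EOF
    )
    chmod 600 "$file"
    printf '%s\n' "$file"
}

# keyfile_is_private FILE: 0 when the mode is 0600 or tighter (no group/other bits), else 1
keyfile_is_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_lxc_config CONFIG BRIDGE
# Prints one finding per line; the return value is the number of findings.
# Only live (uncommented) lines count, so the commented-out nesting.conf line
# that lxc-create writes does not trigger a finding.
audit_lxc_config() {
    local cfg="$1" bridge="$2" findings=0 live
    live=$(grep -Ev '^[[:space:]]*(#|$)' "$cfg")
    if ! printf '%s\n' "$live" | grep -qE '^[[:space:]]*lxc\.idmap[[:space:]]*='; then
        echo "PRIVILEGED: no lxc.idmap; uid 0 in the container is uid 0 on the host"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$live" | grep -qE '^[[:space:]]*lxc\.include[[:space:]]*=.*nesting\.conf'; then
        echo "NESTING: nesting.conf is included (the generated config warns this has security implications)"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$live" | grep -qE '^[[:space:]]*lxc\.net\.0\.link[[:space:]]*=[[:space:]]*'"$bridge"'[[:space:]]*$'; then
        echo "NETWORK: lxc.net.0.link is not $bridge; the container is not on the expected bridge"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# `bash lxc-netconf.sh apply` performs the article's steps on /var/lib/lxc/mycontainer;
# with no argument the file only defines the functions above.
if [ "${1:-}" = "apply" ]; then
    keyfile=$(write_nm_keyfile /var/lib/lxc/mycontainer/rootfs eth0 10.10.10.2/24 10.10.10.1 "8.8.8.8;8.8.4.4")
    chown root:root "$keyfile"   # host root and container root are the same uid here (no lxc.idmap)
    keyfile_is_private "$keyfile" && echo "keyfile written: $keyfile"
    audit_lxc_config /var/lib/lxc/mycontainer/config br0 || echo "$? finding(s) in the container config"
fi
```

Run it as root on the host after STEP 3 with `bash lxc-netconf.sh apply`. The PRIVILEGED finding is easy to confirm on the running container: `lxc-attach -n mycontainer -- cat /proc/self/uid_map` prints `0 0 4294967295`, i.e. there is no user-namespace mapping at all.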
Bonus 1) Start the LXC container in foreground to see the booting.
[root@srv ~]# lxc-stop -n mycontainer
[root@srv ~]# lxc-start -F -n mycontainer
systemd 250-11.el9 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS -FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to CentOS Stream 9!

Queued start job for default target Graphical Interface.
[  OK  ] Created slice Slice /system/getty.
[  OK  ] Created slice Slice /system/modprobe.
[  OK  ] Created slice User and Session Slice.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Reached target Local Integrity Protected Volumes.
[  OK  ] Reached target Path Units.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Reached target Slice Units.
[  OK  ] Reached target Swaps.
[  OK  ] Reached target Local Verity Protected Volumes.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Listening on Journal Socket.
         Mounting POSIX Message Queue File System...
         Starting Read and set NIS domainname from /etc/sysconfig/network...
         Starting Journal Service...
         Starting Generate network units from Kernel command line...
         Starting Remount Root and Kernel File Systems...
         Starting Apply Kernel Variables...
[  OK  ] Mounted POSIX Message Queue File System.
[  OK  ] Finished Read and set NIS domainname from /etc/sysconfig/network.
[  OK  ] Finished Generate network units from Kernel command line.
[  OK  ] Reached target Preparation for Network.
[  OK  ] Finished Apply Kernel Variables.
[  OK  ] Finished Remount Root and Kernel File Systems.
         Starting Create Static Device Nodes in /dev...
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Finished Create Static Device Nodes in /dev.
[  OK  ] Reached target Preparation for Local File Systems.
[  OK  ] Reached target Local File Systems.
[  OK  ] Finished Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Finished Create Volatile Files and Directories.
         Starting Record System Boot/Shutdown in UTMP...
[  OK  ] Finished Record System Boot/Shutdown in UTMP.
[  OK  ] Reached target System Initialization.
[  OK  ] Started dnf makecache --timer.
[  OK  ] Started Daily rotation of log files.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Reached target Timer Units.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Socket Units.
[  OK  ] Reached target Basic System.
         Starting Turn off network device...
         Starting System Logging Service...
         Starting User Login Management...
[  OK  ] Finished Turn off network device.
         Starting Network Manager...
[  OK  ] Started System Logging Service.
         Starting D-Bus System Message Bus...
[  OK  ] Started D-Bus System Message Bus.
[  OK  ] Started User Login Management.
[  OK  ] Started Network Manager.
[  OK  ] Reached target Network.
         Starting Network Manager Wait Online...
         Starting Permit User Sessions...
         Starting Hostname Service...
[  OK  ] Finished Permit User Sessions.
[  OK  ] Started Console Getty.
[  OK  ] Started Command Scheduler.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Record Runlevel Change in UTMP...
[  OK  ] Started Hostname Service.
[  OK  ] Finished Record Runlevel Change in UTMP.
         Starting Network Manager Script Dispatcher Service...
[  OK  ] Started Network Manager Script Dispatcher Service.
[  OK  ] Finished Network Manager Wait Online.
[  OK  ] Reached target Network is Online.

CentOS Stream 9
Kernel 5.14.0-165.el9.x86_64 on an x86_64

mycontainer login: root
Password:
[root@mycontainer ~]#
[root@mycontainer ~]# pstree
systemd─┬─NetworkManager───2*[{NetworkManager}]
        ├─crond
        ├─dbus-broker-lau───dbus-broker
        ├─login───bash───pstree
        ├─rsyslogd───2*[{rsyslogd}]
        ├─systemd───(sd-pam)
        ├─systemd-journal
        └─systemd-logind
[root@mycontainer ~]# logout

CentOS Stream 9
Kernel 5.14.0-165.el9.x86_64 on an x86_64

mycontainer login: root
Password:
Last login: Tue Sep 27 11:06:41 on console
[root@mycontainer ~]# poweroff
         Stopping Session 1 of User root...
[  OK  ] Removed slice Slice /system/getty.
[  OK  ] Removed slice Slice /system/modprobe.
[  OK  ] Stopped target Graphical Interface.
[  OK  ] Stopped target Multi-User System.
[  OK  ] Stopped target Login Prompts.
[  OK  ] Stopped target Network is Online.
[  OK  ] Stopped target Timer Units.
[  OK  ] Stopped dnf makecache --timer.
[  OK  ] Stopped Daily rotation of log files.
[  OK  ] Stopped Daily Cleanup of Temporary Directories.
[  OK  ] Closed Process Core Dump Socket.
[  OK  ] Stopped Network Manager Wait Online.
         Stopping Console Getty...
         Stopping Command Scheduler...
         Stopping System Logging Service...
         Stopping Hostname Service...
[  OK  ] Stopped Command Scheduler.
[  OK  ] Stopped Console Getty.
[  OK  ] Stopped Hostname Service.
[  OK  ] Stopped Session 1 of User root.
         Stopping User Login Management...
         Stopping User Manager for UID 0...
[  OK  ] Stopped User Login Management.
[  OK  ] Stopped User Manager for UID 0.
         Stopping User Runtime Directory /run/user/0...
[  OK  ] Unmounted /run/user/0.
[  OK  ] Stopped User Runtime Directory /run/user/0.
[  OK  ] Removed slice User Slice of UID 0.
[  OK  ] Reached target Unmount All Filesystems.
         Stopping Permit User Sessions...
[  OK  ] Stopped Permit User Sessions.
[  OK  ] Stopped target Network.
[  OK  ] Stopped target Remote File Systems.
         Stopping Network Manager...
[  OK  ] Stopped Network Manager.
[  OK  ] Stopped target Preparation for Network.
[  OK  ] Stopped Turn off network device.
[  OK  ] Stopped System Logging Service.
[  OK  ] Stopped target Basic System.
[  OK  ] Stopped target Path Units.
[  OK  ] Stopped target Slice Units.
[  OK  ] Removed slice User and Session Slice.
[  OK  ] Stopped target Socket Units.
         Stopping D-Bus System Message Bus...
[  OK  ] Stopped D-Bus System Message Bus.
[  OK  ] Closed D-Bus System Message Bus Socket.
[  OK  ] Stopped target System Initialization.
[  OK  ] Stopped target Local Encrypted Volumes.
[  OK  ] Stopped Dispatch Password Requests to Console Directory Watch.
[  OK  ] Stopped Forward Password Requests to Wall Directory Watch.
[  OK  ] Stopped target Local Integrity Protected Volumes.
[  OK  ] Stopped target Swaps.
[  OK  ] Stopped target Local Verity Protected Volumes.
[  OK  ] Stopped Read and set NIS domainname from /etc/sysconfig/network.
[  OK  ] Stopped Apply Kernel Variables.
         Stopping Record System Boot/Shutdown in UTMP...
[  OK  ] Stopped Record System Boot/Shutdown in UTMP.
[  OK  ] Stopped Create Volatile Files and Directories.
[  OK  ] Stopped target Local File Systems.
[  OK  ] Stopped target Preparation for Local File Systems.
[  OK  ] Stopped Remount Root and Kernel File Systems.
[  OK  ] Stopped Create Static Device Nodes in /dev.
[  OK  ] Reached target System Shutdown.
[  OK  ] Reached target Late Shutdown Services.
[  OK  ] Finished System Power Off.
[  OK  ] Reached target System Power Off.
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
All filesystems, swaps, loop devices, MD devices and DM devices detached.
Powering off.
[root@srv ~]#
Bonus 2) Processes on the host
[root@srv ~]# pstree
systemd─┬─NetworkManager───2*[{NetworkManager}]
        ├─agetty
        ├─auditd─┬─sedispatch
        │        └─2*[{auditd}]
        ├─chronyd
        ├─crond
        ├─dbus-broker-lau───dbus-broker
        ├─firewalld───{firewalld}
        ├─irqbalance───{irqbalance}
        ├─lxc-start───systemd─┬─NetworkManager───2*[{NetworkManager}]
        │                     ├─agetty
        │                     ├─crond
        │                     ├─dbus-broker-lau───dbus-broker
        │                     ├─rsyslogd───2*[{rsyslogd}]
        │                     ├─systemd-journal
        │                     └─systemd-logind
        ├─mcelog
        ├─mdadm
        ├─polkitd───5*[{polkitd}]
        ├─rsyslogd───2*[{rsyslogd}]
        ├─sshd───sshd───sshd───bash───pstree
        ├─systemd───(sd-pam)
        ├─systemd-journal
        ├─systemd-logind
        └─systemd-udevd
[root@srv ~]#
Bonus 3) Installation and Running a CentOS Stream 9 LXC container – the complete output
[root@srv ~]# dnf install -y epel-release
CentOS Stream 9 - BaseOS                                 41 kB/s |  11 kB     00:00
CentOS Stream 9 - AppStream                              19 kB/s |  12 kB     00:00
CentOS Stream 9 - Extras packages                        20 kB/s |  12 kB     00:00
Dependencies resolved.
=========================================================================================
 Package                  Architecture    Version         Repository             Size
=========================================================================================
Installing:
 epel-release             noarch          9-2.el9         extras-common          17 k
Installing weak dependencies:
 epel-next-release        noarch          9-2.el9         extras-common         8.1 k

Transaction Summary
=========================================================================================
Install  2 Packages

Total download size: 25 k
Installed size: 26 k
Downloading Packages:
(1/2): epel-next-release-9-2.el9.noarch.rpm              16 kB/s | 8.1 kB     00:00
(2/2): epel-release-9-2.el9.noarch.rpm                   25 kB/s |  17 kB     00:00
-----------------------------------------------------------------------------------------
Total                                                    19 kB/s |  25 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                 1/1
  Installing       : epel-release-9-2.el9.noarch                                     1/2
  Installing       : epel-next-release-9-2.el9.noarch                                2/2
  Running scriptlet: epel-next-release-9-2.el9.noarch                                2/2
  Verifying        : epel-next-release-9-2.el9.noarch                                1/2
  Verifying        : epel-release-9-2.el9.noarch                                     2/2

Installed:
  epel-next-release-9-2.el9.noarch          epel-release-9-2.el9.noarch

Complete!
[root@srv ~]# dnf install -y lxc lxc-templates container-selinux
Last metadata expiration check: 0:00:29 ago on Tue 27 Sep 2022 01:08:43 PM UTC.
Dependencies resolved.
=========================================================================================
 Package               Architecture   Version                Repository           Size
=========================================================================================
Installing:
 container-selinux     noarch         3:2.189.0-1.el9        appstream            49 k
 lxc                   x86_64         4.0.12-1.el9           epel                334 k
 lxc-templates         x86_64         4.0.12-1.el9           epel                 19 k
Installing dependencies:
 lxc-libs              x86_64         4.0.12-1.el9           epel                535 k

Transaction Summary
=========================================================================================
Install  4 Packages

Total download size: 936 k
Installed size: 2.6 M
Downloading Packages:
(1/4): lxc-libs-4.0.12-1.el9.x86_64.rpm                 1.9 MB/s | 535 kB     00:00
(2/4): lxc-4.0.12-1.el9.x86_64.rpm                      1.1 MB/s | 334 kB     00:00
(3/4): lxc-templates-4.0.12-1.el9.x86_64.rpm            361 kB/s |  19 kB     00:00
(4/4): container-selinux-2.189.0-1.el9.noarch.rpm        74 kB/s |  49 kB     00:00
-----------------------------------------------------------------------------------------
Total                                                   491 kB/s | 936 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                 1/1
  Installing       : lxc-libs-4.0.12-1.el9.x86_64                                    1/4
  Running scriptlet: lxc-libs-4.0.12-1.el9.x86_64                                    1/4
  Installing       : lxc-4.0.12-1.el9.x86_64                                         2/4
  Installing       : lxc-templates-4.0.12-1.el9.x86_64                               3/4
  Running scriptlet: container-selinux-3:2.189.0-1.el9.noarch                        4/4
  Installing       : container-selinux-3:2.189.0-1.el9.noarch                        4/4
  Running scriptlet: container-selinux-3:2.189.0-1.el9.noarch                        4/4
  Verifying        : container-selinux-3:2.189.0-1.el9.noarch                        1/4
  Verifying        : lxc-4.0.12-1.el9.x86_64                                         2/4
  Verifying        : lxc-libs-4.0.12-1.el9.x86_64                                    3/4
  Verifying        : lxc-templates-4.0.12-1.el9.x86_64                               4/4

Installed:
  container-selinux-3:2.189.0-1.el9.noarch     lxc-4.0.12-1.el9.x86_64
  lxc-libs-4.0.12-1.el9.x86_64                 lxc-templates-4.0.12-1.el9.x86_64

Complete!
[root@srv ~]# dnf install -y wget tar
Last metadata expiration check: 0:01:08 ago on Tue 27 Sep 2022 01:08:43 PM UTC.
Package wget-1.21.1-7.el9.x86_64 is already installed.
Dependencies resolved.
=========================================================================================
 Package         Architecture      Version               Repository            Size
=========================================================================================
Installing:
 tar             x86_64            2:1.34-5.el9          baseos               886 k

Transaction Summary
=========================================================================================
Install  1 Package

Total download size: 886 k
Installed size: 3.0 M
Downloading Packages:
tar-1.34-5.el9.x86_64.rpm                               2.5 MB/s | 886 kB     00:00
-----------------------------------------------------------------------------------------
Total                                                   891 kB/s | 886 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                 1/1
  Installing       : tar-2:1.34-5.el9.x86_64                                         1/1
  Running scriptlet: tar-2:1.34-5.el9.x86_64                                         1/1
  Verifying        : tar-2:1.34-5.el9.x86_64                                         1/1

Installed:
  tar-2:1.34-5.el9.x86_64

Complete!
[root@srv ~]# systemctl enable lxc
Created symlink /etc/systemd/system/multi-user.target.wants/lxc.service → /usr/lib/systemd/system/lxc.service.
[root@srv ~]# systemctl start lxc
[root@srv ~]# systemctl status lxc
● lxc.service - LXC Container Initialization and Autoboot Code
     Loaded: loaded (/usr/lib/systemd/system/lxc.service; enabled; vendor preset: disabl>
     Active: active (exited) since Tue 2022-09-27 13:11:18 UTC; 1min 26s ago
       Docs: man:lxc-autostart
             man:lxc
    Process: 3127 ExecStartPre=/usr/libexec/lxc/lxc-apparmor-load (code=exited, status=0>
    Process: 3129 ExecStart=/usr/libexec/lxc/lxc-containers start (code=exited, status=0>
   Main PID: 3129 (code=exited, status=0/SUCCESS)
        CPU: 112ms

Sep 27 13:10:47 srv systemd[1]: Starting LXC Container Initialization and Autoboot Code.>
Sep 27 13:11:18 srv systemd[1]: Finished LXC Container Initialization and Autoboot Code.
[root@srv ~]# lxc-create --template download -n mycontainer -- --dist centos --release 9-Stream --arch amd64
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created a Centos 9-Stream x86_64 (20220927_07:09) container.
[root@srv ~]# nmcli connection add type bridge ifname br0 con-name br0 ipv4.method manual ipv4.addresses "10.10.10.1/24"
Connection 'br0' (52ab3d53-4069-485f-825c-96348fb222c3) successfully added.
[root@srv ~]# nmcli connection up br0
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@srv ~]# firewall-cmd --permanent --add-masquerade
success
[root@srv ~]# firewall-cmd --reload
success
[root@srv ~]# cat /var/lib/lxc/mycontainer/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist centos --release 9-Stream --arch amd64
# Template script checksum (SHA-1): 47a9fc1ce184c958ecafc88dfd5f21c06f728288
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = x86_64

# Container specific configuration
lxc.rootfs.path = dir:/var/lib/lxc/mycontainer/rootfs
lxc.uts.name = mycontainer

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:aa:6a:44

lxc.group = onboot
lxc.start.auto = 1
lxc.start.delay = 10
[root@srv ~]# cat /var/lib/lxc/mycontainer/rootfs/etc/NetworkManager/system-connections/ethernet-eth0.nmconnection
[connection]
id=ethernet-eth0
uuid=e87463e7-48ba-4f5a-a9df-93f0aacfe2fd
type=ethernet
interface-name=eth0

[ethernet]

[ipv4]
address1=10.10.10.2/24,10.10.10.1
dns=8.8.8.8;8.8.4.4;
method=manual

[ipv6]
addr-gen-mode=default
method=auto

[proxy]
[root@srv ~]# chown root:root /var/lib/lxc/mycontainer/rootfs/etc/NetworkManager/system-connections/ethernet-eth0.nmconnection
[root@srv ~]# chmod 600 /var/lib/lxc/mycontainer/rootfs/etc/NetworkManager/system-connections/ethernet-eth0.nmconnection
[root@srv ~]# lxc-attach -n mycontainer
[root@srv ~]# lxc-start -n mycontainer
[root@srv ~]# ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Destination Host Unreachable
From 10.10.10.1 icmp_seq=2 Destination Host Unreachable
From 10.10.10.1 icmp_seq=3 Destination Host Unreachable
From 10.10.10.1 icmp_seq=4 Destination Host Unreachable
From 10.10.10.1 icmp_seq=5 Destination Host Unreachable
From 10.10.10.1 icmp_seq=6 Destination Host Unreachable
From 10.10.10.1 icmp_seq=7 Destination Host Unreachable
From 10.10.10.1 icmp_seq=8 Destination Host Unreachable
From 10.10.10.1 icmp_seq=9 Destination Host Unreachable
From 10.10.10.1 icmp_seq=10 Destination Host Unreachable
From 10.10.10.1 icmp_seq=11 Destination Host Unreachable
From 10.10.10.1 icmp_seq=12 Destination Host Unreachable
From 10.10.10.1 icmp_seq=13 Destination Host Unreachable
From 10.10.10.1 icmp_seq=14 Destination Host Unreachable
From 10.10.10.1 icmp_seq=15 Destination Host Unreachable
From 10.10.10.1 icmp_seq=16 Destination Host Unreachable
From 10.10.10.1 icmp_seq=17 Destination Host Unreachable
From 10.10.10.1 icmp_seq=18 Destination Host Unreachable
From 10.10.10.1 icmp_seq=19 Destination Host Unreachable
From 10.10.10.1 icmp_seq=20 Destination Host Unreachable
From 10.10.10.1 icmp_seq=21 Destination Host Unreachable
From 10.10.10.1 icmp_seq=22 Destination Host Unreachable
From 10.10.10.1 icmp_seq=23 Destination Host Unreachable
From 10.10.10.1 icmp_seq=24 Destination Host Unreachable
64 bytes from 10.10.10.2: icmp_seq=25 ttl=64 time=2048 ms
64 bytes from 10.10.10.2: icmp_seq=26 ttl=64 time=1024 ms
64 bytes from 10.10.10.2: icmp_seq=27 ttl=64 time=0.090 ms
64 bytes from 10.10.10.2: icmp_seq=28 ttl=64 time=0.057 ms
64 bytes from 10.10.10.2: icmp_seq=29 ttl=64 time=0.252 ms
64 bytes from 10.10.10.2: icmp_seq=30 ttl=64 time=0.191 ms
64 bytes from 10.10.10.2: icmp_seq=31 ttl=64 time=0.072 ms
64 bytes from 10.10.10.2: icmp_seq=32 ttl=64 time=0.108 ms
64 bytes from 10.10.10.2: icmp_seq=33 ttl=64 time=0.068 ms
......
......
64 bytes from 10.10.10.2: icmp_seq=34 ttl=64 time=0.130 ms
^C
--- 10.10.10.2 ping statistics ---
113 packets transmitted, 89 received, +24 errors, 21.2389% packet loss, time 114728ms
rtt min/avg/max/mdev = 0.055/34.675/2048.261/240.259 ms, pipe 3
[root@srv ~]# lxc-attach -n mycontainer
[root@mycontainer ~]# pstree
systemd─┬─NetworkManager───2*[{NetworkManager}]
        ├─agetty
        ├─crond
        ├─dbus-broker-lau───dbus-broker
        ├─rsyslogd───2*[{rsyslogd}]
        ├─systemd-journal
        └─systemd-logind
[root@mycontainer ~]# exit
exit
[root@srv ~]# pstree
systemd─┬─NetworkManager───2*[{NetworkManager}]
        ├─agetty
        ├─anacron
        ├─auditd─┬─sedispatch
        │        └─2*[{auditd}]
        ├─chronyd
        ├─crond
        ├─dbus-broker-lau───dbus-broker
        ├─firewalld───3*[{firewalld}]
        ├─irqbalance───{irqbalance}
        ├─lxc-start───systemd─┬─NetworkManager───2*[{NetworkManager}]
        │                     ├─agetty
        │                     ├─crond
        │                     ├─dbus-broker-lau───dbus-broker
        │                     ├─rsyslogd───2*[{rsyslogd}]
        │                     ├─systemd-journal
        │                     └─systemd-logind
        ├─mcelog
        ├─mdadm
        ├─polkitd───5*[{polkitd}]
        ├─rsyslogd───2*[{rsyslogd}]
        ├─sshd─┬─sshd───sshd───bash───pstree
        │      └─sshd───sshd───bash
        ├─systemd───(sd-pam)
        ├─systemd-journal
        ├─systemd-logind
        └─systemd-udevd