Differences between revisions 1 and 9 (spanning 8 versions)
Revision 1 as of 2017-10-24 16:47:04
Size: 897
Revision 9 as of 2019-11-18 06:36:48
Size: 3914
Editor: DmitryBorodaenko
Line 3: Line 3:
== systemd containers == = systemd containers =
Line 8: Line 8:
== system preparing ==
we should enable namespaces kernel feature
{{{#!highlight bash numbers=disable
$ echo 'kernel.unprivileged_userns_clone=1' >/etc/sysctl.d/nspawn.conf
$ systemctl restart systemd-sysctl.service
}}}
It's require action to make work UIDs mapping. You can read more from official [[https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#-U|documentation]].
== creating Debian container ==
Require DebianPts:debootstrap package to get basic environment for our container
{{{#!highlight bash numbers=disable
$ debootstrap --include=systemd-container stable /var/lib/machines/debian
I: Target architecture can be executed
I: Retrieving InRelease
I: Checking Release signature
...
}}}
systemd-container package required to login container using machinectl
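Review bot: the sysctl drop-in and the debootstrap command in this hunk both need root but are shown with a `$` prompt, while the Usage example further down uses `sudo`; the prompts should agree (and `sudo echo ... >/etc/sysctl.d/nspawn.conf` would not help, because the redirection runs as the invoking user). "It's require action to make work UIDs mapping" should read "This is required for UID mapping (the -U option) to work".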
Line 9: Line 26:
After bootstrapping we can login to container to make additional changes
{{{#!highlight bash numbers=disable
$ systemd-nspawn -D /var/lib/machines/debian -U --machine debian
Spawning container buster on /var/lib/machines/buster.
Press ^] three times within 1s to kill container.
Selected user namespace base 818610176 and range 65536.
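Review bot: the command in this hunk spawns /var/lib/machines/debian with --machine debian, but the quoted output reads "Spawning container buster on /var/lib/machines/buster."; the transcript should show one machine name throughout.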
Line 10: Line 33:
=== Usage example === # set root password
root@stable:~# passwd
New password:
Retype new password:
passwd: password updated successfully

# allow login via local tty
root@stable:~# echo 'pts/0' >>/etc/securetty

# logout from container using ctrl+D
root@buster:~# logout
Container buster exited successfully.
}}}
now we can boot container using systemd-nspawn@.service unit
{{{
$ systemctl start systemd-nspawn@debian
}}}

@debian - that name should be same as machine folder name in /var/lib/machines/

checking state of machine

{{{#!highlight bash numbers=disable
$ machinectl list
MACHINE CLASS SERVICE OS VERSION ADDRESSES
debian container systemd-nspawn debian 10 -

# or
$ systemctl status systemd-nspawn@buster
● systemd-nspawn@buster.service - Container buster
   Loaded: loaded (/lib/systemd/system/systemd-nspawn@.service; disabled; vendor preset: enabled)
   Active: active (running) since ...
}}}

now we can login to console
{{{
$ machinectl login buster
Connected to machine debian. Press ^] three times within 1s to exit session.

Debian GNU/Linux 10 debian pts/0

debian login:
}}}

== Networking ==
container communicates with host machine using virtual interface named ve-{container_name}
{{{
$ ip a show dev ve-buster
77: ve-buster@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ... brd ff:ff:ff:ff:ff:ff link-netnsid 1
}}}

Enable and start systemd-networkd.service on the host and in the container to automatically provision the virtual link via DHCP with routing onto host's external network interfaces.

TODO: Describe advanced networking configuration

== Usage example ==
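Review bot: the prompts switch between root@stable and root@buster, and `systemctl status systemd-nspawn@buster`, `machinectl login buster` and `ip a show dev ve-buster` all name a machine "buster", while the unit started is systemd-nspawn@debian and `machinectl list` shows "debian"; since the text right after `systemctl start` says the instance name must equal the folder name under /var/lib/machines/, every later command should use "debian" so the reader does not copy a name that matches no machine.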
Line 17: Line 96:
$ sudo debootstrap sid $CDIR $ sudo debootstrap --include=systemd-container sid $CDIR
Line 19: Line 98:
root@FreedomBox:~# apt-get install -y freedombox-setup

# workaround for #862758
root@FreedomBox:~# apt-get install -y gir1.2-nm-1.0
root@FreedomBox:~# apt-get install -y freedombox
Line 26: Line 102:
root@FreedomBox:~# halt root@FreedomBox:~# ^D
Line 32: Line 108:

# To stop the container, either issue:
$ sudo machinectl stop FreedomBox

# or log in and run "halt". Simply logging out does not stop a container started with "-b"
Line 33: Line 114:

----

CategorySoftware | CategoryVirtualization | CategorySystemAdministration

systemd containers

systemd-nspawn and machinectl are lightweight container management tools.

They are deployed as part of systemd with the systemd-container package.

Preparing the system

First enable unprivileged user namespaces in the kernel:

$ echo 'kernel.unprivileged_userns_clone=1' >/etc/sysctl.d/nspawn.conf
$ systemctl restart systemd-sysctl.service

This is required for UID mapping (the -U option) to work: with -U the container's UIDs are mapped onto an unprivileged range of host UIDs, so root inside the container is not root on the host. You can read more in the official documentation (https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#-U).

Creating a Debian container

The debootstrap package is required to get a basic environment for our container:

$ debootstrap --include=systemd-container stable /var/lib/machines/debian
I: Target architecture can be executed
I: Retrieving InRelease
I: Checking Release signature
...

The systemd-container package is required inside the container to log in to it with machinectl.

After bootstrapping we can log in to the container to make additional changes:

$ systemd-nspawn -D /var/lib/machines/debian -U --machine debian
Spawning container debian on /var/lib/machines/debian.
Press ^] three times within 1s to kill container.
Selected user namespace base 818610176 and range 65536.

# set root password
root@debian:~# passwd
New password:
Retype new password:
passwd: password updated successfully

# allow login via local tty
root@debian:~# echo 'pts/0' >>/etc/securetty

# log out of the container with Ctrl+D
root@debian:~# logout
Container debian exited successfully.

Now we can boot the container using the systemd-nspawn@.service template unit:

$ systemctl start systemd-nspawn@debian

The instance name after the @ (here debian) must be the same as the machine folder name in /var/lib/machines/.

Check the state of the machine:

$ machinectl list
MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
debian container systemd-nspawn debian 10      -

# or
$ systemctl status systemd-nspawn@debian
● systemd-nspawn@debian.service - Container debian
   Loaded: loaded (/lib/systemd/system/systemd-nspawn@.service; disabled; vendor preset: enabled)
   Active: active (running) since ...

Now we can log in to the console:

$ machinectl login debian
Connected to machine debian. Press ^] three times within 1s to exit session.

Debian GNU/Linux 10 debian pts/0

debian login:
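A few preflight checks for the procedure above, added here as an example and not part of the original wiki page: they verify the sysctl drop-in from the preparation step, compute the host UID a container UID lands on under -U (base + container UID, as the systemd-nspawn manual describes the mapping), confirm the tree's on-disk owner sits in that range, and derive the systemd-nspawn@ instance name from a /var/lib/machines path. All paths and UID values are parameters, so the checks run without root; the inputs in the comments are constructed.

```shell
#!/bin/sh
# Added preflight helpers for the nspawn procedure on this page; not part of
# the original wiki text. Paths and UID values are parameters so the checks
# run without root and can be exercised against constructed input.

# Does a sysctl drop-in (e.g. /etc/sysctl.d/nspawn.conf) enable unprivileged
# user namespaces? Returns 0 when kernel.unprivileged_userns_clone is 1.
userns_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # accept "key=1" and "key = 1"; comment lines never match
    grep -Eq '^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$conf"
}

# With systemd-nspawn -U, container UID c becomes host UID base+c, taking
# base and range from the "Selected user namespace base ... and range ..."
# line. Prints the host UID, or fails if c lies outside the mapped range.
host_uid() {
    base="$1"; range="$2"; cuid="$3"
    [ "$cuid" -ge 0 ] && [ "$cuid" -lt "$range" ] || return 1
    echo $((base + cuid))
}

# Is the on-disk owner of the container tree inside [base, base+range)?
# A freshly debootstrapped tree is owned by host UID 0; older systemd
# re-owns it on the first -U run (newer versions may use idmapped mounts
# instead and leave the on-disk owner untouched), so this shows whether
# the shift has been applied to the files themselves.
owner_in_range() {
    dir="$1"; base="$2"; range="$3"
    owner=$(stat -c %u "$dir") || return 1
    [ "$owner" -ge "$base" ] && [ "$owner" -lt $((base + range)) ]
}

# The systemd-nspawn@<name> instance must equal the directory name under
# /var/lib/machines; derive it, rejecting paths elsewhere or nested deeper.
instance_name() {
    dir="${1%/}"
    case "$dir" in /var/lib/machines/*) ;; *) return 1 ;; esac
    name="${dir#/var/lib/machines/}"
    case "$name" in ''|*/*) return 1 ;; esac
    echo "$name"
}
```

Run the functions from an interactive shell or source the file, for example `host_uid 818610176 65536 1000` to see which host UID the container's UID 1000 owns files as.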

Networking

The container communicates with the host over a virtual Ethernet (veth) pair; the host side is named ve-{container_name}. The systemd-nspawn@.service unit starts the container with --network-veth, which is what creates this pair:

$ ip a show dev ve-debian
77: ve-debian@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ... brd ff:ff:ff:ff:ff:ff link-netnsid 1

Enable and start systemd-networkd.service on the host and in the container to configure the virtual link automatically via DHCP, with routing onto the host's external network interfaces.

TODO: Describe advanced networking configuration

Usage example

Deploy FreedomBox on a Sid container. This will take around 1.2 GB of disk space.

# create a new container using debootstrap
$ CDIR=/var/lib/machines/freedombox
$ sudo debootstrap --include=systemd-container sid $CDIR
$ sudo systemd-nspawn -D $CDIR --machine FreedomBox
root@FreedomBox:~# apt-get install -y freedombox

# set root password and stop the container
root@FreedomBox:~# passwd root
root@FreedomBox:~# ^D

# start the container and its services
$ sudo systemd-nspawn -D $CDIR --machine FreedomBox -b

# Browse to https://127.0.0.1/

# To stop the container, either issue:
$ sudo machinectl stop FreedomBox

# or log in and run "halt". Simply logging out does not stop a container started with "-b".
