Installing a container with LXC on Ubuntu 18.04 and getting as far as ssh

I tried this while studying for LPIC-304, so here is a memo.

References

Linux Containers - LXC - Getting started

Environment

Ubuntu 18.04 LTS

Installation

mukkun@mukkun-ubuntu:~$ sudo apt-get install lxc

Initial setup

Append the bridge setting for the user to /etc/lxc/lxc-usernet
mukkun@mukkun-ubuntu:~$ cat /etc/lxc/lxc-usernet
# USERNAME TYPE BRIDGE COUNT
mukkun veth lxcbr0 10

mukkun@mukkun-ubuntu:~$ mkdir ~/.config
mukkun@mukkun-ubuntu:~$ mkdir ~/.config/lxc
mukkun@mukkun-ubuntu:~$ cp /etc/lxc/default.conf ~/.config/lxc/default.conf

mukkun@mukkun-ubuntu:~$ grep $USER /etc/subgid
mukkun:165536:65536

Use the values shown above in the id mapping
cat << EOT >> ~/.config/lxc/default.conf
lxc.idmap = u 0 165536 65536
lxc.idmap = g 0 165536 65536
EOT
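As an added example (not from the original post), a small POSIX sh helper that derives the two lxc.idmap lines from the user's subuid/subgid entries and checks an existing mapping against those ranges; the file contents are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Constructed sample contents of /etc/subuid and /etc/subgid (not read from
# the host); on a real system pass "$(cat /etc/subuid)" and "$(cat /etc/subgid)".
SAMPLE_SUBUID="root:100000:65536
mukkun:165536:65536"
SAMPLE_SUBGID="root:100000:65536
mukkun:165536:65536"

# subid_range USER CONTENT -> prints "START COUNT" from USER's first entry,
# returns 1 when no range is delegated to USER.
subid_range() {
  entry=$(printf '%s\n' "$2" | grep "^$1:" | head -n 1)
  [ -n "$entry" ] || return 1
  rest=${entry#*:}
  printf '%s %s\n' "${rest%%:*}" "${rest#*:}"
}

# idmap_lines USER SUBUID_CONTENT SUBGID_CONTENT -> the two lxc.idmap lines
# to append to ~/.config/lxc/default.conf (container uid/gid 0.. mapped onto
# the host ranges delegated to USER).
idmap_lines() {
  u=$(subid_range "$1" "$2") || return 1
  g=$(subid_range "$1" "$3") || return 1
  # $u and $g are left unquoted on purpose: each splits into START COUNT.
  printf 'lxc.idmap = u 0 %s %s\nlxc.idmap = g 0 %s %s\n' $u $g
}

# idmap_ok IDMAP_LINE USER CONTENT -> 0 if the host range in an
# "lxc.idmap = u|g 0 HOST_START COUNT" line lies entirely inside USER's
# delegated range. A mapping outside it is refused by newuidmap/newgidmap,
# so the container will not start; this is the check behind "use the
# values shown above" in the post.
idmap_ok() {
  set -- $(printf '%s\n' "$1" | tr '=' ' ') "$2" "$3"
  # now: $1=lxc.idmap $2=u|g $3=0 $4=HOST_START $5=COUNT $6=USER $7=CONTENT
  r=$(subid_range "$6" "$7") || return 1
  start=${r%% *}
  count=${r#* }
  [ "$4" -ge "$start" ] || return 1
  [ $(($4 + $5)) -le $((start + count)) ]
}
```

Run `idmap_lines "$USER" "$(cat /etc/subuid)" "$(cat /etc/subgid)" >> ~/.config/lxc/default.conf` instead of typing the numbers by hand, and `idmap_ok` against each existing lxc.idmap line to confirm it matches the delegated ranges.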

Creating and checking the container

mukkun@mukkun-ubuntu:~$ lxc-create -t download -n my-container
Setting up the GPG keyring
Downloading the image index

---
DIST    RELEASE ARCH    VARIANT BUILD
---
alpine  3.10    amd64   default 20200709_13:00
...

A list is shown, so choose from it.

Distribution:
ubuntu
Release:
xenial
Architecture:
i386

Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an Ubuntu xenial i386 (20200709_07:42) container.

To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.

Checking the container

mukkun@mukkun-ubuntu:~$ lxc-ls -f
NAME         STATE   AUTOSTART GROUPS IPV4       IPV6 UNPRIVILEGED
my-container RUNNING 0         -      10.0.3.175 -    true

Start

mukkun@mukkun-ubuntu:~$ lxc-start -n my-container -d

Check

mukkun@mukkun-ubuntu:~$ lxc-info my-container
Name:           my-container
State:          RUNNING
PID:            3888
IP:             10.0.3.175
Memory use:     18.60 MiB
KMem use:       7.08 MiB
Link:           vethUNE5V1
 TX bytes:      1.62 KiB
 RX bytes:      2.29 KiB
 Total bytes:   3.91 KiB

Creating a user in the container

mukkun@mukkun-ubuntu:~$ lxc-attach -n my-container
root@my-container:/# adduser lahm
Adding user `lahm' ...
Adding new group `lahm' (1001) ...
Adding new user `lahm' (1001) with group `lahm' ...
Creating home directory `/home/lahm' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for lahm
Enter the new value, or press ENTER for the default
        Full Name []: lahm
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
root@my-container:/#

Add the user to sudo as well

root@my-container:/# gpasswd -a lahm sudo
Adding user lahm to group sudo

Install openssh-server
root@my-container:/# apt-get -y install openssh-server

root@my-container:/# exit
exit

Try logging in

mukkun@mukkun-ubuntu:~$ lxc-console -n my-container

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Login incorrect
my-container login:
Login timed out after 60 seconds.

Ubuntu 16.04.6 LTS my-container pts/0

my-container login: lahm
Password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-109-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

lahm@my-container:~$

Checking the network

lahm@my-container:~$ ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
    inet 10.0.3.175/24 brd 10.0.3.255 scope global eth0
       valid_lft forever preferred_lft forever
lahm@my-container:~$
lahm@my-container:~$ ip route
default via 10.0.3.1 dev eth0
10.0.3.0/24 dev eth0  proto kernel  scope link  src 10.0.3.175

It can reach the outside properly

lahm@my-container:~$ ping yahoo.co.jp
PING yahoo.co.jp (182.22.59.229) 56(84) bytes of data.
64 bytes from f1.top.vip.ssk.yahoo.co.jp (182.22.59.229): icmp_seq=1 ttl=49 time=4.49 ms
64 bytes from f1.top.vip.ssk.yahoo.co.jp (182.22.59.229): icmp_seq=2 ttl=49 time=4.18 ms

To leave the console, press Ctrl+a and then q

Try ssh-ing from the host to the container

mukkun@mukkun-ubuntu:~$ ssh lahm@10.0.3.175
The authenticity of host '10.0.3.175 (10.0.3.175)' can't be established.
ECDSA key fingerprint is SHA256:PB7M16D3fCJtHqLnrd4pJ+aYgjey+u1hj+pUeNZDnWk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.3.175' (ECDSA) to the list of known hosts.
lahm@10.0.3.175's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-109-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Fri Jul 10 00:46:19 2020
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

lahm@my-container:~$

Stopping the container

mukkun@mukkun-ubuntu:~$ lxc-ls -f
NAME         STATE   AUTOSTART GROUPS IPV4       IPV6 UNPRIVILEGED
my-container RUNNING 0         -      10.0.3.175 -    true
mukkun@mukkun-ubuntu:~$
mukkun@mukkun-ubuntu:~$ lxc-stop -n my-container
mukkun@mukkun-ubuntu:~$ lxc-ls -f
NAME         STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
my-container STOPPED 0         -      -    -    true