[CentOS-virt] LXC on CentOS 7 HowTo: PAM Configuration

Tue Feb 9 17:02:53 UTC 2016
Scott Dowdle <dowdle at montanalinux.org>

Greetings,

----- Original Message -----
> I am trying to implement something like an "LXC on CentOS 7 HowTo"
> for internal use. (Might as well get public afterwards.) I am following
> the HowTo for CentOS 6
> (https://wiki.centos.org/HowTos/LXC-on-CentOS6). So, here's what I
> did so far (Steps 1-6 can easily be omitted, but I am trying to be
> complete.)

Do you want to use the libvirt tools or the lxc-{whatever} tools?

I haven't worked with LXC on EL6 nor EL7 much at all... but I have been playing with it some on Fedora 23.

Anyway, to create a CentOS container, the lxc tools can do a lot of the work for you... and I don't know that all of the steps are needed from that wiki... at least if you use the lxc tools rather than libvirt... although you'll still use libvirt for its networking stuff.

To create a CentOS 7 container:

lxc-create -t download -n {desired-name}

That should give you a list of available Templates... and you would type in:

Distribution: centos
Release: 7
Architecture: amd64

It should download the template and put it under /var/cache/lxc/ and create the container under /var/lib/lxc/.

The Template should just work and not require any fiddling with... I'm hoping.

LXC is still rather lacking in isolation features as it does not give the container a subset of /proc... so within the container you can see all of the RAM and disk... and your root user can do bad things if you don't trust them.  That is with a "privileged" container.  Supposedly there is a way to run a container as a user and then grant capabilities as needed to reduce the security footprint but I don't know much about that.

Docker is a subset of that design for Applications (rather than the full distro with an init system of its own) that provides a really nice image library and image builder... but unless you are trying to do fleet computing (aka microservices) then Docker really isn't the container I've been looking for.

If you want privileged containers you don't have to worry about, you'll most likely want to create an OpenVZ host (warning, third-party repo / kernel / tools needed).  The current stable version of OpenVZ is "OpenVZ Legacy" which is EL6-based.  They have been working hard on "Virtuozzo 7" which is a merger of OpenVZ and the upstream Virtuozzo product-line still offering a FLOSS version... that is based on EL7 and also provides KVM VM management alongside of containers.  They are trying to integrate Virtuozzo support into libvirt and the libvirt-based tools like virsh and virt-manager... and get as much of that work upstreamed as possible... and switch from the kernel-patch based checkpoint code they have in OpenVZ Legacy to the mostly upstreamed CRIU C/R.  Hopefully in the next 3-6 months Virtuozzo 7 will go GA.  They basically have created a complete distro for it which is based on CentOS.

I'd be interested to hear if the lxc tools work for you or not.  The little bit I tried them on EL7 I seemed to get journald CPU max-outs on the host node.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]
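An added example, not part of Scott's post: the non-interactive form of the lxc-create command above (the download template takes --dist/--release/--arch arguments instead of prompting), plus a check for the "privileged container" caveat he raises, which reads /proc/self/uid_map to tell whether container root is really host root. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Shows the lxc-create invocation from the
# post in a scriptable form and a small check for the privileged-container
# caveat: in a privileged container root is host root, so /proc/self/uid_map
# contains the identity mapping "0 0 4294967295"; an unprivileged container
# maps container root onto an unprivileged host range, e.g. "0 100000 65536".

# Same as "lxc-create -t download -n NAME" but answers the Distribution /
# Release / Architecture prompts via the download template's own arguments.
create_centos7_container() {
    name="$1"
    lxc-create -t download -n "$name" -- --dist centos --release 7 --arch amd64
}

# classify_uid_map reads uid_map lines ("inside outside length") from stdin
# and prints "privileged" if container uid 0 is mapped to host uid 0,
# otherwise "unprivileged".
classify_uid_map() {
    while read -r inside outside length; do
        [ -z "$inside" ] && continue
        if [ "$inside" = "0" ] && [ "$outside" = "0" ]; then
            echo privileged
            return 0
        fi
    done
    echo unprivileged
    return 0
}

# Run the check for the calling process (inside a container this is the
# container's own view of its uid mapping).
check_self() {
    classify_uid_map < /proc/self/uid_map
}
```

Running `check_self` from a shell inside a container created by the command above prints "privileged", which is the case Scott describes where the container's root user can see and affect the host.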