lxc-ubuntu-x

lxc-ubuntu-x is a utility for creating Ubuntu (or Debian) LXC containers. It started out as an “experimental” refactoring of phbaer’s lxc-ubuntu script, hence the name, lxc-ubuntu-x. However, it has since been completely rewritten, and it has key improvements and new features that make it useful for creating a large number of Debian or Ubuntu LXC containers very quickly, and without human interaction. It also incorporates several LXC best practices gleaned from other sources. This script is not a drop-in replacement for lxc-ubuntu, because they are not command-line compatible. (The arguments are different.)

An LXC container created with this script can be managed and configured using the standard set of lxc commands, such as lxc-start, lxc-stop, and lxc-destroy. This script simply automates all of the tedious shell commands that system administrators usually run by hand when creating a new container. It also provides a set of standard configuration hooks that can be used to automate the configuration of mountpoints, authorized capabilities, network settings, and software installation, which is very useful for hosting environments. For example, this script gives you a place to grab new IP addresses out of a database, or generate user passwords.

The most useful new feature in this script that I have not seen anywhere else is the use of templates. Any other LXC container (or tarball) can be used as a base root filesystem. This allows immediate deployment of pre-configured LXC containers for network services. (A default template is automatically created the first time you create a container.)

LXC comes pre-installed on SerCon™ servers from CST. You can see it in this tutorial video, starting at 8m24s.

Features

  • Highly configurable; designed for customization.
  • Simple BASH script.
  • Uses current LXC best practices:
    1. An external fstab, for secure, shared, read-only mounts. (Both shared and non-shared examples are provided)
    2. Unique, randomized MAC addresses (with the high vendor address workaround for Launchpad bug 584048)
    3. All non-essential capabilities are dropped by default
  • Includes two server templates:
    • The default template does a bare bones Ubuntu 10.4 install, creates a user “ubuntu”, and installs a new (unique) SSH server certificate.
    • The lamp template also installs the big LAMP packages (with common utilities and libraries), installs fail2ban (for security), turns on HTTPS (with a unique SSL certificate), turns on MySQL replication logs, and fixes the relevant init scripts to work with container-based init runlevels. The entire install is non-interactive.
Usage

    lxc-ubuntu-x can take zero, one, two, or three command-line arguments. In all cases, a new LXC container is created. The arguments simply tell lxc-ubuntu-x to override defaults with user-specified values for hostname, rootfs, and template.

    # Examples:
    # Zero arguments: Create a new LXC container.  (The $HOSTNAME of the new container is automatically generated.)
    ./lxc-ubuntu-x
    # One argument: 
    ./lxc-ubuntu-x my-wordpress-server
    # Two arguments:
    ./lxc-ubuntu-x my-gallery-server /mnt/MY_RAID/lxc/my-gallery-server
    # Three args:
    ./lxc-ubuntu-x my-web-server /lxc/my-web-server lamp
    
    • Arg #1: Use the supplied hostname for the new container, e.g. my-lamp-server
    • Arg #2: Use the supplied rootfs, full path to container root directory. By default, it will use /lxc/hostname.rootfs (or whatever $BASEDIR is set to, in lxc-ubuntu-x.conf)
    • Arg #3: Use the specified template (tarball) as the initial rootfs, and apply custom template configuration commands (if any). Templates effectively “cache” rootfs builds as a tarball, so that new LXC containers can be built in just a couple of seconds, without having to go through an entire debootstrap process for every new LXC container. It also gives you a way to use custom deployment commands.

      The template “default” is a vanilla debootstrap filesystem, created with a unique MAC address and OpenSSH server certificate. The template “lamp” is a unique LAMP server install.

    • No Args: Create a new LXC container, with the hostname, rootfs, and template all set to defaults. This is useful for building many test containers. Default values:
      • hostname: “server-lxc-N”, where ‘server’ is the parent’s hostname, and N is the first available integer
      • rootfs: “/lxc/server-lxc-N.rootfs”. The basedir of /lxc can be changed in lxc-ubuntu-x.conf.
      • template: “default”, a vanilla debootstrap filesystem created with a unique MAC address and OpenSSH server certificate.
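
The default-value rules above, worked through as an added example (this is not code from lxc-ubuntu-x itself): a small POSIX shell script that picks the first free “server-lxc-N” name and derives the rootfs path from it. It assumes N starts at 1 and treats a name as taken when its .rootfs directory, .conf or .fstab already exists under the base directory, so a half-created container is never silently reused; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of lxc-ubuntu-x): compute the defaults described in
# the Usage section. N is assumed to start at 1; a name counts as taken if
# any of BASEDIR/<name>.rootfs, .conf or .fstab exists (my assumption).

# next_container_name BASEDIR PARENT_HOSTNAME -> prints "<parent>-lxc-N"
next_container_name() {
    local basedir="$1" parent="$2" n=1
    while [ -e "$basedir/$parent-lxc-$n.rootfs" ] \
       || [ -e "$basedir/$parent-lxc-$n.conf" ] \
       || [ -e "$basedir/$parent-lxc-$n.fstab" ]; do
        n=$((n + 1))
    done
    printf '%s-lxc-%d\n' "$parent" "$n"
}

# default_rootfs BASEDIR HOSTNAME -> prints BASEDIR/HOSTNAME.rootfs
default_rootfs() {
    printf '%s/%s.rootfs\n' "$1" "$2"
}

# resolve_args BASEDIR PARENT_HOSTNAME [HOSTNAME [ROOTFS [TEMPLATE]]]
# Applies the zero/one/two/three-argument rules and prints
# "hostname rootfs template" on one line.
resolve_args() {
    local basedir="$1" parent="$2" hostname="$3" rootfs="$4" template="$5"
    [ -n "$hostname" ] || hostname=$(next_container_name "$basedir" "$parent")
    [ -n "$rootfs" ]   || rootfs=$(default_rootfs "$basedir" "$hostname")
    [ -n "$template" ] || template=default
    printf '%s %s %s\n' "$hostname" "$rootfs" "$template"
}

# Demo on a throwaway base directory seeded with two existing containers
# (constructed input; nothing is created on the real system).
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/myhost-lxc-1.rootfs" "$tmp/myhost-lxc-2.rootfs"
    resolve_args "$tmp" myhost                       # zero args -> myhost-lxc-3
    resolve_args "$tmp" myhost my-wordpress-server   # one arg
    resolve_args "$tmp" myhost my-web-server /lxc/my-web-server lamp
    rm -rf "$tmp"
}
```

Run `demo` (or call `resolve_args "$BASEDIR" "$(hostname -s)" "$@"` from a wrapper) to see the three argument forms resolved the way the script's Usage section describes.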

    Templates

    A “template” in the context of lxc-ubuntu-x is just another LXC rootfs that is used as the starting root filesystem, before the configuration begins. Using templates you can reduce the time of container creation from several minutes to a few seconds. Every time you create a new LXC container with lxc-ubuntu-x, it is zipped up into a tarball. That file is then a new “template”.

    There is nothing special about a template tarball; you can manually delete them or overwrite them at any time. It’s just a rootfs, including the LXC and fstab config files. You can also configure a template to have special configuration run on it, for example, to generate unique SSH or SSL certificates, or to install non-packaged software. Since untarring an archive is much faster than a fresh software install, this drastically reduces deployment time (to just a couple of seconds).

    Requirements

    You must first have a working LXC install.

    sudo bash
    apt-get install lxc vlan bridge-utils python-software-properties debootstrap schroot
    mkdir /cgroup
    echo "none /cgroup cgroup defaults 0 0" >> /etc/fstab
    mount /cgroup
    # See also: https://help.ubuntu.com/community/LXC
    

    The default templates assume bridged networking on the parent host, and basic DHCP on the LXC containers. Feel free to modify “configure_network” to match your particular config.

    Installation

    Download, unzip, and run from the local directory. Or, install system-wide wherever you want.

    Packaged tarball:
    https://github.com/downloads/dereks/lxc-ubuntu-x/lxc-ubuntu-x-0.8.1.tgz

    Browse Source on GitHub:
    https://github.com/dereks/lxc-ubuntu-x

    (I am seeking a volunteer to package this for Ubuntu. Contact me if interested.)

    Configuration in lxc-ubuntu-x.conf:

    # Where to create newly-created LXC container rootfs filesystems, .fstabs, and .confs:
    BASEDIR="/lxc"
    
    # This user is added and given admin rights via sudo:
    INSTALL_USERNAME="ubuntu"
    
    # This is the cleartext password for the above user.
    INSTALL_PASSWORD="ubuntu"
    
    # This file gets copied into /home/$INSTALL_USERNAME/.ssh/ in the new rootfs.
    AUTHORIZED_KEYS_TO_COPY="/home/ubuntu/.ssh/authorized_keys"
    
    Customization

    lxc-ubuntu-x splits container creation into five distinct, named steps, for better organization and ease of maintenance.

    • Step 1. Initialize the root filesystem. This runs generic commands necessary for all LXC containers, due to how they inherently work. You will probably not need to customize these steps:
      initialize_rootfs() {
      	run_debootstrap $1 $2
      	fix_dev $1 $2
      	fix_mtab $1 $2
      	fix_init $1 $2
      }
      

    • Steps 2-5: The next four steps configure the container, and are meant to be highly customized in the ./hooks.d directory. They are 100% configurable:
      • configure_fstab

        The fstab file created in /lxc/hostname.fstab holds the mountpoints the LXC container can see. By using shared, read-only mountpoints, you can create very lean, unique SSH servers (as described in the IBM documentation). Edit configure_fstab to see a shared example.

      • configure_network

        This sets up the child LXC network config, incl. /etc/network/interfaces and /etc/hostname. The current template assumes basic DHCP on the LXC containers, but you could easily configure a static IP address from a database, environment variable, or any other source.

      • configure_software

        This calls apt-get to install software packages. There is also some custom configuration done to make the software launch properly (because init runlevels work a little differently under LXC), and to generate unique server certificates.

      • configure_lxc

        This assumes bridged networking on the parent host and minimal capabilities for the LXC containers.
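
A minimal, self-contained version of the configure_fstab, configure_network and configure_lxc hooks described above, added here as an example (it is not lxc-ubuntu-x's own hook code): it writes one container's external fstab with a shared read-only bind mount, its DHCP network files, and an lxc .conf with a randomized MAC address (the “high vendor address” workaround from the feature list) and a reduced capability set. The bridge name br0, the shared host tree /srv/shared, and the list of dropped capabilities are my assumptions, not values taken from the project.

```shell
#!/bin/sh
# Added example, not lxc-ubuntu-x's own hooks. br0, /srv/shared and the
# lxc.cap.drop list below are assumptions.

# random_mac -> prints a locally administered unicast MAC with first octet fe.
# fe = 1111 1110: bit 0 clear (unicast), bit 1 set (locally administered).
# Keeping the first octet high is the "high vendor address" workaround: a
# Linux bridge takes the lowest MAC of its ports as its own, so a container
# MAC below the host NIC's would change the bridge's address.
random_mac() {
    set -- $(od -An -N5 -tu1 /dev/urandom)
    printf 'fe:%02x:%02x:%02x:%02x:%02x\n' "$1" "$2" "$3" "$4" "$5"
}

# configure_fstab BASEDIR HOSTNAME ROOTFS -> writes BASEDIR/HOSTNAME.fstab
configure_fstab() {
    local basedir="$1" hostname="$2" rootfs="$3"
    mkdir -p "$rootfs/proc" "$rootfs/sys" "$rootfs/dev/pts" "$rootfs/srv/shared"
    cat > "$basedir/$hostname.fstab" <<EOF
# External fstab for $hostname; lxc-start mounts these before the container's init runs
none $rootfs/proc proc defaults 0 0
none $rootfs/sys sysfs defaults 0 0
none $rootfs/dev/pts devpts defaults 0 0
# Shared, read-only bind mount: many containers reuse one host tree, none can
# modify it. After first boot, check inside the container that "mount" lists
# this path with "ro" and not "rw".
/srv/shared $rootfs/srv/shared none bind,ro 0 0
EOF
}

# configure_network HOSTNAME ROOTFS -> /etc/hostname and a DHCP interfaces file
configure_network() {
    local hostname="$1" rootfs="$2"
    mkdir -p "$rootfs/etc/network"
    printf '%s\n' "$hostname" > "$rootfs/etc/hostname"
    cat > "$rootfs/etc/network/interfaces" <<EOF
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF
}

# configure_lxc BASEDIR HOSTNAME ROOTFS -> writes BASEDIR/HOSTNAME.conf
configure_lxc() {
    local basedir="$1" hostname="$2" rootfs="$3" mac
    mac=$(random_mac)
    cat > "$basedir/$hostname.conf" <<EOF
lxc.utsname = $hostname
lxc.rootfs = $rootfs
lxc.mount = $basedir/$hostname.fstab
lxc.tty = 4
lxc.pts = 1024
# veth attached to the host bridge (bridged networking on the parent host)
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = $mac
# Minimal capabilities: drop what a network-service container never needs
lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
EOF
}

# build_container BASEDIR HOSTNAME ROOTFS -> runs all three steps, prints the .conf path
build_container() {
    configure_fstab "$1" "$2" "$3"
    configure_network "$2" "$3"
    configure_lxc "$1" "$2" "$3"
    printf '%s/%s.conf\n' "$1" "$2"
}

# Demo on a throwaway directory (constructed input; no real container is started)
demo() {
    local tmp
    tmp=$(mktemp -d)
    cat "$(build_container "$tmp" demo-lxc-1 "$tmp/demo-lxc-1.rootfs")"
    rm -rf "$tmp"
}
```

With a real rootfs in place, the generated files are what `lxc-start -n demo-lxc-1 -f /lxc/demo-lxc-1.conf` consumes; the only step missing from this example is the debootstrap/template extraction that fills the rootfs.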
