Category Archives: LXC

State of LXC in Ubuntu 11.04

A while ago I posted about LXC and how to use it on Ubuntu 9.10; I think it’s time to update those instructions to the current state of LXC in Ubuntu 11.04.

As a quick reminder, LXC stands for Linux Containers and uses the relatively recent cgroup and namespace features of the Linux kernel to offer something that’s between a chroot and a virtual machine: basically a chroot, but with fine-grained resource allocation, its own network stack and its own pid namespace.
LXC is very similar to OpenVZ and Linux-Vserver but doesn’t depend on kernel patches to work.

So here’s how to get it working on Ubuntu 11.04, in a much easier way than back in Ubuntu 9.10, thanks to all the work done upstream.

To get LXC working on Ubuntu 11.04, you’ll need to do the following:

  • Install a few packages: lxc, debootstrap and bridge-utils
  • Create a bridge interface with masquerading and a local IP address
  • Create a mountpoint for the cgroup filesystem and make sure it’s mounted
  • Write a network configuration file for your container
  • Create your container (the template gets generated with the first container)

To make it even easier, I wrote the following script that you can start as root to do all the above.
It’ll add a “br-lxc” interface using the 192.168.254.0/24 network and configure masquerading.
The cgroup filesystem will be mounted at boot time in /cgroup.
A first container called natty01 will be created and started with IP 192.168.254.2 and default root password “root”.

The script is (I think) well commented and I’ve clearly indicated what’s to be run once (to set up LXC) and what’s to be run for every container you may want to create.
The script can be downloaded from: http://www.stgraber.org/download/lxc-demo.sh.
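The five steps above as one POSIX shell script, added here as an example; it is not the author’s lxc-demo.sh. It keeps the values the post names (bridge br-lxc, network 192.168.254.0/24, container natty01 at 192.168.254.2, cgroup mounted on /cgroup) and generates each configuration fragment from a function so it can be inspected before anything is applied. The "ubuntu" template name passed to lxc-create and the /tmp path for the per-container config are assumptions; the privileged steps only run as root with the `setup` or `create NAME IP` arguments.

```shell
#!/bin/sh
# Added example, not the author's lxc-demo.sh: the steps listed in the post as
# shell functions. Config is generated by functions so it can be inspected; the
# privileged parts only run as root with "setup" or "create NAME IP".
# Assumed: the "ubuntu" lxc-create template (check /usr/lib/lxc/templates for
# the one your lxc package ships) and /tmp for the generated container config.
set -u

BRIDGE=br-lxc
NET=192.168.254
HOST_IP=$NET.1
CGROUP_MNT=/cgroup

# /etc/network/interfaces stanza: a bridge with no physical ports; lxc-start
# attaches the host end of each container's veth pair to it. The post-up rule
# masquerades container traffic leaving for any address outside the /24.
bridge_stanza() {
    cat <<EOF
auto $BRIDGE
iface $BRIDGE inet static
    address $HOST_IP
    netmask 255.255.255.0
    bridge_ports none
    bridge_fd 0
    post-up iptables -t nat -A POSTROUTING -s $NET.0/24 ! -d $NET.0/24 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s $NET.0/24 ! -d $NET.0/24 -j MASQUERADE
EOF
}

# /etc/fstab line so the cgroup filesystem is mounted at boot.
cgroup_fstab_line() {
    printf 'none %s cgroup defaults 0 0\n' "$CGROUP_MNT"
}

# Returns 0 if IP is a usable container address in the bridge's /24 (not .1).
in_subnet() {
    host=${1#$NET.}
    [ "$host" != "$1" ] || return 1
    case "$host" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$host" -ge 2 ] && [ "$host" -le 254 ]; then return 0; fi
    return 1
}

# Per-container network config in lxc 0.7 syntax: a veth pair bridged on br-lxc.
container_config() {
    name=$1; ip=$2
    in_subnet "$ip" || { echo "$ip is not a free address in $NET.0/24" >&2; return 1; }
    cat <<EOF
lxc.utsname = $name
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $BRIDGE
lxc.network.name = eth0
lxc.network.ipv4 = $ip/24
EOF
}

# Run once per host: packages, bridge, forwarding, cgroup mount.
setup_host() {
    apt-get install -y lxc debootstrap bridge-utils
    grep -q "^auto $BRIDGE\$" /etc/network/interfaces || bridge_stanza >> /etc/network/interfaces
    ifup "$BRIDGE"
    sysctl -w net.ipv4.ip_forward=1   # masquerading is useless without forwarding
    mkdir -p "$CGROUP_MNT"
    grep -q " $CGROUP_MNT cgroup " /etc/fstab || cgroup_fstab_line >> /etc/fstab
    mountpoint -q "$CGROUP_MNT" || mount "$CGROUP_MNT"
}

# Run once per container: write the config, build the rootfs, start it detached.
create_container() {
    container_config "$1" "$2" > "/tmp/$1.conf" || return 1
    lxc-create -n "$1" -t ubuntu -f "/tmp/$1.conf"
    lxc-start -n "$1" -d
}

case "${1:-}" in
    setup)  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }; setup_host ;;
    create) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }; create_container "$2" "$3" ;;
    *)      container_config natty01 "$NET.2" ;;   # no argument: just print natty01's config
esac
```

The address check matters because a container given the host’s .1 or an address outside the /24 would either fight the bridge for its IP or fall outside the masquerade rule; refusing such a config up front is cheaper than debugging it after `lxc-start`.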

Once you have a container started, you can start playing with:

  • Attach to a VT: lxc-console --name natty01
  • Get the status: lxc-info --name natty01
  • Get the list of running processes: lxc-ps --name natty01 aux
  • Start/Stop containers: lxc-start/lxc-stop

Have fun!

Posted in Canonical voices, LXC, Planet Revolution-Linux, Planet Ubuntu | 20 Comments

Test drive the whole Ubuntu archive with WebLive

In my last blog post about WebLive I announced the availability on WebLive of the top-50 apps from the new Ratings & Review service.

Today I’m happy to announce that this feature is no longer necessary as you can now test drive anything that’s available in the Ubuntu archive.

[Image: Sylpheed installing on WebLive]

At the moment that’s over 1300 desktop applications that you can test this way:
basically any GUI app that requires less than 150MB of space to install and that isn’t in one of my blacklists (video editing, 3D, VOIP, VMs, …).

As a reminder, all you need is an up-to-date Ubuntu 11.04 system with the qtnx package installed (default in Edubuntu).
Full desktop sessions are still available at: http://www.edubuntu.org/weblive

This feature uses another of my pet projects, Arkose, to dynamically create containers (see LXC) whenever someone logs in. Each user is allocated up to 500MB for the test drive feature. On login, the system checks whether the requested app is already in the default system and, if not, downloads and installs it when you connect.

Enjoy!

NOTE: The current blacklist isn’t perfect, so if you notice any package that has a Test drive button in the Software Center and doesn’t work, please file a bug here: https://launchpad.net/weblive/+filebug

Posted in Arkose, Canonical voices, Edubuntu, LXC, Planet Ubuntu, Sandbox, WebLive | 9 Comments

Sandbox changes name to become Arkose

Sandbox started as a quick hack I wrote at the Ubuntu Developer Summit in Orlando, FL back in October.

Since then it has evolved quite a bit, getting a decent user interface and even a nautilus plugin.

The only thing really missing before making it an “official” project was a “real” name.
After thinking about it for a while (trust me, I’m really bad at finding names), I ended up browsing sand-related pages on Wikipedia and chose to go ahead with “Arkose”.

Arkose (pronounced /ˈɑrkoʊz/) is a detrital sedimentary rock, specifically a type of sandstone containing at least 25% feldspar.

[Image: Arkose]

I really liked “sandbox” as a name, but it was a bit of a pain to Google for, apt-cache was returning multiple results too, and finding relevant dents/tweets was really difficult. So instead I’ll mostly be using “Arkose – desktop sandboxing”: the name itself is a lot less common, and “desktop sandboxing” already gives very good Google results.

I finally created a Launchpad project and moved the branch to it. I’m expecting packages to hit the archive over the next few days.

PPA is available at: https://launchpad.net/~arkose-devel/+archive/stable

Posted in Arkose, LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged | 3 Comments

Getting ready for IPV6

I’ve been regularly playing with IPV6 since mid-2006, when I first opened an account at SixXS and got my first IPV6 tunnel up and running. Sadly at that point there weren’t many Points of Presence for tunnels, not to mention the state of native IPV6 networks…

Relatively recently my dedicated server provider started offering native IPV6 connectivity in their Nuremberg-based datacenter. They offer a /64 per server, which should be plenty for most users and allows for stateless configuration of a single network. Unfortunately in my case I’m running OpenVZ, LXC and KVM on that box, meaning multiple distinct networks with bridging and firewalls.

As I also wanted IPV6 connectivity for my home network and would rather have a single provider for both, I started looking at the current state of tunnel brokers and ended up choosing Hurricane Electric, who offer free IPV6 tunnels and one /48 network per subnet, which is exactly what I needed. They have Points of Presence pretty much all around the world, which means very low latency IPV6 for all my networks.
They also happen to be one of the two upstream providers of the ISP we use at the office.

So I started configuring my Vyatta (Debian-based router distribution) routers to handle the IPV6 tunnel, send Router Advertisements to all my networks (radvd), relay DHCPv6 to my DHCP server and firewall incoming traffic.
That was surprisingly easy, taking only a few minutes: copy/pasting the configuration provided by the tunnel broker and setting up the firewall rules.

I then made sure all my main services work properly with IPV6; for now that includes DNS servers, web servers, mail servers and shell access. I backported Natty’s isc-dhcp-server to 10.04 LTS, moved my DHCP to it and created a minimal configuration to get stateless DHCPv6 to announce my NTP and DNS servers.
I also updated my public DNS to include AAAA records for all services that have dual-stack support and got my registrar to add IPV6 glue records to my domain.
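The three router-side pieces described above (Router Advertisements with the other-config flag, a stateless DHCPv6 server announcing DNS and NTP, and a firewall on the tunnel), written as an added example in POSIX shell; this is not the author’s Vyatta configuration. Every value is a placeholder: the interface names eth1 and tun0, the documentation prefix 2001:db8:1:1::/64, and the server addresses. The config file paths are the ones isc-dhcp 4.x and radvd use by default; ip6tables is used here as an assumption in place of Vyatta’s own firewall syntax.

```shell
#!/bin/sh
# Added example, not the author's Vyatta configuration. Generates radvd.conf,
# a stateless dhcpd6.conf and a default-deny ip6tables ruleset for the tunnel.
# All names and addresses below are placeholders, not the author's values.
set -u

LAN_IF=eth1             # assumed LAN interface
TUN_IF=tun0             # assumed tunnel interface towards the broker
PREFIX=2001:db8:1:1::   # documentation prefix standing in for the real /64
DNS6=2001:db8:1:1::53   # placeholder DNS server
NTP6=2001:db8:1:1::123  # placeholder NTP server

# radvd: advertise the prefix for SLAAC and set O (other-config) so hosts send a
# stateless DHCPv6 Information-request for DNS/NTP. M stays off: addresses still
# come from SLAAC, the DHCPv6 server hands out options only.
radvd_conf() {
    cat <<EOF
interface $LAN_IF
{
    AdvSendAdvert on;
    AdvManagedFlag off;
    AdvOtherConfigFlag on;
    prefix ${PREFIX}/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

# isc-dhcp-server started with -6: a subnet6 with options and no range6 is all a
# stateless server needs; there is no lease to hand out.
dhcpd6_conf() {
    cat <<EOF
subnet6 ${PREFIX}/64 {
    option dhcp6.name-servers $DNS6;
    option dhcp6.sntp-servers $NTP6;
}
EOF
}

# Router firewall. LAN hosts get global addresses through the tunnel, so nothing
# hides them: drop unsolicited traffic from the tunnel, but keep ICMPv6, which
# IPv6 needs for neighbour discovery and path MTU discovery.
ip6tables_rules() {
    cat <<EOF
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i $LAN_IF -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -o $TUN_IF -j ACCEPT
EOF
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        radvd_conf > /etc/radvd.conf
        dhcpd6_conf > /etc/dhcp/dhcpd6.conf
        sysctl -w net.ipv6.conf.all.forwarding=1
        ip6tables_rules | sh -e
        ;;
    *)  radvd_conf; dhcpd6_conf; ip6tables_rules ;;   # no argument: print everything
esac
```

The FORWARD chain is the part that does the work of a home NAT box without NAT: only connections initiated from the LAN cross the tunnel. Anything that should be reachable from outside (a web or mail server on the LAN) needs its own explicit `FORWARD` accept for that host and port.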

I’ve now been running that setup for a week or so for my home network, dedicated server and office network. Running wireshark for a few hours showed that almost half of my connections are IPV6 (mostly on my own networks).

I’ve been surprised to see how well Ubuntu Natty’s NetworkManager copes with IPV6 networks. In my case, it successfully noticed the “other-config” flag in the router advertisement and started dhclient to grab the DNS and NTP configuration from the DHCPv6 server.

So I now have a working environment to develop the next-generation LTSP-Cluster, which is supposed to have complete IPV6 support from the first release.

Let’s hope we’ll see more IPV6 deployment in 2011.
Happy new year everyone!

Posted in LTSP, LXC, Planet Revolution-Linux, Planet Ubuntu | Tagged | Leave a comment

Having fun with containers

Not really having anything specific to do yesterday, I chose to have a bit of fun with sandbox.

I ended up installing a completely clean Ubuntu 10.10 in a VM with just an ssh server running.
I then installed sandbox from my PPA and appended the following line to my /etc/ssh/sshd_config:

ForceCommand sudo /usr/bin/sandbox -c "$SSH_ORIGINAL_COMMAND"

And this one to /etc/sudoers:

ALL ALL=NOPASSWD: /usr/bin/sandbox

Then restarted sshd.

The result is that any incoming ssh connection is sent to its own sandbox with no direct access to the disk, no network available, and no way to see other users’ processes.
Connecting twice over SSH gives you two shells which can’t see each other.
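One thing worth checking before restarting sshd with a setup like this: a `ForceCommand` appended to the end of `sshd_config` is global only if no `Match` block precedes it, because everything after a `Match` line belongs to that block until the next `Match` or the end of the file. The following script, added here as an example and not part of the original post, reports the scope of every `ForceCommand` in a config file, using two constructed sample configs (one plain, one ending in a `Match Group sftponly` block) rather than a real system file.

```shell
#!/bin/sh
# Added example, not part of the original post. sshd applies directives that
# follow a "Match" line only to matching sessions, so a ForceCommand appended
# after one is not global. This reports the scope of each ForceCommand found.
set -u

# Print one line per ForceCommand: "global" or "match <criteria of the block>".
forcecommand_scope() {
    awk '
        BEGIN { scope = "global" }
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" {
            scope = "match"
            for (i = 2; i <= NF; i++) scope = scope " " $i
            next
        }
        tolower($1) == "forcecommand" { print scope }
    ' "$1"
}

# Exit 0 only when the file has exactly one ForceCommand and it is global.
forcecommand_is_global() {
    [ "$(forcecommand_scope "$1")" = "global" ]
}

# Constructed sample 1: the post's line appended to a config with no Match block.
ok_conf=$(mktemp)
cat > "$ok_conf" <<'EOF'
Port 22
PermitRootLogin no
# ForceCommand in a comment must be ignored
ForceCommand sudo /usr/bin/sandbox -c "$SSH_ORIGINAL_COMMAND"
EOF

# Constructed sample 2: the same line appended after a Match block, where it
# only restricts members of group sftponly and every other login gets a normal shell.
scoped_conf=$(mktemp)
cat > "$scoped_conf" <<'EOF'
Port 22
Match Group sftponly
    ChrootDirectory /srv/sftp
ForceCommand sudo /usr/bin/sandbox -c "$SSH_ORIGINAL_COMMAND"
EOF
trap 'rm -f "$ok_conf" "$scoped_conf"' EXIT

for f in "$ok_conf" "$scoped_conf"; do
    if forcecommand_is_global "$f"; then
        echo "$f: ForceCommand applies to every login"
    else
        echo "$f: ForceCommand is scoped: $(forcecommand_scope "$f")"
    fi
done
```

On a real host the same check is `forcecommand_scope /etc/ssh/sshd_config`; running `sshd -t` afterwards catches syntax errors, but it will not tell you that the directive landed inside a `Match` block, which is exactly the case this script is for.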

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox | Tagged | 3 Comments