
lxc-templates's Issues

Alpine Template not working

Firstly, all other attempted templates work just fine.

Required information

  • Distribution: Debian 11: Bullseye (nearly fresh install)

LXC Outputs

  • lxc-start --version: 4.0.6
  • lxc-checkconfig:
LXC version 4.0.6
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-5.10.0-9-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points: 


Cgroup v2 mount points: 
/sys/fs/cgroup

Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_NF_NAT_IPV4: missing
CONFIG_NF_NAT_IPV6: missing
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: 

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

General System Outputs

  • uname -a: Linux <hostname> 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux
  • cat /proc/self/cgroup: 0::/user.slice/user-1000.slice/session-1.scope
  • cat /proc/1/mounts:
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=8137956k,nr_inodes=2034489,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=1637504k,mode=755 0 0
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
none /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=12720 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/sda5 /tmp ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/sda6 /home ext4 rw,relatime 0 0
/dev/loop1 /snap/core/11993 squashfs ro,nodev,relatime 0 0
/dev/loop2 /snap/core20/1169 squashfs ro,nodev,relatime 0 0
lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
tmpfs /run/snapd/ns tmpfs rw,nosuid,nodev,noexec,relatime,size=1637504k,mode=755 0 0
tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=1637500k,nr_inodes=409375,mode=700,uid=1000,gid=1000 0 0

Steps to reproduce

Running sudo lxc-create -t alpine -n test1 will output:

Obtaining an exclusive lock... done

==> Fetching and/or verifying APK keys
[email protected]: OK
[email protected]: OK
[email protected]: OK
[email protected]: OK
[email protected]: OK
[email protected]: OK
[email protected]: OK
[email protected]: OK
Obtaining an exclusive lock... done

==> Installing Alpine Linux in /var/lib/lxc/test1/rootfs
(1/20) Installing musl (1.2.2-r3)
(2/20) Installing busybox (1.33.1-r3)
Executing busybox-1.33.1-r3.post-install
(3/20) Installing alpine-baselayout (3.2.0-r16)
Executing alpine-baselayout-3.2.0-r16.pre-install
Executing alpine-baselayout-3.2.0-r16.post-install
(4/20) Installing ifupdown-ng (0.11.3-r0)
(5/20) Installing openrc (0.43.3-r2)
Executing openrc-0.43.3-r2.post-install
(6/20) Installing alpine-conf (3.12.0-r0)
(7/20) Installing libcrypto1.1 (1.1.1l-r0)
(8/20) Installing libssl1.1 (1.1.1l-r0)
(9/20) Installing ca-certificates-bundle (20191127-r5)
(10/20) Installing libretls (3.3.3p1-r2)
(11/20) Installing ssl_client (1.33.1-r3)
(12/20) Installing zlib (1.2.11-r3)
(13/20) Installing apk-tools (2.12.7-r0)
(14/20) Installing busybox-suid (1.33.1-r3)
(15/20) Installing busybox-initscripts (3.3-r1)
Executing busybox-initscripts-3.3-r1.post-install
(16/20) Installing scanelf (1.3.2-r0)
(17/20) Installing musl-utils (1.2.2-r3)
(18/20) Installing libc-utils (0.7.2-r3)
(19/20) Installing alpine-keys (2.4-r0)
(20/20) Installing alpine-base (3.14.2-r0)
Executing busybox-1.33.1-r3.trigger
OK: 9 MiB in 20 packages
mknod: dev/zero: File exists
lxc-create: test1: lxccontainer.c: create_run_template: 1616 Failed to create container from template
lxc-create: test1: tools/lxc_create.c: main: 319 Failed to create container test1

Also, possibly related with nearly identical error: lxc/lxc#609 (yes, I know this is necromancy, but the error message makes me question its relationship)

Shrink archiso image by removing preinstalled packages

Hello,

I created containers from the archlinux template and saw that they are 500MB each.
For an arch image, that is pretty much.

There are a lot of packages installed that are not needed.
For example:

cryptsetup
dhcpcd
diffutils
e2fsprogs
gawk
gzip
jfsutils
less
licenses
man-db
man-pages
mdadm
nano
netctl
perl
reiserfsprogs
...
By not installing them by default, the image would be a lot smaller.
And all users that need those packages can install them either manually or automatically as a dependency of other packages.

Would it be possible to remove them and maybe other non-required packages from the default archlinux image?

Gentoo template not usable out-of-the-box

Required information

  • Distribution: Proxmox
  • Distribution version: 6.1

Issue description

Hi there,

the Gentoo template is missing a feature to make the package manager work. To enable it, do the following:

echo 'FEATURES="-pid-sandbox"' >> /etc/portage/make.conf

Then the SSH server is not installed in the template, so an SSH connection to the container will not work, even if the public SSH key is given in the Proxmox GUI. To enable the SSH server, do the following:

emerge-webrsync
emerge --changed-use net-misc/openssh
rc-update add sshd default
rc-service sshd start

Further information (in German) can be found in https://www.goos-habermann.de/howto-10048-Gentoo-Proxmox-Paketverwaltung-LAMP-Software-Downgrade .

It would be nice if you could include these "patches" in the next version of the Gentoo template, so it would be fully usable out-of-the-box.

Cu Hauke

Debian security release/updates does not have a Release file

The Debian template is building the security apt sources.list incorrectly. Apt update is failing with an error:

E: The repository 'http://security.debian.org bullseye/updates Release' does not have a Release file.

Steps to reproduce:

lxc-create --template debian --name bullseye-test -- --release bullseye
lxc-start bullseye-test                                                
lxc-attach bullseye-test
# apt update                                          
Hit:1 http://deb.debian.org/debian bullseye InRelease
Ign:2 http://security.debian.org bullseye/updates InRelease
Get:3 http://deb.debian.org/debian bullseye/main Translation-en [6,241 kB]
Err:4 http://security.debian.org bullseye/updates Release                   
  404  Not Found [IP: 151.101.50.132 80]          
Reading package lists... Done                              
E: The repository 'http://security.debian.org bullseye/updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.             

According to https://www.debian.org/security/ the sources.list security entry should have something like this:

deb http://security.debian.org/debian-security bullseye-security main contrib non-free

Rather than ${release}/updates

Looks like this line needs to change:

${prefix} $SECURITY_MIRROR ${release}/updates main${non_main}

I edited the sources.list to make sure this would work and the apt update was successful:

root@bullseye-test:~# cat /etc/apt/sources.list                                                  
deb http://deb.debian.org/debian          bullseye         main                                  
deb http://security.debian.org/ bullseye/updates main                                            
root@bullseye-test:~# sed -i "s|bullseye/updates|bullseye-security|" /etc/apt/sources.list       
root@bullseye-test:~# cat /etc/apt/sources.list                                                  
deb http://deb.debian.org/debian          bullseye         main                                 
deb http://security.debian.org/ bullseye-security main
root@bullseye-test:~# apt update                                                                 
Hit:1 http://deb.debian.org/debian bullseye InRelease                                            
Get:2 http://security.debian.org bullseye-security InRelease [44.1 kB]                           
Get:3 http://security.debian.org bullseye-security/main amd64 Packages [25.4 kB]                 
Get:4 http://security.debian.org bullseye-security/main Translation-en [12.5 kB]                 
Fetched 81.9 kB in 0s (244 kB/s)                             
Reading package lists... Done        
Building dependency tree... Done     
1 package can be upgraded. Run 'apt list --upgradable' to see it.

Let me know if you need any more information.

Why deprecated?

I quite liked your shell scripts.

distrobuilder is a big Go monster, the format is yaml (why should shell commands
be written as yaml?). I cannot find an equally big collection of supported Linux
distributions. I like to build locally against local caches of linux distros. etc.

Are you still accepting fixes and pull requests?

Any plans to keep this lxc-templates project maybe alive as is..

lxc-fedora unusable

Hello,

it seems that at the moment - in the current version - it is impossible to get a Fedora 28 container with the template lxc-fedora used by lxc-create (at least on non-Fedora hosts).

  1. The template uses Fedora 25 (FEDORA_RELEASE_DEFAULT) as bootstrap and this is too old and doesn't contain the V28 keys, so the dnf-install step fails.
  2. The template can't build the bootstrap environment with FEDORA_RELEASE_DEFAULT set to 26, 27 or 28. So lxc-create still fails.
  3. Yeah, I know, I can set up a V27 and upgrade it ;)
  4. And yep, I know that lxc-templates is going to be retired :-)

time for a release?

Hi,

It's been almost 3 years without a release. Would it be possible to get one?

lxc-centos on centos 7

This is what I get from: lxc-create -n c10 -t /path/to/lxc-template
I'm also unable to login with the root password from /var/lib/lxc/c10/tmp_root_pass

Copy /var/cache/lxc/centos/x86_64/7/rootfs to /var/lib/lxc/c10/rootfs ...
Copying rootfs to /var/lib/lxc/c10/rootfs ...
sed: can't read /var/lib/lxc/c10/rootfs/etc/init/tty.conf: No such file or directory
Storing root password in '/var/lib/lxc/c10/tmp_root_pass'
chpasswd: cannot open /etc/passwd
Expiring password for user root.
passwd: Libuser error at line: 413 - Error replacing `/etc/passwd': Permission denied.
passwd: Error
sed: can't read /var/lib/lxc/c10/rootfs/etc/rc.sysinit: No such file or directory
sed: can't read /var/lib/lxc/c10/rootfs/etc/rc.d/rc.sysinit: No such file or directory

Container rootfs and config have been created.
Edit the config file to check/enable networking setup.

The temporary root password is stored in:

    '/var/lib/lxc/c10/tmp_root_pass'

The root password is set up as expired and will require it to be changed
at first login, which you should do as soon as possible. If you lose the
root password or wish to change it without starting the container, you
can change it from the host by running the following command (which will
also reset the expired flag):

    chroot /var/lib/lxc/c10/rootfs passwd

I failed to create rockylinux8 container on rockylinux8 host

I tried to create rockylinux8 container on rockylinux8 host by lxc 4.0.12.
I used "meta.tar.xz" and "rootfs.tar.xz" files I got from image-rockylinux

But I failed to make rockylinux8 container with some errors below.

# lxc-create -n test04 -t local -- -m meta.tar.xz -f rootfs.tar.xz
Unpacking the rootfs

---
You just created a Rockylinux 8 x86_64 (20230223_02:06) container.
lxc-create: test04: parse.c: lxc_file_for_each_line_mmap: 130 Failed to parse config file "/usr/local/share/lxc/config/common.conf" at line "lxc.seccomp.profile = /usr/local/share/lxc/config/common.seccomp"
lxc-create: test04: parse.c: lxc_file_for_each_line_mmap: 130 Failed to parse config file "/usr/local/var/lib/lxc/test04/config" at line "lxc.include = /usr/local/share/lxc/config/common.conf"
lxc-create: test04: tools/lxc_create.c: main: 317 Failed to create container test04

What should I do to solve this problem?

Debian `security bullseye/updates Release` does not have a Release file

Similar to #39, the current apt configuration in the image debian:bullseye seems to be broken. apt update fails with:

E: The repository 'http://security.debian.org/debian-security bullseye/updates Release' does not have a Release file.

Steps to reproduce:

$ lxc-create --template debian --name bullseye-test -- --release bullseye
$ lxc-start bullseye-test                                                
$ lxc-attach bullseye-test
# apt update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Ign:2 http://security.debian.org/debian-security bullseye/updates InRelease
Err:3 http://security.debian.org/debian-security bullseye/updates Release
  404  Not Found [IP: 146.75.122.132 80]
Get:4 http://deb.debian.org/debian bullseye/main Translation-en [6,240 kB]
Reading package lists... Done             
E: The repository 'http://security.debian.org/debian-security bullseye/updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Content of /etc/apt/sources.list:

# cat /etc/apt/sources.list
deb http://deb.debian.org/debian          bullseye         main
deb http://security.debian.org/debian-security bullseye/updates main

AFAIK, the content of a new Debian Bullseye installation contains the following lines in /etc/apt/sources.list:

deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
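
Both Debian reports above come down to the same suite-name change: releases up to buster publish security updates as `<release>/updates`, while bullseye and later use `<release>-security`, and until the entry is corrected apt refuses the repository and the container receives no security updates. The following is an added example, not code from the lxc-debian template; the function names and the legacy release list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not taken from the lxc-debian template.

# Releases whose security suite is still "<release>/updates".
# Bullseye and later publish it as "<release>-security".
LEGACY_SECURITY_RELEASES="wheezy jessie stretch buster"

# security_suite RELEASE: print the suite name to use on security.debian.org.
security_suite() {
    for legacy in $LEGACY_SECURITY_RELEASES; do
        if [ "$1" = "$legacy" ]; then
            printf '%s/updates\n' "$1"
            return 0
        fi
    done
    printf '%s-security\n' "$1"
}

# fix_sources_list: filter a sources.list from stdin to stdout, rewriting only
# security.debian.org entries that use "<release>/updates" for a release that
# no longer has such a suite. Entries with [options] are passed through as-is.
fix_sources_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        read -r kind uri suite rest <<EOF
$line
EOF
        case "$kind:$uri:$suite" in
            deb:*security.debian.org*:*/updates|deb-src:*security.debian.org*:*/updates)
                want=$(security_suite "${suite%/updates}")
                if [ "$want" != "$suite" ]; then
                    printf '%s %s %s %s\n' "$kind" "$uri" "$want" "$rest"
                    continue
                fi
                ;;
        esac
        printf '%s\n' "$line"
    done
}

# Constructed input: the two lines from the report plus a buster entry.
demo() {
    fix_sources_list <<'EOF'
deb http://deb.debian.org/debian          bullseye         main
deb http://security.debian.org/debian-security bullseye/updates main
deb http://security.debian.org/debian-security buster/updates main
EOF
}
demo
```

Inside an existing container the filter can be run over a copy of /etc/apt/sources.list and the result reviewed before it replaces the original.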

[Debian] Fix the way the encoding is fetched for some templates.

Hi,

Following up from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950840#16, there are some situations where this code, present in the lxc-debian template, will fail.

        encoding=$(echo "$LANG" | cut -d. -f2)                                                                
        chroot "$rootfs" sed -e "s/^# \(${LANG} ${encoding}\)/\1/" \                                          
            -i /etc/locale.gen 2> /dev/null                                                                   
        cat >> "$rootfs/etc/locale.gen" << EOF                                                                
$LANG $encoding

This is due to the fact that some LANG are only UTF-8 (eg en_IN), and hence LANG=en_IN and not LANG=en_IN.UTF-8. So the call to cut will not work.

I'll offer a patch in a PR.

With best regards.
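
The failure described in this report, shown next to one possible derivation that does not depend on a dot being present in LANG. This is an added example, not the template's code and not the reporter's patch; the function names are hypothetical, and the lookup file is assumed to use the `<locale> <charset>` line format of Debian's /usr/share/i18n/SUPPORTED.

```shell
#!/bin/sh
# Added example; not the lxc-debian template's code or the reporter's patch.

# naive_charset LOCALE: the derivation quoted in the report. cut prints the
# whole line when the delimiter is absent, so "en_IN" yields "en_IN".
naive_charset() {
    echo "$1" | cut -d. -f2
}

# locale_charset LOCALE SUPPORTED_FILE: take the charset from the locale name
# when it has one, otherwise look the locale up in a SUPPORTED-style file
# ("<locale> <charset>" per line). Returns 1 if no charset can be determined.
locale_charset() {
    case "$1" in
        *.*)
            charset=${1#*.}                  # text after the first dot
            printf '%s\n' "${charset%%@*}"   # drop a trailing @modifier
            return 0
            ;;
    esac
    [ -r "$2" ] || return 1
    charset=$(awk -v l="$1" '$1 == l { print $2; exit }' "$2")
    if [ -n "$charset" ]; then
        printf '%s\n' "$charset"
        return 0
    fi
    return 1
}

# locale_gen_line LOCALE SUPPORTED_FILE: the "<locale> <charset>" line that
# belongs in /etc/locale.gen, or failure instead of a malformed entry.
locale_gen_line() {
    charset=$(locale_charset "$1" "$2") || return 1
    printf '%s %s\n' "$1" "$charset"
}

# Constructed sample in the "<locale> <charset>" format.
write_sample_supported() {
    cat > "$1" <<'EOF'
en_IN UTF-8
en_US.UTF-8 UTF-8
de_DE@euro ISO-8859-15
EOF
}

tmp=$(mktemp) && write_sample_supported "$tmp"
echo "naive: en_IN $(naive_charset en_IN)"
echo "fixed: $(locale_gen_line en_IN "$tmp")"
rm -f "$tmp"
```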

failed to create a centos8 LXC container on centos8

The template below is mostly useful for bug reports and support questions.
Feel free to remove anything which doesn't apply to you and add more information where it makes sense.

Required information

  • Distribution: Centos
  • Distribution version: 8.0.1905
  • The output of
    • lxc-start --version: 3.2.1
    • uname -a: Linux arkadia 4.18.0-80.7.1.el8_0.x86_64 #1 SMP Sat Aug 3 15:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Issue description

I installed LXC3 on Centos8 using:
https://copr.fedorainfracloud.org/coprs/ganto/lxc3/

and then tried to run:

[root@arkadia ~]# lxc-create -n test2 -t centos -- -R 8
Host CPE ID from /etc/os-release: cpe:/o:centos:centos:8
Checking cache download in /var/cache/lxc/centos/x86_64/8/rootfs ... 
Downloading CentOS minimal ...
Failed to set locale, defaulting to C
Failed to set locale, defaulting to C
Unable to detect release version (use '--releasever' to specify release version)
CentOS-8 - Base                                                                              36  B/s |  38  B     00:01    
Error: Failed to synchronize cache for repo 'base'
Reinstalling packages ...
mkdir: cannot create directory '/var/cache/lxc/centos/x86_64/8/partial/etc/yum.repos.disabled': File exists
mv: cannot stat '/var/cache/lxc/centos/x86_64/8/partial/etc/yum.repos.d/*.repo': No such file or directory
mknod: /var/cache/lxc/centos/x86_64/8/partial//var/cache/lxc/centos/x86_64/8/partial/dev/null: File exists
mknod: /var/cache/lxc/centos/x86_64/8/partial//var/cache/lxc/centos/x86_64/8/partial/dev/urandom: File exists
cp: cannot stat '/var/cache/lxc/centos/x86_64/8/partial/var/cache/yum/*': No such file or directory
chroot: failed to run command 'yum': No such file or directory
Failed to download the rootfs, aborting.
Failed to download 'CentOS base'
failed to install CentOS
lxc-create: test2: lxccontainer.c: create_run_template: 1648 Failed to create container from template
lxc-create: test2: tools/lxc_create.c: main: 331 Failed to create container test2

Steps to reproduce

  1. Step one: get a centos8 minimal
  2. Step two: install copr and lxc3 from ganto/lxc3 COPR repo
  3. Step three: try to create a centos8 container

[debian] Some containers' templates are calling lxc-destroy or rm in a wrong way

Hi,

Follow-up from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839843: some templates are trapping SIGINT in a way that can be dangerous.

E.g., if the path provided for the container creation is not the good one, when sending SIGINT to the create process, the directory is destroyed, which can sometimes be counterproductive.

I'd suggest a prompt with a yes/no question offering to delete the directory.

Impacted templates : archlinux, centos, fedora, fedora-legacy, pld, and void-linux

Cheers.
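
An alternative to the prompt suggested in this report is to have the abort handler remove only a directory that the current run created. This is an added example, not code from any of the listed templates; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example; function and variable names are hypothetical.

CREATED_BY_US=""      # set only when this run created the directory

# begin_create PATH: create the container directory, remembering whether it
# already existed so that an abort never deletes data this run did not write.
begin_create() {
    target=$1
    if [ -e "$target" ]; then
        CREATED_BY_US=""
    else
        mkdir -p "$target" || return 1
        CREATED_BY_US=$target
    fi
}

# abort_cleanup: intended as the INT/TERM trap handler.
abort_cleanup() {
    if [ -n "$CREATED_BY_US" ] && [ -d "$CREATED_BY_US" ]; then
        rm -rf -- "$CREATED_BY_US"
        echo "aborted: removed $CREATED_BY_US" >&2
    else
        echo "aborted: left pre-existing directory untouched" >&2
    fi
    CREATED_BY_US=""
}

# In a template this would be wired up as:
#   begin_create "$path" && trap 'abort_cleanup; exit 130' INT TERM
```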

Templates should setup "systemd-preset" (issue: Fedora 37 templates disable systemd-networkd on first boot)

Currently the template scripts manually create symlinks to enable/disable systemd services.

For instance, the fedora template script explicitly enables systemd-networkd, but systemd reverts back to the 'preset' state whenever there's no /etc/machine-id file at boot time, where fedora now explicitly disables systemd-networkd in favor of NetworkManager.
This is done via /usr/lib/systemd/system-preset/90-default.preset.

The template should probably additionally also ship a preset (eg. /etc/systemd/system-preset/00-lxc.preset or something) containing the enable systemd-networkd.service line (and potentially others that get enabled).

While this behavior is somewhat awkward, it'll probably also be "safer" as eg. systemd-networkd.service contains an Alias= and a few Also= lines by now which aren't taken into account in the template scripts either.

lxc-debian uses basename instead of dirname when setting up the interpreter for a foreign architecture

When attempting to copy a statically linked interpreter, the script intends to create the target folder with mkdir -p. However, the target created is the basename, not the dirname of the target path of the interpreter. This will likely still function if the target directory happens to exist (e.g. rootfs/usr/bin), but may also create a nonsense folder in the working path. In the line below, basename should be replaced with dirname.

mkdir -p "$(basename "$cache/partial-$release-$arch/$interpreter_path")"
