Re: [Lxc-users] lxc containers as backup 'replicas'
On 05/06/13, Fajar A. Nugraha (l...@fajar.net) wrote:
> On Wed, Jun 5, 2013 at 6:50 PM, Rory Campbell-Lange wrote:
> > I'd be grateful to know if it is possible to sync 1. and 3. into the
> > container when it is not running. In other words, to simply update the
> > config files in /var/lib/lxc//rootfs/etc, for example?

...

> However, personally I'd just forget for a moment that the backup will be
> run on lxc and do the same things I'd do on a normal machine.
>
> In my case, I'd use zfs snapshot and send|receive (yes, you can use zfs
> for root). In your case it'd probably be rsync or whatever you're happy with.

Are there any files that shouldn't percolate between a normal running
server's /etc/ and one in an lxc container?

> > On another point I'd also like to know of the recommended way of using
> > another mount point for lxc containers and the dpkg cache. For example,
> > I wish to hold my containers in /dev/sdb/ mounted on /containers. Should
> > I symlink /var/lib/lxc/ to this mount point?
>
> I'm pretty sure there were problems with that on some versions of lxc
> (can't remember the exact details, sorry). A bind mount would probably
> be safer.

Do you mean the equivalent of 'mount /dev/sdb1 /var/lib/lxc/' ?

> > Finally I'd be grateful to learn of people's experiences with btrfs for
> > snapshotting and managing containers. I personally use it for my laptop
> > backups, but my host server is on a 3.2.0-4-amd64 kernel which is pretty
> > old by btrfs standards.
>
> Is there a particular requirement for that version of kernel? In
> RHEL/Centos/Ubuntu you can often use prebuilt latest vanilla kernel
> with only minimum change required (although the distro won't officially
> support it, obviously).
>
> If you're stuck with kernel 3.2 then I'd say use zfs. The devs take extra
> care to make sure it works well on RHEL6 (with its ancient 2.6.32 kernel),
> and should work on all kernel from that version up to 3.9.

I'm on Debian stable and I like being there for production machines
(even though this is a backup machine). I'm not sure about the
availability of a 3.8+ kernel on Debian.

I'm tempted by zfs but worried about its likely cohabitation --
licence-wise -- over time with the kernel.

Thanks for your comments
Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Re: [Lxc-users] lxc containers as backup 'replicas'
On 05/06/13, Serge Hallyn (serge.hal...@ubuntu.com) wrote:
> Quoting Rory Campbell-Lange (r...@campbell-lange.net):
> > On another point I'd also like to know of the recommended way of using
> > another mount point for lxc containers and the dpkg cache. For example,
> > I wish to hold my containers in /dev/sdb/ mounted on /containers. Should
> > I symlink /var/lib/lxc/ to this mount point?
>
> If you're on a new enough lxc (i.e. 0.9.0) I'd recommend using lxcpath.
> You can set 'lxcpath = /srv/lxc' in /etc/lxc/lxc.conf, then all
> containers will be created and run from /srv/lxc instead of
> /var/lib/lxc. Or you can just add '-P /srv/lxc' to all lxc-* commands.

I'm on Debian Wheezy which has 0.8.0~rc1-8+deb7u1. Looks like I should
use the -P flag.

> > Finally I'd be grateful to learn of people's experiences with btrfs for
> > snapshotting and managing containers. I personally use it for my laptop
> > backups, but my host server is on a 3.2.0-4-amd64 kernel which is pretty
> > old by btrfs standards.
>
> yeah I don't know that I'd trust it under 3.2. I think 3.5 is where it
> stopped losing data for me. But best to run some tests. When it
> failed me, it generally did so after one or two subvolume commands.

Cheers for those notes.

Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

[Lxc-users] lxc containers as backup 'replicas'
Following the pretty successful tests** I've been making of using lxc
containers I'd be grateful for some advice on using lxc containers as
backup 'replicas' of running machines, to bring up in case the main host
fails.

**(I've been on the list to discuss routing problems which I've solved
temporarily by turning off kernel ethernet filtering -- still an issue
in discussion).

There are 4 parts to a running machine that I will need to replicate to
a lxc container, which I intend to do nightly. These are:

1. etc configuration (we back config files up through etckeeper)
2. binaries (we're happy with a dpkg -l listings here)
3. run-time config for web apps (we back up through a file backup)
4. database backup (backed up via log shipping)

I'd be grateful to know if it is possible to sync 1. and 3. into the
container when it is not running. In other words, to simply update the
config files in /var/lib/lxc//rootfs/etc, for example?

On another point I'd also like to know of the recommended way of using
another mount point for lxc containers and the dpkg cache. For example,
I wish to hold my containers in /dev/sdb/ mounted on /containers. Should
I symlink /var/lib/lxc/ to this mount point?

Finally I'd be grateful to learn of people's experiences with btrfs for
snapshotting and managing containers. I personally use it for my laptop
backups, but my host server is on a 3.2.0-4-amd64 kernel which is pretty
old by btrfs standards.

Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

Re: [Lxc-users] Routing issues
On 04/06/13, Michael H. Warfield (m...@wittsend.com) wrote:
> > I'd be grateful to know if anyone has some firewall (iptables) advice for
> > allowing traffic to the container? I expect to run another firewall on the
> > container itself.
>
> That's probably your FORWARD chain there. Set that policy to ACCEPT and
> flush all the rules from the FORWARD chain like this:
>
>     iptables -P FORWARD ACCEPT
>     iptables -F FORWARD
>
> FORWARD chain is going to affect packets forwarded over the host's
> bridge to the containers. The INPUT and OUTPUT chains will affect the
> packets coming in and going out from the local host's OS interfaces.
>
> Depending on your distro, track down your persistent rule storage and
> make those changes permanent. Fedora prior to firewalld (here we go
> again), RedHat, and RH derivatives (CentOS et al) are generally
> in /etc/sysconfig/iptables unless you've also installed one of the
> sundry firewall toolkits. Ubuntu, I'm not so sure about.

I'm using Debian, and I'm using a simple ufw firewall on the host server
at present. The iptables -L output is here: http://pastebin.com/QzQKRDX0

I don't have any trouble with the firewall restarting.

Thanks very much
Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

Re: [Lxc-users] Routing issues
On 04/06/13, Rory Campbell-Lange (r...@campbell-lange.net) wrote:
> On 03/06/13, Serge Hallyn (serge.hal...@ubuntu.com) wrote:
> > Quoting Rory Campbell-Lange (r...@campbell-lange.net):
> > > On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:
> > > The host is on aa.bb.cc.103 (a public net address)
> > > and the container is on aa.bb.cc.87.
> > >
> > > I can get from 87 to 103, but I can't ping the gateway from the
> > > container.

> > 1. what does 'route -n' in the container (and on the host) show?
> >
> > 2. when you ping the ip address of your router, what does traceroute
> > (wireshark, whatever) on the host show?

> Going through the steps above showed me I had a firewall problem. Dropping the
> firewall allowed the container to hit the internet. Apologies for this beginner
> problem.
>
> I'd be grateful to know if anyone has some firewall (iptables) advice for
> allowing traffic to the container? I expect to run another firewall on the
> container itself.

It looks like I don't have to drop the firewall on the host if I do the
following:

    for f in /proc/sys/net/bridge/bridge-nf-*; do echo 0 > $f; done

Reference:
http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge#No_traffic_gets_trough_.28except_ARP_and_STP.29

Is this recommended?

Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

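The two workarounds raised in this thread (an empty FORWARD chain with policy ACCEPT, and zeroing the bridge-nf-* toggles) leave the host in different states: in the first the FORWARD chain still sees bridged container traffic, in the second it never does. The script below is an added example, not code from any poster; it classifies which state a host is in. The function names, verdict labels and sample rule lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report whether traffic bridged to a
# container is subject to the host's iptables FORWARD chain.

# Print the bridge-nf-* toggles under DIR that are set to 1.
# DIR defaults to the live /proc/sys/net/bridge.
bridge_nf_enabled() {
    dir=${1:-/proc/sys/net/bridge}
    for f in "$dir"/bridge-nf-*; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            basename "$f"
        fi
    done
}

# forward_verdict DIR RULES
#   DIR    directory holding the bridge-nf-* toggles
#   RULES  file containing the output of `iptables -S FORWARD`
# Prints one of:
#   bypass      bridge-nf-call-iptables is 0: FORWARD never sees bridged frames
#   accept-all  FORWARD is consulted but is empty with policy ACCEPT
#   filtered    FORWARD is consulted and has rules or a non-ACCEPT policy
forward_verdict() {
    if ! bridge_nf_enabled "$1" | grep -qx 'bridge-nf-call-iptables'; then
        echo bypass
    elif grep -qx -- '-P FORWARD ACCEPT' "$2" &&
         ! grep -q -- '^-A FORWARD' "$2"; then
        echo accept-all
    else
        echo filtered
    fi
}

# Constructed sample state, so the example runs without root or a bridge.
demo() {
    tmp=$(mktemp -d)
    for t in bridge-nf-call-arptables bridge-nf-call-iptables \
             bridge-nf-call-ip6tables; do
        echo 1 > "$tmp/$t"
    done

    # Host firewall active: restrictive policy plus a rule (constructed).
    printf '%s\n' '-P FORWARD DROP' \
        '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        > "$tmp/rules"
    echo "firewall up:           $(forward_verdict "$tmp" "$tmp/rules")"

    # After 'iptables -P FORWARD ACCEPT; iptables -F FORWARD'.
    printf '%s\n' '-P FORWARD ACCEPT' > "$tmp/rules"
    echo "policy ACCEPT + flush: $(forward_verdict "$tmp" "$tmp/rules")"

    # After zeroing bridge-nf-*: the DROP policy no longer applies to the bridge.
    for f in "$tmp"/bridge-nf-*; do echo 0 > "$f"; done
    printf '%s\n' '-P FORWARD DROP' > "$tmp/rules"
    echo "bridge-nf-* zeroed:    $(forward_verdict "$tmp" "$tmp/rules")"

    rm -rf "$tmp"
}
demo
```

On a real host, save the output of `iptables -S FORWARD` (as root) to a file and call `forward_verdict /proc/sys/net/bridge` with that file as the second argument. A "bypass" verdict means any filtering of container traffic has to happen inside the container or with bridge-level tools, since the host's FORWARD rules are not consulted.
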
Re: [Lxc-users] Routing issues
On 03/06/13, Serge Hallyn (serge.hal...@ubuntu.com) wrote:
> Quoting Rory Campbell-Lange (r...@campbell-lange.net):
> > On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:
> > >
> > > What is the IP address of the container?
> >
> > The host is on aa.bb.cc.103 (a public net address)
> > and the container is on aa.bb.cc.87.
> >
> > I can get from 87 to 103, but I can't ping the gateway from the
> > container.
>
> Hm, here's an idea. Lxc sets /proc/sys/net/ipv4/conf/$link/forwarding.
> Perhaps that isn't enough. You might
> echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding and
> /proc/sys/net/ipv4/ip_forward.
>
> But,
>
> 1. what does 'route -n' in the container (and on the host) show?
>
> 2. when you ping the ip address of your router, what does traceroute
> (wireshark, whatever) on the host show?

Hi Serge

Thanks very much for your email.

Going through the steps above showed me I had a firewall problem.
Dropping the firewall allowed the container to hit the internet.
Apologies for this beginner problem.

I'd be grateful to know if anyone has some firewall (iptables) advice
for allowing traffic to the container? I expect to run another firewall
on the container itself.

Regards
Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

Re: [Lxc-users] Routing issues
On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:
>
> What is the IP address of the container?

The host is on aa.bb.cc.103 (a public net address)
and the container is on aa.bb.cc.87.

I can get from 87 to 103, but I can't ping the gateway from the
container.

> If it's a private address and you want NAT, then the container
> should be linked to another iface. Either to a dummy iface or eth1.

I'm trying to do everything over br0 with fixed ip addresses, like
http://wiki.debian.org/LXC/SimpleBridge

> So you leave eth0 untouched and create br1 with eth1 and choose an
> IP for the container from 192.168.9.9/27.
>
> Then setup the machine as gateway (ip_forward, NAT/MASQ).

I'll give those a go if the br0/eth0 arrangement I'm trying doesn't
work. I'm not keen to forward ports from the host, if I can avoid it.

>
> AFAIK, you can also choose a different network type, but I've never used.

Regards
Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

Re: [Lxc-users] Routing issues
On 04/06/13, Papp Tamas (tom...@martos.bme.hu) wrote:
> On 06/03/2013 06:55 PM, Rory Campbell-Lange wrote:
> >
> > I can ssh into the main host from the lxc host. However I cannot hit the
> > internet from the lxc host. I'd be grateful for some pointers.
> >
> > At present I have the following configuration on the host:
> >
> >     auto br0
> >     iface br0 inet static
> >         bridge_ports eth0
> >         bridge_fd 0
> >         address aa.bb.cc.103
> >         netmask 255.255.255.192
> >         gateway aa.bb.cc.65
> >
> > and the following in the container config:
> >
> >     lxc.utsname = wheezy05
> >     lxc.network.type = veth
> >     lxc.network.flags = up
> >     lxc.network.link = br0
> >     lxc.network.ipv4 = aa.bb.cc.87/26
> >     lxc.network.hwaddr = 00:1E:83:8D:7C:25
> >
> > with the following in wheezy05's /etc/network/interfaces file:
> >
> >     auto eth0
> >     # iface eth0 inet dhcp
> >     iface eth0 inet static
> >         address aa.bb.cc.87
> >         netmask 255.255.255.192
> >         gateway aa.bb.cc.65
> >
> > One specific issue I found:
> >
> > * it looks like the container address is assigned at startup and the
> >   'interfaces' network stanza is not run -- I have to assign the
> >   gateway by hand
>
> So you can or can not hit the internet? It's not clear, what your
> problem is exactly. It's also not clear, which one you mean by 'lxc
> host'.
>
> Do you really mean the machine, where containers are running, or lxc
> host is actually the guest?
>
> You don't need to use lxc.network.ipv4, if you setup the network from
> the container.

Hi Tamas

Thanks very much for your email.

First of all thanks very much for the note about the lxc.network.ipv4
parameter -- I disabled that and routing seems to be fine.

My question was unclear -- sorry! My host is on the internet. I can ssh
from the guest to the host over the bridge, but I can't route out of the
subnet. Do I need iptables masquerading on the host in this scenario?

host 'ip addr' output with the guest running:

    2: eth0: mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
        link/ether 00:e0:81:4c:bc:f6 brd ff:ff:ff:ff:ff:ff
    3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:e0:81:4c:bc:f7 brd ff:ff:ff:ff:ff:ff
        inet 192.168.9.9/27 brd 192.168.9.31 scope global eth1
        inet6 fe80::2e0:81ff:fe4c:bcf7/64 scope link
           valid_lft forever preferred_lft forever
    4: br0: mtu 1500 qdisc noqueue state UP
        link/ether 00:e0:81:4c:bc:f6 brd ff:ff:ff:ff:ff:ff
        inet aa.bb.cc.103/26 brd aa.bb.cc.127 scope global br0
        inet6 fe80::2e0:81ff:fe4c:bcf6/64 scope link
           valid_lft forever preferred_lft forever
    36: vethklhgjT: mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
        link/ether fe:ae:36:71:d7:2b brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fcae:36ff:fe71:d72b/64 scope link
           valid_lft forever preferred_lft forever

Regards
Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

[Lxc-users] Routing issues
I have (with Rob van der Hoeven's help) setup a Debian Wheezy container
on a Wheezy host. This worked well.

I can ssh into the main host from the lxc host. However I cannot hit the
internet from the lxc host. I'd be grateful for some pointers.

At present I have the following configuration on the host:

    auto br0
    iface br0 inet static
        bridge_ports eth0
        bridge_fd 0
        address aa.bb.cc.103
        netmask 255.255.255.192
        gateway aa.bb.cc.65

and the following in the container config:

    lxc.utsname = wheezy05
    lxc.network.type = veth
    lxc.network.flags = up
    lxc.network.link = br0
    lxc.network.ipv4 = aa.bb.cc.87/26
    lxc.network.hwaddr = 00:1E:83:8D:7C:25

with the following in wheezy05's /etc/network/interfaces file:

    auto eth0
    # iface eth0 inet dhcp
    iface eth0 inet static
        address aa.bb.cc.87
        netmask 255.255.255.192
        gateway aa.bb.cc.65

One specific issue I found:

* it looks like the container address is assigned at startup and the
  'interfaces' network stanza is not run -- I have to assign the
  gateway by hand

Many thanks
Rory

--
Rory Campbell-Lange
r...@campbell-lange.net

Re: [Lxc-users] Difficulties setting up lxc on Debian 7
On 29/05/13, Niklas Fuchs (nkfu...@yahoo.de) wrote:
> did any of you have success with using user ns and debian? does sshd
> work?

Hi Niklas

What do you mean by "user ns"?

--
Rory Campbell-Lange
r...@campbell-lange.net

Re: [Lxc-users] Difficulties setting up lxc on Debian 7
On 24/05/13, Rob van der Hoeven (robvanderhoe...@ziggo.nl) wrote:
> On Fri, 2013-05-24 at 11:26 +0100, Rory Campbell-Lange wrote:
> > I'd be grateful for assistance trying to get a minimal Debian 7 lxc system
> > running on a Debian 7 host.

> The debian template that comes with Wheezy is broken. Solution: use
> another template. See:
>
> http://sourceforge.net/mailarchive/message.php?msg_id=30820418

That worked perfectly. Thanks very much indeed.

--
Rory Campbell-Lange
r...@campbell-lange.net

[Lxc-users] Difficulties setting up lxc on Debian 7
I'd be grateful for assistance trying to get a minimal Debian 7 lxc
system running on a Debian 7 host.

I've been mainly following this guide:
http://www.stefan-seelmann.de/wiki/lxc

I've installed live-debconfig into the base system and
/usr/share/lxc/packages/.

I have a minimal cfg file along the following lines:

    lxc.utsname= code
    lxc.network.type = veth
    lxc.network.flags = up
    lxc.network.link = br0
    lxc.network.name = eth1
    lxc.network.ipv4 = 192.168.7.2/27
    lxc.network.veth.pair = veth0

Try one:

    lxc-create -n code2 -t debian -f config.cfg -B btrfs

(/var/lib/lxc is a symlink to /vms, a btrfs volume)

This has lots of errors such as:

    Copying local cache to /var/lib/lxc/code2/rootfs...
    /usr/share/lxc/templates/lxc-debian: line 101: /var/lib/lxc/code2/rootfs/etc/apt/sources.list.d/debian.list: No such file or directory
    /usr/share/lxc/templates/lxc-debian: line 107: /var/lib/lxc/code2/rootfs/etc/apt/sources.list.d/debian.list: No such file or directory
    /usr/share/lxc/templates/lxc-debian: line 111: /var/lib/lxc/code2/rootfs/etc/apt/sources.list.d/debian.list: No such file or directory
    /usr/share/lxc/templates/lxc-debian: line 183: /var/lib/lxc/code2/rootfs/etc/fstab: No such file or directory
    mount: mount point /var/lib/lxc/code2/rootfs/dev/pts does not exist
    mount: mount point /var/lib/lxc/code2/rootfs/proc does not exist
    mount: mount point /var/lib/lxc/code2/rootfs/sys does not exist
    mount: mount point /var/lib/lxc/code2/rootfs/var/cache/apt/archives does not exist

Try two: get rid of btrfs volume/symlink

    lxc-create -n code3 -t debian -f config.cfg

Errors:

    debconf: unable to initialize frontend:...
    update-rc.d: warning: start runlevel arguments (none) do not match live Default-Start values (S)
    /usr/bin/env: live-debconfig: No such file or directory

When trying to start code3 there are lots of mount problems:

    Creating compatibility symlink from /etc/mtab to /proc/mounts. ... (warning).
    Cleaning up temporary files... /tmp.
    mount: permission denied
    mount: permission denied
    mount: permission denied
    ...

and I never get to a boot screen.

--
Rory Campbell-Lange
r...@campbell-lange.net