Installation is very simple. Just download the newest “vct-container” archive from our public repository and configure it.
First of all, download the newest
vct-container,YYYYMMDDNN.tar.xz archive from https://media.confine-project.eu/vct-container/. It contains a single VCT directory containing the LXC configuration file (
vct/config) and its root filesystem (
In our case, we are going to use the version from 2013, August 2nd.
~$ sudo su ~# wget https://media.confine-project.eu/vct-container/vct-container,2013080200.tar.xz
Now you should be able to unpack the archive straight into your LXC directory by running
~# tar -C /var/lib/lxc --numeric-owner -xJf vct-container,2013080200.tar.xz
Usually, if you only have a single VCT container it will need no further configuration, although you may want to fine-tune options in the config file to your liking.
If you unpacked somewhere else or used a different container name, edit the config file and replace all occurrences of
/var/lib/lxc/vct. If your bridge is not called “vmbr” change the
lxc.network.link. If you are already running another container using the same template, you may need to change the
lxc.network.hwaddr MAC address and
In systems using AppArmor (like Ubuntu) the container will run with an unconfined profile to allow it to perform actions like mounting filesystems. The easiest way to do it, is to disable the AppArmor for the VCT.
~# cat >> /var/lib/lxc/vct/config << 'EOF' > ## Disable AppArmor for VCT > lxc.aa_profile = unconfined > EOF
The next step is to start the container and log in with the username and password vct:confine.
~# lxc-start -n vct
After restarting your machine, it is probable that when you try to start the VCT-C, you receive an error message, meaning that you didn't start the bridge before.
lxc-start: failed to attach 'vethb97OmU' to the bridge 'vmbr' : No such device
In such cases, you need to run the
ifup vmbr command first. See the VCT Bridge tutorial for more information.
The compiled image contains the CONFINE SDK built when it was created. Hence, it is recommended to update the development framework to the last version. The
git checkout command ensures that you use the latest version this tutorial was checked against, but you may specify other versions or branches like testing. First, clean previous VCT configuration:
vct@vct:~$ cd ~/confine-dist/utils/vct vct@vct:~/confine-dist/utils/vct$ ./vct_system_cleanup vct@vct:~/confine-dist/utils/vct$ sudo rm -rf /var/lib/vct
Then, download the latest version of the development source:
vct@vct:~$ cd ~/confine-dist vct@vct:~/confine-dist$ git checkout testing vct@vct:~/confine-dist$ git pull
If you want to use a specific version of the controller, just override the VCT_SERVER_VERSION:
echo 'VCT_SERVER_VERSION=0.9' >> ~/confine-dist/utils/vct/vct.conf.overrides
Now that CONFINE SDK is correctly installed, it is time to take a look into the directory structure:
/filescontains configuration files that will be copied to the OpenWrt image.
/openwrtcontains OpenWrt source, cloned from our Redmine git repository.
/packagescontains CONFINE-specific packages related to slices/slivers initialization and deployment.
/utilscontains some command line utilities for researchers and developers.
/utils/vctcontains the VCT itself.
/dlwill contain all the downloaded libraries necessary to compile the SDK.
/imageswill contain the compiled OpenWrt image itself.