VCT provides a vct_build_sliver_template command to create Debian sliver templates which are ready to use in the same version of the CONFINE node system. Please regard the rest of this document as reference documentation that may not apply to the current version of testbed software.

Creating a Debian sliver template

Host requirements (for creation & installation)

This document assumes that your system includes working LXC tools (Debian package lxc), with containers located under /var/lib/lxc.

Note: You may be interested in setting up the VM bridge in your system for containers to be able to access the Internet.

Container creation

Note: If you prefer to use a prebuilt sliver template, you can skip this section and jump straight to Container installation.

This explains how to create a Squashfs base image for Debian slivers using lxc-debian with live-debconfig and preseeding. It assumes that your system runs Debian and you have the packages lxc (version 0.9.0~alpha2-8 or newer from Debian experimental, not testing nor unstable) and squashfs-tools installed.

Download (but do not install) the Debian package live-debconfig version 4.0~a17 and copy it into /usr/share/lxc/packages:

# cp live-debconfig_4.0~a17-1_all.deb /usr/share/lxc/packages

Create a preseed file sliver.cfg like the following one:

# # Debian preseed file for CONFINE sliver template
# Tested on lxc 0.9.0~alpha3-2 and live-debconfig 4.0~a17.

# ## Distribution and packages
lxc-debconfig lxc-debconfig/distribution string wheezy
lxc-debconfig lxc-debconfig/architecture string i386
lxc-debconfig lxc-debconfig/archives multiselect \
    wheezy-security, wheezy-updates, wheezy-backports
lxc-debconfig lxc-debconfig/mirror string \
    http://http.debian.net/debian/
lxc-debconfig lxc-debconfig/mirror-security string \
    http://security.debian.org/
lxc-debconfig lxc-debconfig/mirror-backports string \
    http://http.debian.net/debian/
lxc-debconfig lxc-debconfig/archive-areas multiselect main
lxc-debconfig lxc-debconfig/packages string \
    bridge-utils curl iperf iptables iputils-arping iputils-ping \
    less man-db nano openssl screen \
    traceroute tshark vim-tiny w3m wget

# For configuring additional package sources.
##lxc-debconfig lxc-debconfig/archives0/repository string \
##    https://debian.example.com/  wheezy  main
##lxc-debconfig lxc-debconfig/archives0/list string local-my-repo
##lxc-debconfig lxc-debconfig/archives0/comment string \
##    My custom package repository
##lxc-debconfig lxc-debconfig/archives0/source boolean true
##lxc-debconfig lxc-debconfig/archives0/key string \
##    https://debian.example.com/keys/archive-key.asc

# ## Network
# Please adjust to the name of the bridge used in your host.
lxc-debconfig lxc-debconfig/eth0-bridge string vmbr
# Private MAC address, to be replaced on sliver creation.
lxc-debconfig lxc-debconfig/eth0-mac string 52:C0:A1:AB:BA:1A
# Private veth interface name, to be replaced on sliver creation.
lxc-debconfig lxc-debconfig/eth0-veth string veth-sliver

# ## Other container options
lxc-debconfig lxc-debconfig/auto boolean false
# Use live-debconfig to further configure the container.
lxc-debconfig lxc-debconfig/lxc-debconfig-with-live-debconfig boolean true
lxc-debconfig lxc-debconfig/apt-recommends boolean false
# Avoid debconf questions.
lxc-debconfig lxc-debconfig/debconf-frontend select noninteractive
## (default value)
##lxc-debconfig lxc-debconfig/debconf-priority string medium

# For running commands in the container and host at the end.
##lxc-debconfig lxc-debconfig/late-command string container-command args...
##lxc-debconfig lxc-debconfig/late-host-command string host-command args...

# Capabilities to be dropped from the container.
lxc-debconfig lxc-debconfig/capabilities string \
    audit_control audit_write ipc_lock mac_admin mac_override \
    sys_admin sys_module sys_pacct sys_rawio sys_resource sys_time \
    syslog wake_alarm

# For mounting filesystems in container.
##lxc-debconfig lxc-debconfig/mount0/entry string \
##    /host/path/foo  /container/path/bar  none  bind  0  0
##lxc-debconfig lxc-debconfig/mount0/comment string \
##    Bind mount host path in container

# ## Live-debconfig scripts configuration

# (For some reason live-debconfig options must be on a single line
# or the following options are not interpreted correctly.)

live-debconfig live-debconfig/scripts multiselect hostname, ifupdown, openssh-server, passwd, sysvinit, util-linux

# ### LXC (sysvinit)
# Perform LXC tweaks in the container.
live-debconfig live-debconfig/sysvinit/lxc-enable boolean true
## (default values)
##live-debconfig live-debconfig/sysvinit/lxc-consoles string 6
##live-debconfig live-debconfig/sysvinit/lxc-disable-services string checkroot.sh hwclockfirst.sh hwclock.sh kmod module-init-tools mountall.sh mountkernfs.sh umountfs umountroot

# ### Hardware clock access (util-linux)
live-debconfig live-debconfig/util-linux/hwclockaccess boolean false

# ### Host name (hostname)
# Host name, to be replaced on sliver creation.
live-debconfig live-debconfig/hostname/hostname string sliver

# ### Network configuration (ifupdown)
live-debconfig live-debconfig/ifupdown/lo-comment string The loopback interface
live-debconfig live-debconfig/ifupdown/lo-enable boolean true

# Private interface method, to be replaced on sliver creation.
live-debconfig live-debconfig/ifupdown/eth0-ipv4-comment string The private interface
live-debconfig live-debconfig/ifupdown/eth0-ipv4-method select dhcp

# For static configuration of network interfaces.
##live-debconfig live-debconfig/ifupdown/eth0-ipv4-method select static
##live-debconfig live-debconfig/ifupdown/eth0-ipv4-address string 1.2.3.4
##live-debconfig live-debconfig/ifupdown/eth0-ipv4-netmask string 255.255.255.0
##live-debconfig live-debconfig/ifupdown/eth0-ipv4-gateway string 1.2.3.1
##live-debconfig live-debconfig/ifupdown/eth0-ipv4-network string 1.2.3.0
##live-debconfig live-debconfig/ifupdown/eth0-ipv4-broadcast string 1.2.3.255
##live-debconfig live-debconfig/ifupdown/eth0-ipv4-mtu string 1500
##live-debconfig live-debconfig/ifupdown/eth0-ipv4-post-up string post-command

# For static configuration of DNS.
##live-debconfig live-debconfig/ifupdown/nameserver-addresses string 5.6.7.8 9.10.11.12
##live-debconfig live-debconfig/ifupdown/nameserver-domain string example.com
##live-debconfig live-debconfig/ifupdown/nameserver-search string lan example.com
##live-debconfig live-debconfig/ifupdown/nameserver-options string debug

# ### Users (passwd)
live-debconfig live-debconfig/passwd/shadow boolean true
live-debconfig live-debconfig/passwd/root-password string confine

And run the following command:

# lxc-create -t debian -n sliver -- --preseed-file=/path/to/sliver.cfg

After a while a new container called sliver will be set up.

With recent kernels, containers have their own view of the proc and sys file systems, so these can be safely mounted read-write. This is also needed on systems using AppArmor (like Ubuntu) to avoid the error message “lxc-start: Read-only file system - failed to change apparmor profile to lxc-container-default”. Although package lxc >= 0.9.0~rc1-5 supports configuring their mount options through the preseed file, you can also fix the container's configuration file /var/lib/lxc/sliver/config by running:

# sed -ri 's/^(lxc.mount.entry\s*=.* )(proc|sysfs) ro\b/\1\2 rw/' /var/lib/lxc/sliver/config

Since the container creation scripts only work with a primary network interface called eth0, whereas CONFINE slivers usually have a private interface called priv instead, rename the interface with the following command:

# sed -i s/eth0/priv/g /var/lib/lxc/sliver/config \
      /var/lib/lxc/sliver/rootfs/etc/network/interfaces

Before the container gets cluttered with files created during its execution, create a Squashfs image from the container's root directory and a copy of its configuration by running:

# template_name="debian,wheezy,i386,$(date -u +%Y%m%d)NN"
# mksquashfs /var/lib/lxc/sliver/rootfs "$template_name.squashfs"
# cp /var/lib/lxc/sliver/config "$template_name.config"
# unset template_name

where NN is a serial number (starting at 00) for the different versions of the same image produced on the same day. Please use the same distribution name and architecture (wheezy and i386) specified in the preseed file.

After that you may want to test the container straight away by running lxc-start -n sliver (you may log in as root using the password confine).
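As an added example (not code from the CONFINE project or this page), the following POSIX shell script wraps the two post-creation rewrites above (proc/sysfs read-write, eth0 renamed to priv) in functions and adds the checks a maintainer would want to run before snapshotting the container with mksquashfs: that no read-only proc/sysfs entry is left, that eth0 is gone from both files, and that the capability drop list requested in the preseed file survived without also dropping sys_boot. It assumes the container directory layout used on this page (config, rootfs/etc/network/interfaces) and that lxc-debconfig records the dropped capabilities under the LXC key lxc.cap.drop; the sample config and interfaces files it builds are constructed for trying it offline.

```shell
#!/bin/sh
# Added example, not code from the CONFINE project or this page: applies the
# page's two rewrites to a container directory and verifies the result before
# mksquashfs. Assumes the page's directory layout and that the dropped
# capabilities appear under lxc.cap.drop; the sample files are constructed.

# Edit a file in place through a temporary copy (works with GNU and BSD sed).
sed_inplace() {  # expression file
    sed -E "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Rewrite read-only proc/sysfs mount entries to read-write.
fix_mounts_rw() {  # container_dir
    sed_inplace 's/^(lxc\.mount\.entry[[:space:]]*=.* )(proc|sysfs) ro([, ])/\1\2 rw\3/' "$1/config"
}

# Rename the primary interface eth0 to priv in the LXC config and in the
# container's /etc/network/interfaces.
rename_primary_iface() {  # container_dir
    sed_inplace 's/eth0/priv/g' "$1/config"
    sed_inplace 's/eth0/priv/g' "$1/rootfs/etc/network/interfaces"
}

# Capabilities the preseed file asks lxc-debconfig to drop; sys_boot is kept.
REQUIRED_DROPS="audit_control audit_write ipc_lock mac_admin mac_override
sys_admin sys_module sys_pacct sys_rawio sys_resource sys_time syslog wake_alarm"

# Return 0 when the container is ready to be turned into a template.
check_sliver_config() {  # container_dir
    cfg="$1/config"
    if grep -Eq '^lxc\.mount\.entry[[:space:]]*=.* (proc|sysfs) ro([, ]|$)' "$cfg"; then
        echo "proc or sysfs is still mounted read-only" >&2; return 1
    fi
    if grep -q 'eth0' "$cfg" "$1/rootfs/etc/network/interfaces"; then
        echo "eth0 is still referenced; expected priv" >&2; return 1
    fi
    # All lxc.cap.drop lines, joined into one space-separated list.
    drops=$(sed -n 's/^lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$cfg" | tr '\n' ' ')
    for cap in $REQUIRED_DROPS; do
        case " $drops " in
            *" $cap "*) ;;
            *) echo "capability $cap is not dropped" >&2; return 1 ;;
        esac
    done
    case " $drops " in
        *" sys_boot "*) echo "sys_boot must stay available to the sliver" >&2; return 1 ;;
    esac
    return 0
}

# Template file name following the page's scheme: debian,DIST,ARCH,YYYYMMDDNN.
template_name() {  # dist arch yyyymmdd serial
    printf 'debian,%s,%s,%s%s\n' "$1" "$2" "$3" "$4"
}

# Apply the fixes, then verify them.
prepare_sliver() {  # container_dir
    fix_mounts_rw "$1" && rename_primary_iface "$1" && check_sliver_config "$1"
}

# Constructed sample of what lxc-create leaves behind, for trying this offline.
make_sample_container() {  # container_dir
    mkdir -p "$1/rootfs/etc/network"
    cat > "$1/config" <<'EOF'
lxc.rootfs = /var/lib/lxc/sliver/rootfs
lxc.mount.entry = proc /var/lib/lxc/sliver/rootfs/proc proc ro,nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs /var/lib/lxc/sliver/rootfs/sys sysfs ro 0 0
lxc.network.type = veth
lxc.network.link = vmbr
lxc.network.name = eth0
lxc.network.veth.pair = veth-sliver
lxc.cap.drop = audit_control audit_write ipc_lock mac_admin mac_override sys_admin sys_module sys_pacct sys_rawio sys_resource sys_time syslog wake_alarm
EOF
    cat > "$1/rootfs/etc/network/interfaces" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF
}
```

On a real host you would call `prepare_sliver /var/lib/lxc/sliver` as root and only run mksquashfs when it returns 0; `make_sample_container` exists so the checks can be exercised in a scratch directory first.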

Container installation

The following instructions assume that there is no other container called sliver in the host.

To create a new container from an already created template, download the newest debian,NAME,ARCH,SERIAL.{squashfs,config} files from https://media.confine-project.eu/misc/. Create the directories to place the container files and copy them there:

# mkdir /var/lib/lxc/sliver
# cp debian,NAME,ARCH,SERIAL.config /var/lib/lxc/sliver/config
# cp debian,NAME,ARCH,SERIAL.squashfs /var/lib/lxc/sliver/template.squashfs
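The mkdir/cp step above, as an added example that is not code from the CONFINE project or this page: before copying the image under /var/lib/lxc it compares the file's SHA256 with the sum published for that template in the Template history section, and it refuses to touch a container directory that already exists (the section assumes no other container called sliver). The function and file names are the example's own; the digest is taken from whichever of sha256sum, shasum or openssl the host provides; the test input is a constructed stand-in for a real image.

```shell
#!/bin/sh
# Added example, not code from the CONFINE project or this page: installs a
# downloaded template into a container directory as the steps above do, after
# checking the image's SHA256 against the published sum and making sure the
# destination does not exist yet. Function names are the example's own.

# Print the hex SHA256 of a file, using whatever tool is available.
sha256_of() {  # file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    else
        echo "no SHA256 tool found" >&2; return 2
    fi
}

# Return 0 when the file matches the expected digest (hex, any case).
verify_sha256() {  # file expected_hex
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# install_template CONFIG SQUASHFS EXPECTED_SHA256 CONTAINER_DIR
# Copies the files into CONTAINER_DIR as config and template.squashfs, only if
# the image verifies and the directory does not exist yet.
install_template() {
    config="$1"; image="$2"; expected="$3"; dest="$4"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing container at $dest" >&2; return 1
    fi
    if ! verify_sha256 "$image" "$expected"; then
        echo "SHA256 mismatch for $image; not installing" >&2; return 1
    fi
    mkdir -p "$dest" &&
    cp "$config" "$dest/config" &&
    cp "$image" "$dest/template.squashfs"
}
```

For a template listed in the history section the call is, as root, `install_template debian,NAME,ARCH,SERIAL.config debian,NAME,ARCH,SERIAL.squashfs PUBLISHED_SHA256 /var/lib/lxc/sliver`; a non-zero exit means nothing was written, so the unsquashfs or overlay step that follows can be skipped safely.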

You may choose either to unpack the Squashfs image into the container's root file system directory, or to stack a read-write overlay directory on top of the read-only template (using overlayfs or AuFS). In the first case use unsquashfs from the squashfs-tools package:

# unsquashfs -d /var/lib/lxc/sliver/rootfs /var/lib/lxc/sliver/template.squashfs

In the second case you need to create and enable an LXC pre-mount hook for the container that sets up the overlaid root file system:

# mkdir -p /var/lib/lxc/sliver/{template,overlay,rootfs}
# cat >> /var/lib/lxc/sliver/mount-overlay << 'EOF'
#!/bin/sh
LXC_DIR=$(dirname "$LXC_ROOTFS_PATH")
mount -nt squashfs -o ro "$LXC_DIR/template.squashfs" "$LXC_DIR/template"
mount -nt overlayfs -o "lowerdir=$LXC_DIR/template,upperdir=$LXC_DIR/overlay" sliver "$LXC_ROOTFS_PATH" \
|| mount -nt aufs -o "br=$LXC_DIR/overlay:$LXC_DIR/template" sliver "$LXC_ROOTFS_PATH"
EOF
# chmod +rx /var/lib/lxc/sliver/mount-overlay
# cat >> /var/lib/lxc/sliver/config << 'EOF'

## Prepare the writable root using an overlay directory.
lxc.hook.pre-mount = /var/lib/lxc/sliver/mount-overlay
EOF

Usually, if you only have a single sliver container it will need no further configuration, although you may want to fine-tune options in the config file to your liking.

If you unpacked the template somewhere else or used a different container name, edit the config file and replace all occurrences of /var/lib/lxc/sliver. If your bridge is not called vmbr, change lxc.network.link. If you are already running another container using the same template, you may need to change the lxc.network.hwaddr MAC address and the lxc.network.veth.pair name.

Container usage

You may start the container by running:

# lxc-start -n sliver

As instructed in the preseed file, you may log in as root using the password confine.

Template history

  • 2013060501, i386 (SHA256: fcb0d9d0f872e10936ec3fc5720841febc5cd625b55c8d1dc857f973f5cc7e5b, LXC config)
    • Same image as 2013060500, but changed LXC config to retain the sys_boot capability and mount proc and sys read-write.
  • 2013060500, i386 (SHA256: fcb0d9d0f872e10936ec3fc5720841febc5cd625b55c8d1dc857f973f5cc7e5b, LXC config)
    • Based on Debian Wheezy.
    • Configured to be used as a plain container.
    • Add packages bridge-utils, curl, nano, iputils-arping.
    • Use Bash as login shell.
    • Name primary interface as priv.
  • 2012041700, i386 (SHA256: f0be1a9af7b56ea7f8efc0762c0da840730e83c2255096ef99feebe51bc2f801)
    • Initial version.
    • Based on Debian Squeeze.
    • Not configured to be used as a plain container.
soft/debian-template.txt · Last modified: 2014/04/01 13:03 by ivilata