Jochen Wiedmann
2016-Feb-09 09:32 UTC
[CentOS-virt] LXC on CentOS 7 HowTo: PAM Configuration
Hi,

I am trying to implement something like an "LXC on CentOS 7 HowTo" for internal use. (Might as well get public afterwards.) I am following the HowTo for CentOS 6 (https://wiki.centos.org/HowTos/LXC-on-CentOS6). So, here's what I did so far (Steps 1-6 can easily be omitted, but I am trying to be complete.)

1.) Disable delta RPM's in /etc/yum.conf

2.) Remove LibreOffice

    sudo yum remove "libreoffice*"

3.) System update

    sudo yum -y update

4.) Install some niceties

    sudo yum -y install emacs emacs-nox "@Development Tools" git subversion

5.) Reboot

6.) Install VirtualBox Guest Additions

7.) Install libvirt

    sudo yum -y install libvirt libvirt-client libvirt-install

8.) Setting up root fs for a container:

    sudo su -
    mkdir -p /var/lib/libvirt/lxc/centos01/etc/yum.repos.d
    cat /etc/yum.repos.d/CentOS-Base.repo | sed s/'$releasever'/7/g > /var/lib/libvirt/lxc/centos01/etc/yum.repos.d/CentOS-Base.repo
    yum groupinstall core --installroot=/var/lib/libvirt/lxc/centos01
    # The following command seems to be redundant, as both packages are already installed as part of the core group.
    yum -y install plymouth libselinux-python --installroot=/var/lib/libvirt/lxc/centos01

Now, according to the old howto, I am to configure PAM in the new root fs. Reading through that, I don't really understand what I am to do. For example, I am to replace a line with "session required pam_selinux.so close". However, the matching line is a comment line, which makes me unsure.

Are those PAM configurations still required? If so, could someone help me on what to do exactly?

Thanks,

Jochen

--
The next time you hear: "Don't reinvent the wheel!"
http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
Greetings,

----- Original Message -----
> I am trying to implement something like an "LXC on CentOS 7 HowTo"
> for internal use. (Might as well get public afterwards.) I am following
> the HowTo for CentOS 6
> (https://wiki.centos.org/HowTos/LXC-on-CentOS6). So, here's what I
> did so far (Steps 1-6 can easily be omitted, but I am trying to be
> complete.)

Do you want to use the libvirt tools or the lxc-{whatever} tools? I haven't worked with LXC on EL6 nor EL7 much at all... but I have been playing with it some on Fedora 23.

Anyway, to create a CentOS container, the lxc tools can do a lot of the work for you... and I don't know that all of the steps are needed from that wiki... at least if you use the lxc tools rather than libvirt... although you'll still use libvirt for its networking stuff.

To create a CentOS 7 container:

    lxc-create -t download -n {desired-name}

That should give you a list of available Templates... and you would type in:

    Distribution: centos
    Release: 7
    Architecture: amd64

It should download the template and put it under /var/cache/lxc/ and create the container under /var/lib/lxc/. The Template should just work and not require any fiddling with... I'm hoping.

LXC is still rather lacking in isolation features as it does not give the container a subset of /proc... so within the container you can see all of the RAM and disk... and your root user can do bad things if you don't trust them. That is with a "privileged" container. Supposedly there is a way to run a container as a user and then grant capabilities as needed to reduce the security footprint but I don't know much about that.

Docker is a subset of that design for Applications (rather than the full distro with an init system of its own) that provides a really nice image library and image builder... but unless you are trying to do fleet computing (aka microservices) then Docker really isn't the container I've been looking for.

If you want privileged containers you don't have to worry about, you'll most likely want to create an OpenVZ host (warning, third-party repo / kernel / tools needed). The current stable version of OpenVZ is "OpenVZ Legacy" which is EL6-based. They have been working hard on "Virtuozzo 7" which is a merger of OpenVZ and the upstream Virtuozzo product-line still offering a FLOSS version... that is based on EL7 and also provides KVM VM management along-side of containers. They are trying to integrate Virtuozzo support into libvirt and the libvirt-based tools like virsh and virt-manager... and get as much of that work upstreamed as possible... and switch from the kernel-patch based checkpoint code they have in OpenVZ Legacy to the mostly upstreamed CRIU C/R. Hopefully in the next 3-6 months Virtuozzo 7 will go GA. They basically have created a complete distro for it which is based on CentOS.

I'd be interested to hear if the lxc tools work for you or not. The little bit I tried them on EL7 I seemed to get journald CPU max-outs on the host node.

TYL,

--
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]
On Tue, 9 Feb 2016 10:32, Jochen Wiedmann wrote:
>
> Hi,
>
> I am trying to implement something like an "LXC on CentOS 7 HowTo" for
> internal use. (Might as well get public afterwards.) I am following
> the HowTo for CentOS 6
> (https://wiki.centos.org/HowTos/LXC-on-CentOS6). So, here's what I did
> so far (Steps 1-6 can easily be omitted, but I am trying to be
> complete.)
>
> 1.) Disable delta RPM's in /etc/yum.conf
_________^
Well, that needs an explicit explanation on the WHY, IMHO not needed

> 2.) Remove LibreOffice
>
> sudo yum remove "libreoffice*"
_______________^
Well, that is personal taste, the existence of an installed LibreOffice should not influence LXC in any way.

> 3.) System update
>
> sudo yum -y update
This should be the first point. No one should start an installation of such a complex matter as Virtualisation on an outdated system. Best add a comment about the use of "yum ps" or the real need of a reboot in case of glibc/udev/kernel updates before going further in installing.

> 4.) Install some niceties
>
> sudo yum -y install emacs emacs-nox "@Development Tools" git subversion
_______________^
Again personal taste, for some the installation of emacs is a sacred act, for others pure blasphemy. Saying something about making sure the favourite text-cli editor is installed is more helpful here. Remember the UNIX way: Less is more. Less software on the host (metal) means more uptime between unavoidable reboots, esp. for servers.

> 5.) Reboot
> 6.) Install VirtualBox Guest Additions
________^
Eh? You want to use LXC, not "VirtualBox", what are the "Guest Additions" for? Explain, if really needed

> 7.) Install libvirt
_______^
Give a better title here, e.g. "Install packages for LXC: libvirt + co."

>
> sudo yum -y install libvirt libvirt-client libvirt-install
>
> 8.) Setting up root fs for a container:
>
> sudo su -
> mkdir -p /var/lib/libvirt/lxc/centos01/etc/yum.repos.d
> cat /etc/yum.repos.d/CentOS-Base.repo | sed
> s/'$releasever'/7/g >
> /var/lib/libvirt/lxc/centos01/etc/yum.repos.d/CentOS-Base.repo
_______^
Ok, that can be done better, and easier to read and understand:

[code]
cp -t /var/lib/libvirt/lxc/centos01/etc/yum.repos.d/ \
    /etc/yum.repos.d/CentOS-Base.repo
sed --in-place 's/$releasever/7/g' \
    /var/lib/libvirt/lxc/centos01/etc/yum.repos.d/CentOS-Base.repo
[/code]

If you really need the switched-off "Delta RPM" stuff, here and now is the place.

> yum groupinstall core --installroot=/var/lib/libvirt/lxc/centos01
> # The following command seems to be redundant, as both
> packages are already installed as part of the core group.
> yum -y install plymouth libselinux-python
> --installroot=/var/lib/libvirt/lxc/centos01
>
> Now, according to the old howto, I am to configure PAM in the new root
> fs. Reading through that; I don't really understand what I am to do.
> For example, I am to replace a line with "session required
> pam_selinux.so close". However, the matching line is a comment line,
> which makes me unsure.
>
> Are those PAM configurations still required? If so, could someone help
> me on what to do exactly?
>
> Thanks,
>
> Jochen

I have not needed any pam-monging so far, but ... [shrugs].

Please, some other (real-life) expert, go over the installation procedure, too, I'm no guru, nor a last instance. Let's give enough input to make this HowTo conform to best practices.

- Yamaban.
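Jochen's step 8 (the per-container copy of CentOS-Base.repo) in the cp + sed --in-place form Yamaban suggests, as an added example that is not code from either poster: it adds a guard that refuses a relative rootfs or "/" before anything is written (a wrong --installroot would otherwise rewrite the host's own repo file) and a check that no $releasever survived the substitution. Function names (prepare_repo, check_repo, demo) and the sample repo file are assumptions constructed here; yum itself is not run.

```shell
#!/bin/sh
# Added example, not code from the thread: Jochen's step 8 done in
# Yamaban's cp + sed --in-place form, plus two checks the thread lacks.
# prepare_repo, check_repo, demo and the sample file are assumed names.
set -eu

# prepare_repo SRC_REPO ROOTFS: copy SRC_REPO into ROOTFS/etc/yum.repos.d/
# and pin $releasever to 7. A relative ROOTFS, or "/" itself, is refused:
# the later "yum --installroot=$ROOTFS" would otherwise write into the host.
prepare_repo() {
    src=$1; rootfs=$2
    case "$rootfs" in
        /)  echo "refusing to treat / as the container rootfs" >&2; return 1 ;;
        /*) ;;
        *)  echo "rootfs must be an absolute path: $rootfs" >&2; return 1 ;;
    esac
    mkdir -p "$rootfs/etc/yum.repos.d"
    cp -t "$rootfs/etc/yum.repos.d/" "$src"
    # \$ keeps the dollar literal for sed: $releasever is a yum variable
    # inside the file, not a shell variable, and must not be expanded here.
    sed --in-place 's/\$releasever/7/g' "$rootfs/etc/yum.repos.d/$(basename "$src")"
}

# check_repo FILE: succeed only if no $releasever survived the substitution
# and the file still has a [section] with a baseurl= or mirrorlist= line.
check_repo() {
    f=$1
    ! grep -q 'releasever' "$f" || return 1
    grep -q '^\[' "$f" || return 1
    grep -Eq '^(baseurl|mirrorlist)=' "$f"
}

# demo: run both steps on a constructed stand-in for CentOS-Base.repo
# in a temporary directory; returns 0 when the result passes check_repo.
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
EOF
    rc=0
    prepare_repo "$tmp/CentOS-Base.repo" "$tmp/rootfs" || rc=1
    check_repo "$tmp/rootfs/etc/yum.repos.d/CentOS-Base.repo" || rc=1
    rm -rf "$tmp"
    return $rc
}
demo && echo "container repo file prepared and verified"
```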