LXC for Debian -------------- 1. Kernel LXC needs various cgroup related features enabled in the Linux kernel. If you use a non-Debian kernel, you can check your kernel configuration with the lxc-checkconfig tool. If you use a Debian squeeze kernel, all of the features are enable except the resource controller, means, you can use LXC just fine but cannot limit the use of RAM per container. Every container can use as much RAM as the host system offers. See http://bugs.debian.org/534964 for more information. If you use a Debian wheezy kernel or newer, all of the features are enabled including the resource controller. In order to enable the memory controller for Debian wheezy, the following boot parameter needs to be used: cgroup_enable=memory In order to enable the swap controller for Debian wheezy, the following boot parameter needs to be used: swapaccount In order to enable apparmor which lxc can make use of, the following boot parameter needs to be used: security=apparmor Note: Kernel version before 2.6.36 do crash when using two bridge network interfaces with LXC. If you need more than one bridge on the host system, make sure you upgrade your kernel first. 2. Cgroup LXC requires that the cgroup pseudo-filesystem is mounted. This can manually be done with the following command, executed as root on the host system: # mount cgroup -t cgroup /sys/fs/cgroup The corresponding entry for /etc/fstab looks like this: cgroup /sys/fs/cgroup cgroup defaults 0 0 This will eventually be done automatically as part of the mountkernfs initscript in sysvinit. See http://bugs.debian.org/601757 for more information. 3. Root LXC container can be made usable for non-root users by running lxc-setcap. It will set some capabilities so that normal users will be able to use the container utilities. This is not done by default and you have to explicitly allow it. 4. Autostart LXC container are automatically started on boot if container configuration files are symlinked (or copied) into the /etc/lxc/auto directory. Note that the name in /etc/lxc/auto needs to be the container name, e.g.: /etc/lxc/auto/www.example.org -> /var/lib/lxc/www.example.org/config 5. Bugs * veth not removed on container stop When stopping a container, it irregularly but reproducibly happen that the corresponding veth device of the container is not shutdown, making it impossible to start the container again. This is caused by a kernel bug not cleaning up veth devices on container collapsing. The veth device is supposed to be go away automatically after some time, definitely after a reboot though. A manual workaround is to shutdown the veth device manually with: # ip link delete ${VETH_DEVICE} There is a patch for it and hopefully landing in linux 3.7, see http://lists.linuxfoundation.org/pipermail/containers/2012-October/030533.html for more information. -- Daniel Baumann Tue, 12 Jul 2011 20:32:16 +0200