1
0

lxc.rst 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629
  1. .. _tutorial-lxc:
  2. ========================
  3. LXC Management with Salt
  4. ========================
  5. .. note::
  6. This walkthrough assumes basic knowledge of Salt. To get up to speed, check
  7. out the :ref:`Salt Walkthrough <tutorial-salt-walk-through>`.
  8. Dependencies
  9. ============
  10. Manipulation of LXC containers in Salt requires the minion to have an LXC
  11. version of at least 1.0 (an alpha or beta release of LXC 1.0 is acceptable).
  12. The following distributions are known to have new enough versions of LXC
  13. packaged:
  14. - RHEL/CentOS 6 and later (via EPEL_)
  15. - Fedora (All non-EOL releases)
  16. - Debian 8.0 (Jessie)
  17. - Ubuntu 14.04 LTS and later (LXC templates are packaged separately as
  18. **lxc-templates**, it is recommended to also install this package)
  19. - openSUSE 13.2 and later
  20. .. _EPEL: https://fedoraproject.org/wiki/EPEL
  21. .. _tutorial-lxc-profiles:
  22. Profiles
  23. ========
  24. Profiles allow for a sort of shorthand for commonly-used
  25. configurations to be defined in the minion config file, :ref:`grains
  26. <targeting-grains>`, :ref:`pillar <pillar>`, or the master config file. The
  27. profile is retrieved by Salt using the :mod:`config.get
  28. <salt.modules.config.get>` function, which looks in those locations, in that
  29. order. This allows for profiles to be defined centrally in the master config
  30. file, with several options for overriding them (if necessary) on groups of
  31. minions or individual minions.
  32. There are two types of profiles:
  33. - One for defining the parameters used in container creation/clone.
  34. - One for defining the container's network interface(s) settings.
  35. .. _tutorial-lxc-profiles-container:
  36. Container Profiles
  37. ------------------
  38. LXC container profiles are defined underneath the
  39. ``lxc.container_profile`` config option:
  40. .. code-block:: yaml
  41. lxc.container_profile:
  42. centos:
  43. template: centos
  44. backing: lvm
  45. vgname: vg1
  46. lvname: lxclv
  47. size: 10G
  48. centos_big:
  49. template: centos
  50. backing: lvm
  51. vgname: vg1
  52. lvname: lxclv
  53. size: 20G
  54. Profiles are retrieved using the :mod:`config.get <salt.modules.config.get>`
  55. function, with the **recurse** merge strategy. This means that a profile can be
  56. defined at a lower level (for example, the master config file) and then parts
  57. of it can be overridden at a higher level (for example, in pillar data).
  58. Consider the following container profile data:
  59. **In the Master config file:**
  60. .. code-block:: yaml
  61. lxc.container_profile:
  62. centos:
  63. template: centos
  64. backing: lvm
  65. vgname: vg1
  66. lvname: lxclv
  67. size: 10G
  68. **In the Pillar data**
  69. .. code-block:: yaml
  70. lxc.container_profile:
  71. centos:
  72. size: 20G
  73. Any minion with the above Pillar data would have the **size** parameter in the
  74. **centos** profile overridden to 20G, while those minions without the above
  75. Pillar data would have the 10G **size** value. This is another way of achieving
  76. the same result as the **centos_big** profile above, without having to define
  77. another whole profile that differs in just one value.
  78. .. note::
  79. In the 2014.7.x release cycle and earlier, container profiles are defined
  80. under ``lxc.profile``. This parameter will still work in version 2015.5.0,
  81. but is deprecated and will be removed in a future release. Please note
  82. however that the profile merging feature described above will only work
  83. with profiles defined under ``lxc.container_profile``, and only in versions
  84. 2015.5.0 and later.
  85. Additionally, in version 2015.5.0 container profiles have been expanded to
  86. support passing template-specific CLI options to :mod:`lxc.create
  87. <salt.modules.lxc.create>`. Below is a table describing the parameters which
  88. can be configured in container profiles:
  89. ================== ================== ====================
  90. Parameter 2015.5.0 and Newer 2014.7.x and Earlier
  91. ================== ================== ====================
  92. *template*:sup:`1` Yes Yes
  93. *options*:sup:`1` Yes No
  94. *image*:sup:`1` Yes Yes
  95. *backing* Yes Yes
  96. *snapshot*:sup:`2` Yes Yes
  97. *lvname*:sup:`1` Yes Yes
  98. *fstype*:sup:`1` Yes Yes
  99. *size* Yes Yes
  100. ================== ================== ====================
  101. 1. Parameter is only supported for container creation, and will be ignored if
  102. the profile is used when cloning a container.
  103. 2. Parameter is only supported for container cloning, and will be ignored if
  104. the profile is used when not cloning a container.
  105. .. _tutorial-lxc-profiles-network:
  106. Network Profiles
  107. ----------------
  108. LXC network profiles are defined defined underneath the ``lxc.network_profile``
  109. config option.
  110. By default, the module uses a DHCP based configuration and try to guess a bridge to
  111. get connectivity.
  112. .. warning::
  113. on pre **2015.5.2**, you need to specify explicitly the network bridge
  114. .. code-block:: yaml
  115. lxc.network_profile:
  116. centos:
  117. eth0:
  118. link: br0
  119. type: veth
  120. flags: up
  121. ubuntu:
  122. eth0:
  123. link: lxcbr0
  124. type: veth
  125. flags: up
  126. As with container profiles, network profiles are retrieved using the
  127. :mod:`config.get <salt.modules.config.get>` function, with the **recurse**
  128. merge strategy. Consider the following network profile data:
  129. **In the Master config file:**
  130. .. code-block:: yaml
  131. lxc.network_profile:
  132. centos:
  133. eth0:
  134. link: br0
  135. type: veth
  136. flags: up
  137. **In the Pillar data**
  138. .. code-block:: yaml
  139. lxc.network_profile:
  140. centos:
  141. eth0:
  142. link: lxcbr0
  143. Any minion with the above Pillar data would use the **lxcbr0** interface as the
  144. bridge interface for any container configured using the **centos** network
  145. profile, while those minions without the above Pillar data would use the
  146. **br0** interface for the same.
  147. .. note::
  148. In the 2014.7.x release cycle and earlier, network profiles are defined
  149. under ``lxc.nic``. This parameter will still work in version 2015.5.0, but
  150. is deprecated and will be removed in a future release. Please note however
  151. that the profile merging feature described above will only work with
  152. profiles defined under ``lxc.network_profile``, and only in versions
  153. 2015.5.0 and later.
  154. The following are parameters which can be configured in network profiles. These
  155. will directly correspond to a parameter in an LXC configuration file (see ``man
  156. 5 lxc.container.conf``).
  157. - **type** - Corresponds to **lxc.network.type**
  158. - **link** - Corresponds to **lxc.network.link**
  159. - **flags** - Corresponds to **lxc.network.flags**
  160. Interface-specific options (MAC address, IPv4/IPv6, etc.) must be passed on a
  161. container-by-container basis, for instance using the ``nic_opts`` argument to
  162. :mod:`lxc.create <salt.modules.lxc.create>`:
  163. .. code-block:: bash
  164. salt myminion lxc.create container1 profile=centos network_profile=centos nic_opts='{eth0: {ipv4: 10.0.0.20/24, gateway: 10.0.0.1}}'
  165. .. warning::
  166. The ``ipv4``, ``ipv6``, ``gateway``, and ``link`` (bridge) settings in
  167. network profiles / nic_opts will only work if the container doesn't redefine
  168. the network configuration (for example in
  169. ``/etc/sysconfig/network-scripts/ifcfg-<interface_name>`` on RHEL/CentOS,
  170. or ``/etc/network/interfaces`` on Debian/Ubuntu/etc.). Use these with
  171. caution. The container images installed using the ``download`` template,
  172. for instance, typically are configured for eth0 to use DHCP, which will
  173. conflict with static IP addresses set at the container level.
  174. .. note::
  175. For LXC < 1.0.7 and DHCP support, set ``ipv4.gateway: 'auto'`` is your
  176. network profile, ie.::
  177. lxc.network_profile.nic:
  178. debian:
  179. eth0:
  180. link: lxcbr0
  181. ipv4.gateway: 'auto'
  182. Old lxc support (<1.0.7)
  183. ------------------------
  184. With saltstack **2015.5.2** and above, normally the setting is autoselected, but
  185. before, you'll need to teach your network profile to set
  186. **lxc.network.ipv4.gateway** to **auto** when using a classic ipv4 configuration.
  187. Thus you'll need
  188. .. code-block:: yaml
  189. lxc.network_profile.foo:
  190. etho:
  191. link: lxcbr0
  192. ipv4.gateway: auto
  193. Tricky network setups Examples
  194. ------------------------------
  195. This example covers how to make a container with both an internal ip and a
  196. public routable ip, wired on two veth pairs.
  197. The another interface which receives directly a public routable ip can't be on
  198. the first interface that we reserve for private inter LXC networking.
  199. .. code-block:: yaml
  200. lxc.network_profile.foo:
  201. eth0: {gateway: null, bridge: lxcbr0}
  202. eth1:
  203. # replace that by your main interface
  204. 'link': 'br0'
  205. 'mac': '00:16:5b:01:24:e1'
  206. 'gateway': '2.20.9.14'
  207. 'ipv4': '2.20.9.1'
  208. Creating a Container on the CLI
  209. ===============================
  210. From a Template
  211. ---------------
  212. LXC is commonly distributed with several template scripts in
  213. /usr/share/lxc/templates. Some distros may package these separately in an
  214. **lxc-templates** package, so make sure to check if this is the case.
  215. There are LXC template scripts for several different operating systems, but
  216. some of them are designed to use tools specific to a given distribution. For
  217. instance, the ``ubuntu`` template uses deb_bootstrap, the ``centos`` template
  218. uses yum, etc., making these templates impractical when a container from a
  219. different OS is desired.
  220. The :mod:`lxc.create <salt.modules.lxc.create>` function is used to create
  221. containers using a template script. To create a CentOS container named
  222. ``container1`` on a CentOS minion named ``mycentosminion``, using the
  223. ``centos`` LXC template, one can simply run the following command:
  224. .. code-block:: bash
  225. salt mycentosminion lxc.create container1 template=centos
  226. For these instances, there is a ``download`` template which retrieves minimal
  227. container images for several different operating systems. To use this template,
  228. it is necessary to provide an ``options`` parameter when creating the
  229. container, with three values:
  230. 1. **dist** - the Linux distribution (i.e. ``ubuntu`` or ``centos``)
  231. 2. **release** - the release name/version (i.e. ``trusty`` or ``6``)
  232. 3. **arch** - CPU architecture (i.e. ``amd64`` or ``i386``)
  233. The :mod:`lxc.images <salt.modules.lxc.images>` function (new in version
  234. 2015.5.0) can be used to list the available images. Alternatively, the releases
  235. can be viewed on http://images.linuxcontainers.org/images/. The images are
  236. organized in such a way that the **dist**, **release**, and **arch** can be
  237. determined using the following URL format:
  238. ``http://images.linuxcontainers.org/images/dist/release/arch``. For example,
  239. ``http://images.linuxcontainers.org/images/centos/6/amd64`` would correspond to
  240. a **dist** of ``centos``, a **release** of ``6``, and an **arch** of ``amd64``.
  241. Therefore, to use the ``download`` template to create a new 64-bit CentOS 6
  242. container, the following command can be used:
  243. .. code-block:: bash
  244. salt myminion lxc.create container1 template=download options='{dist: centos, release: 6, arch: amd64}'
  245. .. note::
  246. These command-line options can be placed into a :ref:`container profile
  247. <tutorial-lxc-profiles-container>`, like so:
  248. .. code-block:: yaml
  249. lxc.container_profile.cent6:
  250. template: download
  251. options:
  252. dist: centos
  253. release: 6
  254. arch: amd64
  255. The ``options`` parameter is not supported in profiles for the 2014.7.x
  256. release cycle and earlier, so it would still need to be provided on the
  257. command-line.
  258. Cloning an Existing Container
  259. -----------------------------
  260. To clone a container, use the :mod:`lxc.clone <salt.modules.lxc.clone>`
  261. function:
  262. .. code-block:: bash
  263. salt myminion lxc.clone container2 orig=container1
  264. Using a Container Image
  265. -----------------------
  266. While cloning is a good way to create new containers from a common base
  267. container, the source container that is being cloned needs to already exist on
  268. the minion. This makes deploying a common container across minions difficult.
  269. For this reason, Salt's :mod:`lxc.create <salt.modules.lxc.create>` is capable
  270. of installing a container from a tar archive of another container's rootfs. To
  271. create an image of a container named ``cent6``, run the following command as
  272. root:
  273. .. code-block:: bash
  274. tar czf cent6.tar.gz -C /var/lib/lxc/cent6 rootfs
  275. .. note::
  276. Before doing this, it is recommended that the container is stopped.
  277. The resulting tarball can then be placed alongside the files in the salt
  278. fileserver and referenced using a ``salt://`` URL. To create a container using
  279. an image, use the ``image`` parameter with :mod:`lxc.create
  280. <salt.modules.lxc.create>`:
  281. .. code-block:: bash
  282. salt myminion lxc.create new-cent6 image=salt://path/to/cent6.tar.gz
  283. .. note:: Making images of containers with LVM backing
  284. For containers with LVM backing, the rootfs is not mounted, so it is
  285. necessary to mount it first before creating the tar archive. When a
  286. container is created using LVM backing, an empty ``rootfs`` dir is handily
  287. created within ``/var/lib/lxc/container_name``, so this can be used as the
  288. mountpoint. The location of the logical volume for the container will be
  289. ``/dev/vgname/lvname``, where ``vgname`` is the name of the volume group,
  290. and ``lvname`` is the name of the logical volume. Therefore, assuming a
  291. volume group of ``vg1``, a logical volume of ``lxc-cent6``, and a container
  292. name of ``cent6``, the following commands can be used to create a tar
  293. archive of the rootfs:
  294. .. code-block:: bash
  295. mount /dev/vg1/lxc-cent6 /var/lib/lxc/cent6/rootfs
  296. tar czf cent6.tar.gz -C /var/lib/lxc/cent6 rootfs
  297. umount /var/lib/lxc/cent6/rootfs
  298. .. warning::
  299. One caveat of using this method of container creation is that
  300. ``/etc/hosts`` is left unmodified. This could cause confusion for some
  301. distros if salt-minion is later installed on the container, as the
  302. functions that determine the hostname take ``/etc/hosts`` into account.
  303. Additionally, when creating an rootfs image, be sure to remove
  304. ``/etc/salt/minion_id`` and make sure that ``id`` is not defined in
  305. ``/etc/salt/minion``, as this will cause similar issues.
  306. Initializing a New Container as a Salt Minion
  307. =============================================
  308. The above examples illustrate a few ways to create containers on the CLI, but
  309. often it is desirable to also have the new container run as a Minion. To do
  310. this, the :mod:`lxc.init <salt.modules.lxc.init>` function can be used. This
  311. function will do the following:
  312. 1. Create a new container
  313. 2. Optionally set password and/or DNS
  314. 3. Bootstrap the minion (using either salt-bootstrap_ or a custom command)
  315. .. _salt-bootstrap: https://github.com/saltstack/salt-bootstrap
  316. By default, the new container will be pointed at the same Salt Master as the
  317. host machine on which the container was created. It will then request to
  318. authenticate with the Master like any other bootstrapped Minion, at which point
  319. it can be accepted.
  320. .. code-block:: bash
  321. salt myminion lxc.init test1 profile=centos
  322. salt-key -a test1
  323. For even greater convenience, the :mod:`LXC runner <salt.runners.lxc>` contains
  324. a runner function of the same name (:mod:`lxc.init <salt.runners.lxc.init>`),
  325. which creates a keypair, seeds the new minion with it, and pre-accepts the key,
  326. allowing for the new Minion to be created and authorized in a single step:
  327. .. code-block:: bash
  328. salt-run lxc.init test1 host=myminion profile=centos
  329. Running Commands Within a Container
  330. ===================================
  331. For containers which are not running their own Minion, commands can be run
  332. within the container in a manner similar to using (:mod:`cmd.run
  333. <salt.modules.cmdmod.run`). The means of doing this have been changed
  334. significantly in version 2015.5.0 (though the deprecated behavior will still be
  335. supported for a few releases). Both the old and new usage are documented
  336. below.
  337. 2015.5.0 and Newer
  338. ------------------
  339. New functions have been added to mimic the behavior of the functions in the
  340. :mod:`cmd <salt.modules.cmdmod>` module. Below is a table with the :mod:`cmd
  341. <salt.modules.cmdmod>` functions and their :mod:`lxc <salt.modules.lxc>` module
  342. equivalents:
  343. ======================================= ====================================================== ===================================================
  344. Description :mod:`cmd <salt.modules.cmdmod>` module :mod:`lxc <salt.modules.lxc>` module
  345. ======================================= ====================================================== ===================================================
  346. Run a command and get all output :mod:`cmd.run <salt.modules.cmdmod.run>` :mod:`lxc.run <salt.modules.lxc.run>`
  347. Run a command and get just stdout :mod:`cmd.run_stdout <salt.modules.cmdmod.run_stdout>` :mod:`lxc.run_stdout <salt.modules.lxc.run_stdout>`
  348. Run a command and get just stderr :mod:`cmd.run_stderr <salt.modules.cmdmod.run_stderr>` :mod:`lxc.run_stderr <salt.modules.lxc.run_stderr>`
  349. Run a command and get just the retcode :mod:`cmd.retcode <salt.modules.cmdmod.retcode>` :mod:`lxc.retcode <salt.modules.lxc.retcode>`
  350. Run a command and get all information :mod:`cmd.run_all <salt.modules.cmdmod.run_all>` :mod:`lxc.run_all <salt.modules.lxc.run_all>`
  351. ======================================= ====================================================== ===================================================
  352. 2014.7.x and Earlier
  353. --------------------
  354. Earlier Salt releases use a single function (:mod:`lxc.run_cmd
  355. <salt.modules.lxc.run_cmd>`) to run commands within containers. Whether stdout,
  356. stderr, etc. are returned depends on how the function is invoked.
  357. To run a command and return the stdout:
  358. .. code-block:: bash
  359. salt myminion lxc.run_cmd web1 'tail /var/log/messages'
  360. To run a command and return the stderr:
  361. .. code-block:: bash
  362. salt myminion lxc.run_cmd web1 'tail /var/log/messages' stdout=False stderr=True
  363. To run a command and return the retcode:
  364. .. code-block:: bash
  365. salt myminion lxc.run_cmd web1 'tail /var/log/messages' stdout=False stderr=False
  366. To run a command and return all information:
  367. .. code-block:: bash
  368. salt myminion lxc.run_cmd web1 'tail /var/log/messages' stdout=True stderr=True
  369. Container Management Using salt-cloud
  370. =====================================
  371. Salt cloud uses under the hood the salt runner and module to manage containers,
  372. Please look at :ref:`this chapter <config_lxc>`
  373. Container Management Using States
  374. =================================
  375. Several states are being renamed or otherwise modified in version 2015.5.0. The
  376. information in this tutorial refers to the new states. For
  377. 2014.7.x and earlier, please refer to the :mod:`documentation for the LXC
  378. states <salt.states.lxc>`.
  379. Ensuring a Container Is Present
  380. -------------------------------
  381. To ensure the existence of a named container, use the :mod:`lxc.present
  382. <salt.states.lxc.present>` state. Here are some examples:
  383. .. code-block:: yaml
  384. # Using a template
  385. web1:
  386. lxc.present:
  387. - template: download
  388. - options:
  389. dist: centos
  390. release: 6
  391. arch: amd64
  392. # Cloning
  393. web2:
  394. lxc.present:
  395. - clone_from: web-base
  396. # Using a rootfs image
  397. web3:
  398. lxc.present:
  399. - image: salt://path/to/cent6.tar.gz
  400. # Using profiles
  401. web4:
  402. lxc.present:
  403. - profile: centos_web
  404. - network_profile: centos
  405. .. warning::
  406. The :mod:`lxc.present <salt.states.lxc.present>` state will not modify an
  407. existing container (in other words, it will not re-create the container).
  408. If an :mod:`lxc.present <salt.states.lxc.present>` state is run on an
  409. existing container, there will be no change and the state will return a
  410. ``True`` result.
  411. The :mod:`lxc.present <salt.states.lxc.present>` state also includes an
  412. optional ``running`` parameter which can be used to ensure that a container is
  413. running/stopped. Note that there are standalone :mod:`lxc.running
  414. <salt.states.lxc.running>` and :mod:`lxc.stopped <salt.states.lxc.stopped>`
  415. states which can be used for this purpose.
  416. Ensuring a Container Does Not Exist
  417. -----------------------------------
  418. To ensure that a named container is not present, use the :mod:`lxc.absent
  419. <salt.states.lxc.absent>` state. For example:
  420. .. code-block:: yaml
  421. web1:
  422. lxc.absent
  423. Ensuring a Container is Running/Stopped/Frozen
  424. ----------------------------------------------
  425. Containers can be in one of three states:
  426. - **running** - Container is running and active
  427. - **frozen** - Container is running, but all process are blocked and the
  428. container is essentially non-active until the container is "unfrozen"
  429. - **stopped** - Container is not running
  430. Salt has three states (:mod:`lxc.running <salt.states.lxc.running>`,
  431. :mod:`lxc.frozen <salt.states.lxc.frozen>`, and :mod:`lxc.stopped
  432. <salt.states.lxc.stopped>`) which can be used to ensure a container is in one
  433. of these states:
  434. .. code-block:: yaml
  435. web1:
  436. lxc.running
  437. # Restart the container if it was already running
  438. web2:
  439. lxc.running:
  440. - restart: True
  441. web3:
  442. lxc.stopped
  443. # Explicitly kill all tasks in container instead of gracefully stopping
  444. web4:
  445. lxc.stopped:
  446. - kill: True
  447. web5:
  448. lxc.frozen
  449. # If container is stopped, do not start it (in which case the state will fail)
  450. web6:
  451. lxc.frozen:
  452. - start: False