Tuesday, July 19, 2016

How to use an LXC to set up a MAAS region controller

First, a word of warning: this feature is experimental. As far as I know it should be stable, but there are known security concerns, specifically with mounting ext2/3/4 volumes.
It should only be enabled in trusted environments where potentially malicious users do not have shell access to your system.

An LXC container will not have the device nodes needed for mounting (/dev/fuse for FUSE and some block device for ext4, e.g. /dev/loop0) and will not be permitted to mount by AppArmor.
This how-to shows how to create an LXC config which will run the container without AppArmor confinement and will allow you to mount the devices.

Requirements
In order to use this feature, you will need a 4.4.0-6.21 or later kernel on Ubuntu xenial. To follow these instructions you will also need to have lxc installed on the host machine.

Setup:
In the host
You need to flip the module parameters to enable user namespace mounts for ext4.
$ echo Y | sudo tee /sys/module/ext4/parameters/userns_mounts

In the LXC
add the following to /etc/rc.local
for i in $(seq 0 7); do /bin/mknod /dev/loop$i b 7 $i; done
to create the needed loop devices (they are needed by MAAS to manage the TFTP images). Each /dev/loopN node has block major 7 and minor N, so the minor number must follow the index.

Run it, or reboot the LXC:
$ /etc/rc.local

Check that the /dev/loopN devices exist and you are done.
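As an added example (not part of the original post), a small POSIX shell script that wraps the host-side and container-side steps above: it checks the ext4 userns_mounts parameter, creates the /dev/loop0..7 nodes with the correct minor numbers, and verifies each node's major/minor so a mistyped mknod (for example minor 0 on every node) is caught. The function names and the --apply flag are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the host-side
# check and the container-side loop-device setup described above.
# The device paths and the default index range 0-7 follow the post.
set -eu

# Host side: is the ext4 module accepting user-namespace mounts?
# The sysfs path is the default; another path can be passed for testing.
ext4_userns_mounts_enabled() {
    f="${1:-/sys/module/ext4/parameters/userns_mounts}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# /dev/loopN must be a block device with major 7 and minor N; giving every
# node minor 0 would make all of them aliases of loop0.
loop_node_spec() { echo "b 7 $1"; }

# Validate a node's major/minor (hex, as printed by `stat -c '%t %T'`)
# against the index it is supposed to represent.
loop_node_ok() {  # args: hex_major hex_minor index
    [ "$((0x$1))" -eq 7 ] && [ "$((0x$2))" -eq "$3" ]
}

# Container side: create missing /dev/loop0..N nodes (needs root) and
# verify that every node, pre-existing ones included, has the right numbers.
ensure_loop_devices() {  # arg: highest index, default 7
    n="${1:-7}"; i=0
    while [ "$i" -le "$n" ]; do
        dev="/dev/loop$i"
        # unquoted expansions below are meant to split into "b 7 N" / "maj min"
        [ -e "$dev" ] || mknod "$dev" $(loop_node_spec "$i")
        majmin=$(stat -c '%t %T' "$dev")
        loop_node_ok $majmin "$i" || { echo "bad node: $dev ($majmin)" >&2; return 1; }
        i=$((i + 1))
    done
}

# Only touch the system when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    ext4_userns_mounts_enabled || echo "warning: ext4 userns_mounts is not Y" >&2
    ensure_loop_devices 7 && echo "loop devices 0-7 present and correct"
fi
```

Run `sh loopdevs.sh --apply` as root inside the container; the `ext4_userns_mounts_enabled` check is only meaningful on the host, where the sysfs file lives.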

Test

$ dd if=/dev/zero of=ext4.img bs=1M count=8
$ mkfs.ext4 ext4.img
$ sudo losetup /dev/loop0 ext4.img

$ mkdir -p mount
$ mount /dev/loop0 mount
$ df

This filesystem can be unmounted in the usual way.

Now follow the MAAS install guide; you are free to move the MAAS LXC wherever you want.

1 comment:

  1. Dear Alex,

    don't forget in the config of the lxc:

    lxc.cgroup.devices.allow = b 7:* rwm
    lxc.cgroup.devices.allow = c 10:237 rwm

    your friends John and Peanut ;)
