Proxmox LXC Containers
lxc containers
pros:
- lightweight
- very flexible config from the Proxmox interface
cons:
- compromise of the container might affect the running host (VMs are better isolated)
- backup quirks and downtime (see dedicated section)
- can see underlying hardware (see dedicated section)
other things that work:
- iptables
- VPNs (see dedicated section)
backup
while KVM VMs use dirty bitmaps to achieve an online backup, an LXC container needs to be suspended; from the Proxmox documentation:
snapshot: This mode uses the snapshotting facilities of the underlying storage. First, the container will be suspended to ensure data consistency. A temporary snapshot of the container’s volumes will be made and the snapshot content will be archived in a tar file. Finally, the temporary snapshot is deleted again.
sources:
- https://pve.proxmox.com/wiki/Backup_and_Restore
- https://symcbean.blogspot.com/2022/01/proxmox-backup-server-evaluation.html
underlying hardware
the container will be able to see part of the hardware, for example disks.
An "lsblk" will show the host's disks and you can see info about them,
for example we can retrieve the disk model and its WWID (which carries the serial):
# cat /sys/block/sda/device/model
SeagateUltrastarIII
# cat /sys/class/block/sda/device/wwid
t10.ATA SeagateUltrastarIII AABBCCDDEEFF
this is an unnecessary potential leak of information that needs to be taken into account;
a VM would only see its own disk image.
detecting the container (useful in Ansible)
we can leverage
systemd-detect-virt
to understand where our OS is running;
run without any option, the command prints the detected technology, for example:
- "none" : running on bare metal
- "kvm" : running in a VM (on Proxmox)
- "lxc" : running in a container (on Proxmox)
See here for the full list:
But if we run the command with the --container option:
systemd-detect-virt --container
the output will be:
- "none" : if we are running on ANYTHING else than a container
- $container : if we are running inside a container (so in my case it would be "lxc")
This is very useful in Ansible where I want to skip the sysctl tasks since those are not valid for a container:
# playbook.yml:
---
- name: "container detection"
  hosts: localhost
  connection: local
  tasks:
    - name: "Register if we are running on anything else than a container (none) or in a container"
      command: systemd-detect-virt --container
      register: systemd_detect_virt
      # systemd-detect-virt exits non-zero when no container is detected (output "none"),
      # so the task must not be reported as failed; it also changes nothing on the host
      changed_when: false
      failed_when: false
    - name: "Set swappiness to zero in sysctl.conf"
      sysctl:
        name: vm.swappiness
        value: '1'
        state: present
        reload: yes
        sysctl_file: /etc/sysctl.conf
      when: systemd_detect_virt.stdout == "none"
the task will be executed only if the command output is "none", thus we are not inside a container.
tun devices
to configure a VPN that uses the /dev/net/tun device an additional configuration is needed:
edit your LXC configfile, for example for container 1001: /etc/pve/lxc/1001.conf
and add:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
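To check and apply this change from a provisioning script rather than by hand, here is an added example (not part of the original notes) that parses the key: value layout of /etc/pve/lxc/<vmid>.conf, reports whether the two TUN lines are present, and appends them idempotently; it also goes one step further and flags wildcard device rules, which grant far more than the single /dev/net/tun node a VPN needs. The sample config and the function names are constructed for the example.

```python
import re
# Constructed sample of /etc/pve/lxc/1001.conf (not a real container's config).
SAMPLE_CONF = """\
arch: amd64
hostname: vpn-gw
unprivileged: 1
"""

# The two lines the notes above add for /dev/net/tun (char device, major 10, minor 200).
TUN_DEVICE_RULE = "lxc.cgroup2.devices.allow: c 10:200 rwm"
TUN_MOUNT_ENTRY = "lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file"

# Device rule syntax: type, major:minor (either may be '*'), access letters.
_DEVICE_RE = re.compile(r"^([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)$")

def parse_conf(text):
    """Split a pve LXC config into (key, value) pairs; keys may repeat, so order is kept."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def device_rules(text):
    """(type, major, minor, access) for every well-formed cgroup2 device rule."""
    matches = (_DEVICE_RE.match(v) for k, v in parse_conf(text)
               if k == "lxc.cgroup2.devices.allow")
    return [m.groups() for m in matches if m]

def tun_allowed(text):
    """True when a rule grants r, w and m on char 10:200 (wildcards count) and the bind mount is present."""
    rule_ok = any(t == "c" and maj in ("10", "*") and mnr in ("200", "*")
                  and set("rwm") <= set(acc) for t, maj, mnr, acc in device_rules(text))
    mount_ok = any(k == "lxc.mount.entry" and v.startswith("/dev/net/tun ")
                   for k, v in parse_conf(text))
    return rule_ok and mount_ok

def wildcard_rules(text):
    """Device rules with a '*' major or minor: review these before leaving them in a container."""
    return [f"{t} {maj}:{mnr} {acc}" for t, maj, mnr, acc in device_rules(text)
            if "*" in (maj, mnr)]

def ensure_tun(text):
    """Append the two TUN lines only if missing, so re-running is a no-op."""
    lines = text.rstrip("\n").splitlines()
    lines += [w for w in (TUN_DEVICE_RULE, TUN_MOUNT_ENTRY) if w not in {l.strip() for l in lines}]
    return "\n".join(lines) + "\n"
```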
sources:
- https://pve.proxmox.com/wiki/OpenVPN_in_LXC
- https://forum.proxmox.com/threads/how-to-enable-tun-tap-in-a-lxc-container.25339/
- https://tailscale.com/kb/1130/lxc-unprivileged