Proxmox LXC Containers

lxc containers #

pros:

• lightweight
• very flexibile config from proxmox interface

cons:

• compromise of the container might affect the running host (vms are better isolated)
• backup quirks and downtime (see dedicated section)
• can see underlying hardware (see dedicated section)

other things that works:

• iptables
• vpns (see dedicater section)

backup #

while KVM vms use dirty bitmaps to achieve an online backup, the LXC container needs to be suspended:

snapshot: This mode uses the snapshotting facilities of the underlying storage. First, the container will be suspended to ensure data consistency. A temporary snapshot of the container’s volumes will be made and the snapshot content will be archived in a tar file. Finally, the temporary snapshot is deleted again.

sources:

• https://pve.proxmox.com/wiki/Backup_and_Restore
• https://symcbean.blogspot.com/2022/01/proxmox-backup-server-evaluation.html

underlying hardware #

the container will be able to see part of the hardware, for example disks.

An "lbslk" will show the host's disks and you can see infos about the disks,
for example we can retrieve the disk serial:

:#cat /sys/block/sda/device/model
SeagateUltrastarIII

:#cat /sys/class/block/sda/device/wwid   
t10.ATA     SeagateUltrastarIII                          AABBCCDDEEFF

this is an unnecessary potential leak of information that needs to be taken into account,
a VM would only see it's disk image.

detecting the container (useful in Ansible) #

we can leverage

systemd-detect-virt

to understand where our os is running,
the command will output the different technologies if ran without any option, for example:

• "none" : running on baremetal
• "kvm" : runnning in a vm (on Proxmox)
• "lxc" : running in a container (on Proxmox)

See here for the full list:

But if we run the command with the --container option:

systemd-detect-virt --container

the output will be:

• "none" : if we are running on ANYTHING else than a container
• $container : if we are running insiede a container (so in my case would be "lxc")

This is very useful in Ansible where I want to skip the sysctl tasks since those are not valid for a container:

# playbook.yml:
---
- name: "container detection"
  hosts: localhost
  connection: local
  
  tasks:
    - name: "Register if we are running on anything else than a container (none) or in a container"
      command: systemd-detect-virt --container
      register: systemd_detect_virt

    - name: "Set swappiness to zero in sysctl.conf"
      sysctl:
        name: vm.swappiness
        value: '1'
        state: present
        reload: yes
        sysctl_file: /etc/sysctl.conf
      when: systemd_detect_virt.stdout == "none"

the task will be executed only if the command output is "none", thus we are not inside a container.

tun devices #

to configure a VPN that uses /dev/tun devices an additional configuration is needed:

edit your LXC configfile, for example for container 1001: /etc/pve/lxc/1001.conf

and add:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

sources:

• https://pve.proxmox.com/wiki/OpenVPN_in_LXC
• https://forum.proxmox.com/threads/how-to-enable-tun-tap-in-a-lxc-container.25339/
• https://tailscale.com/kb/1130/lxc-unprivileged

• Previous: Nginx edit content with ngx_http_sub_module