LXC初体验 -- 在LXC的容器内跑shadowsocks
安装 LXC
yum install -y epel-release
yum-config-manager --enable epel
yum install -y debootstrap perl libvirt
yum install -y lxc lxc-templates
启动 LXC 服务
systemctl status lxc.service
systemctl start lxc.service
systemctl start libvirtd
systemctl status lxc.service
命令
lxc-checkconfig
检查系统对虚拟化的支持和配置, 输出如下:
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.10.4-1.el7.elrepo.x86_64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
newuidmap is not installed
newgidmap is not installed
Network namespace: enabled
Multiple /dev/pts instances: missing
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
LXC 已经预装了一些VM模板:
ll /usr/share/lxc/templates/
total 348K
drwxr-xr-x 2 root root 4.0K Dec 2 09:37 .
drwxr-xr-x 6 root root 4.0K Dec 2 09:37 ..
-rwxr-xr-x 1 root root 11K Oct 20 2017 lxc-alpine
-rwxr-xr-x 1 root root 14K Oct 20 2017 lxc-altlinux
-rwxr-xr-x 1 root root 11K Oct 20 2017 lxc-archlinux
-rwxr-xr-x 1 root root 9.5K Oct 20 2017 lxc-busybox
-rwxr-xr-x 1 root root 30K Oct 20 2017 lxc-centos
-rwxr-xr-x 1 root root 11K Oct 20 2017 lxc-cirros
-rwxr-xr-x 1 root root 18K Oct 20 2017 lxc-debian
-rwxr-xr-x 1 root root 18K Oct 20 2017 lxc-download
-rwxr-xr-x 1 root root 49K Oct 20 2017 lxc-fedora
-rwxr-xr-x 1 root root 28K Oct 20 2017 lxc-gentoo
-rwxr-xr-x 1 root root 14K Oct 20 2017 lxc-openmandriva
-rwxr-xr-x 1 root root 14K Oct 20 2017 lxc-opensuse
-rwxr-xr-x 1 root root 35K Oct 20 2017 lxc-oracle
-rwxr-xr-x 1 root root 12K Oct 20 2017 lxc-plamo
-rwxr-xr-x 1 root root 6.7K Oct 20 2017 lxc-sshd
-rwxr-xr-x 1 root root 24K Oct 20 2017 lxc-ubuntu
-rwxr-xr-x 1 root root 12K Oct 20 2017 lxc-ubuntu-cloud
lxc-create -n s1 -t centos
创建名字为 s1 , 模板为 centos 的容器.
lxc-info –name s1
查看 s1 的状态
lxc-start -n s1 -d
以 deamon 方式启动 s1
lxc-console -n s1
登录到 s1 的控制台.
(然而并不会用, 还是 ssh 进去吧)
lxc-stop -n s1
停止 s1, 会比较慢.
DEMO
实验流程:
在host上用centos的模板 , 创建一个名为 ss 的容器.
以deamon模式启动容器.
在host上添加转发规则, 讲10000端口的TCP和UDP转发到容器内的8388端口.
ssh登录容器, 以密码 110 和其他默认配置启动 shadowsocks.
小火箭添加配置, server为host的ip, 端口为10000, 密码为110, 手机访问Twitter, 查看ssserver日志:
[root@host ~]# lxc-create -n ss -t centos
[root@host ~]# cat /var/lib/lxc/ss/tmp_root_pass
[root@host ~]# lxc-start -n ss -d
[root@host ~]# iptables -t nat -A PREROUTING -p tcp -d #{你的服务器IP} --dport 10000 -j DNAT --to #{容器内网IP}:8388
[root@host ~]# iptables -t nat -A PREROUTING -p udp -d #{你的服务器IP} --dport 10000 -j DNAT --to #{容器内网IP}:8388
[root@host ~]# ssh root@#{容器内网IP}
[root@ss ~]# yum install -y epel-release
[root@ss ~]# yum install -y python2-pip
[root@ss ~]# pip install shadowsocks
[root@ss ~]# ssserver -k 110
2018-12-03 15:14:56 INFO loading libcrypto from libcrypto.so.10
2018-12-03 15:14:56 INFO starting server at 0.0.0.0:8388
2018-12-03 15:16:05 INFO connecting video.twimg.com:443 from #{我的手机IP}:63578
2018-12-03 15:16:05 INFO connecting abs.twimg.com:443 from #{我的手机IP}:63575
2018-12-03 15:16:05 INFO connecting t.co:443 from #{我的手机IP}:63577
新建LXC容器后要手动修改密码, 手动配置端口转发, 用docker会简化相关配置.