
QEMU-KVM under LXC

As usual, circumstances dictate the rules. This time we install Proxmox and libvirt on the same server.


We faced another challenge: the customer required the test stand to be deployed on an existing, conflicting infrastructure. He has a Proxmox cluster; we have libvirt.

The head-on approach did not work: an attempt to install libvirtd required removing Proxmox. That option was written off without much hesitation. Under the cut is an elegant way to climb the tree without scratching anything.

Briefly about us: we are the WriteX Team. We have worked with Linux since 2000 under the motto "nothing is impossible for Linux". No sooner said than done; let's think. The options: compile libvirt ourselves or move it into a container. Google helped as usual and turned up a very useful article, stgraber.org/2014/01/01/lxc-1-0-security-features, which shows that, in principle, any device can be passed through into a container. Here is the relevant part (quoted without the author's permission, but with the link kept; a little copy-paste):
 # Default cgroup limits
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not using the node)
 lxc.cgroup.devices.allow = c *:* m
 lxc.cgroup.devices.allow = b *:* m
 ## /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
 ## consoles
 lxc.cgroup.devices.allow = c 5:0 rwm
 lxc.cgroup.devices.allow = c 5:1 rwm
 ## /dev/{,u}random
 lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 1:9 rwm
 ## /dev/pts/*
 lxc.cgroup.devices.allow = c 5:2 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 ## rtc
 lxc.cgroup.devices.allow = c 254:0 rm
 ## fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 ## tun
 lxc.cgroup.devices.allow = c 10:200 rwm
 ## full
 lxc.cgroup.devices.allow = c 1:7 rwm
 ## hpet
 lxc.cgroup.devices.allow = c 10:228 rwm
 ## kvm
 lxc.cgroup.devices.allow = c 10:232 rwm

Next, look up the device numbers on dom0:

 # ls -lah /dev/kvm
 crw-rw-rw- 1 root kvm 10, 232  1 11:55 /dev/kvm

Then we allow all the devices we need and create them inside the container:

 mknod /dev/net/tun c 10 200
 mknod /dev/kvm c 10 232
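As an added example (not code from the post or from Stéphane Graber's article), the same procedure as a small POSIX shell script: it derives the device-cgroup allow lines from the host's real device numbers instead of copying a list, and creates the matching nodes in the container's /dev. It assumes a Linux host whose stat(1) supports -c (GNU or busybox), root privileges for mknod, and that the container path is a placeholder you replace.

```shell
#!/bin/sh
# Added example, not from the original post or from the LXC article it quotes.
# Builds the lxc.cgroup.devices.* lines for KVM passthrough from the host's
# actual device numbers and creates the nodes inside the container rootfs.
# Assumptions: Linux host, stat -c available, run as root for mknod.

# One allow rule: type (c|b), major, minor, access string (r/w/m).
device_rule() {
    printf 'lxc.cgroup.devices.allow = %s %s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Decimal "major minor" of an existing device node (stat reports hex).
dev_numbers() {
    hexnums=$(stat -c '%t %T' "$1") || return 1
    set -- $hexnums
    echo "$((0x$1)) $((0x$2))"
}

# Deny everything first, then allow only the two nodes QEMU/KVM needs.
# Reads /dev/kvm and /dev/net/tun from the host; if a node is absent
# (e.g. the kvm module is not loaded) it falls back to the numbers in the post.
kvm_passthrough_rules() {
    echo 'lxc.cgroup.devices.deny = a'
    for entry in '/dev/kvm 10 232' '/dev/net/tun 10 200'; do
        set -- $entry
        if [ -c "$1" ]; then
            numbers=$(dev_numbers "$1")
            device_rule c $numbers rwm
        else
            device_rule c "$2" "$3" rwm
        fi
    done
}

# Create the character devices in the container rootfs (run as root).
# Same effect as the post's two mknod calls, but numbers come from the host
# so the container nodes cannot drift from what the kernel actually exposes.
create_container_nodes() {
    rootfs=$1   # placeholder, e.g. /var/lib/lxc/<container>/rootfs
    mkdir -p "$rootfs/dev/net"
    for entry in '/dev/kvm 10 232' '/dev/net/tun 10 200'; do
        set -- $entry
        if [ -c "$1" ]; then
            set -- "$1" $(dev_numbers "$1")
        fi
        [ -e "$rootfs$1" ] || mknod "$rootfs$1" c "$2" "$3"
        chmod 660 "$rootfs$1"   # tighter than the 0666 the host shows in the post
    done
}

# Usage on the host, as root (paths are placeholders):
#   kvm_passthrough_rules >> /var/lib/lxc/<container>/config
#   create_container_nodes /var/lib/lxc/<container>/rootfs
```

Keep the `deny = a` line first and list exactly the nodes the guest needs: handing a container /dev/kvm gives it direct access to the hypervisor interface and /dev/net/tun lets it create network interfaces, so a blanket `c *:* rwm` would hand over far more than this setup requires. On LXC 4.x hosts booted with the unified cgroup v2 hierarchy the keys are `lxc.cgroup2.devices.deny` and `lxc.cgroup2.devices.allow`; the values are the same.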

We start the system and put everything we need into our container, without breaking anything on the customer's side. In my opinion, cool!

Ready to catch tomatoes, but only after you have fully appreciated the depth of the creativity ;-)

Links to materials:

Source: https://habr.com/ru/post/330016/

