This page records the feature gaps I have had to fill so far when working with the LXD CentOS 7 image.
```
lab@lxdlab:~$ lxc list lxdimg-centos7
+----------------+---------+----------------------+-----------------------------------------------+------------+-----------+
|      NAME      |  STATE  |         IPV4         |                     IPV6                      |    TYPE    | SNAPSHOTS |
+----------------+---------+----------------------+-----------------------------------------------+------------+-----------+
| lxdimg-centos7 | RUNNING | 10.207.69.167 (eth0) | fd42:ebd6:90e3:9a71:216:3eff:fec2:f9c1 (eth0) | PERSISTENT | 0         |
+----------------+---------+----------------------+-----------------------------------------------+------------+-----------+
lab@lxdlab:~$
```
SSH service
After launching a CentOS 7 container, `lxc shell` is normally all you need to get into the environment. The CentOS image ships only the ssh client, so there is no way to log in over SSH. When setting up a software cluster, however, the nodes frequently have to reach each other over SSH.

The obvious fix is to add the openssh-server package.

Because the container image is deliberately minimal (and much smaller on disk), installing the SSH server is not quite enough; a small configuration change is needed as well.

In short: the container does not carry a complete PAM stack, so sshd has to be told not to integrate with PAM. Be aware of what `UsePAM no` gives up: sshd then verifies passwords against `/etc/shadow` by itself, and no PAM account or session modules (password expiry, `pam_access`, resource limits, lastlog) run at login. For a lab cluster that is acceptable; for anything reachable from outside the lab, use key-based authentication and consider `PasswordAuthentication no`. After editing the file, `sshd -t` validates the configuration before the service is started.
```
lab@lxdlab:~$ lxc shell lxdimg-centos7
[root@lxdimg-centos7 ~]# yum install -y openssh-server
[root@lxdimg-centos7 ~]#
[root@lxdimg-centos7 ~]# sed -e "s/^UsePAM yes/UsePAM no/g" -i /etc/ssh/sshd_config
[root@lxdimg-centos7 ~]#
[root@lxdimg-centos7 ~]# chkconfig sshd on
[root@lxdimg-centos7 ~]# service sshd start
```
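The one-line `sed` above only works when the directive is present, uncommented and spelled exactly that way. As an added example that is not part of the original post, the helpers below set any sshd_config directive idempotently (an active or commented-out line is replaced, otherwise the line is appended), read back the value sshd will actually honour (the first active occurrence), and validate the file with `sshd -t` before the service is restarted. They assume GNU sed; the function names are my own, and directives inside a `Match` block are not treated specially.

```shell
# Added example (not from the original post): idempotent sshd_config edits.
# Assumes GNU sed (-E, -i). Directives inside a `Match` block are not handled
# specially and would be rewritten like any other line.

# Usage: sshd_set <sshd_config> <Directive> <value>
sshd_set() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        # Replace every active or commented-out line for this directive.
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Usage: sshd_get <sshd_config> <Directive>
# Prints the first active value, which is the one sshd uses.
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Validate before restarting: sshd refuses to start on a broken config.
# Usage: sshd_check <sshd_config>
sshd_check() {
    /usr/sbin/sshd -t -f "$1"
}

# The page's change plus key-only authentication for a lab cluster:
#   sshd_set /etc/ssh/sshd_config UsePAM no
#   sshd_set /etc/ssh/sshd_config PasswordAuthentication no
#   sshd_check /etc/ssh/sshd_config && service sshd restart
```

Running `sshd_set` twice with the same directive leaves a single line in the file, so the helper is safe to re-run from a provisioning script.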
References

shell - Can't ssh, connection terminates immediately with exit status 254 - Unix & Linux Stack Exchange
HTTPD service
The httpd package that CentOS provides produces some errors during installation (the `cap_set_file not permitted` failure from the reference below: rpm cannot set file capabilities inside an unprivileged container). To install it, the container has to be switched to a privileged container temporarily; the flag can be turned off again once the install is done. The commands below use `lxc exec` directly rather than going in through `lxc shell`.

Two things to keep in mind while the flag is set: root inside a privileged container is root on the host, so keep the window short and do nothing else in it, and afterwards confirm with `lxc config get lxdimg-centos7 security.privileged` that the value really is back to `false`. If the install still fails with the same error after the flag is set, the running container has not picked up the change and needs to be restarted inside that window (the commands shown here do not restart it).
```
lab@lxdlab:~$ lxc config set lxdimg-centos7 security.privileged true
lab@lxdlab:~$ lxc exec lxdimg-centos7 -- yum install -y httpd
lab@lxdlab:~$ lxc config set lxdimg-centos7 security.privileged false
```
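The three commands above leave the container privileged if `yum` fails or the session is interrupted between the first and third line. As an added example that is not part of the original post, the function below runs one command with `security.privileged` temporarily set to true and guarantees the previous value is put back, whether the command succeeds, fails, or the shell is killed; a second function is the post-condition check. It assumes the `lxc` CLI is on PATH; the function names are my own.

```shell
# Added example (not from the original post): a bounded privileged window for
# one command, with guaranteed revert. Assumes the `lxc` CLI is on PATH.

# Print the container's current security.privileged value ("true", "false",
# or empty when unset, which LXD treats as false).
lxd_privileged_state() {
    lxc config get "$1" security.privileged
}

# Usage: lxd_run_privileged <container> <command> [args...]
# Returns the exit status of the command run inside the container.
lxd_run_privileged() {
    container=$1; shift
    prev=$(lxd_privileged_state "$container")
    [ -n "$prev" ] || prev=false
    # Safety net: if the shell dies (error under set -e, Ctrl-C, SIGTERM)
    # before the explicit restore below, put the old value back anyway.
    trap 'lxc config set "$container" security.privileged "$prev"' EXIT INT TERM
    lxc config set "$container" security.privileged true
    if lxc exec "$container" -- "$@"; then rc=0; else rc=$?; fi
    lxc config set "$container" security.privileged "$prev"
    trap - EXIT INT TERM
    return "$rc"
}

# Post-condition: succeed only if the container is back to unprivileged.
lxd_is_unprivileged() {
    [ "$(lxd_privileged_state "$1")" != true ]
}

# The page's case:
#   lxd_run_privileged lxdimg-centos7 yum install -y httpd
#   lxd_is_unprivileged lxdimg-centos7 || echo "still privileged!" >&2
```

Because LXD applies `security.privileged` at container start, add an `lxc restart` inside the window if the install still reports the capability error; the revert logic stays the same.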
These days most people run Linux in a VM rather than installing it on their own machine, so it is unusual to open a browser on a Linux desktop and connect straight to the container's HTTPD service.

The usual answer is to forward the container's HTTP/HTTPS ports to the host OS. The commands below do that for port 80 and port 443. Note that `listen=tcp:0.0.0.0:80` binds on every interface of the host, so the container service becomes reachable from whatever network the host sits on; if only the local machine needs it, listen on `127.0.0.1` instead, and check what is actually bound with `ss -ltnp` on the host.
```
lab@lxdlab:~$ lxc config device add lxdimg-centos7 labport80 proxy listen=tcp:0.0.0.0:80 connect=tcp:localhost:80
lab@lxdlab:~$ lxc config device add lxdimg-centos7 labport443 proxy listen=tcp:0.0.0.0:443 connect=tcp:localhost:443
```
References
cap_set_file not permitted · Issue #1245 · lxc/lxd
Forward port 80 and 443 from WAN to container - LXD - Linux Containers Forum
Adding network interfaces

In exercises it is sometimes desirable to make the environment more realistic with a multi-NIC setup (for example, simulating a physical host's Service LAN + Heartbeat LAN layout). In LXD, just as with an ordinary VM, extra network cards can be added. First, a second bridge is needed (so far there is only lxdbr0).
```
lab@lxdlab:~$ lxc network create lxdbr1
Network lxdbr1 created
lab@lxdlab:~$
```
To keep this network from reaching the outside, so that it simulates an internal segment, routing can be disabled. Note that this setting only stops the host from forwarding IPv4; the container's eth1 below still receives a global IPv6 address from the new bridge, so set `ipv6.routing false` as well (and `ipv4.nat` / `ipv6.nat` to false) if the segment is meant to be fully isolated.
```
lab@lxdlab:~$ lxc network set lxdbr1 ipv4.routing false
```
A copy of the default profile is used for this.

```
lab@lxdlab:~$ lxc profile copy default dualnic
lab@lxdlab:~$ lxc profile edit dualnic
```

In the editor, the `eth1` device and the description are the parts that were adjusted or added:

```yaml
config: {}
description: LXD profile for Dual NICs
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  eth1:
    name: eth1
    nictype: bridged
    parent: lxdbr1
    type: nic
  root:
    path: /
    pool: default
    type: disk
name: dualnic
used_by: []
```
Then launch a new container based on this new profile.
```
lab@lxdlab:~$ lxc launch images:centos/7/amd64 dualnettest -p dualnic
Creating dualnettest
Starting dualnettest
lab@lxdlab:~$
lab@lxdlab:~$ lxc list dualnettest
+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+
|    NAME     |  STATE  |        IPV4         |                     IPV6                      |    TYPE    | SNAPSHOTS |
+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+
| dualnettest | RUNNING | 10.207.69.45 (eth0) | fd42:ebd6:90e3:9a71:216:3eff:fe96:ea1 (eth0)  | PERSISTENT | 0         |
|             |         |                     | fd42:19af:5b46:bd2a:216:3eff:fe9a:5187 (eth1) |            |           |
+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+
lab@lxdlab:~$
```
The environment is up, but eth1 has no IPv4 address, which is what I am used to working with. Let's take a look inside.
```
lab@lxdlab:~$ lxc shell dualnettest
[root@dualnettest ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
18: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:96:0e:a1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.207.69.45/24 brd 10.207.69.255 scope global dynamic eth0
       valid_lft 2220sec preferred_lft 2220sec
    inet6 fd42:ebd6:90e3:9a71:216:3eff:fe96:ea1/64 scope global mngtmpaddr dynamic
       valid_lft 3369sec preferred_lft 3369sec
    inet6 fe80::216:3eff:fe96:ea1/64 scope link
       valid_lft forever preferred_lft forever
20: eth1@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:9a:51:87 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fd42:19af:5b46:bd2a:216:3eff:fe9a:5187/64 scope global mngtmpaddr dynamic
       valid_lft 3285sec preferred_lft 3285sec
    inet6 fe80::216:3eff:fe9a:5187/64 scope link
       valid_lft forever preferred_lft forever
[root@dualnettest ~]#
[root@dualnettest ~]# ls /etc/sysconfig/network-scripts/ifcfg-*
/etc/sysconfig/network-scripts/ifcfg-eth0  /etc/sysconfig/network-scripts/ifcfg-lo
[root@dualnettest ~]#
[root@dualnettest ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
HOSTNAME=dualnettest
NM_CONTROLLED=no
TYPE=Ethernet
MTU=
DHCP_HOSTNAME=`hostname`
[root@dualnettest ~]#
```
It looks like the missing config file is the cause. Copy it to ifcfg-eth1 and restart the network service.
```
[root@dualnettest ~]# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1
[root@dualnettest ~]# sed -e 's/eth0/eth1/g' -i /etc/sysconfig/network-scripts/ifcfg-eth1
[root@dualnettest ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
[root@dualnettest ~]# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
18: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
    inet 10.207.69.45/24 brd 10.207.69.255 scope global dynamic eth0
       valid_lft 3576sec preferred_lft 3576sec
20: eth1@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
    inet 10.8.135.208/24 brd 10.8.135.255 scope global dynamic eth1
       valid_lft 3584sec preferred_lft 3584sec
[root@dualnettest ~]#
[root@dualnettest ~]# exit
logout
lab@lxdlab:~$ lxc list dualnettest
+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+
|    NAME     |  STATE  |        IPV4         |                     IPV6                      |    TYPE    | SNAPSHOTS |
+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+
| dualnettest | RUNNING | 10.8.135.208 (eth1) | fd42:ebd6:90e3:9a71:216:3eff:fe96:ea1 (eth0)  | PERSISTENT | 0         |
|             |         | 10.207.69.45 (eth0) | fd42:19af:5b46:bd2a:216:3eff:fe9a:5187 (eth1) |            |           |
+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+
lab@lxdlab:~$
```
Setup complete: the container now has two network interfaces.

To test the internal network, bring the first interface down and then ping an external address.
```
[root@dualnettest ~]# sed -e "s/ONBOOT=yes/ONBOOT=no/g" -i /etc/sysconfig/network-scripts/ifcfg-eth0
[root@dualnettest ~]# service network restart
Restarting network (via systemctl):                        [  OK  ]
[root@dualnettest ~]#
[root@dualnettest ~]# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: eth1@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
    inet 10.8.135.208/24 brd 10.8.135.255 scope global dynamic eth1
       valid_lft 3591sec preferred_lft 3591sec
[root@dualnettest ~]#
[root@dualnettest ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.8.135.1 icmp_seq=1 Destination Port Unreachable
From 10.8.135.1 icmp_seq=2 Destination Port Unreachable
From 10.8.135.1 icmp_seq=3 Destination Port Unreachable
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2029ms
[root@dualnettest ~]#
```
The simulated internal-network isolation is confirmed. Note where the rejection comes from: 10.8.135.1 is the host's own address on lxdbr1, so the packets never left the bridge. Only IPv4 was tested here; unless `ipv6.routing` was also disabled on lxdbr1, an IPv6 ping (`ping6`) to an external address deserves the same check.
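The steps above (create the bridge, restrict it, build the profile, launch, add ifcfg-eth1) as one script, added here as an example that is not part of the original post. It isolates the second bridge for both IP families, since the page's `ipv4.routing false` leaves the ULA IPv6 address on eth1 routable, and verifies the bridge settings before launching. It assumes the `lxc` CLI is on PATH and a `default` profile with eth0 on lxdbr0, as on the page; the function names are my own.

```shell
# Added example (not from the original post): dual-NIC container with a fully
# isolated second bridge. Assumes the `lxc` CLI and the page's default profile.

ISOLATION_KEYS="ipv4.routing ipv4.nat ipv6.routing ipv6.nat"

# Usage: lxd_create_isolated_bridge <network-name>
lxd_create_isolated_bridge() {
    net=$1
    args=""
    for key in $ISOLATION_KEYS; do args="$args $key=false"; done
    # $args is intentionally unquoted so each key=value becomes its own argument.
    lxc network create "$net" $args
}

# Usage: lxd_bridge_is_isolated <network-name>
# Succeeds only when every routing/NAT key reads back as false.
lxd_bridge_is_isolated() {
    net=$1
    for key in $ISOLATION_KEYS; do
        [ "$(lxc network get "$net" "$key")" = false ] || return 1
    done
}

# Usage: lxd_dualnic_setup <container> <internal-bridge> <profile>
# Creates the isolated bridge, a profile with eth1 on it, launches the
# container and gives CentOS the ifcfg-eth1 it needs to bring eth1 up.
lxd_dualnic_setup() {
    container=$1 int=$2 profile=$3
    lxd_create_isolated_bridge "$int"
    lxd_bridge_is_isolated "$int" || return 1
    lxc profile copy default "$profile"
    lxc profile device add "$profile" eth1 nic nictype=bridged parent="$int" name=eth1
    lxc launch images:centos/7/amd64 "$container" -p "$profile"
    # CentOS 7 only configures interfaces that have an ifcfg file (the page's
    # cp + sed step); derive ifcfg-eth1 from ifcfg-eth0 inside the container.
    lxc exec "$container" -- sh -c \
        'sed "s/eth0/eth1/g" /etc/sysconfig/network-scripts/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth1 && service network restart'
}

# The page's names:
#   lxd_dualnic_setup dualnettest lxdbr1 dualnic
```

`lxd_bridge_is_isolated` is also useful on its own against an existing bridge such as the page's lxdbr1, where it fails until `ipv6.routing` and the NAT keys are switched off too.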
Enabling the CentOS desktop

An LXD container has no usable graphical interface by default (command line only). To run desktop programs inside LXD, you connect to it as a remote desktop. The main ways of doing that are:

- XDMCP: done with the X Window protocol
- VNC: what Linux users mostly use nowadays
- XRDP: the Windows Remote Desktop protocol (RDP) served from Linux
- Google Chrome Remote Desktop: done with the Chrome remote desktop extension

VNC is the most common. Here I record how to bring up a desktop inside a CentOS 7 container under LXD. The LXD host in this case is a physical machine, not a cloud VM.

In principle, installing one of the yum groups X Window System / Server with GUI / GNOME Desktop plus the tigervnc-server package would be about enough. Those groups, however, pull in a lot of packages that are not needed, the Linux kernel package in particular, and afterwards the graphical target has to be disabled.

So here I tried to pick out just the GNOME and X packages that are actually required. Once VNC is up there is a fairly bare desktop.
```
lab@lxdlab:~$ lxc launch images:centos/7/amd64 centosdesktop
lab@lxdlab:~$ lxc list centosdesktop
+---------------+---------+----------------------+-----------------------------------------------+------------+-----------+
|     NAME      |  STATE  |         IPV4         |                     IPV6                      |    TYPE    | SNAPSHOTS |
+---------------+---------+----------------------+-----------------------------------------------+------------+-----------+
| centosdesktop | RUNNING | 10.236.247.69 (eth0) | fd42:b925:969f:cf73:216:3eff:fe11:1ae9 (eth0) | PERSISTENT | 0         |
+---------------+---------+----------------------+-----------------------------------------------+------------+-----------+
lab@lxdlab:~$
lab@lxdlab:~$ lxc shell centosdesktop
[root@centosdesktop ~]# yum install -y gnome-desktop3 gnome-session gnome-shell gnome-terminal nautilus tigervnc-server
```
Next, create an account for the desktop (running VNC as root works too); the main step is setting the VNC password. Note that the VNC desktop password is separate from the account's own password. It is also a much weaker secret: the classic VncAuth scheme uses at most 8 characters, keeps them in `~/.vnc/passwd` obfuscated with a fixed DES key, and gives the session no confidentiality unless a TLS security type is negotiated. The `123456` below is a lab-only value, and the server should not be reachable from anything but trusted hosts.
```
[root@centosdesktop ~]# useradd aaa
[root@centosdesktop ~]# su - aaa
[aaa@centosdesktop ~]$ vncpasswd
Password:123456
Verify:123456
Would you like to enter a view-only password (y/n)? n
A view-only password is not used
[aaa@centosdesktop ~]$
```
Next, one extra small setting. An X server on its own only shows an empty screen; a desktop session manager is normally needed to make it usable. In VNC, the Xvnc server takes over DISPLAY and then receives the session manager's graphical output. VNC controls this through `$HOME/.vnc/xstartup`, which by default runs `/etc/X11/xinit/xinitrc`. Here it is replaced outright with `gnome-session`.
```
[aaa@centosdesktop ~]$ cat ~/.vnc/xstartup
#!/bin/sh

unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
/etc/X11/xinit/xinitrc
# Assume either Gnome or KDE will be started by default when installed
# We want to kill the session automatically in this case when user logs out. In case you modify
# /etc/X11/xinit/Xclients or ~/.Xclients yourself to achieve a different result, then you should
# be responsible to modify below code to avoid that your session will be automatically killed
if [ -e /usr/bin/gnome-session -o -e /usr/bin/startkde ]; then
    vncserver -kill $DISPLAY
fi
[aaa@centosdesktop ~]$
[aaa@centosdesktop ~]$ mv ~/.vnc/xstartup ~/.vnc/xstartup.orig
[aaa@centosdesktop ~]$ cat << EOF >> ~/.vnc/xstartup
#!/bin/sh
gnome-session &
EOF
[aaa@centosdesktop ~]$ chmod +x ~/.vnc/xstartup
[aaa@centosdesktop ~]$
```
Then it can be started directly:
```
[aaa@centosdesktop ~]$ vncserver -depth 24 -geometry 800x600
xauth:  file /home/aaa/.Xauthority does not exist

New 'centosdesktop:1 (aaa)' desktop is centosdesktop:1

Creating default config /home/aaa/.vnc/config
Starting applications specified in /home/aaa/.vnc/xstartup
Log file is /home/aaa/.vnc/centosdesktop:1.log

[aaa@centosdesktop ~]$
[aaa@centosdesktop ~]$ vncserver -list

TigerVNC server sessions:

X DISPLAY #	PROCESS ID
:1		1761
[aaa@centosdesktop ~]$
```
Then connect with a VNC viewer; here a TigerVNC client on the local machine was used. The address to connect to is the container's IP (display :1, which is TCP port 5901).

Finally, disable the GNOME screensaver / screen lock. This step has to be run inside the VNC session (it depends on the DISPLAY environment variable).
```
[aaa@centosdesktop ~]$ gconftool-2 --type boolean -s /apps/gnome_settings_daemon/screensaver/start_screensaver false
[aaa@centosdesktop ~]$ gsettings set org.gnome.desktop.session idle-delay 0
```
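The `vncserver` started above listens on every address of the container with the weak VncAuth scheme. As an added example that is not part of the original post: for anything beyond a throw-away lab, start it with `vncserver -localhost` and reach it either through an SSH tunnel (`ssh -L 5901:127.0.0.1:5901 aaa@<container-ip>`, relying on the sshd from the SSH section) or through an LXD proxy device bound to the host's loopback only (`lxc config device add centosdesktop vnc proxy listen=tcp:127.0.0.1:5901 connect=tcp:127.0.0.1:5901`, with `vnc` an assumed device name). The function below then confirms, from `ss -ltn` output inside the container, that no VNC display port (TCP 5900-5999) is bound to anything other than loopback. The `ss` lines shown in the comments are constructed for illustration.

```shell
# Added example (not from the original post): detect VNC display ports that
# are listening on a wildcard or external address. Reads `ss -ltn` output on
# stdin, prints each exposed local socket, and exits 1 if any was found.
#
# Usage inside the container:
#   ss -ltn | vnc_exposed_listeners && echo "no exposed VNC listener"
#
# Constructed sample of what a default `vncserver :1` produces (exposed):
#   LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
#   LISTEN 0 5 [::]:5901    [::]:*
# and after `vncserver -localhost :1` (clean):
#   LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
#   LISTEN 0 5 [::1]:5901     [::]:*
vnc_exposed_listeners() {
    awk '
        # ss columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        $1 == "LISTEN" {
            laddr = $4
            n = split(laddr, parts, ":")
            port = parts[n]
            # Everything before the last ":" is the address ("[::]" for IPv6 any).
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (port ~ /^59[0-9][0-9]$/ && addr != "127.0.0.1" && addr != "[::1]") {
                print laddr
                exposed = 1
            }
        }
        END { if (exposed) exit 1; exit 0 }'
}
```

The check deliberately looks only at the listening address: a VNC server bound to loopback is unreachable from the LAN regardless of the password, which is the property worth asserting given how weak VncAuth is.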
Adding Chinese fonts to the desktop

To display Chinese text, a Chinese font has to be installed, and the LC_ALL environment variable must be changed before vncserver is started (check with `locale -a` that the zh_TW.UTF-8 locale exists in the container).

```
[root@centosdesktop ~]# yum install cjkuni-uming-fonts
(output omitted)
[root@centosdesktop ~]# fc-list
/usr/share/fonts/dejavu/DejaVuSansCondensed-Oblique.ttf: DejaVu Sans,DejaVu Sans Condensed:style=Condensed Oblique,Oblique
/usr/share/fonts/dejavu/DejaVuSansCondensed-Bold.ttf: DejaVu Sans,DejaVu Sans Condensed:style=Condensed Bold,Bold
/usr/share/X11/fonts/Type1/c0611bt_.pfb: Courier 10 Pitch:style=Bold Italic
/usr/share/fonts/abattis-cantarell/Cantarell-Bold.otf: Cantarell:style=Bold
/usr/share/X11/fonts/Type1/UTBI____.pfa: Utopia:style=Bold Italic
/usr/share/X11/fonts/Type1/c0419bt_.pfb: Courier 10 Pitch:style=Regular
/usr/share/fonts/dejavu/DejaVuSans.ttf: DejaVu Sans:style=Book
/usr/share/fonts/cjkuni-uming/uming.ttc: AR PL UMing TW MBE:style=Light
/usr/share/X11/fonts/Type1/c0648bt_.pfb: Bitstream Charter:style=Regular
/usr/share/fonts/abattis-cantarell/Cantarell-Regular.otf: Cantarell:style=Regular
/usr/share/fonts/abattis-cantarell/Cantarell-Oblique.otf: Cantarell:style=Oblique
/usr/share/fonts/dejavu/DejaVuSans-Bold.ttf: DejaVu Sans:style=Bold
/usr/share/X11/fonts/Type1/cursor.pfa: Cursor:style=Regular
/usr/share/X11/fonts/Type1/UTB_____.pfa: Utopia:style=Bold
/usr/share/fonts/abattis-cantarell/Cantarell-BoldOblique.otf: Cantarell:style=BoldOblique
/usr/share/X11/fonts/Type1/c0583bt_.pfb: Courier 10 Pitch:style=Bold
/usr/share/X11/fonts/Type1/UTI_____.pfa: Utopia:style=Italic
/usr/share/X11/fonts/Type1/c0582bt_.pfb: Courier 10 Pitch:style=Italic
/usr/share/fonts/cjkuni-uming/uming.ttc: AR PL UMing TW:style=Light
/usr/share/fonts/cjkuni-uming/uming.ttc: AR PL UMing HK:style=Light
/usr/share/fonts/dejavu/DejaVuSansCondensed.ttf: DejaVu Sans,DejaVu Sans Condensed:style=Condensed,Book
/usr/share/fonts/dejavu/DejaVuSans-ExtraLight.ttf: DejaVu Sans,DejaVu Sans Light:style=ExtraLight
/usr/share/fonts/cjkuni-uming/uming.ttc: AR PL UMing CN:style=Light
/usr/share/fonts/dejavu/DejaVuSansCondensed-BoldOblique.ttf: DejaVu Sans,DejaVu Sans Condensed:style=Condensed Bold Oblique,Bold Oblique
/usr/share/fonts/google-noto-emoji/NotoColorEmoji.ttf: Noto Color Emoji:style=Regular
/usr/share/X11/fonts/Type1/c0633bt_.pfb: Bitstream Charter:style=Bold Italic
/usr/share/X11/fonts/Type1/c0649bt_.pfb: Bitstream Charter:style=Italic
/usr/share/fonts/dejavu/DejaVuSans-Oblique.ttf: DejaVu Sans:style=Oblique
/usr/share/X11/fonts/Type1/c0632bt_.pfb: Bitstream Charter:style=Bold
/usr/share/fonts/dejavu/DejaVuSans-BoldOblique.ttf: DejaVu Sans:style=Bold Oblique
/usr/share/X11/fonts/Type1/UTRG____.pfa: Utopia:style=Regular
[root@centosdesktop ~]#
```

The `AR PL UMing` entries confirm the font is registered with fontconfig. Then, as the desktop user:

```
[aaa@centosdesktop ~]$ export LC_ALL=zh_TW.UTF-8
[aaa@centosdesktop ~]$ vncserver -depth 24 -geometry 1280x1024
```