LXC VM inside LXC container?

Hi, is it possible to launch an LXC VM inside an LXC container?

I’ve set up an LXC container where I can successfully run nested virtualization:

  • docker
  • podman
  • virtualbox
  • libvirt
  • lxc container

but not an LXC VM.

How can I achieve this?

It’s super handy for testing my Ansible roles with Molecule!

Cordially

Played with this a bit and got it working with some changes.


Thanks @stgraber

I followed the directions:

root@lxc-container-01:~# lxc launch images:ubuntu/22.04 u22 -c security.nesting=true
Creating u22
Starting u22
root@lxc-container-01:~# lxc config device add u22 kvm unix-char source=/dev/kvm
Device kvm added to u22
root@lxc-container-01:~# lxc config device add u22 vhost-net unix-char source=/dev/vhost-net
Device vhost-net added to u22
root@lxc-container-01:~# lxc config device add u22 vhost-vsock unix-char source=/dev/vhost-vsock
Device vhost-vsock added to u22
root@lxc-container-01:~# lxc exec u22 -- bash

root@u22:~# lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (lvm, zfs, ceph, btrfs, dir) [default=zfs]: dir     # Error with ZFS, lvm or btrfs 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:

root@u22:~# lxd init --dump
config: {}
networks:
- config:
    ipv4.address: 10.117.86.1/24
    ipv4.nat: "true"
    ipv6.address: none
  description: ""
  name: lxdbr0
  type: bridge
  project: default
storage_pools:
- config:
    source: /var/snap/lxd/common/lxd/storage-pools/default
  description: ""
  name: default
  driver: dir
profiles:
- config: {}
  description: Default LXD profile
  devices:
    eth0:
      name: eth0
      network: lxdbr0
      type: nic
    root:
      path: /
      pool: default
      type: disk
  name: default
projects:
- config:
    features.images: "true"
    features.networks: "true"
    features.profiles: "true"
    features.storage.volumes: "true"
  description: Default LXD project
  name: default

and got this error:

root@u22:~# lxc launch images:ubuntu/22.04 u22vm --vm
Creating u22vm
Starting u22vm                              
Error: Failed to run: forklimits limit=memlock:unlimited:unlimited fd=3 -- /snap/lxd/23155/bin/qemu-system-x86_64 -S -name u22vm -uuid 27647c37-c204-4d90-9eef-21f9641ffa34 -daemonize -cpu host,hv_passthrough -nographic -serial chardev:console -nodefaults -no-user-config -sandbox on,obsolete=deny,elevateprivileges=allow,spawn=allow,resourcecontrol=deny -readconfig /var/snap/lxd/common/lxd/logs/u22vm/qemu.conf -spice unix=on,disable-ticketing=on,addr=/var/snap/lxd/common/lxd/logs/u22vm/qemu.spice -pidfile /var/snap/lxd/common/lxd/logs/u22vm/qemu.pid -D /var/snap/lxd/common/lxd/logs/u22vm/qemu.log -smbios type=2,manufacturer=Canonical Ltd.,product=LXD -runas lxd: : Process exited with non-zero value 1
Try `lxc info --show-log local:u22vm` for more info

I added these parameters to the container:

  security.privileged: "true"
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw
    lxc.cap.drop=
    lxc.cgroup.devices.allow=a
root@lxc-container-01:~# lxc config show u22
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20220601_07:42)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20220601_07:42"
  image.type: squashfs
  image.variant: default
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw
    lxc.cap.drop=
    lxc.cgroup.devices.allow=a
  security.nesting: "true"
  security.privileged: "true"
  volatile.base_image: 1775f34f053699d05ae0bef21aee7553e0da071a1321d21538e244a33b2e4d90
  volatile.cloud-init.instance-id: f146b059-be15-4f40-8910-21cfad72a667
  volatile.eth0.host_name: vethbda9fb50
  volatile.eth0.hwaddr: 00:16:3e:db:76:42
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: f753ebbb-56f5-4c46-987c-d026da1b99b8
devices:
  kvm:
    source: /dev/kvm
    type: unix-char
  vhost-net:
    source: /dev/vhost-net
    type: unix-char
  vhost-vsock:
    source: /dev/vhost-vsock
    type: unix-char
ephemeral: false
profiles:
- default
stateful: false
description: ""

and it’s ok:

root@lxc-container-01:~# lxc exec u22 -- bash
root@u22:~# lxc delete u22vm
root@u22:~# lxc launch images:ubuntu/22.04 u22vm --vm
Creating u22vm
Starting u22vm

root@u22:~# lxc list
+--------+---------+-----------------------+------+-----------------+-----------+
|  NAME  |  STATE  |         IPV4          | IPV6 |      TYPE       | SNAPSHOTS |
+--------+---------+-----------------------+------+-----------------+-----------+
| u22vm  | RUNNING | 10.117.86.41 (enp5s0) |      | VIRTUAL-MACHINE | 0         |
+--------+---------+-----------------------+------+-----------------+-----------+

Are these additional parameters too broad?

The PR is merged but not released yet.
You should avoid running privileged containers, as it is not as secure.
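To answer "are these additional parameters too broad?" concretely, here is an added example (not code from the thread or from the LXD project) that audits an `lxc config show <instance>` dump for the settings that remove container isolation: `security.privileged`, an unconfined AppArmor profile, an empty `lxc.cap.drop`, `lxc.cgroup.devices.allow=a` and a writable `/sys`. The two sample configs are constructed inline: the first copies the working-but-privileged config posted above, the second is the earlier baseline (nesting plus `/dev/kvm` and `/dev/vhost-*` passthrough only). The function names, the temp files and the finding messages are this example's own choices.

```shell
#!/bin/sh
# Added example: flag isolation-removing settings in `lxc config show` output.
# Usage: audit_lxd_config /path/to/config.yaml   (or: lxc config show u22 > f; audit_lxd_config f)

audit_lxd_config() {
    # Reads an instance config in YAML form from the file named in $1 and
    # prints one FINDING line per setting that weakens container isolation.
    awk '
    function flag(msg) { print "FINDING: " msg }
    /^[[:space:]]*security\.privileged:[[:space:]]*"?true"?/ \
        { flag("security.privileged=true: container root is real host root") }
    /^[[:space:]]*lxc\.apparmor\.profile=unconfined/ \
        { flag("raw.lxc lxc.apparmor.profile=unconfined: no AppArmor confinement") }
    /^[[:space:]]*lxc\.cap\.drop=[[:space:]]*$/ \
        { flag("raw.lxc lxc.cap.drop= (empty): no capabilities dropped") }
    /^[[:space:]]*lxc\.cgroup\.devices\.allow=a/ \
        { flag("raw.lxc lxc.cgroup.devices.allow=a: unrestricted device access") }
    /^[[:space:]]*lxc\.mount\.auto=.*sys:rw/ \
        { flag("raw.lxc lxc.mount.auto sys:rw: writable /sys") }
    ' "$1"
}

finding_count() {
    # Number of FINDING lines for the config file in $1 (0 means clean).
    audit_lxd_config "$1" | awk 'END { print NR + 0 }'
}

# Constructed sample 1: the privileged config from the thread (abridged).
RISKY_CFG=$(mktemp)
cat > "$RISKY_CFG" <<'EOF'
config:
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw
    lxc.cap.drop=
    lxc.cgroup.devices.allow=a
  security.nesting: "true"
  security.privileged: "true"
devices:
  kvm:
    source: /dev/kvm
    type: unix-char
EOF

# Constructed sample 2: the least-privilege baseline (nesting + device passthrough).
CLEAN_CFG=$(mktemp)
cat > "$CLEAN_CFG" <<'EOF'
config:
  security.nesting: "true"
devices:
  kvm:
    source: /dev/kvm
    type: unix-char
  vhost-net:
    source: /dev/vhost-net
    type: unix-char
  vhost-vsock:
    source: /dev/vhost-vsock
    type: unix-char
EOF

echo "== privileged config =="; audit_lxd_config "$RISKY_CFG"
echo "findings: $(finding_count "$RISKY_CFG")"
echo "== baseline config =="; audit_lxd_config "$CLEAN_CFG"
echo "findings: $(finding_count "$CLEAN_CFG")"
```

The baseline config yields no findings: `security.nesting` and passing `/dev/kvm` and `/dev/vhost-*` as `unix-char` devices are the minimum a nested LXD needs, and they do not make the container root equal to host root. Every line the privileged config adds on top of that turns up as a finding, which is why the advice in the reply above is to keep the unprivileged setup and wait for the released fix rather than carry these settings into anything beyond a throwaway test host.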