使用 LXD 容器运行 Ubuntu Core
Ubuntu Core 是什么?
Ubuntu Core 是完全基于 snap 包构建,并且完全事务化的 Ubuntu 版本。
该系统大部分是只读的,所有已安装的应用全部来自 snap 包,完全使用事务化更新。这意味着不管在系统更新还是安装软件的时候遇到问题,整个系统都可以回退到之前的状态并且记录这个错误。
最新版是在 2016 年 11 月发布的 Ubuntu Core 16。
注意,Ubuntu Core 限制只能够安装 snap 包(而非 “传统” 软件包),并且有相当数量的 snap 包在当前环境下不能正常运行,或者需要人工干预(创建用户和用户组等)才能正常运行。随着新版的 snapd 和 “core” snap 包发布,Ubuntu Core 每周都会得到改进。
环境需求
就 LXD 而言,Ubuntu Core 仅仅相当于另一个 Linux 发行版。也就是说,snapd 需要挂载无特权的 FUSE 和 AppArmor 命名空间以及软件栈,像下面这样:
- 一个新版的使用 Ubuntu 官方内核的系统
- 一个新版的 LXD
创建一个 Ubuntu Core 容器
当前 Ubuntu Core 镜像发布在社区的镜像服务器。你可以像这样启动一个新的容器:
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc launch images</span><span class="pun">:</span><span class="pln">ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">/</span><span class="lit">16</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core</span>
<span class="typ">Creating</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core</span>
<span class="typ">Starting</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core</span>
这个容器启动需要一点点时间,它会先执行第一阶段的加载程序,加载程序会确定使用哪一个镜像(镜像是只读的),并且在系统上设置一个可读层,你不要在这一阶段中断容器执行,这个时候什么都没有,所以执行 lxc exec
将会出错。
几秒钟之后,执行 lxc list
将会展示容器的 IP 地址,这表明已经启动了 Ubuntu Core:
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc </span><span class="kwd">list</span>
<span class="pun">+-------------+---------+----------------------+----------------------------------------------+------------+-----------+</span>
<span class="pun">|</span><span class="pln"> NAME </span><span class="pun">|</span><span class="pln"> STATE </span><span class="pun">|</span><span class="pln"> IPV4 </span><span class="pun">|</span><span class="pln"> IPV6 </span><span class="pun">|</span><span class="pln"> TYPE </span><span class="pun">|</span><span class="pln"> SNAPSHOTS </span><span class="pun">|</span>
<span class="pun">+-------------+---------+----------------------+----------------------------------------------+------------+-----------+</span>
<span class="pun">|</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core </span><span class="pun">|</span><span class="pln"> RUNNING </span><span class="pun">|</span><span class="lit">10.90</span><span class="pun">.</span><span class="lit">151.104</span><span class="pun">(</span><span class="pln">eth0</span><span class="pun">)</span><span class="pun">|</span><span class="lit">2001</span><span class="pun">:</span><span class="lit">470</span><span class="pun">:</span><span class="pln">b368</span><span class="pun">:</span><span class="pln">b2b5</span><span class="pun">:</span><span class="lit">216</span><span class="pun">:</span><span class="lit">3eff</span><span class="pun">:</span><span class="pln">fee1</span><span class="pun">:</span><span class="lit">296f</span><span class="pun">(</span><span class="pln">eth0</span><span class="pun">)</span><span class="pun">|</span><span class="pln"> PERSISTENT </span><span class="pun">|</span><span class="lit">0</span><span class="pun">|</span>
<span class="pun">+-------------+---------+----------------------+----------------------------------------------+------------+-----------+</span>
之后你就可以像使用其他的交互一样和这个容器进行交互:
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc </span><span class="kwd">exec</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core </span><span class="kwd">bash</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> snap </span><span class="kwd">list</span>
<span class="typ">Name</span><span class="typ">Version</span><span class="typ">Rev</span><span class="typ">Developer</span><span class="typ">Notes</span>
<span class="pln">core </span><span class="lit">16.04</span><span class="pun">.</span><span class="lit">1</span><span class="lit">394</span><span class="pln"> canonical </span><span class="pun">-</span>
<span class="pln">pc </span><span class="lit">16.04</span><span class="pun">-</span><span class="lit">0.8</span><span class="lit">9</span><span class="pln"> canonical </span><span class="pun">-</span>
<span class="pln">pc</span><span class="pun">-</span><span class="pln">kernel </span><span class="lit">4.4</span><span class="pun">.</span><span class="lit">0</span><span class="pun">-</span><span class="lit">45</span><span class="pun">-</span><span class="lit">4</span><span class="lit">37</span><span class="pln"> canonical </span><span class="pun">-</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span>
更新容器
如果你一直关注着 Ubuntu Core 的开发,你应该知道上面的版本已经很老了。这是因为被用作 Ubuntu LXD 镜像的代码每隔几个月才会更新。Ubuntu Core 系统在重启时会检查更新并进行自动更新(更新失败会回退)。
如果你想现在强制更新,你可以这样做:
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc </span><span class="kwd">exec</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core </span><span class="kwd">bash</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> snap refresh</span>
<span class="pln">pc</span><span class="pun">-</span><span class="pln">kernel </span><span class="pun">(</span><span class="pln">stable</span><span class="pun">)</span><span class="lit">4.4</span><span class="pun">.</span><span class="lit">0</span><span class="pun">-</span><span class="lit">53</span><span class="pun">-</span><span class="lit">1</span><span class="kwd">from</span><span class="str">'canonical'</span><span class="pln"> upgraded</span>
<span class="pln">core </span><span class="pun">(</span><span class="pln">stable</span><span class="pun">)</span><span class="lit">16.04</span><span class="pun">.</span><span class="lit">1</span><span class="kwd">from</span><span class="str">'canonical'</span><span class="pln"> upgraded</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> snap version</span>
<span class="pln">snap </span><span class="lit">2.17</span>
<span class="pln">snapd </span><span class="lit">2.17</span>
<span class="pln">series </span><span class="lit">16</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span>
然后重启一下 Ubuntu Core 系统,然后看看 snapd 的版本。
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="kwd">reboot</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span>
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc </span><span class="kwd">exec</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core </span><span class="kwd">bash</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> snap version</span>
<span class="pln">snap </span><span class="lit">2.21</span>
<span class="pln">snapd </span><span class="lit">2.21</span>
<span class="pln">series </span><span class="lit">16</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span>
你也可以像下面这样查看所有 snapd 的历史记录:
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc </span><span class="kwd">exec</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core snap changes</span>
<span class="pln">ID </span><span class="typ">Status</span><span class="typ">Spawn</span><span class="typ">Ready</span><span class="typ">Summary</span>
<span class="lit">1</span><span class="typ">Done</span><span class="lit">2017</span><span class="pun">-</span><span class="lit">01</span><span class="pun">-</span><span class="lit">31T05</span><span class="pun">:</span><span class="lit">14</span><span class="pun">:</span><span class="lit">38Z</span><span class="lit">2017</span><span class="pun">-</span><span class="lit">01</span><span class="pun">-</span><span class="lit">31T05</span><span class="pun">:</span><span class="lit">14</span><span class="pun">:</span><span class="lit">44Z</span><span class="typ">Initialize</span><span class="pln"> system state</span>
<span class="lit">2</span><span class="typ">Done</span><span class="lit">2017</span><span class="pun">-</span><span class="lit">01</span><span class="pun">-</span><span class="lit">31T05</span><span class="pun">:</span><span class="lit">14</span><span class="pun">:</span><span class="lit">40Z</span><span class="lit">2017</span><span class="pun">-</span><span class="lit">01</span><span class="pun">-</span><span class="lit">31T05</span><span class="pun">:</span><span class="lit">14</span><span class="pun">:</span><span class="lit">45Z</span><span class="typ">Initialize</span><span class="pln"> device</span>
<span class="lit">3</span><span class="typ">Done</span><span class="lit">2017</span><span class="pun">-</span><span class="lit">01</span><span class="pun">-</span><span class="lit">31T05</span><span class="pun">:</span><span class="lit">21</span><span class="pun">:</span><span class="lit">30Z</span><span class="lit">2017</span><span class="pun">-</span><span class="lit">01</span><span class="pun">-</span><span class="lit">31T05</span><span class="pun">:</span><span class="lit">22</span><span class="pun">:</span><span class="lit">45Z</span><span class="typ">Refresh</span><span class="pln"> all snaps </span><span class="kwd">in</span><span class="pln"> the system</span>
安装 Snap 软件包
以一个最简单的例子开始,经典的 Hello World:
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc </span><span class="kwd">exec</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core </span><span class="kwd">bash</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> snap install hello</span><span class="pun">-</span><span class="pln">world</span>
<span class="pln">hello</span><span class="pun">-</span><span class="pln">world </span><span class="lit">6.3</span><span class="kwd">from</span><span class="str">'canonical'</span><span class="pln"> installed</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> hello</span><span class="pun">-</span><span class="pln">world</span>
<span class="typ">Hello</span><span class="typ">World</span><span class="pun">!</span>
接下来让我们看一些更有用的:
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc </span><span class="kwd">exec</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core </span><span class="kwd">bash</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> snap install nextcloud</span>
<span class="pln">nextcloud </span><span class="lit">11.0</span><span class="pun">.</span><span class="lit">1snap2</span><span class="kwd">from</span><span class="str">'nextcloud'</span><span class="pln"> installed</span>
之后通过 HTTP 访问你的容器就可以看到刚才部署的 Nextcloud 实例。
如果你想直接通过 git 测试最新版 LXD,你可以这样做:
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc config </span><span class="kwd">set</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core security</span><span class="pun">.</span><span class="pln">nesting </span><span class="kwd">true</span>
<span class="pln">stgraber@dakara</span><span class="pun">:~</span><span class="pln">$ lxc </span><span class="kwd">exec</span><span class="pln"> ubuntu</span><span class="pun">-</span><span class="pln">core </span><span class="kwd">bash</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> snap install lxd </span><span class="pun">--</span><span class="pln">edge</span>
<span class="pln">lxd </span><span class="pun">(</span><span class="pln">edge</span><span class="pun">)</span><span class="kwd">git</span><span class="pun">-</span><span class="pln">c6006fb </span><span class="kwd">from</span><span class="str">'canonical'</span><span class="pln"> installed</span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> lxd </span><span class="kwd">init</span>
<span class="typ">Name</span><span class="pln"> of the storage backend to </span><span class="kwd">use</span><span class="pun">(</span><span class="kwd">dir</span><span class="kwd">or</span><span class="pln"> zfs</span><span class="pun">)</span><span class="pun">[</span><span class="kwd">default</span><span class="pun">=</span><span class="kwd">dir</span><span class="pun">]:</span>
<span class="typ">We</span><span class="pln"> detected that you are running inside an unprivileged container</span><span class="pun">.</span>
<span class="typ">This</span><span class="pln"> means that </span><span class="kwd">unless</span><span class="pln"> you manually configured your host otherwise</span><span class="pun">,</span>
<span class="pln">you will </span><span class="kwd">not</span><span class="pln"> have enough uid </span><span class="kwd">and</span><span class="pln"> gid to allocate to your containers</span><span class="pun">.</span>
<span class="pln">LXD can re</span><span class="pun">-</span><span class="kwd">use</span><span class="pln"> your container</span><span class="str">'s own allocation to avoid the problem.</span>
<span class="str">Doing so makes your nested containers slightly less safe as they could</span>
<span class="str">in theory attack their parent container and gain more privileges than</span>
<span class="str">they otherwise would.</span>
<span class="str">Would you like to have your containers share their parent'</span><span class="pln">s allocation </span><span class="pun">(</span><span class="kwd">yes</span><span class="pun">/</span><span class="kwd">no</span><span class="pun">)</span><span class="pun">[</span><span class="kwd">default</span><span class="pun">=</span><span class="kwd">yes</span><span class="pun">]?</span>
<span class="typ">Would</span><span class="pln"> you like LXD to be available over the network </span><span class="pun">(</span><span class="kwd">yes</span><span class="pun">/</span><span class="kwd">no</span><span class="pun">)</span><span class="pun">[</span><span class="kwd">default</span><span class="pun">=</span><span class="kwd">no</span><span class="pun">]?</span>
<span class="typ">Would</span><span class="pln"> you like stale cached images to be updated automatically </span><span class="pun">(</span><span class="kwd">yes</span><span class="pun">/</span><span class="kwd">no</span><span class="pun">)</span><span class="pun">[</span><span class="kwd">default</span><span class="pun">=</span><span class="kwd">yes</span><span class="pun">]?</span>
<span class="typ">Would</span><span class="pln"> you like to create a </span><span class="kwd">new</span><span class="pln"> network bridge </span><span class="pun">(</span><span class="kwd">yes</span><span class="pun">/</span><span class="kwd">no</span><span class="pun">)</span><span class="pun">[</span><span class="kwd">default</span><span class="pun">=</span><span class="kwd">yes</span><span class="pun">]?</span>
<span class="typ">What</span><span class="pln"> should the </span><span class="kwd">new</span><span class="pln"> bridge be called </span><span class="pun">[</span><span class="kwd">default</span><span class="pun">=</span><span class="pln">lxdbr0</span><span class="pun">]?</span>
<span class="typ">What</span><span class="typ">IPv4</span><span class="pln"> address should be used </span><span class="pun">(</span><span class="pln">CIDR subnet notation</span><span class="pun">,</span><span class="pun">“</span><span class="kwd">auto</span><span class="pun">”</span><span class="kwd">or</span><span class="pun">“</span><span class="pln">none</span><span class="pun">”)</span><span class="pun">[</span><span class="kwd">default</span><span class="pun">=</span><span class="kwd">auto</span><span class="pun">]?</span>
<span class="typ">What</span><span class="typ">IPv6</span><span class="pln"> address should be used </span><span class="pun">(</span><span class="pln">CIDR subnet notation</span><span class="pun">,</span><span class="pun">“</span><span class="kwd">auto</span><span class="pun">”</span><span class="kwd">or</span><span class="pun">“</span><span class="pln">none</span><span class="pun">”)</span><span class="pun">[</span><span class="kwd">default</span><span class="pun">=</span><span class="kwd">auto</span><span class="pun">]?</span>
<span class="pln">LXD has been successfully configured</span><span class="pun">.</span>
已经设置过的容器不能回退版本,但是可以在 Ubuntu Core 16 中运行另一个 Ubuntu Core 16 容器:
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> lxc launch images</span><span class="pun">:</span><span class="pln">ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">/</span><span class="lit">16</span><span class="pln"> nested</span><span class="pun">-</span><span class="pln">core</span>
<span class="typ">Creating</span><span class="pln"> nested</span><span class="pun">-</span><span class="pln">core</span>
<span class="typ">Starting</span><span class="pln"> nested</span><span class="pun">-</span><span class="pln">core </span>
<span class="pln">root@ubuntu</span><span class="pun">-</span><span class="pln">core</span><span class="pun">:~#</span><span class="pln"> lxc </span><span class="kwd">list</span>
<span class="pun">+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+</span>
<span class="pun">|</span><span class="pln"> NAME </span><span class="pun">|</span><span class="pln"> STATE </span><span class="pun">|</span><span class="pln"> IPV4 </span><span class="pun">|</span><span class="pln"> IPV6 </span><span class="pun">|</span><span class="pln"> TYPE </span><span class="pun">|</span><span class="pln"> SNAPSHOTS </span><span class="pun">|</span>
<span class="pun">+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+</span>
<span class="pun">|</span><span class="pln"> nested</span><span class="pun">-</span><span class="pln">core </span><span class="pun">|</span><span class="pln"> RUNNING </span><span class="pun">|</span><span class="lit">10.71</span><span class="pun">.</span><span class="lit">135.21</span><span class="pun">(</span><span class="pln">eth0</span><span class="pun">)</span><span class="pun">|</span><span class="pln"> fd42</span><span class="pun">:</span><span class="lit">2861</span><span class="pun">:</span><span class="lit">5aad</span><span class="pun">:</span><span class="lit">3842</span><span class="pun">:</span><span class="lit">216</span><span class="pun">:</span><span class="lit">3eff</span><span class="pun">:</span><span class="pln">feaf</span><span class="pun">:</span><span class="pln">e6bd </span><span class="pun">(</span><span class="pln">eth0</span><span class="pun">)</span><span class="pun">|</span><span class="pln"> PERSISTENT </span><span class="pun">|</span><span class="lit">0</span><span class="pun">|</span>
<span class="pun">+-------------+---------+---------------------+-----------------------------------------------+------------+-----------+</span>
写在最后
如果你只是想试用一下 Ubuntu Core,这是一个不错的方法。对于 snap 包开发者来说,这也是一个不错的工具来测试你的 snap 包能否在不同的环境下正常运行。
如果你希望你的系统总是最新的,并且整体可复制,Ubuntu Core 是一个很不错的方案,不过这也会带来一些相应的限制,所以可能不太适合你。
最后是一个警告,对于测试来说,这些镜像是足够的,但是当前并没有被正式的支持。在不久的将来,官方的 Ubuntu server 可以完整的支持 Ubuntu Core LXD 镜像。
附录
- LXD 主站:https://linuxcontainers.org/lxd
- Github:https://github.com/lxc/lxd
- 邮件列表:https://lists.linuxcontainers.org
- IRC:#lxcontainers on irc.freenode.net
- 在线试用:https://linuxcontainers.org/lxd/try-it
来自: https://insights.ubuntu.com/2017/02/27/ubuntu-core-in-lxd-containers/
作者:Stéphane Graber 译者:aiwhj 校对:wxy