Update config templates
Updated config templates to benefit from initial_setup running after the jail has fully started. Added conditional nvidia-container-toolkit install during initial_setup. Config templates now default to bridge networking.
This commit is contained in:
parent
4cd7c54c58
commit
b849cb787c
|
@ -2,4 +2,4 @@
|
||||||
|
|
||||||
## Setup
|
## Setup
|
||||||
|
|
||||||
Check out the [config](./config) template file. You may provide it when asked during `jlmkr create` or, if you have the template file stored on your NAS, you may provide it directly by running `jlmkr create --start --config /mnt/tank/path/to/docker/config mydockerjail`.
|
Check out the [config](./config) template file. You may provide it when asked during `jlmkr create` or, if you have the template file stored on your NAS, you may provide it directly by running `jlmkr create --start --config /mnt/tank/path/to/docker/config mydockerjail`. If you want the `nvidia-container-toolkit` to be installed, ensure you set `gpu_passthrough_nvidia=1` when creating the jail.
|
|
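Review bot: the added sentence should make clear that this happens only at creation time: `initial_setup` runs once, so setting `gpu_passthrough_nvidia=1` on an existing jail later will not install the toolkit. It would also help to say that the config script keys on the presence of `/usr/bin/nvidia-smi` inside the jail rather than reading the setting itself, so a jail created with the flag but without a working NVIDIA passthrough will silently skip the install.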
@ -6,10 +6,10 @@ seccomp=1
|
||||||
|
|
||||||
# Use macvlan networking to provide an isolated network namespace,
|
# Use macvlan networking to provide an isolated network namespace,
|
||||||
# so docker can manage firewall rules
|
# so docker can manage firewall rules
|
||||||
# Alternatively use --network-bridge=br1 instead of --network-macvlan
|
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
|
||||||
# Ensure to change eno1/br1 to the interface name you want to use
|
# Ensure to change eno1/br1 to the interface name you want to use
|
||||||
# You may want to add additional options here, e.g. bind mounts
|
# You may want to add additional options here, e.g. bind mounts
|
||||||
systemd_nspawn_user_args=--network-macvlan=eno1
|
systemd_nspawn_user_args=--network-bridge=br1
|
||||||
--resolv-conf=bind-host
|
--resolv-conf=bind-host
|
||||||
--system-call-filter='add_key keyctl bpf'
|
--system-call-filter='add_key keyctl bpf'
|
||||||
|
|
||||||
|
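Review bot: the first comment line still reads "Use macvlan networking to provide an isolated network namespace" while the default below is now `--network-bridge=br1`; update it to describe bridge networking, since the "Alternatively use --network-macvlan=eno1" line already reads the other way. Worth adding that bridge places the jail directly on the host bridge and its LAN, and that `initial_setup` now runs inside that network namespace, so apt needs working connectivity and DNS (via `--resolv-conf=bind-host`) on `br1` before the script can succeed.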
@ -29,8 +29,8 @@ release=bookworm
|
||||||
|
|
||||||
# Install docker inside the jail:
|
# Install docker inside the jail:
|
||||||
# https://docs.docker.com/engine/install/debian/#install-using-the-repository
|
# https://docs.docker.com/engine/install/debian/#install-using-the-repository
|
||||||
# NOTE: this script will run in the host networking namespace and ignores
|
# Will also install the NVIDIA Container Toolkit if gpu_passthrough_nvidia=1 during initial setup
|
||||||
# all systemd_nspawn_user_args such as bind mounts
|
# https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html
|
||||||
initial_setup=#!/usr/bin/bash
|
initial_setup=#!/usr/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
|
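Review bot: the removed NOTE explained that the script ran in the host network namespace; after this change it runs inside the jail (per the commit message), so the `curl` and `apt-get` calls that follow depend on the jail's own `--network-bridge`/`--network-macvlan` interface being up. A one-line replacement comment stating that would help users whose bridge has no DHCP. Also, the new comment says the toolkit is installed "if gpu_passthrough_nvidia=1", while the script in the next hunk tests for `/usr/bin/nvidia-smi`; align the wording so the documented condition matches the check.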
@ -43,9 +43,27 @@ initial_setup=#!/usr/bin/bash
|
||||||
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
|
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
|
||||||
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
|
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
|
||||||
tee /etc/apt/sources.list.d/docker.list > /dev/null
|
tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||||
|
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||||
|
|
||||||
|
# The /usr/bin/nvidia-smi will be present when gpu_passthrough_nvidia=1
|
||||||
|
if [ -f /usr/bin/nvidia-smi ]; then
|
||||||
|
curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey -o /etc/apt/keyrings/nvidia.asc
|
||||||
|
chmod a+r /etc/apt/keyrings/nvidia.asc
|
||||||
|
curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
|
||||||
|
sed 's#deb https://#deb [signed-by=/etc/apt/keyrings/nvidia.asc] https://#g' | \
|
||||||
|
tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
|
||||||
|
|
||||||
|
apt-get update
|
||||||
|
apt-get install -y nvidia-container-toolkit
|
||||||
|
|
||||||
|
nvidia-ctk runtime configure --runtime=docker
|
||||||
|
systemctl restart docker
|
||||||
|
fi
|
||||||
|
|
||||||
|
docker info
|
||||||
|
|
||||||
# You generally will not need to change the options below
|
# You generally will not need to change the options below
|
||||||
systemd_run_default_args=--property=KillMode=mixed
|
systemd_run_default_args=--property=KillMode=mixed
|
||||||
--property=Type=notify
|
--property=Type=notify
|
||||||
|
|
|
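Review bot: `curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | sed ... | tee ...` lacks `-f`, so an HTTP error response (for example a 404 page) exits 0 and its body is written into `/etc/apt/sources.list.d/nvidia-container-toolkit.list`; `set -o pipefail` does not catch this. Use `curl -fsSL` as the preceding gpgkey line and the docker repository setup do, and add `> /dev/null` after `tee` for consistency with the docker list above. The `signed-by=/etc/apt/keyrings/nvidia.asc` rewrite is good; the remaining point is that `systemctl restart docker` after `nvidia-ctk runtime configure` will take down any containers already running, which is fine at creation time but should be noted if this script is ever re-run.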
@ -8,11 +8,10 @@
|
||||||
|
|
||||||
Check out the [config](./config) template file. You may provide it when asked during `jlmkr create` or, if you have the template file stored on your NAS, you may provide it directly by running `jlmkr create --start --config /mnt/tank/path/to/incus/config myincusjail`.
|
Check out the [config](./config) template file. You may provide it when asked during `jlmkr create` or, if you have the template file stored on your NAS, you may provide it directly by running `jlmkr create --start --config /mnt/tank/path/to/incus/config myincusjail`.
|
||||||
|
|
||||||
Unfortunately incus doesn't want to install from the `initial_setup` script inside the config file. So we manually finish the setup by running the following after creating and starting the jail:
|
We manually finish the setup by running the following after creating and starting the jail:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
jlmkr exec myincusjail bash -c 'apt-get -y install incus incus-ui-canonical &&
|
jlmkr exec myincusjail bash -c 'incus admin init'
|
||||||
incus admin init'
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Follow [First steps with Incus](https://linuxcontainers.org/incus/docs/main/tutorial/first_steps/).
|
Follow [First steps with Incus](https://linuxcontainers.org/incus/docs/main/tutorial/first_steps/).
|
||||||
|
|
|
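Review bot: with the explanation removed, the README no longer tells the reader why only `incus admin init` remains; a short sentence that the packages are now installed by `initial_setup`, and that `jlmkr exec` should only be run once that setup has finished, would avoid users running `admin init` before `incus` exists in the jail.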
@ -3,15 +3,16 @@ startup=0
|
||||||
gpu_passthrough_intel=0
|
gpu_passthrough_intel=0
|
||||||
gpu_passthrough_nvidia=0
|
gpu_passthrough_nvidia=0
|
||||||
# Turning off seccomp filtering improves performance at the expense of security
|
# Turning off seccomp filtering improves performance at the expense of security
|
||||||
seccomp=1
|
# TODO: don't disable seccomp but specify which syscalls should be allowed
|
||||||
|
seccomp=0
|
||||||
|
|
||||||
# Use macvlan networking to provide an isolated network namespace,
|
# Use macvlan networking to provide an isolated network namespace,
|
||||||
# so incus can manage firewall rules
|
# so incus can manage firewall rules
|
||||||
# Alternatively use --network-bridge=br1 instead of --network-macvlan
|
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
|
||||||
# Ensure to change eno1/br1 to the interface name you want to use
|
# Ensure to change eno1/br1 to the interface name you want to use
|
||||||
# You may want to add additional options here, e.g. bind mounts
|
# You may want to add additional options here, e.g. bind mounts
|
||||||
# TODO: don't use --capability=all but specify only the required capabilities
|
# TODO: don't use --capability=all but specify only the required capabilities
|
||||||
systemd_nspawn_user_args=--network-macvlan=eno1
|
systemd_nspawn_user_args=--network-bridge=br1
|
||||||
--resolv-conf=bind-host
|
--resolv-conf=bind-host
|
||||||
--capability=all
|
--capability=all
|
||||||
--bind=/dev/fuse
|
--bind=/dev/fuse
|
||||||
|
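Review bot: `seccomp=0` becomes the template default here with only a TODO explaining it; together with the unchanged `--capability=all` this removes the last syscall filtering from a jail that already has every capability. The docker and podman templates in this same commit keep `seccomp=1` and allow-list the extra syscalls with `--system-call-filter='add_key keyctl bpf'`; the same approach is preferable for incus, or at minimum the comment should name the syscall(s) incus needs that the default filter blocks so the TODO can be resolved rather than left as a permanent default.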
@ -36,8 +37,6 @@ release=bookworm
|
||||||
|
|
||||||
# Install incus according to:
|
# Install incus according to:
|
||||||
# https://github.com/zabbly/incus#installation
|
# https://github.com/zabbly/incus#installation
|
||||||
# NOTE: this script will run in the host networking namespace and ignores
|
|
||||||
# all systemd_nspawn_user_args such as bind mounts
|
|
||||||
initial_setup=#!/usr/bin/bash
|
initial_setup=#!/usr/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
apt-get update && apt-get -y install curl
|
apt-get update && apt-get -y install curl
|
||||||
|
@ -54,6 +53,7 @@ initial_setup=#!/usr/bin/bash
|
||||||
|
|
||||||
EOF'
|
EOF'
|
||||||
apt-get update
|
apt-get update
|
||||||
|
apt-get -y install incus incus-ui-canonical
|
||||||
|
|
||||||
# You generally will not need to change the options below
|
# You generally will not need to change the options below
|
||||||
systemd_run_default_args=--property=KillMode=mixed
|
systemd_run_default_args=--property=KillMode=mixed
|
||||||
|
|
|
@ -8,20 +8,7 @@
|
||||||
|
|
||||||
Check out the [config](./config) template file. You may provide it when asked during `jlmkr create` or, if you have the template file stored on your NAS, you may provide it directly by running `jlmkr create --start --config /mnt/tank/path/to/lxd/config mylxdjail`.
|
Check out the [config](./config) template file. You may provide it when asked during `jlmkr create` or, if you have the template file stored on your NAS, you may provide it directly by running `jlmkr create --start --config /mnt/tank/path/to/lxd/config mylxdjail`.
|
||||||
|
|
||||||
Unfortunately snapd doesn't want to install from the `initial_setup` script inside the config file. So we manually finish the setup by running the following after creating and starting the jail:
|
We manually finish the setup by running the command below after creating and starting the jail. Choose the `dir` storage backend during `lxd init` and answer `yes` to "Would you like the LXD server to be available over the network?"
|
||||||
|
|
||||||
```bash
|
|
||||||
# Repeat listing the jail until you see it has an IPv4 address
|
|
||||||
jlmkr list
|
|
||||||
|
|
||||||
# Install packages
|
|
||||||
jlmkr exec mylxdjail bash -c 'apt-get update &&
|
|
||||||
apt-get install -y --no-install-recommends snapd &&
|
|
||||||
snap install lxd'
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
Choose the `dir` storage backend during `lxd init` and answer `yes` to "Would you like the LXD server to be available over the network?"
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
jlmkr exec mylxdjail bash -c 'lxd init &&
|
jlmkr exec mylxdjail bash -c 'lxd init &&
|
||||||
|
|
|
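Review bot: the merged sentence now tells the reader to answer `yes` to "Would you like the LXD server to be available over the network?" without the surrounding context, and since the templates now default to bridge networking the jail has a LAN address, so that answer exposes the LXD API to the LAN. Suggest the README also tell the reader to set the trust password that `lxd init` prompts for, or to answer `no` unless remote access to the jail's LXD is actually wanted.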
@ -3,11 +3,12 @@ startup=0
|
||||||
gpu_passthrough_intel=0
|
gpu_passthrough_intel=0
|
||||||
gpu_passthrough_nvidia=0
|
gpu_passthrough_nvidia=0
|
||||||
# Turning off seccomp filtering improves performance at the expense of security
|
# Turning off seccomp filtering improves performance at the expense of security
|
||||||
seccomp=1
|
# TODO: don't disable seccomp but specify which syscalls should be allowed
|
||||||
|
seccomp=0
|
||||||
|
|
||||||
# Use macvlan networking to provide an isolated network namespace,
|
# Use macvlan networking to provide an isolated network namespace,
|
||||||
# so lxd can manage firewall rules
|
# so lxd can manage firewall rules
|
||||||
# Alternatively use --network-bridge=br1 instead of --network-macvlan
|
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
|
||||||
# Ensure to change eno1/br1 to the interface name you want to use
|
# Ensure to change eno1/br1 to the interface name you want to use
|
||||||
# You may want to add additional options here, e.g. bind mounts
|
# You may want to add additional options here, e.g. bind mounts
|
||||||
# TODO: don't use --capability=all but specify only the required capabilities
|
# TODO: don't use --capability=all but specify only the required capabilities
|
||||||
|
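Review bot: as with the incus template, `seccomp=0` becomes the default here with a TODO and the `--capability=all` comment unchanged, so the lxd jail ships with neither capability bounding nor syscall filtering. Prefer keeping `seccomp=1` and adding the required syscalls via `--system-call-filter=` as the docker and podman templates do, and document in the comment which syscall snapd or lxd needs that motivated disabling it.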
@ -34,12 +35,13 @@ pre_start_hook=#!/usr/bin/bash
|
||||||
distro=ubuntu
|
distro=ubuntu
|
||||||
release=jammy
|
release=jammy
|
||||||
|
|
||||||
# NOTE: this script will run in the host networking namespace and ignores
|
|
||||||
# all systemd_nspawn_user_args such as bind mounts
|
|
||||||
initial_setup=#!/usr/bin/bash
|
initial_setup=#!/usr/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
# https://discuss.linuxcontainers.org/t/snap-inside-privileged-lxd-container/13691/8
|
# https://discuss.linuxcontainers.org/t/snap-inside-privileged-lxd-container/13691/8
|
||||||
ln -sf /bin/true /usr/local/bin/udevadm
|
ln -sf /bin/true /usr/local/bin/udevadm
|
||||||
|
apt-get update
|
||||||
|
apt-get install -y --no-install-recommends snapd
|
||||||
|
snap install lxd
|
||||||
|
|
||||||
# You generally will not need to change the options below
|
# You generally will not need to change the options below
|
||||||
systemd_run_default_args=--property=KillMode=mixed
|
systemd_run_default_args=--property=KillMode=mixed
|
||||||
|
|
|
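Review bot: `snap install lxd` runs immediately after `apt-get install -y --no-install-recommends snapd` and, under `set -e`, aborts the whole `initial_setup` if snapd has not finished seeding yet (snapd reports "too early for operation, device not yet seeded" in that state); the removed README steps effectively waited for the jail to be up before doing this. Insert `snap wait system seed.loaded` before the install. The `ln -sf /bin/true /usr/local/bin/udevadm` workaround is unchanged and the linked discussion explains it.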
@ -6,10 +6,10 @@ seccomp=1
|
||||||
|
|
||||||
# Use macvlan networking to provide an isolated network namespace,
|
# Use macvlan networking to provide an isolated network namespace,
|
||||||
# so podman can manage firewall rules
|
# so podman can manage firewall rules
|
||||||
# Alternatively use --network-bridge=br1 instead of --network-macvlan
|
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
|
||||||
# Ensure to change eno1/br1 to the interface name you want to use
|
# Ensure to change eno1/br1 to the interface name you want to use
|
||||||
# You may want to add additional options here, e.g. bind mounts
|
# You may want to add additional options here, e.g. bind mounts
|
||||||
systemd_nspawn_user_args=--network-macvlan=eno1
|
systemd_nspawn_user_args=--network-bridge=br1
|
||||||
--resolv-conf=bind-host
|
--resolv-conf=bind-host
|
||||||
--system-call-filter='add_key keyctl bpf'
|
--system-call-filter='add_key keyctl bpf'
|
||||||
|
|
||||||
|
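Review bot: the comment "Use macvlan networking to provide an isolated network namespace" is now stale since the default below is `--network-bridge=br1`; reword it for bridge networking (the "Alternatively use --network-macvlan=eno1" line already assumes bridge is the default). As with the docker template, note that `initial_setup` now runs inside this network namespace, so `dnf` needs connectivity on `br1`.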
@ -28,8 +28,6 @@ distro=fedora
|
||||||
release=39
|
release=39
|
||||||
|
|
||||||
# Install podman inside the jail
|
# Install podman inside the jail
|
||||||
# NOTE: this script will run in the host networking namespace and ignores
|
|
||||||
# all systemd_nspawn_user_args such as bind mounts
|
|
||||||
initial_setup=#!/usr/bin/bash
|
initial_setup=#!/usr/bin/bash
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
dnf -y install podman
|
dnf -y install podman
|
||||||
|
|