2.7 KiB
Debian Incus Jail Template (LXD / LXC / KVM)
Check out the config template file. You may provide it when asked during jlmkr create
or, if you have the template file stored on your NAS, you may provide it directly by running jlmkr create myincusjail /mnt/tank/path/to/incus/config
. Then check out First steps with Incus.
Disclaimer
These notes are a work in progress. Using Incus in this setup hasn't been extensively tested.
Create Ubuntu Desktop VM
Incus web GUI should be running on port 8443. Create new instance, call it desktop
, and choose the Ubuntu jammy desktop virtual-machine ubuntu/22.04/desktop
image.
Bind mount / virtiofs
To access files from the TrueNAS host directly in a VM created with incus, we can use virtiofs.
incus config device add desktop test disk source=/home/test/ path=/mnt/test
The command above (when ran as root user inside the incus jail) adds a new virtiofs mount of a test directory inside the jail to a VM named desktop. The /home/test
dir resides in the jail, but you can first bind mount any directory from the TrueNAS host inside the incus jail and then forward this to the VM using virtiofs. This could be an alternative to NFS mounts.
Benchmarks
Inside LXD ubuntu desktop VM with virtiofs mount
root@desktop:/mnt/test# mount | grep test incus_test on /mnt/test type virtiofs (rw,relatime) root@desktop:/mnt/test# time iozone -a [...] real 2m22.389s user 0m2.222s sys 0m59.275s
In a jailmaker jail on the host:
root@incus:/home/test# time iozone -a [...] real 0m59.486s user 0m1.468s sys 0m25.458s
Inside LXD ubuntu desktop VM with virtiofs mount
root@desktop:/mnt/test# dd if=/dev/random of=./test1.img bs=1G count=1 oflag=dsync 1+0 records in 1+0 records out 1073741824 bytes (1.1 GB, 1.0 GiB) copied, 36.321 s, 29.6 MB/s
In a jailmaker jail on the host:
root@incus:/home/test# dd if=/dev/random of=./test2.img bs=1G count=1 oflag=dsync 1+0 records in 1+0 records out 1073741824 bytes (1.1 GB, 1.0 GiB) copied, 7.03723 s, 153 MB/s
Create Ubuntu container
To be able to create unprivileged (rootless) containers with incus inside the jail, you need to increase the amount of UIDs available inside the jail. Please refer to the Podman instructions for more information. If you don't increase the UIDs you can only create privileged containers. You'd have to change Privileged
to Allow
in Security policies
in this case.