keyvilla.blogg.se

Lxc ssh copy id










This is a "how I did it", not a "how to". Accordingly it is written in first person.

The document describes a server built for home use. Gentoo was chosen because maintenance is tremendous. Ext4 was chosen as it's recent and current. This latest incarnation of the server is a migration from vserver to LXC. The change was undertaken because one is not in the kernel, whereas the other is. Also networking under LXC is more flexible.

There doesn't seem much point in containerising the operating system without putting them in containers, so everything, including root, is put into a logical volume. I don't want my data to go wandering through physical theft or disk RMAs. The physical volume is therefore a dm-crypt device. The dm-crypt is put onto a /dev/md1 RAID 1 device, just to add a little protection from disk failure. Both disks are partitioned about the same. Except, /dev/sda2 is used to store bootable ISOs and /dev/sdb2 is swap.

Gentoo will be installed on the following stack

    #!/bin/busybox sh

    # Assumed helper: the script calls rescue_shell, but its definition is not on the page.
    rescue_shell() {
        echo "Something went wrong. Dropping to a shell."
        exec sh
    }

    #load_modules()

    # Mount the /proc and /sys filesystems.
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t devtmpfs none /dev

    #load_modules || rescue_shell
    # The kernel was made with the essential modules so that the initramfs does not need to be rebuilt every time with a new kernel.

    mdadm -As
    sleep 2
    mount LABEL=Keyfile /mnt/usb || rescue_shell  # The label is an ext filesystem label, not the label of the partition.
    cryptsetup create --cipher aes-xts-plain64 --key-file /mnt/usb/keyfile cryptmd1 /dev/md1
    #sleep 2
    lvm vgchange -ay || rescue_shell
    lvm vgscan --mknodes > /dev/null 2>&1
    mount -o ro /dev/mapper/vg-root /mnt/root || rescue_shell

    # Clean up.
    umount /proc
    umount /sys
    umount /mnt/usb

    # Boot the real thing.
    exec switch_root /mnt/root /sbin/init || rescue_shell

    ldd sbin/cryptsetup #and copy in the necessary files.
    cp -a /usr/lib64/libcryptsetup.so.4 usr/lib64/libcryptsetup.so.4
    cp -a /usr/lib64/libpopt.so.0 usr/lib64/libpopt.so.0
    cp -a /lib64/libuuid.so.1 lib64/libuuid.so.1
    cp -a /lib64/libdevmapper.so.1.02 lib64/libdevmapper.so.1.02
    cp -a /usr/lib64/libgcrypt.so.20 usr/lib64/libgcrypt.so.20
    cp -a /usr/lib64/libgpg-error.so.0 usr/lib64/libgpg-error.so.0
    cp -a /lib64/ld-linux-x86-64.so.2 lib64/ld-linux-x86-64.so.2
    cp -a /lib64/libudev.so.1 lib64/libudev.so.1
    cp -a /lib64/libpthread.so.0 lib64/libpthread.so.0
    cp -a /lib64/libresolv.so.2 lib64/libresolv.so.2
    cp -a /lib64/libcap.so.2 lib64/libcap.so.2
    cp -a /lib64/libattr.so.1 lib64/libattr.so.1
    cp -a /sbin/lvm sbin/ # again ldd is used to find out which libraries are needed.
    # previously I have still had to copy libraries in when built "static", so I don't bother with that any more.
    cp -a /lib64/libdevmapper-event.so.1.02.
    #cp -a /lib/modules/4.1.12-gentoo/kernel/drivers/net/ethernet/broadcom/bnx2.ko.
    #cp -a /lib/modules/4.1.12-gentoo/kernel/drivers/md/dm-crypt.ko.
    #cp -a /lib/modules/4.1.12-gentoo/kernel/drivers/net/phy/libphy.ko.
    #cp -a /lib/modules/4.1.12-gentoo/kernel/drivers/md/md-mod.ko.
    #cp -a /lib/modules/4.1.12-gentoo/kernel/drivers/md/raid1.ko.

When the kernel is patched with vserver, networking inside a container is unavailable. This makes migrating from one to the other difficult. To migrate, first make an initial container from a tarball or such like. Then chroot into this and follow the handbook. The container is then only useful when the kernel is changed over to one that is unpatched.

Mount /sys in unprivileged containers as rw instead of mixed. This can break networking under newer (>= v245) systemd-network use.

Allow using fuse file systems in a container. Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.

For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. Essentially, you can choose between running systemd-networkd or docker.

Allow unprivileged containers to use mknod() to add certain device nodes. This requires a kernel with seccomp trap to user space support (5.3 or newer). This is experimental.

Allow mounting file systems of specific types. This should be a list of file system types as used with the mount command.










