Debian – LXC migrate between hosts

debianlxcmigrationUbuntu

I had setup a testsystem with LXC and installed a webserver etc. that all was not the problem. But now I want to swich to another host system also I compressed /var/lib/lxc/webserver and copied it to the other host.
But there i got serval errors:

lxc-start: failed to attach 'vethO5HJ2b' to the bridge 'lxcbr0' : No such device
lxc-start: failed to create netdev
lxc-start: failed to create the network
lxc-start: failed to spawn 'webserver'

In the config i did found settings for network. Any Ideas to fix the network issue or exits a better way to migrate between hosts ?

ifconfig -a

Host1 (VM is working here)

eth0      Link encap:Ethernet  Hardware Adresse 00:25:90:d2:c2:d6  
          inet Adresse:85.xxx.xxx.43  Bcast:85.xxx.xxx.43  Maske:255.255.255.255
          inet6-Adresse: fe80::225:90ff:fed2:c2d6/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:186831047 errors:0 dropped:0 overruns:0 frame:0
          TX packets:170397357 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000 
          RX-Bytes:14641876568 (14.6 GB)  TX-Bytes:32363758586 (32.3 GB)
          Speicher:f7100000-f7180000 

eth0:1    Link encap:Ethernet  Hardware Adresse 00:25:90:d2:c2:d6  
          inet Adresse:81.xxx.xxx.247  Bcast:81.xxx.xxx.255  Maske:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          Speicher:f7100000-f7180000 

eth1      Link encap:Ethernet  Hardware Adresse 00:25:90:d2:c2:d7  
          BROADCAST MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000 
          RX-Bytes:0 (0.0 B)  TX-Bytes:0 (0.0 B)
          Interrupt:20 Speicher:f7200000-f7220000 

lo        Link encap:Lokale Schleife  
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:65536  Metrik:1
          RX packets:22574 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22574 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0 
          RX-Bytes:4393152 (4.3 MB)  TX-Bytes:4393152 (4.3 MB)

lxcbr0    Link encap:Ethernet  Hardware Adresse ee:2c:00:bf:f0:a9  
          inet Adresse:10.0.3.1  Bcast:10.0.3.255  Maske:255.255.255.0
          inet6-Adresse: fe80::ec2c:ff:febf:f0a9/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0 
          RX-Bytes:0 (0.0 B)  TX-Bytes:468 (468.0 B)

bridge name bridge id       STP enabled interfaces
lxcbr0      8000.000000000000   no  

ls: Zugriff auf /var/log/upstart/lxc* nicht möglich: Datei oder Verzeichnis nicht gefunden (in English, not found)  

$ brctl show
bridge name bridge id       STP enabled interfaces
lxcbr0      8000.000000000000   no      
minecraft@h2210663:~$ ls -l /var/log/upstart/lxc*
ls: Zugriff auf /var/log/upstart/lxc* nicht möglich: Datei oder Verzeichnis nicht gefunden
minecraft@h2210663:~$ cat /etc/default/lxc
# MIRROR to be used by ubuntu template at container creation:
# Leaving it undefined is fine
#MIRROR="http://archive.ubuntu.com/ubuntu"
# or 
#MIRROR="http://<host-ip-addr>:3142/archive.ubuntu.com/ubuntu"

# LXC_AUTO - whether or not to start containers symlinked under
# /etc/lxc/auto
LXC_AUTO="true"

# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers.  Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.
USE_LXC_BRIDGE="true"

# If you change the LXC_BRIDGE to something other than lxcbr0, then
# you will also need to update your /etc/lxc/default.conf as well as the
# configuration (/var/lib/lxc/<container>/config) for any containers
# already created using the default config to reflect the new bridge
# name.
# If you have the dnsmasq daemon installed, you'll also have to update
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"

LXC_SHUTDOWN_TIMEOUT=120

$ cat /etc/init/lxc-net.conf
description "lxc network"
author "Serge Hallyn <serge.hallyn@canonical.com>"

start on starting lxc
stop on stopped lxc

env USE_LXC_BRIDGE="false"
env LXC_BRIDGE="lxcbr0"
env LXC_ADDR="10.0.3.1"
env LXC_NETMASK="255.255.255.0"
env LXC_NETWORK="10.0.3.0/24"
env LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
env LXC_DHCP_MAX="253"
env varrun="/var/run/lxc"

pre-start script
    [ -f /etc/default/lxc ] && . /etc/default/lxc

    [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }

    cleanup() {
        # dnsmasq failed to start, clean up the bridge
        iptables -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
        ifconfig ${LXC_BRIDGE} down || true
        brctl delbr ${LXC_BRIDGE} || true
    }

    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
        if [ ! -f ${varrun}/network_up ]; then
            # bridge exists, but we didn't start it
            stop;
        fi
        exit 0;
    fi

    # set up the lxc network
    echo 1 > /proc/sys/net/ipv4/ip_forward
    mkdir -p ${varrun}
    brctl addbr ${LXC_BRIDGE}
    ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
    iptables -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
    dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file= --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
    touch ${varrun}/network_up
end script

post-stop script
    [ -f /etc/default/lxc ] && . /etc/default/lxc
    [ -f "${varrun}/network_up" ] || exit 0;
    # if $LXC_BRIDGE has attached interfaces, don't shut it down
    ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;

    if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
        ifconfig ${LXC_BRIDGE} down
        iptables -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
        pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true
        rm -f ${varrun}/dnsmasq.pid
        brctl delbr ${LXC_BRIDGE}
    fi
    rm -f ${varrun}/network_up
end script

Host2 (destination)

eth0      Link encap:Ethernet  Hardware Adresse 00:25:90:ae:09:6a  
          inet Adresse:2xx.xx4.xxx.217  Bcast:2xx.xx4.xxx.255  Maske:255.255.255.192
          inet6-Adresse: fe80::225:90ff:feae:96a/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX packets:2876153658 errors:0 dropped:48779 overruns:0 frame:0
          TX packets:2680725017 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000 
          RX bytes:234344379020 (218.2 GiB)  TX bytes:710758489234 (661.9 GiB)
          Interrupt:16 Speicher:df900000-df920000 

eth0:1    Link encap:Ethernet  Hardware Adresse 00:25:90:ae:09:6a  
          inet Adresse:2xx.xx4.xxx.252  Bcast:2xx.xx4.xxx.255  Maske:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          Interrupt:16 Speicher:df900000-df920000 

eth1      Link encap:Ethernet  Hardware Adresse 00:25:90:ae:09:6b  
          BROADCAST MULTICAST  MTU:1500  Metrik:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:20 Speicher:dfa00000-dfa20000 

lo        Link encap:Lokale Schleife  
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metrik:1
          RX packets:738956166 errors:0 dropped:0 overruns:0 frame:0
          TX packets:738956166 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0 
          RX bytes:65605834297 (61.1 GiB)  TX bytes:65605834297 (61.1 GiB)
$ brctl show
bridge name bridge id       STP enabled interfaces

   $ ls: Zugriff auf /var/log/upstart/lxc* nicht möglich: Datei oder Verzeichnis nicht gefunden (in English, not found) 

$ cat /etc/default/lxc
# /etc/default/lxc

LXC_AUTO="true"
LXC_DIRECTORY="/ssd/lib/lxc"

$ cat /etc/init/lxc-net.conf
cat: /etc/init/lxc-net.conf: Datei oder Verzeichnis nicht gefunden (in English, not found)

Best Answer

From the errors you're getting it looks like the 2nd host is missing the network bridge lxcbr0.

Other things to consider:

Also what steps did you follow to "move" the container?
Did you copy both the container's file and .conf files?
Did you use a command like this to recreate this host's container on the 2nd host?
```
$ lxc-create -t TEMPLATE -f lxc.conf -n CONTAINER
```
Also I would compare the following things between the 2 hosts and make sure that everything is setup consistently between the 2 systems. Use the following commands on both hosts:
```
$ ifconfig -a
$ brctl show
$ ls -l /var/log/upstart/lxc*
$ cat /etc/default/lxc
$ cat /etc/init/lxc-net.conf
```

Preliminary assumptions

I'll stick with the following assumptions, extended from what I have from your question:

host has a user1 and a user2, if an information isn't specific to one, we'll use userX
the container will be named by a variable which we will render as $container
home folders for user1 and user2 will be given in the notation known from Bash as ~user1 and ~user2.
we'll assume the subordinate UID and GID ranges to be 100000..165536 for user1 and 200000..265536 for user2 just for brevity
the root FS folder for $container will be rendered as $rootfs, regardless of where it will end up (~userX/.local/share/lxc/$container/rootfs)
container configuration is by default in ~userX/.local/share/lxc/$container/config

Moving the container

There are two relevant pieces of data that govern the userns containers:

owner and group for the files/folders of the folders comprising the $container
the subordinate UIDs and GIDs assigned in two places: /etc/sub{uid,gid} for the user account (manipulated via usermod --{add,del}-sub-{uid,gid}s) and lxc.id_map in the $container configuration (~userX/.local/share/lxc/$container/config) respectively
- I don't know for certain whether it is possible to define different ranges in the container configuration for each container. E.g. if the host user userX has 65536 subordinate GIDs and UIDs, it might be possible to assign 5000 to 65 different containers, but I haven't tested that hypothesis.
- it is certain, though, that this setting communicates to LXC which are the valid ranges for GID and UID in the child namespace.

So the gist is really that you need to make sure that the file/folder owner and group for the container match the configuration, which in turn has to be a valid subset of the host subordinate GIDs/UIDs assigned to user1 and user2 respectively.

If you're using Bash, for example, you can use $((expression)) for arithmetic expressions and let to assign arithmetic expressions to variables. This is mighty useful if you know a base value (100000 and 200000 respectively) and the GID/UID for the "inside" users.

The main points are:

it's possible
either the capability CAP_CHOWN or superuser rights are required

Here's a script that will probably need some more honing (example: migration from root-created container to unprivileged), but it works for me for the purpose:

#!/usr/bin/env bash

function syntax
{
    echo "SYNTAX: ${0##*/} <from-user> <to-user> <container-name>"
    [[ -n "$1" ]] && echo -e "\nERROR: ${1}."
    exit 1
}

# Checks
[[ -n "$1" ]] || syntax "<from-user> is not set"
[[ -n "$2" ]] || syntax "<to-user> is not set"
[[ -n "$3" ]] || syntax "<container-name> is not set"
[[ "$UID" -eq "0" ]] || syntax "${0##*/}" "You must be superuser to make use of this script"
# Constants with stuff we need
readonly USERFROM=$1
readonly USERTO=$2
shift; shift
readonly CONTAINER=${1:-*}
LXCLOCAL=".local/share/lxc"
readonly HOMEFROM=$(eval echo ~$USERFROM)
readonly HOMETO=$(eval echo ~$USERTO)
readonly LXCFROM="$HOMEFROM/$LXCLOCAL"
readonly LXCTO="$HOMETO/$LXCLOCAL"
readonly GIDBASEFROM=$(awk -F : "\$1 ~/$USERFROM/ {print \$2}" /etc/subgid)
readonly UIDBASEFROM=$(awk -F : "\$1 ~/$USERFROM/ {print \$2}" /etc/subuid)
readonly GIDSIZEFROM=$(awk -F : "\$1 ~/$USERFROM/ {print \$3}" /etc/subgid)
readonly UIDSIZEFROM=$(awk -F : "\$1 ~/$USERFROM/ {print \$3}" /etc/subuid)
readonly GIDBASETO=$(awk -F : "\$1 ~/$USERTO/ {print \$2}" /etc/subgid)
readonly UIDBASETO=$(awk -F : "\$1 ~/$USERTO/ {print \$2}" /etc/subuid)
readonly GIDSIZETO=$(awk -F : "\$1 ~/$USERTO/ {print \$3}" /etc/subgid)
readonly UIDSIZETO=$(awk -F : "\$1 ~/$USERTO/ {print \$3}" /etc/subuid)
unset LXCLOCAL
# More checks
[[ -d "$LXCFROM" ]] || syntax "Could not locate '$LXCFROM'. It is not a directory as expected"
[[ -e "$LXCTO" ]] && syntax "Destination '$LXCTO' already exists. However, it must not"
for i in GIDBASEFROM UIDBASEFROM GIDBASETO UIDBASETO; do
    (($i > 0)) || syntax "Could not determine base/offset of subordinate UID/GID range"
done
for i in GIDSIZEFROM UIDSIZEFROM GIDSIZETO UIDSIZETO; do
    (($i > 0)) || syntax "Could not determine length of subordinate UID/GID range"
done

echo "Going to migrate container: $CONTAINER"
echo -e "\tfrom user $USERFROM ($HOMEFROM): subUID=${UIDBASEFROM}..$((UIDBASEFROM+UIDSIZEFROM)); subGID=${GIDBASEFROM}..$((GIDBASEFROM+GIDSIZEFROM))"
echo -e "\tto user $USERTO ($HOMETO): subUID=${UIDBASETO}..$((UIDBASETO+UIDSIZETO)); subGID=${GIDBASETO}..$((GIDBASETO+GIDSIZETO))"
while read -p "Do you want to continue? (y/N) "; do
    case ${REPLY:0:1} in
        y|Y)
            break;
            ;;
        *)
            echo "User asked to abort."
            exit 1
            ;;
    esac
done

# Find the UIDs and GIDs in use in the container
readonly SUBGIDSFROM=$(find -H "$LXCFROM" -printf '%G\n'|sort -u)
readonly SUBUIDSFROM=$(find -H "$LXCFROM" -printf '%U\n'|sort -u)

# Change group
for gid in $SUBGIDSFROM; do
    let GIDTO=$(id -g "$USERTO")
    if ((gid == $(id -g "$USERFROM"))); then
        echo "Changing group from $USERFROM ($gid) to $USERTO ($GIDTO)"
        find -H "$LXCFROM/$CONTAINER" -gid $gid -exec chgrp $GIDTO {} +
    elif ((gid >= GIDBASEFROM )) && ((gid <= GIDBASEFROM+GIDSIZEFROM)); then
        let GIDTO=$((gid-GIDBASEFROM+GIDBASETO))
        echo "Changing group $gid -> $GIDTO"
        find -H "$LXCFROM/$CONTAINER" -gid $gid -exec chgrp $GIDTO {} +
    else
        echo "ERROR: Some file/folder inside '$LXCFROM/$CONTAINER' has a group not assigned to $USERFROM (assigned subordinate GIDs)."
        echo -e "Use:\n\tfind -H '$LXCFROM/$CONTAINER' -gid $gid\nto list those files/folders."
        exit 1
    fi
done

# Change owner
for uid in $SUBUIDSFROM; do
    let UIDTO=$(id -u "$USERTO")
    if ((uid == $(id -u "$USERFROM"))); then
        echo "Changing owner from $USERFROM ($uid) to $USERTO ($UIDTO)"
        find -H "$LXCFROM/$CONTAINER" -uid $uid -exec chown $UIDTO {} +
    elif ((uid >= UIDBASEFROM )) && ((uid <= UIDBASEFROM+UIDSIZEFROM)); then
        let UIDTO=$((uid-UIDBASEFROM+UIDBASETO))
        echo "Changing owner $uid -> $UIDTO"
        find -H "$LXCFROM/$CONTAINER" -uid $uid -exec chown $UIDTO {} +
    else
        echo "ERROR: Some file/folder inside '$LXCFROM/$CONTAINER' has an owner not assigned to $USERFROM (assigned subordinate UIDs)."
        echo -e "Use:\n\tfind -H '$LXCFROM/$CONTAINER' -uid $uid\nto list those files/folders."
        exit 1
    fi
done
mv "$LXCFROM/$CONTAINER" "$LXCTO/" || { echo "ERROR: failed to move to destination: ${LXCTO}/${CONTAINER}."; exit 1; }

In addition to the license terms of the StackExchange network, I am putting this into the public domain. So reuse and modify for whatever purpose, but it comes without any warranty and I must not be held liable for its use or abuse.

Usage

SYNTAX: lxc-reassign-userns.sh <from-user> <to-user> <container-name>

It assumes find, sort, uniq, awk (mawk and gawk should work), id, bash, chown, chmod and so on to be available and to understand all the command line switches it is using. For Bash readonly and let and arithmetic expressions are assumed to be understood. For find is assumes + is a valid terminator for the -exec action.

This list is probably not complete.

Backups

Yes, you can make backups and restore them elsewhere, as long as you also adjust the file owner and group accordingly.

However, assuming you use something like tar, there's a caveat: tar will ignore sockets, so $rootfs/dev/log will pose an issue - others may also create a similar issue.

Best Answer

Related Solutions

Linux Migration – How to Migrate Configuration Between Computers with Different Hardware

Linux – Migrate an unprivileged LXC container between users

Preliminary assumptions

Moving the container

Backups

Resources:

Related Question