{"id":21605974,"url":"https://github.com/archf/lxd-centos7","last_synced_at":"2026-02-14T04:49:47.388Z","repository":{"id":89975067,"uuid":"76681381","full_name":"archf/lxd-centos7","owner":"archf","description":"setup lxd 2.X from source on centos7 ","archived":false,"fork":false,"pushed_at":"2016-12-16T19:55:06.000Z","size":6,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-03-18T14:49:03.125Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/archf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-12-16T19:52:38.000Z","updated_at":"2016-12-16T19:56:03.000Z","dependencies_parsed_at":"2023-05-30T18:00:33.328Z","dependency_job_id":null,"html_url":"https://github.com/archf/lxd-centos7","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/archf/lxd-centos7","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archf%2Flxd-centos7","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archf%2Flxd-centos7/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archf%2Flxd-centos7/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archf%2Flxd-centos7/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/archf","download_url":"https://codeload.github.com/archf/lxd-centos7/tar.gz/refs/heads/master
","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archf%2Flxd-centos7/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274402304,"owners_count":25278338,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-10T02:00:12.551Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-24T20:18:25.128Z","updated_at":"2026-02-14T04:49:42.370Z","avatar_url":"https://github.com/archf.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Build and configure LXC and LXD on centOS 7\n\n### Preparation\n\nFollow this guide.\n\n### Build from source\n\nYou need to build LXC first and then and LXD. 
See the `README` files in the respective\nfolders for details.\n\nThere are `Makefiles` you can use to grab dependencies, configure and compile\nwith the flags that worked for me.\n\n## Network setup\n\nMost of this could be replaced by the\n[lxc-net](https://github.com/lxc/lxc/blob/master/config/init/common/lxc-net.in)\nservice or by this unit file:\n\n```\n[Unit]\nDescription=Bridge interface for LXC Containers\n\n[Service]\nType=oneshot\n\n# Bring up bridge interface\nExecStart=/sbin/brctl addbr lxcbr0\nExecStart=/sbin/ip address add 192.168.150.1/24 dev lxcbr0\nExecStart=/sbin/ip link set lxcbr0 up\n\nRemainAfterExit=yes\n\n# Bring bridge interface down\nExecStop=/sbin/ip link set lxcbr0 down\nExecStop=/sbin/brctl delbr lxcbr0\n```\n\nThis was taken from the\n[vagrant-lxc](https://github.com/fgrehm/vagrant-lxc/wiki/Usage-on-fedora-hosts)\nwiki.\n\n### Disable firewalld\n\n```\nsudo systemctl stop firewalld.service\n```\n\n### Permanently disable checksum offloading on your bridge device\n\n```bash\ncat \u003c\u003c 'EOF' | sudo tee /sbin/ifup-local\n\n# Only turn off TX checksum offloading on the bridge device\nif [ \"${DEVICE}\" = 'br0' ]\nthen\n  /sbin/ethtool -K \"${DEVICE}\" tx off\nfi\n\nEOF\nsudo chmod +x /sbin/ifup-local\n```\n\nor do it using iptables:\n\n```bash\niptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill\n```\n\n### With NAT\n\n```bash\nsudo systemctl start iptables\nsudo systemctl enable iptables\n```\n\nThen as `root`:\n\n```bash\necho 1 \u003e /proc/sys/net/ipv4/ip_forward\nLXC_BRIDGE=br0\nLXC_NETWORK=10.72.0.0/16\nuse_iptables_lock=\"-w\"\niptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT\niptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT\niptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT\niptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT\niptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j 
ACCEPT\niptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT\niptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE\n```\n\nGive remote access to the LXD hypervisor and some other optional ports.\n\n```bash\nOFACE=ens1f3\niptables $use_iptables_lock -I INPUT -m multiport -i ${OFACE} -p tcp --dports 53,443,80,8080,8443 -j ACCEPT\niptables $use_iptables_lock -I INPUT -m multiport -i ${OFACE} -p udp --dports 53,443,80,8080,8443 -j ACCEPT\n```\n\nThis results in iptables rules of this kind:\n\n```\n*nat\n:PREROUTING ACCEPT [545973:82079852]\n:INPUT ACCEPT [164:23927]\n:OUTPUT ACCEPT [2248:144266]\n:POSTROUTING ACCEPT [3255:204762]\n-A POSTROUTING -s 10.72.0.0/16 ! -d 10.72.0.0/16 -j MASQUERADE\nCOMMIT\n# Completed on Fri Dec 16 14:38:39 2016\n# Generated by iptables-save v1.4.21 on Fri Dec 16 14:38:39 2016\n*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [24:2408]\n-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p icmp -j ACCEPT\n-A INPUT -i lo -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT\n-I INPUT -m multiport -i ens1f3 -p tcp --dports 53,443,80,8080,8443 -j ACCEPT\n-I INPUT -m multiport -i ens1f3 -p udp --dports 53,443,80,8080,8443 -j ACCEPT\n-A INPUT -m multiport -i br0 -p tcp -m tcp --dports 53,67 -j ACCEPT\n-A INPUT -m multiport -i br0 -p udp -m udp --dports 53,67 -j ACCEPT\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\n-A FORWARD -o br0 -j ACCEPT\n-A FORWARD -i br0 -j ACCEPT\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited\nCOMMIT\n```\n\n### Without NAT\n\n```bash\nsudo systemctl start ebtables\nsudo systemctl enable ebtables\n```\n\nThis is not recommended if there is another DHCP server on your network. 
I did not\nfind a way to block outside DHCP traffic.\n\n*Tentative rules*\n\nYou might need this if you have another DHCP server on the network and no\nNAT.\n\n**NOTE: I didn't get this to work**\n\nBlock outside DHCP requests:\n\n```bash\niptables $use_iptables_lock -I INPUT -p udp --dport 67 -m physdev --physdev-out ens1f3 -j DROP\niptables $use_iptables_lock -I INPUT -p tcp --dport 67 -m physdev --physdev-out ens1f3 -j DROP\n\niptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -m physdev --physdev-in ens1f3 -j DROP\niptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -m physdev --physdev-in ens1f3 -j DROP\n\niptables $use_iptables_lock -I FORWARD -p udp --dport 67 -m physdev --physdev-in ens1f3 -j DROP\niptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -m physdev --physdev-in ens1f3 -j DROP\n\niptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -o ens1f3 -j DROP\niptables $use_iptables_lock -I FORWARD -p udp --dport 67 -o ens1f3 -j DROP\n\niptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -i ens1f3 -j DROP\niptables $use_iptables_lock -I FORWARD -p udp --dport 67 -i ens1f3 -j DROP\n\niptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -o ens1f3 -j DROP\niptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -o ens1f3 -j DROP\n\niptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -j DROP\niptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -j DROP\n\niptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -j DROP\niptables $use_iptables_lock -I FORWARD -p udp --dport 67 -j DROP\n\niptables $use_iptables_lock -I FORWARD -p udp --dport 67 -m physdev --physdev-in br0 -j DROP\niptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -m physdev --physdev-in br0 -j DROP\n\niptables $use_iptables_lock -A FORWARD -p tcp --dport 67 -j LOG\n```\n\nBlock outgoing response:\n\n```bash\niptables $use_iptables_lock -I OUTPUT -p udp --dport 68 -m physdev --physdev-in ens1f3 -j DROP\niptables $use_iptables_lock -I OUTPUT -p tcp 
--dport 68 -m physdev --physdev-in ens1f3 -j DROP\n\niptables $use_iptables_lock -I FORWARD -p udp --dport 68 -m physdev --physdev-in ens1f3 -j DROP\niptables $use_iptables_lock -I FORWARD -p tcp --dport 68 -m physdev --physdev-in ens1f3 -j DROP\n```\n\n### Sudoers quirks\n\nThis is really important:\n\n* Add `/usr/local/bin` to `secure_path`\n* Remove the `always_set_home` directive\n\n## Libvirt quirks\n\nAvoid conflicts with the existing dnsmasq instance from libvirt.\n\nTo disable `virbr0` or create the `lxcbr0` bridge with `libvirt`:\n\n```bash\nsudo virsh net-stop virbr0\nvirsh net-autostart --disable default\n\nsudo virsh net-define --file ~/lxcbr0.xml\nsudo virsh net-autostart lxcbr0\nsudo virsh net-start lxcbr0\n```\n\n## Debugging\n\n```bash\nsudo netstat -l -n -4 -p\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farchf%2Flxd-centos7","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farchf%2Flxd-centos7","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farchf%2Flxd-centos7/lists"}