[SOLVED] clone machine to CT

piviul

Mar 19, 2020
Hi all, I'm new to Proxmox and I'm looking for a way to clone an existing bare metal Debian stretch to an LXC in Proxmox. Can anyone point me to a way?

Thank you very much

Piviul
 
hi,

i'm not aware of any fully automatic process, but basically you can copy the whole rootfs of your machine and unpack it in a fresh container, remove unneeded stuff (for example /etc/fstab isn't needed) then configure the container using PVE
 
remove unneeded stuff (for example /etc/fstab isn't needed) then configure the container using PVE
Hi Oguz thank you very much for your prompt reply. I found this tutorial[¹] but there is no mention about the /etc/fstab but there are some other steps to do for example create devices because CT doesn't support udev... so I fear that the process is not so simple.

In other words, can someone point me to the unneeded stuff and the steps to remove it?

Thank you very much

Piviul

[¹] https://snikt.net/blog/2014/04/07/how-to-convert-an-kvm-image-into-a-lxc-container/
 
I found this tutorial[¹] but there is no mention about the /etc/fstab

in step 3:
To prevent any problems I’ve commented out each and every line within the guests “etc/fstab” configuration file.

you can skip some steps in the tutorial also, like creating the lxc config or setting the device nodes (this is done by PVE automatically when you create a container)

to make the /dev stuff easier you can just skip copying the /dev and let PVE handle it (simply don't copy the contents of /dev, container setup already initializes everything you need)

so the process is something like:
1. create debian container in PVE
2. archive contents of:
Code:
/etc/
/usr/
/home/
/root/
/var/

and you should have all the files you need.
transfer the archive to the container and unpack the contents in the right places

/etc/network/interfaces and /etc/fstab are not needed (you can simply delete them)

and then it should at least be able to boot. after that install any packages you need and you should be done, there could be some small tweak i'm forgetting about but we'll find out if it doesn't work :)
 
I have done this a few times, and decided that it is easier just to migrate the app than to copy everything and then remove what is not used.
 
FWIW i usually clone that this way:
rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/usr/tmp/*","/run/*","/mnt/*","/media/*","/var/cache/*","/","/lost+found","/boot/"} /* root@lxcserver:/
 
FWIW i usually clone that this way:
rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/usr/tmp/*","/run/*","/mnt/*","/media/*","/var/cache/*","/","/lost+found","/boot/"} /* root@lxcserver:/
Are both machines up and running? If I have understood well, you create an LXC container named lxcserver, then from the machine to clone you run the command
# rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/usr/tmp/*","/run/*","/mnt/*","/media/*","/var/cache/*","/","/lost+found","/boot/"} /* root@lxcserver:/

is it correct?

Piviul
 
I have done this a few times, and decided that it is easier just to migrate the app than to copy everything and then remove what is not used.
You are right if we are talking about cloning a desktop PC, but if you are cloning a server I don't agree with you.

Piviul
 
Are both machines up and running? If I have understood well, you create an LXC container named lxcserver, then from the machine to clone you run the command
# rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/usr/tmp/*","/run/*","/mnt/*","/media/*","/var/cache/*","/","/lost+found","/boot/"} /* root@lxcserver:/

is it correct?

Piviul
Yes that should do it.
 
hi,
i'm not aware of any fully automatic process, but basically you can copy the whole rootfs of your machine and unpack it in a fresh container, remove unneeded stuff (for example /etc/fstab isn't needed) then configure the container using PVE
From the node that host the CT I have done a:
# rsync -avx --delete root@sourcehost:/ /zfspool/subvol-of-CT-host/

Then I have removed the /zfspool/subvol-of-CT-host//etc/fstab

The CT seems to start correctly, but when I try to log on it says that the password is incorrect. Furthermore, it doesn't seem that the services on the CT are accessible from the LAN.

Do you know what the problem could be?

Thank you very much

Piviul
 
The CT seems to start correctly, but when I try to log on it says that the password is incorrect. Furthermore, it doesn't seem that the services on the CT are accessible from the LAN.

when you rsync'd it overwrote /etc/passwd and /etc/shadow so you may need to use the old credentials.

if that doesn't work you can use pct enter CTID command to attach to the container and run commands to change the password and bring services up and so on
 
when you rsync'd it overwrote /etc/passwd and /etc/shadow so you may need to use the old credentials.
Yes of course, the credentials I used were from the cloned machine!

if that doesn't work you can use pct enter CTID command to attach to the container and run commands to change the password and bring services up and so on
Doesn't seem to work :(

That's what I've done:
root@pve# pct enter 105
bash: /root/.bashrc: Permission denied
root@ct105:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error
passwd: password unchanged

where pve is the name of the Proxmox node that virtualizes the container named ct105.

If you have any other suggestions

Anyway, thank you very much!

Piviul
 
what are the permissions on /etc/passwd and /etc/shadow ?

for reference:
Code:
# ls -arilh /etc/passwd /etc/shadow
1520977 -rw-r----- 1 root shadow 1.6K May 28 12:06 /etc/shadow
1514335 -rw-r--r-- 1 root root   2.7K May 28 12:06 /etc/passwd

also this is curious:
bash: /root/.bashrc: Permission denied

what are the permissions on that file?
 
FWIW i usually clone that this way:
rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/usr/tmp/*","/run/*","/mnt/*","/media/*","/var/cache/*","/","/lost+found","/boot/"} /* root@lxcserver:/
Your method seems to work. I have only made very small changes to it:
Code:
rsync -aAXv --exclude={"/dev/*","/proc/","/sys/","/tmp/*","/usr/tmp/*","/run/*","/mnt/*","/media/*","/var/cache/*","/","/lost+found","/boot/"} /* root@lxcserver:/
That's because proc and sys are read-only filesystems and show an error.

Furthermore, after the clone, running apt update on the cloned CT returns an error:
Code:
can't create /var/cache/apt-show-versions/files: No such file or directory at /usr/bin/apt-show-versions line 199.
Reading package lists... Done
E: Problem executing scripts APT::Update::Post-Invoke-Success 'test -x /usr/bin/apt-show-versions || exit 0 ; apt-show-versions -i'
E: Sub-process returned an error code
I have solved it by reinstalling apt-show-versions

Thank you very much

Piviul
 
what are the permissions on /etc/passwd and /etc/shadow ?
Code:
# ls -l /zfspool/subvol-105-disk-0/etc/{passwd,shadow}
-rw-r--r-- 1 root root   2168 Jun  6 09:02 /zfspool/subvol-105-disk-0/etc/passwd
-rw-r----- 1 root shadow 1335 Jun  6 09:02 /zfspool/subvol-105-disk-0/etc/shadow

but in the container I can't do anything:
Code:
root@pve:~# pct enter 105
bash: /root/.bashrc: Permission denied
root@ct105:~# ls -l
ls: cannot open directory '.': Permission denied
root@ct105:~# whoami
root

[...]
also this is curious:
bash: /root/.bashrc: Permission denied
what are the permissions on that file?
Code:
root@pve:~# ls -l /zfspool/subvol-105-disk-0/root/.bashrc
-rw-r--r-- 1 root root 570 Jan 31  2010 /zfspool/subvol-105-disk-0/root/.bashrc

Anyway, I have solved the main topic using hot rsync from the machine to the CT as suggested by ness1602... but if we want to learn something more about this problem I'm here!

Many thanks to all

Piviul
 
check the uid/gid of the files in the CT rootfs. i think the owners of the files need to be set to the correct uids. is the container privileged or unprivileged?
 
Hi oguz, I'm new with Proxmox and LXC....

check the uid/gid of the files in the CT rootfs.
I don't know, it seems to be root:
Code:
# ls -ld /zfspool/subvol-105-disk-0
drwxr-xr-x 23 root root 27 Jun 16 14:17 /zfspool/subvol-105-disk-0
I've executed the command from the node that hosts the CT 105.
...or is there something else to look for?

i think the owners of the files need to be set to the correct uids.
I've tried to learn something about containers. How can I know what are the correct uids?

is the container privileged or unprivileged?
That's a good question; I think unprivileged but I'm not sure: how can I verify it?

Thank you very much for the patience

Piviul
 
so,

That's a good question; I think unprivileged but I'm not sure: how can I verify it?

check the output of pct config CTID. unprivileged: 1 in the output would indicate an unprivileged container.

I've executed the command from the node that hosts the CT 105.
...or there is something else to look for?
yes, there's something else to look for.
you checked the uid/gid of the zfs subvol which contains the rootfs, however what we're interested in is the owners of the files inside the rootfs.

to check this, you will need to mount it first. try with pct mount CTID and it should mount the rootfs and tell you where it's mounted.

go to that directory and check the uid/gid. better way to do this is using the -n flag for ls (numeric uid/gid in output)



I don't know seems to be root:

in unprivileged containers, uids and gids in the container are actually mapped to a different uid/gid on the host, to make it more secure against breakout techniques. so for example even if you are root in the container and the container thinks your uid is 0, in reality your uid is mapped to something else (by default to 100000).
 
[...]
check the output of pct config CTID. unprivileged: 1 in the output would indicate an unprivileged container.
Ok, unprivileged:
Code:
# pct config 105 | grep ^unpriv
unprivileged: 1

yes, there's something else to look for.
you checked the uid/gid of the zfs subvol which contains the rootfs, however what we're interested in is the owners of the files inside the rootfs.

to check this, you will need to mount it first. try with pct mount CTID and it should mount the rootfs and tell you where it's mounted.
Done:
Code:
# pct mount 105
mounted CT 105 in '/var/lib/lxc/105/rootfs'

go to that directory and check the uid/gid. better way to do this is using the -n flag for ls (numeric uid/gid in output)
This is the result:
Code:
# ls -na /var/lib/lxc/105/rootfs
total 185
drwxr-xr-x  23      0      0   27 Jun 16 14:17 .
drwxr-xr-x   3      0      0 4096 Jun 17 07:56 ..
drwxr-xr-x   2      0      0  158 Jun  6 08:59 bin
drwxr-xr-x   3      0      0    7 Jun  8 11:17 boot
drwxr-xr-x   4      0      0    4 Jun  5 15:29 build
drwxr-xr-x  17      0      0  157 Jun  9 15:18 dev
drwxr-xr-x 139      0      0  249 Jun 16 14:17 etc
-rw-r--r--   1 100000 100000    0 Jun 16 14:17 fastboot
drwxr-xr-x   6      0      0    6 Apr  7 09:28 home
lrwxrwxrwx   1      0      0   30 Jun  6 06:47 initrd.img -> boot/initrd.img-4.9.0-12-amd64
drwxr-xr-x  17      0      0   23 Jun  8 11:18 lib
drwxr-xr-x   2      0      0    3 Jun  6 06:40 lib64
drwx------   2      0      0    2 Mar  6 16:08 lost+found
drwxr-xr-x   3      0      0    4 Mar  6 16:08 media
drwxr-xr-x   2      0      0    2 Jun  5 09:52 mnt
drwxr-xr-x   4      0      0    4 Jun  8 11:41 opt
dr-xr-xr-x 246      0      0  266 Jun  9 15:18 proc
-rw-------   1      0      0 1024 Mar  6 16:22 .rnd
drwx------   7      0      0   22 Jun  9 14:56 root
drwxr-xr-x   3      0      0    4 Jun  9 15:24 run
drwxr-xr-x   2      0      0  232 Jun  8 11:18 sbin
drwxr-xr-x   2      0      0    2 Mar  6 16:08 srv
dr-xr-xr-x   2      0      0    2 Jun  9 15:18 sys
drwxrwxrwt   7      0      0    7 Jun 17 07:39 tmp
drwxr-xr-x  10      0      0   10 Mar  6 16:08 usr
drwxr-xr-x  12      0      0   14 Apr  2 12:03 var
lrwxrwxrwx   1      0      0   27 Jun  6 06:47 vmlinuz -> boot/vmlinuz-4.9.0-12-amd64

in unprivileged containers, uids and gids in the container are actually mapped to a different uid/gid on the host, to make it more secure against breakout techniques. so for example even if you are root in the container and the container thinks your uid is 0, in reality your uid is mapped to something else (by default to 100000).
Except for the file fastboot, all the others seem not to be mapped at all... :?

Can I manually solve the problem with a
Code:
chown -R 100000:100000 /var/lib/lxc/105/rootfs
?

Piviul
 
Except for the file fastboot all other seem to be not mapped at all... :?

indeed, it seems like that. i'm guessing this is because of a missing rsync flag like -o to preserve owners..

anyway, to "fix" it you can try something like the following as root:
Code:
pct mount CTID
cd /var/lib/lxc/CTID/rootfs
# change only entries owned by 0:0; -h acts on a symlink itself, not on its target
find . -uid 0 -gid 0 -exec chown -h 100000:100000 {} +

this will find all files and directories belonging to uid/gid 0 in the current working directory and change the owner to the correct uid/gid (in this case 100000)

be careful to run the commands correctly as you can break your system if you run the last command somewhere else other than /var/lib/lxc/CTID/rootfs
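
An added example, not part of any post in this thread and not Proxmox code: the ownership fix generalised so that every unshifted uid/gid under the mounted rootfs moves by the same offset (33 becomes 100033 rather than 100000), symlinks are changed without being followed, and mode bits are restored after the chown. The offset 100000 is the default mentioned in the thread; the range size 65536 and all function names are assumptions.

```python
import os
import stat
import sys

OFFSET = 100000  # host id that container id 0 maps to (default quoted in the thread)
SPAN = 65536     # assumed size of the mapped range; confirm against the CT's idmap

def shift_id(host_id, offset=OFFSET, span=SPAN):
    """Host id an entry should carry, or None if it is already in the mapped range."""
    if offset <= host_id < offset + span:
        return None
    if 0 <= host_id < span:
        return host_id + offset          # keep the relative id: 33 -> 100033
    raise ValueError(f"id {host_id} fits neither range")

def entries(rootfs):
    """Yield every path under rootfs once, without descending into symlinks."""
    for dirpath, dirnames, filenames in os.walk(rootfs):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):     # os.walk lists these but does not enter them
                yield path

def plan_shift(rootfs, offset=OFFSET, span=SPAN):
    """Return [(path, new_uid, new_gid, old_mode)] for entries that need a chown."""
    plan = []
    for path in entries(rootfs):
        st = os.lstat(path)
        uid = shift_id(st.st_uid, offset, span)
        gid = shift_id(st.st_gid, offset, span)
        if uid is not None or gid is not None:
            plan.append((path, st.st_uid if uid is None else uid,
                         st.st_gid if gid is None else gid, st.st_mode))
    return plan

def apply_shift(plan):
    for path, uid, gid, mode in plan:
        os.lchown(path, uid, gid)        # act on the link itself, never its target
        if not stat.S_ISLNK(mode):
            os.chmod(path, stat.S_IMODE(mode))  # chown clears setuid/setgid bits

if __name__ == "__main__":               # usage: script ROOTFS [--apply]
    todo = plan_shift(sys.argv[1])
    for path, uid, gid, _ in todo:
        print(f"{uid}:{gid} {path}")
    if "--apply" in sys.argv[2:]:
        apply_shift(todo)
```

Run it without --apply first, against the path printed by pct mount, to review the planned changes.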