post-start script for LXC

[greg]

Greetings
When proxmox was using VZ, we had the possibility to run a script after a VM has booted, how can we do the same with LXC? my goal is to create a bind mount (using fsbind) when a given VM is up and running.
Thanks in advance

 

[apmuthu]

Any update on this in PVE 7.x?

 

[fiona]

Hi,
you can use a hook-script and do what you need to do in the post-start phase. Documentation and where to find the example hookscript: https://pve.proxmox.com/pve-docs/chapter-pct.html#_hookscripts

 

[apmuthu]

Is there any means to execute scripts on the host and have the results placed in the guest LXC during first boot of the container?

# dmesg | grep apparmor

[ 4091.454217] audit: type=1400 audit(1665995133.442:20): apparmor="STATUS" operation="profile_load" profile="/usr/bin/lxc-start" name="lxc-101_</var/lib/lxc>" pid=10356 comm="apparmor_parser"
[ 4092.391168] audit: type=1400 audit(1665995134.378:21): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-101_</var/lib/lxc>" name="/" pid=10471 comm="mount" flags="rw, remount"
[ 4092.391577] audit: type=1400 audit(1665995134.378:22): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-101_</var/lib/lxc>" name="/" pid=10472 comm="mount" flags="rw, remount, relatime"

The above apparmor log does not show the container name but just the VMID.

System based monitoring and tracing will be roundabout.

Where is the snippets folder - in the host or guest LXC?
Where in the LXC template / VMID.conf / dab.conf do we put the hookscript in?
Executing from host using pct is listed here.

Please note that we do not yet know the VMID when the template was made and the container was created when operating from within the container.

In the manual for pct.conf the following is stated:

 hookscript: <string>

    Script that will be exectued during various steps in the containers lifetime.

but it does not state how the output is to be stored in the guest filesystem.

 

[fiona]

Is there any means to execute scripts on the host and have the results placed in the guest LXC during first boot of the container?

Yes, the hookscript is executed on the host.

Where is the snippets folder - in the host or guest LXC?

It's a content type for a file-base storage in Proxmox VE, so on the host.

Where in the LXC template / VMID.conf / dab.conf do we put the hookscript in?

You put it in the snippets folder on your Proxmox VE storage. Ideally, the storage is shared between nodes, so the hookscript is accessible from all nodes when the container migrates. If the storage is not shared, you still need to ensure that the script is available on each node respectively.

Executing from host using pct is listed here.

This sets the hookscript for the container.

Please note that we do not yet know the VMID when the template was made and the container was created when operating from within the container.

The ID is passed to the hookscript as an argument. See the example hook script.

For example:

} elsif ($phase eq 'post-start') {
 
# Second phase 'post-start' will be executed after the guest
# successfully started.

print "$vmid started successfully.\n";

my $node = `cat /etc/hostname`;
system("pct exec $vmid -- /root/updateinfo.sh $vmid $node");

} elsif ($phase eq 'pre-stop') {

where updateinfo.sh is a script in the container putting the info somewhere appropriate.

 

[apmuthu]

Having allowed snippets folder in the storage section of the Web GUI in the node and having named the script as lxc_hookscript.pl and made it 755 permissions, other than cli mode with pci set... where in the container (from template) do we put in the this script name?

Otherwise, are all scripts in the snippets folder executed for all containers so that the name of the hookscript is immaterial or must it be hardcoded as hostscript.pl?

Otherwise, how and where in the DAB Makefile should this script be referenced?

How do we make sure that the said script is executed on first startup only.

 

[fiona]

Having allowed snippets folder in the storage section of the Web GUI in the node and having named the script as lxc_hookscript.pl and made it 755 permissions, other than cli mode with pci set... where in the container (from template) do we put in the this script name?

Otherwise, are all scripts in the snippets folder executed for all containers so that the name of the hookscript is immaterial or must it be hardcoded as hostscript.pl?

Otherwise, how and where in the DAB Makefile should this script be referenced?

How do we make sure that the said script is executed on first startup only.

This script is not executed on first startup only, but on every startup, it's not for DAB.
Inside the container you need whatever the pct exec command tries to execute (in my example that was /root/updateinfo.sh, but it can be any other binary or script).

The pct set <ID> --hookscript ... command just sets the hookscript in the container's configuration. You can only set one hookscript at a time, but you can re-use the hookscript for multiple containers. If there is a hookscript set in the containers configuration, it will be executed during the various phases like post-start.

 

[apmuthu]

Thankyou.

So there is no way get the hookscript to be set from the guest LXC and it has to be set from the host cli using pct set VMID --hookscript ... only and that too after the first boot is over.

Hence for DAB to be aware of the VMID can we not have a script that will allow the first run webapp-setup to use it?

This will be a nice feature now that the VMID is not available by parsing any log or running any script from within the LXC as was available in OpenVZ (PVE-3.4) and LXC up to 6.x. Even if there is some output in the LXC guest dmesg that can be parsed it would suffice.

The current manual state without the pci set --hookscript ... is:

root@pr72:~# pct start 101
root@pr72:~# pct enter 101
# If "pct mount 101" is executed, it must be reverted with "pct unmount 101" before shutdown/remove of LXC guest.
# There is no UnMount menu entry in PVE-7.x GUI
# Upload /root/updateinfo.sh and set permissions to 755
# root@sqlamp:/# cd ~
# root@sqlamp:~# ./updateinfo.sh 101
root@sqlamp:~# exit

root@pr72:~# cd /var/lib/vz/snippets
root@pr72:/var/lib/vz/snippets# ./lxc_hookscript.pl 101 post-start
GUEST HOOK: 101 post-start
101 started successfully.

The attachment files should be 755 permissions and placed at /var/lib/vz/snippets/lxc_hookscript.pl in the host (default storage) and at /root/updateinfo.sh in the DAB templated LXC guest (VMID 101).

Fiona you rock!