Linux Containers
Last modified: December 15, 2021
Overview
cPanel, L.L.C. recommends that only experienced system administrators attempt to perform the steps in this document. cPanel, L.L.C. is not responsible for any data loss that an attempt to perform these steps causes.
cPanel, L.L.C. supports the use of cPanel & WHM inside of a Linux Container (LXC). An LXC container provides an environment that resembles a standard Linux installation, but does not require a separate kernel. For more information about LXC containers, read the Linux Containers documentation.
Run in a Linux Container
To run cPanel & WHM inside an LXC container, we strongly recommend that you use the following settings:
Host
We strongly recommend that you use Red Hat® Enterprise Linux (RHEL) 7 or CentOS 7 as your server’s LXC host. This configuration ensures the best compatibility with cPanel & WHM. While other Linux distributions may work, they require that the system administrator perform additional steps that we do not support.
We have not tested LXC on AlmaLinux OS 8 or CloudLinux 8 servers.
Guest
We strongly recommend that your LXC containers use CentOS 6 or RHEL 6 as a guest. A CentOS 7 or RHEL 7 installation requires additional steps to use as a guest.
Privileged vs unprivileged containers
cPanel & WHM functions in both privileged and unprivileged containers. We strongly recommend that you run cPanel & WHM in a privileged container, because it expects unrestricted access to the system.
The following limitations are inherent to an unprivileged container:
- The host operating system treats the root user as a non-root user.
- You cannot raise the hard limit of a process if you previously lowered it. This action could cause EasyApache 4 to fail.
- Subtle behavior differences may occur.
Proxmox
If you use the Proxmox virtualization software version 4.1 to create a CentOS 6 LXC container inside which to install cPanel & WHM, you may experience the following issues:
- MySQL®-based sites cannot connect to the databases. This is because the Proxmox LXC container creates the /var/lib/mysql/mysql.sock MySQL socket with insufficient privileges.
- The Dovecot mail server does not function. This is because the Proxmox LXC container creates the files in the /var/run/dovecot/login directory with insufficient privileges.
- The server load average that the WHM API 1 loadavg function returns does not match the load average in the /proc/loadavg file.
To correct these issues, perform the following steps:
1. Run the yum install -y acl command.
2. Change to the /var/lib/mysql directory.
3. Set 777 file permissions to allow the user to create MySQL sockets. To do this, run the following commands:
    # setfacl -d -m g::rwx .
    # setfacl -d -m o::rwx .
4. Restart MySQL. To do this, run the service mysql restart command.
5. Change to the /var/run/dovecot/login directory.
6. Set 777 file permissions to allow the user to create files within the directory. To do this, run the following commands:
    # setfacl -d -m g::rwx .
    # setfacl -d -m o::rwx .
7. Restart the Dovecot server. To do this, run the /usr/local/cpanel/scripts/restartsrv_dovecot script.
8. Run the systemctl edit lxcfs command to open the /lib/systemd/system/lxcfs.service file.
9. Locate the ExecStart line and add the following line of text:
    ExecStart=/usr/bin/lxcfs -l /var/lib/lxcfs/
10. Restart the LXC container. To do this, run the systemctl restart lxcfs command.
Required changes for CentOS 7 or RHEL 7
You must make the following configuration changes to run cPanel & WHM inside an LXC container:
1. After you create the LXC container, change the lxc.include line in the lxc.conf file to the following line:
    lxc.include = /usr/share/lxc/config/fedora.common.conf
2. Edit the lxc.conf file to drop setfcap and setpcap capabilities. To do this, comment out the following lines:
    # lxc.cap.drop = setpcap
    # lxc.cap.drop = setfcap
Some system configurations will not run properly with cron inside an LXC container. Individual cron jobs fail to execute even though the cron daemon is active. This issue is a direct result of the incompatibility between the container environment and the pam_loginuid module.
To resolve this conflict, disable the pam_loginuid module for cron with the following comment in the /etc/pam.d/crond file:
|
|
Updates to your cron package may cause the service to reactivate. Inspect this file for changes after each system update.
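The page asks you to inspect /etc/pam.d/crond after each system update. The following added example (not cPanel's own code) automates that inspection inside the guest and, on the host, confirms that no active lxc.cap.drop line still drops setpcap or setfcap. The script name check.sh and the function names are hypothetical, and the container configuration path is assumed to be passed as an argument.

```sh
#!/bin/sh
# Added example (not cPanel code): drift checks for the CentOS 7 / RHEL 7 guest settings.

# Guest side: succeed only if no active (uncommented) PAM line loads pam_loginuid.so.
# Returns 0 = disabled, 1 = still active, 2 = file unreadable.
crond_loginuid_disabled() {
    [ -r "$1" ] || return 2
    if grep -Eq '^[[:space:]]*[^#[:space:]].*pam_loginuid\.so' "$1"; then
        return 1
    fi
    return 0
}

# Host side: print the capabilities named on the page (setpcap, setfcap) that the
# active lxc.cap.drop lines of the given config still drop. Empty output = none.
caps_still_dropped() {
    [ -r "$1" ] || return 2
    awk -F= '
        /^[ \t]*#/ { next }                        # skip commented-out lines
        $1 ~ /^[ \t]*lxc\.cap\.drop[ \t]*$/ {
            n = split($2, caps, " ")               # one line may list several caps
            if (n == 0) { p = 0; f = 0 }           # an empty value clears the drop list
            for (i = 1; i <= n; i++) {
                if (caps[i] == "setpcap") p = 1
                if (caps[i] == "setfcap") f = 1
            }
        }
        END {
            out = ""
            if (p) out = "setpcap"
            if (f) out = out (out != "" ? " " : "") "setfcap"
            if (out != "") print out
        }' "$1"
}

# Usage: sh check.sh crond /etc/pam.d/crond
#        sh check.sh caps  <path to the container's lxc.conf>
case "${1:-}" in
    crond)
        if crond_loginuid_disabled "$2"; then echo "OK: pam_loginuid disabled for cron"
        else echo "WARN: pam_loginuid is active in $2 (or file unreadable)"; exit 1; fi ;;
    caps)
        left=$(caps_still_dropped "$2") || { echo "ERROR: cannot read $2"; exit 2; }
        if [ -z "$left" ]; then echo "OK: setpcap/setfcap not dropped"
        else echo "WARN: still dropped: $left"; exit 1; fi ;;
esac
```

Run the crond check inside the container after package updates and the caps check on the host; both exit non-zero on drift, so they fit a cron job or post-update hook.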
AppArmor
If your system uses AppArmor, you must also uncomment the following line in the lxc.conf file:
AppArmor version 2.0 and earlier:
    lxc.aa_profile = unconfined
AppArmor version 2.1 and later:
    lxc.apparmor.profile = unconfined