Difference between revisions of "Containers"

From Anarchaserver
 
Latest revision as of 16:51, 18 April 2020

We use containers to host the Transitional service, in the end with LXC: https://wiki.debian.org/LXC

STEP 0 Install lxc

  apt-get update
  apt-get install lxc

The bridge stanza in STEP 1 (bridge_ports, bridge_fd in /etc/network/interfaces) also needs the bridge-utils package.

Generic commands to manipulate containers

Start the container detached from the terminal (-d), then change the container's root password from a root prompt (lxc-attach) before you expose the container to anything.

START (detached from the terminal)
  lxc-start -n transitional -d

GET A ROOT PROMPT (no login: a shell is started inside the container, as root, straight from the host)
  lxc-attach -n transitional

OPEN A CONSOLE (a login prompt on the container's tty; leave it with Ctrl-a q)
  lxc-console -n transitional

STOP
  lxc-stop -n transitional

LIST the containers, their state and their IP
  lxc-ls -f


STEP 1 Prepare once the host network for containers

This operation only needs to be done once.

A container has its own MAC address. It needs a bridge on the host for networking: the container gets an IP on that bridge and reaches the outside through the host's internal network.

Static or dynamic IPs? The DHCP server can give a fixed address per host anyway: it is set up to always hand the same IP to the MAC address of the container (guest), so the choice makes no difference. (The container configs in STEP 2 simply set the address statically with lxc.network.ipv4.)

Using /etc/network/interfaces, the bridge can be created simply:

  iface lxc-nat-bridge inet static
      bridge_ports none
      bridge_fd 0
      address 10.0.3.1
      netmask 255.255.255.0

We also add, in /etc/network/interfaces, the iptables rules for the main 'out' interface (here eth0), run when that interface comes up:

  iface eth0 inet static
      ...
      up iptables -t nat -F POSTROUTING
      up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and, when the FORWARD chain's default policy is DROP, the rules that let traffic cross between the bridge and eth0 (they are needed in addition to the MASQUERADE rule, not instead of it):

      up iptables -A FORWARD -i eth0 -o lxc-nat-bridge -j ACCEPT
      up iptables -A FORWARD -i lxc-nat-bridge -o eth0 -j ACCEPT

Two caveats: "-F POSTROUTING" flushes every NAT rule in that chain, not only ours, so leave it out if the host has other NAT rules; and the kernel must be allowed to route at all (net.ipv4.ip_forward=1 in /etc/sysctl.conf, applied with sysctl -p), otherwise the containers reach the host but nothing beyond it.

Restart networking (on a remote host this bounces eth0, and your ssh session with it)

  service networking restart
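The same host preparation as a script, added here as an example and not code from the Anarchaserver page. It keeps the page's names (eth0, lxc-nat-bridge, 10.0.3.0/24) but tightens the rules: the masquerade is limited to the bridge subnet instead of every packet leaving eth0, nothing is flushed, routing is switched on explicitly, and the inbound FORWARD rule only admits replies to connections the containers opened, so nothing on the internet reaches a container except through the front Apache of STEP 3. The function names are this script's own assumptions; the rules are printed first so they can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example, not code from the Anarchaserver page: prepare the host for
# NAT'd containers as STEP 1 describes, but restricting the masquerade to the
# bridge subnet, not flushing the nat/POSTROUTING chain, and enabling routing
# explicitly. eth0, lxc-nat-bridge and 10.0.3.0/24 are the page's names; the
# function names are this script's own.

# lxc_nat_rules OUT_IF BRIDGE SUBNET: print the commands, one per line, so
# they can be reviewed (or diffed against the running rules) before applying.
lxc_nat_rules() {
    out_if="$1"; bridge="$2"; subnet="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $subnet ! -d $subnet -o $out_if -j MASQUERADE
iptables -A FORWARD -i $bridge -o $out_if -s $subnet -j ACCEPT
iptables -A FORWARD -i $out_if -o $bridge -d $subnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# lxc_nat_apply OUT_IF BRIDGE SUBNET: run the commands; every "iptables -A"
# is tried as "iptables -C" first, so re-running never duplicates a rule.
lxc_nat_apply() {
    lxc_nat_rules "$@" | while IFS= read -r cmd; do
        case "$cmd" in
            iptables*)
                check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
                $check 2>/dev/null || $cmd
                ;;
            *)
                $cmd
                ;;
        esac
    done
}

# Usage on the host, as root, once the bridge is up:
#   lxc_nat_rules eth0 lxc-nat-bridge 10.0.3.0/24   # review
#   lxc_nat_apply eth0 lxc-nat-bridge 10.0.3.0/24   # apply
```

sysctl -w only lasts until the next reboot; keep net.ipv4.ip_forward=1 in /etc/sysctl.conf as the page says. Because new inbound connections are not forwarded, a service that must be reachable directly (not through the Apache front) needs its own DNAT and FORWARD rule; that is deliberate, so that opening a container to the internet is an explicit step.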



STEP 2 Create and configure the container

Create the container (the debian template fetches a minimal root filesystem into /var/lib/lxc/transitional/rootfs)

  lxc-create -n transitional -t debian

Configure its network

  nano /var/lib/lxc/transitional/config

At least, you have to uncomment and adapt the lxc.network.ipv4 address (unique per container, inside 10.0.3.0/24, and not the gateway 10.0.3.1) and the lxc.utsname parameter. lxc.start.auto = 1 starts the container at boot. These are the LXC 2 key names; LXC 3 (Debian 10) renamed them, see the last section on lxc-update-config.

 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = lxc-nat-bridge
 lxc.network.name = eth0
 lxc.network.ipv4 = 10.0.3.9
 lxc.network.ipv4.gateway = 10.0.3.1

 lxc.rootfs = /var/lib/lxc/transitional/rootfs
 lxc.rootfs.backend = dir

 # Common configuration
 lxc.include = /usr/share/lxc/config/debian.common.conf

 # Container specific configuration
 lxc.tty = 4
 lxc.utsname = transitional
 lxc.arch = amd64
 lxc.start.auto = 1
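With addresses set by hand, the failure mode is two containers configured with the same IP, or one given the gateway's address: LXC starts them anyway and the traffic simply goes to the wrong place. The check below is an added example, not code from the Anarchaserver page; it reads every <dir>/<name>/config, accepting both the LXC 2 key used on this page (lxc.network.ipv4) and the LXC 3 spelling lxc-update-config produces (lxc.net.0.ipv4.address), and reports duplicates, gateway collisions and addresses outside the bridge subnet. The subnet and gateway are the page's (10.0.3.0/24, 10.0.3.1); the sample container tree is constructed for the demo and the function names are this script's own.

```shell
#!/bin/sh
# Added example, not code from the Anarchaserver page: check the static
# addresses given to containers in STEP 2 before starting them. Every
# DIR/<name>/config must carry a distinct address, inside the bridge subnet
# and different from the gateway. Both key spellings are read:
# lxc.network.ipv4 (LXC 2, as on this page) and lxc.net.0.ipv4.address
# (LXC 3, what lxc-update-config rewrites it to). Subnet and gateway are the
# page's (10.0.3.0/24, 10.0.3.1); make_container_samples writes a tree
# constructed for the demo.

# container_ips DIR: print "name address" for each DIR/*/config.
container_ips() {
    for cfg in "$1"/*/config; do
        [ -f "$cfg" ] || continue
        name=$(basename "$(dirname "$cfg")")
        addr=$(sed -nE 's#^[[:space:]]*lxc\.(network\.ipv4|net\.0\.ipv4\.address)[[:space:]]*=[[:space:]]*([0-9.]+).*#\2#p' "$cfg" | head -n 1)
        if [ -n "$addr" ]; then
            echo "$name $addr"
        fi
    done
}

# check_container_ips DIR PREFIX GATEWAY: PREFIX is the dotted /24 prefix
# (10.0.3 for the page's bridge). Prints one line per problem plus a
# "problems: N" summary and returns 0 only when N is 0.
check_container_ips() {
    dir="$1"; prefix="$2"; gw="$3"; n=0
    list=$(container_ips "$dir")
    # the same address on more than one container
    for dup in $(printf '%s\n' "$list" | awk '{print $2}' | sort | uniq -d); do
        users=$(printf '%s\n' "$list" | awk -v a="$dup" '$2 == a {print $1}' | tr '\n' ' ')
        echo "duplicate: $dup used by $users"
        n=$((n+1))
    done
    # gateway collision and addresses outside the bridge subnet
    # (a here-document, not a pipe, so that n survives the loop)
    while read -r name addr; do
        [ -n "$name" ] || continue
        case "$addr" in
            "$gw")       echo "gateway: $name uses the gateway address $gw"; n=$((n+1)) ;;
            "$prefix".*) ;;
            *)           echo "outside: $name has $addr, not in $prefix.0/24"; n=$((n+1)) ;;
        esac
    done <<EOF
$list
EOF
    echo "problems: $n"
    [ "$n" -eq 0 ]
}

# Constructed sample tree: five containers, three of them wrong on purpose.
make_container_samples() {
    for c in transitional repository livingdata clash other; do
        mkdir -p "$1/$c"
    done
    printf 'lxc.network.ipv4 = 10.0.3.9/24\nlxc.utsname = transitional\n'      > "$1/transitional/config"
    printf 'lxc.net.0.ipv4.address = 10.0.3.10/24\nlxc.uts.name = repository\n' > "$1/repository/config"
    printf 'lxc.net.0.ipv4.address = 10.0.3.9/24\n' > "$1/livingdata/config"   # same as transitional
    printf 'lxc.network.ipv4 = 10.0.3.1\n'          > "$1/clash/config"        # the gateway itself
    printf 'lxc.network.ipv4 = 192.168.1.5/24\n'    > "$1/other/config"        # not on the bridge
}

# Usage on the real host:
#   check_container_ips /var/lib/lxc 10.0.3 10.0.3.1
```

Run it before lxc-start on a new container, and again after lxc-update-config, since that rewrite is exactly when a key can be renamed without the address being checked.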

STEP 3 Configure the host/front Apache to proxy the requests to the container

Set up routing, a (reverse) proxy system for networking: depending on the service (Living data, Nekrocemetery, Transitional) we create subdomains which direct you to the correct container.

Example here with the Transitional/Yunohost (ynh) container and its services

Add the subdomain at Gandi

Or not: as there is a wildcard (*) record, all subdomains of anarchaserver.org are already directed to the front Apache server on the IP of anarchaserver.org.

Configure the hosts

Modify /etc/hosts on the server itself, as root. The HTTPS vhost below relies on this entry to find the container.

  sudo nano /etc/hosts

Add:

  10.0.3.9        transitional.anarchaserver.org

Create a first vhost on the front Apache

  sudo nano /etc/apache2/sites-available/transitional.conf

(The file name matters: certbot derives the name of the SSL vhost it generates below, transitional-le-ssl.conf, from it.)

  <VirtualHost *:80>
     ServerAdmin webmaster@localhost
     ServerName transitional.anarchaserver.org

     ErrorLog ${APACHE_LOG_DIR}/transitional-error.log
     CustomLog ${APACHE_LOG_DIR}/transitional-access.log combined

     ProxyPreserveHost       On
     ProxyRequests           Off

     ProxyPass / http://10.0.3.9/
     ProxyPassReverse / http://10.0.3.9/

     <Proxy *>
            Order deny,allow
            Allow from all
     </Proxy>
     RewriteEngine on
     RewriteCond %{SERVER_NAME} =transitional.anarchaserver.org
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
  </VirtualHost>

ProxyRequests Off matters: with it On, the front Apache would be an open forward proxy for anyone on the internet. ProxyPassReverse takes the local path first and the backend URL second, same order as ProxyPass. The RewriteEngine block sends every plain-HTTP request to HTTPS (certbot writes exactly these lines when you choose "Secure" below, so they can also be left out here and let certbot add them). The Order/Allow lines are Apache 2.2 syntax that 2.4 only honours through mod_access_compat; the 2.4 equivalent is Require all granted.

Enable the site (a2ensite creates the symlink in sites-enabled, which is how Apache takes the file into account)

  sudo a2ensite transitional

Reload Apache2

  sudo systemctl reload apache2

Create a HTTPS certificate with Let's Encrypt (certbot)

See the existing certificates:

  sudo certbot certificates

Create the certificate for the domain with the Apache plugin (it proves control of the name over HTTP on the front, so the wildcard DNS record and the :80 vhost above must be in place first)

  sudo certbot --apache -d transitional.anarchaserver.org

You can choose: "2: Secure - Make all requests redirect to secure HTTPS access"

That's it!

To check whether the certificates need to be renewed (and renew them):

  sudo certbot renew

Reload Apache2

  sudo systemctl reload apache2

Configure Apache to proxy the subdomain for HTTPS

Modify the SSL vhost generated by certbot as below:

  sudo nano /etc/apache2/sites-available/transitional-le-ssl.conf

  <IfModule mod_ssl.c>
  <VirtualHost *:443>
      ServerAdmin webmaster@localhost
      ServerName transitional.anarchaserver.org
      ErrorLog ${APACHE_LOG_DIR}/transitional-error.log
      CustomLog ${APACHE_LOG_DIR}/transitional-access.log combined
      ProxyPreserveHost       On
      ProxyRequests           Off
      <Proxy *>
          Order deny,allow
          Allow from all
      </Proxy>
      SSLEngine on
      SSLProxyEngine On
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off

      ProxyPass / https://transitional.anarchaserver.org/
      ProxyPassReverse / https://transitional.anarchaserver.org/

      SSLCertificateFile /etc/letsencrypt/live/transitional.anarchaserver.org/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/transitional.anarchaserver.org/privkey.pem
      Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
  </IfModule>

Notes on this vhost. The ProxyPass target is https://transitional.anarchaserver.org/, which the front resolves to 10.0.3.9 only because of the /etc/hosts entry added above; remove that entry and the name resolves to the public IP, so the front proxies to itself in a loop. Pointing ProxyPass at https://10.0.3.9/ directly removes that dependency. SSLProxyEngine On is required to proxy to an https:// backend. SSLProxyVerify none and the SSLProxyCheckPeer* off lines mean the front does not check the certificate the container presents (Yunohost serves its own certificate, which the front has no reason to trust); on a bridge that exists only inside this host that is an accepted trade-off, but it would not be if the backend were reached over a network you do not control. ProxyPreserveHost On forwards the browser's Host header so the web server inside the container serves the right site.

Activate mod_ssl on Apache (as root)

  sudo a2enmod ssl
  sudo a2ensite transitional-le-ssl

(certbot --apache normally enables both mod_ssl and this site on its own; the two commands are harmless if it already did.)

Restart Apache2 (to activate SSL)

  sudo systemctl restart apache2.service

OR

Reload Apache2 (if there is a problem in the new config, Apache keeps running with its previous configuration)

  sudo systemctl reload apache2.service
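Both vhosts above are small enough to read by eye, but each has one line whose value decides whether the front is safe (ProxyRequests), whether it verifies the container (SSLProxyVerify), and whether it depends on the /etc/hosts pin (the ProxyPass target). The audit below is an added example, not code from the Anarchaserver page; it greps a vhost for those points and checks that any ProxyPass target given as a hostname is pinned in the supplied hosts file. The vhost and hosts files it writes are constructed for the demo (the hostnames and addresses are the page's), and the function names are this script's own.

```shell
#!/bin/sh
# Added example, not code from the Anarchaserver page: a quick audit of a
# reverse-proxy vhost for the points that matter in STEP 3. It reports
#  - ProxyRequests On (an open forward proxy) or no explicit ProxyRequests Off,
#  - SSLProxyVerify none (the front does not verify the container's certificate),
#  - Apache 2.2 access syntax (Order / Allow from) instead of 2.4 Require,
#  - a ProxyPass target whose hostname is not pinned in the given hosts file
#    (without the pin the front resolves its own public name and loops).
# make_vhost_samples writes files constructed for the demo.

# audit_vhost VHOST_FILE HOSTS_FILE: print one line per finding plus a
# "findings: N" summary; return 0 only when there is nothing to report.
audit_vhost() {
    vhost="$1"; hosts="$2"; n=0
    if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$vhost"; then
        echo "open-proxy: ProxyRequests On"; n=$((n+1))
    elif ! grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$vhost"; then
        echo "missing: explicit ProxyRequests Off"; n=$((n+1))
    fi
    if grep -Eiq '^[[:space:]]*SSLProxyVerify[[:space:]]+none' "$vhost"; then
        echo "no-backend-verify: SSLProxyVerify none"; n=$((n+1))
    fi
    if grep -Eiq '^[[:space:]]*(Order|Allow from)[[:space:]]' "$vhost"; then
        echo "legacy-acl: Order/Allow from (Apache 2.4 syntax is Require all granted)"; n=$((n+1))
    fi
    # every ProxyPass target given as a name must be pinned in the hosts file;
    # numeric targets (10.0.3.9) need no pin and are skipped
    for host in $(sed -nE 's#^[[:space:]]*ProxyPass[[:space:]]+[^[:space:]]+[[:space:]]+https?://([^/:[:space:]]+).*#\1#p' "$vhost"); do
        case "$host" in
            *[!0-9.]*)
                grep -Eq "^[^#]*[[:space:]]$host([[:space:]]|\$)" "$hosts" \
                    || { echo "unpinned: ProxyPass target $host not in $hosts"; n=$((n+1)); }
                ;;
        esac
    done
    echo "findings: $n"
    [ "$n" -eq 0 ]
}

# Constructed samples: the page's SSL vhost, a hosts file with the pin and
# one without it.
make_vhost_samples() {
    cat >"$1/transitional-le-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName transitional.anarchaserver.org
    ProxyPreserveHost On
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProxyEngine On
    SSLProxyVerify none
    ProxyPass / https://transitional.anarchaserver.org/
    ProxyPassReverse / https://transitional.anarchaserver.org/
</VirtualHost>
</IfModule>
EOF
    printf '127.0.0.1\tlocalhost\n10.0.3.9\ttransitional.anarchaserver.org\n' > "$1/hosts"
    printf '127.0.0.1\tlocalhost\n' > "$1/hosts-without-entry"
}

# Usage on the front:
#   audit_vhost /etc/apache2/sites-enabled/transitional-le-ssl.conf /etc/hosts
```

On the page's own SSL vhost the audit reports the disabled backend verification and the 2.2 access syntax, and adds the unpinned target as soon as the /etc/hosts line is missing; a vhost that uses Require all granted, SSLProxyVerify require and an IP target comes back clean.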

STEP 4 How can we administrate this container

Access the container

  • Log into anarchaserver, then type (you need an account on this container, its root password or a user you created there, to log in at the console prompt):
  sudo lxc-console -n transitional
  • To get a root shell in the container without any account (nothing is asked: root on the host is root in every container, so the host's own accounts are what protect them):
  sudo lxc-attach -n transitional

Install and update things in the container

Once logged in:

  sudo apt-get update
  sudo apt-get upgrade
  sudo apt-get install iputils-ping

Snapshot a container

Stop it first, and write a comment file (lxc-snapshot -c stores the text of that file alongside the snapshot):

  lxc-stop -n repository
  echo "Snapshot before installing mediainfo" > repopiwigoquasiOK
  lxc-snapshot -n repository -c repopiwigoquasiOK

To list the snapshots, with their comments:

  lxc-snapshot -n repository -L

To delete a snapshot (snapXXX is the name printed by -L, e.g. snap0; with the dir backend each snapshot is a full copy of the rootfs, so keep an eye on disk space):

  sudo rm -rf /var/lib/lxc/repository/snaps/snapXXX/

Update a container config coming from a previous Debian 9 install

Debian 10 ships LXC 3, which renamed the configuration keys (lxc.network.* became lxc.net.0.*, lxc.utsname became lxc.uts.name, and so on); a container created under Debian 9 will not start until its config has been converted:

  lxc-update-config -c /var/lib/lxc/repository/config