Difference between revisions of "Containers"

From Anarchaserver
Line 97: Line 97:
== STEP 3 How can we access via the internet a container? ==  
== STEP 3 How can we access via the internet a container? ==  
Setup routing / (reverse) proxy system for networking, so depending on the different services (Living data, Nekrocemetery, Transitional) we create subdomains which direct you to the correct container.
Setup routing / (reverse) proxy system for networking, so depending on the different services (Living data, Nekrocemetery, Transitional) we create subdomains which direct you to the correct container.
=== Example with Transitional/Yunohost container and services ===
Modify /etc/hosts on the root of the server
sudo nano /etc/hosts
Add :
10.0.3.2        ynh.anarchaserver.org
Create 2 files in /etc/apache2/sites-availables for http and https config :
sudo nano /etc/apache2/sites-available/yunohost.conf
<code>
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName ynh.anarchaserver.org
        ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
        CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined
        ProxyPreserveHost      On
        ProxyRequests          Off
        ProxyPass / https://10.0.3.2
        ProxyPassReverse https://10.0.3.2 /
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
# Uncomment and adapt if you want to swith automaticaly from http to https
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =ynh.anarchaserver.org
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
</code>
2ème fichier :
sudo nano /etc/apache2/sites-available/yunohost-le-ssl.conf
<code>
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName ynh.anarchaserver.org
        ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
        CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined
        ProxyPreserveHost      On
        ProxyRequests          Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        SSLEngine on
        SSLProxyEngine On
        ProxyPass /  https://ynh.anarchaserver.org/
        ProxyPassReverse / https://ynh.anarchaserver.org/
SSLCertificateFile /etc/letsencrypt/live/ynh.anarchaserver.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ynh.anarchaserver.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
</code>
Reload Apache2 (if there is a problem, Apache will keep its configuration)
sudo systemctl reload apache2.service


== STEP 4 How can we administrate this container ==
== STEP 4 How can we administrate this container ==
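Review bot: in the new *:80 vhost, `ProxyPassReverse https://10.0.3.2 /` has its arguments reversed (the local path comes first, then the backend URL), and `ProxyPass / https://10.0.3.2` targets an https:// backend although that vhost never sets `SSLProxyEngine On`; only the *:443 file does. Suggest `ProxyPassReverse / https://10.0.3.2/` plus `SSLProxyEngine On` there, or enabling the commented RewriteRule so that port 80 only redirects to HTTPS. In the prose, `/etc/apache2/sites-availables` should read `sites-available` to match the commands that follow, and "2ème fichier" should be in English like the rest of the page.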

Revision as of 18:53, 18 August 2017

We install containers to manage the Transitional; in the end we use LXC: https://wiki.debian.org/LXC

STEP 0 Install lxc

apt-get update
apt-get install lxc

STEP 1 Let's create a 'Transitional' virtual machine, a container

lxc-create -n transitional -t debian


Start the container, detach it from the root terminal and change the password of the container

START: lxc-start -n transitional -d

OPEN: lxc-console -n transitional

STOP: lxc-stop -n transitional

LIST the containers and their IPs: lxc-ls -f



ERRORS along the way which got solved

Could not find writable mount point for cgroup hierarchy 8 while trying to create cgroup.

We imagine that if we upgrade to jessie 8.8, the cgroup issue will be resolved (cgroups are a subsystem of the Linux kernel which allows process separation). For now we add the mount point and follow this manual [1]


STEP 2 How can a container access the network?

A container has a MAC address. We need a bridge for networking, with DHCP, so that the container gets an IP and has access to the server's internal network.

Do we opt for static or dynamic IPs? The DHCP server can hand out static IPs per host; it is anyhow set up to give a unique IP to the MAC address of the container (guest). So the choice is obsolete.

/var/lib/lxc/<name>/config

   lxc.network.type = veth
   lxc.network.flags = up
   lxc.network.link = lxc-nat-bridge
   lxc.network.name = eth0
   lxc.network.ipv4 = 10.0.3.2
   lxc.network.ipv4.gateway = 10.0.3.1


Using /etc/network/interfaces, the bridge could be created simply:

iface lxc-nat-bridge inet static
   bridge_ports none
   bridge_fd 0
   address 10.0.3.1
   netmask 255.255.255.0


We will also add, in /etc/network/interfaces, the iptables rules for your main 'out' interface (here eth0):

iface eth0 inet static
     ...
     up iptables -t nat -F POSTROUTING
     up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

or

     iptables -A FORWARD -i eth0 -o lxc-nat-bridge -j ACCEPT
     iptables -A FORWARD -i lxc-nat-bridge -o eth0 -j ACCEPT



Restart network interface

service networking restart

WARNING deprecated!!!!


Enable IPv4 forwarding by putting this in /etc/sysctl.conf:

net.ipv4.ip_forward=1

and then applying it using:

sysctl -p

STEP 3 How can we access a container via the internet?

Set up a routing / (reverse) proxy system for networking: depending on the service (Living data, Nekrocemetery, Transitional), we create subdomains which direct you to the correct container.

Example with Transitional/Yunohost container and services

Modify /etc/hosts on the root of the server

sudo nano /etc/hosts

Add:

10.0.3.2        ynh.anarchaserver.org

Create 2 files in /etc/apache2/sites-available for the HTTP and HTTPS configuration:

sudo nano /etc/apache2/sites-available/yunohost.conf

<VirtualHost *:80>
       ServerAdmin webmaster@localhost
       ServerName ynh.anarchaserver.org
       ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
       CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined

       ProxyPreserveHost       On
       ProxyRequests           Off
       # The backend URL is https://, so this vhost needs the SSL proxy engine too
       SSLProxyEngine          On
       # Argument order: local path first, then the backend URL
       ProxyPass               / https://10.0.3.2/
       ProxyPassReverse        / https://10.0.3.2/

       # Apache 2.2 access syntax; Apache 2.4 needs mod_access_compat for it
       # (the native 2.4 form is "Require all granted")
       <Proxy *>
               Order deny,allow
               Allow from all
       </Proxy>

       # Uncomment and adapt if you want to switch automatically from http to https
       #RewriteEngine on
       #RewriteCond %{SERVER_NAME} =ynh.anarchaserver.org
       #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

Second file:

sudo nano /etc/apache2/sites-available/yunohost-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
       ServerAdmin webmaster@localhost
       ServerName ynh.anarchaserver.org
       ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
       CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined
       ProxyPreserveHost       On
       ProxyRequests           Off
       <Proxy *>
               Order deny,allow
               Allow from all
       </Proxy>
       SSLEngine on
       SSLProxyEngine On
       # On this server ynh.anarchaserver.org resolves to the container (10.0.3.2)
       # through the /etc/hosts entry added above
       ProxyPass /  https://ynh.anarchaserver.org/
       ProxyPassReverse / https://ynh.anarchaserver.org/

       SSLCertificateFile /etc/letsencrypt/live/ynh.anarchaserver.org/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/ynh.anarchaserver.org/privkey.pem
       Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Reload Apache2 (if there is a problem, Apache will keep its configuration)

sudo systemctl reload apache2.service
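
A check to run before the reload, for two mistakes that are easy to make in a vhost that proxies to an https:// backend such as the container at 10.0.3.2: a missing SSLProxyEngine and a ProxyPassReverse with its arguments swapped. This is an added example, not part of the original wiki page; lint_vhost and sample_bad are hypothetical names and the sample vhost is constructed.

```sh
#!/bin/sh
# lint_vhost [FILE]: report two reverse-proxy mistakes, one finding per line.
# Reads FILE, or standard input when no file is given.
lint_vhost() {
    awk '
        # Report an https:// ProxyPass seen in the scope just closed, then reset.
        function end_scope() {
            if (https_line && !ssl_proxy)
                printf "line %d: ProxyPass to an https:// backend without SSLProxyEngine On\n", https_line
            ssl_proxy = 0; https_line = 0
        }
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        { d = tolower($1) }                       # directive names are case-insensitive
        d ~ /^<\/?virtualhost/ { end_scope(); next }
        d == "sslproxyengine" && tolower($2) == "on" { ssl_proxy = 1 }
        d == "proxypass" && tolower($3) ~ /^https:/ && !https_line { https_line = NR }
        # Two-argument form is "ProxyPassReverse <local path> <backend URL>".
        d == "proxypassreverse" && NF >= 3 && $2 !~ /^\// {
            printf "line %d: ProxyPassReverse arguments reversed (path first, then URL)\n", NR
        }
        END { end_scope() }
    ' "${1:--}"
}

# Constructed sample: a port-80 vhost proxying to the container at 10.0.3.2.
sample_bad() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName ynh.anarchaserver.org
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / https://10.0.3.2
    ProxyPassReverse https://10.0.3.2 /
</VirtualHost>
EOF
}

sample_bad | lint_vhost
```

On the server it would be pointed at the real files, for example lint_vhost /etc/apache2/sites-available/yunohost.conf.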

STEP 4 How can we administrate this container

Access the container

  • Log into anarchaserver and then type (you need to be a user on this container to be able to log in with an SSH public key or the root account):
sudo lxc-console -n transitional
  • To access the container without an account
sudo lxc-attach -n transitional

Install and update things in the container

Once logged in:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install iputils-ping