Containers

We install containers to manage the transitional, finally LXE: https://wiki.debian.org/LXC

STEP 0 Install lxc

apt-get update apt-get install lxc

Generic commands to manipulate containers

Start the container,deattach the container from the root terminal and change password of the container

START lxc-start -n transitional -d

GET A ROOT PROMPT lxc-attach -n transitional

OPEN A CONSOLE lxc-console -n transitional

STOP lxc-stop -n transitional

LIST the containers and their IP lxc-ls -f


STEP 1 Prepare once the host network for containers

This operation just need to be done once

A container, has MAC adress, we need a bridge for networking, via dhcp,  So the container get an ip, and give access to the server's internal network

Do we opt for static of dynamic ip's? the dhcp server can have static ip via host/ it is anyhow setup to give a unique ip to the MAC address of the container (guest). So the choice is obsolete.


Using /etc/network/interfaces, the bridge could be created simply:

iface lxc-nat-bridge inet static bridge_ports none bridge_fd 0 address 10.0.3.1 netmask 255.255.255.0

We will also add, /etc/network/interface, the iptable rules for your main 'out' interface (here eth0):

iface eth0 inet static       ...       up iptables -t nat -F POSTROUTING       up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE or       iptables -A FORWARD -i eth0 -o lxc-nat-bridge -j ACCEPT                                                                                       |       iptables -A FORWARD -i lxc-nat-bridge -o eth0 -j ACCEPT


Restart network interface service networking restart


WARNING deprecated!!!!


Enable IPv4 forwarding by putting this in /etc/sysctl.conf: net.ipv4.ip_forward=1 and then applying it using:

sysctl -p


ERRORS along the way which got solved

Could not find writable mount point for cgroup hierarchy 8 while trying to create cgroup.

We imagine that if we upgrade to jessie 8.8, that the Cgroup issue (=a subsystem in the linux kernell, which allows process separation) will be a resolved. For now we add the mountpoint. and follow this manual [1]


STEP 2 Create and configure the container

Create the container lxc-create -n transitional -t debian

Configure its network nano /var/lib/lxc/transitional/config At least, you have to uncomment and adapt the lxc.network.ipv4 IP adresse and the lxc.utsname parameter

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxc-nat-bridge
lxc.network.name = eth0
lxc.network.ipv4 = 10.0.3.2
lxc.network.ipv4.gateway = 10.0.3.1
lxc.rootfs = /var/lib/lxc/transitional/rootfs
lxc.rootfs.backend = dir
# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
# Container specific configuration
lxc.tty = 4
lxc.utsname = transitional
lxc.arch = amd64
lxc.start.auto = 1


STEP 3 Configure the host/front Apache to proxy the requests to the container

Setup routing / (reverse) proxy system for networking, so depending on the different services (Living data, Nekrocemetery, Transitional) we create subdomains which direct you to the correct container.

Example here with Transitional/Yunohost (ynh) container and services

Add the subdomain at Gandi

Or not, as there is a wildcard (*), all subdomains of anarchaserver.org will be directed to the front apache server on the IP of anarchaserver.org

Configure the hosts

Modify /etc/hosts on the root of the server

sudo nano /etc/hosts

Add :

10.0.3.2        ynh.anarchaserver.org

Create a first vhost on the front apache

sudo nano /etc/apache2/sites-available/ynh.conf

<VirtualHost *:80>

       ServerAdmin webmaster@localhost
       ServerName ynh.anarchaserver.org


       ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
       CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined


 ProxyPreserveHost       On
 ProxyRequests           Off
  ProxyPass / http://10.0.3.2
  ProxyPassReverse http://10.0.3.2 /
       <Proxy *>
               Order deny,allow
               Allow from all
       </Proxy>

</VirtualHost> Create the symbolic link between this file and the sites-enable folder so has to be taken into account by apache

sudo ln -s ynh.conf /etc/apache2/sites-enabled/ynh.conf

Restart Apache2

sudo systemctl reload apache2

Create a HTTPS Certificate with let'sencrypt (certbot)

See the existings certificates :

sudo certbot certificates

Create the certificate for the domain with apache server

sudo certbot --apache -d ynh.anarchaserver.org

You can choose to : "2: Secure - Make all requests redirect to secure HTTPS access"

That's it !

To check if the certificates needs to be renewed (and renew them)

sudo certbot renew

Restart Apache2

sudo systemctl reload apache2

Configure Apache to proxy the subdomain for HTTPS

Modify the vhost for ssl generated by certbot as below :

sudo nano /etc/apache2/sites-available/yunohost-le-ssl.conf

<IfModule mod_ssl.c> <VirtualHost *:443>

       ServerAdmin webmaster@localhost
       ServerName ynh.anarchaserver.org
       ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
       CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined
       ProxyPreserveHost       On
       ProxyRequests           Off
       <Proxy *>
               Order deny,allow
               Allow from all
       </Proxy>
       SSLEngine on
       SSLProxyEngine On
       SSLProxyVerify none
       SSLProxyCheckPeerCN off
       SSLProxyCheckPeerName off
       SSLProxyCheckPeerExpire off
       ProxyPass /  https://ynh.anarchaserver.org/
       ProxyPassReverse / https://ynh.anarchaserver.org/

SSLCertificateFile /etc/letsencrypt/live/ynh.anarchaserver.org/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/ynh.anarchaserver.org/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> </IfModule>

Activate mod_ssl on Apache (as root)

a2enmod ssl

Restart Apache2 (to activate ssl)

sudo systemctl restart apache2.service

OR

Reload Apache2 (if there is a problem, Apache will keep its configuration)

sudo systemctl reload apache2.service

STEP 4 How can we administrate this container

Access the container

  • Log into anarchaserver and then type : (you need to be a user on this container to be able to login with ssh public key or root account)
sudo lxc-console -n transitional
  • To access the container without an account
sudo lxc-attach -n transitional

Install and update things in the container

Once logged :

sudo apt-get update
sudo apt-get upgrade
sudo apt-get iputils-ping