Difference between revisions of "Containers"

From Anarchaserver
Line 58: Line 58:
<code>service networking restart</code>
<code>service networking restart</code>


WARNING deprecated!!!!
'''Enable IPv4 forwarding by putting this in /etc/sysctl.conf:'''
<code>net.ipv4.ip_forward=1</code>
and then applying it using:
sysctl -p
'''ERRORS along the way which got solved'''
<code>Could not find writable mount point for cgroup hierarchy 8 while trying to create cgroup. </code>
We imagine that if we upgrade to jessie 8.8, that the Cgroup issue (=a subsystem in the linux kernell, which allows process separation) will be a resolved. For now we add the mountpoint. and follow this manual [https://wiki.deimos.fr/LXC_:_Install_and_configure_the_Linux_Containers#Nat_configuration]


---------------------------------------
---------------------------------------
Line 81: Line 66:


'''Configure its network'''
'''Configure its network'''
<code>nano /var/lib/lxc/transitional/config</code>
nano /var/lib/lxc/transitional/config
 
At least, you have to uncomment and adapt the lxc.network.ipv4 IP adresse and the lxc.utsname parameter
At least, you have to uncomment and adapt the lxc.network.ipv4 IP adresse and the lxc.utsname parameter
 
<syntaxhighlight lang="text">
  lxc.network.type = veth
  lxc.network.type = veth
  lxc.network.flags = up
  lxc.network.flags = up
  lxc.network.link = lxc-nat-bridge
  lxc.network.link = lxc-nat-bridge
  lxc.network.name = eth0
  lxc.network.name = eth0
  lxc.network.ipv4 = 10.0.3.2
  lxc.network.ipv4 = 10.0.3.9
  lxc.network.ipv4.gateway = 10.0.3.1
  lxc.network.ipv4.gateway = 10.0.3.1


Line 102: Line 88:
  lxc.arch = amd64
  lxc.arch = amd64
  lxc.start.auto = 1
  lxc.start.auto = 1
 
</syntaxhighlight>


== STEP 3 Configure the host/front Apache to proxy the requests to the container ==  
== STEP 3 Configure the host/front Apache to proxy the requests to the container ==  
Line 116: Line 102:
  sudo nano /etc/hosts
  sudo nano /etc/hosts
Add :
Add :
  10.0.3.2       ynh.anarchaserver.org
  10.0.3.9       transitional.anarchaserver.org


=== Create a first vhost on the front apache ===
=== Create a first vhost on the front apache ===
  sudo nano /etc/apache2/sites-available/ynh.conf
  sudo nano /etc/apache2/sites-available/ynh.conf
<code>
<syntaxhighlight lang="text">
  <VirtualHost *:80>
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
  ServerAdmin webmaster@localhost
        ServerName ynh.anarchaserver.org
  ServerName transitional.anarchaserver.org


  ErrorLog ${APACHE_LOG_DIR}/transitional-error.log
  CustomLog ${APACHE_LOG_DIR}/transitional-access.log combined


        ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
  ProxyPreserveHost      On
        CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined
  ProxyRequests          Off


  ProxyPass / http://10.0.3.9/
  ProxyPassReverse http://10.0.3.9/ /


  ProxyPreserveHost      On
  <Proxy *>
  ProxyRequests           Off
           Order deny,allow
          Allow from all
  </Proxy>
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =transitional.anarchaserver.org
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>


  ProxyPass / http://10.0.3.2
</syntaxhighlight>
  ProxyPassReverse http://10.0.3.2 /


        <Proxy *>
'''Create the symbolic link between this file and the sites-enable folder so has to be taken into account by apache'''
                Order deny,allow
sudo a2ensite /etc/apache2/sites-enable/transitional.conf
                Allow from all
        </Proxy>


  </VirtualHost>
</code>
'''Create the symbolic link between this file and the sites-enable folder so has to be taken into account by apache'''
sudo ln -s ynh.conf /etc/apache2/sites-enabled/ynh.conf


'''Restart Apache2'''
'''Restart Apache2'''
Line 154: Line 142:
  sudo certbot certificates
  sudo certbot certificates
'''Create the certificate for the domain with apache server'''
'''Create the certificate for the domain with apache server'''
  sudo certbot --apache -d ynh.anarchaserver.org
  sudo certbot --apache -d transitional.anarchaserver.org
You can choose to : "2: Secure - Make all requests redirect to secure HTTPS access"
You can choose to : "2: Secure - Make all requests redirect to secure HTTPS access"


Line 168: Line 156:
Modify the vhost for ssl generated by certbot as below :
Modify the vhost for ssl generated by certbot as below :


  sudo nano /etc/apache2/sites-available/yunohost-le-ssl.conf
  sudo nano /etc/apache2/sites-available/transitional-le-ssl.conf
 
<code>
  <IfModule mod_ssl.c>
  <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName ynh.anarchaserver.org
 
        ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
        CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined
 
        ProxyPreserveHost      On
        ProxyRequests          Off


        <Proxy *>
<syntaxhighlight lang="text">
                Order deny,allow
<IfModule mod_ssl.c>
                Allow from all
<VirtualHost *:443>
        </Proxy>
    ServerAdmin webmaster@localhost
        SSLEngine on
    ServerName transitional.anarchaserver.org
        SSLProxyEngine On
    ErrorLog ${APACHE_LOG_DIR}/transitional-error.log
        SSLProxyVerify none
    CustomLog ${APACHE_LOG_DIR}/transitional-access.log combined
        SSLProxyCheckPeerCN off
    ProxyPreserveHost      On
        SSLProxyCheckPeerName off
    ProxyRequests          Off
        SSLProxyCheckPeerExpire off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off


        ProxyPass /  https://ynh.anarchaserver.org/
    ProxyPass /  https://transitional.anarchaserver.org/
        ProxyPassReverse / https://ynh.anarchaserver.org/
    ProxyPassReverse / https://transitional.anarchaserver.org/


   SSLCertificateFile /etc/letsencrypt/live/ynh.anarchaserver.org/fullchain.pem
   SSLCertificateFile /etc/letsencrypt/live/transitional.anarchaserver.org/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/ynh.anarchaserver.org/privkey.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/transitional.anarchaserver.org/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf
   Include /etc/letsencrypt/options-ssl-apache.conf
   </VirtualHost>
   </VirtualHost>
   </IfModule>
   </IfModule>
</code>
</syntaxhighlight>


'''Activate mod_ssl on Apache''' (as root)
'''Activate mod_ssl on Apache''' (as root)
  a2enmod ssl
  sudo a2enmod ssl
sudo a2ensite /etc/apache2/sites-enabled/transitional-le-ssl.conf


'''Restart Apache2''' (to activate ssl)
'''Restart Apache2''' (to activate ssl)

Revision as of 17:00, 8 June 2019

We install containers to manage the transitional, finally LXE: https://wiki.debian.org/LXC

STEP 0 Install lxc

apt-get update apt-get install lxc

Generic commands to manipulate containers

Start the container,deattach the container from the root terminal and change password of the container

START lxc-start -n transitional -d

GET A ROOT PROMPT lxc-attach -n transitional

OPEN A CONSOLE lxc-console -n transitional

STOP lxc-stop -n transitional

LIST the containers and their IP lxc-ls -f


STEP 1 Prepare once the host network for containers

This operation just need to be done once

A container, has MAC adress, we need a bridge for networking, via dhcp,  So the container get an ip, and give access to the server's internal network

Do we opt for static of dynamic ip's? the dhcp server can have static ip via host/ it is anyhow setup to give a unique ip to the MAC address of the container (guest). So the choice is obsolete.


Using /etc/network/interfaces, the bridge could be created simply:

iface lxc-nat-bridge inet static bridge_ports none bridge_fd 0 address 10.0.3.1 netmask 255.255.255.0

We will also add, /etc/network/interface, the iptable rules for your main 'out' interface (here eth0):

iface eth0 inet static       ...       up iptables -t nat -F POSTROUTING       up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE or       iptables -A FORWARD -i eth0 -o lxc-nat-bridge -j ACCEPT                                                                                       |       iptables -A FORWARD -i lxc-nat-bridge -o eth0 -j ACCEPT


Restart network interface service networking restart


STEP 2 Create and configure the container

Create the container lxc-create -n transitional -t debian

Configure its network 

nano /var/lib/lxc/transitional/config

At least, you have to uncomment and adapt the lxc.network.ipv4 IP adresse and the lxc.utsname parameter 

 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = lxc-nat-bridge
 lxc.network.name = eth0
 lxc.network.ipv4 = 10.0.3.9
 lxc.network.ipv4.gateway = 10.0.3.1

 lxc.rootfs = /var/lib/lxc/transitional/rootfs
 lxc.rootfs.backend = dir

 # Common configuration
 lxc.include = /usr/share/lxc/config/debian.common.conf

 # Container specific configuration
 lxc.tty = 4
 lxc.utsname = transitional
 lxc.arch = amd64
 lxc.start.auto = 1

STEP 3 Configure the host/front Apache to proxy the requests to the container

Setup routing / (reverse) proxy system for networking, so depending on the different services (Living data, Nekrocemetery, Transitional) we create subdomains which direct you to the correct container.

Example here with Transitional/Yunohost (ynh) container and services

Add the subdomain at Gandi

Or not, as there is a wildcard (*), all subdomains of anarchaserver.org will be directed to the front apache server on the IP of anarchaserver.org

Configure the hosts

Modify /etc/hosts on the root of the server 

sudo nano /etc/hosts

Add : 

10.0.3.9        transitional.anarchaserver.org

Create a first vhost on the front apache

sudo nano /etc/apache2/sites-available/ynh.conf

<VirtualHost *:80>
   ServerAdmin webmaster@localhost
   ServerName transitional.anarchaserver.org

   ErrorLog ${APACHE_LOG_DIR}/transitional-error.log
   CustomLog ${APACHE_LOG_DIR}/transitional-access.log combined

   ProxyPreserveHost       On
   ProxyRequests           Off

   ProxyPass / http://10.0.3.9/
   ProxyPassReverse http://10.0.3.9/ /

   <Proxy *>
          Order deny,allow
          Allow from all
   </Proxy>
   RewriteEngine on
   RewriteCond %{SERVER_NAME} =transitional.anarchaserver.org
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

Create the symbolic link between this file and the sites-enable folder so has to be taken into account by apache 

sudo a2ensite /etc/apache2/sites-enable/transitional.conf


Restart Apache2 

sudo systemctl reload apache2

Create a HTTPS Certificate with let'sencrypt (certbot)

See the existings certificates : 

sudo certbot certificates

Create the certificate for the domain with apache server 

sudo certbot --apache -d transitional.anarchaserver.org

You can choose to : "2: Secure - Make all requests redirect to secure HTTPS access"

That's it !

To check if the certificates needs to be renewed (and renew them) 

sudo certbot renew

Restart Apache2 

sudo systemctl reload apache2

Configure Apache to proxy the subdomain for HTTPS

Modify the vhost for ssl generated by certbot as below : 

sudo nano /etc/apache2/sites-available/transitional-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
     ServerAdmin webmaster@localhost
     ServerName transitional.anarchaserver.org
     ErrorLog ${APACHE_LOG_DIR}/transitional-error.log
     CustomLog ${APACHE_LOG_DIR}/transitional-access.log combined
     ProxyPreserveHost       On
     ProxyRequests           Off
     <Proxy *>
         Order deny,allow
         Allow from all
     </Proxy>
     SSLEngine on
     SSLProxyEngine On
     SSLProxyVerify none
     SSLProxyCheckPeerCN off
     SSLProxyCheckPeerName off
     SSLProxyCheckPeerExpire off

     ProxyPass /  https://transitional.anarchaserver.org/
     ProxyPassReverse / https://transitional.anarchaserver.org/

  SSLCertificateFile /etc/letsencrypt/live/transitional.anarchaserver.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/transitional.anarchaserver.org/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
  </IfModule>

Activate mod_ssl on Apache (as root) 

sudo a2enmod ssl
sudo a2ensite /etc/apache2/sites-enabled/transitional-le-ssl.conf

Restart Apache2 (to activate ssl) 

sudo systemctl restart apache2.service

OR

Reload Apache2 (if there is a problem, Apache will keep its configuration) 

sudo systemctl reload apache2.service

STEP 4 How can we administrate this container

Access the container

  • Log into anarchaserver and then type : (you need to be a user on this container to be able to login with ssh public key or root account)
sudo lxc-console -n transitional
  • To access the container without an account
sudo lxc-attach -n transitional

Install and update things in the container

Once logged : 

sudo apt-get update
sudo apt-get upgrade
sudo apt-get iputils-ping

Snapshot a container

Stop it first, and write a comment file 

lxc-stop -n repository
echo "Snapshot before installing mediainfo" > repopiwigoquasiOK
lxc-snapshot -n repository -c repopiwigoquasiOK

To check the snapshot 

lxc-snapshot -n repository -L

To delete a snapshot 

sudo rm -rf /var/lib/lxc/repository/snaps/snapXXX/
Retrieved from "https://alexandria.anarchaserver.org/index.php?title=Containers&oldid=643"