Containers
We install containers to manage Transitional; in the end we chose LXC: https://wiki.debian.org/LXC
STEP 0 Install lxc
apt-get update
apt-get install lxc
STEP 1 Create. Let's create a 'Transitional' virtual machine, i.e. a container:
lxc-create -n transitional -t debian
Start the container, detach the container from the root terminal and change the container's password
START
lxc-start -n transitional -d
OPEN
lxc-console -n transitional
STOP
lxc-stop -n transitional
LIST the containers and their IPs
lxc-ls -f
ERRORS along the way which got solved
Could not find writable mount point for cgroup hierarchy 8 while trying to create cgroup.
We expect that if we upgrade to jessie 8.8, the cgroup issue (cgroups are a subsystem of the Linux kernel which allows process separation) will be resolved. For now we add the mount point and follow this manual [1].
STEP 2 How can a container access the network?
A container has a MAC address; we need a bridge for networking, via DHCP, so the container gets an IP and has access to the server's internal network.
Do we opt for static or dynamic IPs? The DHCP server can assign a static IP per host; it is in any case set up to give a unique IP to the MAC address of the container (guest). So the choice is moot.
/var/lib/lxc/<name>/config
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxc-nat-bridge
lxc.network.name = eth0
lxc.network.ipv4 = 10.0.3.2
lxc.network.ipv4.gateway = 10.0.3.1
Using /etc/network/interfaces, the bridge can be created simply:
iface lxc-nat-bridge inet static
bridge_ports none
bridge_fd 0
address 10.0.3.1
netmask 255.255.255.0
We also add, in /etc/network/interfaces, the iptables rules for your main 'out' interface (here eth0):
iface eth0 inet static
...
up iptables -t nat -F POSTROUTING
up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
or
iptables -A FORWARD -i eth0 -o lxc-nat-bridge -j ACCEPT
iptables -A FORWARD -i lxc-nat-bridge -o eth0 -j ACCEPT
Restart network interface
service networking restart
WARNING: deprecated!
Enable IPv4 forwarding by putting this in /etc/sysctl.conf:
net.ipv4.ip_forward=1
and then applying it using:
sysctl -p
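As an added check, not from the original wiki page: a small POSIX sh script that verifies the host-side result of this step (forwarding enabled, a MASQUERADE rule on the uplink, both FORWARD accept rules between the bridge and the uplink). Note that the MASQUERADE rule and the FORWARD rules are not alternatives: when the FORWARD chain policy is DROP, both are needed for the container to reach the internet. The interface names lxc-nat-bridge and eth0 are the page's; the sysctl and iptables-save text the script is run against here is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original wiki page: offline sanity checks for
# the host-side NAT setup of STEP 2 (bridge lxc-nat-bridge, uplink eth0).
# Every check takes the text to inspect as an argument, so it can be run here
# against constructed samples and, on the real host, against live output:
#   audit_nat "$(sysctl net.ipv4.ip_forward)" "$(iptables-save)" lxc-nat-bridge eth0

# 0 when the sysctl output reports IPv4 forwarding enabled.
check_ip_forward() {
    printf '%s\n' "$1" | grep -qE '^net\.ipv4\.ip_forward *= *1$'
}

# 0 when the nat table masquerades traffic leaving through uplink $2.
check_masquerade() {
    printf '%s\n' "$1" | grep -q -- "-A POSTROUTING -o $2 -j MASQUERADE"
}

# 0 when both FORWARD directions between bridge $2 and uplink $3 are accepted.
# These are required whenever the FORWARD chain policy is DROP.
check_forward_rules() {
    printf '%s\n' "$1" | grep -q -- "-A FORWARD -i $3 -o $2 -j ACCEPT" &&
    printf '%s\n' "$1" | grep -q -- "-A FORWARD -i $2 -o $3 -j ACCEPT"
}

# 0 when the FORWARD chain defaults to DROP, i.e. only the explicitly
# accepted bridge/uplink pair is routed through the host.
check_forward_policy_drop() {
    printf '%s\n' "$1" | grep -q '^:FORWARD DROP'
}

# Runs the checks; prints one line per problem and returns the number of
# hard failures (a permissive FORWARD policy is reported as a warning only).
audit_nat() {
    sysctl_out=$1 rules=$2 bridge=$3 uplink=$4 failed=0
    check_ip_forward "$sysctl_out" \
        || { echo "FAIL: net.ipv4.ip_forward is not 1"; failed=$((failed + 1)); }
    check_masquerade "$rules" "$uplink" \
        || { echo "FAIL: no MASQUERADE rule on $uplink"; failed=$((failed + 1)); }
    check_forward_rules "$rules" "$bridge" "$uplink" \
        || { echo "FAIL: FORWARD rules between $bridge and $uplink missing"; failed=$((failed + 1)); }
    check_forward_policy_drop "$rules" \
        || echo "WARN: FORWARD policy is not DROP; all forwarding is allowed"
    [ "$failed" -eq 0 ] && echo "OK: NAT setup for $bridge via $uplink looks complete"
    return "$failed"
}

# Constructed samples (not captured from the anarchaserver host).
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_RULES_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o lxc-nat-bridge -j ACCEPT
-A FORWARD -i lxc-nat-bridge -o eth0 -j ACCEPT
COMMIT'
SAMPLE_RULES_BAD='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

audit_nat "$SAMPLE_SYSCTL" "$SAMPLE_RULES_GOOD" lxc-nat-bridge eth0 || true
audit_nat "$SAMPLE_SYSCTL" "$SAMPLE_RULES_BAD" lxc-nat-bridge eth0 || echo "bad sample: $? problem(s)"
```

The script only reads text, so it can be run as an unprivileged user on captured output; the `sysctl` and `iptables-save` calls in the comment need root on the host. A non-zero return from audit_nat is convenient for a deploy script or a cron job that mails you when the rules did not come back after a networking restart.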
STEP 3 How can we access via the internet a container?
Set up routing / a (reverse) proxy system for networking, so that depending on the service (Living data, Nekrocemetery, Transitional) we create subdomains which direct you to the correct container.
Example with the Transitional/Yunohost container and its services
Add the subdomain at Gandi
A username/password is needed!
Configure the hosts
Modify /etc/hosts on the host server:
sudo nano /etc/hosts
Add:
10.0.3.2 ynh.anarchaserver.org
Modify /etc/hosts on your own computer to test before the domain has propagated:
sudo nano /etc/hosts
Add:
209.51.163.19 ynh.anarchaserver.org
Create an HTTPS certificate with Let's Encrypt (certbot)
See the existing certificates:
sudo certbot certificates
Create the certificate for the domain with the Apache plugin:
sudo certbot --apache -d ynh.anarchaserver.org
That's it!
To check whether the certificates need to be renewed (and renew them):
sudo certbot renew
Configure Apache to proxy the subdomain
Create 2 files in /etc/apache2/sites-available for the http and https config:
sudo nano /etc/apache2/sites-available/yunohost.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName ynh.anarchaserver.org
ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / https://10.0.3.2/
ProxyPassReverse / https://10.0.3.2/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine on
RewriteCond %{SERVER_NAME} =ynh.anarchaserver.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
Second file:
sudo nano /etc/apache2/sites-available/yunohost-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName ynh.anarchaserver.org
ErrorLog ${APACHE_LOG_DIR}/ynh-error.log
CustomLog ${APACHE_LOG_DIR}/ynh-access.log combined
ProxyPreserveHost On
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine on
SSLProxyEngine On
ProxyPass / https://ynh.anarchaserver.org/
ProxyPassReverse / https://ynh.anarchaserver.org/
SSLCertificateFile /etc/letsencrypt/live/ynh.anarchaserver.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ynh.anarchaserver.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Activate mod_ssl on Apache (as root)
a2enmod ssl
Restart Apache2 (to activate ssl)
sudo systemctl restart apache2.service
OR
Reload Apache2 (if there is a problem in the new files, Apache keeps its current configuration)
sudo systemctl reload apache2.service
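As an added check, not from the original wiki page nor from Yunohost or Apache: a POSIX sh lint for the two vhost files above, covering the points that matter in a reverse proxy that fronts a container. It checks that ProxyRequests is Off (otherwise the `<Proxy *>` block that allows everyone would turn the server into an open forward proxy), that every ProxyPass path has a ProxyPassReverse for the same path (a swapped argument order does not pair with the ProxyPass, so redirects from the backend can leak its internal address to clients), and that SSLProxyEngine On is present whenever the backend is https://. The vhost samples are constructed after the page's files, with the page's backend 10.0.3.2.

```shell
#!/bin/sh
# Added example, not from the original wiki page: an offline lint for the
# reverse-proxy vhost files of STEP 3. Each check takes the vhost text as an
# argument, so it runs here against constructed samples and, on the server,
# against the real files:
#   lint_vhost "$(cat /etc/apache2/sites-available/yunohost-le-ssl.conf)"

# 0 when ProxyRequests is explicitly Off. With "<Proxy *> Allow from all" and
# ProxyRequests On, the vhost would be an open forward proxy for the internet.
check_proxy_requests_off() {
    printf '%s\n' "$1" | grep -qiE '^[[:space:]]*ProxyRequests[[:space:]]+Off'
}

# 0 when every ProxyPass path has a ProxyPassReverse for the same path.
# "ProxyPassReverse https://backend /" (arguments swapped) does not pair with
# "ProxyPass / https://backend/", so the backend's Location headers are not
# rewritten and its internal address can reach the client.
check_proxypass_pairs() {
    printf '%s\n' "$1" | awk '
        $1 == "ProxyPass"        { pass[$2] = $3 }
        $1 == "ProxyPassReverse" { rev[$2] = $3 }
        END {
            bad = 0
            for (p in pass) if (!(p in rev)) { print "missing ProxyPassReverse for " p; bad = 1 }
            exit bad
        }'
}

# 0 when no ProxyPass targets an https:// backend, or SSLProxyEngine On is
# present so mod_proxy is allowed to open TLS connections to it.
check_ssl_proxy_engine() {
    if printf '%s\n' "$1" | grep -qiE '^[[:space:]]*ProxyPass[[:space:]]+[^[:space:]]+[[:space:]]+https://'; then
        printf '%s\n' "$1" | grep -qiE '^[[:space:]]*SSLProxyEngine[[:space:]]+On'
    fi
}

# Runs all checks; prints one line per problem and returns the failure count.
lint_vhost() {
    failed=0
    check_proxy_requests_off "$1" \
        || { echo "FAIL: ProxyRequests is not Off"; failed=$((failed + 1)); }
    check_proxypass_pairs "$1" \
        || { echo "FAIL: ProxyPass without matching ProxyPassReverse"; failed=$((failed + 1)); }
    check_ssl_proxy_engine "$1" \
        || { echo "FAIL: https:// backend but SSLProxyEngine is not On"; failed=$((failed + 1)); }
    return "$failed"
}

# Constructed samples: a vhost like the corrected STEP 3 https file, and a
# broken one with the ProxyPassReverse arguments swapped and no SSLProxyEngine.
SAMPLE_VHOST_GOOD='<VirtualHost *:443>
    ServerName ynh.anarchaserver.org
    ProxyPreserveHost On
    ProxyRequests Off
    SSLEngine on
    SSLProxyEngine On
    ProxyPass / https://10.0.3.2/
    ProxyPassReverse / https://10.0.3.2/
</VirtualHost>'
SAMPLE_VHOST_BAD='<VirtualHost *:80>
    ServerName ynh.anarchaserver.org
    ProxyRequests Off
    ProxyPass / https://10.0.3.2
    ProxyPassReverse https://10.0.3.2 /
</VirtualHost>'

lint_vhost "$SAMPLE_VHOST_GOOD" && echo "good sample: clean"
lint_vhost "$SAMPLE_VHOST_BAD" || echo "bad sample: $? problem(s)"
```

Besides mod_ssl, these vhosts rely on mod_proxy, mod_proxy_http and mod_rewrite being enabled (a2enmod proxy proxy_http rewrite) and on both site files being enabled with a2ensite before the reload; `apache2ctl configtest` before `systemctl reload` catches syntax errors, but not the semantic problems this lint looks for.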
STEP 4 How can we administer this container?
Access the container
- Log into anarchaserver and then type the following (you need to be a user on this container to be able to log in with an ssh public key or the root account):
sudo lxc-console -n transitional
- To access the container without an account in it:
sudo lxc-attach -n transitional
Install and update things in the container
Once logged in:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install iputils-ping