LXC: une virtualisation de type isolateur.


#############################################################################
CRÉATION D'UN CONTAINER LXC sur une machine hôte (munie de la distribution Voyager, basée sur Xubuntu)
#############################################################################

+++++++++++++++++++++++++++++++
 Pré-requis pour LXC
 +++++++++++++++++++++++++++++++

Installer les paquets suivants sur la machine hôte (votre machine), en root ou via sudo :

apt-get install bridge-utils lxc debootstrap

 

+++++++++++++++++++++++++++++++++++++++++++++++++++++
Installation du template d’une machine Debian Wheezy
+++++++++++++++++++++++++++++++++++++++++++++++++++++

[root@mamachine]# lxc-create -t download -n serveur1 -- --dist debian --release wheezy --arch amd64
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created a Debian container (release=wheezy, arch=amd64, variant=default)
The default root password is: root
[root@mamachine]#

 

Editer le fichier de conf pour serveur1:
Exemple de fichier : /var/lib/lxc/serveur1/config

ATTENTION:
– 192.168.1.12 est l’adresse choisie ici pour le container serveur1.
Il faut l’adapter en fonction de la plage réseau où l’on se situe.

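# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist debian --release wheezy --arch amd64
# For additional config options, please look at lxc.conf(5)
#
# NOTE(review): there is no lxc.id_map in this file, so this is a privileged
# container: uid 0 inside the container is uid 0 on the host. Every device node
# and capability granted below is granted to host-root-equivalent code; keep
# the whitelist minimal and prefer an unprivileged container where possible.

# Distribution configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.arch = x86_64

# Container specific configuration
lxc.rootfs = /var/lib/lxc/serveur1/rootfs
lxc.utsname = serveur1
# Auto start container at boot (0 for disable)
lxc.start.auto = 0
# Wait time (seconds) before starting the next container
lxc.start.delay = 5

# Container TTY
lxc.tty = 4

# Enable FSTAB: the bind mounts listed in that file are applied at start
lxc.mount = /var/lib/lxc/serveur1/fstab

## Capabilities
# The second example config on this page drops CAP_SYS_ADMIN; enable it here
# too once you have checked that the container's init still boots cleanly
# without it (mounts listed in lxc.mount are done by lxc-start beforehand).
#lxc.cap.drop = sys_admin

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
# NOTE(review): the host's /etc/network/interfaces on this page creates br0 and
# routes 192.168.1.12 via br0, while lxcbr0 is the default lxc-net bridge
# (10.0.3.0/24). Confirm which bridge the veth must attach to.
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:e1:c3:fa
# Address chosen for serveur1; adapt it to your network range.
lxc.network.ipv4 = 192.168.1.12

## Limits
#lxc.cgroup.cpu.shares                  = 1024
#lxc.cgroup.cpuset.cpus                 = 0
#lxc.cgroup.memory.limit_in_bytes       = 256M
#lxc.cgroup.memory.memsw.limit_in_bytes = 1G

## Devices: deny everything first, then whitelist (order matters).
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m

# /dev/null and /dev/zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm

# consoles (/dev/console, /dev/tty)
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm

# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# pseudo-terminals (/dev/pts/*, /dev/ptmx)
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm

# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

# /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm

# The nodes below were whitelisted in the original file, but nothing on this
# page uses them and the second example config does without them. Each one
# exposes a host kernel subsystem (FUSE, TUN/TAP, HPET, KVM) to container root;
# uncomment only for a workload that actually needs it.
#fuse
#lxc.cgroup.devices.allow = c 10:229 rwm

#tun
#lxc.cgroup.devices.allow = c 10:200 rwm

#hpet
#lxc.cgroup.devices.allow = c 10:228 rwm

#kvm
#lxc.cgroup.devices.allow = c 10:232 rwm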

Sur la machine hôte, créer le répertoire de partage entre la machine hôte et le container serveur1 (/data/lxc_share/serveur1):

mkdir -p /data/lxc_share/serveur1

Puis…configurer le fichier /var/lib/lxc/serveur1/fstab

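# Bind-mount the host share /data/lxc_share/serveur1 onto /mnt inside serveur1.
# nosuid,nodev replace "defaults": in a privileged container, container root is
# host root, so a setuid binary or a device node dropped into the share must not
# be usable with elevated rights from either side. Add noexec as well if the
# share only carries data.
/data/lxc_share/serveur1      /var/lib/lxc/serveur1/rootfs/mnt      none    bind,nosuid,nodev   0       0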

Configurer le fichier « interfaces » du conteneur serveur1 (/var/lib/lxc/serveur1/rootfs/etc/network/interfaces)
ATTENTION:
– 192.168.1.12 c’est l’adresse de notre container serveur1 (en fonction de la plage réseau où on se trouve !)
– 192.168.22.11 c’est l’adresse de notre machine hôte (en fonction de la plage réseau où on se trouve !)

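# /etc/network/interfaces of the container serveur1.
# The stray "iface eth0 inet dhcp" stanza that preceded the static one was
# removed: ifupdown (0.7+) applies every stanza defined for eth0, so the
# container would first try DHCP (and wait for a lease) before using the
# static address below.

auto lo
iface lo inet loopback

#auto eth0
#iface eth0 inet dhcp

# 192.168.1.12: address of this container (adapt to your network range).
# 192.168.22.11: address of the host, reachable as a point-to-point peer and
# used as default gateway. The host side needs a /32 route back to
# 192.168.1.12 and IP forwarding enabled.
auto eth0
iface eth0 inet static
address 192.168.1.12
netmask 255.255.255.255
pointopoint 192.168.22.11
gateway 192.168.22.11
#
# NOTE(review): "gateway" above already installs the default route through
# 192.168.22.11; this line repeats it and may fail with "File exists".
# Drop it if ifup reports an error on this command.
up route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.22.11 dev eth0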

Configurer le fichier « /etc/network/interfaces » de l’hôte

ATTENTION: Nous allons ici fixer l’adresse IP de l’hôte.
Si vous changez de réseau, ne pas oublier d’adapter ce fichier à votre réseau !

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The host's fixed address lives on the bridge br0 (eth0 is enslaved to it);
# eth0 itself carries no address. Adapt 192.168.22.x to your network.

#auto eth0
#iface eth0 inet static

# the bridge br0
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
#bridge_stp off
#bridge_maxwait 0
address 192.168.22.11
netmask 255.255.255.0
gateway 192.168.22.1

# NOTE(review): with bridge-utils installed (see the prerequisites), the
# "bridge_ports eth0" line above already creates br0 and enslaves eth0 at
# pre-up; the manual brctl commands below repeat that work. Confirm they are
# still needed before keeping them.
pre-up /sbin/ip link set eth0 up
pre-up /sbin/brctl addbr br0
pre-up /sbin/brctl addif br0 eth0
pre-down /sbin/brctl delif br0 eth0
pre-down /sbin/brctl delbr br0 eth0
pre-down /sbin/ip link set eth0 down
post-down /sbin/brctl delbr br0

# One /32 host route per container. The containers use this host as their
# point-to-point gateway, so the host must also forward IP
# (net.ipv4.ip_forward=1 -- not set anywhere on this page; check sysctl).
# LXC container 1
up route add -host 192.168.1.12 dev br0
# LXC container 2
up route add -host 192.168.22.13 dev br0

# LXC apply iptables rules
# iptables-restore replaces every table listed in the file (nat and filter in
# /etc/iptables.uprules): rules loaded by anything else are lost each time br0
# comes up. Use "iptables-restore -n" if other rules must survive.
pre-up iptables-restore < /etc/iptables.uprules
post-down iptables-restore < /etc/iptables.downrules

# The loopback network interface
auto lo
iface lo inet loopback

Configurer les fichiers /etc/iptables.uprules et /etc/iptables.downrules sur la machine hôte

uprules

# Generated by iptables-save v1.4.14 on Tue Jun 10 13:53:21 2014
# Loaded at pre-up of br0 (see the host's /etc/network/interfaces).
# Only NAT is configured: container traffic leaving the host through br0 is
# masqueraded behind the host's address.
# The [packets:bytes] counters are ignored unless iptables-restore -c is used.
*nat
:PREROUTING ACCEPT [10:576]
:INPUT ACCEPT [2:132]
:OUTPUT ACCEPT [1:116]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT
# Completed on Tue Jun 10 13:53:21 2014
# Generated by iptables-save v1.4.14 on Tue Jun 10 13:53:21 2014
# NOTE(review): the filter table has ACCEPT policies and no rules, so the host
# forwards anything between the containers and the network in both directions.
# Add FORWARD rules (e.g. allow established traffic plus the ports the
# containers must serve, drop the rest) before exposing this host.
*filter
:INPUT ACCEPT [1393:104490]
:FORWARD ACCEPT [585:24722]
:OUTPUT ACCEPT [903:141187]
COMMIT
# Completed on Tue Jun 10 13:53:21 2014

downrules

# Generated by iptables-save v1.4.14 on Tue Jun 10 13:57:21 2014
# Loaded at post-down of br0 (see the host's /etc/network/interfaces).
# Every table here is empty with ACCEPT policies: restoring it removes the
# MASQUERADE rule from the uprules file and leaves the host with no filtering
# at all, which is also the state the uprules file starts from.
# The [packets:bytes] counters are ignored unless iptables-restore -c is used.
*mangle
:PREROUTING ACCEPT [175:10994]
:INPUT ACCEPT [112:8348]
:FORWARD ACCEPT [62:2614]
:OUTPUT ACCEPT [62:7150]
:POSTROUTING ACCEPT [122:9561]
COMMIT
# Completed on Tue Jun 10 13:57:21 2014
# Generated by iptables-save v1.4.14 on Tue Jun 10 13:57:21 2014
*nat
:PREROUTING ACCEPT [3:179]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:147]
COMMIT
# Completed on Tue Jun 10 13:57:21 2014
# Generated by iptables-save v1.4.14 on Tue Jun 10 13:57:21 2014
*filter
:INPUT ACCEPT [112:8348]
:FORWARD ACCEPT [62:2614]
:OUTPUT ACCEPT [60:6947]
COMMIT
# Completed on Tue Jun 10 13:57:21 2014

Démarrer le conteneur (lxc-start, voir ci-dessous) puis se connecter à sa console. Le mot de passe root par défaut de l’image est « root » (voir la sortie de lxc-create) : le changer avec `passwd` dès la première connexion.

[root@mamachine]# lxc-console -n serveur1 -t 1

Démarrage du conteneur en arrière-plan (-d) avec un journal de débogage (-l debug -o <fichier>) ; à lancer avant lxc-console :

[root@mamachine]# lxc-start -n serveur1 -l debug -o serveur1.debug.log -d

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself


Debian GNU/Linux 7 serveur1 tty1

serveur1 login:root
Password:
Last login: Fri Jun  6 20:33:10 UTC 2014 on tty3
Linux serveur1 3.13.0-27-generic #50-Ubuntu SMP Thu May 15 18:06:16 UTC 2014 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@serveur1:~#

Se déconnecter de la console du container

Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

 

+++++++++++++++++++++
 Clone your container
+++++++++++++++++++++

lxc-clone -o serveur1 -n tikok_lemp_server

 

 

+++++++++++++++++++++
Delete your container
+++++++++++++++++++++

lxc-destroy -n tikok_lemp_server

 

++++++++++++++++++++++++++++++++++
Script iptables en cas de nat
 ++++++++++++++++++++++++++++++++++

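#!/usr/bin/env bash
# Expose the container's web ports through the host's Wi-Fi interface.
#  - SNAT: traffic leaving through the WAN interface is rewritten to the host's
#    address, so the container (behind the host) can reach the outside;
#  - DNAT: incoming TCP 80/443 on the WAN interface are forwarded to the
#    container.
# Must run as root and needs IP forwarding on the host (net.ipv4.ip_forward=1).
# The FORWARD chain on this page has policy ACCEPT, so nothing else restricts
# these flows; add FORWARD rules if the filter policy is ever tightened.
# NOTE(review): rules are appended (-A) on every run, so running the script
# twice duplicates them; flush the nat table first if you need to re-apply.
#
# Addresses can be overridden through the environment; the defaults are the
# ones used on this page.
set -eu

host_ip=${HOST_IP:-192.168.1.80}             # host address on the WAN side
container_ip=${CONTAINER_IP:-192.168.22.11}  # container address
wan_if=${WAN_IF:-wlan0}                      # interface facing the outside

if [[ $EUID -ne 0 ]]; then
  printf 'this script must run as root\n' >&2
  exit 1
fi

iptables -t nat -A POSTROUTING -o "$wan_if" -j SNAT --to-source "$host_ip"
iptables -t nat -A PREROUTING -p tcp --dport 80 -i "$wan_if" -j DNAT --to-destination "${container_ip}:80"
iptables -t nat -A PREROUTING -p tcp --dport 443 -i "$wan_if" -j DNAT --to-destination "${container_ip}:443"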

192.168.1.80 = adresse IP de l’hôte (côté wlan0)
192.168.22.11 = adresse IP du container
Attention : dans les sections précédentes, 192.168.22.11 désignait l’hôte ; il s’agit ici d’un autre plan d’adressage, à adapter au vôtre.

 

 

++++++++++++++++++
Autre  exemple de config
++++++++++++++++++

Notes: Pour que le container puisse communiquer vers l’extérieur, il ne faut pas oublier de mettre l’@ip avec
le masque (10.0.3.12/16) ainsi que la gateway (10.0.3.1)

# Network: veth attached to lxcbr0, the default lxc-net bridge.
# NOTE(review): lxc-net normally configures lxcbr0 as 10.0.3.0/24; the /16
# below is wider than that and should be checked against the bridge's own
# address.
lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up
lxc.network.hwaddr = 00:17:3f:20:54:5f
lxc.network.ipv4 = 10.0.3.12/16
lxc.network.ipv4.gateway = 10.0.3.1
# /var/lib/lxc/zoreil/config
# No lxc.id_map: this is a privileged container (container root = host root),
# which is why the capability and device restrictions below matter.

## Container
lxc.utsname                             = zoreil
lxc.rootfs                              = /var/lib/lxc/zoreil/rootfs
lxc.tty                                 = 4
lxc.pts                                 = 1024

#lxc.console                            = /var/log/lxc/zoreil.console

## Capabilities
# Drop CAP_SYS_ADMIN inside the container (no mount, no most namespace/
# sysadmin operations). The mounts declared in lxc.mount.entry below are set
# up by lxc-start before capabilities are dropped.
lxc.cap.drop                            = sys_admin

# uncomment the next line to run the container unconfined:
# (this removes the AppArmor confinement entirely -- leave it commented on any
# host that is not a throwaway)
#lxc.aa_profile = unconfined

## Devices
# Whitelist model: deny every device, then allow only the nodes listed.
# Keep "allow = a" commented; it would hand every host device to container root.
#lxc.cgroup.devices.allow               = a
lxc.cgroup.devices.deny                 = a
# /dev/null
lxc.cgroup.devices.allow                = c 1:3 rwm
# /dev/zero
lxc.cgroup.devices.allow                = c 1:5 rwm
# /dev/tty[1-4] consoles
lxc.cgroup.devices.allow                = c 5:1 rwm
lxc.cgroup.devices.allow                = c 5:0 rwm
lxc.cgroup.devices.allow                = c 4:0 rwm
lxc.cgroup.devices.allow                = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow                = c 1:9 rwm
lxc.cgroup.devices.allow                = c 1:8 rwm
# pseudo-terminals (/dev/pts/*, /dev/ptmx)
lxc.cgroup.devices.allow                = c 136:* rwm
lxc.cgroup.devices.allow                = c 5:2 rwm
# /dev/rtc
lxc.cgroup.devices.allow                = c 254:0 rwm

## Limits
#lxc.cgroup.cpu.shares                  = 1024
#lxc.cgroup.cpuset.cpus                 = 0
#lxc.cgroup.memory.limit_in_bytes       = 256M
#lxc.cgroup.memory.memsw.limit_in_bytes = 1G

## Filesystem
# /proc without device nodes, setuid or executables; /sys read-only so the
# container cannot poke host kernel knobs through sysfs.
lxc.mount.entry                         = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry                         = sysfs sys sysfs defaults,ro 0 0
# Example bind mount of a host directory (paths relative to the rootfs);
# consider nosuid,nodev on such shares, as for the serveur1 fstab above.
#lxc.mount.entry                        = /srv/zoreil srv/zoreil none defaults,bind 0 0

# Added by lxc postinst, migration of autostart flag
lxc.start.auto = 0

 

