#############################################################################
CRÉATION D’UN CONTAINER LXC sur une machine hôte (munie de la distribution Voyager (Xubuntu))
#############################################################################
+++++++++++++++++++++++++++++++
Pré-requis pour LXC
+++++++++++++++++++++++++++++++
Installer les paquets suivants sur la machine hôte (votre machine) :
apt-get install bridge-utils lxc debootstrap
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Installation du template d’une machine Debian Wheezy
+++++++++++++++++++++++++++++++++++++++++++++++++++++
[root@mamachine]# lxc-create -t download -n serveur1 -- --dist debian --release wheezy --arch amd64
Setting up the GPG keyring
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs
---
You just created a Debian container (release=wheezy, arch=amd64, variant=default)
The default root password is: root
[root@mamachine]#
Editer le fichier de conf pour serveur1:
Exemple de fichier : /var/lib/lxc/serveur1/config
ATTENTION:
– 192.168.1.12 est l’adresse choisie ici pour le container serveur1.
Il faut l’adapter en fonction de la plage réseau où l’on se situe.
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist debian --release wheezy --arch amd64
# For additional config options, please look at lxc.conf(5)

# Distribution configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.arch = x86_64

# Container specific configuration
lxc.rootfs = /var/lib/lxc/serveur1/rootfs
lxc.utsname = serveur1

# Auto start container at boot (0 for disable)
lxc.start.auto = 0
# Wait time (seconde) to start next container
lxc.start.delay = 5

# Container TTY
lxc.tty = 4

# Enable FSTAB
lxc.mount = /var/lib/lxc/serveur1/fstab
# ...or just mount a directory:

# Network configuration
# NOTE(review): the veth is attached to lxcbr0 here, while the host's
# /etc/network/interfaces in this guide adds the route for 192.168.1.12 on
# br0 — confirm which bridge the container is meant to sit on.
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:e1:c3:fa
# Address given without a prefix length or gateway; the note at the end of
# this guide adds both (a.b.c.d/NN plus lxc.network.ipv4.gateway) so the
# container can reach beyond its own link.
lxc.network.ipv4 = 192.168.1.12

## Limits
#lxc.cgroup.cpu.shares = 1024
#lxc.cgroup.cpuset.cpus = 0
#lxc.cgroup.memory.limit_in_bytes = 256M
#lxc.cgroup.memory.memsw.limit_in_bytes = 1G

## Devices
# Default-deny followed by an allow-list. Every "allow" below is active unless
# the line itself starts with '#'; the one-word comments further down (#fuse,
# #tun, ...) are labels, not disabled rules.
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# The five labelled entries below (fuse, tun, full, hpet, kvm) are active
# allows. A container that does not use them (a plain web server is unlikely
# to) should have them commented out to shrink the kernel surface it can reach.
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
#full
lxc.cgroup.devices.allow = c 1:7 rwm
#hpet
lxc.cgroup.devices.allow = c 10:228 rwm
#kvm
lxc.cgroup.devices.allow = c 10:232 rwm
Sur la machine hôte, créer le répertoire de partage entre la machine hôte et le container serveur1 (/data/lxc_share/serveur1):
mkdir -p /data/lxc_share/serveur1
Puis configurer le fichier /var/lib/lxc/serveur1/fstab :
# Bind-mount the host share /data/lxc_share/serveur1 onto /mnt inside the
# container. "defaults" leaves it read-write: anything the container writes
# lands directly on the host filesystem. If the container only needs to read
# the share, add "ro" to the options (and confirm the flag is honoured on the
# bind mount once the container is started).
/data/lxc_share/serveur1 /var/lib/lxc/serveur1/rootfs/mnt none defaults,bind 0 0
Configurer le fichier « interfaces » du conteneur serveur1 (/var/lib/lxc/serveur1/rootfs/etc/network/interfaces)
ATTENTION:
– 192.168.1.12 c’est l’adresse de notre container serveur1 (en fonction de la plage réseau où on se trouve !)
– 192.168.22.11 c’est l’adresse de notre machine hôte (en fonction de la plage réseau où on se trouve !)
# /var/lib/lxc/serveur1/rootfs/etc/network/interfaces
# NOTE(review): eth0 is declared twice below — a "dhcp" stanza first and a
# "static" one after "auto eth0". Keep only the static one; which stanza
# ifupdown honours when both are present should not be relied upon.
iface eth0 inet dhcp
iface lo inet loopback
#auto eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
    # /32 netmask: the container is not on the host's 192.168.22.0/24 segment,
    # so all traffic goes point-to-point to the host at 192.168.22.11, which
    # also serves as the gateway. Adjust both addresses to the local network.
    address 192.168.1.12
    netmask 255.255.255.255
    pointopoint 192.168.22.11
    gateway 192.168.22.11
    # up route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.22.11 dev eth0
Configurer le fichier « /etc/network/interfaces » de l’hôte
ATTENTION: Nous allons ici fixer l’adresse IP de l’hôte.
Si vous changez de réseau, ne pas oublier d’adapter ce fichier à votre réseau !
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
#auto eth0
#iface eth0 inet static

# le bridge br0
# NOTE(review): with bridge-utils installed, "bridge_ports eth0" already
# creates br0 and enslaves eth0 through the ifupdown hook; the explicit
# brctl/ip pre-up and pre/post-down lines below repeat that work — confirm
# they do not fail with "already exists" when the interface comes up.
auto br0
iface br0 inet static
    bridge_ports eth0
    bridge_fd 0
    #bridge_stp off
    #bridge_maxwait 0
    # Static host address; change these three lines when moving to another LAN.
    address 192.168.22.11
    netmask 255.255.255.0
    gateway 192.168.22.1
    pre-up /sbin/ip link set eth0 up
    pre-up /sbin/brctl addbr br0
    pre-up /sbin/brctl addif br0 eth0
    pre-down /sbin/brctl delif br0 eth0
    pre-down /sbin/ip link set eth0 down
    post-down /sbin/brctl delbr br0
    # LXC container 1
    # 192.168.1.12 lies outside br0's 192.168.22.0/24, so it needs an explicit
    # host route on the bridge.
    up route add -host 192.168.1.12 dev br0
    # LXC container 2
    # 192.168.22.13 is already on-link via br0's /24; this route appears
    # redundant — harmless, but confirm before relying on it.
    up route add -host 192.168.22.13 dev br0
    # LXC apply iptables rules
    # The "up" rule set is loaded before the bridge comes up and replaced by
    # the "down" set after it goes down; both files live on the host.
    pre-up iptables-restore < /etc/iptables.uprules
    post-down iptables-restore < /etc/iptables.downrules

auto lo
iface lo inet loopback
Configurer les fichiers /etc/iptables.uprules et /etc/iptables.downrules sur la machine hôte
uprules
# Generated by iptables-save v1.4.14 on Tue Jun 10 13:53:21 2014
# Bracketed values are the [packets:bytes] counters recorded at save time;
# iptables-restore ignores them unless run with -c.
*nat
:PREROUTING ACCEPT [10:576]
:INPUT ACCEPT [2:132]
:OUTPUT ACCEPT [1:116]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source address of everything leaving on br0 to the bridge's own
# address. Since br0 carries eth0 in this setup, br0 is the host's uplink.
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT
# Completed on Tue Jun 10 13:53:21 2014
# Generated by iptables-save v1.4.14 on Tue Jun 10 13:53:21 2014
*filter
# All three policies are ACCEPT and no rules follow: the host forwards any
# traffic it routes (including traffic from the containers) unfiltered, and
# accepts every inbound connection to itself. Restrict FORWARD to the
# container addresses/ports actually needed and tighten INPUT before exposing
# this host to an untrusted network.
:INPUT ACCEPT [1393:104490]
:FORWARD ACCEPT [585:24722]
:OUTPUT ACCEPT [903:141187]
COMMIT
# Completed on Tue Jun 10 13:53:21 2014
downrules
# Generated by iptables-save v1.4.14 on Tue Jun 10 13:57:21 2014
# "Down" state loaded after br0 goes down: every table is policy ACCEPT with
# no rules, so no NAT is performed and nothing is filtered. Bracketed values
# are [packets:bytes] counters from save time and are ignored on restore.
*mangle
:PREROUTING ACCEPT [175:10994]
:INPUT ACCEPT [112:8348]
:FORWARD ACCEPT [62:2614]
:OUTPUT ACCEPT [62:7150]
:POSTROUTING ACCEPT [122:9561]
COMMIT
# Completed on Tue Jun 10 13:57:21 2014
# Generated by iptables-save v1.4.14 on Tue Jun 10 13:57:21 2014
*nat
:PREROUTING ACCEPT [3:179]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2:147]
COMMIT
# Completed on Tue Jun 10 13:57:21 2014
# Generated by iptables-save v1.4.14 on Tue Jun 10 13:57:21 2014
*filter
:INPUT ACCEPT [112:8348]
:FORWARD ACCEPT [62:2614]
:OUTPUT ACCEPT [60:6947]
COMMIT
# Completed on Tue Jun 10 13:57:21 2014
Démarrer le conteneur et se connecter (le mot de passe root par défaut, affiché par lxc-create, est « root » : le changer avec passwd dès la première connexion)
[root@mamachine]# lxc-console -n serveur1 -t 1
ou en mode debug
[root@mamachine]# lxc-start -n serveur1 -l debug -o serveur1.debug.log -d
Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
Debian GNU/Linux 7 serveur1 tty1
serveur1 login:root
Password:
Last login: Fri Jun 6 20:33:10 UTC 2014 on tty3
Linux serveur1 3.13.0-27-generic #50-Ubuntu SMP Thu May 15 18:06:16 UTC 2014 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@serveur1:~#
Se déconnecter de la console du container
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
+++++++++++++++++++++
Clone your container
+++++++++++++++++++++
lxc-clone -o serveur1 -n tikok_lemp_server
+++++++++++++++++++++
Delete your container
+++++++++++++++++++++
lxc-destroy -n tikok_lemp_server
++++++++++++++++++++++++++++++++++
Script iptables en cas de nat
++++++++++++++++++++++++++++++++++
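#!/bin/bash
# NAT helper for the LXC host: masquerade outbound traffic behind the host's
# uplink address and forward inbound HTTP/HTTPS from the uplink to the
# container. The addresses and interface can be overridden via the
# environment; the defaults are the values used in this guide:
#   WAN_IF        uplink interface on the host            (default: wlan0)
#   HOST_IP       host address on that interface          (default: 192.168.1.80)
#   CONTAINER_IP  container address to forward 80/443 to  (default: 192.168.22.11)
# Must run as root. Only TCP 80 and 443 are exposed; forwarding additionally
# needs net.ipv4.ip_forward=1 and a FORWARD chain that accepts the traffic.
set -euo pipefail

readonly WAN_IF="${WAN_IF:-wlan0}"
readonly HOST_IP="${HOST_IP:-192.168.1.80}"
readonly CONTAINER_IP="${CONTAINER_IP:-192.168.22.11}"

#######################################
# Append a nat-table rule unless an identical one already exists, so the
# script can be re-run (e.g. from an if-up hook) without stacking duplicates.
# Arguments: $1 - chain name; remaining args - the rule specification
# Returns:   iptables' exit status
#######################################
add_nat_rule() {
  local chain=$1
  shift
  # -C fails (and prints an error) when the rule is absent; that is the
  # expected path on first run, so its stderr is discarded.
  iptables -t nat -C "$chain" "$@" 2>/dev/null \
    || iptables -t nat -A "$chain" "$@"
}

# Outbound: rewrite the source of packets leaving on the uplink to the host IP.
add_nat_rule POSTROUTING -o "$WAN_IF" -j SNAT --to "$HOST_IP"

# Inbound: redirect TCP 80/443 arriving on the uplink to the container.
for port in 80 443; do
  add_nat_rule PREROUTING -p tcp --dport "$port" -i "$WAN_IF" \
    -j DNAT --to "${CONTAINER_IP}:${port}"
done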
192.168.1.80 = ip de l’hôte
192.168.22.11 = ip container
++++++++++++++++++
Autre exemple de config
++++++++++++++++++
Notes : pour que le container puisse communiquer vers l’extérieur, il ne faut pas oublier d’indiquer l’adresse IP avec
son masque (10.0.3.12/16) ainsi que la gateway (10.0.3.1).
## Network
# Address given with its prefix length and an explicit gateway, as the note
# above requires for traffic to leave the bridge.
# NOTE(review): lxc-net's default lxcbr0 subnet is 10.0.3.0/24; confirm the
# /16 here matches how lxcbr0 is actually configured on this host.
lxc.network.type=veth
lxc.network.link=lxcbr0
lxc.network.flags=up
lxc.network.hwaddr = 00:17:3f:20:54:5f
lxc.network.ipv4 = 10.0.3.12/16
lxc.network.ipv4.gateway = 10.0.3.1
# /var/lib/lxc/zoreil/config
## Container
lxc.utsname = zoreil
lxc.rootfs = /var/lib/lxc/zoreil/rootfs
lxc.tty = 4
lxc.pts = 1024
#lxc.console = /var/log/lxc/zoreil.console
## Capabilities
# CAP_SYS_ADMIN is dropped: root inside the container cannot mount filesystems
# or perform the other administrative operations gated by that capability.
lxc.cap.drop = sys_admin
# uncomment the next line to run the container unconfined:
# (this removes AppArmor confinement entirely — keep it commented unless a
# specific workload demonstrably needs it)
#lxc.aa_profile = unconfined
## Devices
# Default-deny, then an explicit allow-list; the blanket "allow = a" stays off.
#lxc.cgroup.devices.allow = a
lxc.cgroup.devices.deny = a
# /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
# /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/tty[1-4] consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# /dev/rtc
lxc.cgroup.devices.allow = c 254:0 rwm
## Limits
#lxc.cgroup.cpu.shares = 1024
#lxc.cgroup.cpuset.cpus = 0
#lxc.cgroup.memory.limit_in_bytes = 256M
#lxc.cgroup.memory.memsw.limit_in_bytes = 1G
## Filesystem
# /proc is mounted nodev,noexec,nosuid and /sys read-only, so the container
# cannot execute from or create device nodes under /proc, nor write to sysfs.
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults,ro 0 0
#lxc.mount.entry = /srv/zoreil srv/zoreil none defaults,bind 0 0
# Added by lxc postinst, migration of autostart flag
lxc.start.auto = 0