HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


CSsab 14th January 2011 09:09

LXC containers as VM's for ISPConfig 3 - First steps & quick start.
These steps work well on a Debian Lenny 5.0 container.
After logging into the container for the first time:

1. Type passwd and enter your new UNIX password.

2. Configure locales: dpkg-reconfigure locales
Select your language from the long list. NOTE: Should be in utf8 format and the default for the container.
Clear out your locales cache: apt-get install localepurge
Then run localepurge

3. Configure local time. VERY IMPORTANT if you want to avoid problems with syncing timestamped files later (yikes!). Do this: dpkg-reconfigure tzdata and select the correct timezone. Then run this:
diff -s /etc/localtime /usr/share/zoneinfo/`cat /etc/timezone`
These should be the same, and when you "poweroff" from the console you should see local time being correctly reported.

4. apt-get install vim-nox

5. Get a decent set of sources from here: include the "main", "security" and "volatile" repos.
vi /etc/apt/sources.list
Paste your new sources in and save.
apt-get update
apt-get upgrade

6. vi /etc/network/interfaces and set up a static ip for the container as you normally would.
/etc/init.d/networking restart
check the output of ifconfig - your network should reflect your changes.

7. vi /etc/hosts - write out the hosts file as you normally would - note that this will be a new file since the default container doesn't have a hosts file.
echo hostname.example.tld > /etc/hostname
/etc/init.d/ start

The output of hostname and hostname -f should now be hostname.example.tld

You should be good to go now with installing a base system for use in a multiserver setup although the master server (with quota installed) will still have to reside on the host server/physical machine unless you customize your fstab in the container.
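The timezone check from step 3, written as a function with an explicit root directory so it can be tried on a constructed tree as well as the live container. This is an added example, not code from the post; the Europe/Stockholm zone and the placeholder zone data are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the post: the step 3 check that /etc/localtime
# is the same zone file as the one named in /etc/timezone. Takes an optional
# root directory (default: the live system).
# Returns 0 when consistent, 1 on mismatch, 2 when a file is missing or odd.
tz_consistent() {
    root="${1:-}"
    tzfile="$root/etc/timezone"
    localtime="$root/etc/localtime"
    [ -r "$tzfile" ] || { echo "missing $tzfile"; return 2; }
    # Drop the trailing newline and stray whitespace from the zone name.
    zone=$(tr -d ' \t\r\n' < "$tzfile")
    # Refuse names that would point outside the zoneinfo tree.
    case "$zone" in ""|/*|*..*) echo "bad zone name '$zone'"; return 2 ;; esac
    zonefile="$root/usr/share/zoneinfo/$zone"
    [ -r "$zonefile" ] || { echo "no zoneinfo file for $zone"; return 2; }
    [ -r "$localtime" ] || { echo "missing $localtime"; return 2; }
    # cmp follows symlinks, so a symlinked /etc/localtime is handled too.
    if cmp -s "$localtime" "$zonefile"; then
        echo "OK: $localtime matches $zone"; return 0
    fi
    echo "MISMATCH: $localtime is not $zone"; return 1
}

# Build a constructed root where /etc/localtime is a copy of zone $1
# (the zone data is placeholder text, not real TZif files).
make_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr/share/zoneinfo/Europe"
    printf 'placeholder for Europe/Stockholm\n' > "$d/usr/share/zoneinfo/Europe/Stockholm"
    printf 'placeholder for UTC\n' > "$d/usr/share/zoneinfo/UTC"
    echo "Europe/Stockholm" > "$d/etc/timezone"
    cp "$d/usr/share/zoneinfo/$1" "$d/etc/localtime"
    echo "$d"
}

good=$(make_tree Europe/Stockholm); tz_consistent "$good"           # OK
bad=$(make_tree UTC); tz_consistent "$bad" || echo "(as expected)"  # MISMATCH
rm -rf "$good" "$bad"
```

Run it with no argument inside the container to check the real /etc/timezone and /etc/localtime.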

CSsab 20th January 2011 04:14

Additional base packages
I have found that installing the following packages right at the start is helpful later down the track:

apt-get install vim-nox rsyslog sudo ssh

rsyslog sets up the required mail.err and mail.warn logs in the /var/log directory.

cron is also installed as a dependency.

CSsab 23rd January 2011 10:50

Manage rkhunter warnings properly: Rkhunter in a LXC.
I was getting rkhunter warnings about the absence of the /lib/modules directory in a LXC running Debian 5.0 Lenny, so with a bit of skullduggery I simply created the directory /lib/modules.

Later when I started running Debian Sid (testing) containers the rkhunter warning went further to complain that /lib/modules was "either missing or empty" so I put a dummy-file in there and all is good for now.

vi /lib/modules
## This is a dummy file located /lib/modules in a LXC

I have found it better to deal with rkhunter on a fresh install of ISPConfig3 (or any system where it is installed) as follows:

1. Update rkhunter
root@lxchost:~# rkhunter --update
[ Rootkit Hunter version 1.3.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ updated ]
Checking file backdoorports.dat [ updated ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]

2. Run rkhunter to report warnings only
rkhunter -c --rwo

3. Deal with any warnings as you will.
For example:
vi /etc/rkhunter.conf
ALLOW_SSH_ROOT_USER=no (line 199)

4. Run a check again to make sure all spurious warnings have been dealt with.

5. When you are happy that all is well (and only then!) you can run a system wide acceptance of the changes you have made.
rkhunter --propupdate

6. You will still get warnings in the future about possible compromise. For example if I reconfigure debconf and decide to go with readline instead of dialogue inside a LXC, rkhunter will log the change and this is a good thing.

CSsab 27th January 2011 16:08

Portable ISPConfig 3 using an lxc container??
When formatting my hard drive on the host I thought I might format a couple of USB drives I had so that they would mount when I booted the system.

I gave one a mount point of /mail2
and the other a mount point of /web2

Additionally I gave them user and group quota.

Here are the fstab entries on the host.

# /mail2 was on /dev/sdc1 during installation
UUID=e86c7cd4-cf2c-4064-8c55-c2ae06d1b1b2 /mail2 ext4 rw,nosuid,usrquota,grpquota 0 2
# /web2 was on /dev/sdb1 during installation
UUID=a3bffff2-49bf-45cb-ba4e-1c0d35adfbad /web2 ext4 rw,nosuid,usrquota,grpquota 0 2

They have to be "rw" in order for debootstrap to write to them.

root@lxchost:/web2# ls
aquota.user lost+found

NOTE: I am using the latest templates from the lxc git which I name and copy into /usr/lib/lxc/templates (in this case I have called the template "lxc-debian-my")

chmod +x /usr/lib/lxc/templates/lxc-debian-my

/usr/lib/lxc/templates/lxc-debian-my -p /mail2

This downloads a Debian Squeeze minimal right into the flash drive.

root@lxchost:~# ls /var/lib/lxc/
db mail ns1 ns2 web

(There are my other containers already running in the multiserver setup)

To give the container an init script, so as not to crash the host:

ln -s /mail2 /var/lib/lxc/mail2

root@lxchost:~# ls /var/lib/lxc/
db mail mail2 ns1 ns2 web

There it is "mail2" ...

And now to start the container:

root@lxchost:~# lxc-start -n mail2 -d
root@lxchost:~# lxc-info -n mail2
'mail2' is RUNNING
root@lxchost:~# lxc-ps --name mail2 --forest
mail2 25493 ? 00:00:00 init
mail2 25709 ? 00:00:00 \_ dhclient3
mail2 25785 ? 00:00:00 \_ sshd
mail2 25802 pts/30 00:00:00 \_ getty
mail2 25803 pts/26 00:00:00 \_ getty
mail2 25804 pts/27 00:00:00 \_ getty
mail2 25805 pts/28 00:00:00 \_ getty
mail2 25806 pts/29 00:00:00 \_ getty

So the system is up and running and now to configure and install ISPConfig 3.

The next step might be to work out how to use quota inside the container - I can't figure it out and would appreciate help.

I'll be trying to plug this node into an ISPConfig install on a completely different system and see how that goes.
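A check for the host fstab entries this post depends on: each container drive must be mounted rw (debootstrap has to write to it) with usrquota and grpquota, and the poster also set nosuid. This is an added example, not code from the thread; the two UUID entries are copied from the post and the /web3 entry is constructed to show a failing case.

```shell
#!/bin/sh
# Added example, not from the thread: checks that the host's fstab entries for
# the container drives carry the options the post relies on: rw (debootstrap
# must write to them), usrquota and grpquota, and nosuid as the poster set.
# Usage: fstab_check FSTAB MOUNTPOINT...   exit status 1 if anything is missing.
fstab_check() {
    fstab="$1"; shift
    rc=0
    for mp in "$@"; do
        # Field 2 is the mount point, field 4 the options; skip comment lines.
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mp: no active fstab entry"; rc=1; continue
        fi
        have="$opts"
        # "defaults" implies rw, so count it as such before checking.
        case ",$opts," in *",defaults,"*) opts="$opts,rw" ;; esac
        for req in rw usrquota grpquota nosuid; do
            case ",$opts," in
                *",$req,"*) ;;
                *) echo "$mp: option '$req' missing (have: $have)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed fstab: the two entries from the post plus one without quota.
demo_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /mail2 was on /dev/sdc1 during installation
UUID=e86c7cd4-cf2c-4064-8c55-c2ae06d1b1b2 /mail2 ext4 rw,nosuid,usrquota,grpquota 0 2
# /web2 was on /dev/sdb1 during installation
UUID=a3bffff2-49bf-45cb-ba4e-1c0d35adfbad /web2 ext4 rw,nosuid,usrquota,grpquota 0 2
# constructed third drive, mounted with defaults only
/dev/sdd1 /web3 ext4 defaults 0 2
EOF
    echo "$f"
}

f=$(demo_fstab)
fstab_check "$f" /mail2 /web2 && echo "quota drives look right"
fstab_check "$f" /web3 || echo "/web3 would not work for this setup"
rm -f "$f"
```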

till 27th January 2011 16:14

Is there any special reason why you use lxc and not openvz? I checked lxc a few months ago and as far as I have seen, lxc has no quota support yet and no advanced vm limits. LXC seemed not to be mature enough for a real deployment, so I use openvz as the container system on my servers and it works great.

CSsab 27th January 2011 16:35

lxc is my first experience with virtualisation and I do hear that it does have quota support - I just don't know how yet. They are very fast systems - easy to make and destroy (ultra lightweight).

As to openvz I read that it is very good and see a lot of people use it but I have not tried it.

To answer your question properly I think it is just a matter of preference for me.

This from control panel on host:

Filesystem Type Size Used Available Use% Mounted on
/dev/sda3 ext4 74G 6.3G 64G 9% /
none devtmpfs 998M 240K 997M 1% /dev
none tmpfs 1005M 0 1005M 0% /dev/shm
none tmpfs 1005M 72K 1005M 1% /var/run
none tmpfs 1005M 0 1005M 0% /var/lock
/dev/sdb1 ext4 3.7G 72M 3.5G 3% /web2
/dev/sdc1 ext4 3.7G 282M 3.3G 8% /mail2
/dev/sda1 ext4 472M 48M 400M 11% /boot

This from the database node:

Filesystem Type Size Used Available Use% Mounted on
tmpfs tmpfs 1005M 0 1005M 0% /lib/init/rw
tmpfs tmpfs 1005M 0 1005M 0% /dev/shm
rootfs rootfs 74G 6.3G 64G 9% /

I realise this is not the way to go for production servers yet but I think there is potential there.

letic 7th February 2011 17:14


Originally Posted by CSsab (Post 249329)
Later when I started running Debian Sid (testing) containers the rkhunter warning went further to complain that /lib/modules was "either missing or empty" so I put a dummy-file in there and all is good for now.

vi /lib/modules
## This is a dummy file located /lib/modules in a LXC

A better solution is to disable the "os_specific" test in /etc/rkhunter.conf

See:

On Linux, os_specific runs 2 tests:
- check which modules are loaded
- check modules on the disk

As you have neither in a container you can safely disable this test.

Hope this helps
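The two rkhunter.conf changes this thread arrives at (ALLOW_SSH_ROOT_USER=no from CSsab's step 3, and os_specific added to DISABLE_TESTS as letic suggests for containers) applied in one idempotent function. This is an added example, not code from the thread; the config excerpt it edits is constructed, and DISABLE_TESTS is assumed to take a quoted space-separated list, as it does in the stock rkhunter.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: applies the two rkhunter.conf
# changes discussed above to the file named in $1 and leaves the rest alone:
#   ALLOW_SSH_ROOT_USER=no             (CSsab's step 3)
#   os_specific added to DISABLE_TESTS (letic's container suggestion)
# Commented-out lines are untouched, missing keys are appended, and running
# it a second time changes nothing.
rkhunter_tune() {
    conf="$1"
    tmp=$(mktemp) || return 1
    awk '
        /^[[:space:]]*ALLOW_SSH_ROOT_USER=/ { print "ALLOW_SSH_ROOT_USER=no"; seen_ssh = 1; next }
        /^[[:space:]]*DISABLE_TESTS=/ {
            val = $0; sub(/^[^=]*=/, "", val); gsub(/"/, "", val)
            if (val !~ /(^|[[:space:]])os_specific([[:space:]]|$)/)
                val = (val == "" ? "os_specific" : val " os_specific")
            print "DISABLE_TESTS=\"" val "\""; seen_dis = 1; next
        }
        { print }
        END {
            if (!seen_ssh) print "ALLOW_SSH_ROOT_USER=no"
            if (!seen_dis) print "DISABLE_TESTS=\"os_specific\""
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back instead of mv so the config keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Read one key's value (quotes stripped): conf_get FILE KEY
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v }' "$1"
}

# Constructed excerpt standing in for /etc/rkhunter.conf; prints its path.
demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed rkhunter.conf excerpt for this example
ALLOW_SSH_ROOT_USER=yes
#DISABLE_TESTS="apps"
DISABLE_TESTS="suspscan hidden_procs"
EOF
    echo "$f"
}
f=$(demo_conf)
rkhunter_tune "$f"
echo "DISABLE_TESTS is now: $(conf_get "$f" DISABLE_TESTS)"   # suspscan hidden_procs os_specific
rm -f "$f"
```

Run rkhunter -c --rwo again after the change and then rkhunter --propupdate, as the earlier post describes, so the new baseline is recorded deliberately.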
