LXC containers as VM's for ISPConfig 3 - First steps & quick start.

Discussion in 'Tips/Tricks/Mods' started by CSsab, Jan 14, 2011.

  1. CSsab

    CSsab New Member

    These steps work well on a Debian Lenny 5.0 container.
    After logging into the container for the first time:

    1. Type passwd and enter your new UNIX password.

    2. Configure locales: dpkg-reconfigure locales Select your language from the long list. NOTE: Should be in utf8 format and the default for the container.
    Clear out your locales cache: apt-get install localepurge
    Then run localepurge

    3. Configure local time. VERY IMPORTANT if you want to avoid problems with syncing timestamped files later (yikes!). Do this: dpkg-reconfigure tzdata and select correct timezone. Then run this diff -s /etc/localtime /usr/share/zoneinfo/`cat /etc/timezone` .. these should be the same and when you "poweroff" from the console you should see local time being correctly reported.

    4. apt-get install vim-nox

    5. Get a decent set of sources from here: http://debgen.simplylinux.ch/ -include "main", "security" and "volatile" repos.
    vi /etc/apt/sources.list
    Paste your new sources in and save.
    apt-get update
    apt-get upgrade

    6. vi /etc/network/interfaces and set up a static ip for the container as you normally would.
    /etc/init.d/networking restart
    check the output of ifconfig - your network should reflect your changes.

    7. vi /etc/hosts - write out the hosts file as you normally would - note that this will be a new file since the default container doesn't have a hosts file.
    echo hostname.example.tld > /etc/hostname
    /etc/init.d/hostname.sh start

    The output of hostname and hostname -f should now be hostname.example.tld

    You should be good to go now with installing a base system for use in a multiserver setup although the master server (with quota installed) will still have to reside on the host server/physical machine unless you customize your fstab in the container.
  2. CSsab

    CSsab New Member

    Additional base packages

    I have found that installing the following packages right at the start is helpful later down the track:

    apt-get install vim-nox rsyslog sudo ssh

    rsyslog sets up the required mail.err and mail.warn logs in /var/log directory

    cron is also installed as a depend.
    Last edited: Jan 20, 2011
  3. CSsab

    CSsab New Member

    Manage rkhunter warnings properly: Rkhunter in a LXC.

    I was getting rkhunter warnings about the absence of /lib/modules directory in a LXC running Debian 5.0 Lenny so with a bit of skulldugery I simply created the directory /lib/modules.

    Later when I started running Debian Sid (testing) containers the rkhunter warning went further to complain that /lib/modules was "either missing or empty" so I put a dummy-file in there and all is good for now.

    vi /lib/modules
    ## This is a dummy file located /lib/modules in a LXC

    I have found it better to deal with rkhunter on a fresh install of ISPConfig3 or any system where it is installed) as follows:

    1. Update rkhunter
    [email protected]:~# rkhunter --update
    [ Rootkit Hunter version 1.3.6 ]

    Checking rkhunter data files...
    Checking file mirrors.dat [ No update ]
    Checking file programs_bad.dat [ updated ]
    Checking file backdoorports.dat [ updated ]
    Checking file suspscan.dat [ No update ]
    Checking file i18n/cn [ No update ]
    Checking file i18n/de [ No update ]
    Checking file i18n/en [ No update ]
    Checking file i18n/zh [ No update ]
    Checking file i18n/zh.utf8 [ No update ]

    2. Run rkhunter to report warnings only
    rkhunter -c --rwo

    3. Deal with any warnings as you will.
    For example:
    vi /etc/rkhunter.conf
    ALLOW_SSH_ROOT_USER=no (line 199)

    4. Run a check again to make sure all spurious warnings have been dealt with.

    5. When you are happy that all is well (and only then!) you can run a system wide acceptance of the changes you have made.
    rkhunter --propupdate

    6. You will still get warnings in the future about possible compromise. For example if I reconfigure debconf and decide to go with readline instead of dialogue inside a LXC, rkhunter will log the change and this is a good thing.
  4. CSsab

    CSsab New Member

    Portable ISPConfig 3 using an lxc container??

    When formatting my hard drive on the host I thought I might format a couple of USB drives I had so that they would mount when I booted the system.

    I gave one a mount point of /mail2
    and the other a mount point of /web2

    Additionally I gave them user and group quota.

    Here are the fstab entries on the host.

    # /mail2 was on /dev/sdc1 during installation
    UUID=e86c7cd4-cf2c-4064-8c55-c2ae06d1b1b2 /mail2 ext4 rw,nosuid,usrquota,grpquota 0 2
    # /web2 was on /dev/sdb1 during installation
    UUID=a3bffff2-49bf-45cb-ba4e-1c0d35adfbad /web2 ext4 rw,nosuid,usrquota,grpquota 0 2

    They have to be "rw" in order for debootstrap to write to them.

    [email protected]:/web2# ls
    aquota.group aquota.user lost+found

    NOTE: I am using the latest templates from the lxc git which I name and copy into /usr/lib/lxc/templates (in this case I have called the template "lxc-debian-my")

    chmod +x /usr/lib/lxc/templates/lxc-debian-my

    /usr/lib/lxc/templates/lxc-debian-my -p /mail2

    This downloads a Debian Squeeze minimal right into the flash drive.

    [email protected]:~# ls /var/lib/lxc/
    db mail ns1 ns2 web

    (There are my other containers already running in the multiserver setup)

    To give the container an init script so not to crash the host:

    ln -s /mail2 /var/lib/lxc/mail2

    [email protected]:~# ls /var/lib/lxc/
    db mail mail2 ns1 ns2 web

    There it is "mail2" ...

    And now to start the container:

    [email protected]:~# lxc-start -n mail2 -d
    [email protected]:~# lxc-info -n mail2
    'mail2' is RUNNING
    [email protected]:~# lxc-ps --name mail2 --forest
    mail2 25493 ? 00:00:00 init
    mail2 25709 ? 00:00:00 \_ dhclient3
    mail2 25785 ? 00:00:00 \_ sshd
    mail2 25802 pts/30 00:00:00 \_ getty
    mail2 25803 pts/26 00:00:00 \_ getty
    mail2 25804 pts/27 00:00:00 \_ getty
    mail2 25805 pts/28 00:00:00 \_ getty
    mail2 25806 pts/29 00:00:00 \_ getty

    So the system is up and running and now to configure and install ISPConfig 3.

    The next step might be to work out how to use quota inside the container - I can't figure it out and would appreciate help.

    I'll be trying to plug this node into an ISPConfig install on a completely different system and see how that goes.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Is there any special reason why you use lxc and not openvz? I checked lxc a few months ago and as far as I have seen, lxc has no quota support yet and no advanced vm limits. LXC seemed not be mature enough for a real deployment so I use openvz as container system on my servers and it works great.
  6. CSsab

    CSsab New Member

    lxc is my first experience with virtualisation and I do hear that it does have quota support - I just don't know how yet. They are very fast systems - easy to make and destroy (ultra lightweight).

    As to openvz I read that it is very good and see a lot of people use it but I have not tried it.

    To answer your question properly I think it is just a matter of preference for me.

    This from control panel on host:

    Filesystem Type Size Used Available Use% Mounted on
    /dev/sda3 ext4 74G 6.3G 64G 9% /
    none devtmpfs 998M 240K 997M 1% /dev
    none tmpfs 1005M 0 1005M 0% /dev/shm
    none tmpfs 1005M 72K 1005M 1% /var/run
    none tmpfs 1005M 0 1005M 0% /var/lock
    /dev/sdb1 ext4 3.7G 72M 3.5G 3% /web2
    /dev/sdc1 ext4 3.7G 282M 3.3G 8% /mail2
    /dev/sda1 ext4 472M 48M 400M 11% /boot

    this from database node

    Filesystem Type Size Used Available Use% Mounted on
    tmpfs tmpfs 1005M 0 1005M 0% /lib/init/rw
    tmpfs tmpfs 1005M 0 1005M 0% /dev/shm
    rootfs rootfs 74G 6.3G 64G 9% /

    I realise this is not the way to go for production servers yet but I think there is potential there.
  7. letic

    letic New Member

    A better solution is to disable the "os_specific" test in /etc/rkhunter.conf

    See : http://www.mail-archive.com/[email protected]/msg01719.html

    On Linux os_specific runs 2 tests :
    - check which modules are loaded
    - check modules on the disk

    As you have neither in a container you can safely disable this test.

    Hope this help

Share This Page