Create LXC environment on (fresh) Ubuntu 15.04 server
AS ROOT:
# Unprivileged admin account; everything after the "AS ADMIN" marker is run
# as this user through sudo.
adduser admin
usermod --append --groups sudo admin
Edit /etc/ufw/sysctl.conf so the host forwards packets:
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1
Edit /etc/default/ufw so forwarded traffic is accepted (note that ACCEPT applies to all forwarded traffic, not only to what the NAT rules below redirect):
DEFAULT_FORWARD_POLICY="ACCEPT"
MANAGE_BUILTINS=yes
AS ADMIN:
# NOTE: a PPA is a third-party archive; adding it trusts that archive's
# signing key for package installation from now on.
sudo add-apt-repository ppa:ubuntu-lxc/lxd-stable
sudo apt-get update
sudo apt-get --yes dist-upgrade
sudo apt-get --yes install lxd haveged
# Container defaults taken from
# https://wiki.archlinux.org/index.php/Linux_Containers
printf '%s\n' 'lxc.autodev=1' 'lxc.kmsg=0' 'lxc.pts=1024' \
  | sudo tee -a /etc/lxc/default.conf > /dev/null
# Both services at boot: lxd for the containers, haveged as an entropy source.
sudo systemctl enable lxd
sudo systemctl enable haveged
sudo service lxd start
# Had to wait a bit the first time I started before running lxd-images
sudo lxd-images import lxc ubuntu trusty amd64 --alias ubuntu-trusty
sudo lxc launch ubuntu-trusty mailinabox
# Gives the container a moment to come up before its address is read below.
sleep 5
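# Print the KEY=value assignment for one setting of /etc/default/lxc-net
# (or of the file given as $2) with its double quotes stripped.
# The pattern is anchored at line start so a commented-out or longer-named
# entry (e.g. "#LXC_NETWORK=...") cannot be picked up and handed to export.
# Arguments: $1 - setting name, $2 - file to read (default /etc/default/lxc-net)
# Outputs:   KEY=value on stdout; nothing if the setting is absent
lxc_net_setting() {
  grep -- "^$1=" "${2:-/etc/default/lxc-net}" | tr -d '"'
}
# Quoted so an empty result fails export loudly instead of silently turning
# into a bare `export` that just lists the environment.
export "$(lxc_net_setting LXC_NETWORK)"
export "$(lxc_net_setting LXC_NETMASK)"
export "$(lxc_net_setting LXC_ADDR)"
# Container address as reported by lxd; assumes `lxc info` prints the eth0
# line tab-separated with the address in the third field — TODO confirm.
MAILINABOX_IP=$(sudo lxc info mailinabox | grep eth0 | cut -f3)
export MAILINABOX_IP
# First address of the host (hostname -I lists them space-separated).
HOST_IP=$(hostname -I | cut -f1 -d' ')
export HOST_IP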
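# Abort before touching before.rules if any address the rules interpolate is
# empty: an empty HOST_IP / MAILINABOX_IP / LXC_NETWORK would otherwise be
# written out as malformed NAT rules that ufw then fails to load.
: "${HOST_IP:?HOST_IP is empty}" \
  "${MAILINABOX_IP:?MAILINABOX_IP is empty}" \
  "${LXC_NETWORK:?LXC_NETWORK is empty}"
# The here-doc is deliberately unquoted: the three variables above are
# expanded into the rules as they are written.
sudo tee -a /etc/ufw/before.rules << EOF > /dev/null
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inspired by @efries
# https://discourse.mailinabox.email/t/system-status-pages-shows-errors-when-port-forward-to-container/470
# http://blog.inetpeople.net/mail-in-a-box-with-lxd-container/
# To parse these rules, check out http://explainshell.com
# Test: from the browser, access https://MYDOMAIN.com
# The following route incoming connections to the relevant ports to the LXC container
-A PREROUTING -d $HOST_IP/32 -p tcp -m multiport --dports 25,53,80,443,587,993,995 -j DNAT --to-destination $MAILINABOX_IP
-A PREROUTING -d $HOST_IP/32 -p udp --dport 53 -j DNAT --to-destination $MAILINABOX_IP
# The following route connections from the server to itself
# Interestingly, with the commented set of rules,
# wget https://127.0.0.1 times out, instead of connection refused
#-A OUTPUT -o lo -p tcp -m multiport --dports 25,53,80,443,587,993,995 -j DNAT --to-destination $MAILINABOX_IP
#-A OUTPUT -o lo -p udp --dport 53 -j DNAT --to-destination $MAILINABOX_IP
-A OUTPUT -o lo ! -s 127.0.0.0/8 -p tcp -m multiport --dports 25,53,80,443,587,993,995 -j DNAT --to-destination $MAILINABOX_IP
-A OUTPUT -o lo ! -s 127.0.0.0/8 -p udp --dport 53 -j DNAT --to-destination $MAILINABOX_IP
# Test: lxc exec mail -- wget https://MYDOMAIN.com
# The following will "hairpin" connections back from the LXC containers
-A POSTROUTING -s $LXC_NETWORK -d $LXC_NETWORK -p tcp -m multiport --dports 25,53,80,443,587,993,995 -j MASQUERADE
-A POSTROUTING -s $LXC_NETWORK -d $LXC_NETWORK -p udp --dport 53 -j MASQUERADE
# Test: lxc exec mail -- wget https://google.com
# The following will disguise the containers outbound connections as originating from the server
-A POSTROUTING -s $LXC_NETWORK -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF
sudo ufw enable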
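# Install the unit in /etc/systemd/system and let systemctl create the
# multi-user.target.wants symlink, instead of dropping the file straight into
# the .wants directory, which bypasses [Install] and daemon-reload.
# Type=oneshot + RemainAfterExit: `lxc start` returns as soon as the container
# has been started, so without them systemd would report the unit as
# inactive (dead) right after boot and units ordered after it would not wait.
# The here-doc is quoted: nothing in the unit is meant to be expanded.
sudo tee /etc/systemd/system/mailinabox-autostart.service << 'EOF' > /dev/null
[Unit]
Description=Start mailinabox lxc instance
After=lxd.service
Requires=lxd.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/lxc start mailinabox
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable mailinabox-autostart.service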
# Host-side veth of the container; assumes exactly one veth interface exists
# on the host at this point, since the result is used as a single name
# — TODO confirm on hosts that run more than one container.
VETH_DEV=$(ifconfig | grep veth | cut -d' ' -f1)
export VETH_DEV
# Hairpin mode on the bridge port lets frames arriving from the container be
# sent back out through the same port, which the hairpin MASQUERADE rules in
# before.rules rely on.
sudo brctl hairpin lxcbr0 $VETH_DEV on
# Interactive: edit the container's network config as described below.
sudo lxc exec mailinabox -- vim /etc/network/interfaces
Inside the container, edit /etc/network/interfaces:
delete the eth0 entries
add the following (expand the variables by hand; vim will not do it):
auto eth0
iface eth0 inet static
address $MAILINABOX_IP
netmask $LXC_NETMASK
gateway $LXC_ADDR
dns-nameservers (see your /etc/resolv.conf and put a few in there, space separated)
# Bounce eth0 in the container so the static addressing just written to
# /etc/network/interfaces takes effect.
sudo lxc exec mailinabox -- ifdown eth0
sudo lxc exec mailinabox -- ifup eth0
# This removes the resolv.conf entry pointing at the gateway
sudo lxc exec mailinabox -- resolvconf -d eth0.dhclient
# curl for the bootstrap step below; ssh so the container can be reached
# directly from the host.
sudo lxc exec mailinabox -- apt-get install --yes curl git ssh
# Same admin user inside the container, with sudo via the sudo group.
sudo lxc exec mailinabox -- adduser admin
sudo lxc exec mailinabox -- usermod --append --groups sudo admin
ssh "admin@${MAILINABOX_IP}"
AS ADMIN@MAILINABOX:
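# -f makes curl fail on an HTTP error instead of piping an error page into
# bash; -S still reports that failure despite -s. Safer still is to fetch
# bootstrap.sh to a file, read it, and only then run it with sudo.
curl -fsS https://mailinabox.email/bootstrap.sh | sudo bash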