Revision as of 16:12, 13 January 2014

Abstract: This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).

Tip: At the time of writing this document the recommended Alpine version for building the Host box for the containers should be at minimum 2.7.3 64 bit.

Hardware

Setup Host Box

Boot Alpine USB

Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

Alpine Setup

setup-alpine

You will be prompted something like this...	Suggestion on what you could enter...
`Select keyboard layout [none]:`	Type an appropriate layout for you
`Select variant:`	Type an appropriate layout for you (if prompted)
`Enter system hostname (short form, e.g. 'foo') [localhost]:`	Enter the hostname, e.g. lxc-host
`Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')`	Enter bond0.3
`Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]`	eth0 eth1
`IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]:`	Press Enter confirming 'none'
`IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]:`	<%LXCHOST_MANAGEMENT_IP_ADDRESS%>
`Netmask? [255.255.255.0]:`	<%DMVPN_MANAGEMENT_NETMASK%>
`Gateway? (or 'none') [none]:`	<%DMVPN_MANAGEMENT_NET_IP%>
`Do you want to do any manual network configuration? [no]`	no
`DNS domain name? (e.g. 'bar.com') []:`	Enter the domain name of your intranet, e.g., office.example.net
`DNS nameservers(s)? []:`	8.8.8.8 8.8.4.4 (we will change them later)
`Changing password for root New password:`	Enter a secure password for the console
`Retype password:`	Retype the above password
`Which timezone are you in? ('?' for list) [UTC]:`	Press Enter confirming 'UTC'
`HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]`	http://<%DMVPN_USR_NET_IP%>:8080
`Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:`	Select a mirror close to you and press Enter
`Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:`	Press Enter confirming 'openssh'
`Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:`	Press Enter confirming 'chrony'
`Which disk(s) would you like to use? (or '?' for help or 'none') [none]:`	sda sdb
`How would you like to use them? ('sys', 'data' or '?' for help):`	data
`Enter where to store configs ('floppy', 'usb' or 'none') [usb]:`	Press Enter confirming 'usb'
`Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:`	Press Enter confirming '/media/usb/cache'

Upgrade packages

apk update apk upgrade

Save Changes

lbu commit

Finish Setup with a reboot

reboot

Setup Networking

With your favorite editor configure /etc/network/interfaces

Contents of /etc/netowork/interfaces

auto lo
iface lo inet loopback

auto bond0
iface bond0 inet manual
        bond-slaves eth0 eth1
        up ip link set $IFACE up
        up bond-mode balance-tlb
        up bond-miimon 100
        down ip link set $IFACE down

auto bond0.3
iface bond0.3 inet static
	address <%LXCHOST_MANAGEMENT_IP_ADDRESS%>
	netmask <%DMVPN_MANAGEMENT_NETMASK%>
	gateway <%DMVPN_MANAGEMENT_IP%>

auto bond0.101
iface bond0.101 inet manual
	up ip link set $IFACE up
	down ip link set $IFACE down

auto bond0.1101
iface bond0.1101 inet manual
	up ip link set $IFACE up
	down ip link set $IFACE down

auto bond0.701
iface bond0.601 inet manual
	up ip link set $IFACE up
	down ip link set $IFACE down

Apply changes by restarting networking

/etc/init.d/networking restart

Enable IP Forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

Setup Firewall

apk add acf-awall

With your favorite editor, create a base policy file for a wall, /etc/awall/optional/base.json

Contents of /etc/awall/optional/base.json

{
  "description": "Base Policy",

  "policy": [
    { "in": "_fw", "action": "accept" }
  ],

  "filter": [
    {
      "out": "_fw",
      "service": [ "ssh", "https", "ping" ],
      "action": "accept"
    }
  ]
}

Activate the Firewall

modprobe ip_tables awall enable base awall activate

Configure ip_tables to start automatically when host is booted up

rc-update add awall

Install LXC

Install the LXC and Bridge packages

apk add lxc bridge

With your favorite editor configure /etc/lxc/default.conf

Contents of /etc/lxc/default.conf

## Allow containers in the same VLAN to see each other
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth0

## Restrict capabilities of the containers
lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override
lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct
lxc.cap.drop = sys_ptrace sys_rawio sys_tty_config sys_time

Finish Installation

lbu ci reboot

@@ Line 170: / Line 170: @@
 {{Cmd|apk add lxc bridge}}
 With your favorite editor configure /etc/lxc/default.conf
+{{cat|/etc/lxc/default.conf|
-{{cat|/etc/init.d/default.conf|
+## Allow containers in the same VLAN to see each other
-# Allow containers in the same VLAN to see each other
+lxc.network.type {{=}} macvlan
-lxc.network.type = macvlan
+lxc.network.macvlan.mode {{=}} bridge
-lxc.network.macvlan.mode = bridge
+lxc.network.link {{=}} bond0.3
-lxc.network.link = bond0.3
+lxc.network.name {{=}} eth0
-lxc.network.name = eth0
 ## Restrict capabilities of the containers
-lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
+lxc.cap.drop {{=}} sys_admin audit_control audit_write fsetid ipc_lock
-lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override
+lxc.cap.drop {{=}} ipc_owner lease linux_immutable mac_admin mac_override
-lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct
+lxc.cap.drop {{=}} mknod setfcap setpcap sys_module sys_nice sys_pacct
-lxc.cap.drop = sys_ptrace sys_rawio sys_tty_config sys_time
+lxc.cap.drop {{=}} sys_ptrace sys_rawio sys_tty_config sys_time
 }}
 Finish Installation
 {{Cmd|lbu ci
 reboot}}