Small Office Services: Difference between revisions

From Alpine Linux

Revision as of 13:26, 14 January 2014

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Cewebb on 14 Jan 2014.)

Abstract: This document will outline how to provide various network services for a small remote office, using Linux containerization (LXC).

Tip: At the time of writing, the host box for the containers should be built on at least Alpine 2.7.3 (64-bit).

Hardware

Setup LXC Host Box

Boot Alpine USB

Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

Alpine Setup

setup-alpine

You will be prompted roughly as follows; a suggested answer follows each prompt.
Select keyboard layout [none]: Type an appropriate layout for you
Select variant: Type an appropriate layout for you (if prompted)
Enter system hostname (short form, e.g. 'foo') [localhost]: Enter the hostname, e.g. lxc-host
Available interfaces are: eth0
Enter '?' for help on bridges, bonding and vlans.
Which one do you want to initialize? (or '?' done')
Enter bond0.3
Available bond slaves are: eth0 eth1
Which slave(s) do you want to add to bond0? (or 'done') [eth0]
eth0 eth1
IP address for bond0? (or 'dhcp', 'none', '?') [dhcp]: Enter 'none' (bond0 itself carries no address; the VLAN sub-interface does)
IP address for bond0.3? (or 'dhcp', 'none', '?') [dhcp]: <%LXCHOST_MANAGEMENT_IP_ADDRESS%>
Netmask? [255.255.255.0]: <%DMVPN_MANAGEMENT_NETMASK%>
Gateway? (or 'none') [none]: <%DMVPN_MANAGEMENT_NET_IP%>
Do you want to do any manual network configuration? [no] no
DNS domain name? (e.g. 'bar.com') []: Enter the domain name of your intranet, e.g., office.example.net
DNS nameservers(s)? []: 8.8.8.8 8.8.4.4 (we will change them later)
Changing password for root
New password:
Enter a secure password for the console
Retype password: Retype the above password
Which timezone are you in? ('?' for list) [UTC]: Press Enter confirming 'UTC'
HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none] http://<%DMVPN_USR_NET_IP%>:8080
Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]: Select a mirror close to you and press Enter
Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]: Press Enter confirming 'openssh'
Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]: Press Enter confirming 'chrony'
Which disk(s) would you like to use? (or '?' for help or 'none') [none]: sda sdb
How would you like to use them? ('sys', 'data' or '?' for help): data
Enter where to store configs ('floppy', 'usb' or 'none') [usb]: Press Enter confirming 'usb'
Enter apk cache directory (or '?' or 'none') [/media/usb/cache]: Press Enter confirming '/media/usb/cache'

Upgrade packages

apk update
apk upgrade

Save Changes

lbu commit

Finish Setup with a reboot

reboot

Setup Networking

With your favorite editor configure /etc/network/interfaces

Contents of /etc/network/interfaces

auto lo
iface lo inet loopback

auto bond0
iface bond0 inet manual
    # bonding options are handled by the ifupdown bonding hook, not run as commands
    bond-slaves eth0 eth1
    bond-mode balance-tlb
    bond-miimon 100
    up ip link set $IFACE up
    down ip link set $IFACE down

auto bond0.3
iface bond0.3 inet static
    address <%LXCHOST_MANAGEMENT_IP_ADDRESS%>
    netmask <%DMVPN_MANAGEMENT_NETMASK%>
    gateway <%DMVPN_MANAGEMENT_IP%>

auto bond0.101
iface bond0.101 inet manual
    up ip link set $IFACE up
    down ip link set $IFACE down

auto bond0.1101
iface bond0.1101 inet manual
    up ip link set $IFACE up
    down ip link set $IFACE down

# NOTE: the auto line and the iface stanza below name different VLAN interfaces
# (bond0.701 vs bond0.601). ifup -a finds no stanza for bond0.701 and never
# brings bond0.601 up at boot; both lines must use the same interface name.
auto bond0.701
iface bond0.601 inet manual
    up ip link set $IFACE up
    down ip link set $IFACE down

Apply changes by restarting networking

/etc/init.d/networking restart

Enable IP Forwarding (this takes effect immediately but does not survive a reboot on its own)

echo "1" > /proc/sys/net/ipv4/ip_forward

Setup Firewall

apk add acf-awall

With your favorite editor, create a base policy file for awall, /etc/awall/optional/base.json

Contents of /etc/awall/optional/base.json

{
  "description": "Base Policy",
  "policy": [
    { "in": "_fw", "action": "accept" }
  ],
  "filter": [
    { "out": "_fw", "service": [ "ssh", "https", "ping" ], "action": "accept" }
  ]
}

Activate the Firewall

modprobe ip_tables
awall enable base
awall activate

Configure awall to start automatically when the host boots

rc-update add awall

Install LXC

Install the LXC and Bridge packages

apk add lxc bridge

With your favorite editor configure /etc/lxc/default.conf

Contents of /etc/lxc/default.conf

## Allow containers in the same VLAN to see each other
lxc.network.type = macvlan
lxc.network.macvlan.mode = bridge
lxc.network.link = bond0.3
lxc.network.name = eth0

## Restrict capabilities of the containers
lxc.cap.drop = sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop = ipc_owner lease linux_immutable mac_admin mac_override
lxc.cap.drop = mknod setfcap setpcap sys_module sys_nice sys_pacct
lxc.cap.drop = sys_ptrace sys_rawio sys_tty_config sys_time
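As an added example (not from the wiki page), a POSIX shell script that verifies the lxc.cap.drop list above actually took effect, by decoding the CapBnd bitmask the kernel exposes for a container process. The lxc-info call in check_container is assumed to be available on the host; everything else is standard sh and awk.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check from the LXC host that the
# capabilities listed in lxc.cap.drop are really gone from a running container.
# The kernel reports a process's bounding set as a hex bitmask on the CapBnd
# line of /proc/<pid>/status; bit numbers follow linux/capability.h.

# cap_bit NAME: bit number for a capability as spelled in lxc.cap.drop
cap_bit() {
    case "$1" in
        fsetid) echo 4 ;;          setpcap) echo 8 ;;
        linux_immutable) echo 9 ;; ipc_lock) echo 14 ;;
        ipc_owner) echo 15 ;;      sys_module) echo 16 ;;
        sys_rawio) echo 17 ;;      sys_ptrace) echo 19 ;;
        sys_pacct) echo 20 ;;      sys_admin) echo 21 ;;
        sys_nice) echo 23 ;;       sys_time) echo 25 ;;
        sys_tty_config) echo 26 ;; mknod) echo 27 ;;
        lease) echo 28 ;;          audit_write) echo 29 ;;
        audit_control) echo 30 ;;  setfcap) echo 31 ;;
        mac_override) echo 32 ;;   mac_admin) echo 33 ;;
        *) return 1 ;;
    esac
}

# cap_present MASKHEX NAME: succeed if NAME is still in the bounding set
cap_present() {
    bit=$(cap_bit "$2") || return 2
    [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]
}

# still_present MASKHEX NAME...: print each NAME not dropped; fail if any
still_present() {
    mask=$1; shift; found=0
    for name in "$@"; do
        if cap_present "$mask" "$name"; then echo "$name"; found=1; fi
    done
    return $found
}

# The capabilities dropped by the default.conf above
DROPPED="sys_admin audit_control audit_write fsetid ipc_lock ipc_owner lease
linux_immutable mac_admin mac_override mknod setfcap setpcap sys_module
sys_nice sys_pacct sys_ptrace sys_rawio sys_tty_config sys_time"

# check_container NAME: read CapBnd of the container's init (pid via lxc-info,
# assumed to be available on the host) and report any capability left over
check_container() {
    pid=$(lxc-info -n "$1" -p | awk '{print $2}')
    still_present "$(awk '/^CapBnd:/ {print $2}' "/proc/$pid/status")" $DROPPED
}
```

Run `check_container webproxy` on the host after the container is up; an empty result and exit status 0 means every listed capability is out of the bounding set.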

Finish Installation

lbu ci
reboot

Install the Web Proxy Container

Create the container

lxc-create -n webproxy -f /etc/lxc/default.conf -t alpine

Create the startup script

ln -s /etc/init.d/lxc /etc/init.d/lxc.webproxy

Edit the container's config file, /var/lib/lxc/webproxy/config, so that it reflects the network of the web proxy container

Contents of /var/lib/lxc/webproxy/config

...
lxc.network.link = bond0.101
...

Start the container

/etc/init.d/lxc.webproxy start

Configure the container to automatically start

rc-update add lxc.webproxy

Enter the webproxy container

lxc-console -n webproxy

Login as root

Note: If the need arises to exit the container, press Ctrl+a k

Remove the obsolete /etc/network/interfaces

rm /etc/network/interfaces

Create and configure the new /etc/network/interfaces as shown below:

Contents of /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address <%WEB_PROXY_IP_ADDRESS%>
    netmask <%DMVPN_USR_NET_NETMASK%>
    gateway <%DMVPN_USR_NET_IP_ADDRESS%>

Start networking

/etc/init.d/networking start

Add a rule to the DMVPN awall policy that allows this proxy out to the internet

Note: this is to be configured on the DMVPN awall config

Contents of /etc/awall/optional/internet-host.json

{
  "in": "B",
  "src": "$I2D_PROXY",
  "out": "E",
  "action": "accept"
},

Configure remote administration

apk update
setup-sshd -c openssh
sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
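An added example, not from the wiki page: the two sed commands above only rewrite a line that has exactly one character (the leading '#') before the directive, so an already uncommented "PasswordAuthentication yes" or a missing directive is left as it is. The helpers below set each directive unconditionally and read back the value sshd will use, so the result can be checked before sshd is started; the sample config is constructed in a temporary file.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Sets sshd directives regardless of
# whether the existing line is commented, uncommented or absent, then reads
# back the effective value. Pass /etc/ssh/sshd_config for real use.

# set_sshd_option FILE KEY VALUE: rewrite every KEY line, commented or not,
# or append "KEY VALUE" if the directive is absent from FILE.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -qE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i "s|^[[:space:]]*#\{0,1\}[[:space:]]*$key\([[:space:]].*\)\{0,1\}$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the effective value; like sshd, the first
# active (uncommented) occurrence wins. Prints nothing if the key is unset.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: apply the two settings from the procedure above.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" UseDNS no
}

# Demonstration on a constructed config where the plain sed pattern would
# miss the uncommented PasswordAuthentication line.
demo() {
    tmp=$(mktemp)
    printf 'Port 22\nPasswordAuthentication yes\n#UseDNS yes\n' > "$tmp"
    harden_sshd "$tmp"
    echo "PasswordAuthentication=$(get_sshd_option "$tmp" PasswordAuthentication)"
    echo "UseDNS=$(get_sshd_option "$tmp" UseDNS)"
    rm -f "$tmp"
}

demo
```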

Start ssh

/etc/init.d/sshd start

Set the root password for the container

passwd

Set up ACF for web administration

setup-acf

Configure Firewall