Let’s get right to the fun part!
# apt install lxc lxc-net
# lxc-create -t download -n asbra-container
-t <template>
Use "download" to choose from a list of pre-built Linux images (the template fetches them over the network and asks for distribution, release and architecture if you do not pass them). Keep the template's image signature validation enabled — do not pass `--no-validate` — so you are not running an unverified root filesystem. I like the Alpine image since it is under 5 MB; Debian is also a good option but takes about 350 MB of disk.
-n <name_of_container>
# lxc-start -n asbra-container
To list available containers
# lxc-ls -f
-f: "fancy" output (one row per container with its state and IP addresses)
# lxc-attach -n asbra-container
Attaches your TTY to the named container and gives you a prompt.
Networking
# nvim /etc/lxc/default.conf
The xx:xx:xx part of the MAC address is replaced with random bytes for every container created from this config, so containers do not collide on the bridge.
#lxc.net.0.type = empty
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

(On LXC older than 3.0 the network keys were spelled `lxc.network.type`, `lxc.network.link`, and so on; the old and new spellings cannot be mixed in one config, so use whichever your version understands.) `lxc.apparmor.allow_nesting = 1` relaxes the generated AppArmor profile so that a container can itself run containers, which means extra mount and namespace permissions inside the container. Leave it out unless you actually need nesting.
Restart the lxc-net
# systemctl restart lxc-net
Firewall rules in iptables (I could not get the equivalent working with nftables). `$WAN` stands for the host's external interface name (e.g. eno1) and must be replaced with the real name. The FORWARD rule belongs in the filter table; the DNAT and MASQUERADE rules belong in the nat table. If your FORWARD chain's default policy is DROP (it should be), you also need a rule that lets the container's reply packets back out, e.g. `-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. Note that the MASQUERADE rule gives every container unrestricted outbound access; narrow it later if the containers do not need to reach the Internet.
-A FORWARD -d 10.10.10.80/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i $WAN -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.80:80
-A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -j MASQUERADE
# nvim /etc/network/interfaces

auto lxcbr0
iface lxcbr0 inet static
    bridge_ports eno2
    bridge_fd 0
    bridge_maxwait 0
    address 10.10.10.1
    netmask 255.255.255.0

Two things to watch here. First, lxc-net also wants to manage an interface called lxcbr0 (by default with 10.0.3.0/24); to stop the two from fighting over it, either disable lxc-net's bridge with `USE_LXC_BRIDGE="false"` in /etc/default/lxc-net, or set LXC_ADDR / LXC_NETMASK / LXC_NETWORK there to the 10.10.10.0/24 values instead of defining the bridge in this file. Second, `bridge_ports eno2` attaches a physical NIC to the container bridge: anything plugged into eno2 is on the same L2 segment as the containers and reaches them without passing the FORWARD rules above. Use `bridge_ports none` if you want a host-only bridge that is reachable only through the host's firewall.
Webserver
# lxc-create -t debian -n buster-web
# nvim /var/lib/lxc/buster-web/rootfs/etc/network/interfaces
auto eth0
iface eth0 inet static
    address 10.10.10.80
    netmask 255.255.255.0
    gateway 10.10.10.1

The address must match the `-d 10.10.10.80/32` and `--to-destination 10.10.10.80:80` in the iptables rules above, otherwise the port forward goes nowhere.
# lxc-start -n buster-web
# lxc-attach -n buster-web
root@buster-web:/# apt update && apt upgrade
root@buster-web:/# apt install apache2 apache2-utils
root@buster-web:/# apt install php php-common php-cli php-fpm php-json php-pdo php-mysql php-zip php-gd php-mbstring php-curl php-xml php-pear php-bcmath libapache2-mod-php
root@buster-web:/# a2enmod php7.3
root@buster-web:/# a2enmod ssl
root@buster-web:/# a2enmod rewrite
root@buster-web:/# a2enmod proxy_fcgi
root@buster-web:/# systemctl restart apache2
root@buster-web:/# systemctl enable apache2
Virtual hosts
Add `--uid <n>` if the site's files are already owned by a specific numeric uid (for example when migrating from another server), so file ownership lines up with the new account.
root@buster-web:/# useradd --user-group --shell /usr/sbin/nologin --home-dir /var/www/site.se site.se
I have not looked into systemd-resolved, so I simply turn it off. Before doing so, make sure /etc/resolv.conf is a real file that lists a working nameserver (on some systems it is a symlink to resolved's stub file), otherwise name resolution stops working once the service is gone.
# systemctl stop systemd-resolved
# systemctl disable systemd-resolved
SQL Server
Now do the same for a new container called stretch-db (create it, give it its own static 10.10.10.x address in its /etc/network/interfaces, start it and attach to it), then install the following packages.
root@stretch-db:/# apt install -y mariadb-server mariadb-client
Check that the server is running and which address it listens on (`ss -tlpn` is the modern equivalent of netstat):
root@stretch-db:/# netstat -tapnu
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1095/mysqld
MariaDB is listening on localhost only; we need it reachable on eth0 from the web container.
root@stretch-db:/# vim /etc/mysql/mariadb.conf.d/50-server.cnf
#bind-address = 127.0.0.1
bind-address = 0.0.0.0

Binding to 0.0.0.0 exposes port 3306 on every interface the container has. With only eth0 that is the same thing, but binding to the container's own 10.10.10.x address is the safer habit. Either way, do not add a DNAT rule for 3306 on the host — the database should only be reachable from the container network — and when you create the application's database user, grant it from the web container's address (`'user'@'10.10.10.80'`) rather than `'user'@'%'`. Restart MariaDB after editing the file (`systemctl restart mariadb`).
Harden the installation with the following script; it sets a root password, removes the anonymous accounts, disallows remote root login and drops the test database. Run it before you open the port to the other containers.
root@stretch-db:/# mysql_secure_installation