userdoc:guest_lxc_container

Differences

This shows you the differences between two versions of the page.

userdoc:guest_lxc_container [2020/05/31 15:09]
abelbeck [Quick Start Guide]
userdoc:guest_lxc_container [2023/03/11 04:23]
mkeuter
Line 50: Line 50:
   LXC_BRIDGE0="eth3"   LXC_BRIDGE0="eth3"
  
-!!Tip ->!! If you have multiple LAN interfaces defined in the Network tab, assign ''lxcbr0'' to **[[userdoc:tt_firewall_overview|The DMZ Interface]]**.  In this configuration the firewall will allow any **LAN Interface** to access the container, but the container's network can only initiate access via the **External Interface** unless additional firewall rules are added.+!!Tip ->!! If you have multiple LAN interfaces defined in the Network tab, assign ''lxcbr0'' to **[[userdoc:tt_firewall_overview|The DMZ Interface]]**.  In this configuration the firewall will allow any **LAN Interface** to access the container, but the container's network can only initiate access via the **External Interface** unless additional firewall rules are added (e.g. DNS will not work!).
  
 !!Tip ->!! If you run out of physical interfaces to assign to the bridge, create a VLAN, for example: !!Tip ->!! If you run out of physical interfaces to assign to the bridge, create a VLAN, for example:
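
Review bot: The added parenthetical "(e.g. DNS will not work!)" at the end of the DMZ tip names a symptom but not the cause or the fix. The same sentence says the container can still initiate access via the External Interface, so the failure presumably applies to a resolver on the AstLinux host or on a LAN interface rather than to DNS in general. Say which, and name the narrow rule the reader should add (DNS on port 53 from the DMZ to that resolver only), so nobody responds by opening the DMZ to the LAN wholesale.
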
Line 146: Line 146:
 ===== Recommended Base Installs ===== ===== Recommended Base Installs =====
  
 +  lxc-create -t download -n debian11 -- -d debian -r bullseye -a amd64 --no-validate
 +  
   lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate   lxc-create -t download -n debian10 -- -d debian -r buster -a amd64 --no-validate
      
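
Review bot: The new debian11 line carries over ''--no-validate'' from the debian10 line below it, and nothing in the section says why. With the download template that flag turns off GPG validation of the fetched image, so an entry under "Recommended Base Installs" should either drop it or state the reason it is needed here and what the reader gives up. It is also worth deciding whether debian10 still belongs under "Recommended" now that debian11 is listed first.
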
Line 158: Line 160:
  
 Typical base installs use less than 1 GB of disk space. Typical base installs use less than 1 GB of disk space.
- 
-\\  
-===== Pi-hole Container Example ===== 
- 
-The [[https://pi-hole.net/|Pi-hole]] project is a "DNS sinkhole" that protects your devices from unwanted content, without installing any client-side software. 
- 
-Pi-hole is a perfect example to use with AstLinux within a LXC.  Begin as with the "Quick Start Guide" but use the name ''pi-hole''. 
- 
-First, it is assumed the ''lxcbr0'' interface is setup per the above **Quick Start Guide** -> Enable LXC Support. 
- 
-Then from the CLI: 
- 
-  lxc-create -t download -n pi-hole -- -d debian -r buster -a amd64 --no-validate 
- 
-  service lxc init 
- 
-  lxc-attach pi-hole 
-    passwd 
-    apt update 
-    apt install openssh-server iputils-ping curl 
-    ... 
-    exit 
- 
-!!Tip ->!! Optionally you may want to also... 
-    apt install sudo nano 
- 
-!!Tip ->!! Set ''PermitRootLogin yes'' for sshd and restart sshd. Type ''exit'' to leave the container and do the rest via ssh. 
- 
-\\ 
-__Install Pi-hole:__ 
-\\ 
- 
-Either with ''lxc-attach pi-hole'' or ''ssh root@pi-hole_ip_address'' 
- 
-  curl -sSL https://install.pi-hole.net -o pihole.sh 
-  # Comment out the "set -e" in pihole.sh, then 
-  bash pihole.sh 
- 
-Follow the dialogs and answer the questions. 
- 
-Change Pi-hole WebGUI password: 
- 
-  /usr/local/bin/pihole -a -p 
- 
-\\ 
-!!Tip ->!! If ''lighttpd'' is not started after the Pi-hole installation (=> ''netstat -tlp''): 
- 
-  apt remove lighttpd 
-  bash pihole.sh 
-  # choose "Update" 
-   
-The Pi-hole LXC container uses about 40-50 MB of RAM. 
- 
-\\ 
-===== Command via a Container ===== 
- 
-There are occasions where a command might be useful within AstLinux, but it may use python, golang, etc. or is just large in comparison to the 50 MB size of the AstLinux image.  A LXC container can be a handy tool to add such a command. 
- 
-Below is an example how to add the ''lynx'' command line web browser.  The ''lynx'' container only runs when needed. 
- 
-First, it is assumed the ''lxcbr0'' interface is setup per the above **Quick Start Guide** -> Enable LXC Support. 
- 
-Then from the CLI: 
- 
-  lxc-create -t download -n lynx -- -d debian -r buster -a amd64 --no-validate 
- 
-  service lxc restart 
- 
-  lxc-attach lynx 
-    apt update 
-    apt install lynx ca-certificates fping 
-    exit 
- 
-Next, stop the ''lynx'' container and keep it from automatically starting. 
- 
-  lxc-stop lynx 
-  sed -i 's/^lxc.start.auto=1/lxc.start.auto=0/' /var/lib/lxc/lynx/config 
- 
-Finally, create a wrapper script to start/stop the container and issue a command. 
- 
-Place this script at ''/mnt/kd/bin/lynx'' and give it ''chmod 755'' permissions. 
-  #!/bin/sh 
-  ## 
-  ## lynx wrapper for LXC Debian 10 container 
-  ## 
-   
-  ## generate a random uid 
-  rand_uid=$((RANDOM % 4999 + 95000)) 
-   
-  ## Destination IP to test when container network is active 
-  ping_ip="8.8.4.4" 
-   
-  trap 'printf "Abort\n" >&2; lxc-stop lynx; exit 1' INT TERM EXIT 
-   
-  lxc-start lynx 
-   
-  printf "Waiting for container network to become active... " 
-  lxc-attach lynx -u $rand_uid -- fping -q -r15 $ping_ip 
-  printf "OK\n" 
-   
-  lxc-attach lynx -u $rand_uid -- lynx "$@" 
-   
-  lxc-stop lynx 
-   
-  trap - INT TERM EXIT 
-   
-  exit 0 
- 
-!!Tip ->!! If you edit ''/var/lib/lxc/lynx/config'' and assign a manual IP address, the container starts very quickly, whereas using DHCP it takes 4-6 seconds to establish the network. 
- 
-Test it! 
- 
-  /mnt/kd/bin/lynx https://www.astlinux-project.org 
  
 \\  \\ 
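
Review bot: Both removed sections, "Pi-hole Container Example" and "Command via a Container", disappear without a replacement link in the retained context, so readers arriving from old links lose the procedure. If the material moved to its own page, leave a one-line pointer here. If it is being relocated, two details deserve a second look on the way: the tip to set ''PermitRootLogin yes'' has no step for reverting it or switching to key-based login once setup is done, and the Pi-hole install asks the reader to comment out ''set -e'' in a script fetched with curl without explaining why.
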
  • userdoc/guest_lxc_container.txt
  • Last modified: 2023/06/15 09:03
  • by abelbeck