Tworzenie nowego kontenera
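# Create a Debian bookworm guest on an LVM-backed XFS volume, mark it for
# autostart and start it. Chained with '&&' so a failed lxc-create does not
# leave a stray config append or a start attempt on a container that does not
# exist. Replace tu_nazwa with the container name; NAME is reused below.
NAME=tu_nazwa
lxc-create -t debian -n "$NAME" -B lvm --vgname=first --lvname="lxc-$NAME" --fstype=xfs --fssize=10G -- -r bookworm \
  && echo 'lxc.start.auto = 1' >> "/var/lib/lxc/$NAME/config" \
  && lxc-start -n "$NAME" -d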
- Bridge - aktualnie zalecany
Pamiętać o nadaniu unikalnego adresu MAC.
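# Append a veth interface on bridge br0.1000 to the guest config.
# No hwaddr is written here - set a unique MAC as noted above.
# NOTE(review): these are the legacy lxc.network.* keys while the example below
# uses lxc.net.N.* - confirm which form the installed LXC accepts.
: "${NAME:?NAME not set - see container creation above}"
# printf instead of 'echo -e': escape handling of echo is not portable.
printf '\n## Network\n lxc.network.type\t\t\t= veth\n lxc.network.flags\t\t\t= up\n lxc.network.link\t\t\t= br0.1000\n lxc.network.name\t\t\t= eth0\n\n' >> "/var/lib/lxc/$NAME/config"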
# Przykład (example)
## Network
# hook.version = 1 makes LXC pass hook parameters via environment variables,
# which is what br0.up below relies on (LXC_NET_PEER).
lxc.hook.version = 1
lxc.net.1.type = veth
lxc.net.1.flags = up
lxc.net.1.link = br0
lxc.net.1.name = wan
# $NAME stands for the container name - LXC does not expand shell variables
# in its config, substitute the real name when writing the file.
lxc.net.1.veth.pair = $NAME
lxc.net.1.script.up = /var/lib/lxc/$NAME/br0.up
br0.up
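#!/bin/sh
# LXC network up-hook (lxc.net.N.script.up with lxc.hook.version = 1): LXC
# passes the host-side veth name in LXC_NET_PEER. Moves that port from the
# default VLAN 1 to VLAN 2 as its untagged/PVID member.
set -u
# Fail loudly when not run as an LXC hook instead of operating on an empty name.
: "${LXC_NET_PEER:?LXC_NET_PEER not set - this script is meant to run as an LXC network hook}"
bridge vlan del dev "$LXC_NET_PEER" vid 1 untagged
bridge vlan add dev "$LXC_NET_PEER" vid 2 untagged pvid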
- SR-IOV - nie zalecany (tracimy rdzenie procesora, które na sztywno trzeba przypisać do urządzenia)
## Network
# SR-IOV variant: the host device eth5 is moved into the guest as-is
# (type phys) and shows up there as eth0vf1.
lxc.net.1.type = phys
lxc.net.1.flags = up
lxc.net.1.link = eth5
lxc.net.1.name = eth0vf1
- Konfiguracja IP - nie wykonujemy, IP nadajemy w kontenerze
# NOTE(review): the section header says IP configuration is done inside the
# guest, so these keys are for reference only. The rendered page collapsed
# them onto one commented line; split here assuming only hwaddr was
# commented out - confirm whether the two ipv4 keys are meant to be active.
#lxc.network.hwaddr = 00:FF:CB:AC:FF:A5
lxc.network.ipv4 = 31.41.176.16/24
lxc.network.ipv4.gateway = 31.41.176.1
Gdzie zmienne to:
- lxc.network.hwaddr - adres fizyczny karty sieciowej
- lxc.network.link - nazwa bridge'a, do którego mamy się podłączyć
- lxc.network.name - nazwa interfejsu widocznego w GUEST
Konfiguracja kontenera
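# Enable the contrib/non-free components in the guest, restart it and hand it a
# first address and default route from the host side (IP configuration is done
# inside the guest, see above). Replace x.x.x.x with the address and gateway.
: "${NAME:?NAME not set - see container creation above}"
lxc-attach -n "$NAME" -- bash -c 'echo "deb http://deb.debian.org/debian/ bookworm main contrib non-free" >> /etc/apt/sources.list;'
lxc-stop -n "$NAME"
lxc-start -n "$NAME" -d
IP=x.x.x.x
BRAMA=x.x.x.x
lxc-attach -n "$NAME" -- ip ad add "$IP" dev eth0
lxc-attach -n "$NAME" -- ip ro add default via "$BRAMA"
# Interactive shell inside the guest for the steps that follow.
lxc-attach -n "$NAME"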
Paczka pakietów potrzebnych na wszystkich systemach
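# Baseline package set for every system. The original list named htop, nano
# and acl twice; apt tolerated that but the duplicates were noise.
apt -y update
apt-get -y install \
  mc ssh less psmisc pciutils tcpdump logrotate cron nano vim rsyslog iptables \
  lsof strace iputils-ping wget screen pbzip2 aptitude htop man iftop bzip2 \
  telnet tree rsync dnsutils ncdu mtr arping lldpd bash-completion acl git \
  python3 python3-pip net-tools diceware ifstat colordiff fail2ban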
Dodawanie konta dla administratora
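# Create the admin account, put it in the management groups (creating any that
# are missing) and seed its shell and mc configuration.
# Note: this overrides $USER for the rest of the interactive session.
USER=jadmin
adduser --force-badname --gecos "JustNet Admin Account" "$USER"
for group in justnet remote-console admin; do
  # Anchor on the ':' field separator - '^admin' alone would also match
  # e.g. 'admins'. The original '&& adduser || addgroup' chain also ran
  # addgroup whenever adduser itself failed.
  if ! grep -qi "^${group}:" /etc/group; then
    addgroup --system "$group"
  fi
  adduser "$USER" "$group"
done
# '\$SSH_AUTH_SOCK' is escaped so the agent socket is resolved when the alias
# runs; the original expanded it at install time and froze the socket path of
# the session that ran this snippet into .bashrc.
echo "alias su='su - -c \"export SSH_AUTH_SOCK=\$SSH_AUTH_SOCK; bash\"'" >> "/home/${USER}/.bashrc"
mkdir -p "/home/${USER}/.config/mc"
cat > "/home/${USER}/.config/mc/ini" <<'EOF'
[Midnight-Commander]
use_internal_edit=true
editor_fill_tabs_with_spaces=true
editor_tab_spacing=4

[Panels]
navigate_with_arrows=true
EOF
# 'user:group' - the 'user.group' form is deprecated in coreutils chown.
chown -cR "$USER:$USER" "/home/${USER}"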
Konfiguracja podstawowa (SSH, root, firewall)
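# Base hardening of a fresh guest: root password, mc defaults, SSH restricted to
# group remote-console, su restricted to group admin, host firewall from the
# deploy server, timezone and lldpd. Pasted into an interactive root shell, so
# no 'set -e' - failures are handled per step instead.
passwd

mkdir -p /root/.config/mc
cat > /root/.config/mc/ini <<'EOF'
[Midnight-Commander]
use_internal_edit=true
editor_fill_tabs_with_spaces=true
editor_tab_spacing=4

[Panels]
navigate_with_arrows=true
EOF

# Only members of remote-console may log in over SSH. Validate before
# restarting so a bad config cannot lock everyone out of the host.
# NOTE(review): appended at end of file - if sshd_config ends with an active
# Match block the directive would land inside it; confirm on the target file.
printf '\nAllowGroups remote-console\n\n' >> /etc/ssh/sshd_config
if sshd -t; then
  /etc/init.d/ssh restart
else
  printf 'sshd_config failed validation - ssh NOT restarted\n' >&2
fi

# Only members of group admin may su. 'required' denies everyone else.
# NOTE(review): appended after Debian's '@include common-auth' lines, so
# 'trust' (no password for group members) has no effect at this position;
# the group restriction still applies. Move it above the includes if the
# password-less behaviour is wanted - confirm against the installed file.
echo "auth required pam_wheel.so trust group=admin" >> /etc/pam.d/su

rsync -avz -e ssh jadmin@deploy.justnet.pl:storage/baseconfig/firewall/* /
# Address used in the firewall rule tree and reused by the zabbix/snmpd/mariadb
# snippets below. The original derived it from 'ip li', which yields the
# interface *name* (e.g. eth0), not an address; snmpd's agentAddress and
# MariaDB's bind-address need an IP, so take the first global IPv4 instead.
SERVER_IP=$(ip -4 -o addr show scope global | awk 'NR==1{print $4}' | cut -d/ -f1)
: "${SERVER_IP:?could not determine the host IPv4 address}"
mkdir -p "/etc/gen/firewall/host:${SERVER_IP}/22:tcp:ssh"
printf '78.9.185.84\t# JustNet VPN\n' > "/etc/gen/firewall/host:${SERVER_IP}/22:tcp:ssh/allow"
/etc/init.d/ip_firewall restart
update-rc.d ip_firewall defaults

echo "Europe/Warsaw" > /etc/timezone
# -f replaces the existing link in one step instead of rm + ln.
ln -sf /usr/share/zoneinfo/Europe/Warsaw /etc/localtime

echo 'DAEMON_ARGS="-c -s -e"' >> /etc/default/lldpd
systemctl restart lldpd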
Debian - Zabbix: instalacja i konfiguracja
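# Zabbix agent with the Linux-LXC template. SERVER_IP comes from the base
# configuration step above.
: "${SERVER_IP:?SERVER_IP not set - run the base configuration step first}"
apt -y update
apt-get -y install git sudo zabbix-agent rsync

# Third-party template cloned from its default branch (not pinned): review the
# sudoers fragment and scripts before they are installed - the fragment grants
# sudo rights to the agent.
git clone https://github.com/H-Software/Zabbix-Template-Linux-LXC.git /tmp/zabbix
cp /tmp/zabbix/conf/zabbix-lxc.conf /etc/zabbix/zabbix_agentd.conf.d/
# The original appended the fragment to /etc/sudoers directly; a drop-in that
# visudo validates cannot break sudo for the whole host if it is malformed.
install -m 0440 /tmp/zabbix/conf/sudoers.d-zabbix-agent /etc/sudoers.d/zabbix-agent
if ! visudo -cf /etc/sudoers.d/zabbix-agent; then
  rm -f /etc/sudoers.d/zabbix-agent
  printf 'sudoers fragment rejected by visudo - removed\n' >&2
fi
mkdir -p /etc/zabbix/scripts
rm -rf /tmp/zabbix/
rsync -avz -e ssh jadmin@deploy.justnet.pl:storage/baseconfig/zabbix/* /
/etc/init.d/zabbix-agent restart
mkdir -p "/etc/gen/firewall/host:${SERVER_IP}/10050:tcp:zabbix"
printf '78.9.185.79\t# Zabbix\n' > "/etc/gen/firewall/host:${SERVER_IP}/10050:tcp:zabbix/allow"
/etc/init.d/ip_firewall restart
echo "Dodaj z laski swojej host $HOSTNAME o ip ${SERVER_IP} do zabbiksa"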
SNMPD - instalacja i konfiguracja
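# snmpd bound to the host address only, read community derived from the
# hostname, reachable only from the VPN address through the firewall tree.
# SERVER_IP comes from the base configuration step above.
: "${SERVER_IP:?SERVER_IP not set - run the base configuration step first}"
apt-get update
apt-get -y install snmpd
# -Lsd -> -LS6d: keep syslog (facility daemon) but cap at priority 6 (info).
# The unit file edit touches the vendor unit; a package upgrade overwrites it.
sed -i "s|-Lsd|-LS6d|" /etc/init.d/snmpd
sed -i "s|-Lsd|-LS6d|" /etc/default/snmpd
sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
systemctl daemon-reload
sed -i "s|udp:127.0.0.1:161|udp:${SERVER_IP}:161|" /etc/snmp/snmpd.conf
# NOTE(review): a community string of the form read-<hostname> is guessable by
# anyone who knows the hostname; it is a shared secret and should be random.
sed -i "s|rocommunity public default|rocommunity read-$(hostname) default|" /etc/snmp/snmpd.conf
systemctl restart snmpd
mkdir -p "/etc/gen/firewall/host:${SERVER_IP}/161:udp:snmp"
printf '78.9.185.84\t# JustNet VPN\n' > "/etc/gen/firewall/host:${SERVER_IP}/161:udp:snmp/allow"
/etc/init.d/ip_firewall restart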
Tworzymy hostname - w poleceniu należy zamienić _domena_ na używaną domenę
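# Set the FQDN and map the primary eth0 IPv4 address to it in /etc/hosts.
# Replace _domena_ with the domain in use.
FQDN=firma._domena_
# The original used an unquoted 'ip ad | grep inet | grep eth0' substitution:
# with more than one address on eth0 all of them ended up on a single hosts line.
HOST_IP=$(ip -4 -o addr show dev eth0 | awk 'NR==1{print $4}' | cut -d/ -f1)
: "${HOST_IP:?could not determine the eth0 IPv4 address}"
echo "$FQDN" > /etc/hostname
printf '%s %s\n' "$HOST_IP" "$FQDN" >> /etc/hosts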
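# Apache with ssl/rewrite/cgi enabled; 80 and 443 opened in the firewall tree.
# The original ran 'apt -y update apt-get install -y apache2' on one line
# (missing ';'), so apt update received arguments and apache2 was never installed.
apt -y update
apt-get install -y apache2
a2enmod ssl
a2enmod rewrite
a2enmod cgi
service apache2 restart
# Resolve the eth0 address once instead of repeating the pipeline per path.
HOST_IP=$(ip -4 -o addr show dev eth0 | awk 'NR==1{print $4}' | cut -d/ -f1)
: "${HOST_IP:?could not determine the eth0 IPv4 address}"
mkdir -p "/etc/gen/firewall/host:${HOST_IP}/80:tcp:http/"
mkdir -p "/etc/gen/firewall/host:${HOST_IP}/443:tcp:https/"
/etc/init.d/ip_firewall restart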
Instalacja certyfikatu SSL dla Apache z Let's Encrypt (HTTP-01)
# Apache certificate from Let's Encrypt using the HTTP-01 challenge.
apt -y update
apt-get install -y certbot python3-certbot-apache
systemctl restart apache2
# No authenticator flag is given, so certbot asks for the plugin interactively.
certbot -m webmaster@justnet.pl --agree-tos
systemctl restart apache2
# Formerly required, kept for reference:
#echo -e "<Directory /var/lib/letsencrypt/http_challenges/>\n\tOrder allow,deny\n\t\tallow from all\n\tRequire all granted\n</Directory>" > /etc/apache2/conf-available/lestencrypt.conf
#ln -s /etc/apache2/conf-available/lestencrypt.conf /etc/apache2/conf-enabled/lestencrypt.conf
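# PHP with the Apache module and the extensions used on these hosts.
# The original ran 'apt -y update apt-get -y install -y php ...' on one line
# (missing ';' and a doubled -y), so apt update received arguments and nothing
# was installed.
apt -y update
apt-get -y install php php-mysql libapache2-mod-php php-snmp php-imap php-gd \
  php-imagick php-mbstring php-cli php-pspell php-mail php-cgi php-soap
service apache2 restart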
MariaDB - instalacja pakietów
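# MariaDB: secure the install, expose the superuser for remote administration,
# open 3306 in the firewall tree and pull the deploy-server config.
# SERVER_IP comes from the base configuration step above.
: "${SERVER_IP:?SERVER_IP not set - run the base configuration step first}"
apt-get install -y mariadb-server
mysql_secure_installation
# NOTE(review): this renames root to jsql, makes it reachable from any host
# (host='%') and clears the auth plugin, leaving password auth only; the
# firewall allow list below is the sole network control on that account.
# On MariaDB 10.4+ mysql.user is a view and this UPDATE is rejected -
# RENAME USER / ALTER USER are the supported route; confirm against the
# installed version.
echo "update user set host='%',user='jsql',plugin='' where user='root'; flush privileges;" | mysql -u root -p mysql
# Path reconstructed: the wiki rendering had an unterminated command
# substitution here; the other snippets use ${SERVER_IP} for this component.
mkdir -p "/etc/gen/firewall/host:${SERVER_IP}/3306:tcp:mysqld"
# NOTE(review): this VPN address differs from the one in the ssh/snmp allow
# lists - confirm which is intended.
printf '195.54.47.33\t\t# JustNet VPN\n' >> "/etc/gen/firewall/host:${SERVER_IP}/3306:tcp:mysqld/allow"
/etc/init.d/ip_firewall restart
rsync -avz -e ssh jadmin@deploy.justnet.pl:storage/baseconfig/mariadb/ /
# NOTE(review): Debian's default 50-server.cnf aligns this key with several
# spaces; confirm the single-space pattern actually matches before relying on it.
sed -i "s|bind-address = 127.0.0.1|bind-address = ${SERVER_IP}|" /etc/mysql/mariadb.conf.d/50-server.cnf
systemctl restart mariadb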
PHPMyAdmin
// phpMyAdmin server entry (typically config.inc.php); $i is the server index
// set earlier in that file.
// NOTE(review): cookie auth requires $cfg['blowfish_secret'] to be set
// elsewhere in the file - confirm it is.
$cfg['Servers'][$i]['auth_type'] = 'cookie';
/* Server parameters */
$cfg['Servers'][$i]['host'] = 'xxx.xxx.xxx.xxx';   // placeholder - presumably the MariaDB bind address (SERVER_IP above); verify
$cfg['Servers'][$i]['verbose'] = 'Nazwa_Serwera';  // placeholder - display name shown in the server selector
// NOTE(review): connect_type is ignored by recent phpMyAdmin releases - confirm for the installed version.
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;    // keep false: logins with an empty password stay rejected