Posts Tagged ‘ Linux ’

Create a Debian Squeeze LXC template under Debian Squeeze

By default, the Debian container template script installs Debian Lenny, which is no longer the current stable release, so it makes sense for your new containers to run an up-to-date release. I have tried Squeeze so far, and haven’t tried testing or anything still in development yet, so I’ll tell you how to create a script that creates Debian Squeeze containers.

By default, the lxc package ships with a few different template scripts, located in the directory /usr/lib/lxc/templates/; the Debian one is called lxc-debian.
Copy it to the same directory under another name:

user@host:/usr/lib/lxc/templates$ sudo cp lxc-debian lxc-debian-squeeze

Open it with your favorite text editor and change the following lines:

dhcp-client,\

to

isc-dhcp-client,\

lenny $cache/partial-$arch http://ftp.debian.org/debian

to

squeeze $cache/partial-$arch http://ftp.debian.org/debian

cache="/var/cache/lxc/debian"

to

cache="/var/cache/lxc/debian-squeeze"

(this last one appears twice!)

… Or just apply the following patch:

--- lxc-debian	2011-02-08 01:03:22.931566630 +0000
+++ lxc-debian-squeeze	2011-02-08 01:19:46.287573988 +0000
@@ -90,7 +90,7 @@
 locales,\
 libui-dialog-perl,\
 dialog,\
-dhcp-client,\
+isc-dhcp-client,\
 netbase,\
 net-tools,\
 iproute,\
@@ -110,7 +110,7 @@
     echo "Downloading debian minimal ..."
     debootstrap --verbose --variant=minbase --arch=$arch \
 	--include $packages \
-	lenny $cache/partial-$arch http://ftp.debian.org/debian
+	squeeze $cache/partial-$arch http://ftp.debian.org/debian
     if [ $? -ne 0 ]; then
 	echo "Failed to download the rootfs, aborting."
 	return 1
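Review bot: the debootstrap call in this hunk still fetches the squeeze rootfs from http://ftp.debian.org/debian over plain HTTP and passes no --keyring option, so the integrity of everything installed into the container depends on debootstrap locating an archive keyring on the host by itself. Pass --keyring=/usr/share/keyrings/debian-archive-keyring.gpg explicitly so the Release signature is checked against a known keyring, and quote "$cache/partial-$arch" while the line is being touched.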
@@ -136,7 +136,7 @@
 
 install_debian()
 {
-    cache="/var/cache/lxc/debian"
+    cache="/var/cache/lxc/debian-squeeze"
     rootfs=$1
     mkdir -p /var/lock/subsys/
     (
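Review bot: the new cache path "/var/cache/lxc/debian-squeeze" is written as a literal in install_debian() here and again in clean() in the next hunk, which is why the manual instructions have to warn that it appears twice. Assign it once near the top of the script and have both functions read that variable, so a later release bump cannot leave install_debian() filling one cache while clean() checks another.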
@@ -220,7 +220,7 @@
 
 clean()
 {
-    cache="/var/cache/lxc/debian"
+    cache="/var/cache/lxc/debian-squeeze"
 
     if [ ! -e $cache ]; then
 	exit 0

And now you’re ready to create new Debian Squeeze containers :)

user@host:~$ sudo /usr/lib/lxc/templates/lxc-debian-squeeze -p /var/lib/lxc/my-awesome-debian-squeeze-container

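There’s something else you’ll probably need to do in order to log in on a tty with lxc-console: the template script does not create any of the /dev/tty devices, so you’ll need to create them by hand, or change the new template script to create them.

… cd to your container’s rootfs and execute the following commands (note the relative dev/ path, so the nodes are created inside the container’s rootfs and not in the host’s /dev):

user@host:/var/lib/lxc/my-awesome-debian-squeeze-container/rootfs$ sudo mknod -m 666 dev/tty1 c 4 1
user@host:/var/lib/lxc/my-awesome-debian-squeeze-container/rootfs$ sudo mknod -m 666 dev/tty2 c 4 2
user@host:/var/lib/lxc/my-awesome-debian-squeeze-container/rootfs$ sudo mknod -m 666 dev/tty3 c 4 3
user@host:/var/lib/lxc/my-awesome-debian-squeeze-container/rootfs$ sudo mknod -m 666 dev/tty4 c 4 4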

Now you may want to edit your container’s configuration, and then start using it.
For your convenience, you can set up a first container, do your initial configuration on it, and then leave it alone; every new container you want to create can then be just a copy of it. This will speed up container setup, just don’t forget to edit the new container’s configuration accordingly.

user@host:/var/lib/lxc$ sudo cp -a squeeze-base-container new-web-container

Install fuse powered filesystems within an LXC container

I’m running Debian Squeeze in an LXC container, and I needed to install SSHFS within the container, a FUSE-based filesystem which lets you mount remote filesystems through SSH. It shouldn’t be a problem, but fuse-utils depends on udev, and as you may know, LXC containers do not support udev, which will cause problems during the install.
While installing the udev package you’ll get some errors related to device creation, like the following one:

Populating the new /dev filesystem temporarily mounted on /tmp/udev.EgkS50/...
mknod: `//tmp/udev.EgkS50/ppp': Operation not permitted

In order to solve this I had to allow those new devices to be created, by adding the following lines to the container’s configuration file:

#ppp
lxc.cgroup.devices.allow = c 108:0 rwm
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#loop0
lxc.cgroup.devices.allow = b 7:0 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm

Now start your container and log in.
Then, because the udev install will break your created devices, you should back them up:

user@host:~$ sudo cp -a /dev /dev.old

Go and install your FUSE-based filesystem; I’ll be installing sshfs:

user@host:~$ sudo apt-get install sshfs

Restore your old devices:

user@host:~$ sudo cp -a /dev.old/* /dev/

Create the fuse device:

user@host:~$ sudo mknod /dev/fuse c 10 229

Prevent udev from starting at boot by disabling its init scripts:

user@host:~$ sudo update-rc.d -f udev disable

And that’s it, you should now be able to mount your fuse powered filesystem :-)
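
Each lxc.cgroup.devices.allow line added above widens what the container may create and open, so it is worth checking that a config grants only the devices you meant to grant. The following script is an added example, not part of the original post: it labels every allow rule using the four device numbers listed in this post and flags wildcard or "a" rules. The function names, the verdict labels and the sample config are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): audit the device whitelist of
# an LXC container config. Known device names are the post's four rules.

audit_lxc_devices() {
    # Reads a container config from the files given as arguments, or from
    # stdin when none are given; prints one verdict line per allow rule.
    awk '
    BEGIN {
        known["c 108:0"]  = "ppp";   known["c 10:229"] = "fuse"
        known["b 7:0"]    = "loop0"; known["c 10:200"] = "tun"
    }
    /^[ \t]*lxc\.cgroup\.devices\.allow[ \t]*=/ {
        sub(/^[^=]*=[ \t]*/, "")       # keep only "<type> <maj:min> <access>"
        type = $1; dev = $2; access = $3
        if (type == "a" || dev ~ /\*/)
            printf "BROAD   %s\n", $0  # a whole class of devices is opened
        else if ((type " " dev) in known)
            printf "OK      %s %s %s (%s)\n", type, dev, access, known[type " " dev]
        else
            printf "REVIEW  %s %s %s (not one of the devices in the post)\n", type, dev, access
    }' "$@"
}

# Constructed sample config: two of the post's rules plus three looser ones.
sample_config() {
    cat <<'EOF'
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.devices.allow = c 4:* rwm
lxc.cgroup.devices.allow = a
lxc.cgroup.devices.allow = b 8:0 rwm
EOF
}

sample_config | audit_lxc_devices
```

To check a real container, pass its config file as the argument instead of piping the sample.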

Tunneling network connections through SSH

Sometimes you may want to tunnel your connections through a secure SSH connection, because you want the traffic to be encrypted, because of a restrictive access rule in your firewall, or for any other reason.
I assume you have a regular account on a machine running an OpenSSH server, an OpenSSH client installed on your machine, and you’re running Linux.
What you have to do is bounce all network connections through a local SOCKS4 / SOCKS5 proxy created by the SSH connection. That can be done using the -D option of the OpenSSH client, in conjunction with the tsocks library. tsocks is basically a library which intercepts network connections from any application and redirects them through a SOCKS server. If you’re using Ubuntu there’s also a script with the same name which wraps it, allowing you to enable and disable the connection forwarding.

First you’ll need to configure the SOCKS server and port in the tsocks configuration file: edit the file /etc/tsocks.conf and set the following options:

server = 127.0.0.1
server_port = 1080

Then, open the SSH connection:

user@host$ ssh -NfD 1080 user@remote

The “D” will create the local SOCKS proxy, binding it to the given port (1080 is the default one), the “f” tells the client to execute in the background after logging in and executing the command, and the “N” tells the client not to execute any command. So, it’ll just create the SOCKS server and go to the background.

After that, just run the tsocks command (man tsocks for more information):

user@host$ tsocks

Now every connection made by every application you run in this shell session will be redirected through the SOCKS server, and will be made by the remote server.
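
The setup only protects traffic if tsocks really hands connections to the local ssh -D listener: SOCKS itself is not encrypted, so a server entry that points anywhere but loopback, or a port that does not match the one given to -D, defeats the tunnel. The following check is an added example, not part of the original post; the function name and messages are assumptions, and it assumes the file contains only the global server and server_port directives shown above.

```bash
#!/bin/sh
# Added example (not from the original post): sanity-check a tsocks.conf
# against the port passed to "ssh -D". Assumes only the global server and
# server_port directives shown in the post are present.

check_tsocks_conf() {
    # $1: port given to ssh -D; the config text is read from stdin.
    awk -v want="$1" '
    {
        sub(/#.*/, "")                     # drop comments
        if (split($0, kv, "=") != 2) next  # keep only "key = value" lines
        gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
        if (kv[1] == "server")      server = kv[2]
        if (kv[1] == "server_port") port   = kv[2]
    }
    END {
        if (port == "") port = 1080        # tsocks falls back to port 1080
        if (server !~ /^127\./) {
            print "FAIL: server " server " is not loopback; SOCKS traffic to it is not encrypted"
            exit 1
        }
        if (port + 0 != want + 0) {
            print "FAIL: server_port " port " does not match ssh -D " want
            exit 1
        }
        print "OK: tsocks -> " server ":" port " -> ssh tunnel"
    }'
}

# Constructed sample matching the post's settings and "ssh -NfD 1080".
printf 'server = 127.0.0.1\nserver_port = 1080\n' | check_tsocks_conf 1080
```

Against the real file, run it as: check_tsocks_conf 1080 < /etc/tsocks.conf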

Hope it helps someone! :)

SSHFS and multi-user access

In a situation described in a previous post, I needed to set up Apache with PHP files hosted on another machine; for that I used SSHFS to mount a remote directory in my Document Root over SSH. It uses FUSE and only requires an SSH server running on the target machine. So I wrote an init script to mount that directory before Apache starts, using an RSA SSH key for the login. But when I tried it I always got an HTTP 403 permission denied error; I checked and double-checked the permissions, and everything was right. OK, the problem is described here: since SSHFS uses FUSE, FUSE doesn’t allow users other than the one who mounted the remote directory to have access to it.

You have two options:

  1. Configure /etc/fuse.conf, setting the user_allow_other option
  2. Mount your remote directory as the user who’s gonna access it (if it will be only one user, like www-data), you can do it with the sudo -u option. man sudo for more info.