Installing Calculate in Debian LXC

Updated 7 March 2019


Only a few VPS/VDS providers let you install your own system from an ISO image instead of one of the more common preinstalled systems. You can nevertheless run Calculate Linux in a container. This solution has two main advantages:

  • Your system is not dependent on a hosting contract and can be easily transferred;
  • You can run as many Calculate Linux containers as you need, each dedicated to a specific task if you wish.

Let us take Debian 9 as an example of a host system.

Configuring the network bridge

First install the necessary software:

apt-get install bridge-utils

Configure the bridge by adding the following at the end of the configuration file:


auto br0
iface br0 inet static
bridge_ports none
bridge_fd 0

Restart the network:

systemctl restart networking

Make sure that the br0 network is up and running:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::418:f4ff:fe48:10e9  prefixlen 64  scopeid 0x20<link>
        ether 06:18:f4:48:10:e9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 438 (438.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Installing a container with Calculate Linux

Install all necessary software. To extract the system image, you will need the app-arch/xz-utils package, so install it:

apt-get install lxc xz-utils

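Install a recent Calculate Container Scratch version. The container name will be calculate. You will be prompted for an available version name (17.12.2). Note that --no-validate turns off GPG validation of the downloaded image, as the warning in the output below shows: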

lxc-create -n calculate -t download -- --server --no-validate -d CCS --arch x86_64
Downloading the image index
WARNING: Running without gpg validation!
CCS 17.12.2 x86_64  default 20180221

Release: 17.12.2

Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

You just created a Gentoo container (release=17.12.2, arch=amd64, variant=default)

To enable sshd, run: rc-update add sshd

For security reason, container images ship without user accounts
and without a root password.

Use lxc-attach or chroot directly into the rootfs to set a root password
or create user accounts.

Edit the container settings:


# Network configuration = veth = up = eth0 = br0 = = = 1

Restart the container and add the daemon to autostart:

systemctl start lxc

systemctl enable lxc
Synchronizing state of lxc.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable lxc

To check the container, run:

lxc-info -n calculate
Name:           calculate
State:          RUNNING
PID:            20111
CPU use:        8.16 seconds
BlkIO use:      50.00 MiB
Memory use:     58.30 MiB
KMem use:       6.67 MiB
Link:           veth0
 TX bytes:      858 bytes
 RX bytes:      438 bytes
 Total bytes:   1.27 KiB

Configuring Calculate Linux

Connect to the LXC system and

lxc-attach -n calculate


/etc/init.d/sshd start

rc-update add sshd default

cl-setup-locale -l ru_RU


Firewall configuration

You will need the Shorewall software to configure the routing and the firewall. First, install Shorewall:

apt-get install shorewall

Copy the template configuration:

cp /usr/share/shorewall/configfiles/{interfaces,policy,rules,snat,zones} /etc/shorewall/

Modify the common Shorewall settings, allowing the IP forwarding:



You need to know the interface name, as it will be specified in settings. If you do not know it, run:


ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500


In the examples below, ens3 stands for the interface name. Do not forget to replace it with yours!


#ZONE       TYPE
fw          firewall
loc         ipv4
net         ipv4

Define the interface zones:


net         ens3            tcpflags,nosmurfs,routefilter
loc         br0             tcpflags,nosmurfs,routefilter,routeback

Configure IP masquerading so that the container has an Internet connection:


Replace with your external IP.


#ACTION             SOURCE              DEST
SNAT(      ens3

Configure the connection policy: connections originating from the firewall and the local zone are allowed, while incoming connections from the net zone are dropped.


fw          all         ACCEPT
loc         all         ACCEPT
net         all         DROP
all         all         REJECT      INFO

Configure access to the host system: allow ping and ssh, and define a forwarding rule that exposes the container's ssh on port 222:


#ACTION             SOURCE          DEST                    PROTO       DPORT
Ping(ACCEPT)        all             $FW
SSH(ACCEPT)         net             $FW
DNAT                net             loc:      tcp         222
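
As an added example (not part of the original guide and not Shorewall's own code), the following Python sketch models how a new connection is resolved against the rules and policy files above, so you can check what the host actually exposes. CONTAINER_IP is a placeholder for the container address the page leaves out, the macro table covers only Ping and SSH, and DNAT traffic is assumed to arrive addressed to the host itself.

```python
# Simplified model: Shorewall checks the rules file first, then applies the
# first matching policy line. CONTAINER_IP is a placeholder (address elided).
RULES = """\
#ACTION             SOURCE          DEST                    PROTO       DPORT
Ping(ACCEPT)        all             $FW
SSH(ACCEPT)         net             $FW
DNAT                net             loc:CONTAINER_IP        tcp         222
"""
POLICY = """\
fw          all         ACCEPT
loc         all         ACCEPT
net         all         DROP
all         all         REJECT      INFO
"""
# Only the macros used on this page: name -> (protocol, port or ICMP type).
MACROS = {"Ping": ("icmp", "8"), "SSH": ("tcp", "22")}
FW = "fw"  # name of the firewall zone in the zones file; $FW refers to it

def rows(text):
    """Yield the columns of every non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def zone_matches(pattern, zone):
    """Match a SOURCE/DEST column ('all', 'net', '$FW', 'loc:ADDR') to a zone."""
    return pattern.replace("$FW", FW).split(":", 1)[0] in ("all", zone)

def verdict(src, dst, proto, dport):
    """Action for a new connection; dst is the zone addressed before any DNAT."""
    for action, r_src, r_dst, *rest in rows(RULES):
        if "(" in action:  # macro form such as SSH(ACCEPT)
            name, target = action.rstrip(")").split("(")
            r_proto, r_port = MACROS[name]
        else:
            target = action
            r_proto, r_port = (rest + ["all", "all"])[:2]
        # Assumption: DNAT traffic arrives addressed to the host itself.
        match_dst = FW if target == "DNAT" else r_dst
        if (zone_matches(r_src, src) and zone_matches(match_dst, dst)
                and r_proto in ("all", proto) and r_port in ("all", dport)):
            return f"DNAT->{r_dst}" if target == "DNAT" else target
    for p_src, p_dst, action, *_ in rows(POLICY):
        if zone_matches(p_src, src) and zone_matches(p_dst, dst):
            return action
    return "REJECT"
```

For instance, verdict("net", "fw", "tcp", "80") falls through the rules to the net policy, while verdict("net", "fw", "tcp", "222") is caught by the DNAT rule.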

Run Shorewall:

shorewall start

Check that the container is reachable via ssh on port 222:

ssh -p 222

where is the server.

If everything is OK, add Shorewall to autostart:

systemctl enable shorewall
Synchronizing state of shorewall.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable shorewall