Installing Calculate in Debian LXC

Updated 7 March 2019

Introduction

Only a few VPS/VDS server providers offer the possibility to install your own system from an ISO image rather than a more common one. You can nevertheless run Calculate Linux in a container. This solution has two main pros:

  • Your system is not dependent on a hosting contract and can be easily transferred;
  • You can use as many containers with Calculate Linux on board as you need, each of them dedicated to a specific task if you want so.

Let us take Debian 9 as an example of a host system.

Configuring the network bridge

First install the necessary software:

apt-get install bridge-utils

Configure the bridge by adding at the end of the configuration file:

/etc/network/interfaces

auto br0
iface br0 inet static
bridge_ports none
bridge_fd 0
address 192.168.0.1
netmask 255.255.255.0

Restart the network:

systemctl restart networking

Make sure that the br0 network is up and running:

ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::418:f4ff:fe48:10e9  prefixlen 64  scopeid 0x20<link>
        ether 06:18:f4:48:10:e9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 438 (438.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Installing a container with Calculate Linux

Install all necessary software. To extract the system image, you will need the app-arch/xz-utils package, so install it:

apt-get install lxc xz-utils

Install a recent Calculate Container Scratch version. The container name will be calculate. You will be prompted for an available version name (17.12.2):

lxc-create -n calculate -t download -- --server mirror.calculate-linux.org --no-validate -d CCS --arch x86_64
Downloading the image index
WARNING: Running without gpg validation!
---
DIST    RELEASE ARCH    VARIANT BUILD
---
CCS 17.12.2 x86_64  default 20180221
---

Release: 17.12.2

Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created a Gentoo container (release=17.12.2, arch=amd64, variant=default)

To enable sshd, run: rc-update add sshd

For security reason, container images ship without user accounts
and without a root password.

Use lxc-attach or chroot directly into the rootfs to set a root password
or create user accounts.

Edit the container settings:

/var/lib/lxc/calculate/config

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.link = br0
lxc.network.ipv4.address = 192.168.0.2/24
lxc.network.ipv4.gateway = 192.168.0.1
lxc.start.auto = 1

Restart the container and add the daemon to autostart:

systemctl start lxc

systemctl enable lxc
Synchronizing state of lxc.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable lxc

To check the container, run:

lxc-info -n calculate
Name:           calculate
State:          RUNNING
PID:            20111
IP:             192.168.0.2
CPU use:        8.16 seconds
BlkIO use:      50.00 MiB
Memory use:     58.30 MiB
KMem use:       6.67 MiB
Link:           veth0
 TX bytes:      858 bytes
 RX bytes:      438 bytes
 Total bytes:   1.27 KiB

Configuring Calculate Linux

Connect to the LCX system and

lxc-attach -n calculate

passwd

/etc/init.d/sshd start

rc-update add sshd default

cl-setup-locale -l ru_RU

exit

Firewall configuration

You will need the Shorewall software to configure the routing and the firewall. First, install Shorewall:

apt-get install shorewall

Copy the template configuration:

cp /usr/share/shorewall/configfiles/{interfaces,policy,rules,snat,zones} /etc/shorewall/

Modify the common Shorewall settings, allowing the IP forwarding:

/etc/shorewall/shorewall.conf

IP_FORWARDING=On

You need to know the interface name, as it will be specified in settings. If you do not know it, run:

ifconfig

...
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

Important

In the examples below, ens3 stands for the interface name. Do not forget to replace with yours!

/etc/shorewall/conf.d/zones

#ZONE       TYPE
fw          firewall
loc         ipv4
net         ipv4

Define the interface zones

/etc/shorewall/conf.d/interfaces

?FORMAT 2
#ZONE       INTERFACE       OPTIONS
net         ens3            tcpflags,nosmurfs,routefilter
loc         br0             tcpflags,nosmurfs,routefilter,routeback

Configure IP masquerading so that to have Internet connection in the container:

Important

Replace 12.34.56.78 with your external IP.

/etc/shorewall/conf.d/snat

#ACTION             SOURCE              DEST
SNAT(12.34.56.78)   192.168.0.0/24      ens3

Configure the connection policy: connections should be allowed in the local zone, while incoming calls are denied.

/etc/shorewall/conf.d/policy

#SOURCE     DEST        POLICY      LOGLEVEL
fw          all         ACCEPT
loc         all         ACCEPT
net         all         DROP
all         all         REJECT      INFO

Configure access to the host system: allow access for ping and ssh, and define the forwarding rule for the container ssh via the 222 port:

/etc/shorewall/conf.d/rules

?SECTION NEW
#ACTION             SOURCE          DEST                    PROTO       DPORT
Ping(ACCEPT)        all             $FW
SSH(ACCEPT)         net             $FW
DNAT                net             loc:192.168.0.2:22      tcp         222

Run(@debian) Shorewall:

shorewall start

Check accessing the container via ssh, port 222:

ssh -p 222 server.example.org

where server.example.org is the server.

If everything is OK, add Shorewall to autostart:

systemctl enable shorewall
Synchronizing state of shorewall.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable shorewall