Installing Calculate in Debian LXC
Updated 7 March 2019
Introduction
Only a few VPS/VDS providers let you install your own system from an ISO image instead of one of their standard templates. You can nevertheless run Calculate Linux in a container. This solution has two main advantages:
- Your system does not depend on the hosting contract and can be moved easily;
- You can run as many Calculate Linux containers as you need, each dedicated to a specific task if you wish.
We take Debian 9 as the host system in this example.
Configuring the network bridge
First install the necessary software:
apt-get install bridge-utils
Configure the bridge by adding the following at the end of the configuration file:
/etc/network/interfaces
auto br0
iface br0 inet static
    bridge_ports none
    bridge_fd 0
    address 192.168.0.1
    netmask 255.255.255.0
Restart the network:
systemctl restart networking
Make sure that the br0 interface is up and running (the output below is that of ifconfig):
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::418:f4ff:fe48:10e9  prefixlen 64  scopeid 0x20<link>
        ether 06:18:f4:48:10:e9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 438 (438.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Installing a container with Calculate Linux
Install the necessary software. To extract the system image you will need the xz-utils package (app-arch/xz-utils in Gentoo terms), so install it together with LXC:
apt-get install lxc xz-utils
Create a container from a recent Calculate Container Scratch (CCS) image using the LXC download template. The container will be named calculate; when prompted, enter the release shown in the image index (17.12.2):
Downloading the image index
WARNING: Running without gpg validation!
---
DIST RELEASE ARCH VARIANT BUILD
---
CCS 17.12.2 x86_64 default 20180221
---
Release: 17.12.2
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs
---
You just created a Gentoo container (release=17.12.2, arch=amd64, variant=default)
To enable sshd, run: rc-update add sshd
For security reason, container images ship without user accounts
and without a root password.
Use lxc-attach or chroot directly into the rootfs to set a root password
or create user accounts.
Edit the container settings:
/var/lib/lxc/calculate/config
# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.link = br0
lxc.network.ipv4.address = 192.168.0.2/24
lxc.network.ipv4.gateway = 192.168.0.1
lxc.start.auto = 1
Start the lxc service (it starts every container marked lxc.start.auto = 1) and enable it at boot:
systemctl start lxc
systemctl enable lxc
Synchronizing state of lxc.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable lxc
To check the container state, run lxc-info; the output should look like this:
Name:           calculate
State:          RUNNING
PID:            20111
IP:             192.168.0.2
CPU use:        8.16 seconds
BlkIO use:      50.00 MiB
Memory use:     58.30 MiB
KMem use:       6.67 MiB
Link:           veth0
 TX bytes:      858 bytes
 RX bytes:      438 bytes
 Total bytes:   1.27 KiB
Configuring Calculate Linux
Attach to the LXC container, set the root password, start sshd and add it to the default runlevel, set the locale, then leave the container:
lxc-attach -n calculate
passwd
/etc/init.d/sshd start
rc-update add sshd default
cl-setup-locale -l ru_RU
exit
Firewall configuration
You will need the Shorewall software to configure the routing and the firewall. First, install Shorewall:
apt-get install shorewall
Copy the template configuration:
cp /usr/share/shorewall/configfiles/{interfaces,policy,rules,snat,zones} /etc/shorewall/
Edit the main Shorewall configuration file to enable IP forwarding:
/etc/shorewall/shorewall.conf
IP_FORWARDING=On
You need to know the name of the external network interface, as it is used in the settings below. If you do not know it, run ifconfig and look for it in the output:
ifconfig
...
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
Important
In the examples below, ens3 stands for the external interface name. Do not forget to replace it with yours!
Define the zones:
/etc/shorewall/conf.d/zones
#ZONE   TYPE
fw      firewall
loc     ipv4
net     ipv4
Assign the interfaces to the zones:
/etc/shorewall/conf.d/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     ens3        tcpflags,nosmurfs,routefilter
loc     br0         tcpflags,nosmurfs,routefilter,routeback
Configure IP masquerading (SNAT) so that the container has Internet access:
Important
Replace 12.34.56.78 with your external IP.
/etc/shorewall/conf.d/snat
#ACTION             SOURCE          DEST
SNAT(12.34.56.78)   192.168.0.0/24  ens3
Configure the connection policy: the host and the local zone may connect anywhere, while incoming connections from the Internet are dropped by default.
/etc/shorewall/conf.d/policy
#SOURCE DEST    POLICY  LOGLEVEL
fw      all     ACCEPT
loc     all     ACCEPT
net     all     DROP
all     all     REJECT  INFO
Configure access to the host system: allow ping and ssh, and add a forwarding (DNAT) rule that sends port 222 to the container's ssh:
/etc/shorewall/conf.d/rules
?SECTION NEW
#ACTION         SOURCE  DEST                    PROTO   DPORT
Ping(ACCEPT)    all     $FW
SSH(ACCEPT)     net     $FW
DNAT            net     loc:192.168.0.2:22      tcp     222
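The following shell script is an added example; it is not part of the Calculate Linux page or of the Calculate project. It renders the container network block from the section above and the five Shorewall files from the values the page tells you to substitute (external interface, external IP, container IP, forwarded port), validating each value first so that a stray placeholder or a malformed interface name never reaches /etc. The function names, the output directory and the assumption that the container subnet is the /24 of the container address are this example's own.

```shell
#!/bin/sh
# Added example (not from the Calculate Linux page): render the LXC network
# block and the Shorewall files from validated site-specific values.
# Function names, output layout and the /24 assumption are this example's own.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac   # digits and dots only
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1              # reject "1..2.3"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the lxc.network.* block for /var/lib/lxc/<name>/config.
# Usage: render_lxc_net <container_ip> <gateway_ip>
render_lxc_net() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    cat <<EOF
# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.name = eth0
lxc.network.link = br0
lxc.network.ipv4.address = $1/24
lxc.network.ipv4.gateway = $2
lxc.start.auto = 1
EOF
}

# Write zones, interfaces, snat, policy and rules into <outdir> (a preview
# directory; copy them to /etc/shorewall yourself once reviewed).
# Usage: render_shorewall <outdir> <external_iface> <external_ip> [container_ip] [ssh_port]
render_shorewall() {
    outdir=$1
    ext_if=$2
    ext_ip=$3
    ct_ip=${4:-192.168.0.2}
    ssh_port=${5:-222}

    # Refuse anything that is not a plain interface name, address or port
    # before a single file is written.
    case "$ext_if" in
        ''|*[!A-Za-z0-9_.:-]*) echo "bad interface name: '$ext_if'" >&2; return 1 ;;
    esac
    valid_ipv4 "$ext_ip" || { echo "bad external IP: '$ext_ip'" >&2; return 1; }
    valid_ipv4 "$ct_ip"  || { echo "bad container IP: '$ct_ip'" >&2; return 1; }
    case "$ssh_port" in
        ''|*[!0-9]*) echo "bad port: '$ssh_port'" >&2; return 1 ;;
    esac
    [ "$ssh_port" -ge 1 ] && [ "$ssh_port" -le 65535 ] || { echo "port out of range" >&2; return 1; }

    mkdir -p "$outdir" || return 1

    cat > "$outdir/zones" <<EOF
#ZONE   TYPE
fw      firewall
loc     ipv4
net     ipv4
EOF

    cat > "$outdir/interfaces" <<EOF
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     $ext_if     tcpflags,nosmurfs,routefilter
loc     br0         tcpflags,nosmurfs,routefilter,routeback
EOF

    # Masquerade the container subnet (the /24 of the container address)
    # behind the external address.
    cat > "$outdir/snat" <<EOF
#ACTION             SOURCE          DEST
SNAT($ext_ip)       ${ct_ip%.*}.0/24  $ext_if
EOF

    # Default-deny from the Internet; host and local zone may go anywhere.
    cat > "$outdir/policy" <<EOF
#SOURCE DEST    POLICY  LOGLEVEL
fw      all     ACCEPT
loc     all     ACCEPT
net     all     DROP
all     all     REJECT  INFO
EOF

    # Only ping and ssh reach the host; the chosen port is forwarded to the
    # container's sshd. \$FW is escaped so Shorewall, not the shell, expands it.
    cat > "$outdir/rules" <<EOF
?SECTION NEW
#ACTION         SOURCE  DEST                    PROTO   DPORT
Ping(ACCEPT)    all     \$FW
SSH(ACCEPT)     net     \$FW
DNAT            net     loc:$ct_ip:22           tcp     $ssh_port
EOF
}

# Example invocation (interface name and address are made up):
#   render_shorewall /tmp/shorewall-preview ens3 12.34.56.78
#   render_lxc_net 192.168.0.2 192.168.0.1
```

Rendering into a preview directory and diffing it against /etc/shorewall before copying keeps the page's two "replace with yours" placeholders from being forgotten, and the validation rejects values such as an interface name containing shell metacharacters or an out-of-range octet, which would otherwise only be caught when shorewall start fails (or worse, silently misroutes traffic).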
Start Shorewall:
shorewall start
Check that the container is reachable via ssh on port 222:
ssh -p 222 server.example.org
where server.example.org is the hostname of your server.
If everything works, enable Shorewall at boot:
systemctl enable shorewall
Synchronizing state of shorewall.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable shorewall