https://github.com/archf/lxd-centos7

setup lxd 2.X from source on centos7

## Build and configure LXC and LXD on CentOS 7

### Preparation

Follow this guide.

### Build from source

You need to build LXC first and then LXD. See the `README` files in the
respective folders for details.

There are `Makefiles` you can use to grab dependencies, configure and compile
with the flags that worked for me.

## Network setup

Most of this could be replaced by the
[lxc-net](https://github.com/lxc/lxc/blob/master/config/init/common/lxc-net.in)
service or by this unit file:

```
[Unit]
Description=Bridge interface for LXC Containers
After=network.target

[Service]
Type=oneshot

# Bring up bridge interface
ExecStart=/sbin/brctl addbr lxcbr0
ExecStart=/sbin/ip address add 192.168.150.1/24 dev lxcbr0
ExecStart=/sbin/ip link set lxcbr0 up

# Keep the unit "active" once ExecStart has finished, so that ExecStop runs on stop
RemainAfterExit=yes

# Bring bridge interface down
ExecStop=/sbin/ip link set lxcbr0 down
ExecStop=/sbin/brctl delbr lxcbr0

[Install]
WantedBy=multi-user.target
```

This was taken from the
[vagrant-lxc](https://github.com/fgrehm/vagrant-lxc/wiki/Usage-on-fedora-hosts)
wiki (`brctl` comes from the `bridge-utils` package). Note that the unit names
the bridge `lxcbr0` while the firewall rules below use `br0`: pick one name and
use it everywhere, including in your LXC/LXD container configuration.

### Disable firewalld

`firewalld` and the `iptables` service both manage the same kernel tables and
must not run at the same time. Stop `firewalld` and disable it so it does not
come back at boot. Until the `iptables` rules below are loaded the host has no
packet filter at all, so do this with the rules ready:

```bash
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service
```

### Permanently disable checksum offloading on your bridge device

With TX checksum offloading enabled, DHCP replies sent by the host's dnsmasq
over the bridge can arrive in the container with an unfilled UDP checksum and
the DHCP client discards them. One fix is to turn offloading off every time
the bridge comes up. `ifup-post` runs `/sbin/ifup-local` with the interface
name as its first argument, so this only covers a bridge managed by an
`ifcfg-br0` file, not one created by the systemd unit above:

```bash
cat << 'EOF' | sudo tee /sbin/ifup-local
#!/bin/bash
# Called by /etc/sysconfig/network-scripts/ifup-post as: /sbin/ifup-local <interface>
DEVICE="$1"
if [ "${DEVICE}" = "br0" ]; then
    /sbin/ethtool -K "${DEVICE}" tx off
fi
EOF
sudo chmod +x /sbin/ifup-local
```

or leave offloading on and have netfilter fill in the checksum of DHCP replies
leaving the bridge (this is the rule `lxc-net` itself installs):

```bash
LXC_BRIDGE=br0
use_iptables_lock="-w"
iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
```

### With NAT

The `iptables` service (package `iptables-services`) restores
`/etc/sysconfig/iptables` at boot:

```bash
sudo yum install -y iptables-services
sudo systemctl start iptables
sudo systemctl enable iptables
```

Then as `root`:

```bash
# Enable routing now and on every boot (the sysctl.d file name is arbitrary)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/90-lxc-forward.conf

LXC_BRIDGE=br0
LXC_NETWORK=10.72.0.0/16
use_iptables_lock="-w"   # wait for the xtables lock instead of failing when another iptables is running

# DHCP and DNS from the containers to the dnsmasq instance on the bridge
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
# Route container traffic in both directions. This is lxc-net's default; the
# "-o" rule lets any interface initiate connections into the container network,
# add "-m state --state RELATED,ESTABLISHED" to it if that is not wanted.
iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
# Hide the container network behind the host's address
iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
```

Open the external interface for remote access to the LXD API (TCP 8443 by
default) and for whatever other services you expose from the host:

```bash
OFACE=ens1f3
iptables $use_iptables_lock -I INPUT -m multiport -i ${OFACE} -p tcp --dports 53,443,80,8080,8443 -j ACCEPT
iptables $use_iptables_lock -I INPUT -m multiport -i ${OFACE} -p udp --dports 53,443,80,8080,8443 -j ACCEPT

# Persist everything above so the iptables service reloads it at boot
iptables-save > /etc/sysconfig/iptables
```

Only open what you need: port 53 on the external interface exposes the host's
DNS forwarder (the bridge's dnsmasq, if it binds all addresses) to the outside
network, and the UDP rule does nothing for the TCP-only services (HTTP, HTTPS,
the LXD API).

The resulting ruleset, as shown by `iptables-save`, looks like this:

```
*nat
:PREROUTING ACCEPT [545973:82079852]
:INPUT ACCEPT [164:23927]
:OUTPUT ACCEPT [2248:144266]
:POSTROUTING ACCEPT [3255:204762]
-A POSTROUTING -s 10.72.0.0/16 ! -d 10.72.0.0/16 -j MASQUERADE
COMMIT
# Completed on Fri Dec 16 14:38:39 2016
# Generated by iptables-save v1.4.21 on Fri Dec 16 14:38:39 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:2408]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-I INPUT -m multiport -i ens1f3 -p tcp --dports 53,443,80,8080,8443 -j ACCEPT
-I INPUT -m multiport -i ens1f3 -p udp --dports 53,443,80,8080,8443 -j ACCEPT
-A INPUT -m multiport -i br0 -p tcp -m tcp --dports 53,67 -j ACCEPT
-A INPUT -m multiport -i br0 -p udp -m udp --dports 53,67 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

### Without NAT

Without NAT the physical interface is a port of the bridge and the containers
sit directly on the LAN, so any filtering between them and the LAN has to
happen at layer 2 with `ebtables`:

```bash
sudo yum install -y ebtables
sudo systemctl start ebtables
sudo systemctl enable ebtables
```

This is not recommended if there is another DHCP server on your network. I did
not find a way to block outside DHCP traffic.

*Tentative rules*

You might need this if you have another DHCP server on the network and no NAT.

**NOTE: I didn't get this to work.**

Block outside DHCP requests

```bash
iptables $use_iptables_lock -I INPUT -p udp --dport 67 -m physdev --physdev-out ens1f3 -j DROP
iptables $use_iptables_lock -I INPUT -p tcp --dport 67 -m physdev --physdev-out ens1f3 -j DROP

iptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -m physdev --physdev-in ens1f3 -j DROP

iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -m physdev --physdev-in ens1f3 -j DROP

iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -o ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -o ens1f3 -j DROP

iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -i ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -i ens1f3 -j DROP

iptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -o ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -o ens1f3 -j DROP

iptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -j DROP
iptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -j DROP

iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -j DROP

iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -m physdev --physdev-in br0 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -m physdev --physdev-in br0 -j DROP

iptables $use_iptables_lock -A FORWARD -p tcp --dport 67 -j LOG
```

Block outgoing response:

```bash
iptables $use_iptables_lock -I OUTPUT -p udp --dport 68 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p tcp --dport 68 -m physdev --physdev-in ens1f3 -j DROP

iptables $use_iptables_lock -I FORWARD -p udp --dport 68 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 68 -m physdev --physdev-in ens1f3 -j DROP
```
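The rules above work at the wrong layer. Frames that only go from one bridge
port to another are switched at layer 2 and never enter the iptables INPUT or
OUTPUT chains; they traverse FORWARD only when the `br_netfilter` module is
loaded and `net.bridge.bridge-nf-call-iptables=1`. In addition, `--physdev-in`
is only meaningful in PREROUTING, INPUT and FORWARD and `--physdev-out` in
FORWARD, OUTPUT and POSTROUTING (see `iptables-extensions(8)`), so the INPUT
and OUTPUT rules that use the other option can never match. The `ebtables`
service enabled at the top of this section is the tool for this job. The
script below is an added example and not part of the original README: it
assumes the bridge is `br0`, that the LAN-facing NIC passed as its argument
(`ens1f3` in this README) is a port of that bridge, and that the host's own
dnsmasq on `br0` should serve the containers only.

```shell
#!/bin/sh
# Added example, not part of the original README: keep DHCP from crossing the
# uplink port of a no-NAT bridge, filtering at layer 2 with ebtables.
# Assumptions (mine, not the project's): the bridge is br0, the LAN-facing NIC
# enslaved to it is passed as the first argument (ens1f3 in this README), and
# the host's own dnsmasq on br0 should serve the containers only.
set -eu

# Print the ebtables commands for UPLINK. UDP 67/68 covers both DHCP
# directions (client->server and server->client), so no DHCP frame may pass
# between the uplink port and the bridge or its other ports:
#   FORWARD -i  LAN server offers/ACKs towards the container ports
#   FORWARD -o  container requests leaking onto the LAN
#   INPUT   -i  LAN frames reaching the host's dnsmasq on br0
#   OUTPUT  -o  the host's dnsmasq replies leaving through the uplink
# Frames are matched on bridge ports, so neither br_netfilter nor the
# bridge-nf-call-iptables sysctl is involved. DHCPv6 would need the same four
# rules with -p IPv6 --ip6-proto udp --ip6-dport 546:547.
dhcp_isolation_rules() {
    uplink="$1"
    cat <<EOF
ebtables -A FORWARD -i ${uplink} -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -A FORWARD -o ${uplink} -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -A INPUT -i ${uplink} -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -A OUTPUT -o ${uplink} -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
EOF
}

# Install the rules (root and the ebtables package required). They are
# appended, so flush with `ebtables -F` before re-running.
apply_dhcp_isolation() {
    command -v ebtables >/dev/null 2>&1 || { echo "ebtables is not installed" >&2; return 1; }
    dhcp_isolation_rules "$1" | while IFS= read -r cmd; do
        eval "${cmd}"
    done
}

case "${1:-}" in
    show)  dhcp_isolation_rules "${2:-ens1f3}" ;;
    apply) apply_dhcp_isolation "${2:-ens1f3}" ;;
esac
```

Run `sh dhcp-isolation.sh show ens1f3` to review the rules and
`sudo sh dhcp-isolation.sh apply ens1f3` to install them; `ebtables -L --Lc`
shows per-rule counters, which increase while a container asks for a lease.
Because the INPUT rule also drops lease replies addressed to the host itself,
`br0` must carry a static address. Once the rules work, save them through the
`ebtables` service's save action (on CentOS 7 the service script is
`/usr/libexec/ebtables`; `systemctl cat ebtables` shows the exact paths on your
host) so they are restored at boot.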

### Sudoers quirks

This is really important: the source build installs `lxc` and `lxd` into
`/usr/local/bin`, which is not on the default `secure_path` of CentOS 7's
`/etc/sudoers`, and `always_set_home` makes `sudo lxc` run with root's `$HOME`,
so it looks for your client configuration and certificates under `/root`.

* Add `/usr/local/bin` to `secure_path`
* Remove the `always_set_home` directive
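A way to do both without editing `/etc/sudoers` itself, as an added example
that is not part of the original README: a drop-in under `/etc/sudoers.d`,
syntax-checked with `visudo` before it can lock you out. The drop-in name
`lxd` and the `/usr/local` prefix are assumptions of mine. Negating
`always_set_home` in a later file has the same effect as removing it, since
sudoers applies `Defaults` in order.

```shell
#!/bin/sh
# Added example, not part of the original README: sudoers drop-in for a
# source-built LXC/LXD. Assumptions: drop-in name "lxd", install prefix
# /usr/local.
set -eu

# Write the drop-in to PATH (use /etc/sudoers.d/lxd on the real host).
write_sudoers_dropin() {
    path="$1"
    umask 077
    cat > "${path}" <<'EOF'
# Source-built LXC/LXD lives in /usr/local; keep it reachable through sudo
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
# Keep the caller's HOME so `sudo lxc ...` finds the caller's ~/.config/lxc
Defaults !always_set_home
EOF
    # sudo ignores files in sudoers.d that are writable by group or others
    chmod 0440 "${path}"
}

# Syntax-check a drop-in without installing it; returns visudo's status.
check_sudoers_dropin() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found, skipping syntax check" >&2
        return 0
    fi
}

# Count the Defaults lines in PATH (quick self-check of what was written).
count_defaults() {
    grep -c '^Defaults' "$1"
}

if [ "${1:-}" = "install" ]; then
    write_sudoers_dropin /etc/sudoers.d/lxd
    check_sudoers_dropin /etc/sudoers.d/lxd
fi
```

After `sudo sh sudoers-lxd.sh install`, `sudo -l` lists the effective
`secure_path` and `!always_set_home` under "Matching Defaults entries", and
`sudo lxc list` should find both the binary and your client certificate.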

## Libvirt quirks

Avoid a conflict with the dnsmasq instance libvirt starts for its `default`
network (`virbr0`): either disable that network, or let libvirt create and
manage the `lxcbr0` bridge (and its dnsmasq) from a network definition of your
own.

```bash
# Disable libvirt's default network (the virsh network is called "default", its bridge "virbr0")
sudo virsh net-destroy default
sudo virsh net-autostart --disable default

# Or define lxcbr0 as a libvirt network from your own XML
sudo virsh net-define --file ~/lxcbr0.xml
sudo virsh net-autostart lxcbr0
sudo virsh net-start lxcbr0
```
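The README does not show `~/lxcbr0.xml`. As an added example (not the
project's own file) here is a definition matching the `10.72.0.0/16` container
network from the NAT section; the bridge name, gateway address and DHCP range
are assumptions of mine. With `<forward mode="nat"/>` libvirt creates the
bridge, runs dnsmasq bound to it and installs the NAT, FORWARD and DHCP
checksum iptables rules itself, so the manual rules above are not needed for
this bridge.

```shell
#!/bin/sh
# Added example, not part of the original README: libvirt network definition
# for the lxcbr0 bridge. Assumptions: bridge name lxcbr0, gateway 10.72.0.1/16,
# DHCP range 10.72.0.2-10.72.255.254.
set -eu

# Write the network XML for BRIDGE (default lxcbr0) to PATH.
write_lxcbr0_xml() {
    path="$1"; bridge="${2:-lxcbr0}"
    cat > "${path}" <<EOF
<network>
  <name>${bridge}</name>
  <bridge name="${bridge}" stp="on" delay="0"/>
  <forward mode="nat"/>
  <ip address="10.72.0.1" netmask="255.255.0.0">
    <dhcp>
      <range start="10.72.0.2" end="10.72.255.254"/>
    </dhcp>
  </ip>
</network>
EOF
}

# Validate the file against libvirt's RelaxNG schema when it is installed.
validate_network_xml() {
    schema=/usr/share/libvirt/schemas/network.rng
    if command -v xmllint >/dev/null 2>&1 && [ -r "${schema}" ]; then
        xmllint --noout --relaxng "${schema}" "$1"
    else
        echo "xmllint or ${schema} missing, skipping validation" >&2
    fi
}

# Return the bridge name the XML declares (cheap self-check).
bridge_name_in_xml() {
    sed -n 's/.*<bridge name="\([^"]*\)".*/\1/p' "$1"
}

if [ "${1:-}" = "define" ]; then
    write_lxcbr0_xml "${HOME}/lxcbr0.xml"
    validate_network_xml "${HOME}/lxcbr0.xml"
    sudo virsh net-define --file "${HOME}/lxcbr0.xml"
    sudo virsh net-autostart lxcbr0
    sudo virsh net-start lxcbr0
fi
```

`sh lxcbr0-net.sh define` writes, validates and activates the network;
`virsh net-dumpxml lxcbr0` shows the definition libvirt actually stored, and
`ps -o args -C dnsmasq` confirms the dnsmasq instance is bound to `lxcbr0`.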

## Debugging

List the listening sockets with their owning processes. Check that the bridge's
dnsmasq listens on the bridge address only and that `lxd` listens on 8443 if
you opened it for remote access:

```bash
sudo netstat -l -n -4 -p
# or, with iproute2 (netstat is in the separate net-tools package on CentOS 7):
sudo ss -lntup
```