https://github.com/archf/lxd-centos7
setup lxd 2.X from source on centos7
- Host: GitHub
- URL: https://github.com/archf/lxd-centos7
- Owner: archf
- Created: 2016-12-16T19:52:38.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2016-12-16T19:55:06.000Z (over 9 years ago)
- Last Synced: 2025-03-18T14:49:03.125Z (over 1 year ago)
- Language: Makefile
- Homepage:
- Size: 5.86 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
## Build and configure LXC and LXD on CentOS 7
### Preparation
Follow this guide.
### Build from source
You need to build LXC first and then LXD. See the `README` files in the respective
folders for details.
There are `Makefile`s you can use to grab dependencies, then configure and compile
with the flags that worked for me.
## Network setup
Most of this could be replaced by the
[lxc-net](https://github.com/lxc/lxc/blob/master/config/init/common/lxc-net.in)
service or by this unit file:
```
[Unit]
Description=Bridge interface for LXC Containers
[Service]
Type=oneshot
# Bring up bridge interface
ExecStart=/sbin/brctl addbr lxcbr0
ExecStart=/sbin/ip address add 192.168.150.1/24 dev lxcbr0
ExecStart=/sbin/ip link set lxcbr0 up
RemainAfterExit=yes
# Bring bridge interface down
ExecStop=/sbin/ip link set lxcbr0 down
ExecStop=/sbin/brctl delbr lxcbr0
```
This was taken from the
[vagrant-lxc](https://github.com/fgrehm/vagrant-lxc/wiki/Usage-on-fedora-hosts)
wiki.
### Disable firewalld
```bash
# Stop it now and keep it from starting again at boot
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service
```
### Permanently disable checksum offloading on your bridge device
```bash
cat << 'EOF' | sudo tee /sbin/ifup-local
#!/bin/sh
# The network scripts run this hook after every ifup and pass the
# interface name as the first argument.
if [ "$1" = 'br0' ]
then
    /sbin/ethtool -K "$1" tx off
fi
EOF
sudo chmod +x /sbin/ifup-local
```
or, instead, have iptables fill in the checksum of DHCP replies leaving the bridge (the `$use_iptables_lock` and `${LXC_BRIDGE}` variables are set in the NAT section below):
```bash
iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
```
### With NAT
```bash
sudo systemctl start iptables
sudo systemctl enable iptables
```
Then as `root`:
```bash
echo 1 > /proc/sys/net/ipv4/ip_forward
LXC_BRIDGE=br0
LXC_NETWORK=10.72.0.0/16
use_iptables_lock="-w"
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
```
Give remote access to the LXD hypervisor and some other optional ports.
```bash
OFACE=ens1f3
iptables $use_iptables_lock -I INPUT -m multiport -i ${OFACE} -p tcp --dports 53,443,80,8080,8443 -j ACCEPT
iptables $use_iptables_lock -I INPUT -m multiport -i ${OFACE} -p udp --dports 53,443,80,8080,8443 -j ACCEPT
```
This results in an `iptables-save` ruleset like the following:
```
*nat
:PREROUTING ACCEPT [545973:82079852]
:INPUT ACCEPT [164:23927]
:OUTPUT ACCEPT [2248:144266]
:POSTROUTING ACCEPT [3255:204762]
-A POSTROUTING -s 10.72.0.0/16 ! -d 10.72.0.0/16 -j MASQUERADE
COMMIT
# Completed on Fri Dec 16 14:38:39 2016
# Generated by iptables-save v1.4.21 on Fri Dec 16 14:38:39 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:2408]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-I INPUT -m multiport -i ens1f3 -p tcp --dports 53,443,80,8080,8443 -j ACCEPT
-I INPUT -m multiport -i ens1f3 -p udp --dports 53,443,80,8080,8443 -j ACCEPT
-A INPUT -m multiport -i br0 -p tcp -m tcp --dports 53,67 -j ACCEPT
-A INPUT -m multiport -i br0 -p udp -m udp --dports 53,67 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```
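As an added check, not part of this repository, the Python script below parses an `iptables-save` dump like the one above and reports where it departs from the policy the rules are meant to enforce: the MASQUERADE rule must be limited to `LXC_NETWORK` and exclude container-to-container traffic, the bridge must only be accepted for DNS and DHCP, the outside interface must only expose an explicit allow-list, and INPUT must end with a REJECT/DROP. The embedded dump is a constructed, condensed copy of the output shown above.

```python
import shlex
# Constructed sample, condensed from the iptables-save output shown above.
SAMPLE = """\
*nat
-A POSTROUTING -s 10.72.0.0/16 ! -d 10.72.0.0/16 -j MASQUERADE
COMMIT
*filter
-I INPUT -m multiport -i ens1f3 -p tcp --dports 53,443,80,8080,8443 -j ACCEPT
-I INPUT -m multiport -i ens1f3 -p udp --dports 53,443,80,8080,8443 -j ACCEPT
-A INPUT -m multiport -i br0 -p tcp -m tcp --dports 53,67 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rules(dump):
    # Return (table, chain, opts) per -A/-I line; opts maps a flag to (negated, value).
    table, rules = None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith(("-A ", "-I ")):
            toks, opts, neg, i = shlex.split(line), {}, False, 2
            while i < len(toks):
                if toks[i] == "!":  # negation applies to the next match, e.g. '! -d NET'
                    neg, i = True, i + 1
                    continue
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith(("-", "!"))
                opts[toks[i]] = (neg, toks[i + 1] if has_val else None)
                neg, i = False, i + (2 if has_val else 1)
            rules.append((table, toks[1], opts))
    return rules

def audit(dump, bridge, outside, allowed_outside_ports, lxc_net):
    # Return policy deviations; an empty list means the dump matches the intended policy.
    findings, rules = [], parse_rules(dump)
    for table, chain, o in rules:
        if (table == "nat" and chain == "POSTROUTING" and o.get("-j") == (False, "MASQUERADE")
                and (o.get("-s") != (False, lxc_net) or o.get("-d") != (True, lxc_net))):
            findings.append("MASQUERADE not limited to %s with container-to-container traffic excluded" % lxc_net)
    inbound = [o for t, c, o in rules if t == "filter" and c == "INPUT"]
    if not inbound or inbound[-1].get("-j", (False, None))[1] not in ("REJECT", "DROP"):
        findings.append("INPUT chain does not end with REJECT/DROP")
    for o in (o for o in inbound if o.get("-j") == (False, "ACCEPT")):
        spec = o.get("--dports", o.get("--dport", (False, None)))[1]
        iface, ports = o.get("-i", (False, None))[1], ({int(p) for p in spec.split(",")} if spec else set())
        if iface == bridge and not ports <= {53, 67}:
            findings.append("%s accepts more than DNS/DHCP: %s" % (bridge, sorted(ports)))
        if iface == outside and not ports <= allowed_outside_ports:
            findings.append("%s exposes %s" % (outside, sorted(ports - allowed_outside_ports)))
    return findings
```

Run it against `iptables-save` output from the host (`iptables-save | python3 -c '...'` or by reading the dump from a file) after each change to the rules.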
### Without NAT
```bash
sudo systemctl start ebtables
sudo systemctl enable ebtables
```
This is not recommended if there is another DHCP on your network. I did not
find a way to block outside DHCP traffic.
*Tentative rules*
You might need this if you have another DHCP server on the network and no
NAT.
**NOTE: I didn't get this to work**
Block outside DHCP requests:
```bash
iptables $use_iptables_lock -I INPUT -p udp --dport 67 -m physdev --physdev-out ens1f3 -j DROP
iptables $use_iptables_lock -I INPUT -p tcp --dport 67 -m physdev --physdev-out ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -o ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -o ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -i ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -i ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -o ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -o ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p tcp --dport 67 -j DROP
iptables $use_iptables_lock -I OUTPUT -p udp --dport 67 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 67 -m physdev --physdev-in br0 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 67 -m physdev --physdev-in br0 -j DROP
iptables $use_iptables_lock -A FORWARD -p tcp --dport 67 -j LOG
```
Block outgoing response:
```bash
iptables $use_iptables_lock -I OUTPUT -p udp --dport 68 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I OUTPUT -p tcp --dport 68 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p udp --dport 68 -m physdev --physdev-in ens1f3 -j DROP
iptables $use_iptables_lock -I FORWARD -p tcp --dport 68 -m physdev --physdev-in ens1f3 -j DROP
```
### Sudoers quirks
This is really important:
* Add `/usr/local/bin` to `secure_path`
* Remove the `always_set_home` directive
## Libvirt quirks
Avoid conflicts with the existing dnsmasq instance started by libvirt.
Either disable the `default` network (which backs `virbr0`) or create the `lxcbr0` bridge with `libvirt`:
```bash
# Stop the libvirt "default" network (virbr0) and keep it from autostarting
sudo virsh net-destroy default
sudo virsh net-autostart --disable default
# Or define and start lxcbr0 as a libvirt network instead
sudo virsh net-define --file ~/lxcbr0.xml
sudo virsh net-autostart lxcbr0
sudo virsh net-start lxcbr0
```
## Debugging
List listening IPv4 sockets together with the processes that own them:
```bash
sudo netstat -l -n -4 -p
```