These steps work well on a Debian Lenny 5.0 container. After logging into the container for the first time:

1. Type passwd and enter your new UNIX password.

2. Configure locales:

       dpkg-reconfigure locales

   Select your language from the long list. NOTE: should be in utf8 format and the default for the container. Clear out your locales cache:

       apt-get install localepurge

   Then run localepurge.

3. Configure local time. VERY IMPORTANT if you want to avoid problems with syncing timestamped files later (yikes!). Do this:

       dpkg-reconfigure tzdata

   and select the correct timezone. Then run this:

       diff -s /etc/localtime /usr/share/zoneinfo/`cat /etc/timezone`

   .. these should be the same, and when you "poweroff" from the console you should see local time being correctly reported.

4. apt-get install vim-nox

5. Get a decent set of sources from here: http://debgen.simplylinux.ch/ - include "main", "security" and "volatile" repos.

       vi /etc/apt/sources.list

   Paste your new sources in and save.

       apt-get update
       apt-get upgrade

6. vi /etc/network/interfaces and set up a static ip for the container as you normally would.

       /etc/init.d/networking restart

   Check the output of ifconfig - your network should reflect your changes.

7. vi /etc/hosts - write out the hosts file as you normally would - note that this will be a new file since the default container doesn't have a hosts file.

       echo hostname.example.tld > /etc/hostname
       /etc/init.d/hostname.sh start

   The output of hostname and hostname -f should now be hostname.example.tld

-----------------------

You should be good to go now with installing a base system for use in a multiserver setup, although the master server (with quota installed) will still have to reside on the host server/physical machine unless you customize your fstab in the container.

-----------------------

Regards.
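As an added check (example script, not part of the post above), the POSIX sh functions below verify the outcome of steps 3 and 7 on a container: that /etc/localtime is identical to the zone named in /etc/timezone, and that /etc/hostname holds an FQDN that /etc/hosts will resolve for hostname -f. The optional rootfs argument is an assumption so a stopped container can be inspected from the host; with no argument it checks the running system.

```shell
#!/bin/sh
# Added example, not from the original post: verify the results of steps 3 and 7
# on a container rootfs.  ROOT is an optional path (assumed convention) so a stopped
# container's rootfs can be checked from the host; with no argument it checks "/".

# Step 3: /etc/localtime must be byte-identical to the zoneinfo file named in
# /etc/timezone, otherwise timestamps on files synced with the host will drift.
check_timezone() {
    root=${1:-}
    tz=$(cat "$root/etc/timezone" 2>/dev/null) || return 1
    [ -n "$tz" ] || return 1
    cmp -s "$root/etc/localtime" "$root/usr/share/zoneinfo/$tz"
}

# Step 7: /etc/hostname must hold a fully-qualified name, and /etc/hosts must list
# that name first after an address (hostname -f uses the canonical name, i.e. the
# first name on the matching line), otherwise it fails or answers "localhost".
check_hostname() {
    root=${1:-}
    fqdn=$(cat "$root/etc/hostname" 2>/dev/null) || return 1
    short=${fqdn%%.*}
    [ "$short" != "$fqdn" ] || return 1                # no dot: not an FQDN
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')  # escape dots for the regex
    grep -Ev '^[[:space:]]*#' "$root/etc/hosts" 2>/dev/null |
        grep -Eq "^[[:space:]]*[0-9a-fA-F.:]+[[:space:]]+$fqdn_re([[:space:]]|\$)"
}

# Run both checks and report; exit status is non-zero if either fails.
check_container() {
    root=${1:-}
    rc=0
    if check_timezone "$root"; then echo "timezone: OK"
    else echo "timezone: /etc/localtime does not match /etc/timezone"; rc=1; fi
    if check_hostname "$root"; then echo "hostname: OK"
    else echo "hostname: not an FQDN or not first in its /etc/hosts line"; rc=1; fi
    return $rc
}
```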
Additional base packages

I have found that installing the following packages right at the start is helpful later down the track:

    apt-get install vim-nox rsyslog sudo ssh

rsyslog sets up the required mail.err and mail.warn logs in the /var/log directory; cron is also installed as a dependency.
Manage rkhunter warnings properly: Rkhunter in a LXC.

I was getting rkhunter warnings about the absence of the /lib/modules directory in a LXC running Debian 5.0 Lenny, so with a bit of skulduggery I simply created the directory /lib/modules. Later, when I started running Debian Sid (testing) containers, the rkhunter warning went further to complain that /lib/modules was "either missing or empty", so I put a dummy file in there and all is good for now.

    vi /lib/modules
    ## This is a dummy file located /lib/modules in a LXC

I have found it better to deal with rkhunter on a fresh install of ISPConfig3 (or any system where it is installed) as follows:

1. Update rkhunter:

       root@lxchost:~# rkhunter --update
       [ Rootkit Hunter version 1.3.6 ]
       Checking rkhunter data files...
         Checking file mirrors.dat        [ No update ]
         Checking file programs_bad.dat   [ updated ]
         Checking file backdoorports.dat  [ updated ]
         Checking file suspscan.dat       [ No update ]
         Checking file i18n/cn            [ No update ]
         Checking file i18n/de            [ No update ]
         Checking file i18n/en            [ No update ]
         Checking file i18n/zh            [ No update ]
         Checking file i18n/zh.utf8       [ No update ]

2. Run rkhunter to report warnings only:

       rkhunter -c --rwo

3. Deal with any warnings as you will. For example:

       vi /etc/rkhunter.conf

   Change ALLOW_SSH_ROOT_USER=no (line 199) to ALLOW_SSH_ROOT_USER=yes, then :x

4. Run a check again to make sure all spurious warnings have been dealt with.

5. When you are happy that all is well (and only then!) you can run a system-wide acceptance of the changes you have made:

       rkhunter --propupdate

6. You will still get warnings in the future about possible compromise. For example, if I reconfigure debconf and decide to go with readline instead of dialog inside a LXC, rkhunter will log the change, and this is a good thing.
Portable ISPConfig 3 using an lxc container??

When formatting my hard drive on the host I thought I might format a couple of USB drives I had so that they would mount when I booted the system. I gave one a mount point of /mail2 and the other a mount point of /web2. Additionally I gave them user and group quota. Here are the fstab entries on the host:

    # /mail2 was on /dev/sdc1 during installation
    UUID=e86c7cd4-cf2c-4064-8c55-c2ae06d1b1b2 /mail2 ext4 rw,nosuid,usrquota,grpquota 0 2
    # /web2 was on /dev/sdb1 during installation
    UUID=a3bffff2-49bf-45cb-ba4e-1c0d35adfbad /web2 ext4 rw,nosuid,usrquota,grpquota 0 2

They have to be "rw" in order for debootstrap to write to them.

    root@lxchost:/web2# ls
    aquota.group  aquota.user  lost+found

NOTE: I am using the latest templates from the lxc git, which I name and copy into /usr/lib/lxc/templates (in this case I have called the template "lxc-debian-my").

    chmod +x /usr/lib/lxc/templates/lxc-debian-my
    /usr/lib/lxc/templates/lxc-debian-my -p /mail2

This downloads a Debian Squeeze minimal right into the flash drive.

    root@lxchost:~# ls /var/lib/lxc/
    db  mail  ns1  ns2  web

(Those are my other containers already running in the multiserver setup.)

To give the container an init script so as not to crash the host:

    ln -s /mail2 /var/lib/lxc/mail2
    root@lxchost:~# ls /var/lib/lxc/
    db  mail  mail2  ns1  ns2  web

There it is, "mail2" ... And now to start the container:

    root@lxchost:~# lxc-start -n mail2 -d
    root@lxchost:~# lxc-info -n mail2
    'mail2' is RUNNING
    root@lxchost:~# lxc-ps --name mail2 --forest
    CONTAINER    PID TTY          TIME CMD
    mail2      25493 ?        00:00:00 init
    mail2      25709 ?        00:00:00  \_ dhclient3
    mail2      25785 ?        00:00:00  \_ sshd
    mail2      25802 pts/30   00:00:00  \_ getty
    mail2      25803 pts/26   00:00:00  \_ getty
    mail2      25804 pts/27   00:00:00  \_ getty
    mail2      25805 pts/28   00:00:00  \_ getty
    mail2      25806 pts/29   00:00:00  \_ getty

So the system is up and running, and now to configure and install ISPConfig 3.
The next step might be to work out how to use quota inside the container - I can't figure it out and would appreciate help. I'll be trying to plug this node into an ISPConfig install on a completely different system and see how that goes.
Is there any special reason why you use lxc and not openvz? I checked lxc a few months ago and, as far as I have seen, lxc has no quota support yet and no advanced vm limits. LXC seemed not to be mature enough for a real deployment, so I use openvz as the container system on my servers and it works great.
lxc is my first experience with virtualisation, and I do hear that it does have quota support - I just don't know how yet. They are very fast systems - easy to make and destroy (ultra lightweight). As to openvz, I read that it is very good and see a lot of people use it, but I have not tried it. To answer your question properly, I think it is just a matter of preference for me.

This from the control panel on the host:

    Filesystem  Type      Size   Used  Available  Use%  Mounted on
    /dev/sda3   ext4      74G    6.3G  64G        9%    /
    none        devtmpfs  998M   240K  997M       1%    /dev
    none        tmpfs     1005M  0     1005M      0%    /dev/shm
    none        tmpfs     1005M  72K   1005M      1%    /var/run
    none        tmpfs     1005M  0     1005M      0%    /var/lock
    /dev/sdb1   ext4      3.7G   72M   3.5G       3%    /web2
    /dev/sdc1   ext4      3.7G   282M  3.3G       8%    /mail2
    /dev/sda1   ext4      472M   48M   400M       11%   /boot

This from the database node:

    Filesystem  Type    Size   Used  Available  Use%  Mounted on
    tmpfs       tmpfs   1005M  0     1005M      0%    /lib/init/rw
    tmpfs       tmpfs   1005M  0     1005M      0%    /dev/shm
    rootfs      rootfs  74G    6.3G  64G        9%    /

I realise this is not the way to go for production servers yet, but I think there is potential there.
A better solution is to disable the "os_specific" test in /etc/rkhunter.conf. See: http://www.mail-archive.com/[email protected]/msg01719.html

On Linux os_specific runs 2 tests:
- check which modules are loaded
- check modules on the disk

As you have neither in a container you can safely disable this test.

Hope this helps
LeTic
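Both LeTic's suggestion and step 3 of the earlier rkhunter post come down to editing /etc/rkhunter.conf. The functions below are an added example (not LeTic's code and not part of rkhunter) that add one test name to the DISABLE_TESTS directive idempotently, so the tests rkhunter already skips by default are kept rather than overwritten; only the DISABLE_TESTS directive and its quoted or unquoted space-separated value are assumed.

```shell
#!/bin/sh
# Added example (not LeTic's code and not part of rkhunter): add one test name to
# DISABLE_TESTS in a rkhunter.conf, keeping the tests the file already disables.
# Only the DISABLE_TESTS directive is assumed; no rkhunter command line is needed.

# Print the value of the active DISABLE_TESTS line, quotes and padding stripped.
disabled_tests() {
    awk -F= '/^[ \t]*DISABLE_TESTS[ \t]*=/ { v = $2 }
             END { gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v }' "$1"
}

# Succeed if TEST ($2) is already listed in DISABLE_TESTS of CONF ($1).
test_disabled() {
    for t in $(disabled_tests "$1"); do
        [ "$t" = "$2" ] && return 0
    done
    return 1
}

# Add TEST ($2) to DISABLE_TESTS in CONF ($1), in place and idempotently.  Several
# active DISABLE_TESTS lines are collapsed into one; a file without one gets a new
# line.  The file is rewritten through a temporary copy so its mode/owner survive.
rkhunter_disable_test() {
    conf=$1 name=$2
    test_disabled "$conf" "$name" && return 0
    if grep -Eq '^[[:space:]]*DISABLE_TESTS[[:space:]]*=' "$conf"; then
        cur=$(disabled_tests "$conf")
        awk -v val="DISABLE_TESTS=\"${cur:+$cur }$name\"" '
            /^[ \t]*DISABLE_TESTS[ \t]*=/ { if (!done) print val; done = 1; next }
            { print }' "$conf" > "$conf.tmp" &&
            cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
    else
        printf 'DISABLE_TESTS="%s"\n' "$name" >> "$conf"
    fi
}
```

For the case in this thread the call is rkhunter_disable_test /etc/rkhunter.conf os_specific, followed by rkhunter -c --rwo to confirm the /lib/modules warning is gone.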