I’ve completed setting up my comfort set of LXC containers and want to save some points I spent a lot of time for or things for copy-paste.
I used the official Ubuntu Server Guide but note at Digital Ocean knowledge base also helped me a lot. I created 3 containers: one for vpn, one for site on Drupal and last one as www proxy for second one with nginx only.
Create LXC container
Pretty simple, create container with Ubuntu in it:
lxc-create -n [container_name] -t ubuntu
Next, start it:
lxc-start -d -n [container_name]
-d arg is essential, otherwise you will fell into containers command line and stuck in it.
Attach to started container:
lxc-attach -n [container_name]
All containers are created with default user:password «ubuntu:ubuntu». I strongly recommend to delete it, it is out of use:
userdel ubuntu rm -rf /home/ubuntu
Autostart LXC container
I wanted all my containers to start automatically. You can find instructions in Ubuntu server guide (edit
# Autostart lxc.start.auto = 1 lxc.start.delay = 5
Read as follows: autostart container and wait 5 seconds before starting next one.
OpenVPN in LXC
VPN server is not working out-of-box in LXC container. You need to add following option in container config (
# OpenVPN lxc.cgroup.devices.allow = c 10:200 rwm
At first time you will also need to run commands as root to create file for tun device:
mkdir /dev/net mknod /dev/net/tun c 10 200 chmod 0666 /dev/net/tun
Iptables with LXC containers
I needed to forward 80 and 443 ports to container with ip 10.0.3.100 and 1194 (OpenVPN) port to 10.0.3.200. To do so, perform at host machine:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.3.100:80 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.3.100:443 iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 10.0.3.200:1194
but these changes will be lost after reboot. To save them, install
apt-get install -y iptables-persistent
and agree to save current iptables settings.
The last problem was that iptables rules are correct, but not loaded by iptables-persistent. But if I run
service iptables-persistent start manually after booting, everything is ok, port forwarding works. In
/var/lib/boot.log I saw line:
I believe, the problem is in boot and init order, so I added iptables-persistent start after network is up. Create file
#!/usr/bin/env bash service iptables-persistent start
and make it executable:
chmod +x /etc/network/if-up.d/iptables-persistent
At next boot iptables will fall at boot, but will be reloaded after network is up.