Tips for LXC: creation, autostart, OpenVPN and port forwarding to containers

I’ve finished setting up my usual set of LXC containers and want to write down the points that cost me a lot of time, plus a few things worth keeping for copy-paste.

I used the official Ubuntu Server Guide, and a note in the Digital Ocean knowledge base also helped me a lot. I created three containers: one for the VPN, one for a site on Drupal, and a last one acting as a www proxy (nginx only) in front of the second.

Create LXC container

Pretty simple: create a container with Ubuntu in it:

lxc-create -n [container_name] -t ubuntu

Next, start it:

lxc-start -d -n [container_name]

where the -d argument is essential; otherwise you will drop into the container's command line and get stuck there.

Attach to started container:

lxc-attach -n [container_name]

All containers are created with the default user:password «ubuntu:ubuntu». I strongly recommend deleting this account, as it is of no use:

userdel ubuntu
rm -rf /home/ubuntu

Autostart LXC container

I wanted all my containers to start automatically. The instructions are in the Ubuntu Server Guide (edit /var/lib/lxc/[container_name]/config):

# Autostart
lxc.start.auto = 1
lxc.start.delay = 5

Read as follows: autostart the container and wait 5 seconds before starting the next one.

OpenVPN in LXC

An OpenVPN server does not work out of the box in an LXC container. You need to add the following option to the container config (/var/lib/lxc/[container_name]/config):

# OpenVPN
lxc.cgroup.devices.allow = c 10:200 rwm

The first time, you will also need to run the following commands as root to create the device file for tun:

mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 0666 /dev/net/tun

Notes from heider.io and boxtricks helped me.

Iptables with LXC containers

I needed to forward ports 80 and 443 to the container with IP 10.0.3.100, and port 1194 (OpenVPN) to 10.0.3.200. To do so, run on the host machine:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.3.100:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.3.100:443
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 10.0.3.200:1194

but these changes will be lost after a reboot. To save them, install iptables-persistent:

apt-get install -y iptables-persistent

and agree to save the current iptables settings.

The last problem was that the iptables rules were correct but were not being loaded by iptables-persistent. If I ran service iptables-persistent start manually after booting, everything was OK and port forwarding worked. In /var/lib/boot.log I saw the line:

Loading iptables rules...       [fail]

I believe the problem is in the boot and init order, so I start iptables-persistent again once the network is up. Create the file /etc/network/if-up.d/iptables-persistent:

#!/usr/bin/env bash
# Re-run the rule loading once an interface is up, since the boot-time attempt fails.
service iptables-persistent start

and make it executable:

chmod +x /etc/network/if-up.d/iptables-persistent

At the next boot iptables will still fail during boot, but the rules will be reloaded once the network is up.
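As an added example (not from the original post), the script below compares the PREROUTING table with the three forwards from this section, so the silent "[fail]" described above can be caught by a check after boot rather than by noticing the site or VPN is unreachable. It assumes the rule format printed by `iptables -t nat -S PREROUTING`; the sample dump is constructed.

```bash
#!/usr/bin/env bash
# Added example: verify that the DNAT forwards from this post are actually
# loaded in the nat table, e.g. from cron or a monitoring check after boot.

# One forward per line: incoming-iface proto dport container:port
EXPECTED_FORWARDS='eth0 tcp 80 10.0.3.100:80
eth0 tcp 443 10.0.3.100:443
eth0 udp 1194 10.0.3.200:1194'

# Render one forward in the form `iptables -t nat -S PREROUTING` prints it.
rule_spec() {
  # $1 iface, $2 proto, $3 dport, $4 destination
  printf -- '-A PREROUTING -i %s -p %s -m %s --dport %s -j DNAT --to-destination %s\n' \
    "$1" "$2" "$2" "$3" "$4"
}

# Compare a PREROUTING dump ($1) with EXPECTED_FORWARDS.
# Prints every missing rule; returns 0 if all are present, 1 otherwise.
check_forwards() {
  dump="$1"
  missing=0
  while read -r iface proto dport dest; do
    [ -z "$iface" ] && continue
    spec=$(rule_spec "$iface" "$proto" "$dport" "$dest")
    if ! printf '%s\n' "$dump" | grep -qxF -- "$spec"; then
      echo "missing: $spec"
      missing=1
    fi
  done <<EOF
$EXPECTED_FORWARDS
EOF
  return "$missing"
}

# Constructed sample dump: the OpenVPN rule did not load (the "[fail]" case).
SAMPLE_DUMP='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.3.100:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.3.100:443'

# On the host, replace SAMPLE_DUMP with "$(iptables -t nat -S PREROUTING)".
if check_forwards "$SAMPLE_DUMP"; then
  echo "all forwards loaded"
else
  echo "reload with: service iptables-persistent start"
fi
```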