Tips for LXC: creation, autostart, OpenVPN and port forwarding to containers

2014-10-09
#ubuntu #howto #server #lxc #openvpn #iptables

I’ve finished setting up my comfortable set of LXC containers and want to write down the points that cost me a lot of time, plus a few things worth keeping for copy-paste.

I used the official Ubuntu Server Guide, but a note in the Digital Ocean knowledge base also helped me a lot. I created three containers: one for the VPN, one for a site on Drupal, and the last one as a www proxy in front of the second, running nginx only.

§ Create LXC container

Pretty simple: create a container with Ubuntu in it:

lxc-create -n [container_name] -t ubuntu

Next, start it:

lxc-start -d -n [container_name]

where the -d argument is essential; without it you will fall into the container's command line and get stuck there.

Attach to the started container:

lxc-attach -n [container_name]

All containers are created with the default user:password «ubuntu:ubuntu». I strongly recommend deleting it: the password is a well-known default and the account is of no further use:

userdel ubuntu
rm -rf /home/ubuntu

§ Autostart LXC container

I wanted all my containers to start automatically. The instructions are in the Ubuntu Server Guide (edit /var/lib/lxc/[container_name]/config):

# Autostart
lxc.start.auto = 1
lxc.start.delay = 5

Read as follows: autostart this container, and wait 5 seconds before starting the next one.

§ OpenVPN in LXC

The VPN server does not work out of the box in an LXC container. You need to add the following option to the container config (/var/lib/lxc/[container_name]/config):

# OpenVPN
lxc.cgroup.devices.allow = c 10:200 rwm

The first time, you will also need to run the following commands as root inside the container to create the device node for tun:

mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 0666 /dev/net/tun

Notes from heider.io and boxtricks helped me.

§ Iptables with LXC containers

I needed to forward ports 80 and 443 to the container with IP 10.0.3.100, and port 1194 (OpenVPN) to 10.0.3.200. To do so, run on the host machine:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.3.100:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.3.100:443
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 10.0.3.200:1194

but these changes will be lost after a reboot. To save them, install iptables-persistent:

apt-get install -y iptables-persistent

and agree to save the current iptables rules.

The last problem was that the iptables rules were correct but were not loaded by iptables-persistent. If I ran service iptables-persistent start manually after booting, everything was fine and port forwarding worked. In /var/log/boot.log I saw the line:

Loading iptables rules...       [fail]

I believe the problem is the boot and init order, so I made iptables-persistent start after the network is up. Create the file /etc/network/if-up.d/iptables-persistent:

#!/usr/bin/env bash
# Reload the saved iptables rules once the network is up

service iptables-persistent start

and make it executable:

chmod +x /etc/network/if-up.d/iptables-persistent

At the next boot iptables will still fail during early boot, but the rules will be reloaded once the network is up.
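The two halves of this section (the three DNAT rules and the if-up.d hook) fit together in one script, so here is an added example of my own, not the post's script and not part of iptables-persistent. It is an /etc/network/if-up.d/ hook that ensures the three port forwards from the post are present when the public interface comes up. Two things the short hook above does not handle: ifupdown runs every if-up.d script once per interface (lo, eth0, lxcbr0, ...) with IFACE and MODE exported, so this hook first checks that it is eth0 being brought up; and it adds each rule only if iptables -C cannot find an identical one, so running it twice never stacks duplicate rules. The interface name eth0, the container addresses 10.0.3.100 and 10.0.3.200 (from the post), and the EXT_IF variable and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's own script: an /etc/network/if-up.d/ hook
# that (re)creates the three port forwards from the post when the public
# interface comes up. ifupdown exports IFACE (interface being configured)
# and MODE ("start" on if-up) to every hook, and runs each hook once per
# interface, so we act only for eth0 coming up. Each DNAT rule is added only
# if iptables -C does not already find an identical rule (idempotent).
# Assumptions: public interface eth0 (override with EXT_IF=...) and the
# container addresses 10.0.3.100 / 10.0.3.200 from the post.
set -eu

EXT_IF="${EXT_IF:-eth0}"

# should_run IFACE MODE: true only when the public interface is coming up
should_run() {
    [ "${2:-}" = start ] && [ "${1:-}" = "$EXT_IF" ]
}

# forward_port PROTO DPORT DEST_IP:DEST_PORT
# Appends the PREROUTING DNAT rule unless iptables -C finds an identical one.
# Reports via the FORWARD_RESULT variable ("added" or "exists") so the caller
# does not need a subshell to read the outcome.
forward_port() {
    proto="$1"; dport="$2"; dest="$3"
    if iptables -t nat -C PREROUTING -i "$EXT_IF" -p "$proto" --dport "$dport" \
            -j DNAT --to-destination "$dest" 2>/dev/null; then
        FORWARD_RESULT=exists
    else
        iptables -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$dport" \
            -j DNAT --to-destination "$dest"
        FORWARD_RESULT=added
    fi
    echo "$FORWARD_RESULT: $proto/$dport -> $dest"
}

# apply_forwards: the three forwards from the post as proto:port:dest specs.
# Sets ADDED to the number of rules that were actually new.
apply_forwards() {
    ADDED=0
    for spec in tcp:80:10.0.3.100:80 tcp:443:10.0.3.100:443 udp:1194:10.0.3.200:1194; do
        p=${spec%%:*}; rest=${spec#*:}
        dp=${rest%%:*}; d=${rest#*:}
        forward_port "$p" "$dp" "$d"
        if [ "$FORWARD_RESULT" = added ]; then
            ADDED=$((ADDED + 1))
        fi
    done
}

# Entry point when run by ifupdown; does nothing if IFACE/MODE are not set,
# e.g. when executed by hand (try: IFACE=eth0 MODE=start sh this-hook).
if should_run "${IFACE:-}" "${MODE:-}"; then
    apply_forwards
    echo "port forwarding ensured on $EXT_IF ($ADDED new rules)"
fi
```

Install it as an executable file under /etc/network/if-up.d/ and it runs as root on every interface event; the IFACE/MODE check keeps it from firing for lo or lxcbr0. One caveat that applies to the post's rules as well: DNAT in PREROUTING only rewrites the destination address, the packet still has to pass the host's FORWARD chain, so if your FORWARD policy is DROP you also need ACCEPT rules for traffic to the containers.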