Tag Archives: containers

Allowing OpenVPN to create tun device on LXC / Proxmox

Due to built-in security of LXC, trying to setup a tunnel interface inside a container is by blocked by default.

ERROR: Cannot open TUN/TAP dev /dev/net/tun

To allow this for a specific container in Proxmox, we need to make a few tweaks to allow this interface to work in a specific container (we don’t want to allow all containers to be able to setup a tunnel – hackers can hide their tracks using it).

How to do this:

ADD these lines to /etc/pve/lxc/<container-id>.conf

lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

 

Fix zfs-mount.service failing after reboot on Proxmox

In my new homelab migration to Proxmox I came across a bug that will prevent you from being able to mount all your ZFS mount points and be a pain in the ass even more if you host containers in that folder.
Continue reading

LXC allow non-root users to bind to port 80 (couchpotato example)

A follow-up to my last post dealing with unprivileged port access on linux containers.

This time, I have a couchpotato container that I want to change its default port from 5050 to port 80, so that it is as simple as http://mycouch/ to access from the local network.
Continue reading

Allow non-root processes to bind to privileged (ports <1024) on linux

As I work on my homelab migration from FreeNAS into Linux containers, I need to move my freebsd jails to LXC.

In *nix any usage of well-known ports (aka 1024 or less) requires special privileges or a kernel setting. In FreeBSD a simple sysctl net.inet.ip.portrange.reservedhigh =1 was enough to allow the BSD jail to use any port on the jail.

On LXC, I had to figure out how to do the same thing and its quite different. My environment is a debian stretch LXC container but should work on other linux versions.

# apt-get install libcap2-bin
# setcap 'cap_net_bind_service=+ep' /usr/bin/transmission-daemon

In the example above, the binary /usr/bin/transmission-daemon is now able to open any port, or port 80 http in my case all while running a service as a non-root user.

Hopefully these helps folks out there, the answer took some digging but I already had an idea on what was needed thanks to my FreeBSD experience in zones 🙂

Running Windows containers in Docker

Microsoft Windows Server 2016 now supports containers, this means we can now isolate windows applications and share the underlying kernel of windows much like we have been doing in Linux for years with OpenVZ or more recently LXC (linux containers).

On January 4, 2017 Rancher announced experimental support for Windows containers (link below).

Official Microsoft documentation on containers.
Rancher v.1.3 has implemented experimental windows container support.

This is a good reason to spin up a Windows Server 2016 node and experiment in a lab. I’ll be looking forward to trying this when I get some time.

Virtualization hypervisor and containers all in one

I’m a big fan of virtualization, the ability to run multiple platforms and operating systems (called guests) in a single server (called host) is probably one of the best computing technologies of the past 10 years.

Personally, I have been using virtualization circa 2004. It all took off after 2006 when chip manufacturer’s started bundling virtualization technologies in their processors (Intel VT-x or AMD-v). The reason why “cloud” computing is so popular can also be attributed to virtualization.

In a container world…

However, in the past couple of years a new technology has been making making the rounds everywhere, the words “containers”, “docker”, “orchestration” is picking up steam in the past year. They say that containers are changing the landscape for system administrators and application developers.

Claims that containers can be built and deployed in seconds, share a common storage layer and allow you to resize the container in real-time when you need more performance or capacity are really exciting concepts and I think the time is now for me to jump in and learn a thing of two about this new technology when its hot a new. Continue reading