Récup. creation-template-lxc-debian-buster.md

creation-template-lxc-debian-buster.md

@@ -0,0 +1,221 @@
+# Template LXC unprivileged de Debian 10 _Buster_
+
+Création d'un conteneur/template LXC unprivileged de Debian 10 dans une Debian 10 sur une partition Btrfs.
+
+Avertissements liminaires :
+- `lxc-create -t debian` dit explicitement ne pas gérer les conteneurs non-privilégies, cependant je n'ai trouvé aucune contre-indication à créer le template privilégie et faire un _uidshift_ maison. C'est la piste détaillée ici.
+- une autre piste consiste à partir d'un `debootstrap` et faire le travail manuellement. Il faut cependant penser à initialiser pas mal de petites choses comme pour openvz (locales, fuseau horaire, `/etc/machine-id`, etc.)
+- ce tuto est en bêta : écrit d'une traite et, aujourd'hui, pas encore relu ni réutilisé. Caveat emptor.
+
+## Création du template
+On commence par créer un répertoire de cache dans le même volume BtrFs, puis on lance la commande de création :
+```
+cd /home/ltorvalds/lxc
+mkdir cache
+LXC_CACHE_PATH=/home/ltorvalds/lxc/cache MIRROR=http://apt-proxy.example.net:3142/debian SECURITY_MIRROR=http://apt-proxy.example.net:3142/debian lxc-create -n debian-buster-lxccreate -P /home/ltorvalds/lxc -t debian -B btrfs -- -r buster
+```
+
+Quelques erreurs `update-rc.d` et `invoke-rc.d`, on a un magnifique template. On le complète ainsi :
+```
+# nettoyage
+btrfs subvol delete cache/debian/rootfs-buster-amd64
+rm -rf cache/
+
+# droits
+chown 100000:ltorvalds debian-buster-lxccreate
+chown ltorvalds:ltorvalds debian-buster-lxccreate/config
+# Repris de https://unix.stackexchange.com/questions/127554/building-unprivileged-userns-lxc-container-from-scratch-by-migrating-a-privil/420317#420317
+export SUBUID=100000
+export SUBGID=100000
+#find debian-buster-lxccreate/rootfs | while read i; do CURRENT_UID=$(stat --format=%u $i); CURRENT_GID=$(stat --format=%g $i); NEW_SUBUID=$((CURRENT_UID+SUBUID)); NEW_SUBGID=$((CURRENT_GID+SUBGID)); echo "chown -h $NEW_SUBUID.$NEW_SUBGID $i"; done
+# Version "noms-de-fichiers-bizarres". Attention bashism sur 'read -d'.
+find debian-buster-lxccreate/rootfs -print0 | while IFS= read -r -d '' i; do CURRENT_UID=$(stat --format=%u "$i"); CURRENT_GID=$(stat --format=%g "$i"); NEW_SUBUID=$((CURRENT_UID+SUBUID)); NEW_SUBGID=$((CURRENT_GID+SUBGID)); chown -h $NEW_SUBUID.$NEW_SUBGID "$i"; done
+```
+
+### Adaptation de la configuration
+
+On remplace la config par :
+```
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r buster
+# Template script checksum (SHA-1): 5a35ad98c578f5487dc5712a1c7d38af399be813
+# For additional config options, please look at lxc.container.conf(5)
+
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+
+
+# Distribution configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+lxc.include = /usr/share/lxc/config/debian.userns.conf
+lxc.arch = linux64
+
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.include = /etc/lxc/default.conf
+lxc.idmap = u 0 100000 1000
+lxc.idmap = g 0 100000 1000
+lxc.idmap = u 1000 1000 1
+lxc.idmap = g 1000 1000 1
+lxc.idmap = u 1001 101001 64534
+lxc.idmap = g 1001 101001 64534
+lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
+
+# FS configuration
+lxc.rootfs.path = btrfs:/home/ltorvalds/lxc/debian-buster-lxccreate/rootfs
+
+# Point de montage à partager avec l'hôte
+#lxc.mount.entry = /home/ltorvalds/dev/project-ro home/ltorvalds/dev/project-ro none ro,bind,create=dir 0 0
+#lxc.mount.entry = /home/ltorvalds/dev/project-rw home/ltorvalds/dev/project-rw none bind,create=dir 0 0
+
+# Network configuration
+lxc.uts.name = debian-buster-lxccreate
+#lxc.net.0.type = empty
+lxc.net.0.type = veth
+lxc.net.0.link = br0
+lxc.net.0.flags = up
+lxc.net.0.hwaddr = 00:FF:3e:99:99:99
+lxc.net.0.ipv4.address = 192.168.1.199/25
+lxc.net.0.ipv4.gateway = 192.168.1.1
+lxc.net.0.ipv6.address = 2a01:1234:1234:1234::1:99/112
+lxc.net.0.ipv6.gateway = 2a01:1234:1234:1234::1:1
+
+# Profil Apparmor
+# Pour Debian Buster, il semble qu'on soit obligé de passer en unconfined
+# (note 2020-01-22 : ben c'est bon maintenant ?)
+lxc.apparmor.profile = lxc-container-default-cgns
+#lxc.apparmor.profile = unconfined
+#lxc.apparmor.profile = generated
+#lxc.apparmor.allow_nesting = 1
+```
+
+Pour mémoire, au niveau système :
+```
+# cd /etc; tail -n 1000 lxc/* sub???
+==> lxc/default.conf <==
+lxc.net.0.type = empty
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+
+==> lxc/lxc-usernet <==
+ltorvalds   veth    br0     10
+
+==> subgid <==
+ltorvalds:100000:65536
+ltorvalds:200000:65536
+ltorvalds:300000:65536
+ltorvalds:400000:65536
+ltorvalds:500000:65536
+ltorvalds:600000:65536
+ltorvalds:700000:65536
+ltorvalds:800000:65536
+ltorvalds:900000:65536
+ltorvalds:1000:1
+
+==> subuid <==
+ltorvalds:100000:65536
+ltorvalds:200000:65536
+ltorvalds:300000:65536
+ltorvalds:400000:65536
+ltorvalds:500000:65536
+ltorvalds:600000:65536
+ltorvalds:700000:65536
+ltorvalds:800000:65536
+ltorvalds:900000:65536
+ltorvalds:1000:1
+```
+
+### Adaptation à l'intérieur du conteneur
+
+On lance le conteneur et on s'y projette :
+```
+lxc-start -n debian-buster-lxccreate
+# FIXME : quelques erreurs systemd à déboguer en mode --foreground
+# [FAILED] Failed to listen on Journal Audit Socket
+# [FAILED] Failed to mount Kernel Debug File System. (/sys/kernel/debug)
+lxc-attach -n debian-buster-lxccreate
+
+su - 
+
+cd /etc
+dpkg-reconfigure debconf
+apt install git --no-install-recommends
+cat <<EOF >.gitignore
+/ld.so.cache
+/adjtime
+/nologin
+/.pwd.lock
+*-
+*~
+*.old
+*-old
+EOF
+
+git init
+chmod 0700 .git
+git add .
+git commit -a -m "commit initial"
+
+apt install less vim
+update-alternatives --config editor
+
+apt install nullmailer  # "" / mail.example.net / postmaster@example.net
+rm mailname && ln -s hostname mailname  # pas très orthodoxe :-/
+
+apt install iptables-persistent netcat-openbsd
+
+# Rechercher ~/.ssh/git-read-only , puis...
+cat <<EOF >~/.ssh/config
+# /root/.ssh/config
+Host code.bugness.org
+	IdentityFile ~/.ssh/git-read-only
+EOF
+cd /usr/local/share
+git clone ssh://gb@code.bugness.org:2020/chl/scripts-admin-quickndirty-public.git scripts-admin
+
+cd /etc
+cat <<EOF >/etc/apt/apt.conf.d/44proxy
+Acquire::http::Proxy-Auto-Detect "/usr/local/share/scripts-admin/apt-conf-proxy.sh";
+EOF
+# Vérifier que /etc/apt/sources.list soit a peu près ok :
+# deb http://ftp.fr.debian.org/debian buster main
+# deb http://ftp.fr.debian.org/debian buster-updates main
+# deb http://security.debian.org buster/updates main
+```
+
+### Reconfiguration automatique
+
+
+```
+cat <<EOF >
+[Unit]
+Description=Regenerate OpenSSH server keys
+#ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
+Before=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash -c "(/bin/date; echo $(( $RANDOM * $RANDOM * $RANDOM * $RANDOM )) )| /usr/bin/md5sum | /usr/bin/cut -f 1 -d ' ' >/etc/machine-id"
+ExecStart=/bin/sh -c "/bin/rm -vf /etc/ssh/ssh_host_*"
+ExecStart=/usr/sbin/dpkg-reconfigure openssh-server
+ExecStartPost=-/bin/bash -c "/bin/systemctl disable reset-ssh-server-keys"
+ExecStartPost=/bin/rm -f /etc/systemd/system/reset-ssh-server-keys.service
+TimeoutSec=120
+RemainAfterExit=no
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable reset-ssh-server-keys
+```
+
+## Utilisation courante
+On peut ensuite profiter du template en tant qu'utilisateur simple via :
+```
+lxc-copy -n debian-buster-lxccreate -N project1234-dev
+# The MAC address will be changed by LXC but remember to affect a new IP
+# and possibly new subuid (but that topic will be for another day).
+```