diff --git a/creation-template-lxc-debian-buster.md b/creation-template-lxc-debian-buster.md new file mode 100644 index 0000000..f2d4269 --- /dev/null +++ b/creation-template-lxc-debian-buster.md 
@@ -0,0 +1,221 @@ +# Template LXC unprivileged de Debian 10 _Buster_ + +Création d'un conteneur/template LXC unprivileged de Debian 10 dans une Debian 10 sur une partition Btrfs. + +Avertissements liminaires : +- `lxc-create -t debian` dit explicitement ne pas gérer les conteneurs non-privilégies, cependant je n'ai trouvé aucune contre-indication à créer le template privilégie et faire un _uidshift_ maison. C'est la piste détaillée ici. +- une autre piste consiste à partir d'un `debootstrap` et faire le travail manuellement. Il faut cependant penser à initialiser pas mal de petites choses comme pour openvz (locales, fuseau horaire, `/etc/machine-id`, etc.) +- ce tuto est en bêta : écrit d'une traite et, aujourd'hui, pas encore relu ni réutilisé. Caveat emptor. + +## Création du template +On commence par créer un répertoire de cache dans le même volume BtrFs, puis on lance la commande de création : +``` +cd /home/ltorvalds/lxc +mkdir cache +LXC_CACHE_PATH=/home/ltorvalds/lxc/cache MIRROR=http://apt-proxy.example.net:3142/debian SECURITY_MIRROR=http://apt-proxy.example.net:3142/debian lxc-create -n debian-buster-lxccreate -P /home/ltorvalds/lxc -t debian -B btrfs -- -r buster +``` + +Quelques erreurs `update-rc.d` et `invoke-rc.d`, on a un magnifique template. On le complète ainsi : +``` +# nettoyage +btrfs subvol delete cache/debian/rootfs-buster-amd64 +rm -rf cache/ + +# droits +chown 100000:ltorvalds debian-buster-lxccreate +chown ltorvalds:ltorvalds debian-buster-lxccreate/config +# Repris de https://unix.stackexchange.com/questions/127554/building-unprivileged-userns-lxc-container-from-scratch-by-migrating-a-privil/420317#420317 +export SUBUID=100000 +export SUBGID=100000 +#find debian-buster-lxccreate/rootfs | while read i; do CURRENT_UID=$(stat --format=%u $i); CURRENT_GID=$(stat --format=%g $i); NEW_SUBUID=$((CURRENT_UID+SUBUID)); NEW_SUBGID=$((CURRENT_GID+SUBGID)); echo "chown -h $NEW_SUBUID.$NEW_SUBGID $i"; done +# Version "noms-de-fichiers-bizarres". 
Attention bashism sur 'read -d'. +find debian-buster-lxccreate/rootfs -print0 | while IFS= read -r -d '' i; do CURRENT_UID=$(stat --format=%u "$i"); CURRENT_GID=$(stat --format=%g "$i"); NEW_SUBUID=$((CURRENT_UID+SUBUID)); NEW_SUBGID=$((CURRENT_GID+SUBGID)); chown -h $NEW_SUBUID.$NEW_SUBGID "$i"; done +``` + +### Adaptation de la configuration + +On remplace la config par : +``` +# Template used to create this container: /usr/share/lxc/templates/lxc-debian +# Parameters passed to the template: -r buster +# Template script checksum (SHA-1): 5a35ad98c578f5487dc5712a1c7d38af399be813 +# For additional config options, please look at lxc.container.conf(5) + +# Uncomment the following line to support nesting containers: +#lxc.include = /usr/share/lxc/config/nesting.conf +# (Be aware this has security implications) + + +# Distribution configuration +lxc.include = /usr/share/lxc/config/debian.common.conf +lxc.include = /usr/share/lxc/config/debian.userns.conf +lxc.arch = linux64 + +# Container specific configuration +lxc.tty.max = 4 +lxc.arch = amd64 +lxc.pty.max = 1024 +lxc.include = /etc/lxc/default.conf +lxc.idmap = u 0 100000 1000 +lxc.idmap = g 0 100000 1000 +lxc.idmap = u 1000 1000 1 +lxc.idmap = g 1000 1000 1 +lxc.idmap = u 1001 101001 64534 +lxc.idmap = g 1001 101001 64534 +lxc.mount.auto = proc:mixed sys:ro cgroup:mixed + +# FS configuration +lxc.rootfs.path = btrfs:/home/ltorvalds/lxc/debian-buster-lxccreate/rootfs + +# Point de montage à partager avec l'hôte +#lxc.mount.entry = /home/ltorvalds/dev/project-ro home/ltorvalds/dev/project-ro none ro,bind,create=dir 0 0 +#lxc.mount.entry = /home/ltorvalds/dev/project-rw home/ltorvalds/dev/project-rw none bind,create=dir 0 0 + +# Network configuration +lxc.uts.name = debian-buster-lxccreate +#lxc.net.0.type = empty +lxc.net.0.type = veth +lxc.net.0.link = br0 +lxc.net.0.flags = up +lxc.net.0.hwaddr = 00:FF:3e:99:99:99 +lxc.net.0.ipv4.address = 192.168.1.199/25 +lxc.net.0.ipv4.gateway = 192.168.1.1 
+lxc.net.0.ipv6.address = 2a01:1234:1234:1234::1:99/112 +lxc.net.0.ipv6.gateway = 2a01:1234:1234:1234::1:1 + +# Profil Apparmor +# Pour Debian Buster, il semble qu'on soit obligé de passer en unconfined +# (note 2020-01-22 : ben c'est bon maintenant ?) +lxc.apparmor.profile = lxc-container-default-cgns +#lxc.apparmor.profile = unconfined +#lxc.apparmor.profile = generated +#lxc.apparmor.allow_nesting = 1 +``` + +Pour mémoire, au niveau système : +``` +# cd /etc; tail -n 1000 lxc/* sub??? +==> lxc/default.conf <== +lxc.net.0.type = empty +lxc.apparmor.profile = generated +lxc.apparmor.allow_nesting = 1 + +==> lxc/lxc-usernet <== +ltorvalds veth br0 10 + +==> subgid <== +ltorvalds:100000:65536 +ltorvalds:200000:65536 +ltorvalds:300000:65536 +ltorvalds:400000:65536 +ltorvalds:500000:65536 +ltorvalds:600000:65536 +ltorvalds:700000:65536 +ltorvalds:800000:65536 +ltorvalds:900000:65536 +ltorvalds:1000:1 + +==> subuid <== +ltorvalds:100000:65536 +ltorvalds:200000:65536 +ltorvalds:300000:65536 +ltorvalds:400000:65536 +ltorvalds:500000:65536 +ltorvalds:600000:65536 +ltorvalds:700000:65536 +ltorvalds:800000:65536 +ltorvalds:900000:65536 +ltorvalds:1000:1 +``` + +### Adaptation à l'intérieur du conteneur + +On lance le conteneur et on s'y projette : +``` +lxc-start -n debian-buster-lxccreate +# FIXME : quelques erreurs systemd à déboguer en mode --foreground +# [FAILED] Failed to listen on Journal Audit Socket +# [FAILED] Failed to mount Kernel Debug File System. (/sys/kernel/debug) +lxc-attach -n debian-buster-lxccreate + +su - + +cd /etc +dpkg-reconfigure debconf +apt install git --no-install-recommends +cat <.gitignore +/ld.so.cache +/adjtime +/nologin +/.pwd.lock +*- +*~ +*.old +*-old +EOF + +git init +chmod 0700 .git +git add . 
+git commit -a -m "commit initial" + +apt install less vim +update-alternatives --config editor + +apt install nullmailer # "" / mail.example.net / postmaster@example.net +rm mailname && ln -s hostname mailname # pas très orthodoxe :-/ + +apt install iptables-persistent netcat-openbsd + +# Rechercher ~/.ssh/git-read-only , puis... +cat <~/.ssh/config +# /root/.ssh/config +Host code.bugness.org + IdentityFile ~/.ssh/git-read-only +EOF +cd /usr/local/share +git clone ssh://gb@code.bugness.org:2020/chl/scripts-admin-quickndirty-public.git scripts-admin + +cd /etc +cat </etc/apt/apt.conf.d/44proxy +Acquire::http::Proxy-Auto-Detect "/usr/local/share/scripts-admin/apt-conf-proxy.sh"; +EOF +# Vérifier que /etc/apt/sources.list soit a peu près ok : +# deb http://ftp.fr.debian.org/debian buster main +# deb http://ftp.fr.debian.org/debian buster-updates main +# deb http://security.debian.org buster/updates main +``` + +### Reconfiguration automatique + + +``` +cat < +[Unit] +Description=Regenerate OpenSSH server keys +#ConditionPathExists=!/etc/ssh/ssh_host_rsa_key +Before=network.target + +[Service] +Type=oneshot +ExecStart=/bin/bash -c "(/bin/date; echo $(( $RANDOM * $RANDOM * $RANDOM * $RANDOM )) )| /usr/bin/md5sum | /usr/bin/cut -f 1 -d ' ' >/etc/machine-id" +ExecStart=/bin/sh -c "/bin/rm -vf /etc/ssh/ssh_host_*" +ExecStart=/usr/sbin/dpkg-reconfigure openssh-server +ExecStartPost=-/bin/bash -c "/bin/systemctl disable reset-ssh-server-keys" +ExecStartPost=/bin/rm -f /etc/systemd/system/reset-ssh-server-keys.service +TimeoutSec=120 +RemainAfterExit=no + +[Install] +WantedBy=multi-user.target +EOF +systemctl enable reset-ssh-server-keys +``` + +## Utilisation courante +On peut ensuite profiter du template en tant qu'utilisateur simple via : +``` +lxc-copy -n debian-buster-lxccreate -N project1234-dev +# The MAC address will be changed by LXC but remember to affect a new IP +# and possibly new subuid (but that topic will be for another day). +```
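Review bot: the `ExecStart=/bin/bash -c "(/bin/date; echo $(( $RANDOM * $RANDOM * $RANDOM * $RANDOM )) )| /usr/bin/md5sum ..."` line in the "Reconfiguration automatique" unit derives `/etc/machine-id` from the current date plus four `$RANDOM` values (15 bits each), so the id carries far less than the 128 bits it is supposed to and containers cloned from this template can end up with guessable or colliding ids; the supported way is to delete or truncate the file and let systemd regenerate it, e.g. `ExecStart=/bin/sh -c "/bin/rm -f /etc/machine-id && /bin/systemd-machine-id-setup"`. Two more things in the same hunk: the heredoc openers have been lost in the rendered markdown (`cat <.gitignore`, `cat <~/.ssh/config`, `cat </etc/apt/apt.conf.d/44proxy` and a bare `cat <` with no target at all, which would read from the file instead of writing it), so the `<<EOF` form should be restored, and for the bare `cat <` the unit path is elided, although the later `ExecStartPost=/bin/rm -f /etc/systemd/system/reset-ssh-server-keys.service` line shows where the unit is expected to live. In the container config, `lxc.arch` is set twice (`linux64`, then `amd64`); keep one. Also worth a sentence in the text: `lxc.idmap = u 1000 1000 1` maps container uid 1000 straight onto the host account, which is what makes the commented `lxc.mount.entry` bind mounts usable but also means any container process running as uid 1000 has exactly the host user's rights on everything it can reach, and after the `chown -h $NEW_SUBUID.$NEW_SUBGID` shift a rootfs file owned by uid 1000 becomes host uid 101000, which none of the three `lxc.idmap` ranges cover (the third starts at host 101001), so it shows up as nobody inside the container; `chown` with `:` rather than `.` as the separator is the documented form.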