Mic92/lxc-config
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

split-zone, dn42-routes and more

Browse Source
This commit is contained in:
Jörg Thalheim 2015-03-30 22:02:32 +00:00
parent 7f654d8997
commit 17426c3eeb
12 changed files with 247 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
container.json
View File

@ -1,14 +1,18 @@
{ {
"zone": { "zone": {
"soa": "ns1.higgsboson.tk.", "soa": "ns1.higgsboson.tk.",
"serial": 124, "serial": 149,
"refresh": "1H", "refresh": "1H",
"hostmaster": "hostmaster.higgsboson.tk", "hostmaster": "hostmaster.higgsboson.tk",
"domain": "eve.higgsboson.tk", "domain": "eve.higgsboson.tk",
"ttl": 300,
"a": "148.251.132.243",
"aaaa": "2a01:4f8:210:31fd::1",
"retry": "4H", "retry": "4H",
"expire": "3W", "expire": "3W",
"minimum": "1D", "minimum": "1D",
"v4_subnet": "192.168.66.0/24", "v4_subnet": "192.168.66.0/24",
"dn42_v4_subnet": "172.23.75.0/24",
"v6_subnet": "2a01:4f8:210:31fd:1::/80" "v6_subnet": "2a01:4f8:210:31fd:1::/80"
}, },
"network": { "network": {
@ -19,17 +23,17 @@
}, },
"tinc2": { "tinc2": {
"ipv4": "188.166.16.37", "ipv4": "188.166.16.37",
"ipv6": "2a03:b0c0:2:d0::2a5:f004", "ipv6": "2a03:b0c0:0:1010::3d:b003",
"lxc": false "lxc": false
}, },
"eve": { "eve": {
"ipv4": "192.168.66.1",
"ipv6": "2a01:4f8:210:31fd::1", "ipv6": "2a01:4f8:210:31fd::1",
"ipv4": "148.251.132.243",
"lxc": false "lxc": false
}, },
"eva": { "eva": {
"ipv4": "192.168.67.1",
"ipv6": "2a03:b0c0:2:d0::2a5:f001", "ipv6": "2a03:b0c0:2:d0::2a5:f001",
"ipv4": "188.166.16.37",
"lxc": false "lxc": false
}, },
"bridge": { "bridge": {
@ -68,23 +72,27 @@
"ns1": { "ns1": {
"ns": true, "ns": true,
"lxc": false, "lxc": false,
"rdns6": "ns1.higgsboson.tk", "ipv4": "148.251.132.243/32",
"ipv4": "192.168.66.6/32",
"ipv6": "2a01:4f8:210:31fd:1::6/128" "ipv6": "2a01:4f8:210:31fd:1::6/128"
}, },
"ns2": { "ns2": {
"ns": true, "ns": true,
"lxc": false, "lxc": false,
"ipv4": "192.168.67.1/32", "ipv4": "188.226.214.194/32",
"ipv6": "2a03:b0c0:2:d0:1::1/128" "ipv6": "2a03:b0c0:0:1010::3d:b002/128"
}, },
"dns": { "dns": {
"ipv4": "192.168.66.6/32", "ipv4": "192.168.66.6/32",
"ipv6": "2a01:4f8:210:31fd:1::6/128", "ipv6": "2a01:4f8:210:31fd:1::6/128",
"rdns6": "ns1.higgsboson.tk", "rdns6": "ns1.higgsboson.tk",
"dn42_ipv4": "172.23.75.6/32",
"dn42_ipv6": "fdc0:4992:6a6d:6::1/64"
},
"dn42": { "dn42": {
"ipv4": "172.23.75.4" "ipv4": "192.168.66.31/32",
} "ipv6": "2a01:4f8:210:31fd:1::1f/128",
"dn42_ipv4": "172.23.75.1/32",
"dn42_ipv6": "fdc0:4992:6a6d:1::1/64"
}, },
"faces": { "faces": {
"ipv4": "192.168.66.7/32", "ipv4": "192.168.66.7/32",
@ -132,7 +140,8 @@
"mysql", "mysql",
"pdo_mysql" "pdo_mysql"
] ]
} },
"lxc": false
}, },
"phppgadmin": { "phppgadmin": {
"ipv4": "192.168.66.13/32", "ipv4": "192.168.66.13/32",
@ -143,7 +152,8 @@
"pgsql", "pgsql",
"pdo_pgsql" "pdo_pgsql"
] ]
} },
"lxc": false
}, },
"adminer": { "adminer": {
"ipv4": "192.168.66.14/32", "ipv4": "192.168.66.14/32",
@ -339,6 +349,10 @@
] ]
} }
},
"terraria": {
"ipv4": "192.168.66.34/32",
"ipv6": "2a01:4f8:210:31fd:1::22/128"
} }
} }
} }

41
default.conf
View File

@ -1,6 +1,20 @@
lxc.autodev = 1 lxc.autodev = 1
lxc.kmsg = 0 lxc.kmsg = 0
lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin setfcap sys_nice sys_pacct sys_rawio
# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc
# Set the halt/stop signals
lxc.haltsignal=SIGRTMIN+4
lxc.stopsignal=SIGRTMIN+14
# Set the pivot directory
lxc.pivotdir = lxc_putold
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.network.type = veth lxc.network.type = veth
lxc.network.link = br0 lxc.network.link = br0
@ -12,30 +26,45 @@ lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::1
# cgroups # cgroups
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 4:1 rwm lxc.cgroup.devices.allow = c 4:1 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 136:* rwm
### fuse
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.cgroup.memory.soft_limit_in_bytes = 1500M lxc.cgroup.memory.soft_limit_in_bytes = 1500M
lxc.cgroup.memory.limit_in_bytes = 2000M lxc.cgroup.memory.limit_in_bytes = 2000M
lxc.cgroup.cpu.shares = 256 lxc.cgroup.cpu.shares = 256
lxc.cgroup.blkio.weight = 500 lxc.cgroup.blkio.weight = 500
lxc.mount.entry = /data/pacman-cache var/cache/pacman/pkg none bind 0 0 # Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
lxc.mount.entry = /data/pacman/pkg var/cache/pacman/pkg none bind 0 0
lxc.mount.entry = /data/pacman/sync var/lib/pacman/sync none bind 0 0
lxc.mount.entry = /data/repo srv/repo none bind,ro,create=dir 0 0 lxc.mount.entry = /data/repo srv/repo none bind,ro,create=dir 0 0
lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0 lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
lxc.hook.autodev = /etc/lxc/hooks/dn42-routes
lxc.hook.clone = /etc/lxc/hooks/setup-machine-id lxc.hook.clone = /etc/lxc/hooks/setup-machine-id
lxc.hook.clone = /etc/lxc/hooks/remove-journal lxc.hook.clone = /etc/lxc/hooks/remove-journal
lxc.hook.clone = /etc/lxc/hooks/cleanup-lxc-config lxc.hook.clone = /etc/lxc/hooks/cleanup-lxc-config

1
evenet.conf
View File

@ -3,3 +3,4 @@ lxc.network.link = evenet
lxc.network.flags = up lxc.network.flags = up
lxc.network.name = eth1 lxc.network.name = eth1
lxc.network.mtu = 1500 lxc.network.mtu = 1500
lxc.hook.autodev = /etc/lxc/hooks/dn42-routes

51
hooks/build-split-zone Executable file
View File

@ -0,0 +1,51 @@
#!/usr/bin/env ruby
require "resolv"
require_relative "lib/lxc"
class Resolver
def initialize
@stub_resolver = Resolv::DNS.new
@cache = {}
end
def resolve(name, delegated_subdomain, typeclass)
if name == "@"
fqdn = delegated_subdomain
else
fqdn = "#{name}.#{delegated_subdomain}"
end
result = @cache[fqdn + typeclass.to_s] ||= @stub_resolver.getresource(fqdn, typeclass)
if result == :no_record
nil
else
result
end
rescue Resolv::ResolvError => e
puts "warning: #{e}"
@cache[fqdn + typeclass.to_s] = :no_record
return nil
end
def a(name, delegated_subdomain)
result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::A)
return "" unless result
"#{name} A #{result.address.to_s}\n"
end
def aaaa(name, delegated_subdomain)
result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::AAAA)
return "" unless result
"#{name} AAAA #{result.address.to_s}\n"
end
end
template_path = Lxc::CONFIG_ROOT.join("templates/higgsboson.tk.zone.erb")
template = Lxc::Template.new(template_path)
serial = Time.new.to_i
resolver = Resolver.new
zones = [
["zones/higgsboson.tk.zone", :pub],
["zones/internal-eve.higgsboson.tk.zone", :eve],
["zones/internal-eva.higgsboson.tk.zone", :eva],
]
zones.each do |zone, type|
template.write(zone, resolver: resolver, serial: serial, type: type)
end
Lxc::Utils.sh("lxc-attach", "-n", "dns", "--", "rndc", "reload")

8
hooks/dn42-routes
View File

@ -1,5 +1,7 @@
#!/bin/bash #!/bin/bash
/usr/bin/ip route add 172.16.0.0/12 via 172.16.75.1 proto static metric 200 ip rule add from 172.23.75.0/24 table 42
/usr/bin/ip route add 10.0.0.0/8 via 172.16.75.1 proto static metric 200 ip route add 192.168.66.0/24 via 172.23.75.4 dev eth1 table 42
exit 0 ip route add 172.16.0.0/12 via 172.23.75.1
ip route add 10.0.0.0/8 via 172.23.75.1
ip route flush cache

8
hooks/lib/lxc/container.rb
View File

@ -16,13 +16,13 @@ module Lxc
@ipv4_subnet = NetAddr::CIDR.create(zone["v4_subnet"] || "192.168.10.0/24") @ipv4_subnet = NetAddr::CIDR.create(zone["v4_subnet"] || "192.168.10.0/24")
@ipv6_subnet = NetAddr::CIDR.create(zone["v6_subnet"] || "fd7d:aed0:18aa::/48") @ipv6_subnet = NetAddr::CIDR.create(zone["v6_subnet"] || "fd7d:aed0:18aa::/48")
if subnet = zone["dn42_ipv4_subnet"] if subnet = zone["dn42_v4_subnet"]
@dn42_ipv4_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask) @dn42_ipv4_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
else else
@dn42_ipv4_netmask = 24 @dn42_ipv4_netmask = 24
end end
if subnet = zone["dn42_ipv6_subnet"] if subnet = zone["dn42_v6_subnet"]
@dn42_ipv6_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask) @dn42_ipv6_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
else else
@dn42_ipv6_netmask = 48 @dn42_ipv6_netmask = 48
@ -47,12 +47,12 @@ module Lxc
ipv4: format_address(@ipv4, @ipv4_subnet.to_i(:netmask)), ipv4: format_address(@ipv4, @ipv4_subnet.to_i(:netmask)),
ipv6: format_address(@ipv6, @ipv6_subnet.to_i(:netmask))) ipv6: format_address(@ipv6, @ipv6_subnet.to_i(:netmask)))
if @dn42_ipv4 if @dn42_ipv4
opts[:dn42_ipv4] = format_address(dn42_ipv6, dn42_ipv4_netmask) opts[:dn42_ipv4] = format_address(@dn42_ipv4, @dn42_ipv4_netmask)
c["dn42_ipv4"] = NetAddr::CIDR.create(@dn42_ipv4).to_s(Short: true) c["dn42_ipv4"] = NetAddr::CIDR.create(@dn42_ipv4).to_s(Short: true)
end end
if @dn42_ipv6 if @dn42_ipv6
opts[:dn42_ipv6] = format_address(dn42_ipv4, dn42_ipv6_netmask) opts[:dn42_ipv6] = format_address(@dn42_ipv6, @dn42_ipv6_netmask)
c["dn42_ipv6"] = NetAddr::CIDR.create(@dn42_ipv6).to_s(Short: true) c["dn42_ipv6"] = NetAddr::CIDR.create(@dn42_ipv6).to_s(Short: true)
end end

5
hooks/lib/lxc/template.rb
View File

@ -8,12 +8,13 @@ module Lxc
end end
class Template class Template
def initialize(path) def initialize(path, context: nil)
@path = path @path = path
@erb = ERB.new(File.read(path), nil, "-") @erb = ERB.new(File.read(path), nil, "-")
end end
def render(params={}) def render(params={})
@erb.result(TemplateContext.new(params).get_binding) context = TemplateContext.new(params)
@erb.result(context.get_binding)
rescue => e rescue => e
raise StandardError.new("fail to render '#{@path}': #{e}") raise StandardError.new("fail to render '#{@path}': #{e}")
end end

6
hooks/tun-device Executable file
View File

@ -0,0 +1,6 @@
#!/bin/sh
cd ${LXC_ROOTFS_MOUNT}/dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun

10
templates/config.erb
View File

@ -5,3 +5,13 @@ lxc.rootfs = <%= rootfs %>
lxc.network.ipv4 = <%= ipv4 %> lxc.network.ipv4 = <%= ipv4 %>
lxc.network.ipv6 = <%= ipv6 %> lxc.network.ipv6 = <%= ipv6 %>
lxc.network.veth.pair = lxc_<%= name[0..(16-4)] %> lxc.network.veth.pair = lxc_<%= name[0..(16-4)] %>
<% if dn42_ipv4 || dn42_ipv6 -%>
lxc.include = /etc/lxc/evenet.conf
<% if dn42_ipv4 -%>
lxc.network.ipv4 = <%= dn42_ipv4 %>
<% end -%>
<% if dn42_ipv6 -%>
lxc.network.ipv6 = <%= dn42_ipv6 %>
<% end -%>
<% end -%>

89
templates/higgsboson.tk.zone.erb Normal file
View File

@ -0,0 +1,89 @@
$TTL 300
@ 3600 IN SOA ns1 admin.higgsboson.tk. (
<%= serial %> ; serial
7200 ; refresh
3600 ; retry
86400 ; expire
3600) ; minimum
;; NS Records (YOU MUST CHANGE THIS)
NS ns1
NS ns2
;; MX Records
MX 10 mail
;; TXT Records
TXT "v=spf1 mx a:mail.higgsboson.tk aaaa:mail.higgsboson.tk -all"
_adsp._domainkey TXT "dkim=all\;"
default._domainkey TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhqBgbSEMgdWYmBSBsNbI2opjEZSFuZiqnAzv2yxLYyXB0l1uL4tw9npNkC4w5cNehc87qhuuzADsSOJoFUQ+H3oWOnENcGKatQqRKzLxKLBWwUf+TnC21AKGHXD4eABZk3ahfYnlR7li3Wh/JSMsAxWmaikLj3uLHd/WN9eH4rwIDAQAB"
_dmarc TXT "v=DMARC1\; p=none\; adkim=r\; aspf=r\; rua=mailto:admin@higgsboson.tk\; ruf=mailto:admin@higgsboson.tk\; pct=100"
joerg._pka TXT "v=pka1\;fpr=4ABA07382AD57E6B9AA4E88DCA4106B8D7CC79FA\;uri=http://higgsboson.tk/joerg/joerg.asc"
;; SRV Records (Service locator)
_xmpp-client._tcp.muc SRV 0 5 5222 jabber
_xmpp-client._tcp SRV 0 5 5222 jabber
_xmpp-server._tcp.muc SRV 0 5 5269 jabber
_xmpp-server._tcp SRV 0 5 5269 jabber
;; CNAME Records
*.jabber CNAME jabber
anon CNAME jabber
proxy CNAME jabber
pubsub CNAME jabber
imap CNAME mail
smtp CNAME mail
tinc1 CNAME dn42
archfeed CNAME arch-pkg-feed.herokuapp.com.
githubtags CNAME github-tags-feed.herokuapp.com.
reisekosten CNAME reisekosten.herokuapp.com.
;; A Records (IPv4 addresses)
<% if type == :eve -%>
* A 192.168.66.5
<% else -%>
* A 148.251.132.243
<% end -%>
dn42 A 148.251.132.243
<%= resolver.aaaa("dn42", "eve.higgsboson.tk") -%>
;; eve -->
<% eve_services = %w{@ classifier eve jabber login mail ns1 web} -%>
<% if type == :eve -%>
<% eve_services.each do |name| -%>
<%= resolver.a(name, "eve.higgsboson.tk") -%>
<% end -%>
<% else -%>
<% eve_services.each do |name| -%>
<%= name %> A 148.251.132.243
<% end -%>
<% end -%>
;; <-- eve
;; eva -->
<% eva_services = %w{eva ns2 tinc2} -%>
<% if type == :eva -%>
<% eva_services.each do |name| -%>
<%= resolver.a(name, "eva.higgsboson.tk") -%>
<% end -%>
<% else -%>
<% eva_services.each do |name| -%>
<%= name %> A 188.166.16.37
<% end -%>
<% end -%>
;; <-- eva
;; AAAA Records (IPv6 addresses)
* AAAA 2a01:4f8:210:31fd:1::5
<% eve_services.each do |name| -%>
<%= resolver.aaaa(name, "eve.higgsboson.tk") -%>
<% end -%>
<% eva_services.each do |name| -%>
<%= resolver.aaaa(name, "eva.higgsboson.tk") -%>
<% end -%>

13
templates/lxc-zone.erb
View File

@ -1,15 +1,26 @@
<% if data["zone"]["ttl"] -%>
$TTL <%= data["zone"]["ttl"] %>
<% end -%>
@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> ( @ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
<%= data["zone"]["serial"] %> ; serial <%= data["zone"]["serial"] %> ; serial
<%= data["zone"]["refresh"] %> ; refresh <%= data["zone"]["refresh"] %> ; refresh
<%= data["zone"]["retry"] %> ; retry <%= data["zone"]["retry"] %> ; retry
<%= data["zone"]["expire"] %> ; expire <%= data["zone"]["expire"] %> ; expire
<%= data["zone"]["minimum"] %>) ; minimum <%= data["zone"]["minimum"] %>) ; minimum
<% data["network"].each do |name, value| -%> <% data["network"].each do |name, value| -%>
<% if value["ns"] -%> <% if value["ns"] -%>
IN NS <%= name %> NS <%= name %>
<% end -%> <% end -%>
<% end -%> <% end -%>
<% if data["zone"]["a"] -%>
A <%= data["zone"]["a"] %>
<% end -%>
<% if data["zone"]["aaaa"] -%>
AAAA <%= data["zone"]["aaaa"]%>
<% end -%>
<% data["network"].each do |name, value| %> <% data["network"].each do |name, value| %>
<% if value["cname"] -%> <% if value["cname"] -%>
<%= name %> CNAME <%= value["cname"] %> <%= name %> CNAME <%= value["cname"] %>

13
templates/rdns-zone.erb
View File

@ -6,18 +6,7 @@
<%= data["zone"]["minimum"] %>) ; minimum <%= data["zone"]["minimum"] %>) ; minimum
<% data["network"].each do |name, value| -%> <% data["network"].each do |name, value| -%>
<% if value["ns"] -%> <% if value["ns"] -%>
IN NS <%= name %> IN NS <%= name %>.<%= data["zone"]["domain"] %>.
<% end -%>
<% end -%>
<% data["network"].each do |name, value| -%>
<% if value["ns"] -%>
<% if value["ipv4"] -%>
<%= name %> A <%= NetAddr::CIDR.create(value["ipv4"]).ip(Short: true) %>
<% end -%>
<% if value["ipv6"] -%>
<%= name %> AAAA <%= NetAddr::CIDR.create(value["ipv6"]).ip(Short: true) %>
<% end -%>
<% end -%> <% end -%>
<% end -%> <% end -%>