tags: - KVM - lxc categories: - informational comments: true

date: 2022-07-24 00:00:00

DESCRIPTION

baremetal: Ubuntu 20:04 LTS
install KVM using virt-install
install lxc containers inside the KVM
allow access to the containers via the KVM using .ssh/config

ERRORS

VERIFICATION

COMMANDS

install kvm - debian11 (bullseye) on baremetal (Ubuntu 20:04LTS)

apt install qemu-kvm libvirt-clients libvirt-daemon-system
apt install bridge-utils libguestfs-tools genisoimage virtinst libosinfo-bin

virsh destroy l2
virsh undefine l2
rm -f l2.qcow2

console 1

start a gost proxy to reach the internet for the new KVM

gost -L=127.0.0.1:8888?timeout=10s

create KVM

cd /opt/iso
wget "https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/debian-11.4.0-amd64-DVD-1.iso"

export http_proxy="http://127.0.0.1:8888/"
export https_proxy="http://127.0.0.1:8888/"
ISO="/opt/iso/debian-11.4.0-amd64-DVD-1.iso"

virt-install \
 --name "l2" \
 --ram 512 \
 --disk path="l2.qcow2",format=qcow2,bus=virtio,size=20 \
 --vcpus 1 \
 --os-variant debian10 \
 --network bridge=br1 \
 --graphics none \
 --console pty,target_type=serial \
 --location "${ISO}" \
 --extra-args 'console=ttyS0,115200n8 serial' \
 --force --debug
EOF

unselect X and gnome, select only ssh server
user the test1 as user

once ready, ssh into VM

virsh list --all
ssh test1@192.168.1.xx

cat >/etc/apt/sources.list<<EOF
deb http://security.debian.org/debian-security bullseye-security main contrib
deb-src http://security.debian.org/debian-security bullseye-security main contrib
deb http://deb.debian.org/debian/ bullseye-updates main contrib
deb-src http://deb.debian.org/debian/ bullseye-updates main contrib

deb http://deb.debian.org/debian/ bullseye main contrib
deb-src http://deb.debian.org/debian/ bullseye main contrib
EOF

ssh root@192.168.1.xx

remove access to test1 user

passwd -d test1 gpasswd –delete test1 cdrom floppy audio dip video plugdev netdev id test1
enable serial consoel

systemctl enable serial-getty@ttyS0.service systemctl start serial-getty@ttyS0.service
ensure time is set

timedatectl set-timezone America/Toronto timedatectl status

install the software required for containers

apt install –no-install-recommends debian-keyring debian-archive-keyring netcat vim-nox rsync apt install –no-install-recommends debootstrap lxc lxc-templates

create all the containers required for testing

for c in db1 db2 db3 db4 dsn1 dsn2 dsn3 dsn4 app1 app2 app3 app4 tt1 tt2 tt3 tt4 ints1 ints2 clt1 clt2; do
  lxc-create -n "${c}" -t ubuntu -- -r focal -u test --password welcome
done

ensure containers are started on startup
stagger startup of containers to avoid CPU load on KVM

for c in db1 db2 db3 db4 dsn1 dsn2 dsn3 dsn4 app1 app2 app3 app4 tt1 tt2 tt3 tt4 ints1 ints2 clt1 clt2; do
  echo "lxc.start.auto = 1" >> /var/lib/lxc/"${c}"/config
  echo "lxc.start.delay = 10" >> /var/lib/lxc/"${c}"/config
done

Add SSH keys to root user and add login profile

for c in db1 db2 db3 db4 dsn1 dsn2 dsn3 dsn4 app1 app2 app3 app4 tt1 tt2 tt3 tt4 ints1 ints2 clt1 clt2; do
  mkdir /var/lib/lxc/"${c}"/rootfs/root/.ssh
  cp -p ~/.ssh/authorized_keys /var/lib/lxc/"${c}"/rootfs/root/.ssh/
  cp -p /etc/profile.d/login.sh /var/lib/lxc/"${c}"/rootfs/etc/profile.d/
done

start all the containers or reboot l2 (KVM)

for c in db1 db2 db3 db4 dsn1 dsn2 dsn3 dsn4 app1 app2 app3 app4 tt1 tt2 tt3 tt4 ints1 ints2 clt1 clt2; do lxc-start -n “${c}” done

list containers

lxc-ls -f

NAME  STATE   AUTOSTART GROUPS IPV4       IPV6 UNPRIVILEGED 
app1  RUNNING 1         -      10.0.3.143 -    false        
app2  RUNNING 1         -      10.0.3.48  -    false        
app3  RUNNING 1         -      10.0.3.133 -    false        
app4  RUNNING 1         -      10.0.3.201 -    false        
clt1  RUNNING 1         -      10.0.3.100 -    false        
clt2  RUNNING 1         -      10.0.3.228 -    false        
db1   RUNNING 1         -      10.0.3.242 -    false        
db2   RUNNING 1         -      10.0.3.33  -    false        
db3   RUNNING 1         -      10.0.3.70  -    false        
db4   RUNNING 1         -      10.0.3.181 -    false        
dsn1  RUNNING 1         -      10.0.3.51  -    false        
dsn2  RUNNING 1         -      10.0.3.129 -    false        
dsn3  RUNNING 1         -      10.0.3.186 -    false        
dsn4  RUNNING 1         -      10.0.3.85  -    false        
ints1 RUNNING 1         -      10.0.3.196 -    false        
ints2 RUNNING 1         -      10.0.3.115 -    false        
tt1   RUNNING 1         -      10.0.3.3   -    false        
tt2   RUNNING 1         -      10.0.3.101 -    false        
tt3   RUNNING 1         -      10.0.3.157 -    false        
tt4   RUNNING 1         -      10.0.3.247 -    false

add containers to hosts

lxc-ls -f | awk ‘/10.0.3/ { print $5" "$1 }’ >> /etc/hosts
list hosts file

cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       l2

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.3.143 app1
10.0.3.48 app2
10.0.3.133 app3
10.0.3.201 app4
10.0.3.100 clt1
10.0.3.228 clt2
10.0.3.242 db1
10.0.3.33 db2
10.0.3.70 db3
10.0.3.181 db4
10.0.3.51 dsn1
10.0.3.129 dsn2
10.0.3.186 dsn3
10.0.3.85 dsn4
10.0.3.196 ints1
10.0.3.115 ints2
10.0.3.3 tt1
10.0.3.101 tt2
10.0.3.157 tt3
10.0.3.247 tt4

Add to .ssh/config
test login to a container

ssh -A l2

ssh db2
The authenticity of host 'db2 (10.0.3.33)' can't be established.
ECDSA key fingerprint is SHA256:7bXF15CyU9CrXe3ChczawIAEOnr7zVGNgXkXK/ptjqA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'db2,10.0.3.33' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.10.0-16-amd64 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.