[Lxc-users] Setting up server in lxc container for dummies

TuxRaiderPen tuxraiderpen at wpascanner.com
Tue Aug 13 21:21:02 UTC 2013 

On Wednesday, July 31, 2013 23:24:42 Dan Kegel wrote:
> Hi,
> I've been happily using ubuntu's stock lxc (originally
> in 12.04, now in 13.04), and finally have an occasion
> to run a server inside a container.  I'd like it to
> be visible from the outside.
> 
> There are plenty of web pages about this, but they seem to
> assume that you've created the lxc config file by hand.
> I have never done that; I just use whatever lxc-create creates.


Ok... sounds like you might be in a situation I am in/was in..

I use LXC to test a few things... and mainly as a "development system(s)" for 
web servers

ie: I assign a LXC container to each client... may not be the best from a lot 
of perspectives, but for me it allows for a certain sanity and order of 
things...

I like you just let LXC create things.

Kubuntu derived custom distro based on 12.04 LTR & lxc 0.7.5

I needed a way for clients to look at "their server" and check progress of 
development....

Simple solution in *SOME* of the standard routers LinkSys, Netgear etc. is 
just set up a static route for the 10.x.x.x subnet that your LXC containers 
are on to point to the bridge host

example: 

If your LXC-HOST is: 192.168.0.10 and your LXC subnet is 10.0.3.x and your LXC 
lxcbr0 = 10.0.3.1

then setup a static route in your router

to send all of 10.0.3/24 to 10.0.3.1 and then let the LXC host forward on...

You can forward ports for things like Apache, MySQL etc... or what ever to 
10.0.3.IP and again the lxcbr figures out and forwards it on....

That worked great till I upgraded my router to a newer model and then this new 
router ONLY ALLOWS for the forwarded  IP to be WITHIN THE /24 of the LAN... 
URRRRRGRGGGHHH! In some stroke of brilliance or "bug resolution" they closed 
this "loophole/feature (bug)."  

So What to do? ? ? 

I changed the static route to forward to the LXC-HOST IP ie: 192.168.0.10 and 
then the LXC-HOST figures out to route 10.0.3.x to what ever LXC container...

That works great for INTERNAL connections... BUT when clients wanted to review 
development... how to get the port forwarded for say Apache to their 
container? ? 

Forwarding port 80 to the LAN IP of the LXC HOST will NOT work it...

Enter 

rinetd

It basically can forward IP/PORT to NEWIP/PORT ie:

192.168.0.11 80 10.0.3.200 80

So I " sudo apt-get install rinetd " on a machine that has nothing special 
running on it... It probably could even go on the LXC-HOST.. but I chose NOT 
to do this so as not to risk FUBAR'ng the LXC host and its routing etc.... 

So the rinted machine is 192.168.0.11 and then setup the router to forward 
port 80 to 192.168.0.11 and then rinetd forwards this to the LXC container of 
my choice.

This solves the problem... Client can remotely view their server progress, I 
can connect to the containers internally, I can connect remotely.

Cisco IOS based routers could set up routing much easier as IOS is much more 
powerful and doesn't restrict the destination IP like newer routers.

Something like:

ip nat inside source static tcp 10.0.3.2 80 WAN IP 80 extendable
ip nat inside source static tcp 10.0.3.2 443 WAN IP 443 extendable
ip nat inside source static tcp 10.0.3.2 3306 WAN IP 3306 extendable

etc... 

And routing like the older router

ip route 10.10.3.0 255.255.255.0 10.10.3.1

Or what ever your LXC setup is

ip route LXC-SUBNET NETMASK LXCBR0 IP


Again, I chose this route v. changing any LXC container setups from what was 
generated... Mainly as too new at the time I devised this plan to LXC.. I come 
from a world of VMWare Server, ESXi and Player VM's and getting the VM's on 
the LAN works differently in "VMWARE BRIDGE" v. LXC BRIDGE. WAY DIFFERENT. In 
that in VMWare Bridge the VM/Container gets an IP from the LAN and from its 
DHCP etc. just like it was a real physical machine on the LAN.. Now I am sure 
there probably is some way to edit the LXC container configs to do this... but 
in reading this thread and somethings it doesn't seem like this is supported 
or wise... That is MY OPINION and INTERPRETATION, subject to being totally 
wrong. I have a setup that works for the resources I have till I find a nice 
used Cisco device that meets my needs....

More information about the lxc-users mailing list