7

I am trying to setup a server where I would be running multiple apps. Mostly internal but could also be open source projects like Redmine. They would all be Rails/Ruby apps/test scripts running on headless browsers. In essence, I am trying to setup a heroku like environment internally and wanted some sort of process isolation between these running processes.

I first stumbled upon chroot jails and then learnt about LXC. LXC seems to offer a better control over plain chroot jails. I have an nginx frontend and I would like to run the webserver app processes (thin/mongrel/webrick) in isolated containers. Usually we simply start off these processes on the local ip address and have nginx proxy to them. What is the best way to get this done? Do people setup a static bridged IP for the container and have nginx point to it? How do I ensure that webservers running in the containers are only accessible to host outside?

Documentation about LXC seems to be a bit sparse. Pointers to some good tutorials or HOWTOs would be greatly appreciated. My target deployment environment is a Lucid 64 bit box.

P.S. I am not a linux guru. So, be gentle.

Vagmi Mudumbai
  • 183
  • 1
  • 7

2 Answers2

13

Let's assume that your own IP is 192.168.1.1, your gateway is 192.168.1.254 and your network is 192.168.1.0/24.

You should make a bridged interface on your host machine, like this in /etc/network/interfaces file

 auto lo
 iface lo inet loopback

 auto br0
 iface br0 inet static
     address 192.168.1.1
     network 192.168.1.0
     netmask 255.255.255.0
     broadcast 192.168.1.255
     gateway 192.168.1.254
     bridge_ports eth0
     bridge_stp off
     bridge_fd 3
     bridge_hello 1
     bridge_maxage 5

and then install a basic ubuntu in LXC:

 apt-get install lxc vlan bridge-utils python-software-properties screen
 mkdir /lxc
 debootstrap oeniric /lxc/ubuntu
 chroot ubuntu
 locale-gen en_US.UTF-8
 apt-get update
 apt-get install lxcguest ssh
 passwd
 rm /etc/mtab
 ln -s /proc/mounts /etc/mtab
 exit

create a file /lxc/ubuntu.config with the content

 lxc.utsname = ubuntu
 lxc.tty = 8
 lxc.rootfs = /lxc/ubuntu
 lxc.mount = /lxc/ubuntu.fstab
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.name = eth0
 lxc.network.mtu = 1500
 lxc.network.ipv4 = 192.168.1.10/24

/lxc/ubuntu.fstab with

 none /lxc/ubuntu/dev/pts devpts defaults 0 0
 none /lxc/ubuntu/proc proc defaults 0 0
 none /lxc/ubuntu/sys sysfs defaults 0 0
 none /lxc/ubuntu/run tmpfs defaults 0 0

add to /lxc/ubuntu/etc/rc.local

 route add default gw 192.168.1.254

edit /lxc/ubuntu/etc/resolv.cont according your needs.

Then you can create your machine with

 lxc-create -f /lxc/ubuntu.config -n ubuntu

then start

 lxc-start -n ubuntu

or stop

 lxc-stop -n ubuntu

or finally destroy

 lxc-destroy -n ubuntu

Your new virtual machine will have the IP 192.168.1.10 and will be accessible on the network.

Stone
  • 7,011
  • 1
  • 21
  • 33
0

If you rather not want to give external IP adresses to the container or can't:

The Debian Wiki page on LXC mentions two variants of accomplishing that using NAT on the host machine. I'm using the approach with libvirt and have had no problems with that so far.

I don't know what it's like under Ubuntu, but it's probably not that much different there.

The Wiki page may seem like a good information source, but the maintainer himself says that you should rather refer to the file /usr/share/doc/lxc/README.Debian for up-to-date information.

moschlar
  • 126
  • 5