Differences

This shows you the differences between two versions of the page.

--- systemd-nspawn [2018/02/10 11:31] – 46.5.2.217
+++ systemd-nspawn [2021/10/31 10:42] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+===== Prepare base image =====
+<code bash>
+pacman -S arch-install-scripts
+btrfs subvol create /var/lib/container/archlinux-base
+mkdir /etc/systemd/nspawn
+pacstrap /var/lib/container/archlinux-base base
+systemctl enable --now systemd-networkd systemd-resolved
+</code>
+===== Prepare child image =====
+Setting UID range for container: Using a multiple of 65536, e.g. 65536 * 70 for this machine as. To match the user http (always uid 33) on the container, a user on the host with the same permissions should therefore have the UID: 65536 * 70 + 33.
+<code bash>
+useradd -m -u $((65536 * 70 + 33)) archlinux-dokuwiki
+mkdir /home/archlinux-dokuwiki/data
+chown -R archlinux-dokuwiki:archlinux-dokuwiki /home/archlinux-dokuwiki/data
+</code>
+PrivateUsers parameter is here equal to 65536 * 70
+<code bash>
+systemd-nspawn -nD /var/lib/machines/archlinux-dokuwiki --template=/var/lib/container/archlinux-base --private-users-chown --private-users=4587520 --boot &
+</code>
+<code bash>
+pacman -S ansible
+wget "https://github.com/BaxterStockman/ansible-connection-machinectl/raw/master/connection_plugins/machinectl.py" -O /usr/lib/python2.7/site-packages/ansible/plugins/connection/machinectl.py
+machinectl shell root@archlinux-dokuwiki /bin/bash -c "systemctl enable --now systemd-networkd systemd-resolved"
+machinectl shell root@archlinux-dokuwiki /bin/bash -c "pacman -Sy python2 --noconfirm"
+git clone ...
+cd ...
+ansible-galaxy install -r requirements.yml
+sudo -E ansible-playbook -c machinectl -i inventory -v archlinux-dokuwiki.yml
+</code>
+After bootstrapping we can enable our mount:
+<file - /etc/systemd/nspawn/archlinux-dokuwiki.nspawn>
+[Exec]
+PrivateUsers=4587520
+[Files]
+PrivateUsersChown=true
+Bind=/home/archlinux-dokuwiki/data:/var/lib/dokuwiki/data
+[Network]
+Private=yes
+VirtualEthernet=yes
+</file>
+<code bash>
+machinectl terminate archlinux-dokuwiki
+systemctl enable systemd-nspawn@archlinux-dokuwiki.service
+systemctl restart systemd-nspawn@archlinux-dokuwiki
+</code>
+===== Maintainance =====
+Reset child
+<code bash>
+systemctl stop systemd-nspawn@archlinux-dokuwiki
+btrfs subvolume delete /var/lib/machines/archlinux-dokuwiki/var/lib/machines
+btrfs subvolume delete /var/lib/machines/archlinux-dokuwiki
+</code>
+===== Todo =====
+  * auto update base image, auto reboot childs
+  * private ethernet
+  * bind data
+===== Bugs =====
+<file - ~/.ansible/roles/geerlingguy.nginx/templates/nginx.conf.j2>
+#pid        {{ nginx_pidfile }};
+</file>
+  * machine not starting automatically (systemctl enable systemd-nspawn@machine-dokuwiki)
+===== Tips =====
+Iptables forward host port to container
+<code bash>
+iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to 10.0.0.10:80
+</code>
+Container ip and port can be checked with nmap
+<code bash>
+nmap -p 80 archlinux-dokuwiki
+</code>