systemd-nspawn
Page revision 2021/10/31 10:42 (current; external edit from 127.0.0.1), compared against the previous revision of 2018/08/23 14:19. The text below is the current revision of the page.

===== Prepare base image =====
The base image is a btrfs subvolume under /var/lib/container. Each container is later created as a snapshot of it with --template=, so /var/lib/machines must also be on btrfs for that to be a snapshot (otherwise systemd-nspawn copies the tree into a plain directory). systemd-networkd and systemd-resolved on the host manage the ve-* end of each container's virtual ethernet link.
<code bash>
# Arch host: pacstrap is part of arch-install-scripts
pacman -S arch-install-scripts
# Base image as a btrfs subvolume so it can be snapshotted per container
btrfs subvolume create /var/lib/container/archlinux-base
# Per-machine settings (*.nspawn files) are read from here
mkdir -p /etc/systemd/nspawn
# Minimal Arch root filesystem into the subvolume
pacstrap /var/lib/container/archlinux-base base
# Host side of container networking: addresses on ve-* links, DNS
systemctl enable --now systemd-networkd systemd-resolved
</code>
===== Prepare child image =====
UID range for the container: pick a multiple of 65536 as the base of the container's user namespace; this machine uses 65536 * 70 = 4587520. Container UID u is mapped to host UID 4587520 + u, so root inside the container is the unprivileged host UID 4587520, and the container's http user (UID 33 on Arch) appears on the host as 65536 * 70 + 33 = 4587553. Anything the container's web server must write through a bind mount, here the DokuWiki data directory, has to be owned by that host UID (and, where group permissions matter, by the matching GID 4587553; useradd usually allocates the same number for the user's group, check with id).
<code bash>
# Host user whose UID is what the container's http user maps to
useradd -m -u $((65536 * 70 + 33)) archlinux-dokuwiki
# Data directory that will be bind-mounted into the container
mkdir /home/archlinux-dokuwiki/data
chown -R archlinux-dokuwiki:archlinux-dokuwiki /home/archlinux-dokuwiki/data
</code>
The PrivateUsers value used here is that same base, 65536 * 70 = 4587520. Passing it explicitly, instead of letting nspawn pick a random range, is what keeps the ownership of the bind-mounted data stable across restarts. The first start snapshots the base image into /var/lib/machines, and --private-users-chown rewrites the ownership of the whole new tree into the chosen range.
<code bash>
# -n: virtual ethernet link; -D: container root (created as a snapshot of the template on first use)
# --private-users-chown: shift file ownership in the new root into the UID range (one-time, slow on large trees)
# --boot: run the container's init; backgrounded so the host shell stays usable
systemd-nspawn -nD /var/lib/machines/archlinux-dokuwiki --template=/var/lib/container/archlinux-base --private-users-chown --private-users=4587520 --boot &
</code>
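To check the arithmetic above against a running machine, the following added example (not code from the original page) translates UIDs across the user namespace the way the kernel does, from a uid_map line of the form "inside outside count", and verifies that a directory is owned by the host UID a container user maps to. The map line, the function names and the paths are this example's own assumptions; with --private-users=4587520 the container's /proc/1/uid_map reads "0 4587520 65536".

```shell
#!/bin/sh
# Added example: UID translation across a systemd-nspawn user namespace.
# A uid_map line is "<inside> <outside> <count>"; for --private-users=4587520
# the container's /proc/1/uid_map reads "0 4587520 65536" (constructed below).

# map_uid MAPLINE DIRECTION UID
#   DIRECTION is to-host (container UID -> host UID) or to-container.
#   Prints the translated UID; prints nothing and returns 1 when UID is not
#   inside the mapped range (the kernel shows such IDs as the overflow UID,
#   65534 "nobody", on the other side).
map_uid() {
    _map=$1 _dir=$2 _uid=$3
    set -- $_map                      # split the map line into its three fields
    _inside=$1 _outside=$2 _count=$3
    case $_dir in
        to-host)      _from=$_inside;  _to=$_outside ;;
        to-container) _from=$_outside; _to=$_inside ;;
        *) echo "map_uid: direction must be to-host or to-container" >&2; return 2 ;;
    esac
    if [ "$_uid" -lt "$_from" ] || [ "$_uid" -ge $((_from + _count)) ]; then
        return 1
    fi
    echo $((_uid - _from + _to))
}

# check_owner PATH UID: succeeds when PATH is owned by the numeric UID
check_owner() {
    [ "$(stat -c %u "$1")" -eq "$2" ]
}

# Worked example with the page's numbers (constructed map line, no container needed)
MAP="0 4587520 65536"
HTTP_HOST_UID=$(map_uid "$MAP" to-host 33)      # 4587553, the useradd -u value above
echo "container http (33) is host UID $HTTP_HOST_UID"
if ! map_uid "$MAP" to-container 1000 >/dev/null; then
    echo "host UID 1000 is outside the container's range: seen as nobody inside"
fi
```

On the host, the real map of a running machine is `cat /proc/$(machinectl show -p Leader --value archlinux-dokuwiki)/uid_map`, and `check_owner /home/archlinux-dokuwiki/data "$(map_uid "$(cat /proc/.../uid_map)" to-host 33)"` confirms that the bind-mounted directory is owned by the container's http user before the .nspawn file below is enabled.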
Bootstrapping the container with Ansible over machinectl (a Python 2 era setup, hence the python2 paths). The connection plugin is downloaded straight from the master branch of a third-party repository into the host's site-packages and then executed as root by ansible-playbook; pin it to a reviewed commit rather than master if this is reused.
<code bash>
pacman -S ansible
# Third-party machinectl connection plugin; ansible runs under Python 2 here
wget "https://github.com/BaxterStockman/ansible-connection-machinectl/raw/master/connection_plugins/machinectl.py" -O /usr/lib/python2.7/site-packages/ansible/plugins/connection/machinectl.py
# Networking inside the container (host0 gets its address from the host's networkd)
machinectl shell root@archlinux-dokuwiki /bin/bash -c "systemctl enable --now systemd-networkd systemd-resolved"
# Ansible needs a Python interpreter in the target
machinectl shell root@archlinux-dokuwiki /bin/bash -c "pacman -Sy python2 --noconfirm"
git clone ...
cd ...
ansible-galaxy install -r requirements.yml
# -E preserves the caller's environment; machinectl is the connection type
sudo -E ansible-playbook -c machinectl -i inventory -v archlinux-dokuwiki.yml
</code>
After bootstrapping, the bind mount and the fixed UID range go into the machine's .nspawn file. systemd-nspawn@.service starts machines with --settings=override, so these settings take precedence over the unit's own command line (which would otherwise pick a random UID range with -U); PrivateUsers= must match the base used above, or the chowned tree and the data directory no longer line up. Private=yes together with VirtualEthernet=yes gives the container its own network namespace with a host0 link instead of access to the host's network stack.
<file - /etc/systemd/nspawn/archlinux-dokuwiki.nspawn>
[Exec]
PrivateUsers=4587520

[Files]
PrivateUsersChown=true
Bind=/home/archlinux-dokuwiki/data:/var/lib/dokuwiki/data

[Network]
Private=yes
VirtualEthernet=yes
</file>
<code bash>
# Stop the hand-started instance, then run the machine as a unit from now on
machinectl terminate archlinux-dokuwiki
systemctl enable systemd-nspawn@archlinux-dokuwiki.service
systemctl restart systemd-nspawn@archlinux-dokuwiki
</code>
===== Maintenance =====
Reset child: stop the machine, delete its snapshot, and re-create it from the base image with the systemd-nspawn --template command above. The container's own /var/lib/machines is a nested subvolume (systemd-tmpfiles creates it as one), and deleting the outer subvolume fails while it still contains another, so the nested one goes first.
<code bash>
systemctl stop systemd-nspawn@archlinux-dokuwiki
btrfs subvolume delete /var/lib/machines/archlinux-dokuwiki/var/lib/machines
btrfs subvolume delete /var/lib/machines/archlinux-dokuwiki
</code>
===== Todo =====
  * auto-update the base image, automatically reboot the children
  * private ethernet
  * bind data

===== Bugs =====
In the geerlingguy.nginx role's template, the pid directive is commented out:
<file - ~/.ansible/roles/geerlingguy.nginx/templates/nginx.conf.j2>
#pid        {{ nginx_pidfile }};
</file>
  * machine not starting automatically (systemctl enable systemd-nspawn@machine-dokuwiki). Note that this unit name does not match the machine name used above, archlinux-dokuwiki; also check that machines.target, which systemd-nspawn@.service is WantedBy, is itself enabled (systemctl is-enabled machines.target).

===== Tips =====
Forward a host port to the container with iptables. The DNAT rule alone only rewrites the destination: the host also needs net.ipv4.ip_forward=1, the FORWARD chain has to accept the forwarded traffic, and 10.0.0.10 must be the container's fixed address (the host's default ve-* network config hands out DHCP leases, so pin the address in the container's network config if the rule is meant to survive restarts).
<code bash>
# ens3: the host's external interface; 10.0.0.10: the container's address on the veth link
iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to 10.0.0.10:80
</code>
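The single PREROUTING rule above relies on the FORWARD chain accepting whatever is routed to the container. The following added example (not from the original page) publishes one container port with the DNAT rule plus FORWARD rules that admit only that port, and rejects malformed input so that a typo cannot open something else. It prints the iptables commands and only runs them when APPLY=1 is set; the interface name, addresses, ports and function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: publish one container port on the host with iptables.
# Emits (or, with APPLY=1, runs as root) the DNAT rule together with the
# FORWARD rules and the sysctl that the page's single PREROUTING rule depends on.

# valid_port N: succeeds for 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: four dotted decimal octets, each 0..255
valid_ipv4() {
    _ip=$1
    case $_ip in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    set -- $(echo "$_ip" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}

# publish_port IFACE PROTO HOSTPORT CONTAINER_IP CONTAINER_PORT
#   Prints the commands; with APPLY=1 in the environment also executes them.
#   Returns 2 on bad input without printing any rule.
publish_port() {
    _if=$1 _proto=$2 _hport=$3 _cip=$4 _cport=$5
    case $_proto in tcp|udp) ;; *) echo "publish_port: proto must be tcp or udp" >&2; return 2 ;; esac
    valid_port "$_hport" && valid_port "$_cport" || { echo "publish_port: bad port" >&2; return 2; }
    valid_ipv4 "$_cip" || { echo "publish_port: bad IPv4 address" >&2; return 2; }
    # Forwarding must be on, or the DNATed packets are dropped on the host.
    # After PREROUTING the destination is already the container address, so the
    # FORWARD rule can match on it and on the container port alone.
    _rules="sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $_if -p $_proto --dport $_hport -j DNAT --to-destination $_cip:$_cport
iptables -A FORWARD -i $_if -p $_proto -d $_cip --dport $_cport -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$_rules"
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$_rules" | sh -e
    fi
}

# Worked example with the page's values (constructed; nothing is applied)
publish_port ens3 tcp 80 10.0.0.10 80
```

These rules only restrict anything once the FORWARD chain's default policy is DROP (iptables -P FORWARD DROP); with the default ACCEPT policy the page's single DNAT rule works but so does any other traffic routable to the veth. Return traffic is matched by the ESTABLISHED,RELATED rule through conntrack, and the host's default 80-container-ve.network already masquerades the container's own outbound connections.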
The container's IP and open port can be checked with nmap; the machine name resolves on the host through nss-mymachines (machinectl status archlinux-dokuwiki also lists the address).
<code bash>
nmap -p 80 archlinux-dokuwiki
</code>