refactoring and cleanup

2023-05-19 08:07:36 +02:00
parent 24f2758f16
commit 9c96a4e12a
33 changed files with 50 additions and 42 deletions
--- a/content/container/docker.md
+++ b/content/container/docker.md
@ -0,0 +1,205 @@
+---
+title: "Docker"
+menu:
+  main:
+    parent: Container
+---
+
+# deploy docker container
+
+## systemd service file
+Generic systemd service file starting docker container using `docker compose`
+```
+[Unit]
+Description=%N service with docker compose
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+TimeoutStartSec=1200
+
+WorkingDirectory=/etc/docker-compose/%N
+
+# Remove old containers, images and volumes and update it
+ExecStartPre=/usr/bin/docker compose down -v
+ExecStartPre=/usr/bin/docker compose rm -fv
+ExecStartPre=/usr/bin/docker compose pull
+
+# Compose up
+ExecStart=/usr/bin/docker compose up
+
+# Compose down, remove containers and volumes
+ExecStop=/usr/bin/docker compose down -v
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Create a folder /etc/docker-compose/*service-name* and place your `docker-compose.yml` there.
+Then symlink or copy the systemd service file to /etc/systemd/system/*service-name*.service.
+
+You can start the container using
+```
+systemctl start <service-name>
+```
+
+To automatically start the container when your server is booting enable the systemd service like any other service on your machine
+```
+systemctl enable <service-name>
+```
+
+## docker-compose examples
+### portainer
+[Portainer](https://portainer.io) is a nice looking and easy to use web based frontend for managing all your docker containers.
+```
+version: '3'
+
+services:
+  portainer:
+    image: portainer/portainer-ce:latest
+    container_name: portainer
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/portainer:/data
+    ports:
+      - 9000:9000
+```
+
+### watchtower
+[Watchtower](https://containrrr.dev/watchtower/) keeps all your docker container up to date.
+The following compose file uses `WATCHTOWER_SCHEDULE` to configure execution time of the updates.
+```
+version: '3'
+
+services:
+  watchtower:
+    image: containrrr/watchtower
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+    - WATCHTOWER_CLEANUP=true
+    - WATCHTOWER_INCLUDE_RESTARTING=true
+    - WATCHTOWER_SCHEDULE=0 0 23 * * *
+    ports:
+      - 8002:8080
+```
+
+### monit
+["Your faithful employee, Monit"](https://mmonit.com/monit/) ;-)
+A simple and easy to use monitoring solution for all of your services.
+```
+version: '3'
+
+services:
+  monit:
+    image: maltyxx/monit:latest
+    container_name: monit
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /opt/docker/monit/etc:/etc/monit
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    ports:
+      - 2812:2812
+    environment:
+      - "MONIT_USERNAME=admin"
+      - "MONIT_PASSWORD=someSecretPassword"
+```
+
+### smokeping
+[Smokeping](https://oss.oetiker.ch/smokeping/) is a great way to blame your ISP. 
+"My services die when my roundtrip time to <random target server on the other side end of the world> exceeds 20ms".
+And best of all, it is written in perl.
+```
+version: '3'
+
+services:
+  smokeping:
+    image: linuxserver/smokeping:latest
+    container_name: smokeping
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /opt/docker/smokeping/config:/config
+      - /opt/docker/smokeping/data:/data
+    ports:
+      - 8001:80
+```
+
+### ipv6nat
+A little tweak for dockers "great" IPv6 support :-/
+```
+version: '3'
+
+services:
+  ipv6nat:
+    image: robbertkl/ipv6nat:latest
+    container_name: ipv6nat
+    restart: always
+    privileged: true
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /usr/lib/modules:/lib/modules:ro
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+      - SYS_MODULE
+    network_mode: "host"
+```
+
+### atlas-probe
+A software probe for the [RIPE ATLAS](https://atlas.ripe.net/) project. 
+One of the more advanced examples I use.
+
+The file creates a new network with IPv6 ULA addresses. 
+Yes I know ... but docker seem to lack such bleeding edge technology (aka prober IPv6 support).
+It limits resource usage (CPU, RAM) of the docker container as well. 
+```
+version: '3'
+
+services:
+  atlas-probe:
+    image: jamesits/ripe-atlas:latest
+    container_name: atlas-probe
+    restart: unless-stopped
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /opt/docker/atlas-probe/etc:/var/atlas-probe/etc
+      - /opt/docker/atlas-probe/status:/var/atlas-probe/status
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETUID
+      - SETGID
+      - DAC_OVERRIDE
+      - NET_RAW
+    environment:
+      - RXTXRPT=yes
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: "64M"
+        reservations:
+          memory: "64M"
+    networks:
+      - ripe-atlas-network
+networks:
+  ripe-atlas-network:
+    name: ripe-atlas-network
+    enable_ipv6: true
+    ipam:
+      config:
+        - subnet: fd00:a1a3::/48
+```
--- a/content/container/lxc-networking.md
+++ b/content/container/lxc-networking.md
@ -0,0 +1,84 @@
+---
+title: 'LXC Networking'
+menu:
+  main:
+    parent: Container
+---
+
+# LXC network configurations
+
+## create network bridge
+```
+brctl add br0
+```
+
+## add virtual ethernet interface to container 
+
+Add the following lines to _/var/lib/lxc/container/config_
+```
+lxc.net.0.type  = veth
+lxc.net.0.link  = br0
+lxc.net.0.flags = up
+lxc.net.0.name  = eth0
+```
+
+## iptables
+### port forwarding
+iptables (IPv4) and ip6tables (IPv6) DNAT target to forward services to container.
+
+```
+iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8448 -j DNAT \
+        --to-destination 10.3.0.31:8448
+```
+
+### masquerading
+Translate outgoing traffic from container to public IP address
+
+```
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+```
+
+## IPv6
+### network configuration
+#### host 
+```
+ip addr add fd00::1/8 dev br0
+```
+```
+cat > /etc/sysctl.d/ipv6-forwarding.conf <<EOF
+net.ipv6.conf.eth0.accept_ra = 2
+net.ipv6.conf.br0.accept_ra = 2
+net.ipv6.conf.default.accept_ra = 2
+net.ipv6.conf.all.accept_ra = 2
+
+net.ipv6.conf.all.forwarding = 1
+net.ipv6.conf.default.forwarding = 1
+net.ipv6.conf.eth0.forwarding = 1
+net.ipv6.conf.br0.forwarding = 1
+EOF
+```
+
+#### container
+```
+ip addr add fd00::20:1/64 dev eth0
+ip route add default via fd00::1 dev eth0
+```
+
+### port forwarding
+```
+ip6tables \
+  -t nat \
+  -A PREROUTING \
+  -d 2a03:4000:15:68::20/128 \
+  -i eth0 \
+  -p tcp \
+  -m tcp \
+  --dport 587 \
+  -j DNAT \
+  --to-destination [fd00::20:1]:587
+```
+
+### masquerade
+```
+ip6tables -t nat -A POSTROUTING -s fd00::20:1/128 -o eth0 -j SNAT --to-source 2a03:4000:15:68::20
+```