LXC
BloodVIRUS, 2021-11-29 14:40:18

Is it possible to access the lxc container from the Internet?

Hello. I have one fat server, and I am constantly doing something on it: for myself, for others, for educational purposes or for some other reason. So that I would not kill the server with all sorts of specific software, the idea came up to raise a virtual machine for each task. The choice fell on LXC. It does not seem difficult. I installed it on an experimental server and ran Ubuntu inside LXC in a couple of commands.
Everything is fine: Ubuntu starts up, there is Internet inside the Ubuntu container, packages install. Everything seems to be great. But how can I make it so that I can enter the container using a direct IP, so that I don't have to enter the server first and then enter the container from the terminal? Is it possible to do so?
Well, the same question, can I place a couple of sites inside containers? In the classical form, everything is simple: I buy a domain, I make an A record pointing to the IP of the server, and requests to the domain go to the server itself. Is it possible to do the same magic with LXC? All of Google is flooded with posts from around 2016 in which people, on the contrary, are fighting to get Internet access from inside the container. That already works for me out of the box.

3 answer(s)
Melkij, 2021-11-29
@melkij

Is it possible to do so?
Well, the same question, can I place a couple of sites inside containers?

Yes, you can.
This is purely a networking issue.
Start here: https://wiki.debian.org/LXC/SimpleBridge
Most likely you have a single IPv4 address, so you are interested in setting up a bridge without adding a physical interface of the main system to it, plus NAT for traffic passing from the bridge.
To accommodate externally visible services, rules are added to redirect incoming packets (for example, to ports 443 and 80) to the internal IP on this virtual bridge.

Andrey Barbolin, 2021-11-29
@dronmaxman

how to make it so that I can enter the container by direct ip?

The easiest option is to forward the port using iptables.
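# Public address of the host, internal address of the container, port to publish
export WAN_IP="91.1.1.2"
export LXC_IP="10.1.1.1"
export FORWARD_PORT="443"
# Let forwarded packets reach the container (as written, this accepts every port and protocol)
iptables -A FORWARD -d "$LXC_IP" -j ACCEPT
# Rewrite the destination of TCP connections arriving at WAN_IP:FORWARD_PORT to the container
iptables -t nat -A PREROUTING -d "$WAN_IP" -p tcp -m tcp --dport "$FORWARD_PORT" -j DNAT --to-destination "$LXC_IP:$FORWARD_PORT"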

Well, the same question, can I place a couple of sites inside containers?

The most correct solution would be to use an nginx proxy. You install a proxy on ubuntu, configure domains and certificates on it, and then proxy requests to the LXC containers.
server {
    listen 80;
    server_name mysite.example.com;

    # Let's Encrypt HTTP-01 challenge requests are answered over plain HTTP
    location /.well-known/acme-challenge/ {
        access_log off;
        default_type "text/plain";
    }

    # Everything else goes to HTTPS; the redirect lives in its own location
    # so that the challenge path above is not redirected as well
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # TLS is enabled by the "ssl" parameter of listen
    listen 443 ssl; # managed by Certbot
    server_name mysite.example.com;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ssl_certificate /etc/letsencrypt/live/mysite.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysite.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        # Plain HTTP to the container's internal address; TLS ends at this proxy
        proxy_pass http://10.1.1.1:80;
        proxy_http_version 1.1;
        proxy_redirect off;
        # Pass the original host, client address and scheme to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
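
An added example, not part of any answer on this page: a shell function that reads `iptables-save` output and lists which host ports are DNAT-published into containers and which FORWARD rules accept traffic to a container without a port match, as `iptables -A FORWARD -d $LXC_IP -j ACCEPT` above does. The rule set is a constructed sample; `lxcbr0`, the 10.1.1.0/24 subnet, 10.1.1.2 and the 2222 to 22 mapping are assumptions.

```shell
#!/bin/sh
# Constructed sample in iptables-save format. 91.1.1.2, 10.1.1.1 and port 443
# come from the answer above; lxcbr0, 10.1.1.0/24, 10.1.1.2 and the
# 2222 -> 22 mapping are assumptions made for this example.
sample_rules() {
  cat <<'EOF'
*nat
-A PREROUTING -d 91.1.1.2/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.1.1:443
-A PREROUTING -d 91.1.1.2/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.1.1:22
-A POSTROUTING -s 10.1.1.0/24 ! -o lxcbr0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 10.1.1.1/32 -j ACCEPT
-A FORWARD -d 10.1.1.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Read iptables-save output on stdin and report:
#   PUBLISHED      a host address:port that DNAT maps into a container
#   BROAD-FORWARD  a FORWARD ACCEPT rule for a destination with no port match
audit_rules() {
  awk '
    # Value following option "opt" in the current rule, or "" if absent.
    function arg(opt,    i) {
      for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    # Strip the /32 that iptables-save appends to single host addresses.
    function host(a) { sub(/\/32$/, "", a); return a }

    /^\*/ { table = substr($0, 2); next }   # "*nat" / "*filter" section header

    table == "nat" && $1 == "-A" && arg("-j") == "DNAT" {
      printf "PUBLISHED %s %s:%s -> %s\n", arg("-p"), host(arg("-d")),
             arg("--dport"), arg("--to-destination")
    }
    table == "filter" && $2 == "FORWARD" && arg("-j") == "ACCEPT" &&
    arg("-d") != "" && arg("--dport") == "" {
      printf "BROAD-FORWARD %s no port restriction\n", host(arg("-d"))
    }
  '
}

sample_rules | audit_rules
```

On a live host, replace `sample_rules` with `iptables-save` run as root.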

Drno, 2021-11-29
@Drno

docker, if for sites or similar
KVM - if you need to torment the entire system
