User:StefanLangenmaier/Poor man's Cluster/Host

Host
As the host, Gentoo with the following features will be used:


 * lxc/docker
 * btrfs
 * kexec
 * dd-client (dyndns)
 * ntp-client
 * iptables
 * libvirtd
 * sshd
 * dmcrypt

Kexec
With btrfs we can already do root filesystem snapshots which can be used to roll back any updates to the system. There is one missing point - the active kernel. To have a safe way to try a kernel update and to roll back in case of error we're going to use kexec.

With kexec we can load a kernel that replaces the current kernel without doing a full hardware reboot. The running system restarts, but only to come up with the selected kernel. This way we can test any kernel; in case of a problem we do a hardware reboot and the known working kernel is loaded as usual.

You can find examples of how to work with kexec on the Kdump page. As of kernel 4.3 I had problems specifying the command line (if the command line was specified, the new kernel hung on the restart). My workaround is to compile the whole command line directly into the kernel. This way, trying out a new kernel safely is as simple as the following:

$ mount /boot
$ kexec -l /boot/zImage-with-cmdline-builtin
$ umount /boot
$ kexec -e

SSHD
Only certificate-based login is allowed.

iptables
libvirtd creates the NAT network for the containers. To forward an external port to an LXC container behind the NAT network, add the following two rules:

iptables -I FORWARD -d 192.168.122.71/32 -p tcp -m state --state NEW -m tcp --dport 9091 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9091 -j DNAT --to 192.168.122.71:9091

Note: repeat both rules once for each port that should be forwarded.
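As an added example (not from the original page), a small POSIX shell script that applies the two rules above once per forwarded port and skips a rule that is already present, so running it twice does not stack duplicate entries. The interface name eth0 and the DRY_RUN switch are assumptions; the guest address and ports come from the rules above.

```shell
#!/bin/sh
# Forward external TCP ports to a guest on the libvirt NAT network.
# Idempotent: a rule is only added when `iptables -C` reports it missing.
# DRY_RUN=1 prints the iptables commands instead of executing them.

WAN_IF="${WAN_IF:-eth0}"               # external interface (assumed name)
GUEST_IP="${GUEST_IP:-192.168.122.71}" # container address on the NAT network
DRY_RUN="${DRY_RUN:-0}"

# run_ipt TABLE ACTION CHAIN RULE... : add RULE to CHAIN in TABLE unless present.
run_ipt() {
    table=$1; action=$2; chain=$3; shift 3
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table $action $chain $*"
        return 0
    fi
    # -C exits 0 when an identical rule already exists; only then skip the add
    if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "exists: $table $chain $*" >&2
    else
        iptables -t "$table" "$action" "$chain" "$@"
    fi
}

# forward_port PORT : accept and DNAT one external TCP port to the guest.
forward_port() {
    port=$1
    # Inserted (-I) at the top so it precedes libvirt's own REJECT rules in FORWARD.
    run_ipt filter -I FORWARD -d "$GUEST_IP/32" -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
    run_ipt nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" -j DNAT --to "$GUEST_IP:$port"
}

# forward_ports PORT... : one pair of rules per port, as the note above requires.
forward_ports() {
    for p in "$@"; do forward_port "$p"; done
}

# Usage: DRY_RUN=1 ./forward.sh 9091 8080
if [ $# -gt 0 ]; then
    forward_ports "$@"
fi
```

The DNAT rule matches any source on the external interface; add `-s` restrictions to both rules if only known networks should reach the forwarded service.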


 * http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
 * Iptables
 * http://serverfault.com/questions/170079/forwarding-ports-to-guests-in-libvirt-kvm/170641#170641