User:Fog Watch/A server on RAID dm-crypt and LXC

Introduction
This is a "how I did it", not a "how to". Accordingly it is written in first person.

The document describes a server built for home use.

Gentoo was chosen because maintenance is tremendous. Ext4 was chosen as its recent and current.

This latest incarnation of the server is a migration from vserver to LXC. The change was undertaken because one is not in the kernel, whereas the other is. Also networking under LXC is more flexible.

There doesn't seem much point in containerising the operating system without putting them in containers, so everything, including root, is put into a logical volume.

I don't want my data to go wandering through physical theft or disk RMA's. The physical volume is therefore a dm-crypt device. I don't use LUKS.

The dm-crypt is put onto a /dev/md1 RAID 1 device, just to add a little protection from disk failure. Both disks are partitioned about the same. Except, /dev/sda2 is used to store bootable ISOs and /dev/sdb2 is swap.

Layers
Gentoo will be installed on the following stack
 * Gentoo
 * ext4
 * LXC
 * LVM2 logical volumes
 * dm-crypt
 * RAID 1
 * GPT disk partitions.

RAID 1
mdadm --create --verbose /dev/md0 --level=mirror --raid-devices=2 /dev/sda4 missing mdadm --create --verbose /dev/md1 --level=mirror --raid-devices=2 /dev/sda5 missing

GPT disk partitions
1           2048          206847   100.0 MiB   EF00  EFI system partition 2         206848         8595455   4.0 GiB     8300  ISOs 3        8595456        16984063   4.0 GiB     8200  Swap 4       16984064        17188863   100.0 MiB   FD00  Boot 5       17188864       117231374   47.7 GiB    FD00  LVM Physical volume

dm-crypt
create keyfile

base64 /dev/random | head -c 1024 > /tmp/keyfile

cryptsetup create --cipher aes-xts-plain64 --key-file /mnt/floppy/keyfile cryptmd1 /dev/md1

Initramfs
The following is a fairly comprehensive list of commands that were used to construct an initial RAM file system.

The libraries to be copied into the initramfs vary over time. So the following is only an approximation, and only for 1 Jan 2016.

Migrating from Vserver to LXC
When the kernel is patched with vserver, networking inside a container is unavailable. This makes migrating from one to the other difficult.

To migrate, first make an initial container from a tarball or such like. Then chroot into this and follow the handbook. The container is then only useful when the kernel is changed over to one that is unpatched.

System
Default system config:

Use the other options from the wiki.

Privileged
All of the containers will be internally facing. Because of this and the additional problems with unprivileged containers, privileged will be used here.

Establish reasonable default container config:

causes problems with bringing up the interface. Search  for usage to explore template parameters. Of particular interest might be  and.

The full path for fstab is needed, otherwise the file is not found.

No, you don't have to  or add a line to

Unprivileged
Unprivileged are good for providing services to the Internet. Use the  of. The suggested config is about right:

You don't need a users, but you may as well have one.

Comply with prerequisites.

Autostart
Need to be able to initiate a user script at boot up from a shell. First, need a self-signed certificate:

And then set up fcron to run a script.

Sudo can be tied down for this.