User:Fog Watch/A server on RAID dm-crypt and LXC

Introduction
This is a "how I did it", not a "how to". Accordingly it is written in first person.

The document describes a server built for home use.

Gentoo was chosen because maintenance is tremendous. Ext4 was chosen as its recent and current.

This latest incarnation of the server is a migration from vserver to LXC. The change was undertaken because one is not in the kernel, whereas the other is. Also networking under LXC is more flexible.

There doesn't seem much point in containerising the operating system without putting them in containers, so everything, including root, is put into a logical volume.

I don't want my data to go wandering through physical theft or disk RMA's. The physical volume is therefore a dm-crypt device. I don't use LUKS.

The dm-crypt is put onto a /dev/md1 RAID 1 device, just to add a little protection from disk failure. Both disks are partitioned about the same. Except, /dev/sda2 is used to store bootable ISOs and /dev/sdb2 is swap.

Layers
Gentoo will be installed on the following stack
 * Gentoo
 * ext4
 * LXC
 * LVM2 logical volumes
 * dm-crypt
 * RAID 1
 * GPT disk partitions.

Initramfs
The following is a fairly comprehensive list of commands that were used to construct an initial RAM file system.

The libraries to be copied into the initramfs vary over time. So the following is only an approximation, and only for 1 Jan 2016.

Migrating from Vserver to LXC
When the kernel is patched with vserver, networking inside a container is unavailable. This makes migrating from one to the other difficult.

To migrate, first make an initial container from a tarball or such like. Then chroot into this and follow the handbook. The container is then only useful when the kernel is changed over to one that is unpatched.

System
Default system config:

Use the other options from the wiki.

Privileged
All of the containers will be internally facing. Because of this and the additional problems with unprivileged containers, privileged will be used here.

Establish reasonable default container config:

causes problems with bringing up the interface. Search  for usage to explore template parameters. Of particular interest might be  and.

The full path for fstab is needed, otherwise the file is not found.

No, you don't have to  or add a line to

Unprivileged
Unprivileged are good for providing services to the Internet. Use the  of. The suggested config is about right:

You don't need a users, but you may as well have one.

Comply with prerequisites.

Autostart
Need to be able to initiate a user script at boot up from a shell. First, need a self-signed certificate:

And then set up fcron to run a script.

Sudo can be tied down for this.