How to set up OpenVZ on the Rackspace Cloud

Testing out changes in a production environment is never a good idea. However, prepping test servers can be tedious, as you have to find the hardware and set up the operating system before you can begin. So I want a faster and more cost-effective medium: turning a single Cloud Server into a virtualized host server for my test servers. Welcome OpenVZ.

Taken from the provider’s site, OpenVZ (Open Virtuozzo) is an operating system-level virtualization technology for Linux. It allows a physical server to run multiple isolated operating system instances, called containers, virtual private servers (VPSs), or virtual environments (VEs). OpenVZ is similar to Solaris Containers and LXC.

To manage my OpenVZ containers, I prefer to use Proxmox, which provides a clean control panel for managing my containers.

This guide will document how to install Proxmox on a 2G Rackspace Cloud Server running Debian 7. The Proxmox installation will install everything needed to run OpenVZ.

Install Proxmox

For this to work, we start from a vanilla Debian 7 Cloud Server and install Proxmox on top of it, which will install the required kernel.

To get things started, update /etc/hosts to set up your FQDN, and remove any resolvable IPv6 domains:

[root@proxmox ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
192.168.6.177 proxmox.yourdomain.com proxmox pvelocalhost

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now back up /etc/apt/sources.list, and create a fresh one that uses Proxmox’s repos:

mv /etc/apt/sources.list /etc/apt/sources.list.bak
vim /etc/apt/sources.list
[ ADD ]
deb http://ftp.at.debian.org/debian wheezy main contrib

# PVE repository provided by proxmox.com, only for installation (this repo will stay on 3.1)
deb http://download.proxmox.com/debian wheezy pve

# security updates
deb http://security.debian.org/ wheezy/updates main contrib

Now add the Proxmox VE repository key:

wget -O- "http://download.proxmox.com/debian/key.asc" | apt-key add -

Update the package index and then update the system to install Proxmox:

apt-get update && apt-get dist-upgrade

Install the Proxmox kernel and headers:

apt-get install pve-firmware pve-kernel-2.6.32-26-pve
apt-get install pve-headers-2.6.32-26-pve

Update grub and reboot into the Proxmox kernel:

vim /etc/default/grub
# From
GRUB_DEFAULT=0
# To
GRUB_DEFAULT=3
...
update-grub2
reboot

Once the cloud server comes back online, confirm you are running the pve kernel:

uname -a
Linux proxmox 2.6.32-26-pve #1 SMP Mon Oct 14 08:22:20 CEST 2013 x86_64 GNU/Linux

** If the kernel is a 3.2 kernel, something is wrong and GRUB booted the default kernel, not the pve one. Go back and confirm all the steps worked properly.

Remove the old Debian Kernel as it is no longer needed:

apt-get remove linux-image-amd64 linux-image-3.2.0-4-amd64 linux-base
update-grub

Install the Proxmox VE packages:

apt-get install proxmox-ve-2.6.32 ntp ssh lvm2 postfix ksm-control-daemon vzprocps open-iscsi bootlogd

Open up the firewall to allow inbound port 8006 from your workstation’s IP address:

ufw allow from x.x.x.x to any port 8006 proto tcp

Set up NAT for VEs

As the Rackspace Cloud server comes with 1 IP address, I will be making use of NAT’ed IP addresses to assign to my individual containers. The steps are documented below:

Update /etc/sysctl.conf to enable IP forwarding:

vim /etc/sysctl.conf
[ ADD ]
net.ipv4.ip_forward=1

Then apply the new setting:

sysctl -p

To set up the NAT rules, we need a script that will run on boot. Below is a script that I found on https://vpsaddicted.com/install-and-configure-proxmox-ve-for-nat-ipv4-vps-on-debian-wheezy/.

Two things need to be taken into consideration here:
1. Change the IP address below (123.123.123.123) in the NAT rule to your Cloud Server’s public IP address.
2. This assumes you want to use a 10.0.0.0/24 network for your VEs.

vim /etc/init.d/vz-routing
#!/bin/sh
case "$1" in
 start) echo "vz-routing started"
# It's important that you change the SNAT IP to the one of your server (not the local but the internet IP)
# The following rule source-NATs traffic from the IP range that we will later assign to the VPS.
# That's how you get internet access on your VPS.
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to 123.123.123.123

# Allow servers to have access to internet:
/sbin/iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
# Be sure to add net.ipv4.ip_forward=1 to /etc/sysctl.conf, then run sysctl -p

# These are the rules for any port forwarding you want to do
# In this example, all traffic to and from the ports 11001-11019 gets routed to/from the VPS with the IP 10.0.0.1.
# Also the port 11000 is routed to the SSH port of the vps, later on you can ssh into your VPS through yourip:11000

#/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 11000 -j DNAT --to 10.0.0.1:22
#/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 11001:11019 -j DNAT --to 10.0.0.1
#/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 11001:11019 -j DNAT --to 10.0.0.1

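# In my case I also dropped outgoing SMTP traffic, as it's one of the most abused things on servers
# If you enable these, move them above the two ACCEPT rules (or use -I FORWARD instead of -A):
# iptables stops at the first matching rule, so the ACCEPT for 10.0.0.0/24 would otherwise win.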

#/sbin/iptables -A FORWARD -j DROP -p tcp --destination-port 25
#/sbin/iptables -A FORWARD -j DROP -p tcp --destination-port 2525
#/sbin/iptables -A FORWARD -j DROP -p tcp --destination-port 587
#/sbin/iptables -A FORWARD -j DROP -p tcp --destination-port 465
#/sbin/iptables -A FORWARD -j DROP -p tcp --destination-port 2526
#/sbin/iptables -A FORWARD -j DROP -p tcp --destination-port 110
#/sbin/iptables -A FORWARD -j DROP -p tcp --destination-port 143
#/sbin/iptables -A FORWARD -j DROP -p tcp --destination-port 993

;;

*) echo "Usage: /etc/init.d/vz-routing {start}"
exit 2
;;

esac
exit 0

Set the permissions, enable the script on boot, and run it:

chmod 755 /etc/init.d/vz-routing
update-rc.d vz-routing defaults
/etc/init.d/vz-routing start
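
The optional DROP lines in the script are appended after the blanket ACCEPT for 10.0.0.0/24, and iptables stops at the first matching rule, so traffic leaving the containers would never reach them. The following is an added example, not part of the original post or the script it quotes: it reads rules in the format printed by iptables -S FORWARD and reports DROP/REJECT rules that are shadowed that way. The function name and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads rules in the format
# printed by "iptables -S FORWARD" on stdin and reports DROP/REJECT rules
# that sit after a blanket ACCEPT for the container subnet, so traffic
# leaving the containers never reaches them.
# Limitation: negated matches ("!") are not interpreted.
# On the host: iptables -S FORWARD | shadowed_forward_rules 10.0.0.0/24
shadowed_forward_rules() {
    awk -v net="$1" '
    $1 == "-A" && $2 == "FORWARD" {
        pos++                                  # position in the chain
        src = ""; target = ""; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i ~ /^-(p|i|o|d|m)$/) narrowed = 1
        }
        # Blanket ACCEPT: source subnet only, no protocol/port/interface.
        if (target == "ACCEPT" && src == net && !narrowed) {
            if (!blanket) blanket = pos
            next
        }
        # A later deny rule covering the same sources can never fire.
        if (blanket && (target == "DROP" || target == "REJECT") &&
            (src == "" || src == net))
            printf "rule %d shadowed by rule %d: %s\n", pos, blanket, $0
    }'
}

# Constructed sample: the order the vz-routing script produces once the
# SMTP lines are uncommented (ACCEPT rules first, DROP rules appended).
SAMPLE_PAGE_ORDER='-P FORWARD ACCEPT
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -p tcp -m tcp --dport 587 -j DROP'

# Constructed sample: same rules with the DROP lines moved above the ACCEPTs.
SAMPLE_FIXED_ORDER='-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -p tcp -m tcp --dport 587 -j DROP
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -j ACCEPT'

echo "Order from the script:"
printf '%s\n' "$SAMPLE_PAGE_ORDER" | shadowed_forward_rules 10.0.0.0/24
echo "DROP rules first:"
printf '%s\n' "$SAMPLE_FIXED_ORDER" | shadowed_forward_rules 10.0.0.0/24
```

An empty result for the live chain means no deny rule sits behind the container ACCEPT.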

That should be it! Navigate your browser to the control panel, log in with your root SSH credentials, and you’re ready to go:

https://x.x.x.x:8006