Difference between revisions of "Quick Notes"
| Line 117: | Line 117: | ||
*** <code>scp Deb-12-NFS.tar.zst '''''user'''''@'''''mywebserver''''':/var/www/html/LXCtemplates/</code> | *** <code>scp Deb-12-NFS.tar.zst '''''user'''''@'''''mywebserver''''':/var/www/html/LXCtemplates/</code> | ||
Now you can add it to your '''CT Templates''' storage on any PVE server you're working on. | Now you can add it to your '''CT Templates''' storage on any PVE server you're working on. | ||
==Installing OpenVPN & PIA as a client on an LXC== | |||
===Edit the containers config file (On the PVE host)=== | |||
Add these 2 lines to the containers configuration | |||
* vi /etc/pve/lxc/8028.conf | |||
** lxc.cgroup2.devices.allow: c 10:200 rwm | |||
** lxc.mount.entry: /dev/net dev/net none bind,create=dir | |||
Reboot the container | |||
===install openvpn & the PIA files (On the LXC container)=== | |||
* sudo apt-get install openvpn unzip | |||
* sudo mkdir /etc/openvpn/PIA | |||
* cd /etc/openvpn/PIA | |||
* sudo wget <nowiki>https://www.privateinternetaccess.com/openvpn/openvpn.zip</nowiki> | |||
* sudo unzip openvpn.zip | |||
===Configure openvpn (On the LXC container)=== | |||
* cd /etc/openvpn | |||
** Copy the exit point you like from inside PIA here & change the extension to .conf | |||
** Edit the .conf file and remove the '''<nowiki><crl-verify></nowiki>''' block. (For some reason PIAs CRL blocks are ALWAYS malformed...) | |||
** Add '''/etc/openvpn/auth.txt''' to the line: '''auth-user-pass''' | |||
* sudo vi auth.txt | |||
** copy your PIA username & password into this file (on 2 lines...) | |||
* sudo vi /etc/default/openvpn | |||
** uncomment the '''#AUTOSTART="all"''' line | |||
* sudo service openvpn restart | |||
From this point on, accessing the internet from the LXC will go through your chosen PIA exit point. | |||
For some reason, startup of the LXC seems pretty slow. Not sure why, but patience is a virtue... | |||
=== Testing === | |||
* wget <nowiki>http://ipinfo.io/ip</nowiki> -qO - | |||
Should give you an IP address that does NOT match your actual external IP | |||
* whois `wget <nowiki>http://ipinfo.io/ip</nowiki> -qO -` | |||
Will give you a wall-o-text. In that wall-o-text, you'll find the country code of where ipinfo.io thinks you are. (This, of course, should match your chosen exit point...) | |||
Revision as of 22:44, 14 September 2025
Sections here are really just placeholders with enough information to get started on building actual articles...
rDNS
This is gonna get interesting...
What does it take to make rDNS work from outside the network?
Local Mail Service
(This will depend on whether rDNS works out...)
Better Permissions Handling
 |
12 (bookworm) |
sudo apt install aclsudo mkdir /FOOBARsudo chown -R :users /FOOBARsudo chmod -R g+ws /FOOBARsudo setfacl -R -m g:users:rwx /FOOBAR
Now, the directory /FOOBAR is writeable by anyone in the users group.
Do keep in mind that users is a default group that all accounts are a member of. You could also create specific groups and add each user to specific groups for finer granularity.
Some Links
- Wikipedia : setuid
- Wikipedia : Access-control list
- StackExchange : Getting new files to inherit group permissions on Linux
- StackExchange : Using setfacl to create recursive permissions for Apache with rsync
Linux USERs and GROUPs
Eventually to be an article about how granular access control works on Linux...
Development Testing for a Backup Server
|
12 (bookworm) |
This will eventually be fully fleshed out as instructions for building proper backup servers on separate machines including off-site backups.
Currently testing on a pair of LXCs, both configured as priveledged containers (tho this may not be needed).
Interesting side-quest: Apparently, unpriviledged containers do a bit of weirdness with bind-mount ownerships. There are instructions to work around this, but I have yet to work through this... For the moment, I'm using priviledged containers to work around it.
- VMID 999001: storage
- VMID 999002: backup
I've created a user named draal with specific responsibility for handling backups.(because remote access by root is stupid...)
draal has an equivalent account on ALL involved machines and is set up with ssh keys to avoid the use of password-based access.
On the PVE Server:
(setting up the storage for the test LXCs...)
mkdir /mnt/Storage-0mkdir /mnt/Storage-1mount -L Storage-0 /mnt/Storage-0mount -L Storage-1 /mnt/Storage-1vi /etc/fstab
LABEL=Storage-0 /mnt/Storage-0 ext4 defaults 0 0 LABEL=Storage-1 /mnt/Storage-1 ext4 defaults 0 0
pct set 999001 -mp0 /mnt/Storage-0,mp=/mnt/Storage # storagepct set 999002 -mp0 /mnt/Storage-1,mp=/mnt/Storage # backup
On "storage"
(logged in as draal)
ssh-keygenssh-copy-id draal@backupsudo apt install acl rsyncsudo setfacl -R -m u:draal:rwx /mnt/Storage
On "backup"
(logged in as draal)
ssh-keygenssh-copy-id draal@storagesudo apt install acl rsyncsudo setfacl -R -m u:draal:rwx /mnt/Storage
Testing rsync commands
In order to test things, I've basically dumped a copy of my Documents folder into /mnt/Storage on the storage LXC. This is around 25GB of incredibley mixed & sloppy crap varying from zero-length placeholders to USB binaries...
Everything from here on is done while logged in to storage as draal.
cd /mnt/Storagersync -Aaiz * backup:/mnt/Storage- copies all files to the backup machine
- Took about 7 minutes... (measured by wrapping the command in a time command)
- (& if you run it again, only copies NEW or CHANGED files)
- Every change I made took substantially under 1 second...
- copies all files to the backup machine
rsync -Aaiz --delete * backup:/mnt/Storage- Will actually synchronize. (i.e. It will DELETE any files from the destination that have been removed on the source.)
- DANGER...DANGER...DANGER
- This may NOT be exactly what you want to do in a backup situation.
- (But it might... Your choice...)
Custom LXC Templates
- Create an LXC
- My example is an NFS capable LXC with VMID 666...
- Configure it
- Install your preferred standard set of apps & such...
From the PVE command line:
- remove the network interface
pct set 666 --delete net0
- Do a backup
- Gonna need a bunch of available space (I mount a spare 2TB drive specifically for the purpose on the machine where I build these and cd to that drive before this step...)
vzdump 666 --mode stop --compress zstd --dumpdir .
- Rename the backup to a more useful name
mv vzdump-lxc-666-2025_02_04-14_19_43.tar.zst Deb-12-NFS.tar.zst
- Copy it to someplace you can access it from the PVE UI
- Option 1: For direct Upload (Some oddities happen... More research needed)
scp Deb-12-NFS.tar.zst user@mydesktopmachine:~
- Option 2: For Download from URL
scp Deb-12-NFS.tar.zst user@mywebserver:/var/www/html/LXCtemplates/
- Option 1: For direct Upload (Some oddities happen... More research needed)
Now you can add it to your CT Templates storage on any PVE server you're working on.
Installing OpenVPN & PIA as a client on an LXC
Edit the containers config file (On the PVE host)
Add these 2 lines to the containers configuration
- vi /etc/pve/lxc/8028.conf
- lxc.cgroup2.devices.allow: c 10:200 rwm
- lxc.mount.entry: /dev/net dev/net none bind,create=dir
Reboot the container
install openvpn & the PIA files (On the LXC container)
- sudo apt-get install openvpn unzip
- sudo mkdir /etc/openvpn/PIA
- cd /etc/openvpn/PIA
- sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
- sudo unzip openvpn.zip
Configure openvpn (On the LXC container)
- cd /etc/openvpn
- Copy the exit point you like from inside PIA here & change the extension to .conf
- Edit the .conf file and remove the <crl-verify> block. (For some reason PIAs CRL blocks are ALWAYS malformed...)
- Add /etc/openvpn/auth.txt to the line: auth-user-pass
- sudo vi auth.txt
- copy your PIA username & password into this file (on 2 lines...)
- sudo vi /etc/default/openvpn
- uncomment the #AUTOSTART="all" line
- sudo service openvpn restart
From this point on, accessing the internet from the LXC will go through your chosen PIA exit point.
For some reason, startup of the LXC seems pretty slow. Not sure why, but patience is a virtue...
Testing
- wget http://ipinfo.io/ip -qO -
Should give you an IP address that does NOT match your actual external IP
- whois `wget http://ipinfo.io/ip -qO -`
Will give you a wall-o-text. In that wall-o-text, you'll find the country code of where ipinfo.io thinks you are. (This, of course, should match your chosen exit point...)