LXC / contained
Description
A LXC container using nested virtualization responsible for running the majority of my services that run as docker containers.
Configuration
Resources
Hostname | CPU | Memory |
---|---|---|
contained | 6 vCPU | 24GB |
Storage
Mount Point | Source | Mount Path | Size | Options |
---|---|---|---|---|
rootfs | local-zfs:subvol-100-disk-0 | / | 8GB | noatime |
mp0 | /storage/zpool10/downloads | /storage/downloads | - | noatime;nodev;noexec;nosuid |
mp1 | /storage/zpool10/downloads/incomplete | /storage/downloads/incomplete | - | noatime;nodev;noexec;nosuid |
mp2 | /storage/zpool10/media | /storage/media | - | noatime;nodev;noexec;nosuid |
mp3 | /storage/zpool10/services | /storage/services | - | |
mp4 | vpool-zfs:subvol-100-disk-1 | /var/lib/docker | 384GB | noatime |
Networking
Interfaces
ID | Type | Name | Link | IPv4 Address | IPv6 Address | Description |
---|---|---|---|---|---|---|
net0 | bridge | eth0 | vmbr3 | 10.0.8.2/21 | DHCPv6 | DMZ |
net1 | bridge | eth2 | vmbr4 | - | - | WARP |
Docker Networks
A brief overview of how I have my networking setup for Docker.
blackbox_containers
Type | Gateway | IP/Subnet | IP Range |
---|---|---|---|
bridge | - | - | - |
Traefik binds to the host ports on LXC / Contained for HTTP(S) traffic that has been forwarded from firewall and proxies it to the appropriate container using this bridge network.
- Containers that are part of this network can directly access other containers in this network using their hostnames and/or container names.
- Using hostnames to network containers provides an IP agnostic way to communicate while reducing overhead of SSL.
- Containers in this network are not publically accessible, access is controlled with Traefik acting as a gatekeeper.
**NOTE** All publically accessible containers should be part of the blackbox_containers
network.
Creation Command
docker network create --driver bridge blackbox_containers
a_warp
Type | Gateway | IP/Subnet | IP Range |
---|---|---|---|
macvlan | 10.0.9.1 | 10.0.9.2/24 | 10.0.9.128/25 |
All containers which need anonimity should be connected to this network so their traffic is automatically routed through a VPN. It is prefixed with a_
because networks are added to containers alphabetically and this must be added first to be assigned as the default gateway.
**NOTE** All containers that want to mask the location of their traffic should be part of the a_warp
network.
Creation Command
docker network create --driver macvlan --subnet 10.0.9.2/24 --gateway 10.0.9.1 --ip-range 10.0.9.128/25 --opt parent=eth2 a_warp
No Comments