LXC / contained
Description
A LXC container using nested virtualization responsible for running the majority of my services that run as docker containers.
Configuration
Resources
| Hostname | CPU | Memory |
|---|---|---|
| contained | 6 vCPU | 24GB |
Storage
| Mount Point | Source | Mount Path | Size | Options |
|---|---|---|---|---|
| rootfs | local-zfs:subvol-100-disk-0 | / | 8GB | noatime |
| mp0 | /storage/zpool10/downloads | /storage/downloads | - | noatime;nodev;noexec;nosuid |
| mp1 | /storage/zpool10/downloads/incomplete | /storage/downloads/incomplete | - | noatime;nodev;noexec;nosuid |
| mp2 | /storage/zpool10/media | /storage/media | - | noatime;nodev;noexec;nosuid |
| mp3 | /storage/zpool10/services | /storage/services | - | |
| mp4 | vpool-zfs:subvol-100-disk-1 | /var/lib/docker | 384GB | noatime |
Networking
Interfaces
| ID | Type | Name | Link | IPv4 Address | IPv6 Address | Description |
|---|---|---|---|---|---|---|
| net0 | bridge | eth0 | vmbr3 | 10.0.8.2/21 | DHCPv6 | DMZ |
| net1 | bridge | eth2 | vmbr4 | - | - | WARP |
Docker Networks
A brief overview of how I have my networking setup for Docker.
blackbox_containers
| Type | Gateway | IP/Subnet | IP Range |
|---|---|---|---|
| bridge | - | - | - |
Traefik binds to the host ports on LXC / Contained for HTTP(S) traffic that has been forwarded from firewall and proxies it to the appropriate container using this bridge network.
- Containers that are part of this network can directly access other containers in this network using their hostnames and/or container names.
- Using hostnames to network containers provides an IP agnostic way to communicate while reducing overhead of SSL.
- Containers in this network are not publically accessible, access is controlled with Traefik acting as a gatekeeper.
**NOTE** All publically accessible containers should be part of the blackbox_containers network.
Creation Command
docker network create --driver bridge blackbox_containers
a_warp
| Type | Gateway | IP/Subnet | IP Range |
|---|---|---|---|
| macvlan | 10.0.9.1 | 10.0.9.2/24 | 10.0.9.128/25 |
All containers which need anonimity should be connected to this network so their traffic is automatically routed through a VPN. It is prefixed with a_ because networks are added to containers alphabetically and this must be added first to be assigned as the default gateway.
**NOTE** All containers that want to mask the location of their traffic should be part of the a_warp network.
Creation Command
docker network create --driver macvlan --subnet 10.0.9.2/24 --gateway 10.0.9.1 --ip-range 10.0.9.128/25 --opt parent=eth2 a_warp