diff --git a/docs/books/.pages b/docs/books/.pages index b77b5b87ea..2f4e1a20c3 100644 --- a/docs/books/.pages +++ b/docs/books/.pages @@ -5,6 +5,6 @@ nav: - Learning Ansible: learning_ansible - Learning Bash: learning_bash - Learning Rsync: learning_rsync - - LXD Production Server: lxd_server + - LXD Server: lxd_server - DISA STIG: disa_stig - ... diff --git a/docs/books/lxd_server/00-toc.md b/docs/books/lxd_server/00-toc.md index 6968696761..22f742d51f 100644 --- a/docs/books/lxd_server/00-toc.md +++ b/docs/books/lxd_server/00-toc.md @@ -1,5 +1,5 @@ --- -title: LXD Server +title: Introduction author: Steven Spencer contributors: Ezequiel Bruni tested with: 8.5, 8.6, 9.0 diff --git a/docs/books/lxd_server/01-install.md b/docs/books/lxd_server/01-install.md index bc43ed4b84..6f78cc9f84 100644 --- a/docs/books/lxd_server/01-install.md +++ b/docs/books/lxd_server/01-install.md @@ -11,7 +11,7 @@ tags: # Chapter 1: Install and Configuration -Throughout this section you will need to be the root user or you will need to be able to _sudo_ to root. +Throughout this chapter you will need to be the root user or you will need to be able to _sudo_ to root. ## Install EPEL and OpenZFS Repositories 
@@ -195,51 +195,3 @@ net.core.bpf_jit_limit = 3000000000 ``` Do the same with a few other settings in the override file (above) to verify that changes have been made. - -### Enabling ZFS And Setting Up The Pool (8.6 Only) - -If you have UEFI secure boot turned off, this should be fairly easy. First, load the ZFS module with modprobe: - -``` -/sbin/modprobe zfs -``` - -This should not return an error, it should simply return to the command prompt when done. If you get an error, stop now and begin troubleshooting. Again, make sure that secure boot is off as that will be the most likely culprit. - -Next we need to take a look at the disks on our system, determine what has the OS loaded on it, and what is available to use for the ZFS pool. We will do this with _lsblk_: - -``` -lsblk -``` - -Which should return something like this (your system will be different!): - -``` -AME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT -loop0 7:0 0 32.3M 1 loop /var/lib/snapd/snap/snapd/11588 -loop1 7:1 0 55.5M 1 loop /var/lib/snapd/snap/core18/1997 -loop2 7:2 0 68.8M 1 loop /var/lib/snapd/snap/lxd/20037 -sda 8:0 0 119.2G 0 disk -├─sda1 8:1 0 600M 0 part /boot/efi -├─sda2 8:2 0 1G 0 part /boot -├─sda3 8:3 0 11.9G 0 part [SWAP] -├─sda4 8:4 0 2G 0 part /home -└─sda5 8:5 0 103.7G 0 part / -sdb 8:16 0 119.2G 0 disk -├─sdb1 8:17 0 119.2G 0 part -└─sdb9 8:25 0 8M 0 part -sdc 8:32 0 149.1G 0 disk -└─sdc1 8:33 0 149.1G 0 part -``` - -In this listing, we can see that */dev/sda* is in use by the operating system, so we are going to use */dev/sdb* for our zpool. Note that if you have multiple free hard drives, you may wish to consider using raidz (a software raid specifically for ZFS). - -That falls outside the scope of this document, but should definitely be a consideration for production, as it offers better performance and redundancy. 
For now, let's create our pool on the single device we have identified: - -``` -zpool create storage /dev/sdb -``` - -What this says is to create a pool called "storage" that is ZFS on the device */dev/sdb*. - -Once the pool is created, it's a good idea to reboot the server again at this point. diff --git a/docs/books/lxd_server/02-zfs_setup.md b/docs/books/lxd_server/02-zfs_setup.md index 0a6d990070..371ac7bf7d 100644 --- a/docs/books/lxd_server/02-zfs_setup.md +++ b/docs/books/lxd_server/02-zfs_setup.md @@ -11,7 +11,9 @@ tags: # Chapter 2: ZFS Setup -If you are using Rocky Linux 8.6 and have already installed ZFS, this section will walk you through ZFS setup. +Throughout this chapter you will need to be the root user or able to `sudo` to become root. + +If you have already installed ZFS, this section will walk you through ZFS setup. ## Enabling ZFS and setting Up the pool diff --git a/docs/books/lxd_server/03-lxdinit.md b/docs/books/lxd_server/03-lxdinit.md index 28e5fa9d1f..7e94e70ca1 100644 --- a/docs/books/lxd_server/03-lxdinit.md +++ b/docs/books/lxd_server/03-lxdinit.md @@ -12,7 +12,7 @@ tags: # Chapter 3: LXD Initialization and User Setup -There are separate procedures for Rocky Linux 8.6 and 9.0 below, with the 8.6 version assuming that you are using a ZFS storage pool. +Throughout this chapter you will need to be root or able to `sudo` to become root. In addition, we are assuming that you have setup a ZFS storage pool as described in [Chapter 2](02-zfs_setup). You can use a different storage pool if you have chosen not to use ZFS, but you will need to make adjustments to the initialization questions and answers. ## LXD Initialization diff --git a/docs/books/lxd_server/04-firewall.md b/docs/books/lxd_server/04-firewall.md index 8adbe4e9cb..dc55083c46 100644 --- a/docs/books/lxd_server/04-firewall.md +++ b/docs/books/lxd_server/04-firewall.md 
@@ -11,6 +11,8 @@ tags: # Chapter 4: Firewall Setup +Throughout this chapter you will need to be root or able to `sudo` to become root. + As with any server, you need to make sure that it is secured from the outside world and on your LAN. While our example server only has a LAN interface, it is totally possible to have two interfaces, one each facing your LAN and WAN networks. While we cover `iptables` rules in this procedure, we **highly** recommend using the `firewalld` procedure instead (see the note below). ## Firewall Set Up - iptables @@ -19,6 +21,8 @@ As with any server, you need to make sure that it is secured from the outside wo Starting with Rocky Linux 9.0, `iptables` and all of the associated utilities are officially deprecated. This means that in future versions of the OS, perhaps as early as 9.1, they will disappear altogether. For this reason, you should skip down to the `firewalld` procedure below before continuing. + It's actually a good idea to use `firewalld` for Rocky Linux 8.6 as well, but we *do* offer you the option of using `iptables` if you really want it. + Before continuing, you will want a firewall set up on your server. This example is using _iptables_ and [this procedure](../../guides/security/enabling_iptables_firewall.md) to disable _firewalld_. If you prefer to use _firewalld_, simply substitute in _firewalld_ rules using the instructions below this section. Create your firewall.conf script: diff --git a/docs/books/lxd_server/05-lxd_images.md b/docs/books/lxd_server/05-lxd_images.md index 208141b708..1ff70e4fe2 100644 --- a/docs/books/lxd_server/05-lxd_images.md +++ b/docs/books/lxd_server/05-lxd_images.md 
@@ -11,7 +11,7 @@ tags: # Chapter 5: Setting Up and Managing Images -Throughout this chapter and from here on out unless otherwise noted, you will be running commands as your unprivileged user. ("lxdadmin" if you are following along with these documents). +Throughout this chapter you will need to execute commands as your unprivileged user ("lxdadmin" if you have been following this book from the beginning). ## List Available Images diff --git a/docs/books/lxd_server/06-profiles.md b/docs/books/lxd_server/06-profiles.md index 94f0852c57..1b1e6ba60e 100644 --- a/docs/books/lxd_server/06-profiles.md +++ b/docs/books/lxd_server/06-profiles.md @@ -11,6 +11,8 @@ tags: # Chapter 6: Profiles +Throughout this chapter you will need to execute commands as your unprivileged user ("lxdadmin" if you've been following from the beginning in this book). + You get a default profile when you install LXD, and this profile cannot be removed or modified. That said, you can use the default profile to create new profiles to use with your containers. If you look at our container listing you will notice that the IP address in each case is assigned from the bridged interface. In a production environment, you may want to use something else. This might be a DHCP assigned address from your LAN interface or even a statically assigned address from your WAN. diff --git a/docs/books/lxd_server/07-configurations.md b/docs/books/lxd_server/07-configurations.md index 706d2e6631..d7c96698c5 100644 --- a/docs/books/lxd_server/07-configurations.md +++ b/docs/books/lxd_server/07-configurations.md 
@@ -11,6 +11,8 @@ tags: # Chapter 7: Container Configuration Options +Throughout this chapter you will need to execute commands as your unprivileged user ("lxdadmin" if you've been following from the beginning in this book). + There are a wealth of options for configuring the container once you have it installed. Before we get into how to see those, however, let's take a look at the info command for a container. In this example, we will use the ubuntu-test container: ``` diff --git a/docs/books/lxd_server/08-snapshots.md b/docs/books/lxd_server/08-snapshots.md index 26085f801b..a5fed6cefd 100644 --- a/docs/books/lxd_server/08-snapshots.md +++ b/docs/books/lxd_server/08-snapshots.md @@ -11,6 +11,8 @@ tags: # Chapter 8: Container Snapshots +Throughout this chapter you will need to execute commands as your unprivileged user ("lxdadmin" if you've been following along from the beginning of this book). + Container snapshots, along with a snapshot server (which we will get to more later), are probably the most important aspect of running a production LXD server. Snapshots ensure quick recovery, and can be used for safety when you are, say, updating the primary software that runs on a particular container. If something happens during the update that breaks that application, you simply restore the snapshot and you are back up and running with only a few seconds worth of downtime. The author used LXD containers for PowerDNS public facing servers, and the process of updating those applications became so much more worry-free, since you can snapshot the container first before continuing. diff --git a/docs/books/lxd_server/09-snapshot_server.md b/docs/books/lxd_server/09-snapshot_server.md index 3eac16d241..0b09c841be 100644 --- a/docs/books/lxd_server/09-snapshot_server.md +++ b/docs/books/lxd_server/09-snapshot_server.md 
@@ -11,6 +11,8 @@ tags: # Chapter 9: Snapshot Server +This chapter uses a combination of the privileged (root) user, and the unprivileged (lxdadmin) user, based on the tasks we are executing. + As noted at the beginning, the snapshot server for LXD should be a mirror of the production server in every way possible. The reason is that you may need to take it to production in the event of a hardware failure, and having not only backups, but a quick way to bring up production containers, keeps those systems administrator panic phone calls and text messages to a minimum. THAT is ALWAYS good! So the process of building the snapshot server is exactly like the production server. To fully emulate our production server set up, do all of **Chapters 1-4** again on the snapshot server, and when completed, return to this spot. @@ -32,7 +34,7 @@ In our lab, the primary LXD server is running on 192.168.1.106 and the snapshot Next, we need to allow all traffic between the two servers. To do this, we are going to modify the /etc/firewall.conf file with the following. First, on the lxd-primary server, add this line: -### IPTables - Rocky Linux 8.6 and below only +### Iptables - (Use the `firewalld` procedure if possible) ``` IPTABLES -A INPUT -s 192.168.1.141 -j ACCEPT @@ -46,7 +48,7 @@ IPTABLES -A INPUT -s 192.168.1.106 -j ACCEPT This allows bi-directional traffic of all types to travel between the two servers. -### Firewalld - Rocky Linux 9.0 (also works with 8.x) +### Firewalld ``` firewall-cmd zone=trusted add-source=192.168.1.141 --permanent 
@@ -66,7 +68,7 @@ firewall-cmd reload ## Setting Up The Primary and Snapshot Server Relationship (continued) -Next, as the "lxdadmin" user, we need to set the trust relationship between the two machines. This is done by executing the following on lxd-primary: +Next, as our unprivileged (lxdadmin) user, we need to set the trust relationship between the two machines. This is done by executing the following on lxd-primary: ``` lxc remote add lxd-snapshot @@ -127,7 +129,7 @@ After a short period of time has expired, the copy will be complete. Want to fin +-------------------+---------+------+------+-----------+-----------+ ``` -Success! Now let's try starting it. Because we are starting it on the lxd-snapshot server, we need to stop it first on the lxd-primary server: +Success! Now let's try starting it. Because we are starting it on the lxd-snapshot server, we need to stop it first on the lxd-primary server to avoid an IP address conflict: ``` lxc stop rockylinux-test-9 @@ -182,4 +184,3 @@ GREAT, but we certainly don't want a new snapshot every day without getting rid ``` lxc config set rockylinux-test-9 snapshots.expiry 1d ``` - diff --git a/docs/books/lxd_server/10-automating.md b/docs/books/lxd_server/10-automating.md index 27fc9f8f0e..a38a8e8d6b 100644 --- a/docs/books/lxd_server/10-automating.md +++ b/docs/books/lxd_server/10-automating.md @@ -11,6 +11,8 @@ tags: # Chapter 10: Automating Snapshots +Throughout this chapter you will need to be root or able to `sudo` to become root. + Automating the snapshot process makes things a whole lot easier. ## Automating The Snapshot Copy Process diff --git a/docs/books/lxd_server/30-appendix_a.md b/docs/books/lxd_server/30-appendix_a.md index 71e9c08af4..31aac29ce1 100644 --- a/docs/books/lxd_server/30-appendix_a.md +++ b/docs/books/lxd_server/30-appendix_a.md 
@@ -10,7 +10,7 @@ tags: # Appendix A - Workstation Setup -While not a part of the chapters for an LXD Production Server, this procedure will help those who wish to have a lab environment, or semi-permanent OS and application, running on a Rocky Linux workstation or laptop. +While not a part of the chapters for an LXD Server, this procedure will help those who wish to have a lab environment, or semi-permanent OS and application, running on a Rocky Linux workstation or laptop. ## Prerequisites
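Review bot: The 01-install.md hunk removes the whole "Enabling ZFS And Setting Up The Pool (8.6 Only)" section, but nothing in this patch adds the `/sbin/modprobe zfs` check, the `lsblk` step for identifying which disk holds the OS, or the `zpool create storage /dev/sdb` command to Chapter 2; confirm that 02-zfs_setup.md already carries them under "## Enabling ZFS and setting Up the pool", since a reader who skips the `lsblk` step risks creating the pool on the OS disk. While in that file, the context heading "setting Up" should be "Setting Up" to match the capitalization used in 09-snapshot_server.md ("## Setting Up The Primary and Snapshot Server Relationship").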
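Review bot: In the 03-lxdinit.md hunk, "you have setup a ZFS storage pool" should read "set up", and the link `[Chapter 2](02-zfs_setup)` omits the `.md` extension that the other in-book link in this patch uses (`../../guides/security/enabling_iptables_firewall.md` in 04-firewall.md). The removed sentence also said there were separate 8.6 and 9.0 procedures below; the hunk does not touch those sections, so either they have been merged elsewhere or the new intro should still tell the reader which procedure to follow.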
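Review bot: In the first 09-snapshot_server.md hunk the new heading "### Iptables - (Use the `firewalld` procedure if possible)" is inconsistent with the `iptables` code-span spelling used throughout the 04-firewall.md hunks; suggest "### iptables (use the `firewalld` procedure if possible)". The unchanged context line `IPTABLES -A INPUT -s 192.168.1.141 -j ACCEPT` would, as written, try to run a command named IPTABLES; if firewall.conf defines IPTABLES as a shell variable, check that a leading `$` has not been lost from the listing.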
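Review bot: The context lines in the "### Firewalld" hunk of 09-snapshot_server.md, `firewall-cmd zone=trusted add-source=192.168.1.141 --permanent` and `firewall-cmd reload`, are missing the `--` prefix on `zone`, `add-source` and `reload` and will be rejected by firewall-cmd; they should read `firewall-cmd --zone=trusted --add-source=192.168.1.141 --permanent` and `firewall-cmd --reload`. Since the heading is being edited anyway, fixing the commands in the same change would be worthwhile; note that placing the peer in the trusted zone admits every packet from that address, which the surrounding text ("bi-directional traffic of all types") already intends.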
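Review bot: The per-chapter user lines added to 05-lxd_images.md, 06-profiles.md, 07-configurations.md and 08-snapshots.md say the same thing in four different ways ("if you have been following this book from the beginning", "if you've been following from the beginning in this book", "if you've been following along from the beginning of this book"); pick one sentence and reuse it verbatim so the chapters read consistently.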
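Review bot: The 10-automating.md hunk states that the whole chapter is run as root, whereas the 09-snapshot_server.md hunk says snapshot work mixes the root and lxdadmin users and the `lxc` commands in that chapter run as lxdadmin; confirm that the automation really requires root throughout (for example because the cron entries are installed system-wide), otherwise this line should use the mixed-user wording from Chapter 9 so readers are not pushed to run `lxc` as root unnecessarily.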