Recipe for Colo Containers

LXC Container - Debian 9

  • Create CT: debian 9.4 lxc template, 4 cpu limit, 20 gb (or 40 gb) hdd, 1024/2048/4096 mb ram, 512/1024 mb swap
  • enable fuse in the container (see http://myatus.com/p/quick-note-fuse-inside-proxmox-lxc-container/):
    echo $'lxc.autodev: 1\nlxc.hook.autodev: sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 229"' >> /etc/pve/lxc/###.conf
  • add mounts of old container to new container e.g. pct set 204 --mp0 hdd6tb:vm-104-disk-1,mp=/mnt/glpavideo --mp1 ssd256gb:vm-104-disk-1,mp=/mnt/old
  • pct start 204 && pct enter 204
  • …in the container…
  • reset the root password (since proxmox sets it using an older, less-secure hashing algorithm): passwd
  • migrate users:
    tail -n4 /mnt/old/etc/passwd >> /etc/passwd
    tail -n4 /mnt/old/etc/shadow >> /etc/shadow
  • migrate groups:
    tail -n5 /mnt/old/etc/group >> /etc/group
    tail -n5 /mnt/old/etc/gshadow >> /etc/gshadow
  • use console:
    adduser tdobes adm
    adduser tdobes systemd-journal

    …now you can ssh in

  • sed -i -e 's/"syntax on/syntax on/g' -e 's/"set background=dark/set background=dark/g' -e 's/"set showcmd/set showcmd/g' -e 's/"set showmatch/set showmatch/g' -e 's/"set ignorecase/set ignorecase/g' -e 's/"set smartcase/set smartcase/g' -e 's/"set incsearch/set incsearch/g' -e 's/"set autowrite/set autowrite/g' -e 's/"set hidden/set hidden/g' -e 's/"set mouse=a/set mouse=nic/g' /etc/vim/vimrc
  • vi /etc/vim/vimrc # – and uncomment autocmd block for jumping to last position
  • aptitude update && aptitude forget-new && aptitude full-upgrade
  • aptitude install apache2 php-fpm
  • for glpa-web: aptitude install php-mcrypt
  • a2enmod rewrite proxy_fcgi ssl userdir && a2enconf php7.0-fpm
  • # a2ensite default-ssl
  • sed -i -e 's/^ServerTokens OS$/#ServerTokens OS/g' -e 's/#ServerTokens Full/#ServerTokens Full\nServerTokens Prod/g' /etc/apache2/conf-enabled/security.conf # security paranoia for audit
  • sed -i -e 's/^post_max_size = 8M$/post_max_size = 50M/g' -e 's/^upload_max_filesize = 2M$/upload_max_filesize = 50M/g' /etc/php/7.0/fpm/php.ini
  • systemctl restart php7.0-fpm
  • systemctl restart apache2
  • rm /var/www/html/index.html
  • aptitude install ca-certificates
  • # Let's Encrypt – see https://github.com/lukas2511/dehydrated
    aptitude install dehydrated-apache2 cronic
    
    echo '#!/bin/sh' > /usr/local/sbin/hook_apache-dehydrated
    echo >> /usr/local/sbin/hook_apache-dehydrated
    echo 'case "$1" in' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  "deploy_challenge")' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit 0' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  "clean_challenge")' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit 0' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  "deploy_cert")' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    echo "hook reloading apache2..."' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    # reload apache2' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    systemctl reload apache2' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit $?' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  "unchanged_cert")' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit 0' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  *)' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    echo "unrecognized hook: $1"' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit 1' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo 'esac' >> /usr/local/sbin/hook_apache-dehydrated
    chmod +x /usr/local/sbin/hook_apache-dehydrated
    echo 'HOOK=/usr/local/sbin/hook_apache-dehydrated' > /etc/dehydrated/conf.d/hook_apache.sh
    
    cp -a /mnt/old/etc/dehydrated/domains.txt /etc/dehydrated/domains.txt
    rsync -aix /mnt/old/var/lib/dehydrated/ /var/lib/dehydrated/
    SITE=glpa.org
    sed -e $"s|^\t\tSSLCertificateFile\t/etc/ssl/certs/ssl-cert-snakeoil.pem$|\t\tSSLCertificateFile /var/lib/dehydrated/certs/$SITE/fullchain.pem|g" -e $"s|^\t\tSSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key$|\t\tSSLCertificateKeyFile /var/lib/dehydrated/certs/$SITE/privkey.pem|g" /etc/apache2/sites-available/default-ssl.conf > /etc/apache2/sites-enabled/000-default-ssl.conf
    SITE=
    
    dehydrated -c
    
    # if using staging server to test, verify that server has appropriate key, then rerun on production system:
    # rm /etc/dehydrated/conf.d/staging.sh
    # rm -r /var/lib/dehydrated/private_key.* /var/lib/dehydrated/certs
    # dehydrated -c
    
    echo '1 7,19 * * * root cronic dehydrated -c' > /etc/cron.d/letsencrypt
  • on Drupal sites ONLY (not m-mproductions.com):
    • aptitude install mariadb-server mariadb-client php-mysql
    • set a mariadb root password and stash it in ~/.my.cnf:
      mypass=`date +%s | sha256sum | base64 | head -c 15`  # note: seeded only by the current second, so low entropy; openssl rand -base64 15 is a stronger source
      mysqladmin --user=root password $mypass
      echo $'[client]\nuser=root\nhost=localhost\npassword='$mypass > ~/.my.cnf
      chmod 0700 ~/.my.cnf
      mypass=
    • mysql
      CREATE USER tdobes@localhost IDENTIFIED BY '***PASSWORD***';
      GRANT ALL PRIVILEGES ON *.* TO tdobes@localhost WITH GRANT OPTION;
      \q
      rm ~/.mysql_history
    • aptitude install git tmux
    • aptitude install phpmyadmin # (when asked, enable for apache2, tell it yes when asked about creating db, and provide no password to randomly generate)
    • force phpmyadmin to HTTPS only:
      echo '<Directory /usr/share/phpmyadmin/>' > /etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf
      echo 'RewriteEngine On' >> /etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf
      echo 'RewriteCond %{HTTPS} off' >> /etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf
      echo 'RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]' >> /etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf
      echo '</Directory>' >> /etc/apache2/sites-enabled/phpmyadmin-force_ssl.conf
    • enable remote SSH access to old system to migrate db: ssh-keygen, then cat .ssh/id_rsa.pub >> /mnt/old/root/.ssh/authorized_keys
    • migrate databases: ssh 192.168.222.4 mysqldump -p***PASSWORD*** --add-drop-database --databases drupal civicrm pleiades_drupal pleiades_civicrm | mysql
    • migrate db credentials: ssh 192.168.222.4 'mysqldump -p***PASSWORD*** mysql db user --skip-add-drop-table --no-create-info --complete-insert --where="User IN (\"drupal\", \"civicrm\", \"pleiades_drupal\", \"pleiades_civicrm\")"' | mysql mysql && mysql -e 'flush privileges;'
    • recreate drupal apache config:
      echo '<Directory /var/www/html/>' > /etc/apache2/sites-enabled/drupal.conf
      cat /var/www/html/.htaccess >> /etc/apache2/sites-enabled/drupal.conf
      echo '</Directory>' >> /etc/apache2/sites-enabled/drupal.conf
    • merge in any site-specific settings into /etc/apache2/sites-enabled/drupal.conf
    • a2enmod headers expires # these are used by drupal
    • aptitude --without-recommends install php-uploadprogress # drupal wants this too (without recommends to avoid apache mod_php)
  • migrate ssh keys: cp -a /mnt/old/etc/ssh/ssh_host_*key* /etc/ssh/
  • migrate homes: rsync -aix --del /mnt/old/home/ /home/
  • migrate webroot: rsync -aix --del /mnt/old/var/www/ /var/www/
  • migrate apache config: rsync -ai --ignore-existing /mnt/old/etc/apache2/sites-enabled/ /etc/apache2/sites-enabled/
  • migrate cron scripts: rsync -ai --ignore-existing --exclude php5 /mnt/old/etc/cron.d/ /etc/cron.d/
  • for iyb vm:
    • migrate http basic auth files: rsync -aix --del /mnt/old/etc/apache2/auth /etc/apache2/
    • aptitude install unzip
  • for glpa vm:
    • a2enmod proxy_http # needed to pass through HLS to stream vm
    • php 7.3 backport:
      aptitude install apt-transport-https
      #wget -O- "https://packages.sury.org/php/apt.gpg" | apt-key add -
      wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
      echo 'deb https://packages.sury.org/php/ stretch main' > /etc/apt/sources.list.d/php.list
      aptitude update && aptitude full-upgrade # (but disable libapache2-mod-php, which is recommended by php-uploadprogress)
      a2disconf php7.0-fpm && a2enconf php7.3-fpm && systemctl reload apache2
      sed -i -e 's/^post_max_size = 8M$/post_max_size = 50M/g' -e 's/^upload_max_filesize = 2M$/upload_max_filesize = 50M/g' /etc/php/7.3/fpm/php.ini
      systemctl reload php7.3-fpm
      systemctl stop php7.0-fpm && systemctl disable php7.0-fpm
      systemctl enable php7.3-fpm && systemctl start php7.3-fpm
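The user and group migration steps above copy a fixed number of lines with tail -n4 / tail -n5, which silently goes wrong when the count is off, and the root password step notes that weak hashes exist. As an added example that is not part of this recipe, the script below picks the accounts to carry over by UID/GID range instead, skips names the new container already has, and flags migrated shadow hashes that are neither $6$ nor $y$; the function names, the 1000-59999 range and the OUTDIR review step are my assumptions, not the author's.

```shell
#!/bin/sh
# Added example, not from the original recipe: plan an account migration
# from the old container's /etc to the new one by UID/GID range instead of
# a fixed "tail -n4", skip names already present in the destination, and
# flag migrated shadow entries whose hash is not SHA-512 ($6$) or yescrypt
# ($y$). Assumes POSIX sh with awk; OLD/NEW are directories such as
# /mnt/old/etc and /etc. Nothing is appended to NEW: review OUTDIR/*.add,
# then e.g.  cat OUTDIR/passwd.add >> /etc/passwd  for each of the four files.

# select_by_id FILE MIN MAX: passwd or group lines whose numeric id
# (field 3: UID or GID) lies within [MIN, MAX]. 1000-59999 is Debian's
# regular-user range, so system accounts and nobody/nogroup are excluded.
select_by_id() {
    awk -F: -v min="$2" -v max="$3" '$3 >= min && $3 <= max' "$1"
}

# drop_existing DEST_FILE: filter stdin, removing lines whose name (field 1)
# already exists in DEST_FILE, so a rerun never duplicates an account.
# (FILENAME is compared rather than NR==FNR so an empty DEST_FILE works.)
drop_existing() {
    awk -F: -v dest="$1" 'FILENAME == dest { have[$1] = 1; next } !($1 in have)' "$1" -
}

# companions SRC NAMES_FILE: lines of SRC (shadow or gshadow) whose name
# is listed in NAMES_FILE (one name per line).
companions() {
    awk -F: -v names="$2" 'FILENAME == names { want[$1] = 1; next } $1 in want' "$2" "$1"
}

# weak_hashes SHADOW_FILE: names whose hash prefix is neither $6$ nor $y$.
# Locked or empty password fields ('!', '*', '') are not hashes and are skipped.
weak_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$(6|y)\$/ { print $1 }' "$1"
}

# plan_migration OLD NEW MIN MAX OUTDIR: write passwd.add, shadow.add,
# group.add and gshadow.add into OUTDIR and print the names of migrated
# users whose password should be reset with passwd after the move.
plan_migration() {
    old=$1 new=$2 min=$3 max=$4 out=$5
    mkdir -p "$out"
    for pair in passwd:shadow group:gshadow; do
        main=${pair%%:*} side=${pair##*:}
        select_by_id "$old/$main" "$min" "$max" \
            | drop_existing "$new/$main" > "$out/$main.add"
        cut -d: -f1 "$out/$main.add" > "$out/$main.names"
        companions "$old/$side" "$out/$main.names" > "$out/$side.add"
    done
    weak_hashes "$out/shadow.add"
}
```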
computer/colo_container_recipe.txt · Last modified: 2019/04/18 12:06 by tdobes