Cyberben's picture

Hello all,

I recently found turnkeylinux.org. I am very interested in the LXC appliance. Excited to begin downloading and deploying multiple TurnKey apps side-by-side on the same host in securely isolated lightweight containers.

Is there a step-by-step instruction on how to do this the turnkeylinux.org way? I've been searching for the proper command lines that work with the appliance provided here.

Thank You

 

Cyberben's picture

As a complete novice I was having a hard time figuring out what I was looking at.

Found some things that suggest this might be the LXC available in the Ubuntu 16.04 default repository.

lxc-checkconfig
ls /usr/share/lxc/templates/
lxc-ls

and a lot of other commands respective to this version work. I'm just not clear on the specific commands needed to successfully start using the several appliances I want to use.

Thanks

 

 

Jeremy Davis's picture

The LXC appliance page has some basic overview info which is worth reading in full (if you haven't yet - at least until you get to the "Usage details & Logging in for Administration" section).

You'll also notice at the end of the top section (just above the screenshots), there is a link to the LXC appliance usage docs, which should hopefully get you going in the right direction (for use with TurnKey apps at least). Otherwise as you've discovered, it should work as per "usual" (i.e. the default LXC commands should "just work") for TurnKey and non-TurnKey LXC templates alike.

If you're having a particular issue with something, or there's something in the docs you don't understand, or isn't working as you'd expect, please give further specific details of the issue/confusion and I'll do my best to assist you.

As a bit of background, TurnKey Linux is based on Debian; which is also the basis of Ubuntu (although unlike Ubuntu, TurnKey is completely "binary compatible" with Debian). The current library images (i.e. v15.x series) are built on top of Debian 9/Stretch (currently "oldstable"). The (as yet unreleased) upcoming v16.x series will be based on Debian 10/Buster (currently "stable").

Some other resources you may find of interest are the Debian LXC wiki page and the LXC man page - also available from the terminal of your appliance (as should most other terminal commands). I.e. like this:

man lxc

Please note that whilst the Debian wiki can often give a good overview and general info, Debian wiki pages can sometimes be a bit out of date. The man pages for the specific version (i.e. from the local commandline, or the online 9/Stretch pages in the case of v15.x apps) should always be relevant to the versions you have installed locally.

If you have any further issues or questions, please ask.

Cyberben's picture

Thank you

 

 

Cyberben's picture

My machine is on a home network. I've used this from the usage text:

# cat > /root/wp.inithooks.conf <<EOF
export ROOT_PASS=secretrootpass
export DB_PASS=secretmysqlpass
export APP_PASS=secretadminwppass
export APP_EMAIL=admin@example.com
export APP_DOMAIN=www.example.com
export HUB_APIKEY=SKIP
export SEC_ALERTS=SKIP
export SEC_UPDATES=FORCE
EOF

Continuing from the earlier inithooks example, we'll create a TurnKey Wordpress container using the bridged network configuration.

Create the container:

# lxc-create -n wp1 -f /etc/lxc/bridged.conf -t turnkey -- wordpress -i /root/wp.inithooks.conf -v 15.0-stretch

This could have been shortened because the version now defaults to `latest available`:

# lxc-create -n wp1 -f /etc/lxc/bridged.conf -t turnkey -- wordpress -i /root/wp.inithooks.conf

Start the container:

# lxc-start -n wp1

List the containers:

# lxc-ls -f

"Wp is running but not connected."

I don't actually understand any of it, I just got that far using that text as a guide. Super unclear on how to use this information to run other applications I actually wanted to.

This is really interesting stuff. I had hoped I could quickly get away from VMware technology using this but it's over my head this season.

I'm left wondering what would each of the namesofall.inithooks.conf files be for the respective appliances?

I wanted to use the Samba appliance among others.

If I ever figure it out I will try to post a guide here.

Jeremy Davis's picture

Whilst our LXC appliance should do what you want, considering that the learning curve for the uninitiated (vs VMware for example) is perhaps a little steep, maybe our LXC app isn't the best fit for you? Whilst it's lean but still pretty powerful, perhaps there is a better option for your purposes? Assuming that you are after a locally installable free open source server hosting solution, perhaps the Proxmox Virtual Environment might suit your purposes better? That provides support for LXC too, as well as "proper" full VMs (via KVM - so you can also run Windows or other OS - not just Linux as per LXC). It has a relatively intuitive (web based) admin UI. TurnKey appliances are available for download and usage within the web UI too! :)

It is worth noting that there are some idiosyncrasies with our current images (which I hope to address in our upcoming v16.x release). E.g. launching an "unprivileged" container (the Proxmox default) will fail. Current TurnKey appliances require a "privileged" container - although there is a somewhat clunky workaround documented on the bug (please note that the bug is closed because code that resolves it has been merged; however the images have not been rebuilt as we're holding out for the new, upcoming major version release).


If you'd prefer to persist with TurnKey LXC host:

So could you please clarify what you mean when you say "Wp is running but not connected."? Was that the output that showed up when you listed your containers?

In the example you've used (taken from the docs by the look) you're using the bridged networking. That means that your new container should get assigned an IP address via your network DHCP (just like any other "real" PC on your network would). And it should "just work". It's been a while, but last time I tested, the examples given in the docs created a WordPress container that could be directly accessed via its (DHCP allocated) IP address.


Re the required contents of inithooks.conf files for other appliances, for starters, you should be able to get by with just using those same ones. Any that are irrelevant will be ignored. Any that are required but not set will be manually/interactively set when you log in via SSH.

If you'd rather it all be pre-seeded from the get go, then all the appliance inithooks should be documented (and there's a link to the inithooks docs at the top of the inithooks section in the LXC docs).

FWIW, as noted at the top of the inithooks doc page (on the website) it notes that we try to keep the docs up to date, but sometimes they get a little out of date, so as a general rule it's often easier to just read the source. Having said that, we're currently midway through transitioning to a new major version (v16.x) so the live docs actually reflect the new (as yet unreleased) version. It should be near enough for your purposes. Whilst there's some new inithooks for v16.x, configuring them on a v15.x system shouldn't cause error, they should just be ignored. In fear of confusing you, it's possible to view the inithooks docs specifically for v15.x and because it's easier for me to link directly to the relevant sections that's what I'll use in this post.

If you want to get a good understanding of how the inithooks work, it's worth at least a skim through the whole page. If there's anything that doesn't make any sense, please ask. Perhaps we can improve them?

Anyway, about 2/3 of the way down, you'll find a section titled: List of initialization hooks and preseeding configuration parameters. The inithook info is displayed in 2 or 3 columns. The first column is the name of the inithook file (which strictly speaking, is irrelevant for your purposes currently; although is useful when we get to the appliance specific inithooks). The second is the variable name you'll need to set in the inithooks.conf file. The 3rd (if it's there) is the values that it will accept. Optional values are in square brackets.

So the first set (i.e. "30rootpass" to "95secupdates") are common to all appliances. The next set (just one line; "29preseed") is for "headless" builds only (FWIW headless builds are when you don't have access to a "proper" terminal - so the LXC builds are headless). The third and final set of inithooks are the appliances specific ones. Appliances that include MySQL (i.e. all of the LAMP based appliances) or PostgreSQL use the top 2 ("35mysqlpass" & "35pgsqlpass" respectively). Then the rest are explicitly named for the appliance they occur in. E.g. for WordPress; set "APP_PASS" and "APP_EMAIL" - as per "40wordpress".

Re your note that you intend to use Samba, which one? We have 2; they both include Samba4 but are configured quite differently. The Fileserver appliance is configured in "stand alone mode" (as per Samba3) and as the name suggests is designed to act as a stand-alone Fileserver. The Domain Controller appliance is configured to be a (Samba4) Active Directory Domain Controller.

Re Fileserver: You'll note that there isn't actually an inithook noted for the Fileserver appliance. That has a twofold reason. Firstly - it's not required for most builds (it recycles the root Linux user account password and also uses it as the Samba root user password too). And secondly - we've neglected to note the exception for LXC. On an LXC instance, as the root Linux user is set on the host, you actually do need to explicitly note the Samba root user password (via APP_USER). As per my notes above, looking at the Fileserver . I've just updated the readme to include that now (although only in master). FYI:

Fileserver appliance specific - LXC only:

    35samba-container       APP_PASS

Linux and Samba user management is separate and discrete. Previously by default Samba users were mapped 1-1 with Linux users and Samba supported synchronization of passwords between the Linux and Samba users (so essentially the difference between the 2 user management systems was hidden from the end user). However due to a significant security issue, this module has been removed. Samba4 has moved to prioritize support for AD integration (which uses a different paradigm - all Samba users are contained within a single Linux user account).

To somewhat work around this limitation, on the TurnKey Fileserver appliance, when you set the root (Linux) user password, the Samba root user password is also set. However for an LXC container, the root password is set on the host, not the guest. So this workaround is not possible. Hence the Samba root password must be set separately.

As noted in the docs, the Domain Controller's inithooks are:

APP_PASS, APP_DOMAIN [, APP_REALM, APP_JOIN, APP_JOIN_NS]

Note APP_JOIN, APP_JOIN_NS are only relevant if you wish to join an existing domain.

Cyberben's picture

Thank you! Forgive me, let me try again,

So I reinstalled the vmdk for LXC from scratch.

I wanted to use Fileserver as the Appliance to start with.

 

My question is: What would these values have to look like, to use the Fileserver

---Start inithooks example---

# cat > /root/wp.inithooks.conf <<EOF
export ROOT_PASS=secretrootpass
export DB_PASS=secretmysqlpass
export APP_PASS=secretadminwppass
export APP_EMAIL=admin@example.com
export APP_DOMAIN=www.example.com
export HUB_APIKEY=SKIP
export SEC_ALERTS=SKIP
export SEC_UPDATES=FORCE
EOF

---End inithooks example---

 

Also: how would this command line change if you wanted to load the Fileserver appliance

---Begin lxc-create example---

# lxc-create -n wp1 -f /etc/lxc/bridged.conf -t turnkey -- wordpress -i /root/wp.inithooks.conf

---End lxc-create example---

 

Studying the way to load the images to the Turnkey LXC appliance.

 

Ben

 

 

Or if you were able to use the images with current version that comes with Ubuntu Server 18-

Loading Turnkey images on it yourself. The command for the version Turnkey LXC uses would be different

 

From: https://ubuntu.com/blog/lxd-2-0-image-management-512

 

Manually importing images (excerpt from current version)

Importing from a URL

“lxc image import” also works with some special URLs. If you have an https web server which serves a path with the LXD-Image-URL and LXD-Image-Hash headers set, then LXD will pull that image into its image store.

For example you can do:

lxc image import https://dl.stgraber.org/lxd --alias busybox-amd64

When pulling the image, LXD also sets some headers which the remote server could check to return an appropriate image. Those are LXD-Server-Architectures and LXD-Server-Version.

This is meant as a poor man’s image server. It can be made to work with any static web server and provides a user friendly way to import your image.

 

 

 

Jeremy Davis's picture

Whilst it may not be obvious to you, your question re inithooks is answered in my previous post (not to mention the docs I pointed to). I'm trying to take the "teach a man to fish..." approach! :) But perhaps my rambling writing style and my attempt to be exhaustive is making it too hard for you to see the explicit info you're after? Regardless, re-reading the docs a few times now, I keep noticing bits that need update/tweaking, so it's a great opportunity for me to tidy up the docs a bit in preparation of our upcoming v16.x release. I've tweaked my previous post a little too.

So please let me try again... For starters, let me highlight the explicitly relevant bit from my (updated) previous post:

Re the required contents of inithooks.conf files for other appliances, for starters, you should be able to get by with just using those same ones. Any that are irrelevant will be ignored. Any that are required but not set will be manually/interactively set when you log in via SSH.

In the case of the Fileserver appliance, there are no additional values required (so if you use that same inithooks.conf file you should not be required to interactively answer any questions on first SSH login). Plus many of those will be ignored as they are irrelevant to the Fileserver appliance. E.g. to quote myself again:

On an LXC instance, as the root Linux user is set on the host, you actually do need to explicitly note the Samba root user password (via APP_USER). [...] FYI:

Fileserver appliance specific - LXC only:

    35samba-container       APP_PASS

A further recommendation I'd make is that you name your Fileserver inithooks preseeds file something more relevant. What you have posted will generate a file named /root/wp.inithooks.conf, I suggest that you name it something more appropriate such as /root/fserver.inithooks.conf (or whatever takes your fancy; so long as you call that same file when you launch the Fileserver LXC template; it doesn't really matter).

To be explicit; for the Fileserver itself, only the value of APP_PASS will be used/required (to set the fileserver root Samba user password when running on LXC). As hinted in the Inithooks docs - under "Preseeding >> List of initialization hooks and preseeding configuration parameters" the last 3 lines are generically useful. Please note that I have (hopefully) improved that section of the docs in the master branch. So here's the 3 other values you'll likely want to include.

  • HUB_APIKEY=SKIP - will skip adding the Hub API key (or include your Hub API key if you're using our automated remote backup tool, TKLBAM).
  • SEC_ALERTS=SKIP - will skip registering for sec_alerts.
  • SEC_UPDATES=FORCE - will force apt security updates to run on first boot.

So to explicitly summarise all this into an example of what you might do (I removed the leading hash so you can copy/paste into your terminal):

cat > /root/fserver.inithooks.conf <<EOF
export APP_PASS=secret_samba_root_pass
export HUB_APIKEY=SKIP
export SEC_ALERTS=SKIP
export SEC_UPDATES=FORCE
EOF

Then to load the LXC Fileserver appliance (named 'fserver', using the /root/fserver.inithooks.conf created above):

lxc-create -n fserver -f /etc/lxc/bridged.conf -t turnkey -- fileserver -i /root/fserver.inithooks.conf

Re using LXD via Ubuntu, I have no idea really... By my (limited) understanding LXD is essentially a wrapper around LXC. But it's not a part of the TurnKey LXC appliance and I have no experience with it. In a perfect world, we'd have LXD images (available via an "LXD image server"), however it's not been a priority for us, so there has been no progress there. Another community member has played with it a fair bit and has done some work on providing better, more integrated support for LXD, but he's been busy travelling so efforts have somewhat stalled AFAIK. Plus it would also require us (or someone) to provide the LXD image server infrastructure. One day perhaps...?!

To elaborate a little further; AFAIK, under the hood LXD uses vanilla LXC, so it should certainly be possible to use our images with LXC/LXD on Ubuntu. But our images are NOT LXD images. So you can't auto download the template as per your quote. LXC/LXD on Ubuntu also doesn't have support for our inithooks, so you would need to log in via SSH and complete them interactively. Also, from my brief googling, it appears that LXD requires a metadata.yaml file in a specific format which we don't provide. It appears that LXD also uses cloud-init which our images also don't currently include or support.

If you were determined to use Ubuntu rather than our LXC appliance (or Proxmox as mentioned/recommended in my previous post), I'm fairly sure that you could still make it work. I strongly suspect that all of those points mentioned could be worked around, but will require a fair bit more legwork by you. Judging by our conversation to date, I suspect that the required reading and experimentation on your behalf may be a bridge too far at this point (I'm sure you'd be capable, but perhaps unrealistic until you have some more experience with and understanding of LXC/LXD).

Having said that, if you do wish to pursue LXD images, then please be my guest. But I doubt I'll be able to provide much assistance.
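
An added example, not part of the thread or of TurnKey's own code: the preseed files shown above hold passwords in plain text, so this sketch writes the Fileserver preseed with owner-only permissions and a random APP_PASS, and audits an existing file for the placeholder passwords used in the examples. The function names (gen_pass, write_preseed, audit_preseed) and the specific checks are assumptions for illustration; only the variable names come from the posts above.

```shell
#!/bin/sh
# Added example: create and audit a TurnKey inithooks preseed file.
# Variable names (APP_PASS, HUB_APIKEY, SEC_ALERTS, SEC_UPDATES) come from the
# thread; the function names and checks are assumptions made for illustration.

# 18 bytes (144 bits) from the kernel CSPRNG, hex-encoded: 36 shell-safe chars.
gen_pass() {
    od -An -N18 -tx1 /dev/urandom | tr -d ' \n'
}

# write_preseed FILE PASSWORD
# Runs in a subshell with umask 077 so the file is never readable by others.
# Any existing file is removed first, because a redirect keeps the old mode.
write_preseed() (
    umask 077
    rm -f "$1"
    {
        printf 'export APP_PASS=%s\n' "$2"
        printf 'export HUB_APIKEY=SKIP\n'
        printf 'export SEC_ALERTS=SKIP\n'
        printf 'export SEC_UPDATES=FORCE\n'
    } > "$1"
)

# audit_preseed FILE
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_preseed() {
    f=$1
    findings=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: $f is accessible to group/other ($perms)"
        findings=$((findings + 1))
    fi
    # Placeholder passwords that appear verbatim in the thread's examples.
    if grep -Eq '^export [A-Z_]*PASS=(secretrootpass|secretmysqlpass|secretadminwppass|secret_samba_root_pass)$' "$f"; then
        echo "PLACEHOLDER: $f still contains an example password"
        findings=$((findings + 1))
    fi
    # Per the thread, Fileserver on LXC needs APP_PASS for the Samba root user.
    if ! grep -Eq '^export APP_PASS=.+' "$f"; then
        echo "UNSET: APP_PASS is empty or missing"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo on constructed files in a throwaway directory (not /root).
demo() {
    d=$(mktemp -d)
    # Constructed "before" file: an example value from the thread, default umask.
    ( umask 022
      printf 'export APP_PASS=secret_samba_root_pass\n' > "$d/weak.conf" )
    audit_preseed "$d/weak.conf" || echo "weak.conf: needs fixing"
    write_preseed "$d/fserver.inithooks.conf" "$(gen_pass)"
    audit_preseed "$d/fserver.inithooks.conf" && echo "fserver.inithooks.conf: clean"
    rm -rf "$d"
}
demo
```

On the LXC host the generated file would be passed to lxc-create with -i, exactly as in the commands above.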

Cyberben's picture

Thank you for your help. I think I understand how to make lxc-create create the appliance I want.

I have gotten the lxc-create command to create a fileserver and have started it.

I was able to do the same for a test opencart appliance.

However, after starting them I get a message it is not connected.

When I lxc-console to them from the LXC host, the access is root/enter(no password), seems useless and logs off with every command attempt, making you type root/enter(no password) over and over again.

So the objective is network & administration

New hurdles but I'm happy for now; with your help I can now load the appliance at least!

 

 

Cyberben's picture

Ok so all the turnkey appliances have "turnkey-appliancenames"

example:
debian-9-turnkey-opencart_15.0-1_amd64.tar.gz

The complete release list is here: https://releases.turnkeylinux.org/
in respective folders, reflecting appliance name like:
turnkey-fileserver or turnkey-opencart

Create by calling your created inithook file (opencartserver) and appliance name.

lxc-create -n opencartserver -f /etc/lxc/bridged.conf -t turnkey -- opencart -i /root/opencartserver.inithooks.conf

Start it:

lxc-start -n my-opencartserver

Get a shell inside it with:

lxc-attach -n opencartserver 

Cool! Now for connection! Thank you so much!

ip address command

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
Cyberben's picture

*See above

lxc-start -n my-opencartserver

is really

lxc-start -n opencartserver
Jeremy Davis's picture

It should have another interface (besides the loopback). TBH, I don't understand why it's not getting one?! I wonder if it's something to do with the way you have VMware networking set up?!

It sounds like I'll have to launch an LXC host appliance myself and double check whether it "just works" as it should... Unfortunately, I'm a bit snowed under ATM but hopefully will get a chance shortly.

FWIW I use our LXC templates (i.e. LXC guests) quite regularly. Although, I run Proxmox as my host because it provides both LXC and KVM (i.e. "proper" VMs like VMware or VirtualBox). Most things run well as LXC, but some things are better as a full VM (e.g. TKLDev).

Actually here's an LXC container I have running locally (Gitea):

ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
8: eth0@if9:  mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 7a:f3:30:51:e5:21 brd ff:ff:ff:ff:ff:ff link-netnsid 0
Cyberben's picture

Using VM Workstation Pro 12

I have loaded the single appliances using respective .iso or VMDK successfully so I will continue that way for now. The LXC appliance however is not working in my instance and I'm sure it's due to all sorts of novice variables.

I have working opencart and torrent stand alone appliances loaded from a vmdk and .iso

 

Here's some results-

root@lxc ~# cat > /root/wp.inithooks.conf <<EOF
> export ROOT_PASS=secretrootpass
> export DB_PASS=secretmysqlpass
> export APP_PASS=secretadminwppass
> export APP_EMAIL=admin@example.com
> export APP_DOMAIN=www.example.com
> export HUB_APIKEY=SKIP
> export SEC_ALERTS=SKIP
> export SEC_UPDATES=FORCE
> EOF

root@lxc ~# lxc-create -n wp1 -f /etc/lxc/bridged.conf -t turnkey -- wordpress -i /root/wp.inithooks.conf

root@lxc ~# lxc-start -n wp1
Container wp1 not connected:

root@lxc ~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:c4:18:6b brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0c:29:c4:18:6b brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.240/24 brd 192.168.2.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec4:186b/64 scope link
       valid_lft forever preferred_lft forever
4: natbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether d2:e4:78:9a:54:0d brd ff:ff:ff:ff:ff:ff
    inet 192.168.121.1/24 brd 192.168.121.255 scope global natbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::d0e4:78ff:fe9a:540d/64 scope link
       valid_lft forever preferred_lft forever

lxc-attach -n wp1

root@wp1 ~# turnkey-init

The Init Process happens but returns

error: No network adapters detected
root@wp1 ~#

 

Thanks for hanging out with me!

 

Take care!

 

 

Cyberben's picture

Is there any tutorial you can suggest that can help me understand what is going on...

I've got this on a VMware and when I create a container it says there is no interface on the container.

What the heck am I doing wrong? Everyone else seems to have success....

I'm sick!

 

Cyberben's picture

Ok we're back,

Video: Linux Containers (LXC) Networking Deep Dive - Video 003a - LXC veth Adapters w/Bridge Int. (br0)

Using some of the things this gentleman did pertaining to bridging the networks helped me get it going.

I read and tried so much and could not see if it worked that day. This morning I noticed the "FILESERVER" on my network and realized I had a running, connected LXC appliance.

 

I just have to go back and record what worked.

Thanks!

Jeremy Davis's picture

Thanks for your feedback, although I must admit that considering the time and effort that I personally plough into TurnKey, I do think that your comments are a bit harsh!

We certainly DO NOT try to scare away noobs on purpose! And if you would like to elaborate on what you think has been "hidden" I'd be more than happy to try to "shine a light"!

FWIW all the build code for our appliance is available to look through on GitHub and if you are struggling to understand it and/or have questions regarding it, please sign up for a website user account and start a new thread (only logged in users can start a new thread). Please ask for whatever info you are missing and I'll be more than happy to try to answer any questions you may have!

In case you missed it, the main reason that there isn't much more general info (beyond the very basics) is because TurnKey is Debian under the hood (just "a better starting point" than default Debian). So anything you read that is relevant to Debian should generally be relevant to TurnKey. If you are unsure, then just ask!

I wish that I had more time to create better documentation and I'm sure that there is plenty of "curse of knowledge" gaps in our existing docs. But it's certainly not with any bad intention! Our whole mission is to try to make headless Linux servers specifically and open source software in general more accessible to noobs! So as I say, if you have questions, please ask and I will do my best to answer your questions... Having said that, as I've noted above, I'm not particularly familiar with the LXC appliance itself (personally I use Proxmox which includes both KVM and LXC already). I'd like to get more familiar with it, but I'm so busy with other stuff... (Like trying to help users like you!)

So please clarify what you see missing, add some detail on the specifics of what we could be doing better and I'll be more than happy to do that! Having said that, if you're a real Linux noob, then I'm sure sure that starting with the LXC appliance is a good place to start! :) Perhaps try with something a bit more basic first! And/or do some more reading and research on Linux networking...

Also, if you need a hand, I would urge you to start your own thread and spell out how you've set it up so far and exactly what issue you're hitting. I say that as perhaps there is something specific to your environment that is causing an issue here (e.g. if you are running in a VM that is configured with NAT networking, then you'll have issues bridging...). Obviously cross posting here (to get CyberBen's attention) is totally legitimate, but it's probably better to start your own thread if you need support (and post a link here).

Jeremy Davis's picture

All good. I'm sorry if I was a bit sensitive. I guess that because I put so much of myself into TurnKey and work so hard for so little monetary return, I can be a bit quick to take any criticism a bit personally. But I actually do appreciate constructive criticism because it assists us to get a different perspective.

I don't know a lot about dyslexia and personally find the commandline much better than trying to find my way around a UI. So if my attitude came across as a bit elitist or something...

FWIW, it's not your fault and your fault alone! We provide TurnKey, at least in part, as an effort to lower the bar to using "headless Linux servers", to make it more accessible to a greater degree of society. So you are EXACTLY our target market (or at least part of...). Ideally we'd like to also be useful to general users too, and even for developers.

Thanks for elaborating on your issue with the wp1 example.

FWIW, I hope to have a closer look at the LXC appliance at some point as we're currently updating appliances.

Bottom line though, no harm done and we're all good. Apologies again if I was a bit sensitive...

Cyberben's picture

Sorry I didn't see this guys.

I was so confused when I started this thread that a lot of it is not usable until after the visible fit I had. I will do a guide soon extracting the good bits........

I hope you got past container creation,

Here is the link to the post about my solution.

TurnKey LXC - Containers not connected - Solved

I had used Vmware before but knew nothing about LXC. It took me a week to wrap my head around it.

After you get the hang of it you will be cool.

My box is a physical one now running TK LXC for wordpress and fileserv. It's great!

Jeremy Davis's picture

No problem at all. Thanks for coming back with the link. I forgot that you had posted back with your roundup.... Doh! :)
