В данном руководстве будет рассмотрена настройка выделенного сервера с виртуализацией на основе OpenVZ.
Доступ к контейнерам извне будет возможен посредством OpenVPN
Итак:
ОС — Centos 6.7, IP сервера — 1.2.3.4, внутренняя сеть 10.55.0.0/24
Установка
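# Add the OpenVZ yum repository, trust its package-signing key, then install the OpenVZ kernel.
wget -P /etc/yum.repos.d/ https://ftp.openvz.org/openvz.repo
# Import the repository GPG key so yum can verify the signatures of packages from this repo.
rpm --import https://ftp.openvz.org/RPM-GPG-Key-OpenVZ
# The OpenVZ-patched kernel. (The original listing reads "vzkernel1"; the trailing "1" is a
# gutter artifact of the page, the package name is vzkernel.)
yum install vzkernel
# NOTE(review): the guide never shows a reboot into the new kernel; check that `uname -r`
# reports the vzkernel before running the vzctl steps below — TODO confirm.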
/etc/sysctl.conf
# /etc/sysctl.conf on the hardware node.
# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
# NOTE(review): a value of 1 enables every sysrq function (including reboot/crash) from the
# console; on a shared node a restrictive bitmask is the usual hardening choice.
kernel.sysrq = 1

# We do not want all our interfaces to send redirects
# NOTE(review): "default" stays at 1 while "all" is 0. Per the kernel sysctl docs,
# send_redirects is enabled on an interface if either conf/all or the interface's own value is
# 1, so interfaces that inherited default=1 will still send redirects; set default to 0 as
# well if the comment above states the real intent — confirm.
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
vim /etc/modprobe.d/openvz.conf
# /etc/modprobe.d/openvz.conf
# The "disable_ve0" knob is set to 0, i.e. connection tracking stays active in the hardware
# node (VE0). The node's iptables rules later in the guide use -m state and the nat table,
# which presumably depend on it — confirm against the module's parameter documentation.
options nf_conntrack ip_conntrack_disable_ve0=0
SELinux
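# The guide disables SELinux on the hardware node (the OpenVZ installation notes call for it —
# confirm for your kernel). The original `echo ... > /etc/sysconfig/selinux` truncates the
# whole file, which also throws away the SELINUXTYPE= line; editing the existing value in
# place keeps the rest of the file intact.
# On CentOS /etc/sysconfig/selinux is a symlink to /etc/selinux/config, and `sed -i` would
# replace the symlink with a regular file, so the target file is edited directly.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# The new value takes effect at the next boot (the node has to reboot into vzkernel anyway).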
# OpenVZ userspace: vzctl is used throughout the guide; vzquota and ploop are not exercised
# here explicitly (their names suggest disk quota and the ploop disk backend).
yum install vzctl vzquota ploop
iptables
# Replace firewalld with the classic iptables service so that `service iptables save`
# (used in the next listing) can persist the rules.
yum install iptables-services -y
# Mask first so nothing re-activates firewalld, then stop it.
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
# Flushes every rule in the filter table of the live node — presumably acceptable here only
# because the next listing sets explicit ACCEPT policies anyway.
iptables --flush
# NOTE(review): systemctl/firewalld are CentOS 7 tooling, while the intro states a CentOS 6.7
# node — confirm the host release (on 6.x the equivalents are service/chkconfig).
# Hardware-node firewall/NAT: reset every table to a known state before adding rules.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# NOTE(review): with all three policies ACCEPT nothing below actually filters; the SSH and
# FORWARD ACCEPT rules are no-ops unless the policies are later switched to DROP.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# NOTE(review): 10.33.0.0/24 matches neither the container network (10.55.55.0/24) nor the
# VPN pool (10.55.0.0/24) used elsewhere in the guide — probably a typo for one of them; confirm.
iptables -A FORWARD -s 10.33.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.33.0.0/24 -j ACCEPT
# Publish the OpenVPN container (CTID 199) on the public IP: inbound UDP/2295 is DNATed to it
# and its replies are SNATed back to the public address, keeping the source port.
iptables -t nat -A PREROUTING --dst 1.2.3.4 -p udp --dport 2295 -j DNAT --to-destination 10.55.55.199:2295
iptables -t nat -A POSTROUTING -p udp -m udp -s 10.55.55.199 --sport 2295 -j SNAT --to-source 1.2.3.4:2295
# Publish HTTP/HTTPS to the web container.
# NOTE(review): these rules target 10.55.55.203, but the web container created below (CTID 220)
# gets 10.55.55.220 and no container uses .203 — TODO confirm which address is right.
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -i eth0 -j DNAT --to-destination 10.55.55.203:80
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 443 -i eth0 -j DNAT --to-destination 10.55.55.203:443
# Outbound traffic from the containers leaves through the node's public address.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Persist the ruleset via iptables-services and reload it.
service iptables save
service iptables restart
Создаём контейнеры
# Four CentOS 7 containers on the 10.55.55.0/24 network, each with public DNS resolvers,
# autostart on boot and its own RAM/swap/disk limits.
# CTID 199: the OpenVPN gateway — the container the node forwards UDP/2295 to.
vzctl create 199 --ostemplate centos-7-x86_64
vzctl set 199 --save --name openvpn \
  --ipadd 10.55.55.199 --hostname openvpn.co \
  --nameserver 8.8.8.8 --nameserver 8.8.4.4 \
  --onboot yes --cpus 1 --ram 512M --swap 1G --diskspace 5G
vzctl start 199
# CTID 210: PostgreSQL (dev). The --name carries a typo ("postgress") that the hostname does
# not; it is the name that later `vzctl <cmd> <name>` invocations must use.
vzctl create 210 --ostemplate centos-7-x86_64
vzctl set 210 --save --name postgress.dev --ipadd 10.55.55.210 \
  --hostname postgres_dev.co \
  --nameserver 8.8.8.8 --nameserver 8.8.4.4 \
  --onboot yes --ram 8G --swap 8G --diskspace 10G
vzctl start 210
# CTID 211: MySQL (dev).
vzctl create 211 --ostemplate centos-7-x86_64
vzctl set 211 --save --name mysql.dev --ipadd 10.55.55.211 \
  --hostname mysql_dev.co \
  --nameserver 8.8.8.8 --nameserver 8.8.4.4 \
  --onboot yes --ram 8G --swap 8G --diskspace 10G
vzctl start 211
# CTID 220: web (dev). Note the node's 80/443 DNAT rules point at .203, not this .220 address.
vzctl create 220 --ostemplate centos-7-x86_64
vzctl set 220 --save --name web.dev --ipadd 10.55.55.220 \
  --hostname web.co \
  --nameserver 8.8.8.8 --nameserver 8.8.4.4 \
  --onboot yes --ram 4G --swap 4G --diskspace 10G
vzctl start 220
vzlist
CTID      NPROC STATUS    IP_ADDR         HOSTNAME
199          21 running   10.55.55.199    openvpn.co
210          21 running   10.55.55.210    postgres_dev.co
211          21 running   10.55.55.211    mysql_dev.co
220          21 running   10.55.55.220    web.co
OpenVPN
# Open a root shell inside the OpenVPN container; the following checks run there
# (the prompt below reads root@openvpn).
vzctl enter 199
Проверяем наличие устройства tun:
[root@openvpn /]# file /dev/net/tun
/dev/net/tun: cannot open (No such file or directory)
Если поддержки нет, выходим из контейнера (ctrl + d)
# Run on the hardware node. Grant the container the tun character device (major 10,
# minor 200 — the same numbers the mknod below uses) and the NET_ADMIN capability, then
# create the device node inside the container.
vzctl set 199 --devices c:10:200:rw --save
# The stop/start around --capability suggests the change only applies at container start.
vzctl stop 199
# NOTE(review): NET_ADMIN lets root in the container reconfigure its own network stack
# (needed for tun); it is the broadest grant in this guide, so only the VPN container gets it.
vzctl set 199 --capability net_admin:on --save
vzctl start 199
vzctl exec 199 mkdir -p /dev/net
vzctl exec 199 mknod /dev/net/tun c 10 200
# Owner-only access to the device node.
vzctl exec 199 chmod 600 /dev/net/tun
# Presumably makes vzctl recreate the node on each container start so it survives restarts.
vzctl set 199 --devnodes net/tun:rw --save
vzctl enter 199
Установим репозиторий EPEL
# Inside container 199: enable EPEL first, since openvpn and easy-rsa are installed from it.
yum install epel-release
yum install openvpn easy-rsa
# Repeats the install from the previous listing; a no-op if that step already succeeded.
yum install openvpn easy-rsa
# Start from the sample server config shipped with the package. The path is version-specific
# (2.3.10 here); adjust it to the installed version (see `ls /usr/share/doc/openvpn-*`).
cp /usr/share/doc/openvpn-2.3.10/sample/sample-config-files/server.conf /etc/openvpn/server.conf
vim /etc/openvpn/server.conf
# /etc/openvpn/server.conf — OpenVPN server inside container 199.
# UDP/2295 is the port the node DNATs from 1.2.3.4 to 10.55.55.199.
port 2295
proto udp
dev tun
# PKI material produced by easy-rsa and copied into /etc/openvpn in the next listing;
# paths are relative to /etc/openvpn.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Client address pool 10.55.0.0/24 (distinct from the 10.55.55.0/24 container network).
server 10.55.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Clients get a route to the container network; full-tunnel redirect stays disabled.
push "route 10.55.55.0 255.255.255.0"
#push "redirect-gateway autolocal"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# NOTE(review): compressing TLS-tunnelled traffic enables compression side-channel attacks
# (VORACLE) and newer OpenVPN releases warn against comp-lzo; consider dropping this push and
# the comp-lzo line below. The pushed option is also spelled with an underscore, whereas the
# directive is `comp-lzo` — looks like clients would reject it; confirm.
push "comp_lzo 1"
keepalive 10 120
# Drop root after start-up; per the OpenVPN manual persist-key/persist-tun keep the key and
# tun device usable across restarts once privileges are gone.
user nobody
group nobody
persist-key
persist-tun
comp-lzo
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
# NOTE(review): no `cipher`, `auth` or `tls-auth`/`tls-crypt` directive is set, so the 2.3
# defaults (BF-CBC, SHA1, no control-channel HMAC) apply — confirm, and pin stronger values
# on both server and clients.
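# Build the PKI with easy-rsa 2.0 (copied out of /usr/share so the key store lives under
# /etc/openvpn) and install the server-side material.
mkdir -p /etc/openvpn/easy-rsa/keys
cp -r /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
# Set the KEY_COUNTRY/KEY_PROVINCE/KEY_CITY/KEY_ORG/KEY_EMAIL defaults; `source ./vars` reads them.
vim /etc/openvpn/easy-rsa/vars
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all    # first run only: wipes the keys directory, never re-run on a live PKI
# CA, server certificate, DH parameters and one client certificate.
./build-ca
ls -la /etc/openvpn/easy-rsa/keys
./build-key-server server
./build-dh
./build-key client_name
ls -l /etc/openvpn/easy-rsa/keys
cd keys/
# ca.key deliberately stays in the keys directory; the server does not need it.
# A client needs ca.crt plus client_name.crt/.key (distribution is not covered by the guide).
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
# server.key is read as root before `user nobody` takes effect, so owner-only access suffices;
# cp does not guarantee the resulting mode, hence the explicit chmod (added).
chmod 600 /etc/openvpn/server.key
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service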
iptables
# Same firewalld → iptables-services swap as on the node, now inside container 199, so the
# container's rules can be persisted with `service iptables save`.
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
# Flushes the filter table; the next listing resets everything and sets policies explicitly.
iptables --flush
# Container 199: firewall and NAT for VPN clients (10.55.0.0/24) toward the container network.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# NOTE(review): ACCEPT policies make the INPUT and FORWARD ACCEPT rules below redundant;
# they only become meaningful if the policies are switched to DROP.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# New VPN sessions arrive on the container's venet interface.
iptables -A INPUT -i venet0 -m state --state NEW -p udp --dport 2295 -j ACCEPT
# VPN clients reach the containers with the gateway's own venet address as source.
iptables -t nat -A POSTROUTING -s 10.55.0.0/24 -o venet0 -j MASQUERADE
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -s 10.55.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.55.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): for packets leaving via venet0 the MASQUERADE rule above already matched, so
# this SNAT only applies to other output interfaces — probably redundant; confirm.
iptables -t nat -A POSTROUTING -s 10.55.0.0/24 -j SNAT --to-source 10.55.55.199
service iptables save
service iptables restart
# Start the service after the firewall change (a no-op if it is already running from the
# easy-rsa step) and show its status with full, untruncated log lines (-l).
systemctl start openvpn@server.service
systemctl -l status openvpn@server.service
Вуаля…