OpenVZ-based virtualization + OpenVPN
This guide covers setting up a dedicated server with OpenVZ-based virtualization. Access to the containers from outside will be provided via OpenVPN. So: OS: CentOS 6.7, server IP: 1.2.3.4, internal network: 10.55.0.0/24

Installation
```
wget -P /etc/yum.repos.d/ https://ftp.openvz.org/openvz.repo
rpm --import https://ftp.openvz.org/RPM-GPG-Key-OpenVZ
yum install vzkernel
# reboot into the vzkernel before continuing with the steps below
```
/etc/sysctl.conf
```
# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
```
vim /etc/modprobe.d/openvz.conf
```
options nf_conntrack ip_conntrack_disable_ve0=0
```
SELinux
```
# required on an OpenVZ hardware node; takes effect on the next reboot
echo "SELINUX=disabled" > /etc/sysconfig/selinux
```
```
yum install vzctl vzquota ploop
```
iptables
```
# systemctl, firewalld and iptables-services exist on CentOS 7; on the
# CentOS 6.7 host named above use: chkconfig iptables on && service iptables start
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
```
```
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# NB: these two rules reference 10.33.0.0/24, not the 10.55.55.x addresses the
# containers below use; with the FORWARD policy at ACCEPT they change nothing as written
iptables -A FORWARD -s 10.33.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.33.0.0/24 -j ACCEPT

# OpenVPN container: forward UDP 2295 in, and source-NAT its replies back to the public IP
iptables -t nat -A PREROUTING --dst 1.2.3.4 -p udp --dport 2295 -j DNAT --to-destination 10.55.55.199:2295
iptables -t nat -A POSTROUTING -p udp -m udp -s 10.55.55.199 --sport 2295 -j SNAT --to-source 1.2.3.4:2295

# HTTP/HTTPS forwards; note that 10.55.55.203 is not one of the containers
# created below (web.dev is given 10.55.55.220), so adjust the target to match
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -i eth0 -j DNAT --to-destination 10.55.55.203:80
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 443 -i eth0 -j DNAT --to-destination 10.55.55.203:443

# outbound traffic from the containers leaves with the host's public IP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

service iptables save
service iptables restart
```
Creating the containers
```
vzctl create 199 --ostemplate centos-7-x86_64
vzctl set 199 --save --name openvpn \
    --ipadd 10.55.55.199 --hostname openvpn.co \
    --nameserver 8.8.8.8 --nameserver 8.8.4.4 \
    --onboot yes --cpus 1 --ram 512M --swap 1G --diskspace 5G
vzctl start 199

vzctl create 210 --ostemplate centos-7-x86_64
vzctl set 210 --save --name postgress.dev --ipadd 10.55.55.210 \
    --hostname postgres_dev.co \
    --nameserver 8.8.8.8 --nameserver 8.8.4.4 \
    --onboot yes --ram 8G --swap 8G --diskspace 10G
vzctl start 210

vzctl create 211 --ostemplate centos-7-x86_64
vzctl set 211 --save --name mysql.dev --ipadd 10.55.55.211 \
    --hostname mysql_dev.co \
    --nameserver 8.8.8.8 --nameserver 8.8.4.4 \
    --onboot yes --ram 8G --swap 8G --diskspace 10G
vzctl start 211

vzctl create 220 --ostemplate centos-7-x86_64
vzctl set 220 --save --name web.dev --ipadd 10.55.55.220 \
    --hostname web.co \
    --nameserver 8.8.8.8 --nameserver 8.8.4.4 \
    --onboot yes --ram 4G --swap 4G --diskspace 10G
vzctl start 220
```
vzlist
```
CTID NPROC STATUS   IP_ADDR       HOSTNAME
199   21   running  10.55.55.199  openvpn.co
210   21   running  10.55.55.210  postgres_dev.co
211   21   running  10.55.55.211  mysql_dev.co
220   21   running  10.55.55.220  web.co
```
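An added audit script, not part of the original guide, that cross-checks the DNAT forwards from the iptables section against the `vzlist` output: every forward should land on a running container inside the internal network, otherwise the host is exposing a port that goes nowhere or somewhere unintended. The sample inputs are constructed from the rules and listing shown on this page; the network it is checked against is an assumption, chosen as 10.55.55.0/24 because that is where the containers above are addressed.

```python
import ipaddress
import re
# Constructed samples: this guide's NAT rules as `iptables-save -t nat` prints them, and its `vzlist` output.
NAT_RULES = """\
-A PREROUTING -d 1.2.3.4/32 -p udp -m udp --dport 2295 -j DNAT --to-destination 10.55.55.199:2295
-A POSTROUTING -s 10.55.55.199/32 -p udp -m udp --sport 2295 -j SNAT --to-source 1.2.3.4:2295
-A PREROUTING -d 1.2.3.4/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.55.55.203:80
-A PREROUTING -d 1.2.3.4/32 -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.55.55.203:443
-A POSTROUTING -o eth0 -j MASQUERADE
"""
VZLIST = """\
CTID NPROC STATUS   IP_ADDR       HOSTNAME
199   21   running  10.55.55.199  openvpn.co
210   21   running  10.55.55.210  postgres_dev.co
211   21   running  10.55.55.211  mysql_dev.co
220   21   running  10.55.55.220  web.co
"""

# Only PREROUTING DNAT rules create inbound exposure; SNAT and MASQUERADE lines are ignored.
DNAT_RE = re.compile(r"-A PREROUTING .*-p (\w+) .*--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)")


def parse_containers(vzlist_text):
    """Map container IP -> (CTID, STATUS) from `vzlist` output, skipping the header row."""
    rows = [line.split() for line in vzlist_text.splitlines()[1:]]
    return {r[3]: (r[0], r[2]) for r in rows if len(r) >= 5}


def audit_dnat(rules_text, vzlist_text, internal_net):
    """Return (proto, public_port, target, ctid, verdict) for every DNAT forward."""
    net = ipaddress.ip_network(internal_net)
    containers = parse_containers(vzlist_text)
    findings = []
    for line in rules_text.splitlines():
        m = DNAT_RE.search(line)
        if not m:
            continue
        proto, public_port, target_ip, target_port = m.groups()
        ct = containers.get(target_ip)
        if ipaddress.ip_address(target_ip) not in net:
            verdict = "outside-internal-net"  # forward points off the container network
        elif ct is None:
            verdict = "no-container"          # no container owns this address: dangling forward
        elif ct[1] != "running":
            verdict = "container-stopped"     # forward black-holes until the CT is started
        else:
            verdict = "ok"
        findings.append((proto, int(public_port), f"{target_ip}:{target_port}",
                         ct[0] if ct else None, verdict))
    return findings
# On a live host pass the real text of `iptables-save -t nat` and `vzlist` instead of the samples.
```

Run on this page's own rules, the UDP 2295 forward resolves to container 199 (openvpn.co), while both web forwards come back as no-container: 10.55.55.203 is not assigned to any container created above, web.dev being 10.55.55.220.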
OpenVPN
```
vzctl enter 199
```
Checking for the presence of…