HowTo install Nethserver 7.9 as a LXC-Container on Proxmox 6.3-6 - Draft

This HowTo should be the base to be able to create a Nethserver LXC Template for Proxmox. You need a running DHCP-Server in your LAN.

Please test it and give us feedback to improve it…

Create the LXC-Container:

Install Nethserver with:

# Update the system:
yum --enablerepo='*' clean all && yum update -y

# Optional Install nano and nmap:
yum install nano nmap -y

# Enable NethServer software repositories with this command:
yum install -y http://mirror.nethserver.org/nethserver/nethserver-release-7.rpm

# To install the base system, run:
nethserver-install

# Reboot:
reboot

# Setup eth0:
db networks set eth0 ethernet role green
signal-event interface-update

# Reboot again:
reboot
4 Likes

Hi, I tried and it works. The only problem is the chronyd service not starting for permission reasons, despite the container being unprivileged. Have you encountered the same problem?

It looks like chronyd is not installed:

This is my first contact with LXC, do you have experience with it?

I would like to know what are the differences of LXC and KVM Nethserver-Installations…

Strange, on first install in LXC it reports an error for chronyd. This is a limitation that I have always encountered in containers or the permission denied to time management. However I used neth7 as a VM with VirtualBox for 2 years and then migrated to a Proxmox cluster for 1 year. I found LXC interesting as it is very fast but unfortunately for some limited functions.

1 Like

LXC uses the kernel of the host, probably for shorewall you could have some issue I bet. KVM is an isolated host and inside you can install whatever compatible x_64 distro with your processor (even if with qemu you can install some ARM distro).

Yes indeed, very fast but unfortunately I found limitations in the management of time and ssh on lxc linux credited on AD nethserver and login user domain. To keep it simple, linux lxc join on AD nethserver but if you try to ssh login with user @ at nothing to do, permission denied errors appear!

You mean, ATM, Nethserver LXC-Containers are not production ready or just with limitations…?

As written before, I found some obvious limitations on LXC on proxmox, installing Neth7 as a VM no problems whatsoever and no limitations.

1 Like

OT sorry @fausp is your pfsense a real virtualized firewall :-?

Or it is just for fun

Does it make sense, for the community, to bring it to a production-ready level?

Sorry for the English, I understand dprefer whether nethserver is worth installing for production in LXC?

1 Like

Hi

To allow external connections to an LXC, you must disable “unprivileged Container” and enable some “Features”.
And running as AD, you NEED external connections! How else is a client supposed to do auth on the NethServer when no connections are allowed?
Also: Turn off the standard Proxmox Firewall (On the virtual NIC) of each VM!

Note: If created as unprivileged, you can’t simply set a “Flag” or execute an “expand-template” as on NethServer to change the “unprivileged” Flag.

Easiest is to do a Backup (Not Snapshot) and Restore (With unprivileged disabled!).
Then you can set features!

My 2 cents
Andy

2 Likes
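
Added example, not part of the thread or of Proxmox's own tooling: the settings discussed in the reply above (the unprivileged flag, container features, and the firewall option on each virtual NIC) live in the container's config on the Proxmox host, and this Python sketch parses a constructed config to report them. The sample config, the helper names and the treatment of a missing `unprivileged` key as privileged are assumptions.

```python
# Added example (not from the thread): summarize the security-relevant
# settings of a Proxmox LXC config in the pct.conf "key: value" format.
# SAMPLE_CONF is constructed; on a host, `pct config <vmid>` prints this text.
SAMPLE_CONF = """\
hostname: nethserver-lxc
features: nesting=1,keyctl=1
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=02:00:00:00:00:01,ip=dhcp,type=veth
net1: name=eth1,bridge=vmbr1,hwaddr=02:00:00:00:00:02,ip=dhcp,type=veth
rootfs: local-lvm:vm-101-disk-0,size=16G
"""


def parse_options(value):
    """Split 'a=1,b=2' into a dict; a bare token maps to ''."""
    opts = {}
    for token in value.split(","):
        key, _, val = token.strip().partition("=")
        if key:
            opts[key] = val
    return opts


def audit_container(conf_text):
    """Return privilege mode, enabled features and per-NIC firewall state."""
    conf = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # snapshot sections follow the live config
            break
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    nics = {}
    for key, value in conf.items():
        if key.startswith("net") and key[3:].isdigit():
            opts = parse_options(value)
            nics[opts.get("name", key)] = opts.get("firewall") == "1"
    features = parse_options(conf.get("features", ""))
    return {
        # Assumption: a missing 'unprivileged' key means a privileged container.
        "unprivileged": conf.get("unprivileged", "0") == "1",
        "features": sorted(k for k, v in features.items() if v == "1"),
        "nic_firewall": nics,
    }


if __name__ == "__main__":
    print(audit_container(SAMPLE_CONF))
```

Run against each container's config, the result shows at a glance which containers are privileged, which features they have enabled, and which interfaces have the Proxmox firewall option off.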

Sthepanè the photo is mine, if you refer to the image. If yes my pfsense is not a test it works perfectly with 4 interfaces, vpn captive portal and zabbix client to be monitored. The only limitation is no qemu-guest-agent!

1 Like

OPNsense also works very well as a KVM in Proxmox, also no qemu-guest-agent available.
This is good enough for productive use (eg spare firewall) or even for clustering with CARP.
Very useful for testing / learning / practicing CARP with 2 virtual Firewalls!

Both OPNsense and PFsense fully support VirtIO, so you get nice 10 GBE NICs on your virtualized Firewall! :)
And using a larger, eg 120 GB Disk, allows Squid Proxy to run here!

This OPNsense connects my LAN with two LAB-Networks, OPT1 and OPT2.

2 Likes

Andy were you able to find / install qemu-guest-agent on bsd?

I’ve run all three BSDs on Proxmox, the QEMU Agent is not really necessary.

Read here about the development status:

The guest-agent FreeBSD port is not complete, it does not support fsfreeze/thaw (for consistent backups), so this, the most important feature is missing.
The only advantage you will get, is have the network/ip data shown in PVE - VM summary, if this is worth to compile and run an unstable piece of software in your VM?


sadly there is not more support in development…

Only issues are a non clean shutdown, eg when invoked by UPS…
I use an external Raspberry as NUT server, and also connect my virtual OPNsense to this NUT server, then I have no issues with the UPS.

BSDs Softupdates in the FS prevent corrupt Filesystems very well.

My 2 cents
Andy

1 Like

ok thanks andy, yes it’s true but i noticed that without qemu-guest-agent sometimes the shutdown of the VM is not processed.

Without the QEMU-Guest-Agent, shutdown relies on ACPI, which is very unreliable!

With the QEMU-Guest-Agent, even a heavily loaded Windows Server shuts down very fast and cleanly…

1 Like

I watched a webinar abt OPNsense and they said that it is not possible to reach 10G with VirtIO because FreeBSD drivers…

True, but you CAN get more than the average 1 GBE…

1 Like