Nethserver on ProxMox LXC

Hello all,

As an experiment, last night I went about installing Nehtserver in a Centos 7 lxc container on proxmox 6.3 latest. After hitting a wall for a bit, I have it running and doing basic firewall, ad blocking and such. The stickiest bit was immediately after running:
yum install -y http://mirror.nethserver.org/nethserver/nethserver-release-7.rpm
nethserver-install
I would lose access to both of the VMBR I had assigned to this Centos container in proxmox. They were confirmed working and pulling updates from the internet via the centos terminal prior to that last command. After that last command, Centos7 lost access and I could not connect to the nethserver web interface either.

The fix for me was found at the end of the page linked below:
https://wiki.nethserver.org/doku.php?id=virtual_network_interface
/sbin/e-smith/db networks set dummy0 ethernet ipaddr 192.168.10.2 netmask 255.255.255.0 role green && /sbin/e-smith/db networks setprop eth0 role red && /sbin/e-smith/signal-event interface-update

I had two virtual nics so I did not set up a dummy nic as the webpage described, but used both eth1 and eth2 instead:
/sbin/e-smith/db networks set eth1 ethernet ipaddr 192.168.10.2 netmask 255.255.255.0 role green && /sbin/e-smith/db networks setprop eth0 role red && /sbin/e-smith/signal-event interface-update

after that I was able to connect to the web interface at https://192.168.10.2:9090 and complete the configuration. Basic functions, except Chronyd, all seem to work well. My proxmox server uses NTP to set its time and the LXC gets its RTC from proxmox, so I just left time to manual. Runs nicely and only utilizes around 300 MiB of additional memory with an install size of 2.5 GiB on hardrive.

Now finally to my question, I wanted to add another interface to Nethserver so I added one to the LXC via proxmox. Centos7 sees it (ip a, ifconfig verified), but I can’t figure out why nethserver does not. Any clues and where to start or look.

NethServer Version: 7.9
Module: your_module

I don’t know if LXC network adapters are automatically binded to network card detection on NethServer.
I know that EXSi it’s not the same as LXC via Proxmox, but if I add a network card on the guest, i find it immediately on the network dashboard of NethServer.

So… two questions:

  • which is the network driver used by CentOS?
  • which kind of segment/zone are you adding to your NethServer install?

@vesalius

Hi

Is the LXC Container used set up as an “unpriviledged container” in Proxmox?
If unpriviledged is set, you WILL have difficulties.

AFAIK, this can not be changed after installation of LXC VM…
-> Features like NFS/SMB/Nesting also needs to be set right from the beginning.

@pike

In VMWare ESXi, as well as in Proxmox (using KVM) both systems are using “Full Virtualization” and both will display the NIC right away in NethServer.

Using LXC has a few BIG Gotchas: The first one Harold managed to overcome.
Adding NICs is another one,
and the next BIG issue would be adding in an AD Account Provider.

NethServer’s AD is a Jail/Container running in NethServer. The virtual NIC Bridge used by the AD is the BIG issue here…

I tried this 1 and 2 years ago, and ran into a wall here. YMMV.

Good Luck, and give Feedback if and how it works!

My 2 cents
Andy

1 Like

Thanks for the quick replies.

@pike Centos7, via ‘ethtool -i eth2’, reports driver: veth, version: 1.0, for all three interfaces. I intend it to be another red connection but never get to the point where Nethserver acknowledges the new Nics presence. My initial red/wan connection is working fine.

@Andy_Wismer Unpriviledged was the default yes, so that’s something and I had not checked the other features either. Thanks for the heads up on AD, not sure that will be required for my setup but always better to know ahead of time just in case. OK, will likely redo the container as you suggested and see where that gets me.

The other idea I had was to add the 3rd or even 4th nic with the beginning command that allows me access to the Web UI, that way I don’t have to go back and figure it out later.

/sbin/e-smith/db networks set eth1 ethernet ipaddr 192.168.10.2 netmask 255.255.255.0 role green && /sbin/e-smith/db networks setprop eth2 role red && /sbin/e-smith/db networks setprop eth0 role red && /sbin/e-smith/signal-event interface-update

I did try reusing that command in the terminal to force nethserver to see the new nic after install, but no luck there.
/sbin/e-smith/db networks setprop eth2 role red && /sbin/e-smith/signal-event interface-update

Thanks again all.

@vesalius

Thanks for your additional infos…

A small tip:

When following an example, make sure YOU define your network, not an example you copied from the web creates and defines your Network!

This is the 5th time this week I’m confronted with a “hosted” server that followed the NethServer instruction about a virtual NIC - to the letter or better, to the IP. All these 5 NethServers are using the same IP as in the example… :slight_smile:

Same goes for OpenVPN specific networks, most don’t bother to define their own network, and use 10.10.0.0/24. As I use a lot of networks, I create all OpenVPN networks to reflect the 3 Octet in the target LAN, and using 10.99.x.x as a signal: OpenVPN Network here!

Example:

My Home LAN: 192.168.31.0/24.
The OpenVPN Network to connect home uses: 10.99.31.0/24.

I can identify my OpenVPNs by name or Network IP… :slight_smile:

My 2 cents
Andy

PS: I’ve been building and defining networks for the past 25 years, I’m not used to throwing a dice to create a network number for me… :slight_smile:

Yes sir. IP/subnet and Nic names were changed to what I wanted and not just copied from the webpage.

I have WireGuard running on a alpine linux VM, to decreases resources while increasing speed. I hope Nethserver makes this an option in the near future. Next project, once I get this working is to set up an alpine-lxc to run wireguard. All on my home network and running in parallel to a production network my family uses, so really just play time to see how low I can drop the required resources to run all this and remain in a virtualized environment. Proxmox makes this sort of stuff a lot easier to mess with through trial an error.

1 Like

@vesalius

Proxmox is a fantastic Lab-Tool. Firing up a VM or any Linux just for a test. Especially using LXC and Templates, it’s soooo incredibly fast!

My Home Proxmox - and my LAB Proxmox are identical, but older (9 years old) HP Proliants ML110 G6 with each 16 GB RAM (maxed out). But both still serve their purpose. Newer hardware planned for end of year… :slight_smile:

I’m using OPNsense as firewall ( A PCengines hardware), but also as VM in Proxmox for Testing. OPNsense comes with WireGuard, just as an info… :slight_smile:

https://www.pcengines.ch/newshop.php?c=4
I’m using the apu4d4 (Quad core CPU, 4 GB RAM, 4 Intel NICs), with a 120 GB mSSD, for about 155$ all together.

Low power, no moving parts (noise), and the big advantage is I have Internet when I’m reinstalling my Proxmox (or whatever)!

My 2 cents
Andy

A virtual LAN (vLAN99) passes Internet from a different subnet to my LAB OPNsense Firewall…

Nice setup. Moving toward 3 to 4 cheap quiet 10g machines and then Proxmox HA with ceph and zfs. Want to try and make the router/firewall a low resource HA LXC/VM which is why nethserver has my attention. Do not need to do any of that, but it’s my indoor hobby while stuck at home so much these days like almost everyone else.

I use cheap used enterprise L3 switches from Brocade ICX6450 and 6610 with Ruckus unleashed AP r710 powered by POE as the backbone and pfSense as my edge router currently. Segregated IOT, guest, gaming and work Vlans with QOS. I also utilize a Transit Vlan5 for all the VLANs I want to inter-vlan routing at wire speed on the switch. Is the OPNsense wireguard implementation a package and userspace or at the kernel level? I was of the understanding that it would not be built into the kernel until freeBSd 13, but obviously do not know. Alpine linux is so incredibly small and I am currently enamored. A full install alpine-vm uses 100 MiB while an alpine-LXC uses 2-5 MiB of ram.

@vesalius

In OPNsense, Wireguard is still a package (userspace, AFAIK). But still, one click and you’re good.
And all configuration in a sleek GUI.
Cool features, like config backup via API (A one liner in NethServer!), a partial restore from backup (eg only DHCP stuff) and a fast menu search are what comes to mind right away.

I plan to switch to CEPH / PBS (Proxmox Backup Server) on my new hardware, end of year. Now is still planning and building VMs/LXCs… It’s also my hobby - and job! :slight_smile:

Andy

PS: If I may ask, where are you located?
I’m in nothern Switzerland, right on the border to Constance, in Germany.

I’m also running Home Assistant on a Proxmox VM (And on a Raspberry for testing).

Texas, USA.

All hobby, although network redundancy is big for me working from home in the medical field and needing hours of instantaneous reliable access to acute cases and imaging. All planning and trialing now for me as well.

I went with homebridge on an Ubuntu LXC, which takes up more resources than a full alpine VM ;), to match up with my largely HomeKit smart home. Also ran on raspberry’s previously but intrigued with a Proxmox HA setup so moved it. Wonderful to make your acquaintance. I would have been an IT guy that does landscaping in another life!

1 Like

Thurgau/Switzerland greets Texas!
(Thurgau is the “state” in Switzerland I live in, we call it a “Canton”)

And just today I had to deal with DICOM stuff… :slight_smile: Small world!

One of my IT clients runs a “Arthros Center”, he’s a specialist in that kind of stuff, elderly and the sporty are their main clients, as you can imagine.
They’re also equipped with Proxmox, NethServer and OPNsense. The UPS is managed by a dedicated Raspberry, running NUT as server. The PACS is a Mac running Horos. All data, especially the DICOM / PACS stuff are synched to 3 sites, one of them his home… :slight_smile:

It’s off hours, so that’s what the orange boxes mean…

No doc likes to lose the PACS data… :slight_smile:

My 2 cents
Andy

PS: Try Home Assistant, I have a feeling you might very much like it.
It integrates well with iOS and Android, auto recognizes a lot of IOT devices - and runs very well as a small VM in Proxmox. I’m using a 30 GB VM Disk, 4 cores and 4 GB RAM, although most times it only uses 1-2…

The right thing to play with on a weekend! :slight_smile:

2 Likes

@vesalius

This looks really cool:

Andy

OK the command I used to add multiple interfaces to the Proxmox LXC was:

/sbin/e-smith/db networks set eno2 ethernet ipaddr 192.168.10.30 netmask 255.255.255.0 role green && /sbin/e-smith/db networks set eno1 ethernet ipaddr 10.10.50.6 netmask 255.255.255.0 role green && /sbin/e-smith/db networks set eno3 ethernet ipaddr 192.168.1.1 netmask 255.255.255.0 role green && /sbin/e-smith/db networks setprop eno0 role red && /sbin/e-smith/signal-event interface-update

Have 4 up and running now. Probably could get more specific in the command, but once available in the web gui I can do what I want with them. As far as I can tell you can use as many SET commands as needed for interfaces, but only 1 SETPROP.

@Andy_Wismer I will for sure check it out, but about to go on shift so I have to stop all this fun stuff for 12 hours or so.

1 Like

Oh and so far it works from both the Unpriviledged yes and Unpriviledged No LXC I have setup to compare.

1 Like

If I would need a full OS, I’d choose a VM instead of an LXC. If it were a single service, then an LXC is probably a lot quicker set up and takes less resources.

@robb

If I need a fully blown hardware, I’d choose hardware! I can choose the GPU and whatever. Even down to the bluetooth version.

But being honest - I don’t see ANY need for this stuff on a virtualized server!
If it will run in a LXC, I’ll use a LXC, simply because it uses less overhead than a VM.
15-20% full a full VM, vs 1-2% for a LXC?
No chance a VM can come close!

But not everything will / can run in a LXC container… And I like my Neth as a VM, even if it’s just because the integrated AD works without issues!

For my personal use, I setup a Debian 10 with Mate Desktop, I use Mate as it works very well with RDP, which is what I’m using to access it. And it’s a LXC.
I also have a Win10 as a VM, also for RDP access.
Both have 8 GB RAM allocated, in case I run applications which need more.
But normally, the Win10 is eating 90-94% of allocated RAM, wheras the Debian is using 5-8% of the same amount of allocated RAM…

My 2 cents
Andy

@robb No doubt that a VM or even better as @Andy_Wismer stated, bare metal are the easier and obvious options. This was more about can I do this, than something that had to happen to power my network today or even next week. Everything including threat shield, IPS and fail2ban working over my short trial. still only using 300 MiB with everything up. Have to see if the VLans i create on each interface work and connect as expected.

@Andy_Wismer FYI, in case this helps you in the future I happened to see that you can change a LXC from privileged to unprivileged and vice versa. Not via GUI though.

It is possible to convert an existing CT into an unprivileged CT by doing a backup, then a restore on console:

pct restore 1234 var/lib/vz/dump/vzdump-lxc-1234-2016_03_02-02_31_03.tar.gz -ignore-unpack-errors 1 -unprivileged

2 Likes

@vesalius

With a Backup / Restore you can almost recreate the world!
But not via GUI, not with a simple config modif or a command like NethServers e-smith SETPROP…

It’s also the easiest way to convert from raw to qcow2 or vica versa…

I know!

:wink:

My 2 cents
Andy

Took a while, but starting messing around with the LXC script version of whiskerz007. May need to use some zwave devices and trialing HA to tie those back into HomeKit. Thanks for the suggestion.

@vesalius

Hi

I just recently added my Aeotec Gen5 zWave USB Stick to my HomeAssistant installation.
Just had to pass thru the right USB, my first go I hit the wrong one! :slight_smile:

There were 2 USB devices, the second one worked right from the outset. :slight_smile:

Homekit integration seems to work quite well with HA. YMMV.

My 2 cents
Andy

1 Like