=====================================================
Setup of a new CAcert LXC container with Puppet agent
=====================================================

Preparation
===========

Network considerations
----------------------

- Decide on a hostname for the container. The hostname should be short and
  correspond to the functionality provided by the container.
- Define an IPv4 address from the :ip:v4range:`213.154.225.224/27` subnet if
  the container should be reachable from the outside via IPv4. If the
  container provides HTTP or HTTPS services you will not need a dedicated IP
  address because virtual hosting and SNI can be used via
  :doc:`systems/proxyin`.
- Define an IPv6 address in the :ip:v6range:`2001:7b8:616:162:2::/80` subnet.
  There is no reason not to use IPv6 for new services.
- Define an IPv4 address in the :ip:v4range:`172.16.2.0/24` subnet if the
  container should be reachable from other CAcert machines than
  :doc:`systems/infra02` or other :doc:`systems`.
- Define an IPv4 address in the :ip:v4range:`10.0.0.0/24` subnet. Containers
  that are only used by other containers do not need any other IP addresses
  than this one.

.. note::

   Please use the same last octet for all IP addresses of a container if
   possible.
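
The following check of a planned address set against the subnets and the last-octet convention above is an added example, not part of the CAcert tooling. The role names and the sample plans are made up for illustration, and the last-octet comparison covers IPv4 only because this page does not say how the octet maps onto the IPv6 address.

```python
import ipaddress

# Subnets from the network considerations above; the role names are
# hypothetical and exist only in this example.
SUBNETS = {
    "public_v4": ipaddress.ip_network("213.154.225.224/27"),
    "public_v6": ipaddress.ip_network("2001:7b8:616:162:2::/80"),
    "intranet_v4": ipaddress.ip_network("172.16.2.0/24"),
    "internal_v4": ipaddress.ip_network("10.0.0.0/24"),
}

def check_address_plan(plan):
    """Return a list of problems for a plan mapping role -> address string."""
    problems = []
    if "internal_v4" not in plan:  # the only address every container needs
        problems.append("internal_v4: an address in 10.0.0.0/24 is required")
    last_octets = {}
    for role, text in plan.items():
        net = SUBNETS.get(role)
        if net is None:
            problems.append(f"{role}: unknown role")
            continue
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{role}: {text!r} is not an IP address")
            continue
        if addr.version != net.version or addr not in net:
            problems.append(f"{role}: {addr} is outside {net}")
            continue
        if addr.version == 4:
            if addr in (net.network_address, net.broadcast_address):
                problems.append(f"{role}: {addr} is not a usable host address")
                continue
            last_octets[role] = addr.packed[-1]
    if len(set(last_octets.values())) > 1:
        detail = ", ".join(f"{r}=.{o}" for r, o in sorted(last_octets.items()))
        problems.append(f"last octets differ: {detail}")
    return problems

# Constructed sample plans, not real CAcert assignments.
GOOD_PLAN = {"public_v4": "213.154.225.240", "internal_v4": "10.0.0.240",
             "public_v6": "2001:7b8:616:162:2::240"}
BAD_PLAN = {"public_v4": "213.154.225.200", "intranet_v4": "172.16.2.17",
            "internal_v4": "10.0.0.18"}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_address_plan(plan) or "OK")
```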

Storage considerations
----------------------

- Define the size of the LVM volume for the root filesystem. Be conservative;
  the volume size can be increased on demand.

OS considerations
-----------------

- Define the OS userland version for the container. Use the latest Debian
  stable release if there are no good reasons not to.

Setup
=====

- Define the machine parameters in lxc-setup.ini.
- Run :command:`lxc-setup` (uses lxc-create/debootstrap and makes sure that
  systemd-sysv is not set up in the containers).
- Define firewall rules in a separate file in :file:`/etc/ferm/ferm.d/` on
  :doc:`systems/infra02`.

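Setup puppet-agent
------------------

.. todo:: describe puppet setup

.. code-block:: bash

   # ca-certificates lets wget verify the TLS certificate of the download host
   sudo apt-get install wget ca-certificates
   # fetch the repository release package over HTTPS (IPv4 only, 2 s timeout)
   wget -4 -T 2 https://apt.puppetlabs.com/puppetlabs-release-pc1-jessie.deb
   sudo dpkg -i puppetlabs-release-pc1-jessie.deb
   # refresh the package lists so the newly added repository is known
   sudo apt-get update
   sudo apt-get install puppet-agent

- Define puppet configuration for the new container in Hiera.
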
Post-Setup task
===============

- Document the new container in a file of the :file:`docs/systems` directory of
  the `Infrastructure documentation
  <https://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=tree;f=docs/systems>`_.
- Set up the machine-admin alias on :doc:`systems/email`.