i-MSCP inside a LXC container (Managed by Proxmox 4.x)

  • Howto install i-MSCP inside a LXC container (Debian Jessie) managed by Proxmox 4.x


    I. Creation of the LXC container

    • Connect to proxmox interface
    • Go to local (pve) storage --> templates section and download the debian-8.0-standard LXC template

      • Warning: In the latest Proxmox version, there is a new kind of LXC container called an Unprivileged Container. Be aware that this kind of container doesn't work with the Systemd version provided by Debian Jessie: for that kind of container, Systemd version 220 or greater is required. This is not a problem with the above Debian template because SysVinit is used in place of Systemd, but if you want to switch to Systemd later on, you must be aware of this fact and upgrade your Systemd version using the jessie-backports repository.
      • Note that privileged containers are not considered safe by the Proxmox team.
    • Create a new LXC container. In our case, the initial config of our LXC container looks as follows:


    As you can see, that is an Unprivileged Container.

    II. Adjusting the LXC container configuration to meet i-MSCP requirements

    • From the proxmox host, create a new /etc/apparmor.d/lxc/lxc-imscp apparmor profile for i-MSCP with the following content:


      • Code
        # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
        # will source all profiles under /etc/apparmor.d/lxc
        profile lxc-container-imscp flags=(attach_disconnected,mediate_deleted) {
          #include <abstractions/lxc/container-base>
          mount, remount, umount,
        }
    • Reload apparmor: service apparmor reload
    • If all went well, you should have the new apparmor profile correctly detected:


      • Shell-Script
        root@pve:~# apparmor_status
        apparmor module is loaded.
        6 profiles are loaded.
        6 profiles are in enforce mode.
           /usr/bin/lxc-start
           lxc-container-default
           lxc-container-default-cgns
           lxc-container-default-with-mounting
           lxc-container-default-with-nesting
           lxc-container-imscp
        0 profiles are in complain mode.
        0 processes have profiles defined.
        0 processes are in enforce mode.
        0 processes are in complain mode.
        0 processes are unconfined but have a profile defined.
    • Update the LXC container configuration by adding the following lines at the end of the /etc/pve/nodes/pve/lxc/<VMID> file:

      • Code
        lxc.cap.drop:
        lxc.aa_profile: lxc-container-imscp
      • Explanations

        • First line: We simply erase the list of any previously dropped capabilities, meaning that the container will have all capabilities
        • Second line: We replace the apparmor profile with our own to allow mount, remount and umount operations inside the LXC container
    • Restart the LXC container to make the changes operational: pct stop <VMID> && pct start <VMID>

    Note: you can skip that last step if your LXC container is not running yet.

    III. Update of the LXC container

    • From the proxmox host, start the LXC container: pct start <VMID>
    • From the proxmox host, enter the LXC container: pct enter <VMID>
    • From the LXC container, run: apt-get update && apt-get --assume-yes dist-upgrade
    • From the LXC container, run: apt-get install locales-all
    • From the LXC container, run: LANG=C dpkg-reconfigure locales, then, select All locales on first dialog and select None on second dialog
    • Edit the /etc/ssh/sshd_config file and change PermitRootLogin without-password to PermitRootLogin yes
    • Restart the ssh service: service ssh restart
    • Exit the LXC container: exit

    IV. i-MSCP installation

    • Login to the LXC container through SSH
    • Install the pre-required packages: apt-get --no-install-recommends install ca-certificates perl whiptail
    • Make sure to enable the source repositories in your /etc/apt/sources.list file. Your /etc/apt/sources.list file should look like:


      • Code
        deb http://ftp.debian.org/debian/ jessie main non-free contrib
        deb-src http://ftp.debian.org/debian/ jessie main non-free contrib
        deb http://security.debian.org/ jessie/updates main contrib non-free
        deb-src http://security.debian.org/ jessie/updates main contrib non-free
        # jessie-updates, previously known as 'volatile'
        deb http://ftp.debian.org/debian/ jessie-updates main contrib non-free
        deb-src http://ftp.debian.org/debian/ jessie-updates main contrib non-free
    • Download and extract the i-MSCP archive into /usr/local/src:


      • Shell-Script
        # cd /usr/local/src
        # wget https://github.com/i-MSCP/imscp/archive/<version>.tar.gz
        # tar -xzf <version>.tar.gz
    • Proceed with the i-MSCP installation as usual:


      • Shell-Script
        # cd imscp-<version>
        # perl imscp-autoinstall -d

    V. Making sure that all is working properly

    • Login to the control panel as administrator
    • Create a new reseller
    • Switch to the newly created reseller interface
    • Create a new client account

    If all goes well, the log directory for that new domain should have been remounted as read-only without any problem. For instance:

    Shell-Script
    root@lxc:~# mount | grep /var/www/virtual/
    /dev/mapper/pve-vm--100--disk--1 on /var/www/virtual/test.tld/logs/test.tld type ext4 (ro,relatime,stripe=16,data=ordered)

    You're DONE ;)
    Last update on 20170522

  • Hi everyone,


    I have a small addendum to this documentation.


    The documented approach still works under Proxmox 5.x. However, for the container configuration (/etc/pve/nodes/pve/lxc/<VMID>) the configuration key lxc.aa_profile has been deprecated. To avoid warning messages under Proxmox 5.x, use the new configuration key lxc.apparmor.profile instead.
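
A way to check the container settings from section II together with the key rename from the Proxmox 5.x addendum, as an added example (not part of the original howto, the reply above, or i-MSCP): a shell function that reads a container config and reports whether it is unprivileged, whether lxc.cap.drop was cleared, and which AppArmor key and profile it uses. The function names, the output format and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a Proxmox LXC container config for the section II settings.

# Print KEY's value from the live part of the config; status 1 if KEY is absent
# (an empty value still counts as present). Snapshot sections are skipped.
conf_get() {
    awk -v k="$2" '
        /^\[/ { exit }                        # "[snapshot]" sections start here
        index($0, k ":") == 1 {               # literal prefix match, last one wins
            val = substr($0, length(k) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", val); found = 1
        }
        END { if (found) print val; exit !found }' "$1"
}

# Usage: audit_lxc_conf <conf-file> [file holding saved apparmor_status output]
audit_lxc_conf() {
    conf=$1 status=${2:-}
    if [ "$(conf_get "$conf" unprivileged)" = 1 ]; then u=yes; else u=no; fi
    echo "unprivileged=$u"
    # An empty lxc.cap.drop clears the drop list: the container keeps all capabilities.
    if drop=$(conf_get "$conf" lxc.cap.drop); then
        echo "cap_drop=${drop:-cleared}"
    else
        echo "cap_drop=default"
    fi
    # Prefer the current key name, fall back to the deprecated one.
    if prof=$(conf_get "$conf" lxc.apparmor.profile); then
        echo "apparmor_key=current"
    elif prof=$(conf_get "$conf" lxc.aa_profile); then
        echo "apparmor_key=deprecated"
    else
        prof=""; echo "apparmor_key=missing"
    fi
    echo "apparmor_profile=${prof:-none}"
    # Exact-name match, so lxc-container-default does not match a longer name.
    if [ -n "$prof" ] && [ -n "$status" ]; then
        if awk -v p="$prof" 'NF == 1 && $1 == p { f = 1 } END { exit !f }' "$status"
        then echo "profile_loaded=yes"; else echo "profile_loaded=no"; fi
    fi
}

# Constructed sample config (not a real container), audited when run directly.
sample=$(mktemp)
printf '%s\n' 'unprivileged: 1' 'lxc.cap.drop:' \
    'lxc.aa_profile: lxc-container-imscp' > "$sample"
audit_lxc_conf "$sample"
rm -f "$sample"
```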