funtoo forums

Blogs

 

Introducing new Funtoo Compute Infrastructure

With the new Funtoo Compute Infrastructure (FCI), it will be possible to run your own LXD container daemon service inside your container. This gives you a multitude of options for how to use your container to the limits. With this option you could "containerise" your services into smaller containers, for example running the mail server and web server in separate containers and further limiting the harm done should one of your containers be compromised from the bad internet. The new FCI even supports running docker applications inside your container. In this club we are going to try to post some interesting tutorials on how to get you started with LXD in LXD and other things related to containers. For now I have compiled basic information on the Funtoo Wiki about LXD and Docker in LXD.

Funtoo Wiki: LXD in LXD
Funtoo Wiki: Docker in LXD

Please let us know what you think about the recent changes in FCI and about the upcoming features. Happy Funputing on your Funtainers!

palica

Setting up a Web Server (Nginx)

When I got a Funtoo container, the first thing I wanted to do with it was host a website. I'm new at this, so I looked up numerous tutorials, but none of them were specific to Funtoo, so I thought I'd write my own, for future reference and for the benefit of other new Funtoo users. It's a pretty basic setup, but I welcome any suggestions as to how it can be expanded or improved. Here are all the steps that I have gone through in setting up my web server.

First, install nginx by typing:

    # emerge nginx

The configuration file for Nginx is located at "/etc/nginx/nginx.conf". I found that the default configuration in Funtoo worked just fine, so I moved straight on to configuring the server. If you have your own domain name, you can configure your DNS to point that address at your Funtoo container, but the Funtoo container has a default address of "(name).host.funtoo.org", so that is the address that I will use for the rest of this tutorial. You can set up a server for that address by typing:

    # nano /etc/nginx/sites-enabled/(name).host.funtoo.org

And adding this to the file:

    server {
        listen 80;
        server_name (name).host.funtoo.org;
        root /var/www/(name).host.funtoo.org/;
        location / {
            index index.html index.htm;
        }
    }

Then create the server root directory:

    # mkdir /var/www/(name).host.funtoo.org

And add a simple test page:

    # nano /var/www/(name).host.funtoo.org/index.html

Start the nginx service by typing:

    # /etc/init.d/nginx start

Now the index page should be accessible from any web browser by typing "(name).host.funtoo.org" into the address bar. That's all it takes to host web sites on a Funtoo container, but I want my websites accessible through https rather than http, so I need certificates to verify my site's identity. You can get a free certificate from LetsEncrypt using a program called Certbot.

Install certbot by typing:

    # emerge certbot

And use it by typing:

    # certbot certonly --webroot -w /var/www/(name).host.funtoo.org -d (name).host.funtoo.org

Now there should be certificates for the website located at /etc/letsencrypt/live/(name).host.funtoo.org/

Next, to reconfigure the server to redirect visitors to ssl, type:

    # nano /etc/nginx/sites-enabled/(name).host.funtoo.org

And change the file's contents to this:

    server {
        listen 80;
        server_name (name).host.funtoo.org;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl;
        server_name (name).host.funtoo.org;
        root /var/www/(name).host.funtoo.org/;
        ssl_certificate /etc/letsencrypt/live/(name).host.funtoo.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/(name).host.funtoo.org/privkey.pem;
        location / {
            index index.html index.htm;
        }
    }

Restart Nginx by typing:

    # /etc/init.d/nginx restart

And the web site can now be accessed securely through ssl.

One thing that I found was that when I have multiple domain names pointing at my server, if I don't have entries set up for them in Nginx, it has the default behavior of redirecting requests for unspecified domain names to the first available server. I'd rather not have this happen, so I edited the Nginx configuration file:

    # nano /etc/nginx/nginx.conf

And just above the line that says "include /etc/nginx/sites-enabled/*;" I added this:

    server {
        server_name _;
        listen *:80 default_server deferred;
        return 444;
    }

This makes it so that all defaulted requests return no response.

That's all that I've done to set up my web server so far. If you're a beginner like me, I hope you find it helpful, and if you're more advanced than me, any advice you can offer will be greatly appreciated.

If anybody has any questions or suggestions, write a comment or send me a message. All requests for clarification, correction, expansion, and improvement are welcome, and I'll edit and add to this tutorial as necessary.

spacemage

The tail of VirtualBox and the rc

Well, I wanted to play with VirtualBox on Funtoo again. Set up metro to create a custom stage3, added the stuff I use. All went well, chrooted into the new install, did all the normal setup stuff.

Rebooted into the new install. All was fine in the world. Adjusted my VMs to use VirtualBox, and even finally got OS X to work right virtualised.

Then the bullshit. How the fuck do you autostart VMs on boot? Went down the google rabbit hole, all the info was based on other Distros or outdated info. Fuck!!!!

So I did what any self respecting person would do. I built a rc startup script. Well (4) actually.

So here they are.

1) vbox.example - this is the /etc/conf.d file - set options there. Rename the file to the name of the service - vbox.myvm
2) vbox.tmpl - this is the rc script that goes into /etc/init.d, then create a symbolic link to the vm name, use like netif.tmpl:

    # ln -s /etc/init.d/vbox.tmpl /etc/init.d/vbox.myvm

3) vboxd.start - goes into the /etc/vboxd dir - starts the vm. The correct vm config is passed to the script by the init script
4) vboxd.stop - goes into the /etc/vboxd dir - stops the vm. The correct vm config is passed to the script by the init script

And that's it. I can run as any user. VirtualBox segments the available VMs according to user, so a VM under ckurlinski will not show up under root. Nice for some things, sucks for writing an init script.

All VMs will run under the created user, and can be set to start / stop with different parameters: headless, saved state. Sends info to dmesg also.

The last thing I would like to do is create a portage package.... Not even sure where to start on that ..... Thanks for sharing.

Chris Kurlinski

My day Job

Not sure how many people out there are like me, but here is a project I'm just about to complete for a client.

I'm not in the IT industry, I'm in construction, a master plumber by trade, but I do a lot of building management system integrations, and a lot of really specialty projects, like custom fire pits with iPad controls, high end pools (we're talking 100K gal, completely automated), heat pump / solar water heater for potable water, large solar systems (looking forward to trying out the Tesla Power Wall). Generally, anything that requires a computer interface, I'll do. Basic anything is boring, and not for me.

Well, this leads me to my latest project that's wrapping up. (3) Years ago, I did a pool system for a client, but they didn't have time to build a structure over the equipment, and over the last (3) years the equipment is starting to fail; the Bahamian sun and sea are brutal on this kind of stuff. So I proposed to the client to build a structure over the equipment to protect it. He said great idea, what will it cost, and I went huh?

After some thought and a lot of design work, I drew some plans up and priced it to the client, and he said great, when can you start.

So here is the original design.

And here is the final structure without paint.

The only modification from the original design was the doors, which I custom built from Number 1 grade fir, and used some left over epi wood for the siding. Sanding and painting is all that is left.

Chris Kurlinski

Mobile Detection on Tengine / Nginx

If you use a content management system for your site, it probably already deals with mobile systems. But, what if you have parts of your site that aren't in a CMS, or you do your site by hand?   Well, it would be nice to either redirect from www.example.com to m.example.com, or (my preference), to redirect to a subdirectory. I like the subdirectory approach because I can easily share content with the main site via symlinks (such as the content management system). Normally, this isn't a nice thing to do to your caches since any caches along the way won't know that the symlinked files aren't the same, but if you can solve that, let me know.   The following method redirects the user if they are on a mobile browser, but still allows them to use the "Request Desktop Site" feature. Just include the file in your tengine or nginx server configuration. The actual rewrite is done at the end. Scroll to the bottom and you'll see the line to edit. I tried to attach the file, but it said I'm not permitted to upload files of that type. Cut-Paste or email me and I'll send it to you. 
    #- This file for doing redirects based on mobile detection
    set $mobile_rewrite do_not_perform;

    #- check http_user_agent for mobile / smart phones
    if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino") {
        set $mobile_rewrite perform;
    }
    if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {
        set $mobile_rewrite perform;
    }

    set $force_dt_cookie "";
    if ($args ~ 'desktop=true') {
        set $mobile_rewrite do_not_perform;
        set $force_dt_cookie "desktop=true";
    }
    add_header Set-Cookie $force_dt_cookie;

    if ($http_cookie ~ 'desktop=true') {
        set $mobile_rewrite do_not_perform;
    }

    location /m {
        error_page 404 /m/error/404.html;
    }

    #- redirect to /m except /m, /mail, /joomla
    if ($mobile_rewrite = perform ) {
        rewrite ^(?!(/m|/joomla)+) /m$request_uri? break;
        break;
    }

    #- To redirect to m.example.com, change above rewrite to
    # rewrite ^ https://m.example.com$request_uri? break;

That's it! I just put my mobile files in the /m directory of the server.

uudruid74
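A way to check what the snippet above actually decides before putting it in front of a live site is to replay its logic over sample requests. The following Python is an added example, not part of the post: it copies the two user-agent patterns from the snippet (nginx's `~*` is a case-insensitive PCRE match, reproduced with `re.IGNORECASE`), models the `desktop=true` query and cookie overrides and the `/m` / `/joomla` exclusion, and runs them against a few constructed user agents and request URIs. It does not run nginx; it is a harness for reasoning about the rules, and its UA strings are made up for the test.

```python
import re

# User-agent patterns copied from the nginx snippet in the post (the two
# detectmobilebrowsers.com lists). nginx's "~*" is case-insensitive PCRE,
# so re.IGNORECASE reproduces it here.
MOBILE_UA = re.compile(
    r"(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|"
    r"hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|"
    r"palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|"
    r"up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino",
    re.IGNORECASE,
)
MOBILE_UA_PREFIX = re.compile(
    r"^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|"
    r"co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|"
    r"i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|"
    r"n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|"
    r"s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|"
    r"v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)",
    re.IGNORECASE,
)
# Same negative lookahead as "rewrite ^(?!(/m|/joomla)+) /m$request_uri? break;"
REWRITE_ELIGIBLE = re.compile(r"^(?!(/m|/joomla)+)")


def is_mobile(user_agent):
    """True when either of the snippet's two if-blocks would set $mobile_rewrite perform."""
    return bool(MOBILE_UA.search(user_agent) or MOBILE_UA_PREFIX.search(user_agent))


def route(user_agent, request_uri, cookie_header=""):
    """Model the snippet's decision for one request.

    Returns (uri nginx ends up serving, Set-Cookie value or None).
    """
    path, _, args = request_uri.partition("?")
    perform = is_mobile(user_agent)
    set_cookie = None
    if "desktop=true" in args:            # if ($args ~ 'desktop=true')
        perform = False
        set_cookie = "desktop=true"       # the "Request Desktop Site" opt-out
    if "desktop=true" in cookie_header:   # if ($http_cookie ~ 'desktop=true')
        perform = False
    if perform and REWRITE_ELIGIBLE.match(path):
        # $request_uri keeps the original query string; the trailing "?" in the
        # rewrite stops nginx from appending the arguments a second time.
        return "/m" + request_uri, set_cookie
    return request_uri, set_cookie


# Constructed sample user agents for the harness (not captured from real traffic).
ANDROID = ("Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/80.0 Mobile Safari/537.36")
IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) "
          "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari/604.1")
NOKIA = "Nokia6310i/1.0"   # only the prefix list catches this one
DESKTOP = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/80.0 Safari/537.36")

if __name__ == "__main__":
    for ua in (ANDROID, IPHONE, NOKIA, DESKTOP):
        print(ua[:40].ljust(40), route(ua, "/news/index.html"))
    print("opt-out:", route(ANDROID, "/news/?desktop=true"))
    print("cookie: ", route(ANDROID, "/news/", cookie_header="desktop=true"))
```

Feeding the harness a sample of user agents from your own access log is the quickest way to see which clients the two lists catch and which they miss; the prefix list in particular is a snapshot of old feature phones, so a modern tablet or a desktop browser with a "phone" substring in its UA can fall on either side.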

Adding SSL to Tengine / Nginx

OK, you've got your SSL certificate and you have tengine or nginx set up, but you need it secure. After all, you've heard of all the recent DH attacks, BEAST, CRIME, FREAK, Heartbleed and others, right? Is your system already secure? Test it! Check out The SSL Labs Test Site. I'm getting an A+ rating! The following assumes tengine, but nginx is exactly the same, just s/tengine/nginx/g;

Need a certificate? OK - I highly recommend StartSSL. It's FREE! These guys will step you through the process by following the instructions on their site. If you have problems, the tech support via email is instantaneous and incredibly professional. My cert was the free variety, but if I ever upgrade, I will go to them because the support (to a non-paying customer no less) was so good.

OK ... Make a file /etc/tengine/ssl.conf (or equiv for nginx):

    #- Ports to listen on, all addresses, IPv6 and IPv4
    listen [::]:443 ssl;
    listen 443 ssl;
    #- Support current SSL standards and options only
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    #- And some security related headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

Now, go into your sites-available and in the server{} configuration for the site you want to include SSL, add these lines:

    include /etc/tengine/ssl.conf;
    ssl_dhparam /etc/ssl/tengine/dhparam4096;
    ssl_trusted_certificate /etc/ssl/tengine/startssl_trust_chain.crt;
    ssl_certificate /etc/ssl/tengine/ssl-unified.crt;
    ssl_certificate_key /etc/ssl/tengine/ssl.key;

Now, there are 4 files here for SSL in addition to the one we just included. Let's look at where they come from.

First, you should have a certificate file (ssl.crt in the following), and a key for that file (private_ssl.key). The CRT begins with "-----BEGIN CERTIFICATE-----", but you will need to view this in vi, not less (less will try to decode many of these files). Your private key is password protected (the key is "-----BEGIN RSA PRIVATE KEY-----" followed by a line that says ENCRYPTED). Since you probably don't want to issue a password every time you start your server, let's fix that first.

    openssl rsa -in private_ssl.key -out /etc/ssl/tengine/ssl.key

Easy enough? And we have one of our lines done. 3 to go!

The next is to create a chain of certificates back to the root. For StartSSL, you download their cert:

    wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

Then make the file you need with your cert and theirs. Here's your next 2 files!

    cat ssl.crt sub.class1.server.sha2.ca.pem > /etc/ssl/tengine/ssl-unified.crt
    cp sub.class1.server.sha2.ca.pem /etc/ssl/tengine/startssl_trust_chain.crt

Now, the final command for the final file:

    openssl dhparam -out /etc/ssl/tengine/dhparam4096 4096

4096 might be overkill, but 1024 is the minimum and you might as well go all out just in case 1024 gets broken next month!

Be sure all these files are secure!

    chmod 0600 /etc/ssl/tengine/*

Delete originals, clean up, then restart tengine.

Next I'll cover gzip compression, detecting mobile client, and joomla configuration. Any particular one anyone wants to see first?

uudruid74
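The ssl.conf above and the plain https server{} block in the "Setting up a Web Server (Nginx)" post further up are both the kind of fragment worth re-checking whenever nginx or the TLS landscape moves on (the post predates RFC 8996, which deprecated TLS 1.0 and 1.1). The following Python is an added example, not part of either post: a small directive parser for nginx-style config text plus an audit that flags deprecated protocol versions, session tickets left at their default, missing OCSP stapling, a missing or short HSTS max-age, and finite-field DH ciphers without an ssl_dhparam. The first sample input reproduces the post's ssl.conf together with the four lines it adds to the server{} block; the hardened variant and the basic server block (with a made-up hostname in place of "(name)") are my own constructed inputs.

```python
import re
import shlex

# Constructed sample 1: the post's ssl.conf plus the server{} lines it adds.
PAGE_SSL_CONF = """
#- Ports to listen on, all addresses, IPv6 and IPv4
listen [::]:443 ssl;
listen 443 ssl;
#- Support current SSL standards and options only
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
#- And some security related headers
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/tengine/dhparam4096;
ssl_trusted_certificate /etc/ssl/tengine/startssl_trust_chain.crt;
ssl_certificate /etc/ssl/tengine/ssl-unified.crt;
ssl_certificate_key /etc/ssl/tengine/ssl.key;
"""
# Constructed sample 2: same file with only current protocol versions.
HARDENED_SSL_CONF = PAGE_SSL_CONF.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;")
# Constructed sample 3: the https server block from the earlier post, hostname made up.
BASIC_SERVER_BLOCK = """
server {
    listen 443 ssl;
    server_name example.host.funtoo.org;
    root /var/www/example.host.funtoo.org/;
    ssl_certificate /etc/letsencrypt/live/example.host.funtoo.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.host.funtoo.org/privkey.pem;
    location / { index index.html index.htm; }
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FFDH_KEYWORDS = {"DH", "EDH", "DHE", "kDHE", "kEDH", "ADH"}   # OpenSSL cipher-list names
ONE_YEAR = 31536000


def parse_directives(text):
    """Split nginx-style config text into (name, [args]) pairs.
    Comment lines are dropped; ';' and braces end a statement; quoted
    values (which may contain ';') stay whole thanks to the quote tracking."""
    directives, buf, quote = [], [], None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for ch in line:
            if quote:
                buf.append(ch)
                if ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
                buf.append(ch)
            elif ch in ";{}":
                stmt = "".join(buf).strip()
                buf = []
                if stmt:
                    tokens = shlex.split(stmt)
                    directives.append((tokens[0], tokens[1:]))
            else:
                buf.append(ch)
        buf.append(" ")
    return directives


def audit_tls(text):
    """Return a list of findings for one server{}-level config fragment."""
    directives = parse_directives(text)

    def last(name):  # nginx uses the last occurrence of a single-valued directive
        hits = [args for n, args in directives if n == name]
        return hits[-1] if hits else None

    findings = []
    protocols = last("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set; nginx's compiled-in default applies")
    else:
        deprecated = sorted(DEPRECATED_PROTOCOLS & set(protocols))
        if deprecated:
            findings.append("ssl_protocols enables deprecated versions: " + ", ".join(deprecated))
    if last("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on; the client's cipher order wins")
    if last("ssl_session_tickets") != ["off"]:
        findings.append("ssl_session_tickets is on (nginx default); without ticket-key rotation it weakens forward secrecy")
    if last("ssl_stapling") != ["on"]:
        findings.append("ssl_stapling is off; clients must fetch OCSP status themselves")
    elif last("ssl_stapling_verify") != ["on"]:
        findings.append("ssl_stapling_verify is off; stapled OCSP responses are not checked")
    hsts = [args for n, args in directives
            if n == "add_header" and args and args[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1][1]) if len(hsts[-1]) > 1 else None
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is missing or shorter than one year")
    ciphers = last("ssl_ciphers")
    if ciphers and set(re.split(r"[:+!]", ciphers[0])) & FFDH_KEYWORDS and last("ssl_dhparam") is None:
        findings.append("finite-field DH ciphers listed but no ssl_dhparam; current nginx skips DHE entirely and old versions used a weak built-in group")
    return findings


if __name__ == "__main__":
    for label, conf in (("post", PAGE_SSL_CONF), ("hardened", HARDENED_SSL_CONF),
                        ("basic server block", BASIC_SERVER_BLOCK)):
        print(label, "->", audit_tls(conf) or ["no findings"])
```

The parser is deliberately naive (it does not track nesting, so directives from an inner location{} are reported alongside the server{} ones), which is fine for auditing a single included fragment or one vhost file; for a whole nginx.conf tree, run it per file or extend `parse_directives` to push a block stack on `{` and pop on `}`.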

forums faq

drobbins demands faqs so yer gonna get em...

embedding images results in thumbnails, they're forever hosted at funtoo until drobbins decides to nuke the website.

to make large image postings, navigate to the tools above the post entry form and to the left of <> is an image to feed external (or internal) urls to.

in the "my media" button you can attach garbage to posts, such as your blog entries or images you've posted.... like my "punch babies" or "dead larry"

above is a quote box to the right of <>. to get past the quote box, press enter a few times....

<> is code... it pops up a window to enter code, to get past it again press enter a few times.

    <h1><b>hello</b>world</h1>

twitter just links a twitter link. @6three6sixes6

to the left of font is special bb code. you can enter acronyms, twitters and some others. they give hover dialog, mouse over the below word to see it in action.

shart

below the post is attachment stuff.... attach files to show up in my media for future postings.

to change forum entry titles, ie from "my funtoo's borked" to "[solved]my funtoo's borked" go to "full editor mode" instead of quick edit mode.

bam that's the faq jack

666threesixes666

crazy garbage dreamed up while grilling at 5:30 am

I'd like a torrenty style cryptographically secure protocol that supports revision control, where users could host locally cached content they've viewed from recent websites botnet style, with throttle control that is geo & route metric aware, to make the internet much more efficient. users could provide disk quotas and quotas per site and the crypto part would be used to distribute database contents. wiki style permissions for admins to work on the site, then propagate back to the main server like a convergence broadcast? several browsers support 1/4th of this paradigm already in holding stuff in the browser's cache.

ex: go to coffee shop, load google, revision control pings for hash, no change, site's the same > serve, everyone on the router hits my cached google and gets their own cached google if they have that turned on, detect lan saturation of local google, transparently start phasing that data out of the cache if the upstream node's share throttle is set higher. it'll still be fast because you're nabbing it over lan.

I'm totally a dreamer

666threesixes666

Working towards my ideas

I'm a big fan of trying anything new, but the cardinal rule for me is this: Don't mess with the data. If you don't want to lose those irreplaceable pics of grandma, keep them on a separate drive.

This is my mantra. I love playing with my system, updating, tweaking, and exploring. But this can be dangerous to your data.

This is also the reason why I chose to use zfs as the storage for all my data. I can get to it from just about anywhere. If it's unix(-like), I can download the kernel modules and access it.

I feel like zfs is becoming the unix(-like) version of fat32. Let me explain.

I just did some consulting on a smartos job, but I had to p2v an existing Windows 2k3 server, with a dying hard drive. Smartos is great and all, but it is really not set up to virtualise an existing machine. So I placed the failing drive into my setup, created a zvol the same size as the failing drive, and dd'd the old drive to the new zvol. Created a new KVM instance, and booted the thing up.

After some general cleanup and a massive amount of defragging, I had a good image ready for production.

The Smartos side of things was fine, json took a little getting used to, it helps finding a good validating editor, zfs send | zfs receive brought up the zvol, and away I went with the client configuration, igmadm create and all. Now the setup is in production, and all seems to be well.

But the real point of this endeavour is this: ZFS is getting to the point of being truly cross platform. The only thing that can't read ZFS is windows, and that access is a samba share away.

As much as I like Smartos, I love Funtoo. If I was going to roll out a data centre with clean installs, then Smartos is a great base. But p2v a small business client, not so sure.

That's why I'm thinking about a Smartos-like Funtoo usb bootable read-only install, and keeping with the way Funtoo is, basically a recipe for using the existing tools to create it, because that is the right way to do it.

Our BDFL gives us the tools to do anything we want with his creation; we as users of Funtoo get to assemble it as we need to get the job done.

This is my idea: bootable usb Funtoo minimal, bare essential tools, read only root, builtin zfs kernel and xen hypervisor.

Now just to figure out how to do it........

Chris Kurlinski

First day

Gentoo was my first linux try that made sense. The source code is there, the compiler is there. And everything makes sense. There are difficulties along the way, but because the system made sense, it is always a worthwhile goal to overcome these difficulties. Maybe Gentoo is a more coherent system. And now that Funtoo is here, I will definitely give it a try.

daixtr

winter is coming

sorry drobbins, winter's coming, and this -23 Celsius shit drives me crazy, I have a lot of time to think about things.

my quest is to wake from recurring dreams, to the collective recurring dream people call reality.

ok personal philosophy... I'm a pantheist, meaning I see nature as god, and science as the quest to know god. I am a very small part of nature, therefore I am a small part of god. my parents are my creator, and they are of nature. I'm observing what's right in front of me.....

personal meaning of life.... the meaning of life to me is to create a better world than I was given for my children, and their children's children. my work ethic is next to insane. I'll work to the bone for zero pay to these ends. I'm a how and why kind of person, "because" is not a sufficient answer. I do acknowledge I do not know everything, and sometimes I have to accept "I don't know how it works but it does" as an answer.

programmatic unbalanced equations with fractal recursion, of infinite loops, and applied mathematics.... just as a computer program can feed back in on itself and perpetually load, my dreams consist of using applied mathematics to make this problem a real world problem. I want to harness the power of the infinite loop, that leads back to its starting point to give another power cycle.

how this works: the chain on the right side is longer, and heavier than on the left. the equation is unbalanced, and feeds back into itself. it's a natural fractal.

https://www.youtube.com/watch?v=2QRKzwgG_-U

this one is like swinging on a swing set, you pump, and relax at specific times... you accumulate more energy than you put into it. only a robot is doing the pumping...

666threesixes666