Not long ago, I was looking through my container configurations in the Proxmox GUI and noticed that one very important container had been running as privileged. I must’ve forgotten to click the “Unprivileged” checkbox when I was creating it. For security sake, I try making all of my containers unprivileged. It makes things like sharing files between the host and containers slightly more difficult, but if that particular container is ever compromised by someone with malicious intent, it makes it much more difficult for that malicious actor to compromise the entire host. See the Proxmox documentation on unprivileged containers for more information.
To make this particular container more secure, and to avoid having to set everything up again, I thought it might be easier to simply try and converting it to an unprivileged container. While you can’t just shut the container down, go into the GUI and mark it unprivileged, you can create a backup and make a new container from that backup unprivileged. If you clicked the link to the Proxmox documentation from earlier, you’d see just what I was talking about. In it, you can see under the Creation section, that all you need to do is run
pct restore 1234 var/lib/vz/dump/vzdump-lxc-1234-2016_03_02-02_31_03.tar.gz
-ignore-unpack-errors 1 -unprivileged
where the first 1234 is your new container ID, and the second (in the backup file) is the old container ID. You can overwrite the previous container with the restore, but it might be a safer bet to just create a new container and then shutdown your old one.
You can also do this through the GUI by navigating to the backups of your container, selecting your backup, and clicking restore. However, when I ran it through the GUI, it gave errors and destroyed the container. Thank goodness for backups, right? Even when running the above command in the CLI, I received errors. Fortunately, they were easy enough to troubleshoot. If you see something like
400 Parameter verification failed.
storage: storage ‘local’ does not support container directories
then you’ll need to specify your storage. This is easy enough to get around by providing the –storage option and selecting the proper storage location. In my case, the entire command looked like
pct restore 1234 /var/lib/vz/dump/vzdump-lxc-1234-2018_05_25-10_29_59.tar.lzo
-ignore-unpack-errors 1 -unprivileged –storage local-zfs.
With that done, you can start up your new container and use it the same way you were before, but this time, it’s a little more secure.
Category: Server
I hate typing the same commands over and over into the terminal. I hate it so much that every time I have CLI deja-vu, the first thing I say to myself is “How can I automate this?” Usually, it’s as simple as adding a quick alias to my `~/.bash_aliases` file but this time I did that along with throwing together a quick bash script. If you ever install the storjshare client on an Ubuntu or Debian based machine, putting these aliases and script on your system might help you with a few of the commands I found myself typing frequently.
Storjshare Aliases
https://gist.github.com/Dilden/ec379a64532ec5e1d36586fd35ed0101
If these helped you out at all, let me know by starring the repo or leaving a comment here.
UPDATE!Something that bothered me about the storjshare daemon was that it didn’t startup when the system did. Depending on how you look at this, it can be a good thing. Fewer system resources consumed during startup is nice, but if it’s the only thing you’re hosting on your machine and you’re striving for up-time, then it’s a necessity. To get around this quickly and easily, you can update the cron jobs to fire on startup.
@reboot su – YOUR_STORJ_USER_HERE -c “storjshare daemon && storjshare start -c /home/YOUR_STORJ_USER_HERE/.config/storjshare/configs/YOUR_STORJ_NODE_ID.json”
This will likely need to be put in your root user’s cron which you can gain access to with the command `crontab -e` (while logged in as root).
I threw together a simple bash script to be run via cron jobs that will backup an entire WordPress site. Technically, it will work for a lot more than that assuming the site you’re backing up has a single directory to be backed up and a MySQL/MariaDB database. It’s a fairly simple script and it is easy to expand to work with multiple directories. Just take a look at the source for yourself!
To use, fill in the information at the top of the script (site name, database name, database user + password, path to site, and backup path), upload the script to `/etc/cron.daily/` on your server and you’ll be good to go!
Take note of the `SITE_PATH` variable at the top of the script. For whatever reason, there needs to be a space between the first “/” and the rest of the path.
In keeping with my previous posts discussing deployments with Git and Capistrano, I thought it appropriate to mention the latest tool I’ve been using to automate shipping code; Deployer. Since discovering Deployer, I’ve dropped Capistrano and git deployments. Those tools were fine, and if you’re developing with Ruby, I’d encourage you to stick with Capistrano but since I’m doing most of my development with PHP, it only makes sense to use something that was made for PHP and can be easily installed alongside all of my other dependencies with Composer.
So what do you have to do to get started deploying your PHP code quickly, easily, and securely? Let’s dig in.
Installation
There are a few ways to handle this: 1) install Deployer globally with a curl/wget request, 2) install using composer on a per project basis, or 3) install globally with composer. If you install globally, Deployer will function in the same way a global composer install works. That is, you’ll download a .phar archive, move that .phar archive into a directory where it can be run that works with your environment’s PATH, and make that it executable.
curl -LO https://deployer.org/deployer.pharmv deployer.phar /usr/local/bin/dep
chmod +x /usr/local/bin/dep
That’s all you have to do for a global install of Deployer. Otherwise, you can install with one simple line using composer.
composer require deployer/deployer for per project basis or composer global require deployer/deployer for the global composer install.
If you did the curl request, Deployer should work using the command “dep.” If using composer, it’ll probably be “php vendor/bin/dep” but this can be corrected for by creating a quick alias in your system’s .bashrc file that looks like so:
alias dep=’php vendor/bin/dep’
Usage
Once we have Deployer installed, we can use it by navigating to our project’s root directory. In there, type dep init to create a deploy.php file. We’re going to modify ours so that it looks similar to the one below. Feel free to use as needed.
<?php
namespace Deployer;
require ‘recipe/common.php’;
// Project name
set(‘application’, ‘PROJECT_NAME_HERE’);
// Project repository
set(‘repository’, ‘YOUR_GIT_REPO_HERE’);
// [Optional] Allocate tty for git clone. Default value is false.
set(‘git_tty’, true);
// Shared files/dirs between deployments
set(‘shared_files’, []);
set(‘shared_dirs’, [’vendor’]);
set(‘keep_releases’, 5);
// Writable dirs by web server
set(‘writable_dirs’, []);
// Hosts
// live is the alias of the server, this would come in handy
// when specifying which server to deploy if I had another to include
host(‘live’)
->hostname(‘DEPLOY_TO_THIS_SERVER’)
->user(‘USER_TO_DEPLOY_AS’)
->identityFile(‘~/.ssh/id_rsa’)
->set(‘deploy_path’, ‘PATH_TO_DEPLOY_TO’)
->set(‘composer_options’, ‘install –no-dev’)
->set(‘branch’, ‘master’);
// Tasks
// This is sample task that I’ve included to show how simple
// it is to customize your deployer configuration. For now,
// it just needs to be declared and we’ll call it later.
// Runs database migrations using a package called Phinx (post to come later)
desc(‘Phinx DB migrations’);
task(‘deploy:migrate’, function () {
run(‘cd {{release_path}} && php vendor/bin/phinx migrate -e live’);
});
desc(‘Deploy your project’);
task(‘deploy’, [
‘deploy:info’,
‘deploy:prepare’,
‘deploy:lock’,
‘deploy:release’,
‘deploy:update_code’,
‘deploy:shared’,
‘deploy:writable’,
‘deploy:vendors’,
‘deploy:migrate’,
‘deploy:clear_paths’,
‘deploy:symlink’,
‘deploy:unlock’,
‘cleanup’,
‘success’
]);
// [Optional] If deploy fails automatically unlock.
after(‘deploy:failed’, ‘deploy:unlock’);
This file should be pretty self explanatory so I won’t go through it line by line but notice there are a couple of things that should be pointed out. Firstly, the shared directories are useful so that on my production server, I don’t have 5 different vendor folders that need to be installed every time I deploy. Next, I’ve specified an alias for my server and called it live. That makes running the deployment command very simple and gives me the option to specify which host to deploy to, should I need to add another host. Thirdly, I’ve specified that for this host live, I should run composer with the –no-dev flag so that dependencies like Deployer aren’t installed. And finally, my custom task deploy:migrate is called after the deploy:vendors. This doesn’t necessarily need to be called here, but it does need to be called after deploy:update_code as that is the task that will pull my code from the git repo, and I don’t want to be running and older version of the migrations.
Launch!
Now what? Deploy! Just kidding, there is actually one other thing you should check before you deploy. Some services like Bitbucket, require that your production server can pull down your git repo. You may need to create an SSH key on your server and add the public key to your git repo’s access keys. Check your repo’s settings to make sure your server can pull code from there.
Now, you can launch and it’s as easy as dep deploy live. Assuming you’ve pushed all of your code to your repo, you should see the latest version running on your server!
If you’re at all into homelabbing, are a server administrator, or have an interest virtualization, you’ve probably heard of Proxmox. In my case, I just love to tinker with my homelab. One of the things I love about Proxmox, is how quickly I can get a containerized server up and running. All I need to do is open the web interface, click ‘Create CT’, fill out a couple of fields, and it’s done. It takes less than a minute to get an entirely new server on my network. The downside? I have to reinstall various services like Apache/nginx, PHP, and MySQL/MariaDB every time I spin up a new container. Now, I know what you’re thinking:
Couldn’t you just use a turnkey template provided by Proxmox with everything pre-installed?
And you’re right, I could do that but I want to have complete control over these containers. I want to know everything that’s installed them. So what’s next best option?
Create one container with everything that I regularly need, and use that as a template. It sounds intimidating, but it’s so ridiculously simple that I’m concerned with how short this blog post will be. Here’s what you do:
Create a new container using the whichever distro you prefer. I went with Ubuntu 16.04
Start that container
SSH into that container (or you can SSH into Proxmox and use the command pct enter <container ID> to access your new container)
Install all of the services that you need. Things like nginx, PHP 7, MariaDB, Git, and the Let’s Encrypt Certbot could be useful for web dev projects.
Verify everything you need is working with this container.
Exit your container and shut it down.
In the Proxmox web GUI under Server View, select your container and navigate to Backup
Create a new backup but be sure to select GZIP compression
After your backup finishes, open a terminal to your Proxmox environment (not the container)
Find the backup you just made under /var/lib/vz/dump/<backup-name>.tar.gz and copy it to /var/lib/vz/template/cache/<new-backup-name>.tar.gz
You’ve just created a new LXC template for use with your Proxmox 5.0 environment. Now anytime you want to spin up another container, you can just select that as your template! Also, the container that you previously created is still valid so feel free to use that as well.