diff --git a/nspawn-container/README.md b/nspawn-container/README.md new file mode 100644 index 0000000..bc1fbe6 --- /dev/null +++ b/nspawn-container/README.md @@ -0,0 +1,239 @@ +# How to Create a Custom Container on UnifiOS 3.x+ + +This is a guide that shows you how to create your own container on UnifiOS 3.0+, and how to install custom services in your container (such as pihole or adguard home). + +Starting with UnifiOS 3.0, podman/docker support has been removed due to a kernel change. However, you can still create a container with systemd-nspawn, which is what this guide will focus on. + +## Table of Contents + +1. [Instructions](#instructions) + * [Step 1. Create the Container](#step-1-create-the-container) + * [Step 2. Configure the Container](#step-2-configure-the-container) + * [Step 2A. Configure the Container To Use An Isolated MacVLAN Network](#step-2a-configure-the-container-to-use-an-isolated-macvlan-network) + * [Step 3. Configure Persistence Across Firmware Updates](#step-3-configure-persistence-across-firmware-updates) + * [Step 4. Install Custom Services](#step-4-install-custom-services) +2. [FAQ](#faq) + +## Instructions + +### Step 1. Create the Container + +The following commands are all perfomed on the Unifi router in SSH. + +1. We first need to install systemd-container and debootstrap. We will use debootstrap to create a directory with a base debian system, and then use systemd-nspawn to boot the container. + + ```sh + apt -y install systemd-container debootstrap + ``` + +2. Next, we use debootstrap to create a directory called `debian-custom` with a base debian system in `/data/custom/machines`. + + ```sh + mkdir -p /data/custom/machines + cd /data/custom/machines + debootstrap --include=systemd,dbus unstable debian-custom + ``` + * This process can take up to 10 minutes to download and install all the packages. + * The container folder will be 390MB after installation, but can increase to 1GB+ after installing many services (storage management is up to you). + * Note: Instead of debootstrap, you can also use pacstrap or other distributions' tools to create an Arch Linux, Fedora, or other container instead of a debian container (see [examples here](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#Examples)). + +3. Finally, let's bring up a shell on this container, set the root password, and enable the networking service. Run each command one-by-one. + + ```sh + systemd-nspawn -M debian-custom -D /data/custom/machines/debian-custom + passwd root + systemctl enable systemd-networkd + echo "nameserver 1.1.1.1" > /etc/resolv.conf + echo "debian-custom" > /etc/hostname + exit + ``` + + * The first command should put you in a shell in the container. If it doesn't work, something went wrong. + * Note the password will be hidden when you are typing it out in the `passwd root` command, and you will be asked to type it twice. + * We also set the default nameserver to 1.1.1.1 in resolv.conf. You can change this to your own DNS or omit this command if you plan to configure the DNS later. + * The hostname can be set to whatever you want, here debian-custom is used as an example. + +### Step 2. Configure the Container + +Now that the container is created, let's configure it. Make sure you are back on the host OS and not in the container. + +1. First, we will link the container to `/var/lib/machines` so we can control it with `machinectl`. + + ```sh + mkdir -p /var/lib/machines + ln -s /data/custom/machines/debian-custom /var/lib/machines/ + ``` + +2. Next, we will create a `debian-custom.nspawn` file in `/etc/systemd/nspawn` to configure parameters for the container (such as network, bind mounts, etc). Here I use vim to create the file as a personal preference. + + ```sh + mkdir -p /etc/systemd/nspawn + vim /etc/systemd/nspawn/debian-custom.nspawn + ``` + + * For a container that has access to all the host network interfaces and full capabilities to do anything to the system, here is an example nspawn configuration file. Note it is important to set `Boot=on` so systemd boots up inside the container. + + ```ini + [Exec] + Boot=on + Capability=all + + [Network] + Private=off + VirtualEthernet=off + ResolvConf=off + ``` + + * For a more isolated container configured with a macvlan bridge, follow [Step 2A](#step-2a-configure-the-container-to-use-an-isolated-macvlan-network) below instead before running the container. + * For other options, see the nspawn manpage [here](https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html). + +3. After you've configured your nspawn file, let's boot up the container and see if it works. + + ```sh + machinectl start debian-custom + machinectl enable debian-custom + ``` + + * If the container booted up, you can check `machinectl status debian-custom` for information (hint: press 'q' to exit the status log). + * The second enable command will enable the container to start on boot. + +4. Now that the container is running, we should be able to open a shell or login to it. + + * Typing `machinectl shell debian-custom` should open a shell to the machine and bypass login. Typing `exit` in this shell will exit back to the host Unifi OS. + * Typing `machinectl login debian-custom` will give you a login prompt like a normal Linux system. In most cases, you can just use `machinectl shell` to bypass the login for easier access. If you do use the login instead of the shell, you can exit the container by holding the `Ctrl` key and pressing the `]` key 3 times. + +5. Now that you have access to your own container, you can install whatever services you want within it like a normal Linux system ([see examples below](#step-4-install-custom-services)). Make sure you ran `machinectl enable debian-custom` so the container starts on boot. + +### Step 2A: Configure the Container to use an Isolated MacVLAN Network + +This configuration is only needed if you want to isolate the container's network with a macvlan bridge. The following steps are all performed on the host OS. + +1. Download the [10-setup-network.sh](scripts/10-setup-network.sh) script to `/data/on_boot.d` and configure it with your VLAN and IPs for your container and gateway. This script will create a brX.mac interface as a gateway bridge for containers to communicate with. + + ```sh + mkdir -p /data/on_boot.d && cd /data/on_boot.d + curl -LO https://raw.githubusercontent.com/peacey/unifios-utilities/nspawn/nspawn-container/scripts/10-setup-network.sh + vim 10-setup-network.sh + ``` + + * Modify `VLAN` to an existing VLAN network that you want your container to be on. The default is VLAN 5. Make sure this VLAN network is created in Unifi first with a unique subnet and IP (do not use the same IP as you will use for IPV4_IP or IPV4_GW in this script). + * Modify `IPV4_GW` to set the gateway interface's IP. The default is 10.0.5.1/24, but you can use whatever subnet you want as long as it's different than any Unifi subnet. + * Modify `IPV4_IP` to your preferred container IP. The default is 10.0.5.3, but you can use whatever you want as long as its on the same subnet as the gateway subnet `IPV4_GW`. + * Also modify `IPV6_GW` and `IPV6_IP` if you need IPV6 support. Leave them empty for no IPV6 support. + +2. Create or modify your `/etc/systemd/nspawn/debian-custom.nspawn` file with the following parameters. This will tell nspawn to isolate the network and create a macvlan interface in the container from our VLAN bridge. This interface will be called mv-br5. + + ```ini + [Exec] + Boot=on + + [Network] + MACVLAN=br5 + ResolvConf=off + ``` + + * Change br5 to brX where X = VLAN number you used in `10-setup-network.sh`. + +3. Configure your container to set the IP and gateway you defined in `10-setup-network.sh` by creating a network file in the folder `/etc/systemd/network` under your container's directory. Name this file `mv-brX.network` where X = VLAN number you used (e.g. `mv-br5.network`). + + ```sh + cd /data/custom/machines/debian-custom/etc/systemd/network + vim mv-br5.network + ``` + + * The following is an example configuration based on the default settings in `10-setup-network.sh`. + + ```ini + [Match] + Name=mv-br5 + + [Network] + IPForward=yes + Address=10.0.5.3/24 + Gateway=10.0.5.1 + Address=fd62:89a2:fda9:e23::3/64 + Gateway=fd62:89a2:fda9:e23::1 + ``` + + * Make sure to change `Name` to the correct VLAN. + * Change `Address` and `Gateway` accordingly if you changed the settings in `10-setup-network.sh`. + * You can remove the last 2 lines with IPv6 addresses if you don't need IPv6. + +4. Run the `10-setup-network.sh` script, start the container, open a shell on the container, and check the network. + + ```sh + chmod +x /data/on_boot.d/10-setup-network.sh + /data/on_boot.d/10-setup-network.sh + machinectl start debian-custom + machinectl shell debian-custom + ip addr show + ping -c4 1.1.1.1 + ``` + + * You should see the correct IP defined on mv-br5. If no IP has been assigned, make sure you enabled and started the systemd-networkd service and check again: `systemctl enable --now systemd-networkd` + * If you still don't see any IP on mv-br5, then double-check you're using the correct VLAN and put the configuration in the correct location. You can also check `journalctl -eu systemd-networkd` for any errors. + * If pinging 1.1.1.1 doesn't work from within the container, double-check you set the correct container IP in your 10-setup-network.sh. + +5. The script `10-setup-network.sh` in `/data/on_boot.d` needs to be started on boot. + * If you've installed the udm-boot service, it should automatically run any scripts in `/data/on_boot.d` and no further setup is needed. + * If you prefer not to use udm-boot and instead use your own systemd boot service, [here is an example systemd service](scripts/setup-network.service) to run this script at boot. Save it to `/etc/systemd/system/setup-network.service` in the host OS (not container) and then enable it with `systemctl enable setup-network`. + +### Step 3: Configure Persistence Across Firmware Updates + +When the firmware is updated, `/data` (which contains our container storage) and `/etc/systemd` (which contains our boot scripts) are preserved, but `/var` and `/usr` is deleted by the firmware update script. Any additional debian packages that are installed in the host OS like systemd-container are also deleted. This means we need to reinstall the systemd-container package and re-link our container to /var/lib/machines (for machinectl access) when the firmware is upgraded. This can be accomplished with a simple boot script that checks to see if this package is installed on boot. + +1. Download the [0-setup-system.sh](scripts/0-setup-system.sh) script into /data/on_boot.d. + + ```sh + mkdir -p /data/on_boot.d && cd /data/on_boot.d + curl -LO https://raw.githubusercontent.com/peacey/unifios-utilities/nspawn/nspawn-container/scripts/0-setup-system.sh + chmod +x /data/on_boot.d/0-setup-system.sh + ``` + +2. Download the backup dpkg package files for systemd-container and dependencies into `/data/custom/dpkg`. These packages will only be used as a backup install in case the Internet is down after the first boot after an update. + + ```sh + mkdir -p /data/custom/dpkg && cd /data/custom/dpkg + apt download systemd-container libnss-mymachines debootstrap arch-test + ``` + +3. The script `0-setup-system.sh` in `/data/on_boot.d` needs to be started on boot. + * If you've installed the udm-boot service, it should automatically run any scripts in `/data/on_boot.d` and no further setup is needed. + * If you prefer not to use udm-boot and instead use your own systemd boot service, [here is an example systemd service](scripts/setup-system.service) to run this script at boot. Save it to `/etc/systemd/system/setup-system.service` in the host OS (not container) and then enable it with `systemctl enable setup-system`. + +### Step 4: Install Custom Services + +Services can be installed in the container like any linux system. For debian containers, you can use apt or other manual methods. Follow the Debian/Linux guide for your particular software that you want to install. + +* Common examples + * [Pi-Hole](examples/pihole/README.md) + * [AdGuard Home](examples/adguardhome/README.md) + +## FAQ + +1. How do I access a folder from the host OS in the container (e.g. the /data directory)? + + * Edit your `.nspawn` config file and add the following `[Files]` section. You can specify multiple `Bind=` or `BindReadOnly=` lines to bind mount multiple directories. See [nspawn manpage](https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html#Bind=) for more details. + + ```ini + [Files] + Bind=/data:/data + ``` + +2. I am getting security errors trying to run certain privileged commands in the container. + + * Edit your `.nspawn` config file and add `Capability=all` under the `[Exec]` section to unlock all security capablitlites. You can also permit or restrict capabilities for enhanced security (see the [nspawn manpage](https://www.freedesktop.org/software/systemd/man/systemd.nspawn.html#Capability=) for more information). + +3. Some programs complain of a missing /lib/modules folder and can't access kernel modules. + + * Edit your `.nspawn` config file and add `BindReadOnly=/lib/modules` to the `[Files]` section. This will bind mount the /lib/modules folder from the host OS. You might also want to try unlocking all capabilitites or specific ones (as in the above question) if you're still having issues with permissions using certain modules. + +4. iptables doesn't work in the container after I installed it. + + * You need to use iptables-legacy and not iptables-nft because the host OS is still using the legacy iptables. If using a Debian container, you can switch to the legacy iptables with the following commands executed from within the container. Also, you won't be able to see or modify the host's iptables entries if you're using a private/macvlan network for the container. + + ```sh + update-alternatives --set iptables /usr/sbin/iptables-legacy + update-alternatives --set ip6tables /usr/bin/ip6tables-legacy + ``` + diff --git a/nspawn-container/examples/adguardhome/README.md b/nspawn-container/examples/adguardhome/README.md new file mode 100644 index 0000000..4c85b79 --- /dev/null +++ b/nspawn-container/examples/adguardhome/README.md @@ -0,0 +1,22 @@ +## How to Install AdGuard Home in Container + +This guide assumes you have already created and started an nspawn container as instructed in the [main README](../../README.md), and have configured an isolated macvlan network for your container. + +To install AdGuard Home, we simply run the automated install as instructed in the [AdGuard Home documentation](https://github.com/AdguardTeam/AdGuardHome#automated-install-unix). + +1. Spawn a shell to your container. + + ```sh + machinectl shell debian-custom + ``` + +2. Run the automated install command from the adguard documentation and follow the prompts. Refer to the pihole documentation for more details. + + ```sh + apt -y install curl + curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v + ``` + +3. Go to http://10.0.5.3:3000 to configure AdGuard Home (or whatever IP you configured for your container). +4. After configuration, you can access Ad Guard Home web gui at http://10.0.5.3. +5. Now you can set your LAN clients to use the AdGuard Home IP 10.0.5.3 as the DNS, or use dig to test DNS resolution from a client (e.g.: `dig @10.0.5.3 google.com A`). diff --git a/nspawn-container/examples/pihole/README.md b/nspawn-container/examples/pihole/README.md new file mode 100644 index 0000000..4d8eb5f --- /dev/null +++ b/nspawn-container/examples/pihole/README.md @@ -0,0 +1,48 @@ +## How to Install Pi-Hole in Container + +This guide assumes you have already created and started an nspawn container as instructed in the [main README](../../README.md), and have configured an isolated macvlan network for your container. + +To install pihole, we simply run the automated install as instructed in the [pihole documentation](https://docs.pi-hole.net/main/basic-install/) and follow the prompts. + + +1. Spawn a shell to your container. + + ```sh + machinectl shell debian-custom + ``` + +2. Run the automated install command from the pihole documentation and follow the prompts. Refer to the pihole documentation for more details. + + ```sh + apt -y install curl + curl -sSL https://install.pi-hole.net | PIHOLE_SKIP_OS_CHECK=true bash + ``` + + * You must use `PIHOLE_SKIP_OS_CHECK=true` so pihole can be installed on Debian unstable. + * After installation, the debian-custom container has a size of 611 MB after running `apt clean` to delete the package cache. + +3. When the install says a static IP is needed, press Continue. +4. Select an upstream DNS provider on the next page, or add your custom DNS provider. Note all these options can be changed later in the admin panel, so you don't need to be perfect here. +5. On the next page, choose "Yes" to include the default list or "No" to not include any block lists at install (you will have to install your own later in that case). +6. On the next page, choose "Yes" to install the Admin web interface, then "Yes" on the next page to install the default web server that pihole uses (lighthttpd). It's also possible to use nginx instead of lighthttpd, but this isn't covered in this tutorial. +7. On the next two pages, click Yes to enable Query Logging, and enable "Show everything". You can disable query logging or hide information from the log if you prefer. +8. Once the install is finished, it will tell you what your pihole IP and admin password is. +9. You can either use the current admin password the installation gave you, or run `pihole -a -p` to update the password. +10. You should now be able to access the pihole admin page at https://10.0.5.3/admin if you used the default container IP. +11. As a final step, you need to set "Permit all origins" in the Pi-Hole Admin to allow requests from more than one hop away (i.e. your LAN clients). Go to Pi-Hole Admin -> Settings -> DNS -> Permit all origins -> Save. +12. Now you can set your LAN clients to use the pihole IP 10.0.5.3 as the DNS, or use dig to test DNS resolution from a client (e.g.: `dig @10.0.5.3 google.com A`). + +## How to Update or Reconfigure Pi-Hole. + +To update pihole, simply run the following from within the container. + + ```sh + PIHOLE_SKIP_OS_CHECK=true pihole -up + ``` + +In case there is a configuration error and pihole is having trouble, you can reconfigure it from scratch by running: + + + ```sh + PIHOLE_SKIP_OS_CHECK=true pihole -r + ``` diff --git a/nspawn-container/interactive_setup.sh b/nspawn-container/interactive_setup.sh new file mode 100644 index 0000000..eba4e11 --- /dev/null +++ b/nspawn-container/interactive_setup.sh @@ -0,0 +1,281 @@ +#!/bin/bash + +################################################################### +#Script Name : interactive_setup +#Description : This script guides you through creating a custom container on UnifiOS 3.0+ using systemd-nspawn. +# It includes steps for configuring the container, ensuring persistence across firmware updates, +# and installing custom services such as pihole (Not Yet) or adguard home. +# The process involves installing systemd-container and debootstrap and using them to create +# a base debian system in /data/custom/machines directory. +#Author : Apo-mak +#Last Date Edited : 09-04-2023 +################################################################### + +set -e + +dnsfile="10-dns.sh" +container_name="debian-custom" +container_root_pasword="12345678" + +vlan_id="5" +vlan_address="10.0.5.3/24" +vlan_gateway="10.0.5.1" + +## +# Color Variables +## +green='\e[32m' +blue='\e[34m' +clear='\e[0m' + +## +# Color Functions +## + +ColorGreen(){ + echo -ne $green$1$clear +} +ColorBlue(){ + echo -ne $blue$1$clear +} + +############################################## +function set_variables(){ + read -p "Enter the container name [$container_name]: " container_name + container_name=${container_name:-"debian-custom"} + read -p "Enter the container root password [$container_root_pasword]: " container_root_pasword + container_root_pasword=${container_root_pasword:-"12345678"} +} + +function set_container_network_variables(){ + read -p "Enter the container vlan_id [$vlan_id]: " vlan_id + vlan_id=${vlan_id:-"5"} + read -p "Enter the container vlan_address [$vlan_address]: " vlan_address + vlan_address=${vlan_address:-"10.0.5.3/24"} + read -p "Enter the container vlan_gateway [$vlan_gateway]: " vlan_gateway + vlan_gateway=${vlan_gateway:-"10.0.5.1"} +} + +function echo_variables(){ + echo "#### Printing set Variables: ###" + echo "Container Name: $container_name " + echo "Container Root Password: $container_root_pasword " + + echo "Network Vlan ID: $vlan_id " + echo "Container $vlan_address " + echo "Network Getway: $vlan_gateway " + +} + +function create_custom_ontainer_simple(){ + echo "You have selected to setup a container that has access to all the host network + interfaces and full capabilities to do anything to the system" + read -p "Press enter to continue OR ctrl + c to cancel." + create_custom_ontainer ; + setup_networking_simple ; + setup_persistence ; + setup_backup_dpkg_files +} + +function create_custom_ontainer_macvlan(){ + echo "You have selected to setup a container to use an Isolated MacVLAN Network AKA Vlan." + read -p "Press enter to continue OR ctrl + c to cancel." + create_custom_ontainer ; + setup_networking_MACVLAN ; + setup_persistence ; + setup_backup_dpkg_files +} + + +function create_custom_ontainer() { + echo "" + echo " Creating a Custom Container on UnifiOS 3.x" + echo "" + +#### check if directory exists and abort + +if [ -d "/data/custom/machines/$container_name" ] +then + echo "Directory /data/custom/machines/$container_name already exists... aborting the setup ... + try manual setup or setup with new container name." + exit 1 +fi + +### Step 1. Create the Container +echo " Installing the systemd-container and debootstrap" +apt -y install systemd-container debootstrap + +### create a directory called "$container_name" with a base debian system in /data/custom/machines +echo "Creating container required directories" +mkdir -p /data/custom/machines +cd /data/custom/machines +debootstrap --include=systemd,dbus unstable "$container_name" + +### Finally, let's bring up a shell on this container +echo "Set container Root password, Network setting and enable systemd-networkd" +#systemd-nspawn -M "$container_name" -D /data/custom/machines/"$container_name" +#systemd-nspawn -M "$container_name" -D /data/custom/machines/"$container_name" echo "This Echo is from inside the new Container ..." +systemd-nspawn -M "$container_name" -D /data/custom/machines/"$container_name" /bin/bash -c "echo 'root:${container_root_pasword}' | chpasswd" + +echo "In container start network" +systemd-nspawn -M "$container_name" -D /data/custom/machines/"$container_name" /bin/bash -c systemctl enable systemd-networkd + +echo "in container set default DNS 1.1.1.1" +systemd-nspawn -M "$container_name" -D /data/custom/machines/"$container_name" /bin/bash -c echo "nameserver 1.1.1.1" > /etc/resolv.conf \ +echo ""$container_name"" > /etc/hostname + +#### we will link the container to /var/lib/machines so we can control it with machinectl +echo "Linking the container to /var/lib/machines" +mkdir -p /var/lib/machines +ln -s /data/custom/machines/"$container_name" /var/lib/machines/ + +} + +function setup_networking_simple() { + echo "" + echo " Setting up networking Simple" + echo "" +##### we will create a "$container_name".nspawn file in /etc/systemd/nspawn to configure parameters for the container +######(such as network, bind mounts, etc) +echo "configuring parameters for the container " +mkdir -p /etc/systemd/nspawn + +cat < /etc/systemd/nspawn/"$container_name".nspawn +[Exec] +Boot=on +Capability=all + +[Network] +Private=off +VirtualEthernet=off +ResolvConf=off +EOF +} + +function setup_networking_MACVLAN() { + echo "" + echo " Setting up networking MACVLAN" + echo "" +#####we will create a "$container_name".nspawn file in /etc/systemd/nspawn to configure parameters for the container +######(such as network, bind mounts, etc) +echo "configuring parameters for the container " +mkdir -p /etc/systemd/nspawn + +cat < /etc/systemd/nspawn/"$container_name".nspawn +[Exec] +Boot=on + +[Network] +MACVLAN=br$vlan_id +ResolvConf=off +EOF + +##### Configure the Container to use an Isolated MacVLAN Network +echo " Configuring the Container to use an Isolated MacVLAN Network" +cd /data/on_boot.d +if [ -f "$file" ] ; then + rm "$file" +fi +curl -LO https://raw.githubusercontent.com/peacey/unifios-utilities/nspawn/nspawn-container/scripts/10-setup-network.sh +chmod +x 10-setup-network.sh + +cat < /etc/systemd/nspawn/"$container_name".nspawn +[Exec] +Boot=on + +[Network] +MACVLAN=br$vlan_id +ResolvConf=off +EOF + +#####Configure your container to set the IP and gateway you defined in 10-setup-network.sh +cd /data/custom/machines/"$container_name"/etc/systemd/network + +cat < mv-br5.network +[Match] +Name=mv-br$vlan_id + +[Network] +IPForward=yes +Address=$vlan_address +Gateway=$vlan_gateway +EOF + +#### Run the 10-setup-network.sh script to setup the network interface +/data/on_boot.d/10-setup-network.sh +machinectl stop "$container_name" +machinectl start "$container_name" + +} + +function setup_adguard() { + echo "You have selected to setup a AdGuardHome in container $container_name" + read -p "Press enter to continue OR ctrl + c to cancel." + + echo "" + echo " Setting up adguard" + echo "" +############ install addguard ####### + +systemd-nspawn -M "$container_name" -D /data/custom/machines/"$container_name" /bin/bash -c "apt -y install curl && +curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v" + + +echo "Go to http://${vlan_address}:3000 to configure AdGuard Home (or whatever IP your container has if you had select simple install)." +read -p "Press enter to continue" + +} + +function setup_persistence() { + echo "" + echo " Configuring Persistence Across Firmware Updates" + echo "" +#### Configure Persistence Across Firmware Updates +echo "Configuring Persistence Across Firmware Updates" +cd /data/on_boot.d +curl -LO https://raw.githubusercontent.com/peacey/unifios-utilities/nspawn/nspawn-container/scripts/0-setup-system.sh +chmod +x 0-setup-system.sh + +mv 0-setup-system.sh 02-setup-system.sh +} + +function setup_backup_dpkg_files() { + echo "" + echo " Downloading the backup dpkg package files" + echo "" +#### Download the backup dpkg package files for systemd-container and dependencies into /data/custom/dpkg. +#####These packages will only be used as a backup install in case the Internet is down after the first boot after an update. +echo "Configuring backup install" +mkdir -p /data/custom/dpkg && cd /data/custom/dpkg +apt download systemd-container libnss-mymachines debootstrap arch-test + +echo " Container setup has ended .. :) " +} + +menu(){ +echo -ne " +Create a container with systemd-nspawn +Select your option from below: +$(ColorGreen '1)') Create a Custom Container Simple +$(ColorGreen '2)') Create a Custom Container Mac Vlan +$(ColorGreen '3)') Install Adguard in existing container. +$(ColorGreen '4)') Print set Variables. +$(ColorGreen '5)') Set Container Variables (name & Root Password). +$(ColorGreen '6)') Set Container Network Variables. (Vlan ID & IP address). +$(ColorGreen '0)') Exit +$(ColorBlue 'Choose an option:') " + read a + case $a in + 1) create_custom_ontainer_simple ; menu ;; + 2) create_custom_ontainer_macvlan ; menu ;; + 3) setup_adguard ; menu ;; + 4) echo_variables ; menu ;; + 5) set_variables ; menu ;; + 6) set_container_network_variables ; menu ;; + 0) exit 0 ;; + *) echo -e $red"Wrong option."$clear; WrongCommand;; + esac +} + +# Call the menu function +menu \ No newline at end of file diff --git a/nspawn-container/scripts/0-setup-system.sh b/nspawn-container/scripts/0-setup-system.sh new file mode 100644 index 0000000..18cda64 --- /dev/null +++ b/nspawn-container/scripts/0-setup-system.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# This script installs systemd-container if it's not installed. +# Also links any containers from /data/custom/machines to /var/lib/machines. + +if ! dpkg -l systemd-container | grep ii >/dev/null; then + if ! apt -y install systemd-container debootstrap; then + yes | dpkg -i /data/custom/dpkg/*.deb + fi +fi + +mkdir -p /var/lib/machines +for machine in $(ls /data/custom/machines/); do + if [ ! -e "/var/lib/machines/$machine" ]; then + ln -s "/data/custom/machines/$machine" "/var/lib/machines/" + machinectl enable $machine + machinectl start $machine + fi +done diff --git a/nspawn-container/scripts/10-setup-network.sh b/nspawn-container/scripts/10-setup-network.sh new file mode 100644 index 0000000..c3e375d --- /dev/null +++ b/nspawn-container/scripts/10-setup-network.sh @@ -0,0 +1,52 @@ +#!/bin/bash +# This script will create a macvlan bridge interface to allow communication +# between container networks and host networks. +# An interface called brX.mac will be created, where X = $VLAN configured below. +# The interface will be assigned an IP of $IPV4_GW, and $IPV6_GW configured below. +# Routes will be added for the container IP $IPV4 and $IPV6. +# Script is based on 10-dns.sh from unifios-utilities. + +## CONFIGURATION VARIABLES + +# VLAN ID network container will be on. This VLAN has to first be configured as a +# network in Unifi Network settings with a unique IP/subnet. Do not use the same +# IP in the unifi network settings as you will use below for IPV4_IP or IPV4_GW. +VLAN=5 + +# IP addresses of container. +IPV4_IP="10.0.5.3" +# Gateway IP address of macvlan interface. IP above should be in this subnet. +IPV4_GW="10.0.5.1/24" + +# IPv6 container and gateway addresses. These can be empty if not using IPv6. +# Preferably generate your own ULA instead of using the default one below. +# A public IPv6 prefix based on your ISP's prefix can be used too, but any +# prefix changes for dynamic IPv6 prefixes have to be modified manually. +IPV6_IP="fd62:89a2:fda9:e23::3" +IPV6_GW="fd62:89a2:fda9:e23::1/64" + +## END OF CONFIGURATION + +# set VLAN bridge promiscuous +ip link set "br${VLAN}" promisc on + +# create macvlan bridge and add IPv4 IP +ip link add "br${VLAN}.mac" link "br${VLAN}" type macvlan mode bridge +ip addr add "${IPV4_GW}" dev "br${VLAN}.mac" noprefixroute + +# (optional) add IPv6 IP to VLAN bridge macvlan bridge +if [ -n "${IPV6_GW}" ]; then + ip -6 addr add "${IPV6_GW}" dev "br${VLAN}.mac" noprefixroute +fi + +# set macvlan bridge promiscuous and bring it up +ip link set "br${VLAN}.mac" promisc on +ip link set "br${VLAN}.mac" up + +# add IPv4 route to container +ip route add "${IPV4_IP}/32" dev "br${VLAN}.mac" + +# (optional) add IPv6 route to container +if [ -n "${IPV6_IP}" ]; then + ip -6 route add "${IPV6_IP}/128" dev "br${VLAN}.mac" +fi diff --git a/nspawn-container/scripts/setup-network.service b/nspawn-container/scripts/setup-network.service new file mode 100644 index 0000000..45a257d --- /dev/null +++ b/nspawn-container/scripts/setup-network.service @@ -0,0 +1,13 @@ +[Unit] +Description=Setup custom container network service +Wants=network-online.target +After=network-online.target + +[Service] +Type=oneshot +ExecStart=/data/on_boot.d/10-setup-network.sh +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target + diff --git a/nspawn-container/scripts/setup-system.service b/nspawn-container/scripts/setup-system.service new file mode 100644 index 0000000..91fb0ef --- /dev/null +++ b/nspawn-container/scripts/setup-system.service @@ -0,0 +1,13 @@ +[Unit] +Description=Setup custom container service +Wants=network-online.target +After=network-online.target + +[Service] +Type=oneshot +ExecStart=/data/on_boot.d/0-setup-system.sh +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +