Details

Reviewers

dereckson

Maniphest Tasks

T466: Create a systemd unit to start lxc mailserver container

Commits

rOPS4906917c70f9: Create a systemd unit and scripts in order to automatize a lxc mailserver…

Summary

The mail server is isolated into a lxc container. We want this mail server to be operational at startup

This requires two tasks:

start the container mailserver through lxc-start
add to iptables rules for NAT forwarding

We also provide a stop script to clean iptables.

Resolves T466.

Test Plan

To evaluate the container status, we used 3 ways:

try a telnet connection from an external server to see if the SMTP server (see below)
lxc-top
iptables -L | grep 10.0.3.8 (the IP of the mailserver container)

It has also been tested in Dwellers through systemd and works.

$ telnet -4 dwellers.nasqueron.org 25

Trying 212.129.32.223...
Connected to dwellers.nasqueron.org.
Escape character is '^]'.
220 mail.nasqueron.org ESMTP Postfix (Debian/GNU)

Diff Detail

Repository

rOPS Nasqueron Operations

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

Sandlayth updated this revision to Diff 234.Dec 9 2015, 18:56

Sandlayth retitled this revision from to [WIP] Create a systemd unit and scripts in order to automatize a lxc mailserver container launch.

Sandlayth updated this object.

Sandlayth edited the test plan for this revision. (Show Details)

Sandlayth added a reviewer: dereckson.

Sandlayth added a task: T466: Create a systemd unit to start lxc mailserver container.

Sandlayth added subscribers: dereckson, Sandlayth.

Sandlayth edited the test plan for this revision. (Show Details)Dec 9 2015, 18:57

Sandlayth added projects: Operations sprint 0, Servers, Mail.Dec 9 2015, 18:59

Comments in lxc_start apply also for lxc_stop.

roles/mailserver/systemd-unit/files/lxc-containers.service
2 ↗	(On Diff #234)	The description of a systemd unit is the service provided, not an action. For example this description currently leads to the following journal entries: Dec 09 12:55:13 dwellers.nasqueron.org systemd[1]: Stopped Launch lxc mailserver container. Dec 09 12:56:16 dwellers.nasqueron.org systemd[1]: Starting Launch lxc mailserver container...
7 ↗	(On Diff #234)	Here we should be coherent with other existing stuff. In a previous systemd task, we wrote a `docker-container-status` script. I would suggest here lxc-container-mailserver-start and lxc-container-mailserver stop
roles/mailserver/systemd-unit/files/lxc_start
1 ↗	(On Diff #234)	Use sh anytime bash is not required.
8 ↗	(On Diff #234)	Container name should be a variable. $CONTAINER_NAME for example.
10 ↗	(On Diff #234)	Both Dwellers and mailserver container IPs should be variables, ens192 too. `$IPTABLES -t nat -I PREROUTING -i $HOST_INTERFACE -p TCP -d $HOST_IP/32 --dport 25 -j DNAT --to-destination $CONTAINER_IP:25`
11 ↗	(On Diff #234)	This one is tricky, so let's keep as it (but store the 21080 in a $WEB_PORT variable). For the others rules, we can use a for loop. See http://www.tutorialspoint.com/unix/unix-loop-control.htm for implementation example.

Good work, the systemd unit works well.

Commit message

Commit first line should be shorter. Then, use paragraphs, not a sentence starting by a lowercase.

Code review

See inline comments.

This revision now requires changes to proceed.Dec 9 2015, 21:52

dereckson mentioned this in D20: Systemd unit to start and stop Docker containers.Dec 9 2015, 21:57

Create a systemd unit and scripts in order to automatize a lxc mailserver container launch

dereckson retitled this revision from [WIP] Create a systemd unit and scripts in order to automatize a lxc mailserver container launch to Create a systemd unit and scripts in order to automatize a lxc mailserver container launch.Dec 16 2015, 10:36

dereckson updated this object.

dereckson edited the test plan for this revision. (Show Details)

dereckson edited edge metadata.

Nickel.

Some last details.

roles/mailserver/systemd-unit/files/lxc-container-mailserver-stop
14	As we have absolutely everything else configurable, we could add docker0 and 21080 here too.
16	This is not a web port. They match SMTP, IMAP or POP mail servers.
26	Same here, just PORT would be fine.
roles/mailserver/systemd-unit/files/lxc-container-mailserver.service
3	extraneous space This is THE string to bring some love to in systemd, as it's the string used in the journal. First, the description starts with an uppercase according https://coreos.com/docs/launching-containers/launching/getting-started-with-systemd/ and http://www.freedesktop.org/software/systemd/man/systemd.service.html. Then, I wonder if we shouldn't hide low-level implementation details. If so: `Description=Mail server` If a more low-level is deemed more valuable: `Description=LXC mail server container`

This revision now requires changes to proceed.Dec 16 2015, 10:45

Create a systemd unit and scripts in order to automatize a lxc mailserver container launch

Add variables for docker network interface, and nginx port.

Replacing WEB_PORT variables by PORT ; indeed it store also mail ports

Create a systemd unit and scripts in order to automatize a lxc mailserver container launch

Create a systemd unit and scripts in order to automatize a lxc mailserver container launch

Fix extra space.

Sandlayth mentioned this in T466: Create a systemd unit to start lxc mailserver container.Dec 16 2015, 11:13

Read again the comment about the systemd description, it should not start by lowercase.

This revision now requires changes to proceed.Dec 16 2015, 12:03

Create a systemd unit and scripts in order to automatize a lxc mailserver container launch

Adding capital letter

Okay, that runs the following commands:

Start script

/usr/bin/lxc-start -n mailserver -d
/usr/sbin/iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 25 -j DNAT --to-destination 10.0.3.8:25
/usr/sbin/iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 110 -j DNAT --to-destination 10.0.3.8:110
/usr/sbin/iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 143 -j DNAT --to-destination 10.0.3.8:143
/usr/sbin/iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 465 -j DNAT --to-destination 10.0.3.8:465
/usr/sbin/iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 587 -j DNAT --to-destination 10.0.3.8:587
/usr/sbin/iptables -t nat -I PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 21080 -j DNAT --to-destination 10.0.3.8:80
/usr/sbin/iptables -t nat -I PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 25 -j DNAT --to-destination 10.0.3.8:25
/usr/sbin/iptables -t nat -I PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 143 -j DNAT --to-destination 10.0.3.8:143
/usr/sbin/iptables -t nat -I PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 465 -j DNAT --to-destination 10.0.3.8:465
/usr/sbin/iptables -t nat -I PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 587 -j DNAT --to-destination 10.0.3.8:587

Stop script

/usr/sbin/iptables -t nat -D PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 25 -j DNAT --to-destination 10.0.3.8:25
/usr/sbin/iptables -t nat -D PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 110 -j DNAT --to-destination 10.0.3.8:110
/usr/sbin/iptables -t nat -D PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 143 -j DNAT --to-destination 10.0.3.8:143
/usr/sbin/iptables -t nat -D PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 465 -j DNAT --to-destination 10.0.3.8:465
/usr/sbin/iptables -t nat -D PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 587 -j DNAT --to-destination 10.0.3.8:587
/usr/sbin/iptables -t nat -D PREROUTING -i ens192 -p TCP -d 212.129.32.223/32 --dport 21080 -j DNAT --to-destination 10.0.3.8:80
/usr/sbin/iptables -t nat -D PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 25 -j DNAT --to-destination 10.0.3.8:25
/usr/sbin/iptables -t nat -D PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 143 -j DNAT --to-destination 10.0.3.8:143
/usr/sbin/iptables -t nat -D PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 465 -j DNAT --to-destination 10.0.3.8:465
/usr/sbin/iptables -t nat -D PREROUTING -i docker0 -p TCP -d 212.129.32.223/32 --dport 587 -j DNAT --to-destination 10.0.3.8:587
/usr/bin/lxc-stop -n mailserver

Looks good to me.

This revision is now accepted and ready to land.Dec 16 2015, 13:49

Closed by commit rOPS4906917c70f9: Create a systemd unit and scripts in order to automatize a lxc mailserver… (authored by Sandlayth, committed by dereckson). · Explain WhyDec 16 2015, 13:52

This revision was automatically updated to reflect the committed changes.

Create a systemd unit and scripts in order to automatize a lxc mailserver container launch
ClosedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 247

roles/mailserver/systemd-unit/files/lxc-container-mailserver-start

roles/mailserver/systemd-unit/files/lxc-container-mailserver-stop

roles/mailserver/systemd-unit/files/lxc-container-mailserver.service

Create a systemd unit and scripts in order to automatize a lxc mailserver container launchClosedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 247

roles/mailserver/systemd-unit/files/lxc-container-mailserver-start

roles/mailserver/systemd-unit/files/lxc-container-mailserver-stop

roles/mailserver/systemd-unit/files/lxc-container-mailserver.service

Create a systemd unit and scripts in order to automatize a lxc mailserver container launch
ClosedPublic
Actions

Revision Contents
Changeset List