LXC

From UntangleWiki

LXC Container Overview

LXC (or "Linux containers") is a virtualization method that allows Linux to launch virtual machines with very minimal overhead. In Untangle this is useful in some scenarios: it lets you easily instantiate a new virtual host on the network to use for testing, and Untangle will process the LXC container's traffic just like that of any regular host on the Internal network.

Example

Let's say you are offsite and someone calls you and claims that they can not reach a website. Often one of the first tests I will do is check whether the website is reachable at all from that location. I can SSH to Untangle and run a simple wget http://example.com to verify that Untangle itself can reach the website. However, if Untangle can reach the website but the user still can't, you still have to determine where the issue is occurring.

Without a container there is no easy way to test "from behind" Untangle the way the user is doing, so often you end up walking them through how to give you remote access so you can see it for yourself. LXC lets you run tests "from behind" Untangle and see whether the sessions are going to the correct policy, being filtered appropriately, and so on.

With LXC, you can instantiate a new virtual machine on the Untangle server itself that is effectively an internal host on the network. This makes it easy to send network traffic *through* the Untangle server without having to set up remote access to a real internal host.

Usage

To start the LXC container simply run:

/usr/share/untangle-lxc-client/bin/untangle-lxc-start

The first time you run this command it will initialize the LXC disk image from scratch and will need to download some utilities from the web, so Untangle must be online. The command starts the VM and some very basic services (like SSH).

You can SSH to the VM at this point, but you likely haven't set a password, so the easier way to access it is by "attaching" to its terminal. To do this run:

/usr/share/untangle-lxc-client/bin/untangle-lxc-attach

This will give you a shell in the LXC container. Any commands run from here behave just as they would on a physical machine on the internal network, so you can test your Untangle configuration with normal commands:

ping 8.8.8.8
host example.com
wget 'http://example.com'

Once your testing is complete the LXC container can be stopped with:

/usr/share/untangle-lxc-client/bin/untangle-lxc-stop

Make sure you stop the LXC container when you are done, because it is technically a host on the internal network and by default is reachable by other internal hosts.

Details

The LXC container/VM actually has the address 192.0.2.2. Untangle is its default gateway, with the address 192.0.2.1.

All sessions from the LXC container will appear to come from 192.0.2.2.

The LXC container isn't actually on the "Internal" network; it's on its own virtual network internal to the Untangle server. However, for testing of policy and configuration, Untangle makes the LXC container's traffic appear as if it is coming from the "Internal" network. The setting "lxcInterfaceId" in the network settings determines which interface the LXC container "lives" on. The default is 0, which means the first non-WAN interface; you can set it to a specific interface ID if desired.
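The "where is it failing" question from the Example section can be answered in stages from inside the attached container shell: first the gateway at 192.0.2.1, then DNS, then the HTTP fetch. The script below is an added example and is not part of Untangle or this wiki; the stage commands (ping, host, wget) are the ones listed under Usage, the diagnosis strings are my own wording, and the script name lxc-triage.sh is assumed.

```shell
#!/bin/sh
# lxc-triage.sh: connectivity triage run from inside the Untangle LXC
# container (after untangle-lxc-attach).  Added example, not Untangle code.
# Assumes the addressing described above: the container's gateway is
# Untangle at 192.0.2.1 and its own sessions appear from 192.0.2.2.
GATEWAY="${GATEWAY:-192.0.2.1}"
TARGET="${1:-example.com}"

# Each stage prints "ok" or "fail" so the results can be combined later.
stage_gateway() { ping -c 1 -W 2 "$GATEWAY" >/dev/null 2>&1 && echo ok || echo fail; }
stage_dns()     { host "$TARGET" >/dev/null 2>&1 && echo ok || echo fail; }
stage_http()    { wget -q -O /dev/null -T 5 "http://$TARGET/" && echo ok || echo fail; }

# Map the first failing stage to where the problem most likely sits.
# Arguments: gateway-result dns-result http-result (each "ok" or "fail").
# Pure function: no network access, so it can be checked offline.
diagnose() {
  case "$1 $2 $3" in
    "fail "*)    echo "gateway unreachable: container cannot reach Untangle at $GATEWAY (check lxcInterfaceId and the interface config)" ;;
    "ok fail "*) echo "DNS failure: name resolution from the internal side is broken" ;;
    "ok ok fail") echo "HTTP blocked: name resolves but the fetch fails; check the policy and filtering applied to sessions from 192.0.2.2" ;;
    "ok ok ok")  echo "reachable from behind Untangle" ;;
    *)           echo "invalid stage results: $*" >&2; return 2 ;;
  esac
}

main() {
  g=$(stage_gateway); d=$(stage_dns); h=$(stage_http)
  printf 'gateway=%s dns=%s http=%s\n' "$g" "$d" "$h"
  diagnose "$g" "$d" "$h"
}

# Run the live checks only when invoked as a script, e.g. from the attached
# shell:  sh lxc-triage.sh example.com
case "$0" in
  *lxc-triage.sh) main ;;
esac
```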

Testing

The ATS test suite can use the LXC container just like a normal host. The LXC container is configured by default with all the tools necessary to run the test suite.

After starting the LXC container, you can point the test runner at it using the -h argument:

/usr/share/untangle/bin/ut-runtest -h 192.0.2.2

192.0.2.2 is now the default if no host is specified, so you can also just run all the tests with:

/usr/share/untangle/bin/ut-runtest