[SOLVED] Q: How best to work with cloud-init and lxc ?

norbertk

Renowned Member
Jan 20, 2014
Hello all,
I have some hosts running on a local Proxmox server and on the Hetzner cloud. On Proxmox I work with lxc containers.

I try to script the setup of these machines as much as possible and strive to define them completely with 'source code'.

In this context I learned about 'cloud-init', which opens a lot of possibilities. Hetzner cloud offers the option to submit cloud-init user-data during creation of a machine, and I read in the cloud-init tutorial that lxc offers this possibility too.

The forum entries here and the sources I found on the net describe the combination of Proxmox and cloud-init with virtual machines and not containers.

Is there something special to know if I want to work with lxc?

Any pointers and ideas welcome and many thanks for reading

Norbert
 
You can use mini cloud images (available for both Ubuntu and Rocky) as VM templates in Proxmox and spin them up whenever you like. The best thing is that whenever you spin up a new VM from one, it will be updated to the latest version.
 
So we don't talk about lxc here, but QEMU VMs?
 
In a way I gave up, but I found a solution I like:

In one single step I get a strong base to work with ansible in a new container.


On the proxmox node I place 2 generic scripts:

Bash:
#!/bin/bash
# Push the provisioning script into container <vmid> ($1) and run it there
SCRIPT=_provision_script.sh
pct push "$1" /usr/local/bin/$SCRIPT /usr/local/bin/$SCRIPT --perms 700
pct exec "$1" -- /usr/local/bin/$SCRIPT

_provision_script.sh itself looks like this:

Bash:
#!/bin/bash
#managed by ansible
set -e
# Marker file: the container is provisioned only once
FILENAME=/var/local/proxmox_provisioned
if [ -f "$FILENAME" ] ; then
        echo "bereits initialisiert, Datei $FILENAME existiert"
        exit 1
else
        # sshd drop-in: per-user key files under /etc/ssh, no root login
        cat << EOF  >  /etc/ssh/sshd_config.d/99-initial.conf
        AuthorizedKeysFile /etc/ssh/authorized_keys/%u
        PermitRootLogin no
        ListenAddress 0.0.0.0:<portno>
        ListenAddress [::]:<portno>
EOF
        # apt update, upgrade, install sudo

        apt update
        apt upgrade -y
        apt install -y sudo

        # user ansible

        adduser --system --home /home/ansible --ingroup staff --shell /bin/bash ansible

        # ... ssh
        # (as posted, the heredoc below has no closing EOF; see the follow-up reply)

        mkdir -p  /etc/ssh/authorized_keys
        cat <<EOF > /etc/ssh/authorized_keys/ansible
        ssh-ed25519 xxxxxxxxxx
        chown ansible:staff /etc/ssh/authorized_keys/ansible

        # ... sudo

        cat <<EOF > /etc/sudoers.d/ansible
        ansible ALL=(ALL:ALL) NOPASSWD:ALL
EOF
        chmod 0440 /etc/sudoers.d/ansible

        # restart sshd

        systemctl restart sshd.service
        systemctl status  sshd.service
        echo "Done $(date)" > "$FILENAME"
fi

I create a new node and call
Bash:
./provision_lxc.sh <vmid>

If I have no access to the node (like for example at Hetzner) I can start the `_provision_script.sh` as root and get the same result. The whole thing is aimed at Debian.
 
Thank you for this example. I was thinking about using this, but as I was looking at each step trying to understand what the script does, I think I discovered a typo. Shouldn't there be another EOF after the line "ssh-ed25519 xxxxxxxxxx"?

Without this I think all of the text until the next EOF will be added to /etc/ssh/authorized_keys/ansible and the command "chown ansible:staff /etc/ssh/authorized_keys/ansible" would not be run and nothing would be added to "/etc/sudoers.d/ansible".
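
The heredoc behaviour described in the reply above, reproduced in a scratch directory. This is an added example, not code from the thread: the directory layout and key string are constructed, and `chmod` stands in for the post's `chown` so it runs without the ansible user.

```shell
#!/bin/bash
# Added example: file names mirror the post; the scratch directory layout and
# the key string are constructed, and chmod stands in for the post's chown.

# As posted: the first heredoc has no closing EOF, so it runs to the next one.
write_unterminated() {
    local root="$1"
    mkdir -p "$root/authorized_keys" "$root/sudoers.d"
    cat <<EOF > "$root/authorized_keys/ansible"
ssh-ed25519 CONSTRUCTED-PLACEHOLDER-KEY ansible
chmod 0644 "$root/authorized_keys/ansible"
cat <<EOF > "$root/sudoers.d/ansible"
ansible ALL=(ALL:ALL) NOPASSWD:ALL
EOF
}

# Corrected: each heredoc is closed; quoting 'EOF' also disables expansion.
write_terminated() {
    local root="$1"
    mkdir -p "$root/authorized_keys" "$root/sudoers.d"
    cat <<'EOF' > "$root/authorized_keys/ansible"
ssh-ed25519 CONSTRUCTED-PLACEHOLDER-KEY ansible
EOF
    chmod 0644 "$root/authorized_keys/ansible"
    cat <<'EOF' > "$root/sudoers.d/ansible"
ansible ALL=(ALL:ALL) NOPASSWD:ALL
EOF
    chmod 0440 "$root/sudoers.d/ansible"
}

# Summarise what landed on disk: key-file line count, stray sudo rule, drop-in.
summarize() {
    local root="$1" lines leaked=no sudoers=absent
    lines=$(wc -l < "$root/authorized_keys/ansible" | tr -d ' ')
    if grep -q NOPASSWD "$root/authorized_keys/ansible"; then leaked=yes; fi
    if [ -f "$root/sudoers.d/ansible" ]; then sudoers=present; fi
    echo "key_lines=$lines sudo_rule_in_keyfile=$leaked sudoers=$sudoers"
}

tmp=$(mktemp -d)
write_unterminated "$tmp/as_posted"; summarize "$tmp/as_posted"
write_terminated "$tmp/corrected";   summarize "$tmp/corrected"
rm -rf "$tmp"
```

In the as-posted variant the script still exits successfully under `set -e`, so the missing sudoers drop-in only shows up when the ansible user later tries to use sudo.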