Can Yunohost just be run in LXD containers?

First, let me say I just discovered Yunohost. I use LXD quite a bit so now I want to understand a couple things about Yunohost.

I know the web site says:

When ran on the host, the ./ynh-dev command allows you to manage YunoHost’s dev LXCs.

and also it describes setting up the ynh-dev environment with LXD/LXC containers here:
https://github.com/YunoHost/ynh-dev

So once the functionalities of the LXD/LXC containers work, can they be used in production? If so, do the LXD/LXC containers require any changes, or would I just clone/copy the ones I want to use?

thanks

Brian

1 Like

I’m a bit confused but basically:

  • yes you can perfectly run Yunohost in Docker and we do this all the time in the context of development and also some pieces of infrastructure like the new yunohost documentation is itself in a yunohost inside a LXC
  • if your intention is to run a production server DO NOT use ynh-dev. Ynh-dev is just tooling to easily deploy a dev environment. If you want to install Yunohost inside a LXC, just create a Debian Buster LXC and follow this documentation (basically running curl|bash)
  • You indeed need some special tweaks to the LXC, namely enabling nesting (in fact probably needed for a raw Debian Buster? idk … this comes from the fact that some debian packages/services want to use some systemd sandboxing feature) AND possibly the container should be privileged (not 100% sure about this)
2 Likes

You can run yunohost in a lxc container without problem. My yunohost instance works like that without problem.
You have to install a debian lxc and then install yunohost on top of debian.

1 Like

Sounds simple enough.

Enabling nesting is just a config setting but I think perhaps creating/editing the debian container’s LXD Profile might let me enable nesting for any container created using that profile. I’ll check.

Does Yunohost use LXD’s Proxy Port command to forward from Host to the container like this for Port 80:

$ lxc config device add mycontainer myport80 proxy listen=tcp:0.0.0.0:80 connect=tcp:127.0.0.1:80
Device myport80 added to mycontainer

Well holy cow I didn’t know that shit existed?!

YunoHost doesn’t do anything like that because … well, if you install yunohost inside the container, it doesn’t have access to the host anyway

Nevertheless that command sounds super interesting and much easier to configure than an nginx reverse proxy (which is what we do in the context of the yunohost infrastructure and that’s hugely complex for many reasons)

We do that because we have just one IPv4 on the host server.

(and because we have different domains to route between different containers in fact … yeah …)

I used this for my Yunohost, and there’s an issue with this.

I’ve been getting outside spam being sent through my server, and I couldn’t figure out why. There’s no compromised accounts, nor any malformed PHP scripts. Blocking port 25 took care of the problem, but looking at postfix configuration files, I believe that Yunohost is configured to accept any emails coming from localhost/127.0.0.1 as automatically valid.

The problem being, because of how the proxy works, a quick netstat shows all connections as coming from 127.0.0.1. Observe:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:389           127.0.0.1:59096         ESTABLISHED 427/slapd
tcp        0      0 127.0.0.1:55064         127.0.0.1:389           TIME_WAIT   -
tcp        0      0 127.0.0.1:59092         127.0.0.1:389           ESTABLISHED 895/nginx: worker p
tcp        0      0 127.0.0.1:389           127.0.0.1:58064         ESTABLISHED 427/slapd
tcp        0      0 127.0.0.1:58984         127.0.0.1:389           ESTABLISHED 713/nslcd
tcp        0      0 127.0.0.1:59096         127.0.0.1:389           ESTABLISHED 895/nginx: worker p
tcp        0      0 127.0.0.1:58046         127.0.0.1:389           ESTABLISHED 713/nslcd
tcp        0      0 127.0.0.1:58064         127.0.0.1:389           ESTABLISHED 713/nslcd
tcp        0      0 127.0.0.1:389           127.0.0.1:59092         ESTABLISHED 427/slapd
tcp        0      0 127.0.0.1:389           127.0.0.1:58068         ESTABLISHED 427/slapd
tcp        0      0 127.0.0.1:389           127.0.0.1:58046         ESTABLISHED 427/slapd
tcp        0      0 127.0.0.1:51928         127.0.0.1:3306          ESTABLISHED 341/node
tcp        0      0 127.0.0.1:58068         127.0.0.1:389           ESTABLISHED 713/nslcd
tcp        0      0 127.0.0.1:53920         127.0.0.1:57300         ESTABLISHED -
tcp        0      0 127.0.0.1:389           127.0.0.1:59654         ESTABLISHED 427/slapd
tcp        0      0 127.0.0.1:57300         127.0.0.1:53920         ESTABLISHED 1159/sshd: admin [p
tcp        0      0 127.0.0.1:59654         127.0.0.1:389           ESTABLISHED 713/nslcd
tcp        0      0 127.0.0.1:389           127.0.0.1:58984         ESTABLISHED 427/slapd
tcp6       0      0 127.0.0.1:3306          127.0.0.1:51928         ESTABLISHED 460/mysqld
udp        0      0 127.0.0.1:54948         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:44202         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:54957         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:47278         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:44206         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:55492         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:42693         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:34502         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:44240         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:49368         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:60648         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:54003         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:55543         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:40705         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:51971         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:44300         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:41741         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:42805         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:41273         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:52029         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:45394         127.0.1.1:53            ESTABLISHED 895/nginx: worker p
udp        0      0 127.0.0.1:42335         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:37728         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:56164         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:52075         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:54635         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:58235         127.0.0.1:53            ESTABLISHED 895/nginx: worker p
udp        0      0 127.0.0.1:35232         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:60323         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:47556         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:40902         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:53220         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:56805         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:39415         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:37891         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:54796         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:46113         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:54315         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:51256         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:39992         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:37438         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:52326         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:56423         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:50798         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:47239         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:47751         127.0.0.1:53            ESTABLISHED 881/rspamd: normal
udp        0      0 127.0.0.1:48779         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:42128         127.0.0.1:53            ESTABLISHED 880/rspamd: control
udp        0      0 127.0.0.1:47250         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp        0      0 127.0.0.1:36504         127.0.0.1:53            ESTABLISHED 879/rspamd: rspamd_
udp6       0      0 ::1:47282               ::1:47282               ESTABLISHED 542/postgres

Apparently poorly configured load balancers have a similar problem. (It still won’t let me connect as root, though I suspect that’s simply because I never gave it a key for root login.)

So this may not be tenable for general users without some reconfiguration. If I’m reading this correctly, a quick fix would be to send the host machine’s IP instead of 127.0.0.1 to the proxy connect, so that it doesn’t think the requests are coming from localhost.

However, a more robust fix would be to also give your container a static IP, and add nat=true to the proxy device so the actual originating IP of the request is passed. But the command line for this is a bit different. Assuming an IP of 192.0.2.0 for the host and 192.0.2.1 for the container, this should work…

$ lxc config device add mycontainer myport80 proxy listen=tcp:192.0.2.0:80 connect=tcp:192.0.2.1:80 nat=true

This didn’t actually work for me, but my NAT configuration is probably slightly funky; that said, it still functions like the first option, so it’s not going to do any harm (as far as I know). NAT seems to make it run faster too, but that might just be because it’s not choked full of spam.

It’s a really simple and useful command; just make sure it doesn’t turn outside traffic into localhost traffic, or postfix will send every single email it’s asked to.

tl;dr: Don’t proxy to 127.0.0.1 or postfix will send spam constantly!

3 Likes
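The check below is an added example for the problem this last post describes; it is not code from the thread, from YunoHost or from LXD. It models the behaviour the post observed: a proxy device without nat=true re-originates each client connection towards its connect= address, so for connect=tcp:127.0.0.1:25 every SMTP client looks like 127.0.0.1 inside the container, and postfix’s mynetworks (which trusts 127.0.0.0/8) relays for it. The device dicts mirror the properties `lxc config device show` lists, but the device names, the 0.0.0.0/192.0.2.x addresses and the main.cf fragment are constructed sample values, and the "apparent source equals the connect address" rule is an assumption about how the re-originated connection is routed.

```python
"""Audit an LXD container's proxy devices for the loopback-masking problem.

Added example (not YunoHost/LXD code).  Model taken from the thread: a proxy
device without nat=true terminates the client's TCP connection on the host
and opens a fresh one towards `connect=`, so the service inside the container
sees the connect-side address as the client.  With nat=true LXD forwards the
packets instead and the client's real source address survives.
"""
import ipaddress
import re
from dataclasses import dataclass

SMTP_PORTS = {25, 465, 587}  # ports where a trusted-looking client means relaying


@dataclass
class Finding:
    device: str
    port: int
    apparent_source: str
    open_relay_risk: bool


def parse_endpoint(spec):
    """Parse an LXD proxy endpoint such as 'tcp:127.0.0.1:25' or 'tcp:[::1]:25'."""
    proto, rest = spec.split(":", 1)
    host, port = rest.rsplit(":", 1)
    return proto, host.strip("[]"), int(port)


def parse_mynetworks(main_cf):
    """Extract the networks postfix trusts from a main.cf text.

    Postfix writes IPv6 entries as [::1]/128; the brackets are stripped so
    ipaddress can parse them.  Assumption: when no mynetworks line is present
    we model only the loopback trust the thread observed.
    """
    m = re.search(r"^\s*mynetworks\s*=\s*(.+)$", main_cf, re.MULTILINE)
    if not m:
        return [ipaddress.ip_network("127.0.0.0/8")]
    nets = []
    for token in re.split(r"[,\s]+", m.group(1).strip()):
        token = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def apparent_source(device):
    """Address the in-container service sees as the client for one proxy device.

    Assumption: without nat=true the connection is re-originated towards
    connect=, and a local destination is also used as the source address.
    With nat=true the real client address is preserved, so return None.
    """
    if device.get("nat", "false").lower() == "true":
        return None
    _, host, _ = parse_endpoint(device["connect"])
    return host


def audit_proxy_devices(devices, main_cf):
    """Return one Finding per proxy device that masks the client address."""
    trusted = parse_mynetworks(main_cf)
    findings = []
    for name, dev in devices.items():
        if dev.get("type") != "proxy":
            continue
        src = apparent_source(dev)
        if src is None:
            continue  # nat=true: the service still sees the real client
        _, _, port = parse_endpoint(dev["listen"])
        try:
            ip = ipaddress.ip_address(src)
            in_mynetworks = any(ip in net for net in trusted)
        except ValueError:  # a hostname rather than an IP literal
            in_mynetworks = src == "localhost"
        findings.append(Finding(name, port, src, port in SMTP_PORTS and in_mynetworks))
    return findings


# Constructed sample: what `lxc config device show mycontainer` might list,
# expressed as a dict whose keys mirror LXD's device properties.
SAMPLE_DEVICES = {
    "myport25": {"type": "proxy", "listen": "tcp:0.0.0.0:25",
                 "connect": "tcp:127.0.0.1:25"},                   # the thread's bad case
    "myport80": {"type": "proxy", "listen": "tcp:0.0.0.0:80",
                 "connect": "tcp:127.0.0.1:80"},                   # masks clients, no relay
    "myport443": {"type": "proxy", "listen": "tcp:192.0.2.0:443",
                  "connect": "tcp:192.0.2.1:443", "nat": "true"},  # real source kept
    "eth0": {"type": "nic", "nictype": "bridged", "parent": "lxdbr0"},
}

# Constructed main.cf fragment; 127.0.0.0/8 is the trust the thread observed.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
"""


def main():
    for f in audit_proxy_devices(SAMPLE_DEVICES, SAMPLE_MAIN_CF):
        flag = "OPEN RELAY RISK" if f.open_relay_risk else "client address masked"
        print(f"{f.device}: port {f.port} clients appear as {f.apparent_source}: {flag}")


if __name__ == "__main__":
    main()
```

On a real host the dict would be filled from `lxc config device show <container>` and the main.cf read from inside the container; a port-80 proxy to 127.0.0.1 is reported too, because the masked address also defeats fail2ban-style per-client blocking and makes the nginx logs useless for attribution, even though nothing gets relayed there.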