LXCコンテナのインストール

[root@server1 /]# mkdir -p /var/lib/libvirt/lxc/openvpn1/etc/yum.repos.d/ [root@server1 /]# cp /etc/yum.repos.d/CentOS-Base.repo /var/lib/libvirt/lxc/openvpn1/etc/yum.repos.d/ [root@server1 /]# cd /var/lib/libvirt/lxc/openvpn1/etc/yum.repos.d [root@server1 yum.repos.d]# sed -ie 's/\$releasever/7/g' CentOS-Base.repo 

 [root@server1 yum.repos.d]# yum groupinstall core --installroot=/var/lib/libvirt/lxc/openvpn1/ --nogpgcheck -y 

 [root@server1 yum.repos.d]# chroot /var/lib/libvirt/lxc/openvpn1/ /bin/bash -c "/bin/echo RootPasswordhere | /usr/bin/passwd --stdin root" Changing password for user root. passwd: all authentication tokens updated successfully. 

 [root@server1 ssh]# echo pts/0 >> /var/lib/libvirt/lxc/openvpn1/etc/securetty 

 [root@server1 ssh]# echo openvpn1.cloud.bellintegrator.com > /var/lib/libvirt/lxc/openvpn1/etc/hostname 

 [root@server1 /]# touch /var/lib/libvirt/lxc/openvpn1/etc/network [root@server1 /]# echo -e "DEVICE=eth0\nONBOOT=yes\nBOOTPROTO=static\nIPADDR=10.209.102.12\nNETMASK=255.255.255.0\nGATEWAY=10.209.102.1" >/var/lib/libvirt/lxc/openvpn1/etc/sysconfig/network-scripts/ifcfg-eth0 

  [root@server1 /]# echo -e "search cloud.bellintegrator.com\nnameserver 10.209.102.11\nnameserver 8.8.8.8" >/var/lib/libvirt/lxc/openvpn1/etc/resolv.conf 

 [root@server1 yum.repos.d]# virt-install --connect lxc:// --name openvpn1 --ram 512 --os-variant rhel7 --network bridge=br0 --filesystem /var/lib/libvirt/lxc/openvpn1/,/ Starting install... Creating domain... | 0 B 00:00 Connected to domain openvpn1 Escape character is ^] systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN) Detected virtualization lxc-libvirt. Detected architecture x86-64. Welcome to CentOS Linux 7 (Core)! Initializing machine ID from container UUID. Failed to install release agent, ignoring: No such file or directory Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway. Cannot add dependency job for unit display-manager.service, ignoring: Unit display-manager.service failed to load: No such file or directory. [ OK ] Reached target Remote File Systems. [ OK ] Reached target Encrypted Volumes. [ OK ] Reached target Swap. [ OK ] Created slice Root Slice. [ OK ] Created slice User and Session Slice. [ OK ] Listening on Journal Socket. [ OK ] Created slice System Slice. Mounting POSIX Message Queue File System... [ OK ] Reached target Slices. Mounting Huge Pages File System... Starting Configure read-only root support... Starting Load/Save Random Seed... [ OK ] Reached target Local File Systems (Pre). Starting Journal Service... Mounting FUSE Control File System... Mounting Configuration File System... Starting Rebuild Hardware Database... Mounting Debug File System... [ OK ] Created slice system-getty.slice. [ OK ] Listening on /dev/initctl Compatibility Named Pipe. [ OK ] Listening on Delayed Shutdown Socket. Starting Rebuild Dynamic Linker Cache... [ OK ] Mounted Debug File System. [ OK ] Mounted Configuration File System. [ OK ] Mounted FUSE Control File System. [ OK ] Mounted POSIX Message Queue File System. [ OK ] Mounted Huge Pages File System. [ OK ] Started Load/Save Random Seed. [ OK ] Started Configure read-only root support. [ OK ] Started Journal Service. Starting Flush Journal to Persistent Storage... [ OK ] Reached target Local File Systems. Starting Mark the need to relabel after reboot... Starting Tell Plymouth To Write Out Runtime Data... Starting Rebuild Journal Catalog... [ OK ] Started Rebuild Dynamic Linker Cache. [ OK ] Started Mark the need to relabel after reboot. [ OK ] Started Flush Journal to Persistent Storage. Starting Create Volatile Files and Directories... [ OK ] Started Rebuild Journal Catalog. [ OK ] Started Create Volatile Files and Directories. Starting Security Auditing Service... [ OK ] Started Tell Plymouth To Write Out Runtime Data. [FAILED] Failed to start Security Auditing Service. See 'systemctl status auditd.service' for details. Starting Update UTMP about System Boot/Shutdown... [ OK ] Started Update UTMP about System Boot/Shutdown. [ OK ] Started Rebuild Hardware Database. Starting Show Plymouth Boot Screen... Starting Update is Completed... [ OK ] Started Update is Completed. [ OK ] Reached target System Initialization. [ OK ] Reached target Timers. [ OK ] Listening on D-Bus System Message Bus Socket. [ OK ] Reached target Sockets. Starting Cleanup of Temporary Directories... [ OK ] Started Cleanup of Temporary Directories. [ OK ] Started Show Plymouth Boot Screen. [ OK ] Reached target Paths. [ OK ] Reached target Basic System. [ OK ] Started D-Bus System Message Bus. Starting D-Bus System Message Bus... Starting firewalld - dynamic firewall daemon... Starting System Logging Service... Starting Permit User Sessions... Starting Dump dmesg to /var/log/dmesg... Starting OpenSSH Server Key Generation... [ OK ] Started irqbalance daemon. Starting irqbalance daemon... Starting Login Service... [ OK ] Started Permit User Sessions. Starting Terminate Plymouth Boot Screen... [ OK ] Started Command Scheduler. Starting Command Scheduler... Starting Wait for Plymouth Boot Screen to Quit... [ OK ] Started System Logging Service. [ OK ] Started Dump dmesg to /var/log/dmesg. CentOS Linux 7 (Core) Kernel 3.10.0-327.18.2.el7.x86_64 on an x86_64 openvpn1 login: CTRL + ] ^]Domain creation completed. 

 [root@server1 /]# virsh -c lxc:/// console openvpn1 Connected to domain openvpn1 Escape character is ^] CentOS Linux 7 (Core) Kernel 3.10.0-327.18.2.el7.x86_64 on an x86_64 openvpn1 login: root Password: <RootPasswordhere> Last login: Wed May 18 11:40:58 on pts/0 [root@openvpn1 ~]# reboot Sending SIGTERM to remaining processes... Sending SIGKILL to remaining processes... Rebooting. [root@server1 /]# 

 [root@openvpn1 ~]# yum install ipa-client -y [root@openvpn1 ~]# ipa-client-install --mkhomedir Discovery was successful! Client hostname: openvpn1.cloud.bellintegrator.com Realm: CLOUD.BELLINTEGRATOR.COM DNS Domain: cloud.bellintegrator.com IPA Server: freeipa1.cloud.bellintegrator.com BaseDN: dc=cloud,dc=bellintegrator,dc=com Continue to configure the system with these values? [no]: yes Synchronizing time with KDC... Attempting to sync time using ntpd. Will timeout after 15 seconds Attempting to sync time using ntpd. Will timeout after 15 seconds Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. User authorized to enroll computers: admin Password for admin@CLOUD.BELLINTEGRATOR.COM: adminpassword Successfully retrieved CA cert Subject: CN=Certificate Authority,O=CLOUD.BELLINTEGRATOR.COM Issuer: CN=Certificate Authority,O=CLOUD.BELLINTEGRATOR.COM Valid From: Fri Apr 15 10:01:10 2016 UTC Valid Until: Tue Apr 15 10:01:10 2036 UTC Enrolled in IPA realm CLOUD.BELLINTEGRATOR.COM Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm CLOUD.BELLINTEGRATOR.COM trying https://freeipa1.cloud.bellintegrator.com/ipa/json Forwarding 'ping' to json server 'https://freeipa1.cloud.bellintegrator.com/ipa/json' Forwarding 'ca_is_enabled' to json server 'https://freeipa1.cloud.bellintegrator.com/ipa/json' Systemwide CA database updated. Added CA certificates to the default NSS database. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Forwarding 'host_mod' to json server 'https://freeipa1.cloud.bellintegrator.com/ipa/json' SSSD enabled Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring cloud.bellintegrator.com as NIS domain. Client configuration complete. 

 [root@openvpn1 ~]# shutdown -h now 

 [root@server1 ~]# virsh -c lxc:// edit openvpn1 

  <devices> <emulator>/usr/libexec/libvirt_lxc</emulator> <filesystem type='mount' accessmode='passthrough'> <source dir='/var/lib/libvirt/lxc/openvpn1/'/> <target dir='/'/> </filesystem> <interface type='bridge'> <mac address='00:16:3e:20:de:5a'/> <source bridge='br0'/> </interface> <console type='pty'> <target type='lxc' port='0'/> </console> <hostdev mode='capabilities' type='misc'> <source> <char>/dev/net/tun</char> 

 [root@server1 ~]# virsh -c lxc:// start openvpn1 

OpenVPNサービスの基本構成

 [root@openvpn1 ~]# yum install epel-release -y 

 [root@openvpn1 ~]# yum install openvpn easy-rsa -y 

 [root@openvpn1 ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/ 

  [root@openvpn1 ~]# cat /etc/openvpn/server.conf port 1194 proto udp #tun-mtu 1400 dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh2048.pem tls-auth ta.key 0 server 192.168.233.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.209.102.0 255.255.255.0" push "route 10.209.101.0 255.255.255.0" push "route 10.209.105.0 255.255.255.0" push "dhcp-option DNS 10.209.102.11" duplicate-cn keepalive 10 120 comp-lzo user nobody group nobody persist-key persist-tun status openvpn-status.log log /var/log/openvpn.log verb 3 mute 20 

 [root@openvpn1 ~]# echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf [root@openvpn1 ~]# sysctl -p 

 [root@openvpn1 ~]# firewall-cmd --permanent --add-service=openvpn success [root@openvpn1 ~]# firewall-cmd --add-service=openvpn Success 

証明書と必要なセキュリティファイルの生成

 [root@openvpn1 ~]# openssl dhparam -out /etc/openvpn/dh2048.pem 2048 Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ............+......................................................................................................................................................... ........................................................................................................................................................................+..................................................................................+.......................................................................................................................................................................................................................................................................................................++*++* 

 [root@openvpn1 ~]# openvpn --genkey --secret /etc/openvpn/ta.key 

 [root@openvpn1 ~]# mkdir -p /etc/openvpn/easy-rsa/keys [root@openvpn1 ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa [root@openvpn1 ~]# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf 

 [root@openvpn1 ~]# cat /etc/openvpn/easy-rsa/vars |egrep -v "^#|^$" export EASY_RSA="`pwd`" export OPENSSL="openssl" export PKCS11TOOL="pkcs11-tool" export GREP="grep" export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` export KEY_DIR="$EASY_RSA/keys" echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy" export KEY_SIZE=2048 export CA_EXPIRE=3650 export KEY_EXPIRE=3650 export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanJose" export KEY_ORG="BellIntegrator" export KEY_EMAIL="some@e.mail" export KEY_OU="CloudComputing" export KEY_NAME="server" export KEY_CN="openvpn1.cloud.bellintegrator.com" 

 [root@openvpn1 ~]# cd /etc/openvpn/easy-rsa [root@openvpn1 ~]# source ./vars [root@openvpn1 ~]# ./clean-all [root@openvpn1 ~]# ./build-ca Generating a 2048 bit RSA private key .......+++ ......+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: <ENTER> State or Province Name (full name) [CA]: <ENTER> Locality Name (eg, city) [SanJose]: <ENTER> Organization Name (eg, company) [BellIntegrator]: <ENTER> Organizational Unit Name (eg, section) [CloudComputing]: <ENTER> Common Name (eg, your name or your server's hostname) [openvpn1.cloud.bellintegrator.com]: <ENTER> Name [server]: <ENTER> Email Address [some@e.mail]: <ENTER> •     : [root@openvpn1 ~]# ./build-key-server server [root@openvpn2 easy-rsa]# ./build-key-server server Generating a 2048 bit RSA private key ............+++ .......................................+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [CA]: Locality Name (eg, city) [SanJose]: Organization Name (eg, company) [BellIntegrator]: Organizational Unit Name (eg, section) [CloudComputing]: Common Name (eg, your name or your server's hostname) [server]: Name [server]: Email Address [akropachev@bellintegrator.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'CA' localityName :PRINTABLE:'SanJose' organizationName :PRINTABLE:'BellIntegrator' organizationalUnitName:PRINTABLE:'CloudComputing' commonName :PRINTABLE:'server' name :PRINTABLE:'server' emailAddress :IA5STRING:' some@e.mail ' Certificate is to be certified until May 21 14:40:30 2026 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated 

 [root@openvpn1 ~]# cd /etc/openvpn/easy-rsa/keys [root@openvpn1 ~]# cp ca.crt server.crt server.key /etc/openvpn 

FreeIPA（ldap auth）を介した認証の構成

 [root@openvpn1 ~]# yum install wget rpm-build re2c doxygen openldap-devel check-devel gcc-objc gnustep-base-devel autoconf -y [root@openvpn1 ~]# wget http://mirror.yandex.ru/fedora/linux/releases/22/Everything/source/SRPMS/o/openvpn-auth-ldap-2.0.3-16.fc22.src.rpm [root@openvpn1 ~]# rpm -ivh openvpn-auth-ldap*.rpm [root@openvpn1 ~]# cd /root/rpmbuild/SPECS/ [root@openvpn1 SPECS]# rpmbuild -bb /root/rpmbuild/SPECS/openvpn-auth-ldap.spec 

 [root@openvpn1 ~]# rpm -ivh /root/rpmbuild/RPMS/x86_64/openvpn-auth-ldap-2.0.3-16.el7.centos.x86_64.rpm 

 [root@openvpn1 SPECS]# cat /etc/openvpn/auth/ldap.conf |egrep -v "^$|^$" <LDAP> # LDAP server URL URL ldaps://freeipa1.cloud.bellintegrator.com # Bind DN (If your LDAP server doesn't support anonymous binds) BindDN uid=system,cn=sysaccounts,cn=etc,dc=cloud,dc=bellintegrator,dc=com # Bind Password Password YourLdapPassword # Network timeout (in seconds) Timeout 15 # Enable Start TLS TLSEnable no # Follow LDAP Referrals (anonymously) FollowReferrals yes # TLS CA Certificate File TLSCACertFile /usr/local/etc/ssl/ca.pem # TLS CA Certificate Directory TLSCACertDir /etc/ssl/certs # Client Certificate and key # If TLS client authentication is required TLSCertFile /usr/local/etc/ssl/client-cert.pem TLSKeyFile /usr/local/etc/ssl/client-key.pem # Cipher Suite # The defaults are usually fine here # TLSCipherSuite ALL:!ADH:@STRENGTH </LDAP> <Authorization> # Base DN BaseDN "cn=users,cn=accounts,dc=cloud,dc=bellintegrator,dc=com" # User Search Filter #SearchFilter "(&(uid=%u)(accountStatus=active))" SearchFilter "(&(uid=%u)(memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=cloud,dc=bellintegrator,dc=com)(!(nsaccountlock=TRUE)))" # Require Group Membership RequireGroup false # Add non-group members to a PF table (disabled) #PFTable ips_vpn_users # <Group> # BaseDN "ou=Groups,dc=example,dc=com" # SearchFilter "(|(cn=developers)(cn=artists))" # MemberAttribute uniqueMember # # Add group members to a PF table (disabled) # #PFTable ips_vpn_eng # </Group> </Authorization> 

 [root@openvpn1 ~]# cat /etc/openvpn/server.conf port 1194 proto udp #tun-mtu 1400 dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh2048.pem tls-auth ta.key 0 #cipher AES-256-CBC plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so auth/ldap.conf #client-cert-not-required username-as-common-name server 192.168.233.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.209.102.0 255.255.255.0" push "route 10.209.101.0 255.255.255.0" push "route 10.209.105.0 255.255.255.0" push "dhcp-option DNS 10.209.102.11" duplicate-cn keepalive 10 120 comp-lzo user nobody group nobody persist-key persist-tun status openvpn-status.log log /var/log/openvpn.log verb 3 mute 20 

 [root@openvpn1 ~]# systemctl restart openvpn@server 

 [root@openvpn1 ~]# cd /etc/openvpn/easy-rsa [root@openvpn1 ~]# ./build-key client 

 [root@openvpn1 ~]# mkdir /root/client; cp /etc/openvpn/ta.key /etc/openvpn/easy-rsa/keys/client.key /etc/openvpn/easy-rsa/keys/client.crt /etc/openvpn/easy-rsa/keys/ca.crt /root/client/ [root@openvpn1 /]# ls /root/client/ ca.crt client.crt client.key ta.key 

 [root@openvpn1 ~]# cat /root/client/client.ovpn client dev tun proto udp remote 10.209.102.12 1194 resolv-retry infinite nobind persist-key persist-tun comp-lzo verb 3 ca ca.crt cert client.crt key client.key auth-user-pass tls-auth ta.key 1 #cipher AES-256-CBC 

 [root@client ~]# openvpn --config /root/client/client.ovpn