Szwendacz/ContainersWorkspace
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
20 commits 1 branch 0 tags 173 KiB
Dockerfile 58.7%
Python 21.2%
Shell 20.1%
Find a file
Maciej Lebiest 64d54c3f1a add fping to zabbix-agent
2023-08-20 17:04:19 +02:00
cloud-toolbox add python-swiftclient to cloud-toolbox 2023-08-03 14:03:10 +02:00
gui-container updates to gui-container 2023-08-13 17:09:19 +02:00
rathole version upgrades, toolbox WIP 2023-04-23 20:20:41 +02:00
snowflake version upgrades, toolbox WIP 2023-04-23 20:20:41 +02:00
system-toolbox add zabbix-agent, rename toolbox 2023-08-20 16:20:57 +02:00
tor version upgrades, toolbox WIP 2023-04-23 20:20:41 +02:00
wireguard make wireguard entrypoint do proper interruptible sleep 2023-08-06 13:22:52 +02:00
zabbix-agent add fping to zabbix-agent 2023-08-20 17:04:19 +02:00
LICENSE Initial commit 2023-03-17 20:19:29 +01:00
README.md add zabbix-agent, rename toolbox 2023-08-20 16:20:57 +02:00

README.md

Containers-Workspace

Various useful and useless Dockerfiles, often experimental and work in progress

system-toolbox

Fedora based container wih preinstalled many usefull tools for various debug and problem searching purposes run help-toolbox to show what can you do in there

Typical container run options that allows for host data access:

podman run --rm -it --privileged \
    --network host --pid host --ipc host --no-hosts --ulimit host \
    --userns host \
        --name toolbox toolbox

cloud-toolbox

Sounds huge, but it is just set of tools for cloud-based stuff, like openstack-cli, rclone, openshift cli, etc...

Also contains fzf and bash-completion. Mount your bash_history for best experience.

podman run --rm -it \
    -v "$HOME/.bash_history:/root/.bash_history" \
    --security-opt label:disable \
        cloud-toolbox:latest

gui-container

gui-container is an experiment for apps with GUI

how to run with default, permissive options:

podman run --privileged -it \
    -e XDG_RUNTIME_DIR=/runtime_dir \
    -e WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \
    -e DISPLAY="$DISPLAY" \
    -v /tmp/.X11-unix:/tmp/.X11-unix:rw \
    -v $HOME/.Xauthority:/root/.Xauthority:ro \
    -v "$XDG_RUNTIME_DIR:/runtime_dir:rw" \
    --entrypoint bash \
    --name "gui_container" \
        gui-container:latest

Minimal permissions example (for wayland). Mounting just the display server socket, there will be no sound or anything else:

podman run -it --security-opt label:disable \
    -e XDG_RUNTIME_DIR=/runtime_dir\
    -e WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \
    -v "$XDG_RUNTIME_DIR/wayland-0:/runtime_dir/wayland-0:rw" \
    --entrypoint bash --name "gui_container" \
        gui-container:latest

starting dbus:

export $(dbus-launch)

allowing podman to connect to X display as "non-network local connections"

xhost +"local:podman@"

unsetting WAYLAD_DISPLAY or DISPLAY can force apps to use the other one

unset DISPLAY
# or
unset WAYLAD_DISPLAY

to mage Qt-based apps work:

export QT_QPA_PLATFORM=wayland

rathole

Compiled from source rathole image.

snowflake

Compiled from source torproject snowflake image.

Tor relay/bridge node

# prepare
cd tor/;
podman build -t tornode .;
chmod 777 ./data ./logs;

# run (network host for easy port bind on ipv6)
podman run -d --read-only --network host \
    -v "/home/user/torrc.conf:/torrc:rw,Z" \
    -v "/home/user/tor/logs:/var/log:Z,rw" \
    -v "/home/user/tor/data:/var/lib/tor:Z,rw" \
    --name tornode tornode:latest

# prepare systemd service for reboot persistence
podman generate systemd --new --name tornode > /etc/systemd/system/tornode.service;
restorecon -v /etc/systemd/system/tornode.service;
systemctl daemon-reload;
systemctl enable --now tornode.service;

# view nyx dashboard
podman exec -it tornode nyx

Wireguard

Simple container that will setup wireguard interface according to /data/wg0.conf and then replace process with pid 1 to sleep infinity. MASQUERADE required for accessing external networks is done by nftables, so it should work with nftables kernel modules, iptables-only modules can be missing.

Before seting up the wg interface, entrypoint will execute files in /setup.d/ if any.

PostUp and PostDown in network interface config should look like this:

PostUp = nft add table inet filter; nft add chain inet filter forward { type filter hook forward priority 0 \; }; nft add rule inet filter forward iifname "%i" accept; nft add rule inet filter forward oifname "%i" accept; nft add table inet nat; nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet nat postrouting oifname "eth*" masquerade
PostDown = nft delete table inet filter

Example run (requires root and privileged for nftables setup)

podman run --privileged --name wireguard -d \
    -v './config:/data:ro' \
    -v './setup:/setup.d:ro' \
    -wireguard:latest

zabbix-agent

Very simple alpine-based zabbix-agent image providing additioanl deps required for SMART monitoring.

Setting up such contenerized agent in systemd based system:

systemctl stop zabbix-agent.service;
podman rm -f zabbix-agent;
rm -f /etc/systemd/system/zabbix-agent.service;

podman run --restart no \
  --network host --pid host --ipc host --no-hosts --ulimit host --userns host \
  --privileged \
  -v "/path/to/custom/config.conf:/etc/zabbix/zabbix_agent2.conf:ro" \
  -v "/sys:/sys:ro" \
  -v "/sys/fs/cgroup:/sys/fs/cgroup:ro" \
  -v "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw" \
  --name zabbix-agent \
  -d localhost/zabbix-agent;

podman generate systemd --new --name zabbix-agent > /etc/systemd/system/zabbix-agent.service;
restorecon -v /etc/systemd/system/zabbix-agent.service;
systemctl daemon-reload;
systemctl enable --now zabbix-agent.service;