Setup of a new CAcert LXC container with Puppet agent


To do: update the LXC setup documentation. lxc-setup might not work with LXC 3.0, which has been in use on Infra02 since 2019-07-13.


Network considerations

  • Decide on a hostname for the container. The hostname should be short and correspond to the functionality provided by the container.

  • Define an IPv4 address from the subnet if the container must be reachable from the outside via IPv4. If the container only provides HTTP or HTTPS services, it does not need a dedicated external IP address, because name-based virtual hosting and SNI allow it to be reached via Proxyin.

  • Define an IPv6 address in the 2001:7b8:616:162:2::/80 subnet. There is no reason not to use IPv6 for new services.

  • Define an IPv4 address in the subnet if the container should be reachable from CAcert machines other than Infra02 or from other Non-Critical Systems.

  • Define an IPv4 address in the subnet. Containers that are only used by other containers do not need any IP address other than this one.


Please use the same last octet for all IP addresses of a container if possible.

Storage considerations

  • Define the size of the LVM volume for the root filesystem. Be conservative, volume size can be increased on demand.

OS considerations

  • Define the OS userland version for the container. Use the latest Debian stable release if there are no good reasons not to.


# <container> is the hostname chosen above, <host> is the LVM volume group of the LXC host
sudo env http_proxy=http://proxyout:3128 https_proxy=http://proxyout:3128 \
  lxc-create --name=<container> --template=debian \
  --bdev=lvm --vgname=<host> --thinpool=containerpool \
  --lvname=container_<container> --fssize=15G \
  --logfile=/root/lxccreate_<container>.log --logpriority=INFO \
  -- \
  --release=bullseye

sudo lxc-exec <container> apt autoremove --purge isc-dhcp-client
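As an added example (not part of CAcert's own tooling), the following POSIX shell script checks a container plan against the network considerations above before anything is created. It assumes the IPv6 container subnet 2001:7b8:616:162:2::/80 named on this page; the IPv4 subnets are not given on the page, so for IPv4 only the "same last octet" rule is checked, and the 15-character hostname limit is this example's own choice. All sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of CAcert's tooling: check a container plan against
# the network considerations above before running lxc-create.
# Assumption: the container IPv6 subnet is the 2001:7b8:616:162:2::/80 named
# on the page; the IPv4 subnets are not on the page, so only the "same last
# octet" rule is checked for IPv4. The hostname length limit is an assumption.

IPV6_PREFIX="2001:7b8:616:162:2:"   # first 80 bits of the container subnet

# valid_hostname NAME -> 0 if NAME is a short, lowercase, DNS-safe label
valid_hostname() {
    case "$1" in
        ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 15 ]   # "short" is not defined on the page; 15 is assumed
}

# last_octet A.B.C.D -> prints D, or nothing if the address is malformed
last_octet() {
    printf '%s\n' "$1" |
        awk -F. 'NF == 4 && $4 ~ /^[0-9]+$/ && $4 < 256 { print $4 }'
}

# same_last_octet ADDR... -> 0 if all IPv4 addresses share one last octet
same_last_octet() {
    first=""
    for a in "$@"; do
        o=$(last_octet "$a")
        [ -n "$o" ] || return 1
        if [ -z "$first" ]; then first=$o; fi
        [ "$o" = "$first" ] || return 1
    done
    return 0
}

# in_ipv6_subnet ADDR -> 0 if ADDR lies in the container /80; ADDR must be
# written without zero padding, as in the page's own notation
in_ipv6_subnet() {
    case "$1" in
        "$IPV6_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_plan NAME IPV6 IPV4... -> 0 if the plan meets every rule above
check_plan() {
    name=$1; v6=$2; shift 2
    valid_hostname "$name"  || { echo "hostname '$name' is not a short DNS label" >&2; return 1; }
    in_ipv6_subnet "$v6"    || { echo "$v6 is outside $IPV6_PREFIX:/80" >&2; return 1; }
    [ $# -ge 1 ]            || { echo "every container needs at least the inter-container IPv4 address" >&2; return 1; }
    same_last_octet "$@"    || { echo "IPv4 addresses do not share a last octet" >&2; return 1; }
    return 0
}

# Constructed example plan: one external and one inter-container IPv4 address.
check_plan wiki 2001:7b8:616:162:2::42 192.0.2.42 10.0.0.42 && echo "plan for wiki is consistent"
```

Run it once with the intended hostname and addresses before the lxc-create call; a failing rule is reported on stderr and the function returns 1, so it can also be used as a guard in a wrapper script.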

Setup puppet-agent

  • define the Puppet configuration for the new container in Hiera / sitemodules in the CAcert Git repository cacert-puppet

  • see Puppet agent installation for agent setup (install the agent from official Puppet repositories)

  • make sure that DNS resolution is performed by Infra02. The /etc/resolv.conf should contain the following lines:

  • set the certname in /etc/puppetlabs/puppet/puppet.conf to match the name of the file in hieradata/nodes/ for the system:

    certname = <system>
  • run:

    root@system:  puppet agent --test --noop

    to create a new certificate for the system and send a signing request to the puppet master

  • sign the system certificate on the puppet master using:

    root@puppet:  puppet cert sign <system>
  • run:

    root@system:  puppet agent --test --noop

    on the system to see whether the catalog for the machine compiles and what it would change

  • apply the catalog with:

    root@system:  puppet agent --test
  • start the puppet agent using:

    root@system:  /etc/init.d/puppet start
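The agent steps above, scripted as an added example (not CAcert's own tooling): set_certname edits puppet.conf in place, and the puppet runs go through run_cmd, which only prints the command when DRY_RUN is set, so the logic can be exercised on a machine without a puppet master. It assumes the configuration path and commands given on this page and the documented exit codes of `puppet agent --test` (0 = no changes, 2 = changes, 4 or 6 = failures); the sample puppet.conf contents are constructed.

```shell
#!/bin/sh
# Added example, not part of CAcert's tooling: script the agent bootstrap from
# the list above. Assumptions: config path and commands as on the page;
# exit-code semantics from Puppet's agent documentation.

PUPPET_CONF=${PUPPET_CONF:-/etc/puppetlabs/puppet/puppet.conf}

# set_certname FILE NAME: replace an existing "certname = ..." line wherever
# it is; otherwise add one directly under [main], creating the section if the
# file has none (Puppet reads certname from [main] or [agent]).
set_certname() {
    file=$1; name=$2
    tmp=$(mktemp) || return 1
    awk -v name="$name" '
        /^[ \t]*certname[ \t]*=/ { if (!done) { print "certname = " name; done = 1 }; next }
        /^[ \t]*\[main\][ \t]*$/ { print; if (!done) { print "certname = " name; done = 1 }; next }
        { print }
        END { if (!done) { print "[main]"; print "certname = " name } }
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# run_cmd CMD...: execute, or only print the command when DRY_RUN is set
run_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'would run: %s\n' "$*"
        return 0
    fi
    "$@"
}

# puppet_ok STATUS -> 0 if a "puppet agent --test" run succeeded: --test
# implies --detailed-exitcodes, where 0 = no changes and 2 = changes (applied,
# or pending with --noop); 4 and 6 signal failures.
puppet_ok() {
    [ "$1" -eq 0 ] || [ "$1" -eq 2 ]
}

# request_cert NAME: set the certname and do the first noop run. That run
# cannot succeed before the master has signed the certificate, so its status
# is ignored; signing is a manual step on the master.
request_cert() {
    set_certname "$PUPPET_CONF" "$1" || return 1
    run_cmd puppet agent --test --noop || true
    echo "now sign on the master: puppet cert sign $1" >&2
}

# apply_after_signing: the remaining steps, refusing to apply a catalog that
# did not compile cleanly in the noop run.
apply_after_signing() {
    st=0; run_cmd puppet agent --test --noop || st=$?
    puppet_ok "$st" || { echo "noop run failed (exit $st); not applying" >&2; return 1; }
    st=0; run_cmd puppet agent --test || st=$?
    puppet_ok "$st" || { echo "apply failed (exit $st)" >&2; return 1; }
    run_cmd /etc/init.d/puppet start
}
```

Usage on the new container: `request_cert <system>`, sign on the puppet master, then `apply_after_signing`. Setting `DRY_RUN=1` first shows the exact commands without running them.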

Post-Setup task