I have been using lxc snapshots for a while now to containerize services such as pi-hole, nextcloud, and openvpn (server) for my home VPN. I find the entire strategy of creating a single base container and then using lxc-copy to snapshot it via an overlayfs mount to these 3 service containers very appealing. My sense is that security is better for web-exposed things such as nextcloud and openvpn this way because when finished, I use lxc-destroy to delete the container, so anything potentially compromised therein is gone. It also simplifies system maintenance since I only need to update the base lxc and all 3 of the snapshots are then updated as well.
So... I wrote a simple wrapper script to do this and a corresponding systemd service unit and made it more generic for others to use. Note that the nextcloud script is a bit complex so I am just currently providing configurations for pi-hole and openvpn (server).
The wrapper is "smart" in the sense that if you modify key files in the container, they are copied back to the host before the container is destroyed and then copied back when it is started back up. For example, the pihole.log, changes to the white or black lists, etc. See the manpage or github page README for instructions. Tested and running fine on Arch (x86_64) and Arch ARM (both aarch64 and armv7).
AUR package: https://aur.archlinux.org/packages/lxc-snapshots
Project home: https://github.com/graysky2/lxc-snapshots
Feedback is welcomed.
Last edited by graysky (2017-07-21 21:24:21)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
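For anyone who wants to see the snapshot-and-destroy cycle described above spelled out in plain LXC commands, here is an added example (my own sketch for this thread, not graysky's lxc-snapshots wrapper or anything from the AUR package). It assumes a base container called `base`, the overlayfs backing store, and a constructed list of pi-hole files to carry across destroy/recreate; those files are tarred out through `lxc-attach` before `lxc-destroy` and restored the same way after the next `lxc-copy`. `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the lxc-snapshots project script.
# Assumptions: base container "base", overlayfs snapshots, and the preserved
# files listed in KEEP (a constructed pi-hole style list). Saved state lives
# under STATE_DIR on the host. DRY_RUN=1 echoes commands instead of running them.
set -eu

BASE=${BASE:-base}
STATE_DIR=${STATE_DIR:-/var/lib/lxc-state}
# Paths inside the container worth keeping, relative to / so tar does not
# complain about leading slashes.
KEEP="etc/pihole/whitelist.txt etc/pihole/blacklist.txt var/log/pihole.log"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Create an overlayfs snapshot of the base, start it, and restore any state
# saved from the previous incarnation of this container.
snap_up() {
    name=$1
    run lxc-copy -n "$BASE" -N "$name" -s -B overlayfs
    run lxc-start -n "$name" -d
    run lxc-wait -n "$name" -s RUNNING
    if [ -f "$STATE_DIR/$name.tar" ]; then
        # tar runs inside the container; the archive arrives on its stdin.
        run lxc-attach -n "$name" -- tar -C / -xpf - < "$STATE_DIR/$name.tar"
    fi
}

# Copy the preserved files out while the container still runs, then stop
# and destroy it so nothing else that changed in the overlay survives.
snap_down() {
    name=$1
    mkdir -p "$STATE_DIR"
    # $KEEP is intentionally unquoted: each path becomes its own argument.
    run lxc-attach -n "$name" -- tar -C / -cpf - $KEEP > "$STATE_DIR/$name.tar"
    run lxc-stop -n "$name"
    run lxc-destroy -n "$name"
}

case "${1:-}" in
    up)   snap_up "${2:?container name required}" ;;
    down) snap_down "${2:?container name required}" ;;
    "")   ;;  # no arguments: only define the functions (e.g. when sourced)
    *)    echo "usage: $0 up|down NAME" >&2; exit 2 ;;
esac
```

Usage is `sh lxc-snap.sh up pihole` at boot and `sh lxc-snap.sh down pihole` at shutdown; the two `lxc-attach ... tar` calls are what give the base-plus-overlay scheme its "only these files persist" property, so the KEEP list is the place to be deliberate about what a compromised service could leave behind.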
Thank you for this program for openvpn. I think it's more secure in case a bad guy gets into your openvpn since the container is deleted when you stop it.