
OpenWRT Container (ID: 100):

pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 --tag network --storage local-lvm --cores 2 --memory 128 --swap 0 --rootfs local-lvm:1,size=1G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1

Kali Linux Container (ID: 200):

pct create 200 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 --tag tools --storage local-lvm --cores 2 --memory 2048 --swap 512 --rootfs local-lvm:1,size=16G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1

Alpine Container (ID: 300):

pct create 300 /var/lib/vz/template/cache/alpine-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 --tag docker --storage local-lvm --cores 2 --memory 1024 --swap 256 --rootfs local-lvm:1,size=8G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1
pct start 100
pct stop 100
pct destroy 100

Here's the updated response with the additional information on installing packages via the CLI on OpenWrt:

Proxmox Container Creation

opkg install qemu-ga

OpenWRT Firewall Configuration

The network interface and firewall configuration remains the same as before:

Define Network Interfaces:

Update /etc/config/network to reflect eth1 as the WAN interface:

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

Update Firewall Settings:

Append rules to /etc/config/firewall to allow inbound SSH (22/tcp) and HTTPS (443/tcp) from the wan zone:

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config rule
    option name 'Allow-SSH'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

config rule
    option name 'Allow-HTTPS'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'

Installing Packages via CLI

To install packages via the CLI on OpenWrt, you can use the opkg package management tool. Here's how to go about it:

  1. Update the Package List: Before installing any new packages, it's a good practice to update the list of packages to ensure you are installing the latest versions available. You can do this by running:

opkg update

  2. Install a Package: Once the package list is updated, you can install a package by using the opkg install command followed by the package name. For example, if you want to install the QEMU Guest Agent, you would use:

opkg install qemu-ga

  3. Check Dependencies: opkg automatically handles dependencies for the packages you install. If additional packages are required to fulfill dependencies, opkg will download and install them as well.

  4. Configure Packages: Some packages may require configuration after installation. OpenWrt might save configuration files in /etc/config/, and you might need to edit these files manually or through a web interface (if you have LuCI installed).

  5. Managing Packages: Besides installing, you can also remove packages with opkg remove and list installed packages with opkg list-installed.

  6. Find Available Packages: To see if a specific package is available in the OpenWrt repository, you can search for it using:

opkg list | grep <package-name>

These steps should help you manage packages on your OpenWrt device from the command line. For more detailed information or troubleshooting, you can refer to the OpenWrt documentation or community forums.

Applying the Configuration

After updating the configuration files:

  • Restart Network Services:

    /etc/init.d/network restart
    
  • Reload Firewall Settings:

    /etc/init.d/firewall restart
    

This setup reduces the memory and storage footprint of the OpenWRT container while maintaining the necessary network and firewall configurations for SSH and HTTPS access. It also provides guidance on installing and managing packages using the opkg tool in OpenWrt.

Remember to test connectivity, functionality, and package installations thoroughly after applying these changes to ensure the reduced resource allocation meets your requirements and the necessary packages are installed correctly.


The container creation command you provided is close, but let's make a few adjustments to optimize it for a small footprint Alpine container. Here's the updated command:

pct create 200 /var/lib/vz/template/cache/alpine-3.17-default_20230502_amd64.tar.xz --unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 --storage local-lvm --memory 128 --swap 0 --rootfs local-lvm:2,size=1G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1

Changes made:

  • Updated the template file name to alpine-3.17-default_20230502_amd64.tar.xz to use a specific Alpine version. Replace this with the actual template file name you have downloaded.
  • Changed --ostype to alpine instead of unmanaged. This allows Proxmox to apply Alpine-specific configurations.
  • Reduced the memory to 128MB (--memory 128) to minimize the footprint. Adjust this value based on your requirements.
  • Removed the extra \\ characters, as they are not needed in this command.

After creating the container, you can configure the network interfaces and firewall rules similar to the OpenWRT example:

  1. Update /etc/network/interfaces to configure eth1 as the WAN interface:

auto eth1
iface eth1 inet dhcp

  2. Configure the firewall rules in /etc/iptables.rules to allow SSH and HTTPS access:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept replies to connections the container opened itself (needed for apk over eth1)
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT

  3. Apply the network configuration and firewall rules:

service networking restart
iptables-restore < /etc/iptables.rules

  4. Install and configure any additional packages you need using Alpine's package manager, apk. For example, to install the QEMU Guest Agent:

apk update
apk add qemu-guest-agent

Remember to thoroughly test the container's functionality and security after applying these configurations to ensure it meets your requirements.
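
An added example (not part of the original notes) that checks a rules file in the format above before it is loaded: it lists the TCP ports accepted on one interface, whether a conntrack rule accepts reply traffic, whether a catch-all REJECT/DROP closes the list, and how many rules sit unreachable behind it. The function name and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the INPUT rules that an iptables-restore file applies
# to one interface. Function name and sample rulesets are constructed.

# summarize_input IFACE: read iptables-restore format on stdin, print one line.
summarize_input() {
  awk -v ifc="$1" '
    $1 != "-A" || $2 != "INPUT" { next }
    {
      dev = ""; port = ""; tgt = ""; state = 0; narrowed = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-i")             dev = $(i + 1)
        else if ($i == "--dport")   { port = $(i + 1); narrowed = 1 }
        else if ($i == "--ctstate") { state = 1; narrowed = 1 }
        else if ($i == "-s" || $i == "-p") narrowed = 1
        else if ($i == "-j")        tgt = $(i + 1)
      }
      if (dev != ifc) next
      if (closed) { shadowed++; next }      # rule sits behind the catch-all
      if (tgt == "ACCEPT" && port != "") ports = ports (ports == "" ? "" : ",") port
      else if (tgt == "ACCEPT" && state) replies = 1
      else if ((tgt == "REJECT" || tgt == "DROP") && !narrowed) closed = 1
    }
    END {
      if (ports == "") ports = "none"
      r = "no"; if (replies) r = "yes"
      c = "no"; if (closed) c = "yes"
      printf "open=%s replies=%s catchall=%s shadowed=%d\n", ports, r, c, shadowed
    }
  '
}

# Constructed sample 1: SSH/HTTPS accepts and a catch-all REJECT, no state rule.
RULES_NO_STATE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample 2: state rule first, plus a rule appended after the REJECT.
RULES_STATEFUL='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

printf '%s\n' "$RULES_NO_STATE" | summarize_input eth1
printf '%s\n' "$RULES_STATEFUL" | summarize_input eth1
printf '%s\n' "$RULES_NO_STATE" | summarize_input eth0
```

A result of catchall=no means traffic on that interface falls through to the chain policy, which is ACCEPT in this file, so eth0 stays fully reachable.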


To create a right-sized Kali Linux container for typical use, you can use the following command:

pct create 300 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 --storage local-lvm --memory 1024 --swap 512 --rootfs local-lvm:2,size=8G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1

Explanation of the command:

  • pct create 300: Creates a new container with ID 300.
  • /var/lib/vz/template/cache/kali-default-rootfs.tar.xz: Specifies the path to the Kali Linux template file.
  • --unprivileged 1: Creates an unprivileged container, in which root inside the container is mapped to an unprivileged UID on the host.
  • --arch amd64: Sets the container architecture to 64-bit.
  • --ostype debian: Sets the OS type to Debian, as Kali Linux is based on Debian.
  • --hostname kali-0: Sets the container's hostname to "kali-0".
  • --storage local-lvm: Uses the local LVM storage for the container.
  • --memory 1024: Allocates 1GB of memory to the container.
  • --swap 512: Allocates 512MB of swap space to the container.
  • --rootfs local-lvm:2,size=8G: Creates an 8GB root filesystem for the container on the local LVM storage.
  • --net0 name=eth0,bridge=vmbr0,firewall=1: Configures the first network interface (eth0) to use the vmbr0 bridge and enables the firewall.
  • --net1 name=eth1,bridge=vmbr1,firewall=1: Configures the second network interface (eth1) to use the vmbr1 bridge and enables the firewall.

After creating the container, you can configure the network interfaces and firewall rules as needed. For example, you can update /etc/network/interfaces to configure eth1 as the WAN interface:

auto eth1
iface eth1 inet dhcp

You can also configure firewall rules using iptables or by modifying the /etc/pve/firewall/300.fw file to allow incoming traffic on specific ports or services.

Remember to update and upgrade the Kali Linux packages inside the container and install any additional tools you require for your typical use case.

Note: The resource allocation (memory, swap, and disk size) provided in this example is a general recommendation. You may need to adjust these values based on your specific requirements and the tasks you intend to perform with the Kali Linux container.
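
An added example (not part of the original notes) that audits a guest for the two settings these commands rely on, unprivileged: 1 and firewall=1 on every NIC, and also checks the guest firewall file. Proxmox only honours the per-NIC firewall=1 flag when the guest firewall is enabled (enable: 1 under [OPTIONS] in /etc/pve/firewall/<id>.fw). The function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Proxmox LXC guest config and its firewall file.
# Function names and sample contents are constructed, not taken from a real host.

# audit_ct_conf: read "pct config <id>" output (or /etc/pve/lxc/<id>.conf) on
# stdin and print one finding per line; no output means both settings are present.
audit_ct_conf() {
  awk '
    /^\[/ { exit }                        # snapshot sections follow the live config
    {
      p = index($0, ": ")                 # split on the first ": " only, because
      if (!p) next                        # hwaddr values contain colons
      key = substr($0, 1, p - 1); val = substr($0, p + 2)
    }
    key == "unprivileged" && val == "1" { unpriv = 1 }
    key ~ /^net[0-9]+$/ {
      fw = 0
      n = split(val, opt, ",")
      for (i = 1; i <= n; i++) if (opt[i] == "firewall=1") fw = 1
      if (!fw) print "NO-NIC-FIREWALL " key
    }
    END { if (!unpriv) print "PRIVILEGED" }
  '
}

# guest_fw_enabled: read /etc/pve/firewall/<id>.fw on stdin; succeed only if the
# [OPTIONS] section contains "enable: 1".
guest_fw_enabled() {
  awk '
    /^\[/ { sect = toupper($0) }
    sect == "[OPTIONS]" && /^enable: *1 *$/ { on = 1 }
    END { exit (on ? 0 : 1) }
  '
}

# audit_guest CONF FW: run both checks on the given file contents.
audit_guest() {
  printf '%s\n' "$1" | audit_ct_conf
  printf '%s\n' "$2" | guest_fw_enabled || echo "GUEST-FIREWALL-DISABLED"
}

# Constructed sample: an unprivileged guest whose second NIC lacks firewall=1
# and whose guest firewall is switched off.
SAMPLE_CONF='arch: amd64
hostname: kali-0
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:00:00:01,type=veth
net1: name=eth1,bridge=vmbr1,hwaddr=BC:24:11:00:00:02,type=veth
ostype: debian
unprivileged: 1'

SAMPLE_FW='[OPTIONS]
enable: 0

[RULES]
IN SSH(ACCEPT) -i net1'

audit_guest "$SAMPLE_CONF" "$SAMPLE_FW"
```

On a Proxmox host the same functions can be fed with `pct config 300 | audit_ct_conf` and `guest_fw_enabled < /etc/pve/firewall/300.fw`.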


Here are the adjusted container creation commands with scaled-down resources:

OpenWRT Container (ID: 100):

pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 --tag network --storage local-lvm --memory 128 --swap 0 --rootfs local-lvm:1,size=1G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1

Kali Linux Container (ID: 200):

pct create 200 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 --tag tools --storage local-lvm --memory 2048 --swap 512 --rootfs local-lvm:1,size=16G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1

Alpine Container (ID: 300):

pct create 300 /var/lib/vz/template/cache/alpine-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 --tag docker --storage local-lvm --memory 1024 --swap 256 --rootfs local-lvm:1,size=8G --net0 bridge=vmbr1,name=eth0,ip=dhcp,ip6=dhcp,type=veth,firewall=1
pct stop 300
pct destroy 300

Changes:

  • Reduced memory to 512MB
  • Reduced swap to 256MB
  • Reduced rootfs size to 4GB

Changes:

  • Reduced memory to 64MB
  • Reduced rootfs size to 512MB

Please note that these resource adjustments are based on general recommendations for minimal resource usage. Depending on your specific use case and the applications you plan to run inside the containers, you might need to fine-tune these values further.

Remember to monitor the performance and resource utilization of your containers after creating them with these scaled-down resources. If you encounter any issues or need more resources, you can always adjust the values accordingly using the pct set command (memory, swap, cores) or the pct resize command (root filesystem size).


Proxmox Container Lab Guide

Overview

This guide covers creating and configuring three types of LXC containers in Proxmox VE:

  • OpenWRT Container (ID: 100) - Network router/firewall
  • Kali Linux Container (ID: 200) - Security testing tools
  • Alpine Linux Container (ID: 300) - Lightweight container host

Container Creation Commands

OpenWRT Container (ID: 100)

pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz \
  --unprivileged 1 \
  --arch amd64 \
  --ostype unmanaged \
  --hostname openwrt-0 \
  --tag network \
  --storage local-lvm \
  --cores 2 \
  --memory 128 \
  --swap 0 \
  --rootfs local-lvm:1,size=1G \
  --net0 name=eth0,bridge=vmbr0,firewall=1 \
  --net1 name=eth1,bridge=vmbr1,firewall=1

Kali Linux Container (ID: 200)

pct create 200 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz \
  --unprivileged 1 \
  --arch amd64 \
  --ostype debian \
  --hostname kali-0 \
  --tag tools \
  --storage local-lvm \
  --cores 2 \
  --memory 2048 \
  --swap 512 \
  --rootfs local-lvm:1,size=16G \
  --net0 name=eth0,bridge=vmbr0,firewall=1 \
  --net1 name=eth1,bridge=vmbr1,firewall=1

Alpine Linux Container (ID: 300)

pct create 300 /var/lib/vz/template/cache/alpine-default-rootfs.tar.xz \
  --unprivileged 1 \
  --arch amd64 \
  --ostype alpine \
  --hostname alpine-0 \
  --tag docker \
  --storage local-lvm \
  --cores 2 \
  --memory 1024 \
  --swap 256 \
  --rootfs local-lvm:1,size=8G \
  --net0 name=eth0,bridge=vmbr0,firewall=1 \
  --net1 name=eth1,bridge=vmbr1,firewall=1

Container Management Commands

Basic Operations

# Start container
pct start <container_id>

# Stop container
pct stop <container_id>

# Destroy container
pct destroy <container_id>

# Enter container console
pct enter <container_id>

# Check container status
pct status <container_id>

Resource Management

# Resize container storage
pct resize <container_id> rootfs <new_size>

# Modify container configuration
pct set <container_id> --memory <new_memory> --cores <new_cores>

OpenWRT Configuration

Package Management

# Update package list
opkg update

# Install packages
opkg install qemu-ga

# List installed packages
opkg list-installed

# Search for packages
opkg list | grep <package-name>

# Remove packages
opkg remove <package-name>

Network Configuration

Edit /etc/config/network to configure WAN interface:

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

Firewall Configuration

Append to /etc/config/firewall:

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config rule
    option name 'Allow-SSH'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

config rule
    option name 'Allow-HTTPS'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'

Apply OpenWRT Configuration

# Restart network services
/etc/init.d/network restart

# Reload firewall settings
/etc/init.d/firewall restart

Alpine Linux Configuration

Package Management

# Update package index
apk update

# Install packages
apk add qemu-guest-agent

# Upgrade all packages
apk upgrade

# Search for packages
apk search <package-name>

# Remove packages
apk del <package-name>

Network Configuration

Edit /etc/network/interfaces:

auto eth1
iface eth1 inet dhcp

Firewall Configuration

Create /etc/iptables.rules:

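*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept replies to connections the container opened itself (needed for apk over eth1)
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT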

Apply firewall rules:

iptables-restore < /etc/iptables.rules

Kali Linux Configuration

Package Management

# Update package lists
apt update

# Upgrade packages
apt upgrade

# Install packages
apt install <package-name>

# Search for packages
apt search <package-name>

# Remove packages
apt remove <package-name>

Network Configuration

Edit /etc/network/interfaces:

auto eth1
iface eth1 inet dhcp

Resource Optimization

Minimal Resource Configurations

Ultra-Minimal OpenWRT

pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz \
  --unprivileged 1 \
  --arch amd64 \
  --ostype unmanaged \
  --hostname openwrt-0 \
  --tag network \
  --storage local-lvm \
  --memory 64 \
  --swap 0 \
  --rootfs local-lvm:1,size=512M \
  --net0 name=eth0,bridge=vmbr0,firewall=1 \
  --net1 name=eth1,bridge=vmbr1,firewall=1

Minimal Alpine

pct create 300 /var/lib/vz/template/cache/alpine-default-rootfs.tar.xz \
  --unprivileged 1 \
  --arch amd64 \
  --ostype alpine \
  --hostname alpine-0 \
  --tag docker \
  --storage local-lvm \
  --memory 512 \
  --swap 256 \
  --rootfs local-lvm:1,size=4G \
  --net0 bridge=vmbr1,name=eth0,ip=dhcp,ip6=dhcp,type=veth,firewall=1

Troubleshooting Tips

  1. Container won't start: Check resource allocation and ensure templates are properly downloaded
  2. Network issues: Verify bridge configuration and firewall rules
  3. Performance issues: Monitor resource usage with pct exec <id> -- top or increase allocated resources
  4. Package installation fails: Ensure network connectivity and update package lists first

Best Practices

  • Always test connectivity after configuration changes
  • Monitor resource usage to optimize allocations
  • Keep container templates updated
  • Use unprivileged containers for security
  • Tag containers for better organization
  • Document custom configurations for reproducibility

Proxmox Container Lab Project Ideas

Network Security & Penetration Testing Lab

Project: Complete Security Testing Environment

Containers Used: All three (OpenWRT + Kali + Alpine)

Setup:

  • OpenWRT (Router/Firewall): Acts as network segmentation device and target
  • Kali Linux: Primary attack platform with full toolset
  • Alpine: Hosts vulnerable applications and services for testing

What You'll Learn:

  • Network penetration testing methodologies
  • Firewall configuration and bypass techniques
  • Container security assessment
  • Network segmentation and VLAN configuration

Exercises:

  1. Configure OpenWRT with multiple VLANs for network isolation
  2. Deploy vulnerable web apps on Alpine (DVWA, WebGoat)
  3. Use Kali to perform reconnaissance and attacks
  4. Practice lateral movement between network segments

DevSecOps Pipeline Laboratory

Project: Secure CI/CD with Container Security Scanning

Containers Used: Kali + Alpine

Setup:

  • Alpine: Hosts GitLab/Jenkins, Docker registry, and deployment targets
  • Kali: Security scanning and vulnerability assessment tools

What You'll Learn:

  • Container security scanning integration
  • SAST/DAST implementation in pipelines
  • Infrastructure as Code security
  • Compliance automation

Tools to Deploy:

  • GitLab CE or Jenkins on Alpine
  • Docker-in-Docker for container builds
  • Trivy, Clair, or Anchore for container scanning
  • OWASP ZAP integration from Kali

Network Forensics & Incident Response Lab

Project: Complete DFIR Environment

Containers Used: All three

Setup:

  • OpenWRT: Network monitoring and packet capture point
  • Kali: Forensics tools and malware analysis
  • Alpine: Log aggregation (ELK stack) and evidence storage

What You'll Learn:

  • Network forensics techniques
  • Malware analysis in isolated environments
  • Log analysis and correlation
  • Incident response procedures

Components:

  • Suricata IDS on OpenWRT
  • Volatility, Autopsy on Kali
  • Elasticsearch/Logstash/Kibana on Alpine
  • TheHive for case management

Cloud Security Testing Platform

Project: Multi-Cloud Security Assessment Lab

Containers Used: Kali + Alpine

Setup:

  • Alpine: Terraform/Ansible deployment platform, cloud CLIs
  • Kali: Cloud security testing tools and scripts

What You'll Learn:

  • Cloud misconfigurations identification
  • Container orchestration security
  • Infrastructure scanning and assessment
  • Multi-cloud security management

Tools:

  • ScoutSuite, Prowler for AWS/Azure/GCP scanning
  • Kubernetes security tools (kube-bench, kube-hunter)
  • Cloud security posture management

Honeypot & Deception Technology Lab

Project: Advanced Threat Detection Network

Containers Used: All three

Setup:

  • OpenWRT: Network traffic analysis and redirection
  • Alpine: Multiple honeypot services and logging
  • Kali: Attack simulation and validation

What You'll Learn:

  • Honeypot deployment and management
  • Threat intelligence collection
  • Behavioral analysis of attackers
  • Deception technology implementation

Honeypots to Deploy:

  • Cowrie (SSH honeypot)
  • Dionaea (multi-protocol honeypot)
  • Conpot (ICS/SCADA honeypot)
  • T-Pot (all-in-one platform)

Software Defined Network (SDN) Security Lab

Project: OpenFlow Network Security Testing

Containers Used: All three

Setup:

  • OpenWRT: Modified with OpenFlow support
  • Alpine: SDN controller (OpenDaylight/ONOS)
  • Kali: SDN-specific security testing tools

What You'll Learn:

  • SDN architecture and protocols
  • OpenFlow security implications
  • Controller security assessment
  • Network programmability concepts

Container Escape & Runtime Security Lab

Project: Container Security Hardening Workshop

Containers Used: Kali + Alpine

Setup:

  • Alpine: Multiple Docker containers with various security configs
  • Kali: Container security assessment tools

What You'll Learn:

  • Container escape techniques
  • Runtime security monitoring
  • Container hardening best practices
  • Kubernetes security posture

Scenarios:

  • Privileged container escapes
  • Kernel exploit demonstrations
  • Seccomp/AppArmor bypass techniques
  • Runtime security tool evaluation

Network Automation & Orchestration Lab

Project: Infrastructure as Code Security Testing

Containers Used: All three

Setup:

  • OpenWRT: Network device automation target
  • Alpine: Ansible/Terraform control node
  • Kali: Infrastructure security validation

What You'll Learn:

  • Network automation security implications
  • Infrastructure code vulnerability scanning
  • Automated security testing integration
  • Configuration drift detection

Industrial Control Systems (ICS) Security Lab

Project: SCADA/PLC Security Assessment Environment

Containers Used: All three

Setup:

  • OpenWRT: Network segmentation for OT/IT networks
  • Alpine: SCADA HMI simulation and protocol gateways
  • Kali: ICS-specific security tools

What You'll Learn:

  • Industrial protocol security (Modbus, DNP3, etc.)
  • Air-gap bypass techniques
  • SCADA system vulnerabilities
  • Critical infrastructure protection

Tools:

  • OpenPLC for PLC simulation
  • ScadaBR for HMI interface
  • Metasploit industrial modules
  • Nmap industrial scripts

Wireless Security Research Lab

Project: Wi-Fi Security Assessment Platform

Containers Used: Kali + Alpine (OpenWRT optional)

Setup:

  • Kali: Wireless security tools and SDR capabilities
  • Alpine: Wireless monitoring and logging infrastructure
  • OpenWRT: Target wireless access point

What You'll Learn:

  • Wi-Fi protocol vulnerabilities
  • Wireless penetration testing
  • SDR-based security research
  • Rogue access point detection

Malware Analysis & Reverse Engineering Lab

Project: Dynamic and Static Malware Analysis Platform

Containers Used: Kali + Alpine

Setup:

  • Kali: REMnux tools, disassemblers, debuggers
  • Alpine: Cuckoo Sandbox, YARA rules, malware feeds

What You'll Learn:

  • Static malware analysis techniques
  • Dynamic behavior analysis
  • Automated malware processing
  • Threat intelligence generation

Implementation Priority Recommendations

Beginner Level (Start Here)

  1. Network Security Lab - Fundamental skills building
  2. Container Security Lab - Modern security concepts

Intermediate Level

  1. DevSecOps Pipeline - Industry-relevant skills
  2. Honeypot Network - Threat detection experience

Advanced Level

  1. SDN Security Lab - Cutting-edge networking
  2. ICS Security Lab - Specialized security domain

Resource Requirements by Project

| Project              | Memory | Storage | Complexity |
|----------------------|--------|---------|------------|
| Network Security Lab | 4GB    | 30GB    | Medium     |
| DevSecOps Pipeline   | 6GB    | 40GB    | Medium     |
| DFIR Lab             | 8GB    | 50GB    | High       |
| Cloud Security       | 4GB    | 25GB    | Medium     |
| Honeypot Network     | 3GB    | 20GB    | Low        |
| SDN Lab              | 6GB    | 35GB    | High       |
| Container Security   | 4GB    | 25GB    | Medium     |
| Network Automation   | 5GB    | 30GB    | Medium     |
| ICS Security         | 6GB    | 40GB    | High       |
| Wireless Security    | 4GB    | 30GB    | Medium     |
| Malware Analysis     | 8GB    | 60GB    | High       |

Getting Started Checklist

  • Choose project based on learning objectives
  • Verify resource requirements against available hardware
  • Download necessary container templates
  • Plan network topology and IP addressing
  • Document configuration for reproducibility
  • Set up monitoring and logging
  • Create backup/snapshot strategy