odpalneie dnsmasq na fab.pl:1122 i sprawdzenie w termshark

doc/main.md

@@ -0,0 +1,273 @@
+---
+title: Basic Configuration of dnsmasq in an Incus Container on Debian
+  with Netplan
+---
+
+# Introduction
+
+This guide provides step-by-step instructions for setting up `dnsmasq`
+as a DNS and DHCP server in an Incus container running Debian. The
+network configuration is managed using Netplan to ensure proper network
+integration.
+
+# Prerequisites
+
+Before proceeding, ensure the following:
+
+\- Incus is installed on the host system (`sudo apt install incus`).
+
+\- A Debian-based container is created in Incus.
+
+\- Basic knowledge of Linux networking and container management.
+
+\- Root or sudo access to the host and container.
+
+# Step-by-Step Configuration
+
+## Creating and Setting Up the Incus Container
+
+Create a Debian container named `deb1` using the following commands on
+the host:
+
+``` {.bash language="bash"}
+incus create images:debian/12 deb1
+incus config set deb1 security.syscalls.intercept.mount true
+incus config set deb1 security.nesting true
+incus config set deb1 security.privileged true
+incus start deb1
+```
+
+The `security.syscalls.intercept.mount`, `security.nesting`, and
+`security.privileged` settings are required for `dnsmasq` and Docker to
+function correctly in the container.
+
+## Firewall Configuration
+
+To allow traffic forwarding between the `incusbr0` bridge and the `wlo1`
+wireless interface, the following iptables rules are applied:
+
+    sudo iptables -A FORWARD -i incusbr0 -o wlo1 -j ACCEPT
+    sudo iptables -A FORWARD -i wlo1 -o incusbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+## Installing Additional Packages
+
+Install the necessary packages inside the container:
+
+``` {.bash language="bash"}
+incus exec deb1 -- apt update
+incus exec deb1 -- apt install -y \
+    netplan.io \
+    sudo vim nano git tmux mc zip unzip curl wget htop lynx \
+    iproute2 termshark bridge-utils \
+    python3 python3-ipython python3-pyroute2 python3-scapy \
+    docker.io docker-compose
+```
+
+## Configuring Users and Permissions
+
+Configure user access and permissions within the container.
+
+### Changing the Root Password
+
+Set the root password to \"passroot\":
+
+``` {.bash language="bash"}
+incus exec deb1 -- bash -c 'echo "root:passroot" | chpasswd'
+```
+
+### Adding a New User
+
+Add a new user named \"user\" with the password \"pass\" and add them to
+the \"sudo\" and \"docker\" groups:
+
+``` {.bash language="bash"}
+sudo useradd -m -s /bin/bash -G sudo user && echo 'user:pass' | sudo chpasswd
+```
+
+## Accessing the Container
+
+Access the container's shell:
+
+``` {.bash language="bash"}
+incus exec deb1 -- su - user 
+```
+
+# Setting Up a Veth Pair Between Container and Network Namespace
+
+To enable direct communication between a container and a network
+namespace, a virtual Ethernet (`veth`) pair is created. The following
+Python script (`link.py`) is used to create a `veth` pair between the
+`deb1` (an Incus container) and the `ns1` network namespace, with
+interfaces named `vA` and `vB`.
+
+    sudo python3 link.py -n1 vA -t2 incus -ns2 deb1 -n2 vB
+
+This command:
+
+\- Creates a `veth` pair with one end (`vA`) in the default namespace
+and the other end (`vB`) in the `deb1`'s network namespace.
+
+\- Ensures the interfaces are set up and operational, allowing network
+traffic to flow between the container and the `ns1` namespace (or
+default namespace if `ns1` is not explicitly created).
+
+The script uses the `pyroute2` library to manage network interfaces and
+namespaces, and supports container types such as Incus, LXC, LXD, and
+Docker. Ensure the `deb1` is running in Incus before executing the
+command.
+
+## Configuring the Network with Netplan
+
+Configure the container's network using Netplan to assign a static IP
+address. Create or edit the Netplan configuration file at
+`/etc/netplan/01-netcfg.yaml`:
+
+``` {.bash language="bash"}
+incus exec deb1 -- nano /etc/netplan/01-netcfg.yaml
+```
+
+Add the following configuration:
+
+``` {.yaml language="yaml"}
+network:
+  version: 2
+  ethernets:
+    vB:
+      dhcp4: no
+      addresses:
+        - 192.168.1.10/24
+      routes:
+        - to: default
+          via: 192.168.1.1
+      nameservers:
+        addresses: [8.8.8.8, 8.8.4.4]
+```
+
+Apply the configuration:
+
+``` {.bash language="bash"}
+incus exec deb1 -- netplan apply
+```
+
+## Installing dnsmasq
+
+Update the package list and install `dnsmasq`:
+
+``` {.bash language="bash"}
+incus exec deb1 -- apt update
+incus exec deb1 -- apt install dnsmasq -y
+```
+
+## Configuring dnsmasq
+
+Edit the `dnsmasq` configuration file at `/etc/dnsmasq.conf`:
+
+``` {.bash language="bash"}
+incus exec deb1 -- nano /etc/dnsmasq.conf
+```
+
+Add or modify the following settings to enable DNS and DHCP:
+
+    # DNS settings
+    domain-needed
+    bogus-priv
+    no-resolv
+    server=8.8.8.8
+    server=8.8.4.4
+    local=/example.local/
+    domain=example.local
+
+    # DHCP settings
+    dhcp-range=192.168.1.100,192.168.1.200,12h
+    dhcp-option=3,192.168.1.1
+    dhcp-option=6,8.8.8.8,8.8.4.4
+
+**Explanation:**
+
+\- `domain-needed`: Prevents incomplete domain names from being sent to
+upstream DNS.
+
+\- `bogus-priv`: Blocks reverse DNS lookups for private IP ranges.
+
+\- `no-resolv`: Disables reading `/etc/resolv.conf`.
+
+\- `server`: Specifies upstream DNS servers (Google DNS in this case).
+
+\- `local` and `domain`: Configures a local domain.
+
+\- `dhcp-range`: Defines the IP range for DHCP clients (from
+192.168.1.100 to 192.168.1.200, lease time 12 hours).
+
+\- `dhcp-option`: Sets the default gateway (option 3) and DNS servers
+(option 6).
+
+## System-Level Adjustments for Network Stability
+
+In some cases, especially in nested or privileged containers, additional
+system-level adjustments are necessary to ensure proper network
+functionality and avoid conflicts.
+
+To remount the `/sys` filesystem as read-write (required if certain
+networking tools fail due to mount restrictions):
+
+``` {.bash language="bash"}
+sudo mount -o remount,rw /sys
+sudo systemctl restart systemd-udevd
+```
+
+Additionally, to prevent DNS conflicts with `systemd-resolved`, which
+may interfere with `dnsmasq`, stop and disable the service:
+
+``` {.bash language="bash"}
+sudo systemctl stop systemd-resolved
+sudo systemctl disable systemd-resolved
+```
+
+This ensures that `dnsmasq` can bind to port 53 without conflicts. If
+you require `systemd-resolved`, consider configuring it to listen on a
+different interface or using socket activation.
+
+## Starting and Enabling dnsmasq
+
+Restart and enable the `dnsmasq` service:
+
+``` {.bash language="bash"}
+incus exec deb1 -- systemctl restart dnsmasq
+incus exec deb1 -- systemctl enable dnsmasq
+```
+
+Verify that `dnsmasq` is running:
+
+``` {.bash language="bash"}
+incus exec deb1 -- systemctl status dnsmasq
+```
+
+## Testing the Configuration
+
+Test DNS resolution from within the container:
+
+``` {.bash language="bash"}
+incus exec deb1 -- nslookup example.local 192.168.1.10
+```
+
+To test DHCP, connect a client device to the same network and verify
+that it receives an IP address in the range
+`192.168.1.100–192.168.1.200`.
+
+# Troubleshooting
+
+If `dnsmasq` fails to start:
+
+\- Check the logs: `incus exec deb1 – journalctl -u dnsmasq`.
+
+\- Ensure no other service is using port 53 (DNS) or 67 (DHCP).
+
+\- Verify the network configuration with `incus exec deb1 – ip a` and
+`incus exec deb1 – ping 8.8.8.8`.
+
+# Conclusion
+
+This guide configures `dnsmasq` as a DNS and DHCP server in an Incus
+container on Debian. The Netplan configuration ensures proper network
+setup. For advanced configurations, refer to the `dnsmasq` documentation
+(`man dnsmasq`).

doc/main.tex

@@ -32,20 +32,6 @@
   morestring=[b]{'}
 }
 
-% Define Python language for listings
-\lstdefinelanguage{python}{
-  keywords={def,class,import,from,as,try,except,with,return,raise,if,elif,else,for,in,while,break,continue},
-  keywordstyle=\color{blue}\bfseries,
-  basicstyle=\ttfamily\small,
-  sensitive=true,
-  comment=[l]{\#},
-  commentstyle=\color{gray}\itshape,
-  stringstyle=\color{red},
-  morestring=[b]{"},
-  morestring=[b]{'},
-  identifierstyle=\color{black}
-}
-
 \begin{document}
 
 \title{Basic Configuration of dnsmasq in an Incus Container on Debian with Netplan}
@@ -54,36 +40,48 @@
 \maketitle
 
 \section{Introduction}
-This guide provides step-by-step instructions for setting up \texttt{dnsmasq} as a DNS and DHCP server in an Incus container running Debian. The network configuration is managed using Netplan and a custom Python script to create virtual Ethernet (veth) pairs and bridges, ensuring proper network integration.
+This guide provides step-by-step instructions for setting up \texttt{dnsmasq} as a DNS and DHCP server in an Incus container running Debian. The network configuration is managed using Netplan to ensure proper network integration.
 
 \section{Prerequisites}
 Before proceeding, ensure the following:
-\begin{itemize}
-  \item Incus is installed on the host system (\texttt{sudo apt install incus}).
-  \item A Debian-based container is created in Incus.
-  \item Python 3 and the \texttt{pyroute2} package are installed on the host (\texttt{sudo apt install python3 python3-pyroute2}).
-  \item Basic knowledge of Linux networking and container management.
-  \item Root or sudo access to the host and container.
-\end{itemize}
+
+  
+- Incus is installed on the host system (\texttt{sudo apt install incus}).
+  
+- A Debian-based container is created in Incus.
+  
+- Basic knowledge of Linux networking and container management.
+  
+- Root or sudo access to the host and container.
+
 
 \section{Step-by-Step Configuration}
 
 \subsection{Creating and Setting Up the Incus Container}
-Create a Debian container named \texttt{dnsmasq-container} using the following commands on the host:
+Create a Debian container named \texttt{deb1} using the following commands on the host:
 \begin{lstlisting}[language=bash]
-incus create images:debian/12 dnsmasq-container
-incus config set dnsmasq-container security.syscalls.intercept.mount true
-incus config set dnsmasq-container security.nesting true
-incus config set dnsmasq-container security.privileged true
-incus start dnsmasq-container
+incus create images:debian/12 deb1
+incus config set deb1 security.syscalls.intercept.mount true
+incus config set deb1 security.nesting true
+incus config set deb1 security.privileged true
+incus start deb1
 \end{lstlisting}
 The \texttt{security.syscalls.intercept.mount}, \texttt{security.nesting}, and \texttt{security.privileged} settings are required for \texttt{dnsmasq} and Docker to function correctly in the container.
 
+\subsection{Firewall Configuration}
+To allow traffic forwarding between the \texttt{incusbr0} bridge and the \texttt{wlo1} wireless interface, the following iptables rules are applied:
+
+\begin{lstlisting}
+sudo iptables -A FORWARD -i incusbr0 -o wlo1 -j ACCEPT
+sudo iptables -A FORWARD -i wlo1 -o incusbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo iptables -P FORWARD ACCEPT
+\end{lstlistingi}
+
 \subsection{Installing Additional Packages}
 Install the necessary packages inside the container:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- apt update
-incus exec dnsmasq-container -- apt install -y \
+incus exec deb1 -- apt update
+incus exec deb1 -- apt install -y \
     netplan.io \
     sudo vim nano git tmux mc zip unzip curl wget htop lynx \
     iproute2 termshark bridge-utils \
@@ -97,86 +95,49 @@ Configure user access and permissions within the container.
 \subsubsection{Changing the Root Password}
 Set the root password to "passroot":
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- bash -c 'echo "root:passroot" | chpasswd'
+incus exec deb1 -- bash -c 'echo "root:passroot" | chpasswd'
 \end{lstlisting}
 
 \subsubsection{Adding a New User}
 Add a new user named "user" with the password "pass" and add them to the "sudo" and "docker" groups:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- useradd -m -s /bin/bash user
-incus exec dnsmasq-container -- bash -c 'echo "user:pass" | chpasswd'
-incus exec dnsmasq-container -- usermod -aG sudo user
-incus exec dnsmasq-container -- usermod -aG docker user
+sudo useradd -m -s /bin/bash -G sudo user && echo 'user:pass' | sudo chpasswd
 \end{lstlisting}
 
 \subsection{Accessing the Container}
 Access the container's shell:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- bash
+incus exec deb1 -- su - user 
 \end{lstlisting}
 
-\subsection{Installing dnsmasq}
-Update the package list and install \texttt{dnsmasq}:
-\begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- apt update
-incus exec dnsmasq-container -- apt install dnsmasq -y
+\section{Setting Up a Veth Pair Between Container and Network Namespace}
+To enable direct communication between a container and a network namespace, a virtual Ethernet (\texttt{veth}) pair is created. The following Python script (\texttt{link.py}) is used to create a \texttt{veth} pair between the \texttt{deb1} (an Incus container) and the \texttt{ns1} network namespace, with interfaces named \texttt{vA} and \texttt{vB}.
+
+\begin{lstlisting}
+sudo python3 link.py -n1 vA -t2 incus -ns2 deb1 -n2 vB
 \end{lstlisting}
 
-\subsection{Configuring Network with Veth Pairs and Netplan}
-To enable advanced networking, use the provided Python script (\texttt{link.py}) to create a virtual Ethernet (veth) pair connecting the container to the host's network namespace, with an optional bridge for network integration. Save the following script as \texttt{link.py} on the host:
+This command:
 
-\begin{lstlisting}[language=python]
-import argparse
-import os
-import subprocess
-import sys
-from pyroute2 import IPRoute, NetNS
   
-# ... (rest of the link.py script as provided) ...
-\end{lstlisting}
+- Creates a \texttt{veth} pair with one end (\texttt{vA}) in the default namespace and the other end (\texttt{vB}) in the \texttt{deb1}'s network namespace.
   
-Run the script to create a veth pair, move one end to the container's network namespace, and attach it to a bridge on the host. First, identify the container's name or ID:
-\begin{lstlisting}[language=bash]
-incus list
-\end{lstlisting}
-Assuming the container name is \texttt{dnsmasq-container}, execute the script with sudo privileges:
-\begin{lstlisting}[language=bash]
-sudo python3 link.py --namespace1 dnsmasq-container --namespace2 1 \
-    --name1 veth-container --name2 veth-host \
-    --bridge2 br0 --type1 incus
-\end{lstlisting}
+- Ensures the interfaces are set up and operational, allowing network traffic to flow between the container and the \texttt{ns1} namespace (or default namespace if \texttt{ns1} is not explicitly created).
 
-\textbf{Explanation:}
-\begin{itemize}
-  \item \texttt{--namespace1 dnsmasq-container}: Specifies the container's network namespace (Incus container).
-  \item \texttt{--namespace2 1}: Specifies the default (host) namespace.
-  \item \texttt{--name1 veth-container}: Names the veth interface inside the container.
-  \item \texttt{--name2 veth-host}: Names the veth interface on the host.
-  \item \texttt{--bridge2 br0}: Attaches the host's veth interface to a bridge named \texttt{br0}.
-  \item \texttt{--type1 incus}: Indicates that \texttt{namespace1} is an Incus container.
-\end{itemize}
 
-Before running the script, ensure the bridge \texttt{br0} exists on the host. Create it if necessary:
-\begin{lstlisting}[language=bash]
-sudo ip link add name br0 type bridge
-sudo ip link set br0 up
-\end{lstlisting}
-
-The script exposes the container's network namespace, creates the veth pair, moves \texttt{veth-container} to the container's namespace, attaches \texttt{veth-host} to \texttt{br0}, and brings both interfaces up.
+The script uses the \texttt{pyroute2} library to manage network interfaces and namespaces, and supports container types such as Incus, LXC, LXD, and Docker. Ensure the \texttt{deb1} is running in Incus before executing the command.
 
 \subsection{Configuring the Network with Netplan}
-Configure the container's network using Netplan to assign a static IP address to the \texttt{veth-container} interface (aliased as \texttt{eth0} for simplicity). Create or edit the Netplan configuration file at \texttt{/etc/netplan/01-netcfg.yaml} inside the container:
+Configure the container's network using Netplan to assign a static IP address. Create or edit the Netplan configuration file at \texttt{/etc/netplan/01-netcfg.yaml}:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- nano /etc/netplan/01-netcfg.yaml
+incus exec deb1 -- nano /etc/netplan/01-netcfg.yaml
 \end{lstlisting}
 Add the following configuration:
 \begin{lstlisting}[language=yaml]
 network:
   version: 2
   ethernets:
-    eth0:
-      match:
-        name: veth-container
+    vB:
       dhcp4: no
       addresses:
         - 192.168.1.10/24
@@ -186,33 +147,25 @@ network:
       nameservers:
         addresses: [8.8.8.8, 8.8.4.4]
 \end{lstlisting}
-
-\textbf{Explanation:}
-\begin{itemize}
-  \item \texttt{match: name: veth-container}: Matches the \texttt{veth-container} interface created by the script, aliased as \texttt{eth0}.
-  \item \texttt{dhcp4: no}: Disables DHCP to use a static IP.
-  \item \texttt{addresses}: Assigns the static IP \texttt{192.168.1.10/24}.
-  \item \texttt{routes}: Sets the default gateway to \texttt{192.168.1.1}.
-  \item \texttt{nameservers}: Specifies Google's DNS servers.
-\end{itemize}
-
 Apply the configuration:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- netplan apply
+incus exec deb1 -- netplan apply
 \end{lstlisting}
 
-Verify the network configuration:
+\subsection{Installing dnsmasq}
+Update the package list and install \texttt{dnsmasq}:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- ip a show eth0
-incus exec dnsmasq-container -- ping 8.8.8.8
+incus exec deb1 -- apt update
+incus exec deb1 -- apt install dnsmasq -y
 \end{lstlisting}
 
 \subsection{Configuring dnsmasq}
 Edit the \texttt{dnsmasq} configuration file at \texttt{/etc/dnsmasq.conf}:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- nano /etc/dnsmasq.conf
+incus exec deb1 -- nano /etc/dnsmasq.conf
 \end{lstlisting}
 Add or modify the following settings to enable DNS and DHCP:
+
 \begin{lstlisting}
 # DNS settings
 domain-needed
@@ -226,48 +179,82 @@ domain=example.local
 # DHCP settings
 dhcp-range=192.168.1.100,192.168.1.200,12h
 dhcp-option=3,192.168.1.1
-dhcp-option=6,8.8.8.8,8.8.4.4
+
+# Opcja DHCP numer 6 (dhcp-option=6) służy do ustawiania adresu serwera DNS dla klientów DHCP
+dhcp-option=6,192.168.1.10
 \end{lstlisting}
 
 \textbf{Explanation:}
-\begin{itemize}
-  \item \texttt{domain-needed}: Prevents incomplete domain names from being sent to upstream DNS.
-  \item \texttt{bogus-priv}: Blocks reverse DNS lookups for private IP ranges.
-  \item \texttt{no-resolv}: Disables reading \texttt{/etc/resolv.conf}.
-  \item \texttt{server}: Specifies upstream DNS servers (Google DNS in this case).
-  \item \texttt{local} and \texttt{domain}: Configures a local domain.
-  \item \texttt{dhcp-range}: Defines the IP range for DHCP clients (from 192.168.1.100 to 192.168.1.200, lease time 12 hours).
-  \item \texttt{dhcp-option}: Sets the default gateway (option 3) and DNS servers (option 6).
-\end{itemize}
+
+  
+- \texttt{domain-needed}: Prevents incomplete domain names from being sent to upstream DNS.
+  
+- \texttt{bogus-priv}: Blocks reverse DNS lookups for private IP ranges.
+  
+- \texttt{no-resolv}: Disables reading \texttt{/etc/resolv.conf}.
+  
+- \texttt{server}: Specifies upstream DNS servers (Google DNS in this case).
+  
+- \texttt{local} and \texttt{domain}: Configures a local domain.
+  
+- \texttt{dhcp-range}: Defines the IP range for DHCP clients (from 192.168.1.100 to 192.168.1.200, lease time 12 hours).
+  
+- \texttt{dhcp-option}: Sets the default gateway (option 3) and DNS servers (option 6).
+
+
+% ————————————————————————————————
+% 🔧 NOWA SEKCJA: System-Level Adjustments
+% ————————————————————————————————
+
+\subsection{System-Level Adjustments for Network Stability}
+In some cases, especially in nested or privileged containers, additional system-level adjustments are necessary to ensure proper network functionality and avoid conflicts.
+
+To remount the \texttt{/sys} filesystem as read-write (required if certain networking tools fail due to mount restrictions):
+\begin{lstlisting}[language=bash]
+sudo mount -o remount,rw /sys
+sudo systemctl restart systemd-udevd
+\end{lstlisting}
+
+Additionally, to prevent DNS conflicts with \texttt{systemd-resolved}, which may interfere with \texttt{dnsmasq}, stop and disable the service:
+\begin{lstlisting}[language=bash]
+sudo systemctl stop systemd-resolved
+sudo systemctl disable systemd-resolved
+\end{lstlisting}
+
+This ensures that \texttt{dnsmasq} can bind to port 53 without conflicts. If you require \texttt{systemd-resolved}, consider configuring it to listen on a different interface or using socket activation.
+
+% ————————————————————————————————
 
 \subsection{Starting and Enabling dnsmasq}
 Restart and enable the \texttt{dnsmasq} service:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- systemctl restart dnsmasq
-incus exec dnsmasq-container -- systemctl enable dnsmasq
+incus exec deb1 -- systemctl restart dnsmasq
+incus exec deb1 -- systemctl enable dnsmasq
 \end{lstlisting}
 Verify that \texttt{dnsmasq} is running:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- systemctl status dnsmasq
+incus exec deb1 -- systemctl status dnsmasq
 \end{lstlisting}
 
 \subsection{Testing the Configuration}
 Test DNS resolution from within the container:
 \begin{lstlisting}[language=bash]
-incus exec dnsmasq-container -- nslookup example.local 192.168.1.10
+incus exec deb1 -- nslookup example.local 192.168.1.10
 \end{lstlisting}
-To test DHCP, connect a client device to the same network (via the \texttt{br0} bridge) and verify that it receives an IP address in the range \texttt{192.168.1.100--192.168.1.200}.
+To test DHCP, connect a client device to the same network and verify that it receives an IP address in the range \texttt{192.168.1.100--192.168.1.200}.
 
 \section{Troubleshooting}
 If \texttt{dnsmasq} fails to start:
-\begin{itemize}
-  \item Check the logs: \texttt{incus exec dnsmasq-container -- journalctl -u dnsmasq}.
-  \item Ensure no other service is using port 53 (DNS) or 67 (DHCP).
-  \item Verify the network configuration with \texttt{incus exec dnsmasq-container -- ip a} and \texttt{incus exec dnsmasq-container -- ping 8.8.8.8}.
-  \item Confirm the veth pair and bridge setup: \texttt{ip link show} on the host and \texttt{incus exec dnsmasq-container -- ip link show}.
-\end{itemize}
+
+  
+- Check the logs: \texttt{incus exec deb1 -- journalctl -u dnsmasq}.
+  
+- Ensure no other service is using port 53 (DNS) or 67 (DHCP).
+  
+- Verify the network configuration with \texttt{incus exec deb1 -- ip a} and \texttt{incus exec deb1 -- ping 8.8.8.8}.
+
 
 \section{Conclusion}
-This guide configures \texttt{dnsmasq} as a DNS and DHCP server in an Incus container on Debian. The \texttt{link.py} script and Netplan configuration ensure a robust network setup with veth pairs and static IP addressing. For advanced configurations, refer to the \texttt{dnsmasq} documentation (\texttt{man dnsmasq}) and \texttt{pyroute2} documentation.
+This guide configures \texttt{dnsmasq} as a DNS and DHCP server in an Incus container on Debian. The Netplan configuration ensures proper network setup. For advanced configurations, refer to the \texttt{dnsmasq} documentation (\texttt{man dnsmasq}).
 
 \end{document}

doc/~

@@ -0,0 +1,257 @@
+\documentclass[a4paper,12pt]{article}
+\usepackage[utf8]{inputenc}
+\usepackage[T1]{fontenc}
+\usepackage{lmodern}
+\usepackage{geometry}
+\geometry{margin=1in}
+\usepackage{listings}
+\usepackage{xcolor}
+\usepackage{parskip}
+
+\lstset{
+  basicstyle=\ttfamily\small,
+  breaklines=true,
+  frame=single,
+  numbers=left,
+  numberstyle=\tiny,
+  keywordstyle=\color{blue},
+  commentstyle=\color{gray},
+  stringstyle=\color{red}
+}
+
+% Define YAML language for listings
+\lstdefinelanguage{yaml}{
+  keywords={true,false,null,yaml,network,version,ethernets,dhcp4,addresses,routes,to,via,nameservers},
+  keywordstyle=\color{blue}\bfseries,
+  basicstyle=\ttfamily\small,
+  sensitive=false,
+  comment=[l]{\#},
+  commentstyle=\color{gray}\itshape,
+  stringstyle=\color{red},
+  morestring=[b]{"},
+  morestring=[b]{'}
+}
+
+\begin{document}
+
+\title{Basic Configuration of dnsmasq in an Incus Container on Debian with Netplan}
+\author{}
+\date{}
+\maketitle
+
+\section{Introduction}
+This guide provides step-by-step instructions for setting up \texttt{dnsmasq} as a DNS and DHCP server in an Incus container running Debian. The network configuration is managed using Netplan to ensure proper network integration.
+
+\section{Prerequisites}
+Before proceeding, ensure the following:
+
+  
+- Incus is installed on the host system (\texttt{sudo apt install incus}).
+  
+- A Debian-based container is created in Incus.
+  
+- Basic knowledge of Linux networking and container management.
+  
+- Root or sudo access to the host and container.
+
+
+\section{Step-by-Step Configuration}
+
+\subsection{Creating and Setting Up the Incus Container}
+Create a Debian container named \texttt{deb1} using the following commands on the host:
+\begin{lstlisting}[language=bash]
+incus create images:debian/12 deb1
+incus config set deb1 security.syscalls.intercept.mount true
+incus config set deb1 security.nesting true
+incus config set deb1 security.privileged true
+incus start deb1
+\end{lstlisting}
+The \texttt{security.syscalls.intercept.mount}, \texttt{security.nesting}, and \texttt{security.privileged} settings are required for \texttt{dnsmasq} and Docker to function correctly in the container.
+
+\subsection{Firewall Configuration}
+To allow traffic forwarding between the \texttt{incusbr0} bridge and the \texttt{wlo1} wireless interface, the following iptables rules are applied:
+
+\begin{lstlisting}
+sudo iptables -A FORWARD -i incusbr0 -o wlo1 -j ACCEPT
+sudo iptables -A FORWARD -i wlo1 -o incusbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo iptables -P FORWARD ACCEPT
+\end{lstlistingi}
+
+\subsection{Installing Additional Packages}
+Install the necessary packages inside the container:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- apt update
+incus exec deb1 -- apt install -y \
+    netplan.io \
+    sudo vim nano git tmux mc zip unzip curl wget htop lynx \
+    iproute2 termshark bridge-utils \
+    python3 python3-ipython python3-pyroute2 python3-scapy \
+    docker.io docker-compose
+\end{lstlisting}
+
+\subsection{Configuring Users and Permissions}
+Configure user access and permissions within the container.
+
+\subsubsection{Changing the Root Password}
+Set the root password to "passroot":
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- bash -c 'echo "root:passroot" | chpasswd'
+\end{lstlisting}
+
+\subsubsection{Adding a New User}
+Add a new user named "user" with the password "pass" and add them to the "sudo" and "docker" groups:
+\begin{lstlisting}[language=bash]
+sudo useradd -m -s /bin/bash -G sudo user && echo 'user:pass' | sudo chpasswd
+\end{lstlisting}
+
+\subsection{Accessing the Container}
+Access the container's shell:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- su - user 
+\end{lstlisting}
+
+\section{Setting Up a Veth Pair Between Container and Network Namespace}
+To enable direct communication between a container and a network namespace, a virtual Ethernet (\texttt{veth}) pair is created. The following Python script (\texttt{link.py}) is used to create a \texttt{veth} pair between the \texttt{deb1} (an Incus container) and the \texttt{ns1} network namespace, with interfaces named \texttt{vA} and \texttt{vB}.
+
+\begin{lstlisting}
+sudo python3 link.py -n1 vA -t2 incus -ns2 deb1 -n2 vB
+\end{lstlisting}
+
+This command:
+
+  
+- Creates a \texttt{veth} pair with one end (\texttt{vA}) in the default namespace and the other end (\texttt{vB}) in the \texttt{deb1}'s network namespace.
+  
+- Ensures the interfaces are set up and operational, allowing network traffic to flow between the container and the \texttt{ns1} namespace (or default namespace if \texttt{ns1} is not explicitly created).
+
+
+The script uses the \texttt{pyroute2} library to manage network interfaces and namespaces, and supports container types such as Incus, LXC, LXD, and Docker. Ensure the \texttt{deb1} is running in Incus before executing the command.
+
+\subsection{Configuring the Network with Netplan}
+Configure the container's network using Netplan to assign a static IP address. Create or edit the Netplan configuration file at \texttt{/etc/netplan/01-netcfg.yaml}:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- nano /etc/netplan/01-netcfg.yaml
+\end{lstlisting}
+Add the following configuration:
+\begin{lstlisting}[language=yaml]
+network:
+  version: 2
+  ethernets:
+    vB:
+      dhcp4: no
+      addresses:
+        - 192.168.1.10/24
+      routes:
+        - to: default
+          via: 192.168.1.1
+      nameservers:
+        addresses: [8.8.8.8, 8.8.4.4]
+\end{lstlisting}
+Apply the configuration:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- netplan apply
+\end{lstlisting}
+
+\subsection{Installing dnsmasq}
+Update the package list and install \texttt{dnsmasq}:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- apt update
+incus exec deb1 -- apt install dnsmasq -y
+\end{lstlisting}
+
+\subsection{Configuring dnsmasq}
+Edit the \texttt{dnsmasq} configuration file at \texttt{/etc/dnsmasq.conf}:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- nano /etc/dnsmasq.conf
+\end{lstlisting}
+Add or modify the following settings to enable DNS and DHCP:
+\begin{lstlisting}
+# DNS settings
+domain-needed
+bogus-priv
+no-resolv
+server=8.8.8.8
+server=8.8.4.4
+local=/example.local/
+domain=example.local
+
+# DHCP settings
+dhcp-range=192.168.1.100,192.168.1.200,12h
+dhcp-option=3,192.168.1.1
+dhcp-option=6,8.8.8.8,8.8.4.4
+\end{lstlisting}
+
+\textbf{Explanation:}
+
+  
+- \texttt{domain-needed}: Prevents incomplete domain names from being sent to upstream DNS.
+  
+- \texttt{bogus-priv}: Blocks reverse DNS lookups for private IP ranges.
+  
+- \texttt{no-resolv}: Disables reading \texttt{/etc/resolv.conf}.
+  
+- \texttt{server}: Specifies upstream DNS servers (Google DNS in this case).
+  
+- \texttt{local} and \texttt{domain}: Configures a local domain.
+  
+- \texttt{dhcp-range}: Defines the IP range for DHCP clients (from 192.168.1.100 to 192.168.1.200, lease time 12 hours).
+  
+- \texttt{dhcp-option}: Sets the default gateway (option 3) and DNS servers (option 6).
+
+
+% ————————————————————————————————
+% 🔧 NOWA SEKCJA: System-Level Adjustments
+% ————————————————————————————————
+
+\subsection{System-Level Adjustments for Network Stability}
+In some cases, especially in nested or privileged containers, additional system-level adjustments are necessary to ensure proper network functionality and avoid conflicts.
+
+To remount the \texttt{/sys} filesystem as read-write (required if certain networking tools fail due to mount restrictions):
+\begin{lstlisting}[language=bash]
+sudo mount -o remount,rw /sys
+sudo systemctl restart systemd-udevd
+\end{lstlisting}
+
+Additionally, to prevent DNS conflicts with \texttt{systemd-resolved}, which may interfere with \texttt{dnsmasq}, stop and disable the service:
+\begin{lstlisting}[language=bash]
+sudo systemctl stop systemd-resolved
+sudo systemctl disable systemd-resolved
+\end{lstlisting}
+
+This ensures that \texttt{dnsmasq} can bind to port 53 without conflicts. If you require \texttt{systemd-resolved}, consider configuring it to listen on a different interface or using socket activation.
+
+% ————————————————————————————————
+
+\subsection{Starting and Enabling dnsmasq}
+Restart and enable the \texttt{dnsmasq} service:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- systemctl restart dnsmasq
+incus exec deb1 -- systemctl enable dnsmasq
+\end{lstlisting}
+Verify that \texttt{dnsmasq} is running:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- systemctl status dnsmasq
+\end{lstlisting}
+
+\subsection{Testing the Configuration}
+Test DNS resolution from within the container:
+\begin{lstlisting}[language=bash]
+incus exec deb1 -- nslookup example.local 192.168.1.10
+\end{lstlisting}
+To test DHCP, connect a client device to the same network and verify that it receives an IP address in the range \texttt{192.168.1.100--192.168.1.200}.
+
+\section{Troubleshooting}
+If \texttt{dnsmasq} fails to start:
+
+  
+- Check the logs: \texttt{incus exec deb1 -- journalctl -u dnsmasq}.
+  
+- Ensure no other service is using port 53 (DNS) or 67 (DHCP).
+  
+- Verify the network configuration with \texttt{incus exec deb1 -- ip a} and \texttt{incus exec deb1 -- ping 8.8.8.8}.
+
+
+\section{Conclusion}
+This guide configures \texttt{dnsmasq} as a DNS and DHCP server in an Incus container on Debian. The Netplan configuration ensures proper network setup. For advanced configurations, refer to the \texttt{dnsmasq} documentation (\texttt{man dnsmasq}).
+
+\end{document}

py/link.py

@@ -427,3 +427,4 @@ def main():
 if __name__ == "__main__":
     main()
 
+

scripts/incus_script_1.sh

@@ -1,5 +1,5 @@
-incus create images:debian/12 dnsmasq-container
-incus config set dnsmasq-container security.syscalls.intercept.mount true
-incus config set dnsmasq-container security.nesting true
-incus config set dnsmasq-container security.privileged true
-incus start dnsmasq-container
+incus create images:debian/12 deb1
+incus config set deb1 security.syscalls.intercept.mount true
+incus config set deb1 security.nesting true
+incus config set deb1 security.privileged true
+incus start deb1

scripts/incus_scripts_ALLinONE.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Restart usługi dnsmasq w kontenerze
+incus exec deb1 -- systemctl restart dnsmasq
+
+# Włącz automatyczne uruchamianie dnsmasq przy starcie
+incus exec deb1 -- systemctl enable dnsmasq
+
+# Sprawdź status usługi dnsmasq
+incus exec deb1 -- systemctl status dnsmasq
+
+# Test DNS — nslookup
+incus exec deb1 -- nslookup example.local 192.168.1.10
+
+# Utwórz nowy kontener deb1 z obrazu Debian 12
+incus create images:debian/12 deb1
+
+# Konfiguracja bezpieczeństwa dla kontenera deb1
+incus config set deb1 security.syscalls.intercept.mount true
+incus config set deb1 security.nesting true
+incus config set deb1 security.privileged true
+
+# Uruchom kontener deb1
+incus start deb1
+
+# Aktualizacja pakietów w kontenerze deb1
+incus exec deb1 -- apt update
+
+# Instalacja potrzebnych pakietów
+incus exec deb1 -- apt install -y \
+    netplan.io \
+    sudo vim nano git tmux mc zip unzip curl wget htop lynx \
+    iproute2 termshark bridge-utils \
+    python3 python3-ipython python3-pyroute2 python3-scapy \
+    docker.io docker-compose
+
+# Ustaw hasło root
+incus exec deb1 -- bash -c 'echo "root:passroot" | chpasswd'
+
+# Dodaj użytkownika "user" z hasłem "pass" i  grupą "sudo" i " docker"   (opcja dla wewnątrz kontenera i z ns1
+# Wariant ns1
+sudo incus exec deb1 -- su - sudo useradd -m -s /bin/bash -G sudo,docker user && echo 'user:pass' | sudo chpasswd
+
+# Wariant inside container
+sudo useradd -m -s /bin/bash -G sudo,docker user && echo 'user:pass' | sudo chpasswd
+
+# Wejście do powłoki bash w kontenerze (opcjonalne)
+incus exec deb1 -- bash -c "echo 'Wchodzimy do bash...'; exec bash"
+
+# Aktualizacja pakietów ponownie
+incus exec deb1 -- apt update
+
+# Instalacja dnsmasq
+incus exec deb1 -- apt install dnsmasq -y
+
+# Edycja konfiguracji Netplan
+incus exec deb1 -- nano /etc/netplan/01-netcfg.yaml
+
+# Zastosowanie zmian konfiguracji sieciowej
+incus exec deb1 -- netplan apply
+
+# Edycja konfiguracji dnsmasq.conf
+incus exec deb1 -- nano /etc/dnsmasq.conf
+
+echo "Skrypt zakończony."
+
+#made by mbiast and babcia (siah)

todo/better_aproach.txt

@@ -0,0 +1 @@
+ allign czy konf container from inside /outside side`

todo/firewall.txt

@@ -0,0 +1 @@
+sudo iptables -P FORWARD ACCEPT

token.txt

@@ -1 +1 @@
-t8:37b0111174ee4067a3c1c27dace2f4874d3f0860
+da086cb72f6790bee9fc30d03577587f44afbb7f