From cbfc4abda5f50267b8b2a40de90ee57424381ec6 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 20 Apr 2024 19:12:42 +0200
Subject: Adding upstream version 20221223.

Signed-off-by: Daniel Baumann
---
 share/doc/host-setup.txt | 217 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 217 insertions(+)
 create mode 100644 share/doc/host-setup.txt
(limited to 'share/doc/host-setup.txt')
diff --git a/share/doc/host-setup.txt b/share/doc/host-setup.txt
new file mode 100644
index 0000000..083e1aa
--- /dev/null
+++ b/share/doc/host-setup.txt
@@ -0,0 +1,217 @@
+compute-tools: Host Setup (with systemd-networkd)
+=================================================
+
+
+1. Debian Packages
+-------------------
+
+apt install systemd-networkd bridge-utils
+
+Make sure to enable networkd (sudo systemctl enable systemd-networkd)
+and convert /etc/network/interfaces (see systemd-networkd documentation).
+
+
+2. Boot Parameters
+------------------
+
+2.1 CGroup Memory Controller (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable the memory controller the following boot parameter needs to be used:
+
+ cgroup_enable=memory
+
+
+2.2 CGroup Swap Controller (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable the swap controller the following boot parameter needs to be used:
+
+ swapaccount=1
+
+2.3 vsyscall (legacy)
+~~~~~~~~~~~~~~~~~~~~~
+
+In order to be able to execute binaries linked to older libc versions
+(<= wheezy) on newer linux versions (>= buster), add the following boot
+parameter (see #881813 for more information):
+
+ vsyscall=emulate
+
+
+3. Networking
+~~~~~~~~~~~~~
+
+3.1 Configure Network Bridge
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+3.1.1 Bridge: 1 Interface, standalone, DHCP
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/systemd/network/bridge0.netdev << EOF
+[NetDev]
+Name=bridge0
+Kind=bridge
+EOF
+
+cat > /etc/systemd/network/bridge0.network << EOF
+[Match]
+Name=bridge-0
+
+[Network]
+DHCP=yes
+EOF
+
+
+3.1.2 Bridge: 1 Interface, standalone, static
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/systemd/network/bridge0.netdev << EOF
+[NetDev]
+Name=bridge0
+Kind=bridge
+EOF
+
+cat > /etc/systemd/network/bridge0.network << EOF
+[Match]
+Name=bridge-0
+
+[Network]
+Address=10.0.0.2/24
+Gateway=10.0.0.1
+EOF
+
+
+3.1.3 Bridge: 3 physical Interfaces, vlan, bonding, static
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/systemd/network/eno2.network<< EOF
+[Match]
+Name=eno2
+
+[Network]
+Bond=bond0
+EOF
+
+cat > /etc/systemd/network/eno3.network<< EOF
+[Match]
+Name=eno3
+
+[Network]
+Bond=bond0
+EOF
+
+cat > /etc/systemd/network/bond0.netdev << EOF
+[NetDev]
+Name=bond0
+Kind=bond
+
+[Bond]
+Mode=802.3ad
+TransmitHashPolicy=layer3+4
+MIIMonitorSec=0.1
+UpDelaySec=0.2
+DownDelaySec=0.2
+EOF
+
+cat > /etc/systemd/network/bond0.network << EOF
+[Match]
+Name=bond0
+
+[Network]
+VLAN=100
+EOF
+
+cat > /etc/systemd/network/vlan-100.netdev << EOF
+[NetDev]
+Name=vlan-100
+Kind=vlan
+
+[VLAN]
+Id=100
+EOF
+
+cat > /etc/systemd/network/vlan-100.netdev << EOF
+[Match]
+Name=vlan-100
+
+[Network]
+Bridge=bridge-100
+EOF
+
+cat > /etc/systemd/network/bridge-100.netdev << EOF
+[NetDev]
+Name=bridge-100
+Kind=bridge
+EOF
+
+cat > /etc/systemd/network/bridge-100.network << EOF
+[Match]
+Name=bridge-100
+
+[Network]
+Address=10.100.0.2/24
+Gateway=10.100.0.1
+EOF
+
+
+4. Enabling user namespace for unprivileged containers
+------------------------------------------------------
+
+Linux supports unprivileged containers with the user namespace.
+By default the user namespace is disabled on Debian systems (see #898446).
+To enable user namespace, edit the following file for a permant change:
+
+ /etc/sysctl.d/zz-compute-tools.conf
+ sysctl -p
+
+or enable it manually with:
+
+ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
+
+Note that containers need to be started with the correct
+configuration in /etc/compute-tools/container/config to run unpriviled
+(private-users option).
+
+
+5. Enabling container-shell
+---------------------------
+
+Managing privileged containers requires root privileges. In order to allow
+unprivileged users to manage privileged containers without granting them
+privileges or accounts, the container-shell can be used together with sudo
+and a container user.
+
+ sudo adduser --gecos "compute-tools,,," \
+ --home /var/lib/open-infrastructure/container-shell \
+ --shell /usr/bin/container-shell
+
+
+6. IPv4 and IPv6 dual-stack
+---------------------------
+
+Examples for /etc/network/interfaces above work for IPv6 too when using correct
+IPv6 addresses and netmasks.
+
+In order to use dual-stack, bridges must have a IPv4 address assigned
+(can be a dummy one from a privacy range or 127.0.0.0/8).
+
+Let me repeat: dual-stack only works when you assign a primary IPv6 address
+(private or public, doesn't matter) *and* add an additional IPv4 address.
+Yes, the IPv4 address can be a private address, the containers can still
+have a public IPv4 address.
+
+A complete example looks like this:
+
+auto bridge0
+iface bridge0 inet6 static
+ address 2a07:6b47:4::4:1
+ netmask 48
+
+ up ip addr add 127.4.4.1 dev $IFACE
+ down ip addr del 127.4.4.1 dev $IFACE
+
+ bridge_fd 0
+ bridge_maxwait 0
+ bridge_stp 0
+ bridge-mcquerier 1
--
cgit v1.2.3