author: Daniel Baumann <daniel.baumann@progress-linux.org> 2021-07-24 18:45:00 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2021-07-24 18:55:37 +0000
commit: d20677330a40013f3b371fa0734de9ad7a069235
tree: f4b1e2d7e40490a45c45e762048c16b8a615386d /share/doc/host-setup.txt
parent: Adding upstream version 20210630.
Adding upstream version 20210724. (ref: upstream/20210724)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'share/doc/host-setup.txt')
-rw-r--r--  share/doc/host-setup.txt  230
1 files changed, 230 insertions, 0 deletions
diff --git a/share/doc/host-setup.txt b/share/doc/host-setup.txt
new file mode 100644
index 0000000..9a9ec94
--- /dev/null
+++ b/share/doc/host-setup.txt
@@ -0,0 +1,230 @@
+compute-tools: Host Setup
+=========================
+
+
+1. Debian Packages
+-------------------
+
+apt install bridge-utils ifenslave vlan
+
+
+2. Boot Parameters
+------------------
+
+2.1 CGroup Memory Controller (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable the memory controller the following boot parameter needs to be used:
+
+ cgroup_enable=memory
+
+
+2.2 CGroup Swap Controller (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable the swap controller the following boot parameter needs to be used:
+
+ swapaccount=1
+
+2.3 vsyscall (legacy)
+~~~~~~~~~~~~~~~~~~~~~
+
+In order to be able to execute binaries linked to older libc versions
+(<= wheezy) on newer linux versions (>= buster), add the following boot
+parameter (see #881813 for more information):
+
+ vsyscall=emulate
+
+
+3. Networking
+~~~~~~~~~~~~~
+
+3.1 Configure Network Bridge
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+3.1.1 Bridge: 1 Interface, standalone, DHCP
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/network/interfaces << EOF
+# /etc/network/interfaces
+
+source /etc/network/interfaces.d/*
+
+auto lo
+iface lo inet loopback
+
+iface eno1 inet manual
+
+auto bridge0
+iface bridge0 inet dhcp
+ bridge_ports eno1
+ bridge_fd 0
+ bridge_maxwait 0
+ bridge_stp 0
+EOF
+
+
+3.1.2 Bridge: 1 Interface, standalone, static
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/network/interfaces << EOF
+# /etc/network/interfaces
+
+source /etc/network/interfaces.d/*
+
+auto lo
+iface lo inet loopback
+
+iface eno1 inet manual
+
+auto bridge0
+iface bridge0 inet static
+ address 10.0.0.2
+ gateway 10.0.0.1
+ netmask 24
+
+ pre-up ip link set eno1 down
+ pre-up ip link set eno1 up
+
+ bridge_ports eno1
+ bridge_fd 0
+ bridge_maxwait 0
+ bridge_stp 0
+EOF
+
+
+3.1.3 Bridge: 2 logical Interfaces, subnet, static
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/network/interfaces << EOF
+# /etc/network/interfaces
+
+source /etc/network/interfaces.d/*
+
+auto lo
+iface lo inet loopback
+
+allow-hotplug eno1
+iface eno1 inet dhcp
+
+auto bridge0
+iface bridge0 inet static
+ address 10.0.0.1
+ netmask 24
+
+ pre-up ip link add name bridge0 type bridge
+ post-down ip link delete bridge0 type bridge
+
+ bridge_fd 0
+ bridge_maxwait 0
+ bridge_stp 0
+EOF
+
+
+3.1.4 Bridge: 3 physical Interfaces, vlan, bonding, static
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/network/interfaces << EOF
+# /etc/network/interfaces
+
+source /etc/network/interfaces.d/*
+
+auto lo
+iface lo inet loopback
+
+allow-hotplug eno1
+iface eno1 inet dhcp
+
+iface eno2 inet manual
+
+iface eno3 inet manual
+
+auto bond0
+iface bond0 inet manual
+ up ip link set bond0 up
+ down ip link set bond0 down
+
+ slaves eno2 eno3
+
+ bond-mode 4
+ bond-miimon 100
+ bond-downdelay 200
+ bond-updelay 200
+ bond-lacp-rate 1
+ bond-xmit-hash-policy layer2+3
+
+iface bond0.100 inet manual
+ vlan-raw-device bond0
+
+auto bridge-100
+iface bridge-100 inet static
+ address 10.100.0.2
+ netmask 24
+
+ bridge_ports bond0.100
+ bridge_fd 0
+ bridge_maxwait 0
+ bridge_stp 0
+EOF
+
+
+4. Enabling user namespace for unprivileged containers
+------------------------------------------------------
+
+Linux supports unprivileged containers with the user namespace.
+By default the user namespace is disabled on Debian systems (see #898446).
+To enable user namespace, edit the following file for a permant change:
+
+ /etc/sysctl.d/zz-compute-tools.conf
+ sysctl -p
+
+or enable it manually with:
+
+ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
+
+Note that containers need to be started with the correct
+configuration in /etc/compute-tools/container/config to run unpriviled
+(private-users option).
+
+
+5. Enabling container-shell
+---------------------------
+
+Managing privileged containers requires root privileges. In order to allow
+unprivileged users to manage privileged containers without granting them
+privileges or accounts, the container-shell can be used together with sudo
+and a container user.
+
+ sudo adduser --gecos "compute-tools,,," \
+ --home /var/lib/open-infrastructure/container-shell \
+ --shell /usr/bin/container-shell
+
+
+6. IPv4 and IPv6 dual-stack
+---------------------------
+
+Examples for /etc/network/interfaces above work for IPv6 too when using correct
+IPv6 addresses and netmasks.
+
+In order to use dual-stack, bridges must have a IPv4 address assigned
+(can be a dummy one from a privacy range or 127.0.0.0/8).
+
+Let me repeat: dual-stack only works when you assign a primary IPv6 address
+(private or public, doesn't matter) *and* add an additional IPv4 address.
+Yes, the IPv4 address can be a private address, the containers can still
+have a public IPv4 address.
+
+A complete example looks like this:
+
+auto bridge0
+iface bridge0 inet6 static
+ address 2a07:6b47:4::4:1
+ netmask 48
+
+ up ip addr add 127.4.4.1 dev $IFACE
+ down ip addr del 127.4.4.1 dev $IFACE
+
+ bridge_fd 0
+ bridge_maxwait 0
+ bridge_stp 0
+ bridge-mcquerier 1
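Review bot: section 4 ("Enabling user namespace for unprivileged containers") names /etc/sysctl.d/zz-compute-tools.conf as the file to edit for a permanent change but never says what to put in it, and "sysctl -p" with no argument re-reads only /etc/sysctl.conf, so the drop-in is never loaded; spell out the setting, "kernel.unprivileged_userns_clone = 1", and apply it with "sysctl --system" (or "sysctl -p /etc/sysctl.d/zz-compute-tools.conf"). One sentence on the trade-off would also help here, since flipping that knob makes the user-namespace creation paths reachable by every unprivileged local user rather than root only, which is exactly why Debian ships it off (#898446). In section 5 the "sudo adduser --gecos ... --home ... --shell /usr/bin/container-shell" invocation is missing the username positional argument that adduser requires, so it fails as written, and the sudo rule the text says to use "together with sudo and a container user" is never shown; the sentence above it also promises "without granting them privileges or accounts" while the command creates an account. Typos to fix in the same hunk: "permant" (permanent) and "unpriviled" (unprivileged) in section 4, "a IPv4 address" and "privacy range" (private range) in section 6.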