From f36095ed361afeaad2f44720ada816ec3bee7cb6 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 24 Jul 2021 20:45:13 +0200
Subject: Merging upstream version 20210724.
Signed-off-by: Daniel Baumann
---
 share/bash-completion/container | 4 +-
 share/config/container.conf.in | 2 +-
 share/doc/HOST-SETUP.txt | 238 -----------------------------------
 share/doc/host-setup.txt | 230 +++++++++++++++++++++++++++++++++
 share/logrotate/container | 2 +
 share/procps/zz-container.conf | 2 +
 share/scripts/debconf | 8 +-
 share/scripts/debootstrap | 4 +-
 share/sudo/container-shell | 2 +
 share/systemd/container-auto.service | 2 +
 share/systemd/container@.service | 2 +
 11 files changed, 252 insertions(+), 244 deletions(-)
 delete mode 100644 share/doc/HOST-SETUP.txt
 create mode 100644 share/doc/host-setup.txt
(limited to 'share')
diff --git a/share/bash-completion/container b/share/bash-completion/container
index d966d7a..2fb49aa 100644
--- a/share/bash-completion/container
+++ b/share/bash-completion/container
@@ -1,5 +1,5 @@
-# bash-completion
-#
+# Open Infrastructure: compute-tools
+
 # Copyright (C) 2014-2021 Daniel Baumann
 #
 # SPDX-License-Identifier: GPL-3.0+
diff --git a/share/config/container.conf.in b/share/config/container.conf.in
index 3ab014d..d3f9a48 100644
--- a/share/config/container.conf.in
+++ b/share/config/container.conf.in
@@ -1,4 +1,4 @@
-# compute-tools: @NAME@
+# Open Infrastructure: compute-tools
 [start]
 cnt.auto=@CNT_AUTO@
diff --git a/share/doc/HOST-SETUP.txt b/share/doc/HOST-SETUP.txt
deleted file mode 100644
index 6b368f0..0000000
--- a/share/doc/HOST-SETUP.txt
+++ /dev/null
@@ -1,238 +0,0 @@ -compute-tools: Host Setup -========================= - - -1. Debian Packages -------------------- - -apt install bridge-utils ifenslave vlan - - -2. Boot Parameters ------------------- - -2.1 CGroup Memory Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In order to enable the memory controller the following boot parameter needs to be used: - - cgroup_enable=memory - - -2.2 CGroup Swap Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In order to enable the swap controller the following boot parameter needs to be used: - - swapaccount=1 - -2.3 vsyscall -~~~~~~~~~~~~ - -In order to be able to execute binaries linked to older libc versions -(<= wheezy) newer linux versions (>= buster), add the following boot parameter -(see #881813 for more information): - - vsyscall=emulate - - -3. Networking -~~~~~~~~~~~~~ - -3.1 Enable IPv4 Forwarding -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -apt install procps -echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_foward.conf -sysctl -p - - -3.2 Configure Network Bridge -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -3.2.1 Bridge: 1 Interface, standalone, DHCP -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -cat > /etc/network/interfaces << EOF -# /etc/network/interfaces - -source /etc/network/interfaces.d/* - -auto lo -iface lo inet loopback - -iface eno1 inet manual - -auto bridge0 -iface bridge0 inet dhcp - bridge_ports eno1 - bridge_fd 0 - bridge_maxwait 0 - bridge_stp 0 -EOF - - -3.2.2 Bridge: 1 Interface, standalone, static -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -cat > /etc/network/interfaces << EOF -# /etc/network/interfaces - -source /etc/network/interfaces.d/* - -auto lo -iface lo inet loopback - -iface eno1 inet manual - -auto bridge0 -iface bridge0 inet static - address 10.0.0.2 - gateway 10.0.0.1 - netmask 24 - - pre-up ip link set eno1 down - pre-up ip link set eno1 up - - bridge_ports eno1 - bridge_fd 0 - bridge_maxwait 0 - bridge_stp 0 -EOF - - -3.2.3 Bridge: 2 logical Interfaces, subnet, static 
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -cat > /etc/network/interfaces << EOF -# /etc/network/interfaces - -source /etc/network/interfaces.d/* - -auto lo -iface lo inet loopback - -allow-hotplug eno1 -iface eno1 inet dhcp - -auto bridge0 -iface bridge0 inet static - address 10.0.0.1 - netmask 24 - - pre-up ip link add name bridge0 type bridge - post-down ip link delete bridge0 type bridge - - bridge_fd 0 - bridge_maxwait 0 - bridge_stp 0 -EOF - - -3.2.4 Bridge: 3 physical Interfaces, vlan, bonding, static -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -cat > /etc/network/interfaces << EOF -# /etc/network/interfaces - -source /etc/network/interfaces.d/* - -auto lo -iface lo inet loopback - -allow-hotplug eno1 -iface eno1 inet dhcp - -iface eno2 inet manual - -iface eno3 inet manual - -auto bond0 -iface bond0 inet manual - up ip link set bond0 up - down ip link set bond0 down - - slaves eno2 eno3 - - bond-mode 4 - bond-miimon 100 - bond-downdelay 200 - bond-updelay 200 - bond-lacp-rate 1 - bond-xmit-hash-policy layer2+3 - -iface bond0.100 inet manual - vlan-raw-device bond0 - -auto bridge-100 -iface bridge-100 inet static - address 10.100.0.2 - netmask 24 - - bridge_ports bond0.100 - bridge_fd 0 - bridge_maxwait 0 - bridge_stp 0 -EOF - - -4. Enabling user namespace for unprivileged containers ------------------------------------------------------- - -Linux supports unprivileged containers with the user namespace. -By default the user namespace is disabled on Debian systems (see #898446). -To enable user namespace, edit the following file for a permant change: - - /etc/sysctl.d/zz-compute-tools.conf - sysctl -p - -or enable it manually with: - - echo 1 > /proc/sys/kernel/unprivileged_userns_clone - -Note that containers need to be started with the correct -configuration in /etc/compute-tools/container/config to run unpriviled -(private-users option). - - -5. 
Enabling container-shell ---------------------------- - -Managing privileged containers requires root privileges. In order to allow -unprivileged users to manage privileged containers without granting them -privileges or accounts, the container-shell can be used together with sudo -and a container user. - - sudo adduser --gecos "compute-tools,,," \ - --home /var/lib/open-infrastructure/container-shell \ - --shell /usr/bin/container-shell - - -6. IPv4 and IPv6 dual-stack ---------------------------- - -Examples for /etc/network/interfaces above work for IPv6 too when using correct -IPv6 addresses and netmasks. - -In order to use dual-stack, bridges must have a IPv4 address assigned -(can be a dummy one from a privacy range or 127.0.0.0/8). - -Let me repeat: dual-stack only works when you assign a primary IPv6 address -(private or public, doesn't matter) *and* add an additional IPv4 address. -Yes, the IPv4 address can be a private address, the containers can still -have a public IPv4 address. - -A complete example looks like this: - -auto bridge0 -iface bridge0 inet6 static - address 2a07:6b47:4::4:1 - netmask 48 - - up ip addr add 127.4.4.1 dev $IFACE - down ip addr del 127.4.4.1 dev $IFACE - - bridge_fd 0 - bridge_maxwait 0 - bridge_stp 0 - bridge-mcquerier 1 diff --git a/share/doc/host-setup.txt b/share/doc/host-setup.txt new file mode 100644 index 0000000..9a9ec94 --- /dev/null +++ b/share/doc/host-setup.txt 
@@ -0,0 +1,230 @@ +compute-tools: Host Setup +========================= + + +1. Debian Packages +------------------- + +apt install bridge-utils ifenslave vlan + + +2. Boot Parameters +------------------ + +2.1 CGroup Memory Controller (optional) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to enable the memory controller the following boot parameter needs to be used: + + cgroup_enable=memory + + +2.2 CGroup Swap Controller (optional) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to enable the swap controller the following boot parameter needs to be used: + + swapaccount=1 + +2.3 vsyscall (legacy) +~~~~~~~~~~~~~~~~~~~~~ + +In order to be able to execute binaries linked to older libc versions +(<= wheezy) on newer linux versions (>= buster), add the following boot +parameter (see #881813 for more information): + + vsyscall=emulate + + +3. Networking +~~~~~~~~~~~~~ + +3.1 Configure Network Bridge +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +3.1.1 Bridge: 1 Interface, standalone, DHCP +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +cat > /etc/network/interfaces << EOF +# /etc/network/interfaces + +source /etc/network/interfaces.d/* + +auto lo +iface lo inet loopback + +iface eno1 inet manual + +auto bridge0 +iface bridge0 inet dhcp + bridge_ports eno1 + bridge_fd 0 + bridge_maxwait 0 + bridge_stp 0 +EOF + + +3.1.2 Bridge: 1 Interface, standalone, static +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +cat > /etc/network/interfaces << EOF +# /etc/network/interfaces + +source /etc/network/interfaces.d/* + +auto lo +iface lo inet loopback + +iface eno1 inet manual + +auto bridge0 +iface bridge0 inet static + address 10.0.0.2 + gateway 10.0.0.1 + netmask 24 + + pre-up ip link set eno1 down + pre-up ip link set eno1 up + + bridge_ports eno1 + bridge_fd 0 + bridge_maxwait 0 + bridge_stp 0 +EOF + + +3.1.3 Bridge: 2 logical Interfaces, subnet, static +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +cat > /etc/network/interfaces << EOF +# /etc/network/interfaces + 
+source /etc/network/interfaces.d/* + +auto lo +iface lo inet loopback + +allow-hotplug eno1 +iface eno1 inet dhcp + +auto bridge0 +iface bridge0 inet static + address 10.0.0.1 + netmask 24 + + pre-up ip link add name bridge0 type bridge + post-down ip link delete bridge0 type bridge + + bridge_fd 0 + bridge_maxwait 0 + bridge_stp 0 +EOF + + +3.1.4 Bridge: 3 physical Interfaces, vlan, bonding, static +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +cat > /etc/network/interfaces << EOF +# /etc/network/interfaces + +source /etc/network/interfaces.d/* + +auto lo +iface lo inet loopback + +allow-hotplug eno1 +iface eno1 inet dhcp + +iface eno2 inet manual + +iface eno3 inet manual + +auto bond0 +iface bond0 inet manual + up ip link set bond0 up + down ip link set bond0 down + + slaves eno2 eno3 + + bond-mode 4 + bond-miimon 100 + bond-downdelay 200 + bond-updelay 200 + bond-lacp-rate 1 + bond-xmit-hash-policy layer2+3 + +iface bond0.100 inet manual + vlan-raw-device bond0 + +auto bridge-100 +iface bridge-100 inet static + address 10.100.0.2 + netmask 24 + + bridge_ports bond0.100 + bridge_fd 0 + bridge_maxwait 0 + bridge_stp 0 +EOF + + +4. Enabling user namespace for unprivileged containers +------------------------------------------------------ + +Linux supports unprivileged containers with the user namespace. +By default the user namespace is disabled on Debian systems (see #898446). +To enable user namespace, edit the following file for a permant change: + + /etc/sysctl.d/zz-compute-tools.conf + sysctl -p + +or enable it manually with: + + echo 1 > /proc/sys/kernel/unprivileged_userns_clone + +Note that containers need to be started with the correct +configuration in /etc/compute-tools/container/config to run unpriviled +(private-users option). + + +5. Enabling container-shell +--------------------------- + +Managing privileged containers requires root privileges. 
In order to allow
+unprivileged users to manage privileged containers without granting them
+privileges or accounts, the container-shell can be used together with sudo
+and a container user.
+
+ sudo adduser --gecos "compute-tools,,," \
+ --home /var/lib/open-infrastructure/container-shell \
+ --shell /usr/bin/container-shell
+
+
+6. IPv4 and IPv6 dual-stack
+---------------------------
+
+Examples for /etc/network/interfaces above work for IPv6 too when using correct
+IPv6 addresses and netmasks.
+
+In order to use dual-stack, bridges must have a IPv4 address assigned
+(can be a dummy one from a privacy range or 127.0.0.0/8).
+
+Let me repeat: dual-stack only works when you assign a primary IPv6 address
+(private or public, doesn't matter) *and* add an additional IPv4 address.
+Yes, the IPv4 address can be a private address, the containers can still
+have a public IPv4 address.
+
+A complete example looks like this:
+
+auto bridge0
+iface bridge0 inet6 static
+ address 2a07:6b47:4::4:1
+ netmask 48
+
+ up ip addr add 127.4.4.1 dev $IFACE
+ down ip addr del 127.4.4.1 dev $IFACE
+
+ bridge_fd 0
+ bridge_maxwait 0
+ bridge_stp 0
+ bridge-mcquerier 1
diff --git a/share/logrotate/container b/share/logrotate/container
index 0722aa5..d1783de 100644
--- a/share/logrotate/container
+++ b/share/logrotate/container
@@ -1,3 +1,5 @@
+# Open Infrastructure: compute-tools
+
 /var/log/compute-tools/container.log {
 compress
 create 0640 root adm
diff --git a/share/procps/zz-container.conf b/share/procps/zz-container.conf
index c464c42..61c047d 100644
--- a/share/procps/zz-container.conf
+++ b/share/procps/zz-container.conf
@@ -1,3 +1,5 @@
+# Open Infrastructure: compute-tools
+
 # The default limits are set to low for running many containers
 # and eventually lead to errors like the following on container start:
 #
diff --git a/share/scripts/debconf b/share/scripts/debconf
index 9a703e5..86c871f 100755
--- a/share/scripts/debconf
+++ b/share/scripts/debconf
@@ -602,10 +602,14 @@ EOF
 IPV4_ADDRESS1_PART4="$(echo ${IPV4_ADDRESS1} | cut -d. -f4)"
 IPV6_ADDRESS1="$(${DIG} AAAA +short ${NAME} | tail -n1)"
- # TODO: address parts
+ # FIXME: address parts
+
+ export IPV4_ADDRESS1 IPV4_ADDRESS1_PART1 IPV4_ADDRESS1_PART2 IPV4_ADDRESS1_PART3 IPV4_ADDRESS1_PART4
+ export IPV6_ADDRESS1
 fi
- sed -e "s|@NAME@|${NAME}|g" \
+ sed -e "s|@FILE@|${FILE}|g" \
+ -e "s|@NAME@|${NAME}|g" \
 -e "s|@IPV4_ADDRESS1@|${IPV4_ADDRESS1}|g" \
 -e "s|@IPV4_ADDRESS1_PART1@|${IPV4_ADDRESS1_PART1}|g" \
 -e "s|@IPV4_ADDRESS1_PART2@|${IPV4_ADDRESS1_PART2}|g" \
diff --git a/share/scripts/debootstrap b/share/scripts/debootstrap
index f0db7e8..9f5b6eb 100755
--- a/share/scripts/debootstrap
+++ b/share/scripts/debootstrap
@@ -174,9 +174,11 @@ do
 fi
 done
+# Run
 mkdir -p "${MACHINES}"
-
 ${BOOTSTRAP} ${BOOTSTRAP_OPTIONS} --arch=${ARCHITECTURE} --include=${INCLUDE} ${DISTRIBUTION} ${MACHINES}/${NAME} ${MIRROR}
+
+# Cleaning apt cache
 chroot "${MACHINES}/${NAME}" apt clean
 # Setting hostname
diff --git a/share/sudo/container-shell b/share/sudo/container-shell
index cd3f74d..c4108a6 100644
--- a/share/sudo/container-shell
+++ b/share/sudo/container-shell
@@ -1 +1,3 @@
+# Open Infrastructure: compute-tools
+
 container ALL=NOPASSWD: /usr/bin/container
diff --git a/share/systemd/container-auto.service b/share/systemd/container-auto.service
index 805bdc6..50f8ac6 100644
--- a/share/systemd/container-auto.service
+++ b/share/systemd/container-auto.service
@@ -1,3 +1,5 @@
+# Open Infrastructure: compute-tools
+
 [Unit]
 Description=compute-tools automatic start and stop
 Documentation=man:container-auto
diff --git a/share/systemd/container@.service b/share/systemd/container@.service
index 5d4425e..4bd7be5 100644
--- a/share/systemd/container@.service
+++ b/share/systemd/container@.service
@@ -1,3 +1,5 @@
+# Open Infrastructure: compute-tools
+
 [Unit]
 Description="Container: %i"
 Documentation=man:compute-tools
-- 
cgit v1.2.3
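Review bot: The new `-e "s|@FILE@|${FILE}|g"` interpolates `${FILE}` unescaped into a sed replacement, so a `|`, `&` or backslash in the path rewrites the expression instead of the output; the neighbouring `${NAME}`, `${IPV4_ADDRESS1}` and `${IPV6_ADDRESS1}` values have the same problem, and the last two are the raw last line of `dig +short`, which is a DNS answer rather than a validated address. Escape each value before it reaches sed, e.g. `FILE_SED="$(printf '%s' "${FILE}" | sed -e 's/[|&\\]/\\&/g')"` followed by `-e "s|@FILE@|${FILE_SED}|g" \`, and reject address strings that do not match a strict dotted-quad/hex-colon pattern before the substitution runs. The exported variables are only set when the enclosing `if` branch (which starts outside the hunk) is taken, so consumers presumably need to cope with them being absent. The `sed` invocation continues past the end of the hunk.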
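Review bot: The new `# Run` comment labels a `${BOOTSTRAP}` invocation whose exit status is never checked before `chroot "${MACHINES}/${NAME}" apt clean` and the hostname setup operate on the result; unless the script runs under `set -e` (not visible in this hunk), a failed or interrupted bootstrap leaves a partial tree that the following steps configure as if it were complete. Replace the comment with one that states intent and fail fast: `# Bootstrap the base system; abort so a partial tree is never configured` and `${BOOTSTRAP} ${BOOTSTRAP_OPTIONS} --arch=${ARCHITECTURE} --include=${INCLUDE} ${DISTRIBUTION} "${MACHINES}/${NAME}" ${MIRROR} || exit 1`. The `do`/`done` loop preceding this code begins outside the hunk.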
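Review bot: `container ALL=NOPASSWD: /usr/bin/container` lets the `container` account run the entire `container` front-end as root with any arguments and no password; the host-setup document in this same commit hands that account to unprivileged users through `container-shell`, so every subcommand and option the tool exposes (configuration paths, hook scripts, console access) becomes root-reachable unless container-shell filters the command line, which is not visible here. The new header comment is the place to record that trust boundary, e.g. `# Grants root execution of the full container front-end to the 'container' user; container-shell must restrict the command line`, and where the tool permits it the rule should be narrowed to the subcommands the shell actually needs. Note that sudoers `*` wildcards also match spaces, so per-subcommand entries should avoid a trailing `*` where arguments are user-controlled.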