Diffstat (limited to 'share/doc')
-rw-r--r-- | share/doc/examples/bookworm.cfg (renamed from share/doc/examples/buster.cfg) | 10 | ||||
-rwxr-xr-x | share/doc/examples/container-images.sh | 113 | ||||
-rw-r--r-- | share/doc/examples/graograman-backports.cfg (renamed from share/doc/examples/engywuck-backports.cfg) | 18 | ||||
-rw-r--r-- | share/doc/host-setup.old.txt (renamed from share/doc/HOST-SETUP.txt) | 84 | ||||
-rw-r--r-- | share/doc/host-setup.txt | 217 |
5 files changed, 395 insertions, 47 deletions
diff --git a/share/doc/examples/buster.cfg b/share/doc/examples/bookworm.cfg
index cfc8595..1f878f4 100644
--- a/share/doc/examples/buster.cfg
+++ b/share/doc/examples/bookworm.cfg
@@ -1,5 +1,5 @@
-# example for automated Debian 10 (buster) based container creation
-# using: sudo container create -s debian
+# example for automated Debian 12 (bookworm) based container building
+# using: sudo container build -s debian
 debconf debconf/priority select critical
 debconf debconf/frontend select Noninteractive
@@ -9,16 +9,16 @@ compute-tools container/mode select debian
 #compute-tools container/preseed-files string
 #compute-tools container/include-preseed-files string
-compute-tools container/distribution select buster
+compute-tools container/distribution select bookworm
 #compute-tools container/parent-distribution select
 compute-tools container/architecture select auto
-compute-tools container/archives multiselect buster-security, buster-updates
+compute-tools container/archives multiselect bookworm-security, bookworm-updates
 #compute-tools container/parent-archives multiselect
 compute-tools container/mirror string https://deb.debian.org/debian
-compute-tools container/mirror-security string http://security.debian.org
+compute-tools container/mirror-security string https://security.debian.org
 #compute-tools container/parent-mirror string
 #compute-tools container/parent-mirror-security string
diff --git a/share/doc/examples/container-images.sh b/share/doc/examples/container-images.sh
new file mode 100755
index 0000000..b711048
--- /dev/null
+++ b/share/doc/examples/container-images.sh
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+# Description: example for automated Debian base system container image builds
+# Requires: debootstrap plzip xz-utils sudo
+# Usage: ./container-images.sh
+
+set -e
+
+ARCHITECTURES="amd64 i386"
+DISTRIBUTIONS="buster bullseye bookworm sid"
+MIRROR="https://deb.debian.org/debian"
+INCLUDE="dbus"
+
+KEY="0x55CF1BF986ABB9C7"
+
+COMPRESSIONS="gz lz xz"
+
+DATE="$(date +%Y%m%d)"
+
+for DISTRIBUTION in ${DISTRIBUTIONS}
+do
+for ARCHITECTURE in ${ARCHITECTURES}
+do
+TITLE="Debian ${DISTRIBUTION} ${DATE}/${ARCHITECTURE}"
+SYSTEM="debian-${DISTRIBUTION}-${DATE}_${ARCHITECTURE}"
+
+sudo debootstrap --arch=${ARCHITECTURE} --include=${INCLUDE} ${DISTRIBUTION} ${SYSTEM} ${MIRROR}
+sudo chroot "${SYSTEM}" apt-get clean
+
+VERSION="$(cat ${SYSTEM}/etc/debian_version)"
+
+case "${VERSION}" in
+[0-9]*)
+TITLE="Debian ${VERSION} (${DISTRIBUTION}) ${DATE}/${ARCHITECTURE}"
+SYSTEM="debian-${VERSION}-${DATE}_${ARCHITECTURE}"
+
+sudo mv "debian-${DISTRIBUTION}-${DATE}_${ARCHITECTURE}" "${SYSTEM}"
+;;
+esac
+
+sudo rm -f "${SYSTEM}/etc/apt/apt.conf.d/01autoremove-kernels"
+sudo rm -f "${SYSTEM}/etc/hostname"
+sudo rm -f "${SYSTEM}/etc/machine-id"
+sudo rm -f "${SYSTEM}/etc/resolv.conf"
+sudo rm -f "${SYSTEM}/var/lib/systemd/catalog/database"
+
+for COMPRESSION in ${COMPRESSIONS}
+do
+case "${COMPRESSION}" in
+gz)
+TAR_OPTIONS="--gzip"
+;;
+
+lz)
+TAR_OPTIONS="--lzip"
+;;
+
+xz)
+TAR_OPTIONS="--xz"
+;;
+esac
+
+echo "Building ${SYSTEM}.system.tar.${COMPRESSION}"
+sudo tar ${TAR_OPTIONS} -cf "${SYSTEM}.system.tar.${COMPRESSION}" "${SYSTEM}"
+
+echo "Building ${SYSTEM}.system.tar.${COMPRESSION}.sha512"
+sha512sum "${SYSTEM}.system.tar.${COMPRESSION}" > "${SYSTEM}.system.tar.${COMPRESSION}.sha512"
+
+if [ -n "${KEY}" ]
+then
+echo "Building ${SYSTEM}.system.tar.${COMPRESSION}.sig"
+gpg -a -b --default-key ${KEY} ${SYSTEM}.system.tar.${COMPRESSION}
+mv "${SYSTEM}.system.tar.${COMPRESSION}.asc" "${SYSTEM}.system.tar.${COMPRESSION}.sig"
+fi
+
+echo "Building ${SYSTEM}.system.tar.${COMPRESSION} symlink"
+ln -sf "${SYSTEM}.system.tar.${COMPRESSION}" "$(echo ${SYSTEM}.system.tar.${COMPRESSION} | sed -e "s|${DATE}|current|")"
+
+echo "Building ${SYSTEM}.system.tar.${COMPRESSION}.sha512 copy"
+sed -e "s|${DATE}|current|" "${SYSTEM}.system.tar.${COMPRESSION}.sha512" > "$(echo ${SYSTEM}.system.tar.${COMPRESSION}.sha512 | sed -e "s|${DATE}|current|")"
+
+if [ -e "${SYSTEM}.system.tar.${COMPRESSION}.sig" ]
+then
+echo "Building ${SYSTEM}.system.tar.${COMPRESSION}.sig copy"
+cp "${SYSTEM}.system.tar.${COMPRESSION}.sig" "$(echo ${SYSTEM}.system.tar.${COMPRESSION}.sig | sed -e "s|${DATE}|current|")"
+fi
+done
+
+sudo rm -rf "${SYSTEM}"
+
+cat >> container-list.txt << EOF
+${SYSTEM}.system.tar | ${TITLE}
+EOF
+
+done
+done
diff --git a/share/doc/examples/engywuck-backports.cfg b/share/doc/examples/graograman-backports.cfg
index 392c40d..d1d2640 100644
--- a/share/doc/examples/engywuck-backports.cfg
+++ b/share/doc/examples/graograman-backports.cfg
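Review bot: The signing step identifies the release key only by the 64-bit ID in `KEY="0x55CF1BF986ABB9C7"`, and the `gpg -a -b --default-key ${KEY} ${SYSTEM}.system.tar.${COMPRESSION}` line passes both expansions unquoted; gpg selects a key by suffix match on the fingerprint, so pinning the full 40-hex fingerprint and quoting the arguments, `gpg -a -b --default-key "${KEY}" "${SYSTEM}.system.tar.${COMPRESSION}"`, removes the ambiguity about which key signs the images. Because `set -e` aborts on the first failing command and `sudo rm -rf "${SYSTEM}"` only runs after the compression loop, a failed debootstrap, tar or gpg call leaves a root-owned chroot in the working directory; a single-quoted `trap 'sudo rm -rf "${SYSTEM}"' EXIT` set once `SYSTEM` is assigned would make the example safe to rerun. The `.sha512` file is an unsigned integrity aid while the detached `.sig` is the authenticity proof; a comment above the `sha512sum` line, e.g. `# integrity only; authenticity comes from the detached gpg signature below`, would keep consumers from trusting the wrong artifact.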
@@ -1,5 +1,5 @@
-# example for automated Progress Linux 5+ (engywuck-backports) container creation
-# using: sudo container create -s progress-linux
+# example for automated Progress Linux 7.99 (graograman-backports) container building
+# using: sudo container build -s progress-linux
 debconf debconf/priority select critical
 debconf debconf/frontend select Noninteractive
@@ -9,22 +9,22 @@ compute-tools container/mode select progress-linux
 #compute-tools container/preseed-files string
 #compute-tools container/include-preseed-files string
-compute-tools container/distribution select engywuck-backports
+compute-tools container/distribution select graograman-backports
 #compute-tools container/parent-distribution select
 compute-tools container/architecture select auto
-compute-tools container/archives multiselect engywuck-security, engywuck-updates, engywuck-extras, engywuck-backports, engywuck-backports-extras
+compute-tools container/archives multiselect graograman-security, graograman-updates, graograman-extras, graograman-backports, graograman-backports-extras
 #compute-tools container/parent-archives multiselect
-compute-tools container/mirror string https://cdn.deb.progress-linux.org/packages
-compute-tools container/mirror-security string https://cdn.deb.progress-linux.org/packages
+compute-tools container/mirror string https://deb.progress-linux.org/packages
+compute-tools container/mirror-security string https://deb.progress-linux.org/packages
 compute-tools container/parent-mirror string https://deb.debian.org/debian
-compute-tools container/parent-mirror-security string http://security.debian.org
+compute-tools container/parent-mirror-security string https://security.debian.org
-compute-tools container/archive-areas multiselect main, contrib, non-free
-compute-tools container/parent-archive-areas multiselect main, contrib, non-free
+compute-tools container/archive-areas multiselect main, contrib, non-free, non-free-firmware
+compute-tools container/parent-archive-areas multiselect main, contrib, non-free, non-free-firmware
 compute-tools container/packages string knot-resolver openssh-server
diff --git a/share/doc/HOST-SETUP.txt b/share/doc/host-setup.old.txt
index e413872..69368d1 100644
--- a/share/doc/HOST-SETUP.txt
+++ b/share/doc/host-setup.old.txt
@@ -1,5 +1,5 @@ -compute-tools: Host Setup -========================= +compute-tools: Host Setup (with ifupdown) +========================================= 1. Debian Packages @@ -11,27 +11,27 @@ apt install bridge-utils ifenslave vlan 2. Boot Parameters ------------------ -2.1 CGroup Memory Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +2.1 CGroup Memory Controller (optional) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In order to enable the memory controller the following boot parameter needs to be used: cgroup_enable=memory -2.2 CGroup Swap Controller -~~~~~~~~~~~~~~~~~~~~~~~~~~ +2.2 CGroup Swap Controller (optional) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In order to enable the swap controller the following boot parameter needs to be used: swapaccount=1 -2.3 vsyscall -~~~~~~~~~~~~ +2.3 vsyscall (legacy) +~~~~~~~~~~~~~~~~~~~~~ In order to be able to execute binaries linked to older libc versions -(<= wheezy) newer linux versions (>= buster), add the following boot parameter -(see #881813 for more information): +(<= wheezy) on newer linux versions (>= buster), add the following boot +parameter (see #881813 for more information): vsyscall=emulate @@ -39,18 +39,10 @@ In order to be able to execute binaries linked to older libc versions 3. Networking ~~~~~~~~~~~~~ -3.1 Enable IPv4 Forwarding -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -apt install procps -echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_foward.conf -sysctl -p - - -3.2 Configure Network Bridge +3.1 Configure Network Bridge ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -3.2.1 Bridge: 1 Interface, standalone, DHCP +3.1.1 Bridge: 1 Interface, standalone, DHCP ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cat > /etc/network/interfaces << EOF @@ -63,7 +55,7 @@ iface lo inet loopback iface eno1 inet manual -allow-hotplug bridge0 +auto bridge0 iface bridge0 inet dhcp bridge_ports eno1 bridge_fd 0 
@@ -72,7 +64,7 @@ iface bridge0 inet dhcp EOF -3.2.2 Bridge: 1 Interface, standalone, static +3.1.2 Bridge: 1 Interface, standalone, static ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cat > /etc/network/interfaces << EOF @@ -85,7 +77,7 @@ iface lo inet loopback iface eno1 inet manual -allow-hotplug bridge0 +auto bridge0 iface bridge0 inet static address 10.0.0.2 gateway 10.0.0.1 @@ -101,7 +93,7 @@ iface bridge0 inet static EOF -3.2.3 Bridge: 2 logical Interfaces, subnet, static +3.1.3 Bridge: 2 logical Interfaces, subnet, static ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cat > /etc/network/interfaces << EOF @@ -115,7 +107,7 @@ iface lo inet loopback allow-hotplug eno1 iface eno1 inet dhcp -allow-hotplug bridge0 +auto bridge0 iface bridge0 inet static address 10.0.0.1 netmask 24 @@ -129,7 +121,7 @@ iface bridge0 inet static EOF -3.2.4 Bridge: 3 physical Interfaces, vlan, bonding, static +3.1.4 Bridge: 3 physical Interfaces, vlan, bonding, static ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cat > /etc/network/interfaces << EOF @@ -147,7 +139,7 @@ iface eno2 inet manual iface eno3 inet manual -allow-hotplug bond0 +auto bond0 iface bond0 inet manual up ip link set bond0 up down ip link set bond0 down @@ -164,15 +156,11 @@ iface bond0 inet manual iface bond0.100 inet manual vlan-raw-device bond0 -allow-hotplug br100 -iface br100 inet static +auto bridge-100 +iface bridge-100 inet static address 10.100.0.2 - #gateway 10.100.0.1 netmask 24 - post-up ip route add 10.100.0.0/24 via 10.100.0.1 dev br100 - post-down ip route del 10.100.0.0/24 dev br100 - bridge_ports bond0.100 bridge_fd 0 bridge_maxwait 0 
@@ -210,3 +198,33 @@ and a container user. sudo adduser --gecos "compute-tools,,," \ --home /var/lib/open-infrastructure/container-shell \ --shell /usr/bin/container-shell + + +6. IPv4 and IPv6 dual-stack +--------------------------- + +Examples for /etc/network/interfaces above work for IPv6 too when using correct +IPv6 addresses and netmasks. + +In order to use dual-stack, bridges must have a IPv4 address assigned +(can be a dummy one from a privacy range or 127.0.0.0/8). + +Let me repeat: dual-stack only works when you assign a primary IPv6 address +(private or public, doesn't matter) *and* add an additional IPv4 address. +Yes, the IPv4 address can be a private address, the containers can still +have a public IPv4 address. + +A complete example looks like this: + +auto bridge0 +iface bridge0 inet6 static + address 2a07:6b47:4::4:1 + netmask 48 + + up ip addr add 127.4.4.1 dev $IFACE + down ip addr del 127.4.4.1 dev $IFACE + + bridge_fd 0 + bridge_maxwait 0 + bridge_stp 0 + bridge-mcquerier 1 diff --git a/share/doc/host-setup.txt b/share/doc/host-setup.txt new file mode 100644 index 0000000..083e1aa --- /dev/null +++ b/share/doc/host-setup.txt 
@@ -0,0 +1,217 @@ +compute-tools: Host Setup (with systemd-networkd) +================================================= + + +1. Debian Packages +------------------- + +apt install systemd-networkd bridge-utils + +Make sure to enable networkd (sudo systemctl enable systemd-networkd) +and convert /etc/network/interfaces (see systemd-networkd documentation). + + +2. Boot Parameters +------------------ + +2.1 CGroup Memory Controller (optional) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to enable the memory controller the following boot parameter needs to be used: + + cgroup_enable=memory + + +2.2 CGroup Swap Controller (optional) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to enable the swap controller the following boot parameter needs to be used: + + swapaccount=1 + +2.3 vsyscall (legacy) +~~~~~~~~~~~~~~~~~~~~~ + +In order to be able to execute binaries linked to older libc versions +(<= wheezy) on newer linux versions (>= buster), add the following boot +parameter (see #881813 for more information): + + vsyscall=emulate + + +3. 
Networking +~~~~~~~~~~~~~ + +3.1 Configure Network Bridge +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +3.1.1 Bridge: 1 Interface, standalone, DHCP +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +cat > /etc/systemd/network/bridge0.netdev << EOF +[NetDev] +Name=bridge0 +Kind=bridge +EOF + +cat > /etc/systemd/network/bridge0.network << EOF +[Match] +Name=bridge-0 + +[Network] +DHCP=yes +EOF + + +3.1.2 Bridge: 1 Interface, standalone, static +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +cat > /etc/systemd/network/bridge0.netdev << EOF +[NetDev] +Name=bridge0 +Kind=bridge +EOF + +cat > /etc/systemd/network/bridge0.network << EOF +[Match] +Name=bridge-0 + +[Network] +Address=10.0.0.2/24 +Gateway=10.0.0.1 +EOF + + +3.1.3 Bridge: 3 physical Interfaces, vlan, bonding, static +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +cat > /etc/systemd/network/eno2.network<< EOF +[Match] +Name=eno2 + +[Network] +Bond=bond0 +EOF + +cat > /etc/systemd/network/eno3.network<< EOF +[Match] +Name=eno3 + +[Network] +Bond=bond0 +EOF + +cat > /etc/systemd/network/bond0.netdev << EOF +[NetDev] +Name=bond0 +Kind=bond + +[Bond] +Mode=802.3ad +TransmitHashPolicy=layer3+4 +MIIMonitorSec=0.1 +UpDelaySec=0.2 +DownDelaySec=0.2 +EOF + +cat > /etc/systemd/network/bond0.network << EOF +[Match] +Name=bond0 + +[Network] +VLAN=100 +EOF + +cat > /etc/systemd/network/vlan-100.netdev << EOF +[NetDev] +Name=vlan-100 +Kind=vlan + +[VLAN] +Id=100 +EOF + +cat > /etc/systemd/network/vlan-100.netdev << EOF +[Match] +Name=vlan-100 + +[Network] +Bridge=bridge-100 +EOF + +cat > /etc/systemd/network/bridge-100.netdev << EOF +[NetDev] +Name=bridge-100 +Kind=bridge +EOF + +cat > /etc/systemd/network/bridge-100.network << EOF +[Match] +Name=bridge-100 + +[Network] +Address=10.100.0.2/24 +Gateway=10.100.0.1 +EOF + + +4. Enabling user namespace for unprivileged containers +------------------------------------------------------ + +Linux supports unprivileged containers with the user namespace. 
+By default the user namespace is disabled on Debian systems (see #898446). +To enable user namespace, edit the following file for a permant change: + + /etc/sysctl.d/zz-compute-tools.conf + sysctl -p + +or enable it manually with: + + echo 1 > /proc/sys/kernel/unprivileged_userns_clone + +Note that containers need to be started with the correct +configuration in /etc/compute-tools/container/config to run unpriviled +(private-users option). + + +5. Enabling container-shell +--------------------------- + +Managing privileged containers requires root privileges. In order to allow +unprivileged users to manage privileged containers without granting them +privileges or accounts, the container-shell can be used together with sudo +and a container user. + + sudo adduser --gecos "compute-tools,,," \ + --home /var/lib/open-infrastructure/container-shell \ + --shell /usr/bin/container-shell + + +6. IPv4 and IPv6 dual-stack +--------------------------- + +Examples for /etc/network/interfaces above work for IPv6 too when using correct +IPv6 addresses and netmasks. + +In order to use dual-stack, bridges must have a IPv4 address assigned +(can be a dummy one from a privacy range or 127.0.0.0/8). + +Let me repeat: dual-stack only works when you assign a primary IPv6 address +(private or public, doesn't matter) *and* add an additional IPv4 address. +Yes, the IPv4 address can be a private address, the containers can still +have a public IPv4 address. + +A complete example looks like this: + +auto bridge0 +iface bridge0 inet6 static + address 2a07:6b47:4::4:1 + netmask 48 + + up ip addr add 127.4.4.1 dev $IFACE + down ip addr del 127.4.4.1 dev $IFACE + + bridge_fd 0 + bridge_maxwait 0 + bridge_stp 0 + bridge-mcquerier 1 |