5 files changed, 395 insertions, 47 deletions
diff --git a/share/doc/examples/buster.cfg b/share/doc/examples/bookworm.cfg
index cfc8595..1f878f4 100644
--- a/share/doc/examples/buster.cfg
+++ b/share/doc/examples/bookworm.cfg
@@ -1,5 +1,5 @@
-# example for automated Debian 10 (buster) based container creation
-# using: sudo container create -s debian
+# example for automated Debian 12 (bookworm) based container building
+# using: sudo container build -s debian
 
 debconf debconf/priority select critical
 debconf debconf/frontend select Noninteractive
@@ -9,16 +9,16 @@ compute-tools container/mode select debian
 #compute-tools container/preseed-files string 
 #compute-tools container/include-preseed-files string 
 
-compute-tools container/distribution select buster
+compute-tools container/distribution select bookworm
 #compute-tools container/parent-distribution select 
 
 compute-tools container/architecture select auto
 
-compute-tools container/archives multiselect buster-security, buster-updates
+compute-tools container/archives multiselect bookworm-security, bookworm-updates
 #compute-tools container/parent-archives multiselect 
 
 compute-tools container/mirror string https://deb.debian.org/debian
-compute-tools container/mirror-security string http://security.debian.org
+compute-tools container/mirror-security string https://security.debian.org
 
 #compute-tools container/parent-mirror string 
 #compute-tools container/parent-mirror-security string 
diff --git a/share/doc/examples/container-images.sh b/share/doc/examples/container-images.sh
new file mode 100755
index 0000000..b711048
--- /dev/null
+++ b/share/doc/examples/container-images.sh
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+# Description: example for automated Debian base system container image builds
+# Requires:    debootstrap plzip xz-utils sudo
+# Usage:       ./container-images.sh
+
+set -e
+
+ARCHITECTURES="amd64 i386"
+DISTRIBUTIONS="buster bullseye bookworm sid"
+MIRROR="https://deb.debian.org/debian"
+INCLUDE="dbus"
+
+KEY="0x55CF1BF986ABB9C7"
+
+COMPRESSIONS="gz lz xz"
+
+DATE="$(date +%Y%m%d)"
+
+for DISTRIBUTION in ${DISTRIBUTIONS}
+do
+	for ARCHITECTURE in ${ARCHITECTURES}
+	do
+		TITLE="Debian ${DISTRIBUTION} ${DATE}/${ARCHITECTURE}"
+		SYSTEM="debian-${DISTRIBUTION}-${DATE}_${ARCHITECTURE}"
+
+		sudo debootstrap --arch=${ARCHITECTURE} --include=${INCLUDE} ${DISTRIBUTION} ${SYSTEM} ${MIRROR}
+		sudo chroot "${SYSTEM}" apt-get clean
+
+		VERSION="$(cat ${SYSTEM}/etc/debian_version)"
+
+		case "${VERSION}" in
+			[0-9]*)
+				TITLE="Debian ${VERSION} (${DISTRIBUTION}) ${DATE}/${ARCHITECTURE}"
+				SYSTEM="debian-${VERSION}-${DATE}_${ARCHITECTURE}"
+
+				sudo mv "debian-${DISTRIBUTION}-${DATE}_${ARCHITECTURE}" "${SYSTEM}"
+				;;
+		esac
+
+		sudo rm -f "${SYSTEM}/etc/apt/apt.conf.d/01autoremove-kernels"
+		sudo rm -f "${SYSTEM}/etc/hostname"
+		sudo rm -f "${SYSTEM}/etc/machine-id"
+		sudo rm -f "${SYSTEM}/etc/resolv.conf"
+		sudo rm -f "${SYSTEM}/var/lib/systemd/catalog/database"
+
+		for COMPRESSION in ${COMPRESSIONS}
+		do
+			case "${COMPRESSION}" in
+				gz)
+					TAR_OPTIONS="--gzip"
+					;;
+
+				lz)
+					TAR_OPTIONS="--lzip"
+					;;
+
+				xz)
+					TAR_OPTIONS="--xz"
+					;;
+			esac
+
+			echo "Building ${SYSTEM}.system.tar.${COMPRESSION}"
+			sudo tar ${TAR_OPTIONS} -cf "${SYSTEM}.system.tar.${COMPRESSION}" "${SYSTEM}"
+
+			echo "Building ${SYSTEM}.system.tar.${COMPRESSION}.sha512"
+			sha512sum "${SYSTEM}.system.tar.${COMPRESSION}" > "${SYSTEM}.system.tar.${COMPRESSION}.sha512"
+
+			if [ -n "${KEY}" ]
+			then
+				echo "Building ${SYSTEM}.system.tar.${COMPRESSION}.sig"
+				gpg -a -b --default-key ${KEY} ${SYSTEM}.system.tar.${COMPRESSION}
+				mv "${SYSTEM}.system.tar.${COMPRESSION}.asc" "${SYSTEM}.system.tar.${COMPRESSION}.sig"
+			fi
+
+			echo "Building ${SYSTEM}.system.tar.${COMPRESSION} symlink"
+			ln -sf "${SYSTEM}.system.tar.${COMPRESSION}" "$(echo ${SYSTEM}.system.tar.${COMPRESSION} | sed -e "s|${DATE}|current|")"
+
+			echo "Building ${SYSTEM}.system.tar.${COMPRESSION}.sha512 copy"
+			sed -e "s|${DATE}|current|" "${SYSTEM}.system.tar.${COMPRESSION}.sha512" > "$(echo ${SYSTEM}.system.tar.${COMPRESSION}.sha512 | sed -e "s|${DATE}|current|")"
+
+			if [ -e "${SYSTEM}.system.tar.${COMPRESSION}.sig" ]
+			then
+				echo "Building ${SYSTEM}.system.tar.${COMPRESSION}.sig copy"
+				cp "${SYSTEM}.system.tar.${COMPRESSION}.sig" "$(echo ${SYSTEM}.system.tar.${COMPRESSION}.sig | sed -e "s|${DATE}|current|")"
+			fi
+		done
+
+		sudo rm -rf "${SYSTEM}"
+
+cat >> container-list.txt << EOF
+${SYSTEM}.system.tar | ${TITLE}
+EOF
+
+	done
+done
diff --git a/share/doc/examples/engywuck-backports.cfg b/share/doc/examples/graograman-backports.cfg
index 392c40d..d1d2640 100644
--- a/share/doc/examples/engywuck-backports.cfg
+++ b/share/doc/examples/graograman-backports.cfg
@@ -1,5 +1,5 @@
-# example for automated Progress Linux 5+ (engywuck-backports) container creation
-# using: sudo container create -s progress-linux
+# example for automated Progress Linux 7.99 (graograman-backports) container building
+# using: sudo container build -s progress-linux
 
 debconf debconf/priority select critical
 debconf debconf/frontend select Noninteractive
@@ -9,22 +9,22 @@ compute-tools container/mode select progress-linux
 #compute-tools container/preseed-files string 
 #compute-tools container/include-preseed-files string 
 
-compute-tools container/distribution select engywuck-backports
+compute-tools container/distribution select graograman-backports
 #compute-tools container/parent-distribution select 
 
 compute-tools container/architecture select auto
 
-compute-tools container/archives multiselect engywuck-security, engywuck-updates, engywuck-extras, engywuck-backports, engywuck-backports-extras
+compute-tools container/archives multiselect graograman-security, graograman-updates, graograman-extras, graograman-backports, graograman-backports-extras
 #compute-tools container/parent-archives multiselect 
 
-compute-tools container/mirror string https://cdn.deb.progress-linux.org/packages
-compute-tools container/mirror-security string https://cdn.deb.progress-linux.org/packages
+compute-tools container/mirror string https://deb.progress-linux.org/packages
+compute-tools container/mirror-security string https://deb.progress-linux.org/packages
 
 compute-tools container/parent-mirror string https://deb.debian.org/debian
-compute-tools container/parent-mirror-security string http://security.debian.org
+compute-tools container/parent-mirror-security string https://security.debian.org
 
-compute-tools container/archive-areas multiselect main, contrib, non-free
-compute-tools container/parent-archive-areas multiselect main, contrib, non-free
+compute-tools container/archive-areas multiselect main, contrib, non-free, non-free-firmware
+compute-tools container/parent-archive-areas multiselect main, contrib, non-free, non-free-firmware
 
 compute-tools container/packages string knot-resolver openssh-server
 
diff --git a/share/doc/HOST-SETUP.txt b/share/doc/host-setup.old.txt
index e413872..69368d1 100644
--- a/share/doc/HOST-SETUP.txt
+++ b/share/doc/host-setup.old.txt
@@ -1,5 +1,5 @@
-compute-tools: Host Setup
-=========================
+compute-tools: Host Setup (with ifupdown)
+=========================================
 
 
 1. Debian Packages
@@ -11,27 +11,27 @@ apt install bridge-utils ifenslave vlan
 2. Boot Parameters
 ------------------
 
-2.1 CGroup Memory Controller
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+2.1 CGroup Memory Controller (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 In order to enable the memory controller the following boot parameter needs to be used:
 
 	cgroup_enable=memory
 
 
-2.2 CGroup Swap Controller
-~~~~~~~~~~~~~~~~~~~~~~~~~~
+2.2 CGroup Swap Controller (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 In order to enable the swap controller the following boot parameter needs to be used:
 
 	swapaccount=1
 
-2.3 vsyscall
-~~~~~~~~~~~~
+2.3 vsyscall (legacy)
+~~~~~~~~~~~~~~~~~~~~~
 
 In order to be able to execute binaries linked to older libc versions
-(<= wheezy) newer linux versions (>= buster), add the following boot parameter
-(see #881813 for more information):
+(<= wheezy) on newer linux versions (>= buster), add the following boot
+parameter (see #881813 for more information):
 
 	vsyscall=emulate
 
@@ -39,18 +39,10 @@ In order to be able to execute binaries linked to older libc versions
 3. Networking
 ~~~~~~~~~~~~~
 
-3.1 Enable IPv4 Forwarding
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-apt install procps
-echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_foward.conf
-sysctl -p
-
-
-3.2 Configure Network Bridge
+3.1 Configure Network Bridge
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-3.2.1 Bridge: 1 Interface, standalone, DHCP
+3.1.1 Bridge: 1 Interface, standalone, DHCP
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 cat > /etc/network/interfaces << EOF
@@ -63,7 +55,7 @@ iface lo inet loopback
 
 iface eno1 inet manual
 
-allow-hotplug bridge0
+auto bridge0
 iface bridge0 inet dhcp
 	bridge_ports	eno1
 	bridge_fd	0
@@ -72,7 +64,7 @@ iface bridge0 inet dhcp
 EOF
 
 
-3.2.2 Bridge: 1 Interface, standalone, static
+3.1.2 Bridge: 1 Interface, standalone, static
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 cat > /etc/network/interfaces << EOF
@@ -85,7 +77,7 @@ iface lo inet loopback
 
 iface eno1 inet manual
 
-allow-hotplug bridge0
+auto bridge0
 iface bridge0 inet static
 	address		10.0.0.2
 	gateway		10.0.0.1
@@ -101,7 +93,7 @@ iface bridge0 inet static
 EOF
 
 
-3.2.3 Bridge: 2 logical Interfaces, subnet, static
+3.1.3 Bridge: 2 logical Interfaces, subnet, static
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 cat > /etc/network/interfaces << EOF
@@ -115,7 +107,7 @@ iface lo inet loopback
 allow-hotplug eno1
 iface eno1 inet dhcp
 
-allow-hotplug bridge0
+auto bridge0
 iface bridge0 inet static
 	address		10.0.0.1
 	netmask		24
@@ -129,7 +121,7 @@ iface bridge0 inet static
 EOF
 
 
-3.2.4 Bridge: 3 physical Interfaces, vlan, bonding, static
+3.1.4 Bridge: 3 physical Interfaces, vlan, bonding, static
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 cat > /etc/network/interfaces << EOF
@@ -147,7 +139,7 @@ iface eno2 inet manual
 
 iface eno3 inet manual
 
-allow-hotplug bond0
+auto bond0
 iface bond0 inet manual
 	up			ip link set bond0 up
 	down			ip link set bond0 down
@@ -164,15 +156,11 @@ iface bond0 inet manual
 iface bond0.100 inet manual
 	vlan-raw-device bond0
 
-allow-hotplug br100
-iface br100 inet static
+auto bridge-100
+iface bridge-100 inet static
 	address			10.100.0.2
-	#gateway		10.100.0.1
 	netmask			24
 
-	post-up			ip route add 10.100.0.0/24 via 10.100.0.1 dev br100
-	post-down		ip route del 10.100.0.0/24 dev br100
-
 	bridge_ports		bond0.100
 	bridge_fd		0
 	bridge_maxwait		0
@@ -210,3 +198,33 @@ and a container user.
   sudo adduser --gecos "compute-tools,,," \
 	--home /var/lib/open-infrastructure/container-shell \
 	--shell /usr/bin/container-shell
+
+
+6. IPv4 and IPv6 dual-stack
+---------------------------
+
+Examples for /etc/network/interfaces above work for IPv6 too when using correct
+IPv6 addresses and netmasks.
+
+In order to use dual-stack, bridges must have a IPv4 address assigned
+(can be a dummy one from a privacy range or 127.0.0.0/8).
+
+Let me repeat: dual-stack only works when you assign a primary IPv6 address
+(private or public, doesn't matter) *and* add an additional IPv4 address.
+Yes, the IPv4 address can be a private address, the containers can still
+have a public IPv4 address.
+
+A complete example looks like this:
+
+auto bridge0
+iface bridge0 inet6 static
+	address			2a07:6b47:4::4:1
+	netmask			48
+
+	up			ip addr add 127.4.4.1 dev $IFACE
+	down			ip addr del 127.4.4.1 dev $IFACE
+
+	bridge_fd		0
+	bridge_maxwait		0
+	bridge_stp		0
+	bridge-mcquerier	1
diff --git a/share/doc/host-setup.txt b/share/doc/host-setup.txt
new file mode 100644
index 0000000..083e1aa
--- /dev/null
+++ b/share/doc/host-setup.txt
@@ -0,0 +1,217 @@
+compute-tools: Host Setup (with systemd-networkd)
+=================================================
+
+
+1. Debian Packages
+-------------------
+
+apt install systemd-networkd bridge-utils
+
+Make sure to enable networkd (sudo systemctl enable systemd-networkd)
+and convert /etc/network/interfaces (see systemd-networkd documentation).
+
+
+2. Boot Parameters
+------------------
+
+2.1 CGroup Memory Controller (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable the memory controller the following boot parameter needs to be used:
+
+	cgroup_enable=memory
+
+
+2.2 CGroup Swap Controller (optional)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable the swap controller the following boot parameter needs to be used:
+
+	swapaccount=1
+
+2.3 vsyscall (legacy)
+~~~~~~~~~~~~~~~~~~~~~
+
+In order to be able to execute binaries linked to older libc versions
+(<= wheezy) on newer linux versions (>= buster), add the following boot
+parameter (see #881813 for more information):
+
+	vsyscall=emulate
+
+
+3. Networking
+~~~~~~~~~~~~~
+
+3.1 Configure Network Bridge
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+3.1.1 Bridge: 1 Interface, standalone, DHCP
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/systemd/network/bridge0.netdev << EOF
+[NetDev]
+Name=bridge0
+Kind=bridge
+EOF
+
+cat > /etc/systemd/network/bridge0.network << EOF
+[Match]
+Name=bridge-0
+
+[Network]
+DHCP=yes
+EOF
+
+
+3.1.2 Bridge: 1 Interface, standalone, static
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/systemd/network/bridge0.netdev << EOF
+[NetDev]
+Name=bridge0
+Kind=bridge
+EOF
+
+cat > /etc/systemd/network/bridge0.network << EOF
+[Match]
+Name=bridge-0
+
+[Network]
+Address=10.0.0.2/24
+Gateway=10.0.0.1
+EOF
+
+
+3.1.3 Bridge: 3 physical Interfaces, vlan, bonding, static
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+cat > /etc/systemd/network/eno2.network<< EOF
+[Match]
+Name=eno2
+
+[Network]
+Bond=bond0
+EOF
+
+cat > /etc/systemd/network/eno3.network<< EOF
+[Match]
+Name=eno3
+
+[Network]
+Bond=bond0
+EOF
+
+cat > /etc/systemd/network/bond0.netdev << EOF
+[NetDev]
+Name=bond0
+Kind=bond
+
+[Bond]
+Mode=802.3ad
+TransmitHashPolicy=layer3+4
+MIIMonitorSec=0.1
+UpDelaySec=0.2
+DownDelaySec=0.2
+EOF
+
+cat > /etc/systemd/network/bond0.network << EOF
+[Match]
+Name=bond0
+
+[Network]
+VLAN=100
+EOF
+
+cat > /etc/systemd/network/vlan-100.netdev << EOF
+[NetDev]
+Name=vlan-100
+Kind=vlan
+
+[VLAN]
+Id=100
+EOF
+
+cat > /etc/systemd/network/vlan-100.netdev << EOF
+[Match]
+Name=vlan-100
+
+[Network]
+Bridge=bridge-100
+EOF
+
+cat > /etc/systemd/network/bridge-100.netdev << EOF
+[NetDev]
+Name=bridge-100
+Kind=bridge
+EOF
+
+cat > /etc/systemd/network/bridge-100.network << EOF
+[Match]
+Name=bridge-100
+
+[Network]
+Address=10.100.0.2/24
+Gateway=10.100.0.1
+EOF
+
+
+4. Enabling user namespace for unprivileged containers
+------------------------------------------------------
+
+Linux supports unprivileged containers with the user namespace.
+By default the user namespace is disabled on Debian systems (see #898446).
+To enable user namespace, edit the following file for a permant change:
+
+  /etc/sysctl.d/zz-compute-tools.conf
+  sysctl -p
+
+or enable it manually with:
+
+  echo 1 > /proc/sys/kernel/unprivileged_userns_clone
+
+Note that containers need to be started with the correct
+configuration in /etc/compute-tools/container/config to run unpriviled
+(private-users option).
+
+
+5. Enabling container-shell
+---------------------------
+
+Managing privileged containers requires root privileges. In order to allow
+unprivileged users to manage privileged containers without granting them
+privileges or accounts, the container-shell can be used together with sudo
+and a container user.
+
+  sudo adduser --gecos "compute-tools,,," \
+	--home /var/lib/open-infrastructure/container-shell \
+	--shell /usr/bin/container-shell
+
+
+6. IPv4 and IPv6 dual-stack
+---------------------------
+
+Examples for /etc/network/interfaces above work for IPv6 too when using correct
+IPv6 addresses and netmasks.
+
+In order to use dual-stack, bridges must have a IPv4 address assigned
+(can be a dummy one from a privacy range or 127.0.0.0/8).
+
+Let me repeat: dual-stack only works when you assign a primary IPv6 address
+(private or public, doesn't matter) *and* add an additional IPv4 address.
+Yes, the IPv4 address can be a private address, the containers can still
+have a public IPv4 address.
+
+A complete example looks like this:
+
+auto bridge0
+iface bridge0 inet6 static
+	address			2a07:6b47:4::4:1
+	netmask			48
+
+	up			ip addr add 127.4.4.1 dev $IFACE
+	down			ip addr del 127.4.4.1 dev $IFACE
+
+	bridge_fd		0
+	bridge_maxwait		0
+	bridge_stp		0
+	bridge-mcquerier	1