container-tools: Host Setup
===========================

1. Debian Packages
------------------

  apt install bridge-utils ifenslave vlan

2. Boot Parameters
------------------

2.1 CGroup Memory Controller
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to enable the memory controller the following boot parameter
needs to be used:

  cgroup_enable=memory

2.2 CGroup Swap Controller
~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to enable the swap controller the following boot parameter
needs to be used:

  swapaccount=1

2.3 vsyscall
~~~~~~~~~~~~

In order to be able to execute binaries linked against older libc versions
(<= wheezy) on newer Linux versions (>= buster), add the following boot
parameter (see #881813 for more information):

  vsyscall=emulate

3. Networking
-------------

3.1 Enable IPv4 Forwarding
~~~~~~~~~~~~~~~~~~~~~~~~~~

  apt install procps
  echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_forward.conf
  sysctl --system

(sysctl --system loads the files in /etc/sysctl.d/; a plain sysctl -p reads
only /etc/sysctl.conf and would leave the new setting unapplied until reboot.)

3.2 Configure Network Bridge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.2.1 Bridge: 1 Interface, standalone, DHCP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  cat > /etc/network/interfaces << EOF
  # /etc/network/interfaces

  source /etc/network/interfaces.d/*

  auto lo
  iface lo inet loopback

  iface eno1 inet manual

  allow-hotplug bridge0
  iface bridge0 inet dhcp
      bridge_ports eno1
      bridge_fd 0
      bridge_maxwait 0
      bridge_stp 0
  EOF

3.2.2 Bridge: 1 Interface, standalone, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  cat > /etc/network/interfaces << EOF
  # /etc/network/interfaces

  source /etc/network/interfaces.d/*

  auto lo
  iface lo inet loopback

  iface eno1 inet manual

  allow-hotplug bridge0
  iface bridge0 inet static
      address 10.0.0.2
      gateway 10.0.0.1
      netmask 255.255.255.0
      pre-up ip link set eno1 down
      pre-up ip link set eno1 up
      bridge_ports eno1
      bridge_fd 0
      bridge_maxwait 0
      bridge_stp 0
  EOF

3.2.3 Bridge: 2 logical Interfaces, subnet, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  cat > /etc/network/interfaces << EOF
  # /etc/network/interfaces

  source /etc/network/interfaces.d/*

  auto lo
  iface lo inet loopback

  allow-hotplug eno1
  iface eno1 inet dhcp

  allow-hotplug bridge0
  iface bridge0 inet static
      address 10.0.0.1
      netmask 255.255.255.0
      pre-up ip link add name bridge0 type bridge
      post-down ip link delete bridge0 type bridge
      bridge_fd 0
      bridge_maxwait 0
      bridge_stp 0
  EOF

3.2.4 Bridge: 3 physical Interfaces, vlan, bonding, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  cat > /etc/network/interfaces << EOF
  # /etc/network/interfaces

  source /etc/network/interfaces.d/*

  auto lo
  iface lo inet loopback

  allow-hotplug eno1
  iface eno1 inet dhcp

  iface eno2 inet manual
  iface eno3 inet manual

  allow-hotplug bond0
  iface bond0 inet manual
      up ip link set bond0 up
      down ip link set bond0 down
      slaves eno2 eno3
      bond-mode 4
      bond-miimon 100
      bond-downdelay 200
      bond-updelay 200
      bond-lacp-rate 1
      bond-xmit-hash-policy layer2+3

  iface bond0.100 inet manual
      vlan-raw-device bond0

  allow-hotplug br100
  iface br100 inet static
      address 10.100.0.2
      #gateway 10.100.0.1
      netmask 255.255.255.0
      post-up ip route add 10.100.0.0/24 via 10.100.0.1 dev br100
      post-down ip route del 10.100.0.0/24 dev br100
      bridge_ports bond0.100
      bridge_fd 0
      bridge_maxwait 0
      bridge_stp 0
  EOF

4. Enabling user namespace for unprivileged containers
------------------------------------------------------

Linux supports unprivileged containers with the user namespace. By default
the user namespace is disabled on Debian systems (see #898446).

To enable the user namespace, edit the following file for a permanent
change:

  /etc/sysctl.d/zz-container-tools.conf
  sysctl --system

or enable it manually with:

  echo 1 > /proc/sys/kernel/unprivileged_userns_clone

Note that containers need to be started with the correct configuration in
/etc/container-tools/config to run unprivileged (private-users option).

5. Enabling container-shell
---------------------------

Managing privileged containers requires root privileges.
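The boot parameters of section 2 and the sysctl settings of sections 3.1 and 4 are easy to write down and easy to get wrong (a typo in the parameter, a sysctl.d file that was never loaded). The following script is an added example, not part of container-tools, that reports which of those settings is actually in effect on the running kernel. The checks take their input as arguments so they can be run on constructed data; check_host feeds them the live values from /proc. The script name check-host.sh is an assumption of the example.

```shell
#!/bin/sh
# Added example (not part of container-tools): verify that the host settings
# from sections 2, 3.1 and 4 are in effect on the running kernel. Each check
# takes its input as an argument so it can be exercised on constructed data;
# check_host feeds it the live values from /proc. The script name
# "check-host.sh" is an assumption of this example.

# True if the kernel command line ($1) contains the exact parameter $2
# (so "swapaccount" does not match "swapaccount=1").
cmdline_has() {
    for _param in $1; do
        [ "$_param" = "$2" ] && return 0
    done
    return 1
}

# Print a /proc/sys entry by dotted sysctl name, or "missing" when the kernel
# does not expose it (kernel.unprivileged_userns_clone comes from a Debian
# kernel patch and does not exist on every kernel).
read_sysctl() {
    _path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$_path" ]; then cat "$_path"; else echo missing; fi
}

# Run one check: $1 label, $2 remedy, remaining arguments the command to run.
# Counts failures in _fail, which evaluate() resets and returns.
check() {
    _label=$1
    _remedy=$2
    shift 2
    if "$@"; then
        echo "ok   $_label"
    else
        echo "FAIL $_label: $_remedy"
        _fail=$((_fail + 1))
    fi
}

# $1 = kernel command line, $2 = net.ipv4.ip_forward,
# $3 = kernel.unprivileged_userns_clone. Prints one line per check and
# returns the number of failed checks, so 0 means every setting is in effect.
evaluate() {
    _fail=0
    check "cgroup memory controller" "boot with cgroup_enable=memory" \
        cmdline_has "$1" cgroup_enable=memory
    check "cgroup swap controller" "boot with swapaccount=1" \
        cmdline_has "$1" swapaccount=1
    check "vsyscall emulation for old libc" "boot with vsyscall=emulate" \
        cmdline_has "$1" vsyscall=emulate
    check "IPv4 forwarding" "net.ipv4.ip_forward = 1, then sysctl --system" \
        [ "$2" = 1 ]
    check "unprivileged user namespaces" \
        "kernel.unprivileged_userns_clone = 1, then sysctl --system" \
        [ "$3" = 1 ]
    return "$_fail"
}

# Evaluate the live host.
check_host() {
    evaluate "$(cat /proc/cmdline 2>/dev/null)" \
             "$(read_sysctl net.ipv4.ip_forward)" \
             "$(read_sysctl kernel.unprivileged_userns_clone)"
}

# Only act when run as a script, so the functions can be sourced for testing.
case "$0" in *check-host.sh) check_host ;; esac
```

The exit status is the number of failed checks, so the script can gate a provisioning run; a kernel that does not expose kernel.unprivileged_userns_clone at all shows up as a failure with the value "missing" rather than being silently skipped.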
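All four bridge layouts in section 3.2 declare the enslaved interface (eno1, or the bond0.100 VLAN) as "inet manual" and let the bridge own the address. The following function is an added example, not part of container-tools, that checks an /etc/network/interfaces file for the usual mistake of leaving a bridge port on dhcp or static, so that the port and the bridge would both try to configure the link. Files pulled in via "source" are not followed.

```shell
#!/bin/sh
# Added example (not part of container-tools): check that every interface
# named in a bridge_ports line of an /etc/network/interfaces file (the shape
# used in section 3.2) is configured "inet manual" if it has a stanza at all.
# A port with its own dhcp or static method runs a second configuration next
# to the bridge. Files pulled in via "source" are not followed.
# $1 = path of the interfaces file. Prints one line per offending port and
# returns 1 if any were found, 2 if the file cannot be read.

check_bridge_ports() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        # Remember the method of every iface stanza and which one is current.
        $1 == "iface" { method[$2] = $4; current = $2 }
        # bridge_ports belongs to the current stanza; record the owner per port.
        $1 == "bridge_ports" { for (i = 2; i <= NF; i++) owner[$i] = current }
        END {
            bad = 0
            for (p in owner) {
                # "none" is a legitimate port-less bridge; a port without any
                # stanza is brought up by the bridge hook and is fine too.
                if (p == "none" || !(p in method)) continue
                if (method[p] != "manual") {
                    print "bridge " owner[p] ": port " p " is inet " method[p] ", expected manual"
                    bad++
                }
            }
            exit (bad > 0)
        }' "$1"
}
```

Run it against the file after each of the cat heredocs above; the section 3.2.3 layout has no bridge_ports at all and passes trivially, while a port that was accidentally left on dhcp is named together with the bridge that claims it.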
In order to allow unprivileged users to manage privileged containers without
granting them privileges or accounts, the container-shell can be used together
with sudo and a container user:

  sudo adduser --gecos "container-tools,,," \
               --home /var/lib/machines/container-tools \
               --shell /usr/bin/container-shell \
               --no-create-home container
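Section 5 creates the container user but leaves the sudo side to the administrator. The following function is an added example, not part of container-tools, that installs a sudoers drop-in granting one group exactly one thing: running /usr/bin/container-shell as that user. The group name container-admins, the drop-in file name and the assumption that operators reach container-shell via "sudo -u container /usr/bin/container-shell" are this example's, not the project's.

```shell
#!/bin/sh
# Added example (not part of container-tools): install a sudoers drop-in that
# lets members of one group run container-shell as the "container" user from
# section 5, and nothing else. Assumptions of this example, not the project's:
# the group name "container-admins", the drop-in name "container-tools", and
# that operators invoke "sudo -u container /usr/bin/container-shell".
# $1 = sudoers.d directory (default /etc/sudoers.d), $2 = group (default
# container-admins). Prints the path written; returns 1 on any failure.

write_container_sudoers() {
    _dir=${1:-/etc/sudoers.d}
    _group=${2:-container-admins}
    _file="$_dir/container-tools"
    # Build the file under a name containing ".", which sudoers.d ignores, so a
    # half-written or rejected rule is never live; move it into place last.
    _tmp="$_file.tmp"
    # One group, one target user, one absolute command: no ALL, no wildcards,
    # no NOPASSWD, so the rule cannot be widened into a general root shell.
    ( umask 077 && printf '%s\n' \
        "# container-tools host setup, section 5: delegated container management" \
        "%$_group ALL=(container) /usr/bin/container-shell" > "$_tmp" ) || return 1
    chmod 0440 "$_tmp" || return 1
    # A syntax error in any sudoers.d file disables sudo for everyone, so
    # validate before the file goes live. visudo also checks owner and mode,
    # which only hold when run as root, so the check is root-only.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$_tmp" >/dev/null 2>&1; then
            rm -f "$_tmp"
            echo "visudo rejected $_tmp, not installed" >&2
            return 1
        fi
    fi
    mv -f "$_tmp" "$_file" || return 1
    echo "$_file"
}
```

The rule deliberately names the target user and the command path rather than "(ALL)" or "ALL", and keeps password authentication, so the only capability a group member gains is the restricted container-shell itself; everything the shell is allowed to do is then decided by container-tools, not by sudo.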