compute-tools: Host Setup
=========================


1. Debian Packages
-------------------

apt install bridge-utils ifenslave vlan


2. Boot Parameters
------------------

2.1 CGroup Memory Controller
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to enable the memory controller, the following boot parameter needs to be used:

	cgroup_enable=memory


2.2 CGroup Swap Controller
~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to enable the swap controller, the following boot parameter needs to be used:

	swapaccount=1

2.3 vsyscall
~~~~~~~~~~~~

In order to be able to execute binaries linked against older libc versions
(<= wheezy) on newer Linux versions (>= buster), add the following boot
parameter (see #881813 for more information):

	vsyscall=emulate
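The three parameters above only take effect after they are on the kernel command line, so it is worth having a repeatable way to persist them and to verify afterwards that the running kernel was actually booted with them. The script below is an added example, not compute-tools' own code. It assumes the host boots with GRUB 2 and keeps its parameters in the double-quoted GRUB_CMDLINE_LINUX line of /etc/default/grub (the Debian default); after changing that file, update-grub and a reboot are still required. Keep in mind that vsyscall=emulate re-exposes a legacy fixed-address interface to every process, which newer kernels leave disabled for hardening, so it belongs only on hosts that really run such old binaries.

```sh
#!/bin/sh
# Added example (not compute-tools code): persist the boot parameters from
# sections 2.1 to 2.3 and verify them on the running host.
# Assumption: the host uses GRUB 2 and reads a double-quoted
# GRUB_CMDLINE_LINUX="..." line from /etc/default/grub (the Debian default);
# run update-grub and reboot after changing it.

# Return 0 if parameter "$2" (e.g. cgroup_enable=memory) appears as a whole
# word in the kernel command line "$1". Pass "$(cat /proc/cmdline)" to test
# the running kernel.
has_boot_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Return 0 if controller "$2" is marked enabled (4th column) in a
# /proc/cgroups table passed as "$1". With cgroup_enable=memory in effect the
# "memory" row shows 1 here; with the controller disabled it shows 0.
cgroup_controller_enabled() {
    printf '%s\n' "$1" | awk -v ctl="$2" '
        $1 == ctl && $4 == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Add each parameter in "$@" to GRUB_CMDLINE_LINUX in the grub defaults file
# "$1", skipping parameters that are already present, and print the resulting
# parameter list. The caller still has to run update-grub and reboot.
add_grub_params() {
    grub_file=$1
    shift
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$grub_file")
    for p in "$@"; do
        has_boot_param "$current" "$p" || current="$current $p"
    done
    current=$(printf '%s' "$current" | sed 's/^ *//')
    if grep -q '^GRUB_CMDLINE_LINUX=' "$grub_file"; then
        sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$current\"|" "$grub_file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$current" >> "$grub_file"
    fi
    printf '%s\n' "$current"
}

# Report which of the three parameters the kernel command line "$1" carries.
# Returns 1 if any is missing, so the call can gate a provisioning step.
report_boot_params() {
    cmdline=$1
    missing=0
    for p in cgroup_enable=memory swapaccount=1 vsyscall=emulate; do
        if has_boot_param "$cmdline" "$p"; then
            echo "$p: present"
        else
            echo "$p: MISSING"
            missing=1
        fi
    done
    return $missing
}

# Typical use on the host (commented out so the functions can be sourced):
#   add_grub_params /etc/default/grub cgroup_enable=memory swapaccount=1 && update-grub
#   report_boot_params "$(cat /proc/cmdline)"
#   cgroup_controller_enabled "$(cat /proc/cgroups)" memory && echo "memory controller on"
```

The whole-word match in has_boot_param matters: a naive substring check would accept cgroup_enable=mem as a match for cgroup_enable=memory. The cgroup check is only meaningful for the memory controller; swap accounting and vsyscall are visible only on the command line.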


3. Networking
-------------

3.1 Enable IPv4 Forwarding
~~~~~~~~~~~~~~~~~~~~~~~~~~

apt install procps
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_forward.conf
sysctl -p /etc/sysctl.d/ip_forward.conf


3.2 Configure Network Bridge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.2.1 Bridge: 1 Interface, standalone, DHCP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface eno1 inet manual

allow-hotplug bridge0
iface bridge0 inet dhcp
	bridge_ports	eno1
	bridge_fd	0
	bridge_maxwait	0
	bridge_stp	0
EOF


3.2.2 Bridge: 1 Interface, standalone, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface eno1 inet manual

allow-hotplug bridge0
iface bridge0 inet static
	address		10.0.0.2
	gateway		10.0.0.1
	netmask		24

	pre-up		ip link set eno1 down
	pre-up		ip link set eno1 up

	bridge_ports	eno1
	bridge_fd	0
	bridge_maxwait	0
	bridge_stp	0
EOF


3.2.3 Bridge: 2 logical Interfaces, subnet, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug eno1
iface eno1 inet dhcp

allow-hotplug bridge0
iface bridge0 inet static
	address		10.0.0.1
	netmask		24

	pre-up		ip link add name bridge0 type bridge
	post-down	ip link delete bridge0 type bridge

	bridge_fd	0
	bridge_maxwait	0
	bridge_stp	0
EOF


3.2.4 Bridge: 3 physical Interfaces, vlan, bonding, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/network/interfaces << EOF
# /etc/network/interfaces

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug eno1
iface eno1 inet dhcp

iface eno2 inet manual

iface eno3 inet manual

allow-hotplug bond0
iface bond0 inet manual
	up			ip link set bond0 up
	down			ip link set bond0 down

	slaves			eno2 eno3

	bond-mode		4
	bond-miimon		100
	bond-downdelay		200
	bond-updelay		200
	bond-lacp-rate		1
	bond-xmit-hash-policy	layer2+3

iface bond0.100 inet manual
	vlan-raw-device bond0

allow-hotplug br100
iface br100 inet static
	address			10.100.0.2
	#gateway		10.100.0.1
	netmask			24

	post-up			ip route add 10.100.0.0/24 via 10.100.0.1 dev br100
	post-down		ip route del 10.100.0.0/24 dev br100

	bridge_ports		bond0.100
	bridge_fd		0
	bridge_maxwait		0
	bridge_stp		0
EOF
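All four configurations follow the same rule: every member listed in bridge_ports (eno1, or the VLAN sub-interface bond0.100) gets its own "iface ... inet manual" stanza and no address of its own, while addressing lives on the bridge. Getting this wrong is the usual reason a freshly configured bridge comes up without connectivity, so the function below lints an interfaces file for it before ifup is run. It is an added example, not compute-tools code; it reads the file on stdin, does not follow "source" lines, and the configuration it is tested against is constructed for the test.

```sh
#!/bin/sh
# Added example (not compute-tools code): sanity-check an ifupdown
# /etc/network/interfaces file read from stdin before running ifup on a
# bridge. It flags the two mistakes that most often leave a bridge without
# connectivity:
#   1. a bridge_ports member has no "iface <port> inet ..." stanza, so
#      ifupdown never brings the port up; and
#   2. a bridge_ports member has its own address method (static/dhcp)
#      instead of "manual", so the port competes with the bridge.
# Limitation: stanzas pulled in via "source" lines are not followed.
# Exit status is 0 when the file is clean, 1 otherwise; problems are printed.
lint_bridge_ports() {
    awk '
        # Remember the address method of every iface stanza, e.g. eno1 -> manual,
        # and which stanza we are currently inside.
        $1 == "iface" { cur = $2; method[$2] = $4 }
        # Collect "bridge_ports eno1 eno2 ..." under the current bridge stanza;
        # "none" means a bridge without physical ports (section 3.2.3 style).
        $1 == "bridge_ports" {
            for (i = 2; i <= NF; i++) if ($i != "none") ports[cur, $i] = 1
        }
        END {
            bad = 0
            for (key in ports) {
                split(key, kv, SUBSEP); br = kv[1]; port = kv[2]
                if (!(port in method)) {
                    printf "%s: port %s has no iface stanza\n", br, port
                    bad = 1
                } else if (method[port] != "manual") {
                    printf "%s: port %s uses method %s, expected manual\n", br, port, method[port]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Typical use on the host (commented out so the function can be sourced):
#   lint_bridge_ports < /etc/network/interfaces && ifup bridge0
```

Because the check keys on the iface stanza's fourth word, the VLAN case in 3.2.4 passes as long as "iface bond0.100 inet manual" is present; removing that stanza, or giving eno1 "inet dhcp" while it is also a bridge port, is reported.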


4. Enabling user namespace for unprivileged containers
------------------------------------------------------

Linux supports unprivileged containers with the user namespace.
By default the user namespace is disabled on Debian systems (see #898446).
To enable the user namespace permanently, set kernel.unprivileged_userns_clone = 1
in the following file and load it:

  /etc/sysctl.d/zz-compute-tools.conf
  sysctl -p /etc/sysctl.d/zz-compute-tools.conf

or enable it manually with:

  echo 1 > /proc/sys/kernel/unprivileged_userns_clone

Note that containers need to be started with the correct
configuration in /etc/compute-tools/container/config to run unprivileged
(private-users option).
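Both the IPv4 forwarding setting from section 3.1 and the user namespace setting above are persisted as drop-ins under /etc/sysctl.d, and a drop-in that was written but never loaded is a common source of "it worked until the reboot" (or the reverse) surprises: sysctl -p with no file name reads only /etc/sysctl.conf, while sysctl --system loads /etc/sysctl.d/*.conf. The functions below, an added example rather than compute-tools code, parse a sysctl.conf-style file and compare each persisted value with the live one in /proc/sys; the drop-in they are tested against is constructed for the test.

```sh
#!/bin/sh
# Added example (not compute-tools code): confirm that the sysctl settings
# from sections 3.1 and 4 are both persisted under /etc/sysctl.d and active
# on the running kernel. A value present in the file but different in
# /proc/sys means the drop-in was never loaded (use "sysctl --system" or
# "sysctl -p <file>", not a bare "sysctl -p", to load /etc/sysctl.d files).

# Print the value of key "$2" from the sysctl.conf-style file "$1".
# Handles "key = value" and "key=value", '#' and ';' comments, and the
# slash form of keys (net/ipv4/ip_forward). Exit 1 if the key is absent.
sysctl_file_value() {
    awk -v want="$2" '
        { sub(/[#;].*/, "") }                         # strip comments
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); gsub("/", ".", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; found = 1 }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Map a sysctl key to its /proc/sys path, e.g.
# kernel.unprivileged_userns_clone -> /proc/sys/kernel/unprivileged_userns_clone
sysctl_proc_path() {
    printf '/proc/sys/%s\n' "$1" | tr . /
}

# Print the live value of key "$1"; exit 1 if this kernel does not have it
# (kernel.unprivileged_userns_clone is a Debian-specific knob, for example).
sysctl_running_value() {
    path=$(sysctl_proc_path "$1")
    [ -r "$path" ] && cat "$path"
}

# Compare the persisted and running value of key "$2" from file "$1".
# Exit 0 only when both exist and agree.
check_sysctl() {
    file=$1; key=$2
    want=$(sysctl_file_value "$file" "$key") || { echo "$key: not set in $file"; return 1; }
    have=$(sysctl_running_value "$key") || { echo "$key: unknown to this kernel"; return 1; }
    if [ "$want" = "$have" ]; then
        echo "$key = $have (ok)"
    else
        echo "$key: file says $want, kernel says $have (run: sysctl --system)"
        return 1
    fi
}

# Typical use on the host (commented out so the functions can be sourced):
#   check_sysctl /etc/sysctl.d/zz-compute-tools.conf kernel.unprivileged_userns_clone
#   check_sysctl /etc/sysctl.d/<the drop-in from section 3.1> net.ipv4.ip_forward
```

Enabling unprivileged user namespaces widens the kernel interface reachable by ordinary users, which is why Debian ships it off; the check above makes it easy to see on every host whether the setting is on only where containers with the private-users option actually need it.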


5. Enabling container-shell
---------------------------

Managing privileged containers requires root privileges. In order to allow
unprivileged users to manage privileged containers without granting them
privileges or accounts, the container-shell can be used together with sudo
and a container user.

  sudo adduser --gecos "compute-tools,,," \
	--home /var/lib/open-infrastructure/container-shell \
	--shell /usr/bin/container-shell