compute-tools: Host Setup ========================= 1. Debian Packages ------------------- apt install bridge-utils ifenslave vlan 2. Boot Parameters ------------------ 2.1 CGroup Memory Controller ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In order to enable the memory controller the following boot parameter needs to be used: cgroup_enable=memory 2.2 CGroup Swap Controller ~~~~~~~~~~~~~~~~~~~~~~~~~~ In order to enable the swap controller the following boot parameter needs to be used: swapaccount=1 2.3 vsyscall ~~~~~~~~~~~~ In order to be able to execute binaries linked to older libc versions (<= wheezy) newer linux versions (>= buster), add the following boot parameter (see #881813 for more information): vsyscall=emulate 3. Networking ~~~~~~~~~~~~~ 3.1 Enable IPv4 Forwarding ~~~~~~~~~~~~~~~~~~~~~~~~~~ apt install procps echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_foward.conf sysctl -p 3.2 Configure Network Bridge ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3.2.1 Bridge: 1 Interface, standalone, DHCP ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cat > /etc/network/interfaces << EOF # /etc/network/interfaces source /etc/network/interfaces.d/* auto lo iface lo inet loopback iface eno1 inet manual auto bridge0 iface bridge0 inet dhcp bridge_ports eno1 bridge_fd 0 bridge_maxwait 0 bridge_stp 0 EOF 3.2.2 Bridge: 1 Interface, standalone, static ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cat > /etc/network/interfaces << EOF # /etc/network/interfaces source /etc/network/interfaces.d/* auto lo iface lo inet loopback iface eno1 inet manual auto bridge0 iface bridge0 inet static address 10.0.0.2 gateway 10.0.0.1 netmask 24 pre-up ip link set eno1 down pre-up ip link set eno1 up bridge_ports eno1 bridge_fd 0 bridge_maxwait 0 bridge_stp 0 EOF 3.2.3 Bridge: 2 logical Interfaces, subnet, static ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cat > /etc/network/interfaces << EOF # /etc/network/interfaces source /etc/network/interfaces.d/* auto lo iface lo inet loopback allow-hotplug eno1 iface eno1 inet dhcp auto bridge0 iface bridge0 inet static address 10.0.0.1 netmask 24 pre-up ip link add name bridge0 type bridge post-down ip link delete bridge0 type bridge bridge_fd 0 bridge_maxwait 0 bridge_stp 0 EOF 3.2.4 Bridge: 3 physical Interfaces, vlan, bonding, static ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cat > /etc/network/interfaces << EOF # /etc/network/interfaces source /etc/network/interfaces.d/* auto lo iface lo inet loopback allow-hotplug eno1 iface eno1 inet dhcp iface eno2 inet manual iface eno3 inet manual auto bond0 iface bond0 inet manual up ip link set bond0 up down ip link set bond0 down slaves eno2 eno3 bond-mode 4 bond-miimon 100 bond-downdelay 200 bond-updelay 200 bond-lacp-rate 1 bond-xmit-hash-policy layer2+3 iface bond0.100 inet manual vlan-raw-device bond0 auto bridge-100 iface bridge-100 inet static address 10.100.0.2 netmask 24 bridge_ports bond0.100 bridge_fd 0 bridge_maxwait 0 bridge_stp 0 EOF 4. Enabling user namespace for unprivileged containers ------------------------------------------------------ Linux supports unprivileged containers with the user namespace. By default the user namespace is disabled on Debian systems (see #898446). To enable user namespace, edit the following file for a permant change: /etc/sysctl.d/zz-compute-tools.conf sysctl -p or enable it manually with: echo 1 > /proc/sys/kernel/unprivileged_userns_clone Note that containers need to be started with the correct configuration in /etc/compute-tools/container/config to run unpriviled (private-users option). 5. Enabling container-shell --------------------------- Managing privileged containers requires root privileges. In order to allow unprivileged users to manage privileged containers without granting them privileges or accounts, the container-shell can be used together with sudo and a container user. sudo adduser --gecos "compute-tools,,," \ --home /var/lib/open-infrastructure/container-shell \ --shell /usr/bin/container-shell 6. IPv4 and IPv6 dual-stack --------------------------- Examples for /etc/network/interfaces above work for IPv6 too when using correct IPv6 addresses and netmasks. In order to use dual-stack, bridges must have a IPv4 address assigned (can be a dummy one from a privacy range or 127.0.0.0/8). Let me repeat: dual-stack only works when you assign a primary IPv6 address (private or public, doesn't matter) *and* add an additional IPv4 address. Yes, the IPv4 address can be a private address, the containers can still have a public IPv4 address. A complete example looks like this: auto bridge0 iface bridge0 inet6 static address 2a07:6b47:4::4:1 netmask 48 up ip addr add 127.4.4.1 dev $IFACE down ip addr del 127.4.4.1 dev $IFACE bridge_fd 0 bridge_maxwait 0 bridge_stp 0 bridge-mcquerier 1