compute-tools: Host Setup
=========================

Overview:

  - systemd-networkd for copper: access, no problems
  - systemd-networkd for fibre: only to bring the interface up
  - ovs for fibre: configuration only (i.e. bridge, bond, vlan)
  - systemd-networkd for fibre sets the IP addresses

  -> decide: as an alternative to ovs doing the heavy lifting (bridge/bond/vlan), networkd can do it as well. If

1. Debian Packages
------------------

apt install openvswitch-switch

2. Boot Parameters
------------------

2.1 CGroup Memory Controller
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to enable the memory controller, the following boot parameter needs to be used:

cgroup_enable=memory

2.2 CGroup Swap Controller
~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to enable the swap controller, the following boot parameter needs to be used:

swapaccount=1

2.3 vsyscall
~~~~~~~~~~~~

In order to be able to execute binaries linked against older libc versions (<= wheezy) on newer Linux versions (>= buster), add the following boot parameter (see #881813 for more information):

vsyscall=emulate

3. Networking
-------------

3.1 Enable IPv4 Forwarding
~~~~~~~~~~~~~~~~~~~~~~~~~~

apt install procps
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_forward.conf
sysctl --system

Note: "sysctl -p" without a file argument only loads /etc/sysctl.conf, so use "sysctl --system" to apply files in /etc/sysctl.d.

3.2 Configure Network Bridge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.2.1 Bridge: 1 Interface, standalone, DHCP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/systemd/network/eno1.network << EOF
[Match]
Name=eno1

[Network]
BindCarrier=bridge0
LinkLocalAddressing=no
EOF

cat > /etc/systemd/network/bridge0.network << EOF
[Match]
Name=bridge0

[Network]
DHCP=ipv4
EOF

ovs-vsctl add-br bridge0
ovs-vsctl add-port bridge0 eno1

3.2.2 Bridge: 1 Interface, standalone, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/systemd/network/eno1.network << EOF
[Match]
Name=eno1

[Network]
BindCarrier=bridge0
LinkLocalAddressing=no
EOF

cat > /etc/systemd/network/bridge0.network << EOF
[Match]
Name=bridge0

[Network]
DHCP=no
Address=10.0.0.2/24
Gateway=10.0.0.1
EOF

ovs-vsctl add-br bridge0
ovs-vsctl add-port bridge0 eno1

3.2.3 Bridge: 3 physical Interfaces, vlan, bonding, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/systemd/network/eno1.network << EOF
[Match]
Name=eno1

[Network]
DHCP=ipv4
EOF

cat > /etc/systemd/network/eno2.network << EOF
[Match]
Name=eno2

[Network]
BindCarrier=bridge0
LinkLocalAddressing=no
EOF

cat > /etc/systemd/network/eno3.network << EOF
[Match]
Name=eno3

[Network]
BindCarrier=bridge0
LinkLocalAddressing=no
EOF

cat > /etc/systemd/network/bridge0.network << EOF
[Match]
Name=bridge0

[Network]
LinkLocalAddressing=no
EOF

cat > /etc/systemd/network/bridge-100.network << EOF
[Match]
Name=bridge-100

[Network]
Address=10.100.0.2/24
EOF

ovs-vsctl add-br bridge0
ovs-vsctl add-bond bridge0 bond0 eno2 eno3 \
  bond_mode=balance-tcp \
  lacp=active \
  other_config:lacp-time=fast \
  other_config:bond-detect-mode=miimon \
  other_config:bond-miimon-interval=100 \
  bond_updelay=200 trunks=100
ovs-vsctl add-br bridge-100 bridge0 100

Note: bond_updelay is a column of the OVS Port table, not an other_config key, and the add-bond command must not end with a trailing backslash, otherwise the following ovs-vsctl line is swallowed as further arguments.

4. Enabling user namespace for unprivileged containers
------------------------------------------------------

Linux supports unprivileged containers with the user namespace. By default the user namespace is disabled on Debian systems (see #898446).

To enable user namespace, edit the following file for a permanent change:

/etc/sysctl.d/zz-compute-tools.conf

and apply it with:

sysctl --system

or enable it manually (until the next reboot) with:

echo 1 > /proc/sys/kernel/unprivileged_userns_clone

Note that containers need to be started with the correct configuration in /etc/compute-tools/container/config to run unprivileged (private-users option).

5. Enabling container-shell
---------------------------

Managing privileged containers requires root privileges. In order to allow unprivileged users to manage privileged containers without granting them privileges or accounts, the container-shell can be used together with sudo and a container user.

sudo adduser --gecos "compute-tools,,," \
  --home /var/lib/open-infrastructure/container-shell \
  --shell /usr/bin/container-shell USERNAME

Replace USERNAME with the name of the container user (adduser requires the user name as its last argument).

6. IPv4 and IPv6 dual-stack
---------------------------

The examples for /etc/network/interfaces above work for IPv6 too when using the correct IPv6 addresses and netmasks.

In order to use dual-stack, bridges must have an IPv4 address assigned (it can be a dummy one from a private range or from 127.0.0.0/8).

Let me repeat: dual-stack only works when you assign a primary IPv6 address (private or public, doesn't matter) *and* add an additional IPv4 address. Yes, the IPv4 address can be a private address, the containers can still have a public IPv4 address.

A complete example looks like this:

auto bridge0
iface bridge0 inet6 static
  address 2a07:6b47:4::4:1
  netmask 48
  up ip addr add 127.4.4.1 dev $IFACE
  down ip addr del 127.4.4.1 dev $IFACE
  bridge_fd 0
  bridge_maxwait 0
  bridge_stp 0
  bridge-mcquerier 1
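A host audit script, added here as an example and not part of compute-tools, that checks whether the boot parameters from section 2 and the sysctl settings from sections 3.1 and 4 are actually in effect on the running host. The check functions take their input as arguments so they can also be run against constructed strings; the function names and the --audit switch are this example's own choice.

```shell
#!/bin/sh
# Added example, not part of compute-tools: audit a host against the boot
# parameters (section 2) and the sysctl settings (sections 3.1 and 4).
# Each check takes its input as arguments, so it can run on constructed
# strings as well as on the live /proc/cmdline and /proc/sys.

# Print the required boot parameters missing from the given kernel cmdline;
# return 0 when none are missing, 1 otherwise.
check_cmdline() {
    missing=""
    for param in cgroup_enable=memory swapaccount=1 vsyscall=emulate; do
        case " $1 " in
            *" $param "*) ;;
            *) missing="$missing $param" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Compare the current value ($2) of sysctl key $1 with the expected one ($3);
# print "<key>: ok" or "<key>: got <value>, want <expected>".
check_sysctl_value() {
    if [ "$2" = "$3" ]; then
        printf '%s: ok\n' "$1"
        return 0
    fi
    printf '%s: got %s, want %s\n' "$1" "${2:-<unset>}" "$3"
    return 1
}

# Read a sysctl key via /proc/sys; prints nothing if the kernel lacks the knob.
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# Run every check against the running host; exit non-zero if any fails.
audit_host() {
    rc=0
    check_cmdline "$(cat /proc/cmdline)" || rc=1
    check_sysctl_value net.ipv4.ip_forward \
        "$(read_sysctl net.ipv4.ip_forward)" 1 || rc=1
    check_sysctl_value kernel.unprivileged_userns_clone \
        "$(read_sysctl kernel.unprivileged_userns_clone)" 1 || rc=1
    return $rc
}

case "${1:-}" in --audit) audit_host ;; esac
```

Run it as "sh audit.sh --audit" on the host after a reboot; a non-zero exit status means at least one of the settings above is not active, which matters because memory limits on containers silently do nothing without the memory controller.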