compute-tools: Host Setup (with systemd-networkd)
=================================================


1. Debian Packages
------------------

apt install systemd-networkd bridge-utils

Make sure to enable networkd (sudo systemctl enable systemd-networkd)
and convert /etc/network/interfaces (see systemd-networkd documentation).


2. Boot Parameters
------------------

2.1 CGroup Memory Controller (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to enable the memory controller the following boot parameter needs to be used:

	cgroup_enable=memory


2.2 CGroup Swap Controller (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In order to enable the swap controller the following boot parameter needs to be used:

	swapaccount=1

2.3 vsyscall (legacy)
~~~~~~~~~~~~~~~~~~~~~

In order to be able to execute binaries linked against older libc versions
(<= wheezy) on newer Linux versions (>= buster), add the following boot
parameter (see #881813 for more information):

	vsyscall=emulate


3. Networking
-------------

3.1 Configure Network Bridge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.1.1 Bridge: 1 Interface, standalone, DHCP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/systemd/network/bridge0.netdev << EOF
[NetDev]
Name=bridge0
Kind=bridge
EOF

cat > /etc/systemd/network/bridge0.network << EOF
[Match]
Name=bridge0

[Network]
DHCP=yes
EOF


3.1.2 Bridge: 1 Interface, standalone, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/systemd/network/bridge0.netdev << EOF
[NetDev]
Name=bridge0
Kind=bridge
EOF

cat > /etc/systemd/network/bridge0.network << EOF
[Match]
Name=bridge0

[Network]
Address=10.0.0.2/24
Gateway=10.0.0.1
EOF


3.1.3 Bridge: 3 physical Interfaces, vlan, bonding, static
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat > /etc/systemd/network/eno2.network << EOF
[Match]
Name=eno2

[Network]
Bond=bond0
EOF

cat > /etc/systemd/network/eno3.network << EOF
[Match]
Name=eno3

[Network]
Bond=bond0
EOF

cat > /etc/systemd/network/bond0.netdev << EOF
[NetDev]
Name=bond0
Kind=bond

[Bond]
Mode=802.3ad
TransmitHashPolicy=layer3+4
MIIMonitorSec=0.1
UpDelaySec=0.2
DownDelaySec=0.2
EOF

cat > /etc/systemd/network/bond0.network << EOF
[Match]
Name=bond0

[Network]
VLAN=100
EOF

cat > /etc/systemd/network/vlan-100.netdev << EOF
[NetDev]
Name=vlan-100
Kind=vlan

[VLAN]
Id=100
EOF

cat > /etc/systemd/network/vlan-100.network << EOF
[Match]
Name=vlan-100

[Network]
Bridge=bridge-100
EOF

cat > /etc/systemd/network/bridge-100.netdev << EOF
[NetDev]
Name=bridge-100
Kind=bridge
EOF

cat > /etc/systemd/network/bridge-100.network << EOF
[Match]
Name=bridge-100

[Network]
Address=10.100.0.2/24
Gateway=10.100.0.1
EOF
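As an added consistency check (not part of compute-tools or of the files above), the following Python script cross-checks a set of .netdev/.network files: a Bridge=, Bond= or VLAN= reference must name a defined NetDev, and every NetDev needs a .network file whose Match Name matches it, otherwise the device is created but never gets an address or attachment. The file contents are constructed inline and include a deliberate Match typo and a missing bond definition.

```python
import configparser

# Constructed sample input (not the page's files): the static bridge from 3.1.2
# with a Match typo (bridge-0 vs bridge0) and a bond member whose bond0.netdev
# is missing, both mistakes this checker is meant to surface.
SAMPLE_FILES = {
    "bridge0.netdev": "[NetDev]\nName=bridge0\nKind=bridge\n",
    "bridge0.network": "[Match]\nName=bridge-0\n\n[Network]\n"
                       "Address=10.0.0.2/24\nGateway=10.0.0.1\n",
    "eno2.network": "[Match]\nName=eno2\n\n[Network]\nBond=bond0\n",
}

# [Network] keys whose value must be a virtual device defined in a .netdev
LINK_KEYS = ("Bridge", "Bond", "VLAN")


def parse_unit(text):
    """Parse a systemd unit-style file, keeping key case as systemd does."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_networkd(files):
    """Cross-check files given as {filename: content}; return sorted problems."""
    netdevs = {}
    for fname, text in files.items():
        if fname.endswith(".netdev"):
            netdevs[parse_unit(text)["NetDev"]["Name"]] = fname
    matched, problems = set(), []
    for fname, text in files.items():
        if not fname.endswith(".network"):
            continue
        cp = parse_unit(text)
        if cp.has_section("Match"):
            matched.add(cp["Match"].get("Name", ""))
        if not cp.has_section("Network"):
            continue
        for key in LINK_KEYS:
            for target in cp["Network"].get(key, "").split():
                if target not in netdevs:
                    problems.append(f"{fname}: {key}={target} names no NetDev")
    for name, fname in netdevs.items():
        if name not in matched:
            problems.append(f"{fname}: NetDev {name} has no .network "
                            f"with Match Name={name}")
    return sorted(problems)


if __name__ == "__main__":
    for line in check_networkd(SAMPLE_FILES):
        print(line)
```

To check a real host, build the dictionary from the files in /etc/systemd/network instead of SAMPLE_FILES; an empty result means the names are consistent.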


4. Enabling user namespace for unprivileged containers
------------------------------------------------------

Linux supports unprivileged containers with the user namespace.
By default the user namespace is disabled on Debian systems (see #898446).
To enable the user namespace permanently, set kernel.unprivileged_userns_clone=1
in the following file and load it:

  /etc/sysctl.d/zz-compute-tools.conf
  sysctl -p /etc/sysctl.d/zz-compute-tools.conf

or enable it manually with:

  echo 1 > /proc/sys/kernel/unprivileged_userns_clone

Note that containers need to be started with the correct
configuration in /etc/compute-tools/container/config to run unprivileged
(private-users option).


5. Enabling container-shell
---------------------------

Managing privileged containers requires root privileges. In order to allow
unprivileged users to manage privileged containers without granting them
privileges or accounts, the container-shell can be used together with sudo
and a dedicated container user. Create that user as follows (<container-user>
is a placeholder for the user name you choose):

  sudo adduser --gecos "compute-tools,,," \
	--home /var/lib/open-infrastructure/container-shell \
	--shell /usr/bin/container-shell <container-user>


6. IPv4 and IPv6 dual-stack
---------------------------

The examples for /etc/network/interfaces above work for IPv6 too when correct
IPv6 addresses and netmasks are used.

In order to use dual-stack, bridges must have an IPv4 address assigned
(it can be a dummy one from a private range or from 127.0.0.0/8).

Let me repeat: dual-stack only works when you assign a primary IPv6 address
(private or public, doesn't matter) *and* add an additional IPv4 address.
Yes, the IPv4 address can be a private address, the containers can still
have a public IPv4 address.

A complete example looks like this:

auto bridge0
iface bridge0 inet6 static
	address			2a07:6b47:4::4:1
	netmask			48

	up			ip addr add 127.4.4.1 dev $IFACE
	down			ip addr del 127.4.4.1 dev $IFACE

	bridge_fd		0
	bridge_maxwait		0
	bridge_stp		0
	bridge-mcquerier	1