Linode Forum
Linode Community Forums
Posted: Thu May 23, 2013 12:14 am

Joined: Wed May 22, 2013 11:48 pm
Posts: 1
I would like to run an OpenVPN client inside of an LXC container in order to isolate several applications which must only use a certain OpenVPN connection. I understand that this is probably possible to do using careful routing, but I want to guarantee that these applications (which use several protocols and multiple TCP/UDP ports) absolutely cannot use the default route. My issue is that the provided 32-bit Arch kernel does not provide a few necessary kernel options:
Code:
[root@blah blah]# lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: required
User namespace: missing
Network namespace: missing
Multiple /dev/pts instances: missing

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: missing
Macvlan: missing
Vlan: enabled
File capabilities: enabled
I would switch to pv-grub, but the stock 32-bit Arch kernel does not support xen, and the 32-bit Arch kernel with xen support in the AUR is extremely out of date.
I could compile my own kernel and keep it up to date, but this would be an annoyance. Is there any chance we could get these options compiled into the next provided 32-bit Arch kernel? CONFIG_PID_NS and CONFIG_NET_NS would probably be sufficient for OpenVPN, but I'm not totally sure.

Alternatively, if anyone knows of a better way to guarantee that certain processes will only use an OpenVPN connection, and that other processes will not have this OpenVPN connection available to them, I would certainly be interested.


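Added example (editorial, not posted by anyone in this thread): the guarantee asked for in the last paragraph of the first post is exactly what a network namespace gives, and it needs precisely the two options lxc-checkconfig reports as missing above, CONFIG_NET_NS and CONFIG_VETH. The script below puts the confined applications into a namespace whose only link to the outside is a veth pair to the host, runs the OpenVPN client inside that namespace so tun0 exists only there, and installs a namespace-local iptables policy that permits nothing except the tunnel handshake to the VPN server and traffic over tun0. Processes in the namespace cannot see eth0 at all, and if the tunnel drops they get "Network is unreachable" rather than falling back to the host's default route. Everything here is an assumption of mine, not from the thread: the namespace name, the veth names, the 10.200.1.0/30 link, the 203.0.113.10 server address, the config path, and that iproute2, iptables and openvpn are installed and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the thread. Confine a set of processes to an
# OpenVPN tunnel using a network namespace plus a namespace-local firewall.
# Assumptions (mine): kernel built with CONFIG_NET_NS and CONFIG_VETH,
# iproute2 with "ip netns", iptables, openvpn, running as root.
# All names and addresses below are made up for the example.
set -eu

NS=${NS:-vpn}                          # namespace name (assumed)
HOST_IF=veth-${NS}-host                # host end of the veth pair
NS_IF=veth-${NS}-ns                    # namespace end of the veth pair
HOST_IP=10.200.1.1                     # host side of the /30 link
NS_IP=10.200.1.2                       # namespace side of the /30 link
VPN_SERVER=${VPN_SERVER:-203.0.113.10} # documentation address; replace
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}
OVPN_CONF=${OVPN_CONF:-/etc/openvpn/client.conf}
WAN_IF=${WAN_IF:-eth0}                 # host's real uplink

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the namespace with exactly one path out: the veth pair to the host.
ns_setup() {
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_IP/30" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip addr add "$NS_IP/30" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip link set lo up
    # Default route via the host so openvpn can reach its server. Everything
    # else is blocked by ns_killswitch until tun0 is up.
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
    # The host forwards and NATs only the VPN handshake from this /30.
    run sysctl -qw net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NS_IP/30" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$HOST_IF" -o "$WAN_IF" -s "$NS_IP/30" -d "$VPN_SERVER" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$HOST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$HOST_IF" -j DROP
}

# Filter rules live inside the namespace; the host's own rules are untouched.
ns_killswitch() {
    run ip netns exec "$NS" iptables -P OUTPUT DROP
    run ip netns exec "$NS" iptables -P INPUT DROP
    run ip netns exec "$NS" iptables -A OUTPUT -o lo -j ACCEPT
    run ip netns exec "$NS" iptables -A INPUT -i lo -j ACCEPT
    # Only the tunnel handshake may leave through the veth ...
    run ip netns exec "$NS" iptables -A OUTPUT -o "$NS_IF" -d "$VPN_SERVER" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    run ip netns exec "$NS" iptables -A INPUT -i "$NS_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ... and application traffic may only use the tunnel device.
    run ip netns exec "$NS" iptables -A OUTPUT -o tun+ -j ACCEPT
    run ip netns exec "$NS" iptables -A INPUT -i tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Start the client inside the namespace: tun0 is created there and
# redirect-gateway replaces the namespace's default route with the tunnel.
vpn_start() {
    run ip netns exec "$NS" openvpn --config "$OVPN_CONF" --daemon --redirect-gateway def1
}

# Run any command confined to the namespace, e.g.: in_vpn curl https://example.org/
in_vpn() { run ip netns exec "$NS" "$@"; }

if [ "${1:-}" = setup ]; then ns_setup; ns_killswitch; vpn_start; fi
```

Two checks worth doing after `sh confine.sh setup` (the file name is assumed): `in_vpn ip route` should show the default through tun0, and with openvpn stopped, `in_vpn curl -m 5 https://example.org/` must fail instead of leaving via eth0. Resolver configuration for the namespace can be placed in /etc/netns/vpn/resolv.conf, which `ip netns exec` bind-mounts over /etc/resolv.conf, so DNS from the confined processes also goes through the tunnel rather than to the host's resolver.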
Posted: Thu May 23, 2013 2:33 am
Senior Newbie

Joined: Wed Jan 28, 2009 10:24 am
Posts: 11
Website: http://www.limetech.org
I would also very much like to have these options enabled in the Linode-provided kernels.


Posted: Mon May 27, 2013 11:28 pm
Senior Member

Joined: Sat Nov 27, 2010 2:32 am
Posts: 180
Website: https://blog.timheckman.net/
Location: San Francisco, CA
While it would be an annoyance, I'd suggest rolling your own kernel. We try to keep our kernels as slim as possible while still providing functionality that a large number of users can benefit from. Anything outside of those features would require running the distribution-supplied kernel, or compiling your own.

It also appears that the x86_64 Arch Linux kernel may have DomU support built in, as mentioned in the comments for the AUR:

- https://aur.archlinux.org/packages/linux-xen/

-Tim

_________________
'If debugging is the process of removing bugs, then programming must be the process of putting them in.' //Edsger Dijkstra
'Nothing is withheld from us which we have conceived to do.' | 'Do things that have never been done.' //Russell Kirsch


Posted: Tue Sep 10, 2013 4:56 pm

Joined: Tue Sep 10, 2013 4:35 pm
Posts: 1
Quote:
While it would be an annoyance, I'd suggest rolling your own kernel. We try to keep our kernels as slim as possible while still providing functionality that a large number of users can benefit from. Anything outside of those features would require running the distribution-supplied kernel, or compiling your own.
LXC is based on some fairly standard features found in recent kernels (>= 2.6.29), called cgroups and namespaces, which are combined to form a sort of super-chroot() called a "container". The kernel versions that Linode runs (3.8 and 3.10) are almost always built with full container support, and an increasing amount of software (especially server software) assumes working containers. The current Linode configuration causes issues when attempting to run modern daemon management software such as systemd and Docker, which use containers heavily.

There are a significant number of ad-hoc tutorials on the web for how to get a working container-enabled kernel on Linode, usually involving some customized distribution kernel plus pv-grub magic. It would be much easier for users if this commonly used kernel feature were enabled by default in Linode's kernels.

The following kernel options are required for a fully functioning container setup (from http://lxc.sourceforge.net/man/lxc.html). Even if some of them can't be added to the Linode default kernels (e.g. due to being experimental), it's still useful to have as many of these as possible:
Code:
* General setup
  * Control Group support
    -> Namespace cgroup subsystem
    -> Freezer cgroup subsystem
    -> Cpuset support
    -> Simple CPU accounting cgroup subsystem
    -> Resource counters
      -> Memory resource controllers for Control Groups
  * Group CPU scheduler
    -> Basis for grouping tasks (Control Groups)
  * Namespaces support
    -> UTS namespace
    -> IPC namespace
    -> User namespace
    -> Pid namespace
    -> Network namespace
* Device Drivers
  * Character devices
    -> Support multiple instances of devpts
  * Network device support
    -> MAC-VLAN support (can be a module)
    -> Virtual ethernet pair device (can be a module)
* Networking
  * Networking options
    -> 802.1d Ethernet Bridging (can be a module)
* Security options
  -> File POSIX Capabilities


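Added example (editorial, not posted by anyone in this thread): the list above gives menuconfig labels, while the first post asks in terms of CONFIG_ symbols, so this script maps one to the other and checks a kernel config file, which is the same thing lxc-checkconfig does with /proc/config.gz or /boot/config-$(uname -r). The symbol mapping is mine for the 3.x kernels the thread mentions; two labels in the list no longer correspond to a symbol on those kernels ("Namespace cgroup subsystem", CONFIG_CGROUP_NS, was removed in 3.0, and "File POSIX Capabilities", CONFIG_SECURITY_FILE_CAPABILITIES, became unconditional in 2.6.33), so they are listed but not required. The memory controller symbol was renamed from CONFIG_CGROUP_MEM_RES_CTLR to CONFIG_MEMCG in 3.6, so either spelling is accepted. The sample config embedded in `demo_config` is constructed to reproduce the lxc-checkconfig output in the first post, not taken from any real Linode kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Check a kernel .config for the LXC
# options listed above, by Kconfig symbol. Mapping and sample data are mine.
set -eu

# Symbol per menu label; "A|B" accepts either spelling (rename across 3.x).
REQUIRED='
CONFIG_CGROUPS
CONFIG_CGROUP_FREEZER
CONFIG_CPUSETS
CONFIG_CGROUP_CPUACCT
CONFIG_RESOURCE_COUNTERS
CONFIG_MEMCG|CONFIG_CGROUP_MEM_RES_CTLR
CONFIG_CGROUP_SCHED
CONFIG_NAMESPACES
CONFIG_UTS_NS
CONFIG_IPC_NS
CONFIG_USER_NS
CONFIG_PID_NS
CONFIG_NET_NS
CONFIG_DEVPTS_MULTIPLE_INSTANCES
CONFIG_MACVLAN
CONFIG_VETH
CONFIG_BRIDGE
'
# Listed in the lxc man page but gone from 3.x kernels (feature is built in
# or removed), so reported for information only: CONFIG_CGROUP_NS,
# CONFIG_SECURITY_FILE_CAPABILITIES.

# kconfig_has FILE SYMBOL: true if SYMBOL is built in (=y) or a module (=m).
kconfig_has() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# kconfig_missing FILE: print each required entry that is absent; return 1
# if anything is missing, 0 if the kernel config satisfies the list.
kconfig_missing() {
    file=$1
    rc=0
    for entry in $REQUIRED; do
        found=0
        for sym in $(printf '%s' "$entry" | tr '|' ' '); do
            if kconfig_has "$file" "$sym"; then found=1; break; fi
        done
        if [ "$found" != 1 ]; then printf '%s\n' "$entry"; rc=1; fi
    done
    return $rc
}

# Constructed sample mirroring the lxc-checkconfig output in the first post:
# PID/UTS/IPC namespaces and the cgroup controllers present, USER_NS, NET_NS,
# devpts instances, veth and macvlan absent. Not a real Linode config.
demo_config() {
    cat <<'EOF'
CONFIG_CGROUPS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CPUSETS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_RESOURCE_COUNTERS=y
CONFIG_MEMCG=y
CONFIG_CGROUP_SCHED=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
# CONFIG_USER_NS is not set
CONFIG_PID_NS=y
# CONFIG_NET_NS is not set
# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
# CONFIG_MACVLAN is not set
# CONFIG_VETH is not set
CONFIG_VLAN_8021Q=y
CONFIG_BRIDGE=m
EOF
}

# Usage: sh lxc-kconfig.sh check [FILE]
# For the running kernel: zcat /proc/config.gz > /tmp/running.config first,
# or pass /boot/config-$(uname -r) on distributions that ship it.
if [ "${1:-}" = check ]; then
    f=${2:-/boot/config-$(uname -r)}
    if kconfig_missing "$f"; then echo "all required LXC options present in $f"; fi
fi
```

Run against the constructed sample, the checker reports CONFIG_USER_NS, CONFIG_NET_NS, CONFIG_DEVPTS_MULTIPLE_INSTANCES, CONFIG_MACVLAN and CONFIG_VETH, matching the five "missing" lines in the first post, while the memory controller is accepted under either name.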
Posted: Tue Sep 10, 2013 6:28 pm
Senior Member

Joined: Sun Mar 07, 2010 6:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Just a note, the Ubuntu 12.04 stock kernel fully supports lxc and xen, also the lxc package is very good with useful cli utilities. I know it's not arch but if you don't mind switching distro it works great on both 32 and 64 bit. I have a 32 bit instance running LXC on Linode and 64 bit instances on dedicated servers.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Posted: Sun Sep 22, 2013 4:05 pm
Junior Member

Joined: Tue Sep 30, 2008 8:07 pm
Posts: 27
Website: http://www.nivex.net/
Location: Hillsborough, NC, US
Quote:
We try to keep our kernels as slim as possible while still providing functionality that a large number of users can benefit from.
How many people are using CONFIG_ATA_OVER_ETH ? Can we swap that out for the LXC stuff? :)

-- Kevin

