[[Kategorie:Infrastruktur]]
== VIMAGE ==

Netzwerk-Stack-Virtualisierung (VNET) unter FreeBSD: Jails, die mit <code>vnet=new</code> gestartet werden, bekommen einen eigenen, vom Host getrennten Netzwerk-Stack (eigene Interfaces und Routing-Tabelle) statt nur zugewiesener IP-Adressen des Host-Stacks.
== Hardware Info ==

Virtualisiert durch [[intern:Freebert]]
== Software Info ==

* Kernel mit VIMAGE-Support (eigene Kernelkonfiguration <code>VIMAGE</code>, siehe unten; gebaut aus <code>releng/10.0</code>)
== Verwendungszweck ==

* eigener Netzwerk-Stack (vnet) für Jails
* Hinweis: pf, pflog, pfsync und carp sind in der Kernelkonfiguration unten als <code>###BUG###</code> auskommentiert, weil sie zusammen mit VIMAGE auf diesem Stand vom Autor als fehlerhaft markiert wurden – Paketfilterung für Host und Jails muss daher anderweitig erfolgen.
== Beispiel ==

[[Datei:Freebert_vimage.jpg]]
== VIMAGE Einrichtung ==

Alle Schritte laufen als root auf dem Host; das Aufräumen von <code>/usr/src</code> und <code>/usr/obj</code> ist destruktiv.

<source lang=bash>
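# Fetch the FreeBSD source tree and prepare a VIMAGE kernel config.
# Runs as root on the host; the rm steps wipe /usr/src and /usr/obj, so read
# the whole block before pasting it.
#
# NOTE(review): FreeBSD 10.0 is long end-of-life and the base system is no
# longer served via Subversion from svn0.eu.FreeBSD.org. On a current host,
# fetch a supported branch from git.FreeBSD.org instead and adapt the
# checkout line; the rest of the procedure is unchanged.

# Subversion client from ports, needed for the checkout below.
cd /usr/ports/devel/subversion/ && make install clean

# Own ZFS datasets for sources and build output: sha256 checksums so the
# tree is integrity-checked on every read, lz4 to keep the large trees small.
# NOTE(review): if /usr/src or /usr/obj already contain files, ZFS may refuse
# to mount the new dataset over a non-empty directory -- clean the old
# directory first in that case.
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/src zroot/usr/src
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/obj zroot/usr/obj

# Step out of the trees before wiping them. The build can leave schg
# (immutable) files under /usr/obj, so the flag has to be cleared before rm
# can remove them. The globs are intentionally unquoted; "--" guards against
# names starting with "-".
cd /usr
chflags -R noschg /usr/obj/*
rm -rfv -- /usr/obj/*
rm -rfv -- /usr/src/*
rm -rfv -- /usr/src/.svn

# Fetch the source branch over https. On first contact svn asks whether to
# trust the server certificate: compare the fingerprint with the one
# published by the FreeBSD project before accepting it permanently, otherwise
# a man-in-the-middle could hand you a modified kernel source. A fresh
# checkout is already at the branch head, so no separate "svn up" is needed.
svn checkout https://svn0.eu.FreeBSD.org/base/releng/10.0 /usr/src

# Keep the kernel config outside the source tree so it survives a
# re-checkout, and symlink it into the amd64 conf directory where
# config(8)/buildkernel look for KERNCONF=VIMAGE. -p and -sf make the block
# safe to re-run.
mkdir -p /root/kernels
cp /usr/src/sys/amd64/conf/GENERIC /root/kernels/VIMAGE
cd /usr/src/sys/amd64/conf
ln -sf /root/kernels/VIMAGE
# Now edit the copy; the VIMAGE-specific additions are listed below.
vi /root/kernels/VIMAGE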
</source>

Kernelkonfiguration <code>/root/kernels/VIMAGE</code> – Auszug der Änderungen gegenüber der kopierten <code>GENERIC</code> (mindestens <code>ident</code> anpassen):

<source lang=bash>
### ### ### VIMAGE ### ### ###
#
# Kernel configuration "VIMAGE" for the jail host: a GENERIC-derived amd64
# config with network stack virtualisation plus the interface drivers,
# netgraph nodes and crypto/IPsec options used by the jails and tunnels.
# Lines starting with "###BUG###" are intentionally disabled (see below).
#
cpu HAMMER
ident VIMAGE

# Debug symbols and CTF data make the kernel larger but allow kgdb/DTrace
# on the running host; they do not change runtime behaviour.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support

### < --- --- --- >

# pf/pflog/pfsync/carp are deliberately left out: the page author marks
# them as broken in combination with VIMAGE on this source branch.
# Consequence: this kernel has no pf at all -- packet filtering for the host
# and the vnet jails must happen elsewhere (upstream firewall, or another
# filter added to this config).
###BUG###device pf
###BUG###device pflog
###BUG###device pfsync
###BUG###device carp

# Link aggregation (the lagg0 uplink in rc.conf), the IPsec enc(4)
# pseudo-interface and GRE tunnels.
device lagg
device enc
device gre
# Tunnel-related hack described in sys/conf/NOTES. NOTE(review): presumably
# wanted for the tunnel setup on this host; confirm it is still needed.
options XBONEHACK

# TCP MD5 signatures (RFC 2385) as required by some BGP peers. The keyed
# MD5 digest is weak by today's standards; only use it where a peer insists.
options TCP_SIGNATURE # include support for RFC 2385

# The core of this config: every jail created with vnet=new gets its own
# network stack.
options VIMAGE # Network Stack Virtualization
# nullfs is what ezjail uses to mount the shared basejail into each jail.
options NULLFS # NULL filesystem

### VIMAGE - if_bridge/epair virtualization // ###
# Virtual switch (vswitch0 in rc.conf) and the epair "patch cables" that
# connect a jail's vnet to it.
device if_bridge
device epair
### // VIMAGE - if_bridge/epair virtualization ###

### VIMAGE - netgraph virtualization // ###
# netgraph alternative to bridge/epair (ng_bridge + ng_eiface) for jails
# that are wired via netgraph instead.
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_BRIDGE
options NETGRAPH_EIFACE
options NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###

# Multiple routing tables (setfib(1)); net.add_addr_allfibs in sysctl.conf
# controls whether interface routes are installed in all of them.
options ROUTETABLES=16 # max 16 FIB (Forward Information Base/multiple routing tables) support
# tap(4) for the VirtualBox bridge adapter (tap0 in rc.conf).
device tap # virtual link layer 2 device

# ALTQ traffic shaping. NOTE(review): as far as I know pf is the only
# in-tree consumer of ALTQ queues, and pf is disabled above -- these options
# are dead weight unless something else on this host uses ALTQ.
options ALTQ
options KTR_ALQ

options ALTQ_CBQ # Class Based Queueing
options ALTQ_RED # Random Early Detection
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options ALTQ_NOPCC # Required if the TSC is unusable

# Asynchronous I/O (aio(4)), e.g. for daemons inside the jails that use it.
options VFS_AIO

### options TCP_OFFLOAD # TCP offload

# Resource accounting and limits (rctl(8)): lets the host cap CPU, memory
# and other resources per jail -- worth having on a multi-jail host.
options RACCT

options RCTL

# In-kernel crypto framework plus /dev/crypto for userland consumers.
device crypto # core crypto support
device cryptodev # /dev/crypto for access to h/w

# Entropy tester for the hardware RNGs of the crypto cards below.
device rndtest # FIPS 140-2 entropy tester

# Hardware crypto accelerators; only useful if such a card is present.
# The *_DEBUG options add diagnostic sysctls (hw.hifn.debug, hw.ubsec.debug)
# and are normally left out of a production kernel.
device hifn # Hifn 7951, 7781, etc.
options HIFN_DEBUG # enable debugging support: hw.hifn.debug
options HIFN_RNDTEST # enable rndtest support

device ubsec # Broadcom 5501, 5601, 58xx
options UBSEC_DEBUG # enable debugging support: hw.ubsec.debug
options UBSEC_RNDTEST # enable rndtest support

# IPsec with NAT traversal (ESP encapsulated in UDP).
options IPSEC # IP security (requires device crypto)
options IPSEC_NAT_T # NAT-T support, UDP encap of ESP

# /dev/fd filesystem, e.g. for shells and daemons inside the jails.
options FDESCFS # File descriptor filesystem
#
### ### ### VIMAGE ### ### ###
</source>

Kernel bauen, installieren und neu starten:

<source lang=bash>
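# Build and install the VIMAGE kernel. The two make targets are chained with
# && so a failed build never installs a half-built kernel; "time" only
# reports how long each step took. installkernel moves the previous kernel
# to /boot/kernel.old, which can be selected at the loader prompt if the new
# kernel does not boot.
cd /usr/src
time make buildkernel KERNCONF=VIMAGE && time make installkernel KERNCONF=VIMAGE

# Reboot into the new kernel -- only after installkernel reported success.
reboot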
</source>

Host-Netzwerk (Bridge als virtueller Switch), ezjail und eine Beispiel-Jail <code>test01</code> mit eigenem vnet:

<source lang=bash>
vi /etc/rc.conf

### VIMAGE // ###
# Host-side "virtual switch": a bridge renamed to vswitch0 with the physical
# uplink bge0 as member; each vnet jail later plugs one epair leg into it.
# Everything on this bridge shares the layer-2 segment of bge0 -- the jails,
# the VirtualBox tap device (see below) and the host itself.
# NOTE(review): bge0 must be up itself (ifconfig_bge0="up" or its normal
# address configuration) -- not shown on this page, confirm it is set.
cloned_interfaces="bridge0"
ifconfig_bridge0_name="vswitch0"
ifconfig_vswitch0="addm bge0"
### // VIMAGE ###

### EZJAIL // ###
ezjail_enable="YES"
# Global default jail(8) parameter: every jail gets its own network stack.
# NOTE(review): the per-jail jail_test01_parameters further below may
# replace rather than extend this default; verify with
# "jls -n name vnet" that the running jail really has a vnet.
jail_parameters="vnet=new"
### // EZJAIL ###
vi /etc/sysctl.conf

### EZJAIL // ###
# Global default for all jails: allow raw sockets (ping/traceroute). For a
# vnet jail the raw socket only reaches the jail's own stack; for a
# non-vnet jail it lets jail root sniff and forge on the shared host stack,
# so prefer the per-jail allow.raw_sockets parameter (as done for test01
# below) over this global switch.
security.jail.allow_raw_sockets=1
# NOTE(review): security.jail.param.* nodes describe jail(8) parameters and
# are read-only as far as I know, so this line presumably has no effect and
# prints an error at boot -- check "sysctl security.jail.param.allow.raw_sockets"
# and drop the line if so.
security.jail.param.allow.raw_sockets=1
#
# Install interface routes into all FIBs (ROUTETABLES=16 in the kernel
# config). NOTE(review): this sysctl is a boolean; any non-zero value such
# as 4 enables it -- 1 would be clearer.
net.add_addr_allfibs=4
### // EZJAIL ###

# ezjail itself, from ports.
cd /usr/ports/sysutils/ezjail/ && make install clean
vi /usr/local/etc/ezjail.conf

### ### ### EZJAIL ### ### ###
# Left commented: with this set ezjail would build the basejail from the
# local source tree; "ezjail-admin install" below fetches a release instead.
# ezjail_sourcetree=/usr/src

# Basejail and every jail on its own ZFS dataset under zroot/ezjail.
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="zroot/ezjail"

# Dataset properties for new jails. fletcher4 is the ZFS default checksum
# (the src/obj datasets above use sha256); lz4 as for src/obj, atime off.
ezjail_zfs_properties="-o checksum=fletcher4 -o compression=lz4 -o atime=off"
### ### ### EZJAIL ### ### ###
# EOF

# Download and unpack the base distribution for the basejail.
# NOTE(review): ezjail fetches the distribution sets over the network; as
# far as I can tell it does not verify them against the release MANIFEST
# (sha256) -- check this and verify by hand if it does not.
ezjail-admin install
# Fetch/update the ports tree for the jails (-P).
ezjail-admin update -P

# Create the jail with a dummy address: a vnet jail gets its addresses
# inside its own stack (see the per-jail config), so 0.0.0.0 is only a
# placeholder that keeps ezjail from configuring an alias on the host.
ezjail-admin create test01 0.0.0.0
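# Per-jail ezjail config, edit with: vi /usr/local/etc/ezjail/test01
# (sourced by ezjail's rc script). The jail gets its own network stack
# (vnet) and one leg of an epair that is plugged into the host bridge
# vswitch0; addressing happens from inside the jail via jexec, because the
# interface no longer exists in the host stack once it is moved.

export jail_test01_exec_stop="/bin/sh /etc/rc.shutdown"
# vnet=new is set explicitly here instead of relying only on the global
# jail_parameters in rc.conf, because a per-jail parameter string may
# replace that default -- without a vnet the "ifconfig ... vnet test01"
# steps below fail.
# allow.raw_sockets: needed for ping/traceroute inside the jail; with a vnet
# the raw socket is confined to the jail's own stack.
# allow.sysvipc: on this release SysV IPC is not virtualised, so the jail
# shares the IPC namespace with the host and all other jails -- keep it only
# for software that really needs it, otherwise drop it.
export jail_test01_parameters="vnet=new allow.raw_sockets=1 allow.sysvipc=1"
# No host-side IP: the address lives inside the vnet (see poststart1).
#export jail_test01_ip="0.0.0.0"
# epair1 is hard-coded: use a unique epair number per jail, creating an
# epair that already exists fails and so would the next jail's start.
export jail_test01_exec_prestart0="ifconfig epair1 create up"
export jail_test01_exec_prestart1="ifconfig vswitch0 addm epair1a"
# Move the b leg into the jail's stack, then configure it from inside.
export jail_test01_exec_poststart0="ifconfig epair1b vnet test01"
export jail_test01_exec_poststart1="jexec test01 /sbin/ifconfig epair1b 192.168.0.101/24"
export jail_test01_exec_poststart2="jexec test01 /sbin/route add default 192.168.0.1"
# Destroying the a leg removes the whole pair once the jail is gone.
export jail_test01_exec_poststop0="ifconfig epair1a destroy"

# Apply the devfs ruleset defined in /etc/devfs.rules (ruleset 20). The
# ruleset must exist before the jail starts: "service devfs restart" after
# editing /etc/devfs.rules.
export jail_test01_devfs_ruleset="20"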
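vi /etc/devfs.rules

### Jail - VIMAGE - // ###
# Ruleset 20, referenced by jail_test01_devfs_ruleset: start from "hide
# everything", then expose only the basic device nodes and what login needs.
[devfsrules_jail_vimage=20]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# /dev/mem and /dev/kmem are NOT exposed: inside the jail they give root
# read/write access to host physical and kernel memory, which makes the
# jail boundary meaningless (any jail root becomes host root). The original
# page unhid both; if a jailed tool genuinely needs them, re-add the two
# lines on purpose and treat that jail as fully trusted.
# add path mem unhide
# add path kmem unhide
# bpf: packet capture (tcpdump, dhclient) on the interfaces of the jail's
# own vnet. With VIMAGE the jail only sees its own epair/tun, but it is
# still a capture capability -- drop it for jails that do not need it.
add path 'bpf*' unhide
# tun: required for the OpenVPN tun0 that is moved into this jail's vnet.
add path 'tun*' unhide
### // Jail - VIMAGE - ###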
vi /usr/local/etc/ezjail/test01

### OpenVPN // ###
# Create a tun device on the host and hand it to the jail's vnet so OpenVPN
# can run inside the jail; the devfs ruleset must unhide tun* for this.
export jail_test01_exec_prestart2="ifconfig tun0 create up"
export jail_test01_exec_poststart3="ifconfig tun0 vnet test01"
export jail_test01_exec_poststop1="ifconfig tun0 destroy"
### // OpenVPN ###

vi /usr/local/etc/ezjail/test01

# IPv6 for the jail, configured from inside its vnet like the IPv4 address.
# NOTE(review): these two lines use the jail name "test01_local" while every
# other line on this page configures "test01" -- either a second jail or a
# typo; confirm. The addresses are placeholders (ffff:...): replace them
# with the real prefix and the real link-local address of the router
# reachable via epair1b.
export jail_test01_local_exec_poststart4="jexec test01_local /sbin/ifconfig epair1b inet6 ffff:ffff:ffff:ffff::ffff prefixlen 64"
export jail_test01_local_exec_poststart5="jexec test01_local /sbin/route add -inet6 default fe80::ffff:ffff:ffff:1dac%epair1b"
vi /etc/sysctl.conf

### VIMAGE // ###
# Let non-root users open /dev/tap* (VirtualBox runs as a normal user below).
net.link.tap.user_open=1
### // VIMAGE ###

vi /etc/devfs.rules

# Make tap devices group-accessible. Security caveat: every member of group
# "operator" can then open tap0, which is a member of vswitch0 -- that is
# full layer-2 access to the bridged segment including the uplink (raw
# frames, ARP spoofing). Keep that group small, or use a dedicated group.
# NOTE(review): a devfs rule must sit inside a ruleset section ([name=N])
# that is applied to the host via devfs_system_ruleset in rc.conf -- not
# shown here, confirm where this line actually lives.
add path 'tap*' mode 0660 group operator

vi /etc/rc.conf

# Final host network config: bridge, a lagg0 uplink and the VirtualBox tap.
# NOTE(review): this supersedes cloned_interfaces/ifconfig_vswitch0 from the
# earlier rc.conf snippet (bge0 -> lagg0); rc.conf takes the last
# assignment, so keep only one version. ifconfig_bridge0_name="vswitch0"
# from the earlier snippet is still required, and lagg0 needs its own
# ifconfig_lagg0 line (laggproto/laggport), which is not shown here.
cloned_interfaces="bridge0 lagg0 tap0"
ifconfig_tap0="up"
ifconfig_vswitch0="addm lagg0 addm tap0"

# Bridge the VM's first adapter onto tap0 (and thereby onto vswitch0).
VBoxManage modifyvm yourmachine --bridgeadapter1 tap0
</source>

== Log ==

* 18.05.2014 freebert_vimage_picture