{{beinhaltet Abweichungen von der Realität}}

[[Server/freebert]] is gone!

== Hardware ==

Virtualisiert durch [[Server/freebert/FreeBSD]]

== VIMAGE ==
Netzwerk Stack Virtualisierung unter FreeBSD

== Software ==

* Kernel mit VIMAGE Support

== Verwendungszweck ==

* eigener Network Stack für Jails

== Beispiel ==

[[Datei:Freebert_vimage.jpg]]

== VIMAGE Einrichtung ==

<source lang=bash>
cd /usr/ports/devel/subversion/ && make install clean
 
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/src zroot/usr/src
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/obj zroot/usr/obj
 
cd /usr
chflags -R noschg /usr/obj/*
rm -rfv /usr/obj/*
rm -rfv /usr/src/*
rm -rfv /usr/src/.svn
 
cd /usr/src
svn checkout https://svn0.eu.FreeBSD.org/base/releng/10.0 /usr/src
svn up /usr/src

cd /usr/src/sys/amd64/conf
mkdir /root/kernels
cp GENERIC /root/kernels/VIMAGE
ln -s /root/kernels/VIMAGE
vi /root/kernels/VIMAGE
</source>


<source lang=bash>
### ### ### VIMAGE ### ### ###
#
cpu             HAMMER
ident           VIMAGE
 
makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols
makeoptions     WITH_CTF=1              # Run ctfconvert(1) for DTrace support
 
### < --- --- --- >
 
###BUG###device          pf
###BUG###device          pflog
###BUG###device          pfsync
###BUG###device          carp
 
device          lagg
device          enc
device          gre
options         XBONEHACK
 
options         TCP_SIGNATURE           # include support for RFC 2385
 
options         VIMAGE                  # Network Stack Virtualization
options         NULLFS                  # NULL filesystem
 
### VIMAGE - if_bridge/epair virtualization // ###
device          if_bridge
device          epair
### // VIMAGE - if_bridge/epair virtualization ###
 
### VIMAGE - netgraph virtualization // ###
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_BRIDGE
options         NETGRAPH_EIFACE
options         NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###
 
options         ROUTETABLES=16          # max 16 FIB (Forward Information Base/multiple routing tables) support
device          tap                     # virtual link layer 2 device
 
options         ALTQ
options         KTR_ALQ
 
options         ALTQ_CBQ                # Class Based Queueing
options         ALTQ_RED                # Random Early Detection
options         ALTQ_RIO                # RED In/Out
options         ALTQ_HFSC               # Hierarchical Packet Scheduler
options         ALTQ_CDNR               # Traffic conditioner
options         ALTQ_PRIQ               # Priority Queueing
options         ALTQ_NOPCC              # Required if the TSC is unusable
 
options         VFS_AIO
 
### options         TCP_OFFLOAD             # TCP offload
 
options         RACCT
 
options         RCTL
 
device          crypto                  # core crypto support
device          cryptodev               # /dev/crypto for access to h/w
 
device          rndtest                 # FIPS 140-2 entropy tester
 
device          hifn                    # Hifn 7951, 7781, etc.
options         HIFN_DEBUG              # enable debugging support: hw.hifn.debug
options         HIFN_RNDTEST            # enable rndtest support
 
device          ubsec                   # Broadcom 5501, 5601, 58xx
options         UBSEC_DEBUG             # enable debugging support: hw.ubsec.debug
options         UBSEC_RNDTEST           # enable rndtest support
 
options         IPSEC                   # IP security (requires device crypto)
options         IPSEC_NAT_T             # NAT-T support, UDP encap of ESP
 
options         FDESCFS                 # File descriptor filesystem
#
### ### ### VIMAGE ### ### ###
</source>


<source lang=bash>
cd /usr/src
time make buildkernel KERNCONF=VIMAGE
time make installkernel KERNCONF=VIMAGE
 
reboot
</source>


<source lang=bash>
vi /etc/rc.conf
 
### VIMAGE // ###
cloned_interfaces="bridge0"
ifconfig_bridge0_name="vswitch0"
ifconfig_vswitch0="addm bge0"
### // VIMAGE ###
 
### EZJAIL // ###
ezjail_enable="YES"
jail_parameters="vnet=new"
### // EZJAIL ###

vi /etc/sysctl.conf
 
### EZJAIL // ###
security.jail.allow_raw_sockets=1
security.jail.param.allow.raw_sockets=1
#
net.add_addr_allfibs=4
### // EZJAIL ###

cd /usr/ports/sysutils/ezjail/ && make install clean
 
vi /usr/local/etc/ezjail.conf
 
### ### ### EZJAIL ### ### ###
# ezjail_sourcetree=/usr/src
  
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="zroot/ezjail"
  
ezjail_zfs_properties="-o checksum=fletcher4 -o compression=lz4 -o atime=off"
### ### ### EZJAIL ### ### ###
# EOF
 
ezjail-admin install
ezjail-admin update -P

ezjail-admin create test01 0.0.0.0

vi /usr/local/etc/ezjail/test01
 
export jail_test01_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_test01_parameters="allow.raw_sockets=1 allow.sysvipc=1"
#export jail_test01_ip="0.0.0.0"
export jail_test01_exec_prestart0="ifconfig epair1 create up"
export jail_test01_exec_prestart1="ifconfig vswitch0 addm epair1a"
export jail_test01_exec_poststart0="ifconfig epair1b vnet test01"
export jail_test01_exec_poststart1="jexec test01 /sbin/ifconfig epair1b 192.168.0.101/24"
export jail_test01_exec_poststart2="jexec test01 /sbin/route add default 192.168.0.1"
export jail_test01_exec_poststop0="ifconfig epair1a destroy"

vi /usr/local/etc/ezjail/test01
 
export jail_test01_devfs_ruleset="20"

vi /etc/devfs.rules
 
### Jail - VIMAGE - // ###
[devfsrules_jail_vimage=20]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path mem unhide
add path kmem unhide
add path 'bpf*' unhide
add path 'tun*' unhide
### // Jail - VIMAGE - ###

vi /usr/local/etc/ezjail/test01
 
### OpenVPN // ###
export jail_test01_exec_prestart2="ifconfig tun0 create up"
export jail_test01_exec_poststart3="ifconfig tun0 vnet test01"
export jail_test01_exec_poststop1="ifconfig tun0 destroy"
### // OpenVPN ###

vi /usr/local/etc/ezjail/test01
 
export jail_test01_local_exec_poststart4="jexec test01_local /sbin/ifconfig epair1b inet6 ffff:ffff:ffff:ffff::ffff prefixlen 64"
export jail_test01_local_exec_poststart5="jexec test01_local /sbin/route add -inet6 default fe80::ffff:ffff:ffff:1dac%epair1b"

vi /etc/sysctl.conf
 
### VIMAGE // ###
net.link.tap.user_open=1
### // VIMAGE ###
 
vi /etc/devfs.rules
 
add path 'tap*' mode 0660 group operator
 
vi /etc/rc.conf
 
cloned_interfaces="bridge0 lagg0 tap0"
ifconfig_tap0="up"
ifconfig_vswitch0="addm lagg0 addm tap0"

VBoxManage modifyvm yourmachine --bridgeadapter1 tap0
</source>


== if_epair.c Patch ==

https://github.com/plitc/freebsd/blob/master/sys/net/if_epair.c

<source lang=bash>
 #include <sys/sockio.h>

 #include <sys/sysctl.h>

 #include <sys/types.h>

+#include <sys/libkern.h>

 

 #include <net/bpf.h>

 #include <net/ethernet.h>

@@ -719,8 +720,9 @@ epair_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)

 	if (params) {

 		scb = (struct epair_softc *)params;

 		ifp = scb->ifp;

-		/* Assign a hopefully unique, locally administered etheraddr. */

+		/* Assign a hopefully unique, locally administered etheraddr. -for epairNb- */

 		eaddr[0] = 0x02;

+                eaddr[1] = arc4random() & 0xff;

 		eaddr[3] = (ifp->if_index >> 8) & 0xff;

 		eaddr[4] = ifp->if_index & 0xff;

 		eaddr[5] = 0x0b;

@@ -814,8 +816,9 @@ epair_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)

 	ifp->if_ioctl = epair_ioctl;

 	ifp->if_init  = epair_init;

 	ifp->if_snd.ifq_maxlen = ifqmaxlen;

-	/* Assign a hopefully unique, locally administered etheraddr. */

+	/* Assign a hopefully unique, locally administered etheraddr. -for epairNa- */

 	eaddr[0] = 0x02;

+        eaddr[1] = arc4random() & 0xff;

 	eaddr[3] = (ifp->if_index >> 8) & 0xff;

 	eaddr[4] = ifp->if_index & 0xff;

 	eaddr[5] = 0x0a;
</source>

Quelle: https://github.com/plitc/freebsd/commit/9215c5850ff562a44d0347fa03be60bd3cdd4b9c

== Log ==
* 18.05.2014 freebert_vimage_picture

[[Kategorie:Infrastruktur]]