
{{beinhaltet Abweichungen von der Realität}}
[[Server/freebert]] is gone!
== Hardware ==
Virtualisiert durch [[Server/freebert/FreeBSD]]
== VIMAGE ==
Netzwerk-Stack-Virtualisierung unter FreeBSD (VNET): jede Jail erhält einen eigenen, unabhängigen Netzwerk-Stack mit eigenen Interfaces und Routing-Tabellen.
== Software ==
* Kernel mit VIMAGE-Support (in FreeBSD 10.x nicht im GENERIC-Kernel enthalten; muss wie unten beschrieben selbst gebaut werden)
== Verwendungszweck ==
* eigener Network Stack für Jails
== Beispiel ==
[[Datei:Freebert_vimage.jpg]]
== VIMAGE Einrichtung ==
<source lang=bash>
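#!/bin/sh
# Fetch the FreeBSD releng/10.0 source tree onto its own ZFS dataset and
# stage a custom VIMAGE kernel config next to GENERIC.
#
# Abort on the first failing command: the rm -rf steps below must never run
# after a zfs create or cd has failed, or they hit the wrong directory.
set -eu

# svn client used to fetch the source tree.
cd /usr/ports/devel/subversion/ && make install clean

# Dedicated datasets for sources and build output (sha256 checksums, lz4).
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/src zroot/usr/src
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/obj zroot/usr/obj

# Wipe stale build output and any old checkout.  Build output may carry the
# system-immutable flag, so clear it first.  The directory (not a glob) is
# passed so an empty /usr/obj does not abort the script under set -e.
cd /usr
chflags -R noschg /usr/obj
rm -rfv /usr/obj/*
rm -rfv /usr/src/*
rm -rfv /usr/src/.svn

# Pull the releng/10.0 branch over HTTPS.
# NOTE(review): on first connect svn asks whether to trust the mirror's
# certificate — compare its fingerprint with the list published in the
# FreeBSD Handbook instead of accepting it blindly; otherwise the whole
# source tree comes from whoever terminates the TLS connection.
# NOTE(review): releng/10.0 has been end-of-life for years and receives no
# security advisories, and the FreeBSD svn mirrors have since been retired
# in favour of git — expect this URL to be dead and pick a supported branch.
cd /usr/src
svn checkout https://svn0.eu.FreeBSD.org/base/releng/10.0 /usr/src
svn up /usr/src

# Keep the kernel config outside the source tree and symlink it in, so a
# fresh checkout does not lose it.  -p / -f make a re-run idempotent.
cd /usr/src/sys/amd64/conf
mkdir -p /root/kernels
cp GENERIC /root/kernels/VIMAGE
ln -sf /root/kernels/VIMAGE
vi /root/kernels/VIMAGE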
</source>
<source lang=bash>
### ### ### VIMAGE ### ### ###
#
# Custom kernel config: network stack virtualisation (VIMAGE) for vnet jails,
# plus netgraph, ALTQ, IPsec and crypto hardware support.  The file is a
# copy of GENERIC with this part appended (see the cp/ln steps above); the
# ident line is presumably meant to replace GENERIC's own ident.
cpu HAMMER
ident VIMAGE
# Debug symbols and CTF data: harmless for security, but they make the
# installed kernel considerably larger.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
### < --- --- --- >
# pf/pflog/pfsync/carp are left out and marked ###BUG### by the author,
# presumably because they did not work with VIMAGE on this branch (VIMAGE
# was still experimental in 10.x) — re-test before re-enabling them.
###BUG###device pf
###BUG###device pflog
###BUG###device pfsync
###BUG###device carp
device lagg
# enc(4): exposes IPsec traffic before/after processing to bpf.
device enc
device gre
# NOTE(review): XBONEHACK is a gre(4)-related option whose purpose is not
# documented on this page — confirm it is still needed.
options XBONEHACK
# RFC 2385 TCP MD5 signatures (BGP peers); on this branch it relies on
# options IPSEC, which is set further down.
options TCP_SIGNATURE # include support for RFC 2385
options VIMAGE # Network Stack Virtualization
# NULLFS is what ezjail uses to mount the shared basejail into every jail.
options NULLFS # NULL filesystem
### VIMAGE - if_bridge/epair virtualization // ###
# Host bridge (vswitch0) and epair pairs, one end per jail vnet.
device if_bridge
device epair
### // VIMAGE - if_bridge/epair virtualization ###
### VIMAGE - netgraph virtualization // ###
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_BRIDGE
options NETGRAPH_EIFACE
options NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###
# Multiple routing tables; net.add_addr_allfibs in sysctl.conf refers to these.
options ROUTETABLES=16 # max 16 FIB (Forward Information Base/multiple routing tables) support
# tap(4) is used later to bridge a VirtualBox guest into vswitch0.
device tap # virtual link layer 2 device
options ALTQ
# KTR_ALQ: kernel trace records logged via alq(9) — a debugging aid, not
# required for VIMAGE.
options KTR_ALQ
options ALTQ_CBQ # Class Based Queueing
options ALTQ_RED # Random Early Detection
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options ALTQ_NOPCC # Required if the TSC is unusable
# aio(4) was not part of GENERIC on this branch; see aio(4) for the caveats
# before keeping it.
options VFS_AIO
### options TCP_OFFLOAD # TCP offload
# Resource accounting and limits: lets rctl(8) cap CPU/memory/etc. per jail.
options RACCT
options RCTL
device crypto # core crypto support
# /dev/cryptodev must additionally be unhidden by devfs rules to be usable
# from inside a jail; the ruleset on this page does not do so.
device cryptodev # /dev/crypto for access to h/w
device rndtest # FIPS 140-2 entropy tester
# Hifn/Broadcom crypto accelerators.  The *_DEBUG options only add debug
# sysctls; drop the drivers entirely if no such card is installed.
device hifn # Hifn 7951, 7781, etc.
options HIFN_DEBUG # enable debugging support: hw.hifn.debug
options HIFN_RNDTEST # enable rndtest support
device ubsec # Broadcom 5501, 5601, 58xx
options UBSEC_DEBUG # enable debugging support: hw.ubsec.debug
options UBSEC_RNDTEST # enable rndtest support
options IPSEC # IP security (requires device crypto)
options IPSEC_NAT_T # NAT-T support, UDP encap of ESP
options FDESCFS # File descriptor filesystem
#
### ### ### VIMAGE ### ### ###
</source>
<source lang=bash>
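# Build and install the VIMAGE kernel, then reboot into it.
#
# The steps are chained with && so that a failed build (or cd) does not fall
# through to installkernel and an immediate reboot.  installkernel keeps the
# previous kernel in /boot/kernel.old; on a remote machine prefer installing
# into a separate directory (KODIR=/boot/kernel.vimage) and trying it once
# with nextboot(8), so a non-booting kernel falls back to the old one
# without console access.
cd /usr/src && \
time make buildkernel KERNCONF=VIMAGE && \
time make installkernel KERNCONF=VIMAGE && \
reboot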
</source>
<source lang=bash>
vi /etc/rc.conf
### VIMAGE // ###
# Host-side "virtual switch": a bridge renamed to vswitch0 with the physical
# NIC bge0 as its first member.  Each jail's epair a-side is added to it at
# jail start, so all jails sit on bge0's layer-2 segment.  The host's own
# address configuration for bge0/vswitch0 is not shown on this page.
cloned_interfaces="bridge0"
ifconfig_bridge0_name="vswitch0"
ifconfig_vswitch0="addm bge0"
### // VIMAGE ###
### EZJAIL // ###
ezjail_enable="YES"
# Default for every ezjail: a fresh network stack of its own (vnet).
jail_parameters="vnet=new"
### // EZJAIL ###
vi /etc/sysctl.conf
### EZJAIL // ###
# Host-wide default for allow.raw_sockets: root inside ANY jail may open raw
# sockets and hence craft arbitrary IP packets (ping/traceroute need this,
# but so does source-address spoofing).  Prefer setting it per jail in the
# jail's parameters, as the test01 config on this page already does.
security.jail.allow_raw_sockets=1
# NOTE(review): the security.jail.param.* tree describes the available jail
# parameters for jail(8)/jls(8); it is not documented as a writable default,
# so this line is most likely a no-op — the line above is the one that counts.
security.jail.param.allow.raw_sockets=1
#
# Whether routes for new interface addresses are installed in all FIBs
# (ROUTETABLES=16 in the kernel config).  NOTE(review): the sysctl appears
# to be a boolean; "4" is simply non-zero here — confirm the intended value.
net.add_addr_allfibs=4
### // EZJAIL ###
cd /usr/ports/sysutils/ezjail/ && make install clean
vi /usr/local/etc/ezjail.conf
### ### ### EZJAIL ### ### ###
# ezjail_sourcetree=/usr/src
# One ZFS dataset per jail.  fletcher4 is ZFS's default checksum; the source
# datasets above use sha256 — align them if integrity of the jail trees
# matters as much as that of the source tree.
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="zroot/ezjail"
ezjail_zfs_properties="-o checksum=fletcher4 -o compression=lz4 -o atime=off"
### ### ### EZJAIL ### ### ###
# EOF
# Populate the shared basejail, then apply freebsd-update binary patches to
# it (-P).  Every jail mounts this basejail, so re-run the update step
# whenever a security advisory is issued.
ezjail-admin install
ezjail-admin update -P
# 0.0.0.0 is a placeholder: with vnet=new the jail configures its own
# addresses from the inside (see the poststart hooks below).
ezjail-admin create test01 0.0.0.0
vi /usr/local/etc/ezjail/test01
export jail_test01_exec_stop="/bin/sh /etc/rc.shutdown"
# allow.raw_sockets: root in the jail may craft raw IP packets.
# allow.sysvipc: on this branch System V IPC is ONE namespace shared by the
# host and all jails, so this lets the jail see and interfere with IPC
# objects of the host and of other jails (jail(8)).  Enable it only for a
# service that really needs it (e.g. PostgreSQL).
export jail_test01_parameters="allow.raw_sockets=1 allow.sysvipc=1"
#export jail_test01_ip="0.0.0.0"
# Plumbing: create epair1, plug the a-side into the host bridge, move the
# b-side into the jail's vnet, then address and route it from inside the
# jail.  jexec resolves /sbin/ifconfig and /sbin/route in the jail's own
# tree (the read-only basejail mount).
export jail_test01_exec_prestart0="ifconfig epair1 create up"
export jail_test01_exec_prestart1="ifconfig vswitch0 addm epair1a"
export jail_test01_exec_poststart0="ifconfig epair1b vnet test01"
export jail_test01_exec_poststart1="jexec test01 /sbin/ifconfig epair1b 192.168.0.101/24"
export jail_test01_exec_poststart2="jexec test01 /sbin/route add default 192.168.0.1"
# Destroying one end of an epair removes both ends.
export jail_test01_exec_poststop0="ifconfig epair1a destroy"
vi /usr/local/etc/ezjail/test01
# devfs ruleset 20 is the devfsrules_jail_vimage set in /etc/devfs.rules.
export jail_test01_devfs_ruleset="20"
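vi /etc/devfs.rules
### Jail - VIMAGE - // ###
# Ruleset 20, referenced by jail_test01_devfs_ruleset.  Starts from the
# hide-everything default and re-exposes only what a vnet jail needs.
[devfsrules_jail_vimage=20]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# /dev/mem and /dev/kmem give whoever is root inside the jail read/write
# access to all physical and kernel memory — a trivial jail escape and full
# host compromise.  They used to be unhidden here; keep them hidden unless
# the jail is fully trusted and a tool genuinely needs them.
#add path mem unhide
#add path kmem unhide
# bpf lets the jail capture traffic on the interfaces inside its own vnet
# (dhclient/tcpdump need it); tun* is for the OpenVPN tunnel moved into the
# jail further down.
add path 'bpf*' unhide
add path 'tun*' unhide
### // Jail - VIMAGE - ###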
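vi /usr/local/etc/ezjail/test01
### OpenVPN // ###
# tun0 is created on the host and moved into the jail's vnet so OpenVPN can
# run inside the jail; it is destroyed again on stop.  Index 3 continues the
# poststart sequence 0-2 defined earlier in this file.
export jail_test01_exec_prestart2="ifconfig tun0 create up"
export jail_test01_exec_poststart3="ifconfig tun0 vnet test01"
export jail_test01_exec_poststop1="ifconfig tun0 destroy"
### // OpenVPN ###
vi /usr/local/etc/ezjail/test01
# IPv6 on the jail side of the epair.  The original used the variable prefix
# jail_test01_local_* and "jexec test01_local" — those belong to a jail named
# test01_local, which does not exist on this page, so ezjail would never run
# them for test01 and jexec would fail.  Both now use the jail's real name.
# The addresses are obviously masked placeholders; substitute the real prefix
# and the router's link-local address.
export jail_test01_exec_poststart4="jexec test01 /sbin/ifconfig epair1b inet6 ffff:ffff:ffff:ffff::ffff prefixlen 64"
export jail_test01_exec_poststart5="jexec test01 /sbin/route add -inet6 default fe80::ffff:ffff:ffff:1dac%epair1b"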
vi /etc/sysctl.conf
### VIMAGE // ###
# Allow non-root processes to open /dev/tap*, so VirtualBox can run as an
# unprivileged user.  From then on access is governed solely by the devfs
# permissions on tap* (set below).
net.link.tap.user_open=1
### // VIMAGE ###
vi /etc/devfs.rules
# Restrict tap devices to group operator.  NOTE(review): this line only
# takes effect inside a ruleset that is applied to the host's /dev
# (devfs_system_ruleset in rc.conf); it is shown here without its [name=N]
# header.  Since tap0 is a member of vswitch0, every member of operator can
# inject frames onto the physical segment — treat operator membership as
# network-admin access.
add path 'tap*' mode 0660 group operator
vi /etc/rc.conf
# Supersedes the earlier cloned_interfaces / ifconfig_vswitch0 lines: the
# bridge now has lagg0 and tap0 as members instead of bge0.  The lagg0
# configuration itself (laggproto/laggport) is not shown on this page.
cloned_interfaces="bridge0 lagg0 tap0"
ifconfig_tap0="up"
ifconfig_vswitch0="addm lagg0 addm tap0"
# VirtualBox guest bridged via tap0, i.e. on the same segment as the jails.
VBoxManage modifyvm yourmachine --bridgeadapter1 tap0
</source>
== if_epair.c Patch ==
https://github.com/plitc/freebsd/blob/master/sys/net/if_epair.c
<source lang=bash>
#include <sys/sockio.h>
#include <sys/sysctl.h>
#include <sys/types.h>
+#include <sys/libkern.h>
#include <net/bpf.h>
#include <net/ethernet.h>
@@ -719,8 +720,9 @@ epair_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
if (params) {
scb = (struct epair_softc *)params;
ifp = scb->ifp;
- /* Assign a hopefully unique, locally administered etheraddr. */
+ /* Assign a hopefully unique, locally administered etheraddr. -for epairNb- */
eaddr[0] = 0x02;
+ eaddr[1] = arc4random() & 0xff;
eaddr[3] = (ifp->if_index >> 8) & 0xff;
eaddr[4] = ifp->if_index & 0xff;
eaddr[5] = 0x0b;
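Review bot: The added `eaddr[1] = arc4random() & 0xff;` line contributes only 8 bits of randomness, while `eaddr[2]` is never written in this hunk and `eaddr[3..4]` still derive from `if_index`, a per-host counter — so two hosts on the same segment that create an epair with the same if_index collide with probability 1/256, and the "hopefully unique" comment overstates the gain. Randomising the second octet as well, `eaddr[2] = arc4random() & 0xff;`, is equally cheap; whatever `eaddr[2]` currently holds comes from the declaration of `eaddr`, which is outside the hunk. The comment could then state the scheme precisely, e.g. `/* Locally administered: octets 1-2 random, 3-4 from if_index, 5 marks the b side. */`. epair_clone_create begins and ends outside this hunk.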
@@ -814,8 +816,9 @@ epair_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
ifp->if_ioctl = epair_ioctl;
ifp->if_init = epair_init;
ifp->if_snd.ifq_maxlen = ifqmaxlen;
- /* Assign a hopefully unique, locally administered etheraddr. */
+ /* Assign a hopefully unique, locally administered etheraddr. -for epairNa- */
eaddr[0] = 0x02;
+ eaddr[1] = arc4random() & 0xff;
eaddr[3] = (ifp->if_index >> 8) & 0xff;
eaddr[4] = ifp->if_index & 0xff;
eaddr[5] = 0x0a;
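Review bot: The added `eaddr[1] = arc4random() & 0xff;` line duplicates the one in the previous hunk, so the a- and b-side address scheme is now maintained in two places that can drift although they differ only in the last octet. A small static helper that fills `eaddr` from `ifp->if_index` and a final-octet argument, called from both sites, would keep them in step. epair_clone_create begins and ends outside this hunk.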
</source>
Quelle: https://github.com/plitc/freebsd/commit/9215c5850ff562a44d0347fa03be60bd3cdd4b9c
== Log ==
* 18.05.2014 freebert_vimage_picture
[[Kategorie:Infrastruktur]]