[[Kategorie:Infrastruktur]]
|
|
|
|
== VIMAGE ==
|
|
Netzwerk-Stack-Virtualisierung unter FreeBSD: jede Jail erhält einen eigenen, vom Host getrennten Netzwerk-Stack (eigene Interfaces, Routing-Tabellen, Sockets) statt nur einer an den Host-Stack gebundenen IP-Adresse.
|
|
|
|
== Hardware Info ==
|
|
Virtualisiert durch [[intern:Freebert]]
|
|
|
|
== Software Info ==
|
|
* Kernel mit VIMAGE Support
|
|
|
|
== Verwendungszweck ==
|
|
* eigener Network Stack für Jails
|
|
|
|
== Beispiel ==
|
|
[[Datei:Freebert_vimage.jpg]]
|
|
|
|
== VIMAGE Einrichtung ==
|
|
|
|
<source lang=bash>
|
|
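# Fetch the FreeBSD base sources and prepare a VIMAGE kernel config.
# Run as root on the build host. Destructive: it wipes /usr/src and /usr/obj.
#
# NOTE(review): releng/10.0 is long past end-of-life and receives no security
# fixes; track a supported release branch before building a kernel that hosts
# jails. Make sure the svn client can validate the server certificate
# (security/ca_root_nss) instead of accepting an unknown cert interactively.
cd /usr/ports/devel/subversion/ && make install clean

# Dedicated datasets for sources and build output. sha256 checksums detect
# on-disk corruption of the tree; lz4 keeps the build tree small.
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/src zroot/usr/src
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/obj zroot/usr/obj

# Start from a clean tree. Build output may carry the schg flag, which blocks
# rm until it is cleared.
cd /usr
chflags -R noschg /usr/obj/*
rm -rfv /usr/obj/*
rm -rfv /usr/src/*
rm -rfv /usr/src/.svn

cd /usr/src
svn checkout https://svn0.eu.FreeBSD.org/base/releng/10.0 /usr/src
svn up /usr/src

# Keep the custom kernel config outside /usr/src so it survives the rm above
# and any later tree refresh; the symlink lets buildkernel find it by name.
# mkdir -p so the steps can be re-run.
cd /usr/src/sys/amd64/conf
mkdir -p /root/kernels
cp GENERIC /root/kernels/VIMAGE
ln -s /root/kernels/VIMAGE
vi /root/kernels/VIMAGE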
|
|
</source>
|
|
|
|
|
|
<source lang=bash>
|
|
### ### ### VIMAGE ### ### ###
#
# Kernel config for a jail host with per-jail network stacks (VNET).
# Copied from GENERIC (see the setup steps above); only the additions are
# listed here -- everything GENERIC provides is still in effect.
#
cpu HAMMER
ident VIMAGE

makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols (same as GENERIC)
makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support

### < --- --- --- >

# pf/pflog/pfsync/carp are deliberately left out: this config marks them as
# not working together with VIMAGE on this release. Consequence: the host
# kernel has NO pf firewall, so filtering for the jails has to come from
# elsewhere (another packet filter, or a firewall in front of the host) until
# pf can be enabled again.
###BUG###device pf
###BUG###device pflog
###BUG###device pfsync
###BUG###device carp

device lagg # link aggregation; used as the bridge uplink (lagg0) in rc.conf below
device enc # IPsec filter/capture pseudo-interface
device gre # GRE tunnels
options XBONEHACK # NOTE(review): legacy tunnel-related option; confirm it is still needed

options TCP_SIGNATURE # include support for RFC 2385 (TCP-MD5; needs IPSEC and device crypto, both set below)

options VIMAGE # Network Stack Virtualization -- the reason for this kernel
options NULLFS # NULL filesystem (presumably for ezjail's basejail mounts)

### VIMAGE - if_bridge/epair virtualization // ###
device if_bridge # host-side virtual switch (vswitch0 in rc.conf)
device epair # virtual cable: one end stays on the host, the other is moved into the jail's vnet
### // VIMAGE - if_bridge/epair virtualization ###

### VIMAGE - netgraph virtualization // ###
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_BRIDGE
options NETGRAPH_EIFACE
options NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###

options ROUTETABLES=16 # max 16 FIB (Forward Information Base/multiple routing tables) support

device tap # virtual link layer 2 device (VirtualBox bridging via tap0, see below)

# ALTQ: traffic shaping. Its usual consumer is pf, which is disabled above,
# so these options are dormant until pf can be enabled again.
options ALTQ
options KTR_ALQ # NOTE(review): only has an effect together with `options KTR`, which is not set here -- confirm

options ALTQ_CBQ # Class Based Queueing
options ALTQ_RED # Random Early Detection
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options ALTQ_NOPCC # Required if the TSC is unusable

options VFS_AIO # asynchronous I/O (aio(4))

### options TCP_OFFLOAD # TCP offload

# Resource accounting and limits (rctl(8)): lets the host cap CPU, memory,
# open files etc. per jail, so one jail cannot starve the host or its peers.
options RACCT
options RCTL

device crypto # core crypto support
device cryptodev # /dev/crypto for access to h/w (host only as written: the jail devfs ruleset on this page does not unhide it)

device rndtest # FIPS 140-2 entropy tester; sanity-checks the output of the hardware RNGs below

device hifn # Hifn 7951, 7781, etc.
options HIFN_DEBUG # enable debugging support: hw.hifn.debug (debug sysctl only; not needed on a production host)
options HIFN_RNDTEST # enable rndtest support

device ubsec # Broadcom 5501, 5601, 58xx
options UBSEC_DEBUG # enable debugging support: hw.ubsec.debug (debug sysctl only; not needed on a production host)
options UBSEC_RNDTEST # enable rndtest support

options IPSEC # IP security (requires device crypto)
options IPSEC_NAT_T # NAT-T support, UDP encap of ESP

options FDESCFS # File descriptor filesystem
#
### ### ### VIMAGE ### ### ###
|
|
</source>
|
|
|
|
|
|
<source lang=bash>
|
|
cd /usr/src
|
|
time make buildkernel KERNCONF=VIMAGE
|
|
time make installkernel KERNCONF=VIMAGE
|
|
|
|
reboot
|
|
</source>
|
|
|
|
|
|
<source lang=bash>
|
|
vi /etc/rc.conf

### VIMAGE // ###
# Host-side virtual switch: bridge0 is renamed to vswitch0 and the physical
# uplink bge0 becomes a member. Every jail's epair "a" end is added to this
# bridge later, so the jails share one layer-2 segment with bge0's LAN:
# anything on that LAN can reach the jails directly and the jails can reach
# each other. Put bge0 on a dedicated VLAN/segment if that is not intended.
cloned_interfaces="bridge0"
ifconfig_bridge0_name="vswitch0"
ifconfig_vswitch0="addm bge0"
### // VIMAGE ###

### EZJAIL // ###
ezjail_enable="YES"
# vnet=new gives every ezjail-managed jail its own network stack
# (requires the VIMAGE kernel option above).
jail_parameters="vnet=new"
### // EZJAIL ###
|
|
|
|
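vi /etc/sysctl.conf

### EZJAIL // ###
# Raw sockets in jails let root inside a jail open raw IP sockets: ping and
# traceroute need them, but they also allow hand-crafted packets with
# arbitrary headers, which vswitch0 forwards onto the LAN. Grant this per
# jail with allow.raw_sockets=1 in the jail's definition (as test01 below
# does) instead of as a host-wide default for every jail.
#security.jail.allow_raw_sockets=1
# NOTE(review): the security.jail.param.* tree only describes the available
# jail parameters to jail(8); writing to it is not a policy switch and is not
# expected to change anything. Left out for that reason.
#security.jail.param.allow.raw_sockets=1
#
# Add new interface addresses/routes to all FIBs (ROUTETABLES=16 in the
# kernel). This is an on/off switch; the original value 4 only counts as
# "non-zero", so 1 says the same thing without looking like a count.
net.add_addr_allfibs=1
### // EZJAIL ###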
|
|
|
|
cd /usr/ports/sysutils/ezjail/ && make install clean

vi /usr/local/etc/ezjail.conf

### ### ### EZJAIL ### ### ###
# Left at the default; uncomment to build the basejail from the checked-out
# /usr/src (ezjail-admin update -b/-i) instead of a downloaded release.
# ezjail_sourcetree=/usr/src

# One ZFS dataset per jail under zroot/ezjail (snapshot/rollback per jail).
ezjail_use_zfs="YES"
ezjail_use_zfs_for_jails="YES"
ezjail_jailzfs="zroot/ezjail"

# NOTE(review): jail datasets use fletcher4 while /usr/src and /usr/obj above
# use sha256 -- intentional? fletcher4 is the fast default, sha256 the
# collision-resistant choice.
ezjail_zfs_properties="-o checksum=fletcher4 -o compression=lz4 -o atime=off"
### ### ### EZJAIL ### ### ###
# EOF

# Populate the basejail from the release distribution, then fetch a ports
# tree into it (-P).
ezjail-admin install
ezjail-admin update -P

# A VNET jail gets its address inside its own stack (see the jail's
# exec_poststart hooks), so no address is assigned here -- hence 0.0.0.0.
ezjail-admin create test01 0.0.0.0
|
|
|
|
vi /usr/local/etc/ezjail/test01

# Run the jail's rc.shutdown on stop so services inside stop cleanly.
export jail_test01_exec_stop="/bin/sh /etc/rc.shutdown"
# allow.raw_sockets: root in the jail may open raw IP sockets (ping/traceroute,
# but also hand-built packets). allow.sysvipc: on this FreeBSD release System V
# IPC is a single namespace shared by the host and every jail that allows it,
# so this jail can see and interfere with shm/sem/msg objects of the host and
# of other such jails -- keep it only if software in the jail really needs it.
export jail_test01_parameters="allow.raw_sockets=1 allow.sysvipc=1"
# No host-side IP: the VNET jail configures its own address below.
#export jail_test01_ip="0.0.0.0"
# Virtual cable: epair1a stays on the host and is plugged into vswitch0,
# epair1b is moved into the jail's network stack once the jail exists.
# The unit number (epair1) is hard-coded, so every jail needs its own.
export jail_test01_exec_prestart0="ifconfig epair1 create up"
export jail_test01_exec_prestart1="ifconfig vswitch0 addm epair1a"
export jail_test01_exec_poststart0="ifconfig epair1b vnet test01"
# Address and default route are pushed in from the host via jexec, so the
# jail itself needs no network configuration in its own rc.conf.
export jail_test01_exec_poststart1="jexec test01 /sbin/ifconfig epair1b 192.168.0.101/24"
export jail_test01_exec_poststart2="jexec test01 /sbin/route add default 192.168.0.1"
# Destroying one end of an epair removes the pair (epair(4)).
export jail_test01_exec_poststop0="ifconfig epair1a destroy"

vi /usr/local/etc/ezjail/test01

# devfs ruleset 20 is defined in /etc/devfs.rules in the next step; it
# decides which device nodes the jail can see.
export jail_test01_devfs_ruleset="20"
|
|
|
|
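vi /etc/devfs.rules

### Jail - VIMAGE - // ###
# devfs ruleset for VNET jails (referenced as devfs_ruleset="20" in the jail
# definition). Start from the stock jail rules and expose only what the
# jail's own network stack needs.
[devfsrules_jail_vimage=20]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# /dev/mem and /dev/kmem are deliberately NOT unhidden: with them, root inside
# the jail can read (and, unless securelevel forbids it, write) kernel memory
# directly, which defeats the jail and the vnet isolation entirely. Nothing
# in the setup on this page needs them.
# bpf: needed by dhclient/tcpdump inside the jail; with VIMAGE it only sees
# the interfaces of the jail's own vnet (epair1b, tun0), so jail root can
# sniff its own traffic but not the host's.
add path 'bpf*' unhide
# tun: for the OpenVPN tun0 that is moved into the jail below. 'tun*' is
# broader than the single device moved in; narrow it to tun0 if that is the
# only one.
add path 'tun*' unhide
### // Jail - VIMAGE - ###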
|
|
|
|
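vi /usr/local/etc/ezjail/test01

### OpenVPN // ###
# A tun device for OpenVPN inside the jail: created on the host, moved into
# the jail's vnet after start, destroyed on stop. The unit number is fixed
# (tun0), so it must not collide with a tun the host itself uses; the jail's
# devfs ruleset has to unhide it (tun* in ruleset 20).
export jail_test01_exec_prestart2="ifconfig tun0 create up"
export jail_test01_exec_poststart3="ifconfig tun0 vnet test01"
export jail_test01_exec_poststop1="ifconfig tun0 destroy"
### // OpenVPN ###

vi /usr/local/etc/ezjail/test01

# IPv6 for the same jail. These hooks continue test01's poststart numbering,
# so they are named jail_test01_*: ezjail looks up jail_<name>_* by the
# config file's name, and the original jail_test01_local_* variables (and
# "jexec test01_local") would never have matched this file.
# 2001:db8::/32 is the IPv6 documentation prefix -- replace the address and
# the link-local router address with your own. Do not use ffff:... as a
# stand-in: ff00::/8 is the multicast range, not a unicast address.
export jail_test01_exec_poststart4="jexec test01 /sbin/ifconfig epair1b inet6 2001:db8:0:1::101 prefixlen 64"
export jail_test01_exec_poststart5="jexec test01 /sbin/route add -inet6 default fe80::ffff:ffff:ffff:1dac%epair1b"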
|
|
|
|
vi /etc/sysctl.conf

### VIMAGE // ###
# Lets non-root processes open /dev/tap* (subject to the devfs permissions
# below), so VirtualBox running as an unprivileged user can bridge a VM onto
# tap0.
net.link.tap.user_open=1
### // VIMAGE ###

vi /etc/devfs.rules

# NOTE(review): this line has no [ruleset=N] header of its own, so it is
# appended to whichever ruleset section precedes it in the file -- after the
# edit above presumably the jail ruleset (20), not the host. For the host's
# tap nodes it belongs in a ruleset that is applied to the host's /dev
# (devfs_system_ruleset in rc.conf).
# Security note: together with user_open=1, every member of group operator
# can open any tap device and inject raw frames into vswitch0, i.e. onto the
# jail/LAN segment. Keep the operator group small, or name the device
# explicitly (tap0) instead of tap*.
add path 'tap*' mode 0660 group operator

vi /etc/rc.conf

# Replaces the earlier cloned_interfaces/ifconfig_vswitch0 lines: the uplink
# is now lagg0 (its laggproto/laggport configuration is not shown on this
# page) and tap0 joins the bridge so the VM shares the jail segment.
cloned_interfaces="bridge0 lagg0 tap0"
ifconfig_tap0="up"
ifconfig_vswitch0="addm lagg0 addm tap0"

# Point the VM's first network adapter at the tap; VirtualBox then puts the
# VM's frames on vswitch0 like any other bridge member.
VBoxManage modifyvm yourmachine --bridgeadapter1 tap0
|
|
</source>
|
|
|
|
|
|
== if_epair.c Patch ==
|
|
|
|
https://github.com/plitc/freebsd/blob/master/sys/net/if_epair.c
|
|
|
|
<source lang=bash>
|
|
#include <sys/sockio.h>
|
|
|
|
#include <sys/sysctl.h>
|
|
|
|
#include <sys/types.h>
|
|
|
|
+#include <sys/libkern.h>
|
|
|
|
|
|
|
|
#include <net/bpf.h>
|
|
|
|
#include <net/ethernet.h>
|
|
|
|
@@ -719,8 +720,9 @@ epair_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
|
|
|
|
if (params) {
|
|
|
|
scb = (struct epair_softc *)params;
|
|
|
|
ifp = scb->ifp;
|
|
|
|
- /* Assign a hopefully unique, locally administered etheraddr. */
|
|
|
|
+ /* Assign a hopefully unique, locally administered etheraddr. -for epairNb- */
|
|
|
|
eaddr[0] = 0x02;
|
|
|
|
+ eaddr[1] = arc4random() & 0xff;
|
|
|
|
eaddr[3] = (ifp->if_index >> 8) & 0xff;
|
|
|
|
eaddr[4] = ifp->if_index & 0xff;
|
|
|
|
eaddr[5] = 0x0b;
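Review bot: The added `eaddr[1] = arc4random() & 0xff;` mixes only eight bits of randomness into the address, so two hosts on the same bridge still collide whenever their epairs get the same if_index and the same random byte (1 in 256 per matching pair), and because the byte is drawn on every create, the jail's MAC changes on each restart, which breaks MAC-based DHCP reservations and switch port security. If the goal is uniqueness across hosts, derive bytes 1 and 2 from something host-specific and stable (a hash of the host UUID, for instance) and keep if_index in bytes 3-4; if random is acceptable, at least use byte 2 as well: `eaddr[1] = arc4random() & 0xff; eaddr[2] = arc4random() & 0xff;`. Whether byte 2 is zeroed elsewhere is not visible here; epair_clone_create starts and ends outside this hunk.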
|
|
|
|
@@ -814,8 +816,9 @@ epair_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params)
|
|
|
|
ifp->if_ioctl = epair_ioctl;
|
|
|
|
ifp->if_init = epair_init;
|
|
|
|
ifp->if_snd.ifq_maxlen = ifqmaxlen;
|
|
|
|
- /* Assign a hopefully unique, locally administered etheraddr. */
|
|
|
|
+ /* Assign a hopefully unique, locally administered etheraddr. -for epairNa- */
|
|
|
|
eaddr[0] = 0x02;
|
|
|
|
+ eaddr[1] = arc4random() & 0xff;
|
|
|
|
eaddr[3] = (ifp->if_index >> 8) & 0xff;
|
|
|
|
eaddr[4] = ifp->if_index & 0xff;
|
|
|
|
eaddr[5] = 0x0a;
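Review bot: This hunk now duplicates the address-generation block of the epairNb hunk above byte for byte, with only the comment suffix and `eaddr[5]` differing, so the randomisation (and any later fix to it) has to be kept in sync in two places. A small static helper that both call sites use would make the one-sided difference explicit; the element type of eaddr is not visible in the hunk, so the prototype below should follow the declaration in epair_clone_create, which starts and ends outside this hunk.
```c
/* Locally administered, "hopefully unique" address for one end of an epair;
 * side is 0x0a for the 'a' end and 0x0b for the 'b' end. */
static void
epair_set_eaddr(struct ifnet *ifp, u_char *eaddr, u_char side)
{
	eaddr[0] = 0x02;
	eaddr[1] = arc4random() & 0xff;
	eaddr[3] = (ifp->if_index >> 8) & 0xff;
	eaddr[4] = ifp->if_index & 0xff;
	eaddr[5] = side;
}
/* … in epair_clone_create, replacing this hunk's inline block … */
	epair_set_eaddr(ifp, eaddr, 0x0a);
```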
|
|
</source>
|
|
|
|
Quelle: https://github.com/plitc/freebsd/commit/9215c5850ff562a44d0347fa03be60bd3cdd4b9c
|
|
|
|
== Log ==
|
|
* 18.05.2014 freebert_vimage_picture
|