aetherscale

[unmaintained] code for a cloud provider tutorial

commit 86f921adfa15bfe90d01cb2f7c913651b6640c29
parent 371a6e8e77a0e3887a50d3d4338f85aba3f15229
Author: Stefan Koch <programming@stefan-koch.name>
Date:   Sun, 20 Dec 2020 19:18:48 +0100

update readme to sudo approach

Diffstat:
M README.md | 61 ++++++++++++-------------------------------------------------
D bin/setup-vpn-tap-vde.sh | 47 -----------------------------------------------
2 files changed, 12 insertions(+), 96 deletions(-)

diff --git a/README.md b/README.md 
@@ -51,27 +51,21 @@ bin/setup-tap-vde.sh -u username -i 192.168.0.10/24 -g 192.168.0.1 -e eth0 It's possible to connect different VMs on possibly different hosts with a VPN. For each virtual network a tinc instance is started. -This means that we have to create an unknown number of networks dynamically -upon user request. To somehow solve the problem that as a standard user we -cannot modify network devices without the `CAP_NET_ADMIN` capability, we -create a pre-defined number of unconfigured network devices `net-vpn-1` to -`net-vpn-k`. -The mapping between the dummy VPN devices and user-chosen VPN names is then -done by aetherscale. +In order to allow dynamic creation of network device entries we use `sudo` +calls to the `ip` utility. To auto-configure IPv6 addresses of VPNs inside +the guest VM we use IPv6 Router Advertisement messages. We run a `radvd` +server that sends out the prefixes for IPv6 addresses. `radvd` also requires +root permissions (or to be exact `CAP_NET_RAW` permissions). -To create the dummy VPN interfaces (including bridging) run: +To allow these calls you have to enable passwordless sudo permissions with +the following entry in `visudo`: -```bash -bin/setup-vpn-tap-vde.sh -u username -n 10 -p 2001:db8:85a3 +``` +youruser ALL=(ALL) NOPASSWD: /usr/bin/ip, /usr/bin/radvd ``` -`-p` defines the IPv6 prefix from which submasks for private subnets will be -chosen. It must be a `/48` prefix from which each VPN will receive a `/64` -prefix. - -This is not a nice solution and ideally network interfaces should be -created on-the-fly, but Linux capabilities inheritance to subprocesses -seems quite complicated, and without inheritance we'd have to grant +This is not a perfect solution but Linux capabilities inheritance to +subprocesses seems quite complicated, and without inheritance we'd have to grant `CAP_NET_ADMIN` to both `ip` and `tincd`. This might be undesired, because then any user can change network devices. 
Another option could be to assign `CAP_NET_ADMIN` to the user running aetherscale, but this seems to @@ -81,38 +75,6 @@ binary that is to be executed. While this in my opinion would be a reasonable choice for a production program, it feels too heavy for a proof-of-concept tool. -For IPv6 auto-configuration you must have a program for router -advertisement running, e.g. radvd. Since radvd requires `CAP_NET_RAW`, -you'll have to run it externally from aetherscale, aetherscale cannot -autostart it. - -An example configuration file for two pre-configured subnets could look like: - -``` -interface aeth-vpnbr-1 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 10; - prefix ::/64 { - AdvOnLink on; - AdvAutonomous on; - AdvRouterAddr off; - }; -}; - -interface aeth-vpnbr-2 { - AdvSendAdvert on; - MinRtrAdvInterval 3; - MaxRtrAdvInterval 10; - prefix ::/64 { - AdvOnLink on; - AdvAutonomous on; - AdvRouterAddr off; - }; -}; -``` - - ## Usage The server can be started with: @@ -200,6 +162,7 @@ Stuff I use for computing (and thus have learnt something about so far): - VDE could also be relevant, but currently out of scope - layer-2 VPN with tinc - `libguestfs` for analyzing and changing images +- IPv6, radvd ## Contribution diff --git a/bin/setup-vpn-tap-vde.sh b/bin/setup-vpn-tap-vde.sh 
@@ -1,47 +0,0 @@ -#!/usr/bin/env bash - -usage() { - echo "Usage: $0 -u USER -n NUM-DEVICES -p IPv6-48-PREFIX" -} - -while getopts ":hu:n:p:" opt; do - case "$opt" in - h|\?) - usage - exit 0 - ;; - u) user=$OPTARG - ;; - n) num_devices=$OPTARG - ;; - p) prefix=$OPTARG - ;; - esac -done - -if [[ -z $user || -z $num_devices || -z $prefix]]; then - usage - echo - echo "Please specify all required arguments" - exit 1 -fi - -for i in $(seq 1 $num_devices); do - bridge_name=aeth-vpnbr-$i - tinc_name=aeth-vpntnc-$i - vde_name=aeth-vpnvde-$i - - ip link add $bridge_name type bridge - ip link set $bridge_name up - - ip tuntap add dev $tinc_name mode tap user $user - ip link set $tinc_name up - ip link set $tinc_name master $bridge_name - ip addr flush dev $tinc_name - - ip tuntap add dev $vde_name mode tap user $user - ip link set dev $vde_name up - ip link set $vde_name master $bridge_name - - ip addr add $prefix:$i::1/64 dev $bridge_name -done
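Review bot: the sudoers entry `youruser ALL=(ALL) NOPASSWD: /usr/bin/ip, /usr/bin/radvd` in the first README hunk (`@@ -51,27 +51,21 @@`) grants much more than the network-device changes the surrounding text describes: `ip` is permitted with arbitrary arguments, and it has subcommands that execute other programs as the target user, so this rule amounts to unrestricted root for `youruser` rather than a narrow substitute for `CAP_NET_ADMIN`. The `(ALL)` runas field is also wider than needed; `(root)` is sufficient. Suggest documenting a small wrapper script that accepts only the specific `ip link`, `ip tuntap` and `ip addr` invocations aetherscale issues and validates the interface names, and listing that wrapper in sudoers instead of `/usr/bin/ip`; at minimum, the sentence "This is not a perfect solution but Linux capabilities inheritance ..." should state plainly that the rule is equivalent to root access on the host, so operators can make an informed choice.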
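Review bot: the second README hunk (`@@ -81,38 +75,6 @@`) removes the only description of how radvd is run and configured (the note that aetherscale cannot autostart it, and the example `interface aeth-vpnbr-1 { ... }` configuration), while the replacement text added in the first hunk says only "We run a `radvd` server that sends out the prefixes for IPv6 addresses." A reader can no longer tell whether aetherscale now writes the radvd configuration and launches it through the new sudo rule or whether the operator still has to run it, nor where the IPv6 prefix comes from now that the `-p` option and its `/48` to `/64` explanation are gone. Suggest keeping a short paragraph stating who starts radvd, where its configuration file is written, and how the per-VPN `/64` prefixes are chosen.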
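Review bot: deleting `bin/setup-vpn-tap-vde.sh` also removes the only inventory of the privileged `ip` operations the tool actually needs (`ip link add $bridge_name type bridge`, `ip tuntap add dev $tinc_name mode tap user $user`, `ip addr add $prefix:$i::1/64 dev $bridge_name`), which is exactly the list required to scope the new sudo rule to specific commands instead of all of `/usr/bin/ip`. Suggest either retaining the script as a reference for a restricted wrapper or listing the required `ip` invocations in the README next to the sudoers entry so the rule can be tightened later. Incidentally, the removed script had a syntax error in `[[ -z $user || -z $num_devices || -z $prefix]]` (missing space before `]]`), so it would not have run as committed; worth mentioning in the commit message if anyone goes looking for it in history.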