You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

169 lines
5.2 KiB

The overlay-boot Project
The *overlay-boot* project implements a "minimalist approach" for
dividing a single host into "subhosts" for administratively separated
services. The project provides core support for "subhosts" that are
independent operating system environments but using overlay root
filesystems, and with their services executed with separated
namespaces by a common kernel.
The concept is similar to "containers" and "virtual machines", but
with much lighter touch that is aimed at light-weight technical
separation of service environments within a common adminstration
* *overlay-boot* implements a simple and efficient networking
principle where networking is achived via network namspaces and
virtual cabling. There is an overarching adminstrative control at
the host end while the subhosts are adminstrated separately as if
they were alone.
* *overlay-boot* includes support for overlay root filesystem with
persistent individual overlays for the subhosts. This is scripted
to be open for any storage solutions, including the sharing of file
system subtrees, disk and partition image files and logical volume
set ups.
* *overlay-boot* includes a scripted service oriented "subhost init"
procedure that is open for all kinds of service management,
including the trivial case of "no services" (as is necessary for
installing and configuring the service or services of a subhost).
A usage example (minimal)
A subhost is techincally defined as a directory that contains three
3 months ago
mount points "work", "root" and "live", and a configuration file with
at least a definition of the BASE variable with the pathname of the
subhost directory. For convenience, the BASE pathname is understood as
relative to its own directory, and thus, if the configuration resides
in the subhost directory a simple "BASE=." assignment is a sufficient
Refer to the overlay-boot manpage for all the configuration options.
. The minimal overlay subhost setup
# mkdir /ex1 /ex1/work /ex1/root /ex1/live
# echo BASE=. > /ex1/ex1.conf
8 months ago
The minimal overlay subhost may then be started with
8 months ago
# overlay-boot /ex1/ex1.conf
8 months ago
8 months ago
and it may be stopped with:
# overlay-stop /ex1/ex1.conf
8 months ago
The subhost environment may be "entered" with
# overlay-go ex1
Another usage example (MTA)
This is an example setup at +/opt/mta+ of a larger overlay subhost
for an MTA as primary service and with some additional useful
companion services.
.Initial setup for /opt/mta
$ sudo mkdir -p /opt/mta/{live,root,work}
# sudo tee /opt/mta/mta.conf <EOF
CABLES= =06:20:03:4e:a6:f2
START= rsyslog networking ssh saslauthd postfix dovecot
Note that this initial setup includes a MAC address for the subhost
end of the (single) virtual cable, and an enumeration of (sysv)
services to start "automatically" within the subhost. Of course those
services might not be available on the first start, and then the
initial admin task is to install them inside the subhost.
This example includes networking setup which is necessary for the
subhost services. That setup includes both host end configurations and
subhost end configurations.
.Initial networking setup (ifupdown, and e.g. MTANET=192.168.0)
# echo "source interfaces.d/mta.conf" >> /etc/network/interfaces
# echo "$MTANET.2 mta" >> /etc/hosts
# echo "mta" > /opt/mta/root/etc/hostname
# iptables -t nat -I PREROUTING -p tcp --dport 25 -j DNAT --to-destination $MTANET.2
# iptables -t nat -I POSTROUTING -s $MTANET.2 -j MASQUERADE
# cat > /etc/network/interfaces.d/mta.conf <EOF
iface mta0 inet static
address $MTANET.1/24
# cat > /opt/mta/root/etc/network/interfaces <EOF
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address $MTANET.2/24
gateway $MTANET.1
* the host end cabling configuration is done in a separate file
(+/etc/network/interfaces.d/mta.conf+) that is explicitly sourced in
* the firewall rules direct incoming port 25 traffic onwards to the
subhost, and provides NAT for its outbound traffic
* host names are not necessarily used, but it may be convenient. The
subhost has a separate UTS namespace and there might be an initial
confusion about hostname.
* the subhost cable end configuration is done directly into a "fresh"
subhost +root/etc/network/interfaces+. Note that +overlay-boot+ will
itself prepare a minimal fresh +root/etc/network/interfaces+ if there
is none; that is done so as to avoid "accidental" use of the main
host configuration in the subhost.
.Starting the subhost
# overlay-boot /opt/mta/mta.conf
The subhost will start +ssh+ service which may allow user to enter the
subhost via +ssh+. Since the subhost root filesystem is an overlay, it
will in particular "inherit" the +/home+ tree as well as most of
+/etc+, and thus the main host user would be able to enter the subhost
via +ssh+ in the same way as they enter the main host via +ssh+.
It is also possible to enter with +overlay-go mta+ for administrative
.Stopping the subhost
# overlay-stop /opt/mta/mta.conf