Ralph Rönnquist
ab7139047b
|
1 year ago | |
|---|---|---|
| asm | 2 years ago | |
| debian | 1 year ago | |
| src | 2 years ago | |
| .gitignore | 2 years ago | |
| Makefile | 1 year ago | |
| README.adoc | 1 year ago | |
| functions | 1 year ago | |
| overlay-boot | 1 year ago | |
| overlay-boot.8.adoc | 1 year ago | |
| overlay-diskfile | 2 years ago | |
| overlay-diskfile.8.adoc | 2 years ago | |
| overlay-go | 2 years ago | |
| overlay-go.8.adoc | 2 years ago | |
| overlay-init | 2 years ago | |
| overlay-postmount | 2 years ago | |
| overlay-premount | 2 years ago | |
| overlay-share | 1 year ago | |
| overlay-share.8.adoc | 1 year ago | |
| overlay-stop | 2 years ago | |
| overlay-stop.8.adoc | 2 years ago | |
| subhosts.conf | 2 years ago | |
| subhosts.sh | 2 years ago | |
README.adoc
The overlay-boot Project
The overlay-boot project implements a "minimalist approach" for dividing a single host into "subhosts" for administratively separated services. The project provides core support for "subhosts" that are independent operating system environments but using overlay root filesystems, and with their services executed with separated namespaces by a common kernel.
The concept is similar to "containers" and "virtual machines", but with much lighter touch that is aimed at light-weight technical separation of service environments within a common adminstration framework.
-
overlay-boot implements a simple and efficient networking principle where networking is achived via network namspaces and virtual cabling. There is an overarching adminstrative control at the host end while the subhosts are adminstrated separately as if they were alone.
-
overlay-boot includes support for overlay root filesystem with persistent individual overlays for the subhosts. This is scripted to be open for any storage solutions, including the sharing of file system subtrees, disk and partition image files and logical volume set ups.
-
overlay-boot includes a scripted service oriented "subhost init" procedure that is open for all kinds of service management, including the trivial case of "no services" (as is necessary for installing and configuring the service or services of a subhost).
A usage example (minimal)
A subhost is techincally defined as a directory that contains three mount points "work", "root" and "live", and a configuration file with at least a definition of the BASE variable with the pathname of the subhost directory. For convenience, the BASE pathname is understood as relative to its own directory, and thus, if the configuration resides in the subhost directory a simple "BASE=." assignment is a sufficient configuration.
Refer to the overlay-boot manpage for all the configuration options.
-
The minimal overlay subhost setup
# mkdir /ex1 /ex1/work /ex1/root /ex1/live # echo BASE=. > /ex1/ex1.conf
The minimal overlay subhost may then be started with
# overlay-boot /ex1/ex1.conf
and it may be stopped with:
# overlay-stop /ex1/ex1.conf
The subhost environment may be "entered" with
# overlay-go ex1
Another usage example (MTA)
This is an example setup at /opt/mta of a larger overlay subhost
for an MTA as primary service and with some additional useful
companion services.
$ sudo mkdir -p /opt/mta/{live,root,work}
# sudo tee /opt/mta/mta.conf <EOF
BASE=.
CABLES= =06:20:03:4e:a6:f2
START= hostname.sh rsyslog networking ssh saslauthd postfix dovecot
EOF
Note that this initial setup includes a MAC address for the subhost end of the (single) virtual cable, and an enumeration of (sysv) services to start "automatically" within the subhost. Of course those services might not be available on the first start, and then the initial admin task is to install them inside the subhost.
This example includes networking setup which is necessary for the subhost services. That setup includes both host end configurations and subhost end configurations.
# echo "source interfaces.d/mta.conf" >> /etc/network/interfaces
# echo "$MTANET.2 mta" >> /etc/hosts
# echo "mta" > /opt/mta/root/etc/hostname
# iptables -t nat -I PREROUTING -p tcp --dport 25 -j DNAT --to-destination $MTANET.2
# iptables -t nat -I POSTROUTING -s $MTANET.2 -j MASQUERADE
# cat > /etc/network/interfaces.d/mta.conf <EOF
iface mta0 inet static
address $MTANET.1/24
EOF
# cat > /opt/mta/root/etc/network/interfaces <EOF
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address $MTANET.2/24
gateway $MTANET.1
EOF
-
the host end cabling configuration is done in a separate file (
/etc/network/interfaces.d/mta.conf) that is explicitly sourced in/etc/network/interfaces -
the firewall rules direct incoming port 25 traffic onwards to the subhost, and provides NAT for its outbound traffic
-
host names are not necessarily used, but it may be convenient. The subhost has a separate UTS namespace and there might be an initial confusion about hostname.
-
the subhost cable end configuration is done directly into a "fresh" subhost
root/etc/network/interfaces. Note thatoverlay-bootwill itself prepare a minimal freshroot/etc/network/interfacesif there is none; that is done so as to avoid "accidental" use of the main host configuration in the subhost.
# overlay-boot /opt/mta/mta.conf
The subhost will start ssh service which may allow user to enter the
subhost via ssh. Since the subhost root filesystem is an overlay, it
will in particular "inherit" the /home tree as well as most of
/etc, and thus the main host user would be able to enter the subhost
via ssh in the same way as they enter the main host via ssh.
It is also possible to enter with overlay-go mta for administrative
purposes.
# overlay-stop /opt/mta/mta.conf