From ca3303fd4d3685f5bc3bd333be8b0e739ea648b8 Mon Sep 17 00:00:00 2001 From: PythonLinks <34622952+PythonLinks@users.noreply.github.com> Date: Wed, 21 Sep 2022 19:27:47 +0200 Subject: [PATCH 1/3] Updating the Docs for Coulds with IPV6 networking. I hope I got this all correct. I did get the containers networked correctly on vultr, but I am not a networking guy so I hope I did not misstate anything. Any edits I am happy to fix. And now I have to run, I am late for the multi lingual meetup. But this stuff is way more fun. --- docs/chapters/networking.rst | 70 +++++++++++++++++++++++++++--------- 1 file changed, 53 insertions(+), 17 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index ad44615b..698ee03f 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst @@ -1,13 +1,14 @@ Network Requirements ==================== Here's the scenario. You've installed Bastille at home or in the cloud and want -to get started putting applications in secure little containers, but how do I -get these containers on the network? +to get started putting applications in secure little containers, but how do you +get these containers on the network? There are two parts to this problem. Being +able to reach the network from your container, and being able to reach the container +from the network. (Please note that the ping command is disabled within the containers. ) Bastille tries to be flexible about how to network containerized applications. Three methods are described here. Consider each options when deciding -which design work best for your needs. One of the methods works better in the -cloud while the others are simpler if used in local area networks. +which design work best for your needs. **Note: if you are running in the cloud and only have a single public IP you may want the Public Network option. See below.** 
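Review bot: in the first hunk the added sentence "Being able to reach the network from your container, and being able to reach the container from the network." is a fragment; fold it into the preceding one, e.g. "There are two parts to this problem: reaching the network from your container, and reaching the container from the network." The parenthetical about ping should say why, or readers will report it as a bug: ping needs a raw socket, and FreeBSD jails do not get raw sockets by default (the `allow.raw_sockets` jail parameter is off), so ping from inside the container fails while ping to the container's address from outside still works, because the host kernel answers it. Also drop the stray space in "containers. )", and while touching this paragraph fix the unchanged context "Consider each options when deciding which design work best" to "Consider each option when deciding which design works best".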
@@ -16,21 +17,22 @@ may want the Public Network option. See below.** Local Area Network ================== I will cover the local area network (LAN) method first. This method is simpler -to get going and works well in a home network (or similar) where adding alias -IP addresses is no problem. +to get going and works well in an environment where adding alias +IP addresses is no problem. So it works well on your `private home network `, +or at an ISP like +`vultr.com ` which gives you 1 IPV4 address, and lots of IPV6 addresses. -Shared Interface (IP alias) ---------------------------- +Shared Interface on Home Network(IP alias) +----------------------------------------- In FreeBSD network interfaces have different names, but look something like -`em0`, `bge0`, `re0`, etc. On a virtual machine it may be `vtnet0`. You get the -idea... +`em0`, `bge0`, `re0`, etc. Bastille allows you to define the interface you want the IP attached to when you create it. An example: .. code-block:: shell - bastille create alcatraz 13.1-RELEASE 192.168.1.50 em0 + bastille create alcatraz 13.1-RELEASE 192.168.1.50 em0 When the `alcatraz` container is started it will add `192.168.1.50` as an IP alias to the `em0` interface. It will then simply be another member of the 
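Review bot: the two new hyperlinks will not render as links: an RST external link needs both the target and a trailing underscore, `` `private home network <URL>`_ ``, and as shown `private home network ` and `vultr.com ` have neither. The new heading "Shared Interface on Home Network(IP alias)" needs a space before the parenthesis, and its underline must be at least as long as the title, otherwise Sphinx emits a "Title underline too short" warning. The `bastille create alcatraz 13.1-RELEASE 192.168.1.50 em0` line is removed and re-added with no visible difference, so this is a whitespace-only change inside a literal block; either drop it or keep the original indentation so the code-block still renders.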
@@ -43,6 +45,39 @@ interface and a free IP on your current network. Bastille tries to verify that the interface name you provide it is a valid interface. It also checks for a valid syntax IP4 or IP6 address. +Shared Interface on IPV6 network (vultr.com) +------------------------------- +This is much like the home network described above. +So first read the above section. + +On a virtual machine such as vultr.com the virtual interface may be `vtnet0`. +So we issue the command: + +.. code-block:: shell + + bastille create alcatraz 13.1-RELEASE vtnet0 + +We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100 + +The tricky part are the ipv6 addresses. IPV6 is a string of 8 4 digit +hexadecimal characters. At vultr they said: + +Your server was assigned the following six section subnet: + +2001:19f0:6c01:114c:: / 64 + +We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0 + +Where the /64 basicaly means that the first 5 4 digit hexadecimals values define the network, and the last set, we can assign as we want to the Bastille Container. In the actual bastille create command given above, it was defined to be 100. But we also have to tell vultr that we are now using this address. This is done on freebsd with the following command + +.. code-block:: shell + + ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64" + +At that point your container can talk to the world, and the world can ping your container. Just remember you cannot ping out from the container. Of course when you reboot the machine, that command will be forgotten To make it permanent, +you have to add it to the file /etc/rc.conf + + Virtual Network (VNET) ---------------------- (Added in 0.6.x) VNET is supported on FreeBSD 12+ only. 
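Review bot: the networking facts in the new IPv6 section need correcting before merge. First, `bastille create alcatraz 13.1-RELEASE vtnet0` is missing the address argument; the order shown in the section above is name, release, IP, interface, so it should be `bastille create alcatraz 13.1-RELEASE 2001:19f0:6c01:114c::100 vtnet0`. Second, `2001:19f0:6c01:114c:0:100` and `2001:19f0:6c01:114c:0:0` are not valid IPv6 addresses: an address is eight 16-bit groups written as up to four hex digits each, and `::` stands for the single run of zero groups, so `2001:19f0:6c01:114c::100` written out is `2001:19f0:6c01:114c:0:0:0:100`, and the network is `2001:19f0:6c01:114c:0:0:0:0`; write the prefix without spaces as `2001:19f0:6c01:114c::/64`. Third, `/64` means the first 64 bits, i.e. the first four groups, are the network, not the first five; the remaining four groups are yours to assign, and `::100` uses the last of them. Fourth, `ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64"` is an /etc/rc.conf setting, not a command, and it is exactly the form that survives a reboot; the one-off command that is forgotten on reboot would be `ifconfig vtnet0 inet6 2001:19f0:6c01:114c::100 prefixlen 64 alias`. Since the section above states that Bastille adds the alias itself when the container starts, please say whether this manual alias is still required for IPv6 or whether the two conflict. "Tell vultr" is also misleading, nothing is sent to the provider, the host is simply configured to answer for that address. Finally, each container now has a globally routable address, so the sentence "the world can ping your container" should point the reader at the host firewall before any service is exposed, consistent with the "firewall permitting" caveat earlier in the chapter; and fix "basicaly", "The tricky part are", and the missing period after "forgotten".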
@@ -124,17 +159,18 @@ The bridge needs to be created/enabled before creating and starting the jail. Public Network ============== -In this section I'll describe how to network containers in a public network -such as a cloud hosting provider (AWS, digital ocean, vultr, etc) +In this section we describe how to network containers in a public network +such as a cloud hosting provider who only provides you with a single ip address. +(AWS, digital ocean, etc) (The exception is vultr.com, which does +provide you with lots of IPV6 addresses and does a great job supporting FreeBSD!) -In the public cloud you don't often have access to multiple private IP -addresses for your virtual machines. This means if you want to create multiple -containers and assign them all IP addresses, you'll need to create a new +So if you only have a single IP address and if you want to create multiple +containers and assign them all unique IP addresses, you'll need to create a new network. loopback (bastille0) -------------------- -What I recommend is creating a cloned loopback interface (`bastille0`) and +What we recommend is creating a cloned loopback interface (`bastille0`) and assigning all the containers private (rfc1918) addresses on that interface. The setup I develop on and use Bastille day-to-day uses the `10.0.0.0/8` address range. I have the ability to use whatever address I want within that range From 64fcda2533d7cd1b162515fdc1d16ba757653518 Mon Sep 17 00:00:00 2001 From: PythonLinks <34622952+PythonLinks@users.noreply.github.com> Date: Fri, 30 Sep 2022 07:38:46 +0200 Subject: [PATCH 2/3] Update networking.rst Polished up this Document. --- docs/chapters/networking.rst | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 698ee03f..41dc1656 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst 
@@ -4,19 +4,20 @@ Here's the scenario. You've installed Bastille at home or in the cloud and want to get started putting applications in secure little containers, but how do you get these containers on the network? There are two parts to this problem. Being able to reach the network from your container, and being able to reach the container -from the network. (Please note that the ping command is disabled within the containers. ) +from the network. (Please note that the ping command is disabled within the containers, +because raw socket access is a security hole. ) Bastille tries to be flexible about how to network containerized applications. Three methods are described here. Consider each options when deciding which design work best for your needs. **Note: if you are running in the cloud and only have a single public IP you -may want the Public Network option. See below.** +may want to skip down to the Public Network option. See below.** Local Area Network ================== -I will cover the local area network (LAN) method first. This method is simpler +The local area network (LAN) method is covered first. This method is simpler to get going and works well in an environment where adding alias IP addresses is no problem. So it works well on your `private home network `, or at an ISP like @@ -42,7 +43,7 @@ reach services at that address. This method is the simplest. All you need to know is the name of your network interface and a free IP on your current network. -Bastille tries to verify that the interface name you provide it is a valid +Bastille tries to verify that the interface name you provided is a valid interface. It also checks for a valid syntax IP4 or IP6 address. Shared Interface on IPV6 network (vultr.com) @@ -55,7 +56,7 @@ So we issue the command: .. code-block:: shell - bastille create alcatraz 13.1-RELEASE vtnet0 + bastille create alcatraz 13.1-RELEASE 2001:19f0:6c01:114c::100 vtnet0 We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100 
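Review bot: the corrected `bastille create alcatraz 13.1-RELEASE 2001:19f0:6c01:114c::100 vtnet0` in the third hunk is right, but the context line directly after it still says the address "could also" be written `2001:19f0:6c01:114c:0:100`, which is not a valid IPv6 address (only six groups); the uncompressed form is `2001:19f0:6c01:114c:0:0:0:100`, so fix that line in the same patch. Two smaller points in the first hunk: "raw socket access is a security hole" would be more precise as "jails do not get raw sockets by default (the `allow.raw_sockets` jail parameter is off), and ping needs one", and "skip down to the Public Network option. See below." says "below" twice.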
@@ -66,6 +67,8 @@ Your server was assigned the following six section subnet: 2001:19f0:6c01:114c:: / 64 +The `vultr ipv6 subnet calculator ` is helpful in making sense of that ipv6 address. + We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0 Where the /64 basicaly means that the first 5 4 digit hexadecimals values define the network, and the last set, we can assign as we want to the Bastille Container. In the actual bastille create command given above, it was defined to be 100. But we also have to tell vultr that we are now using this address. This is done on freebsd with the following command @@ -74,9 +77,19 @@ Where the /64 basicaly means that the first 5 4 digit hexadecimals values define ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64" -At that point your container can talk to the world, and the world can ping your container. Just remember you cannot ping out from the container. Of course when you reboot the machine, that command will be forgotten To make it permanent, +At that point your container can talk to the world, and the world can ping your container. Of course when you reboot the machine, that command will be forgotten To make it permanent, you have to add it to the file /etc/rc.conf +Just remember you cannot ping out from the container. Instead I used wget to test the connectivity. + +Use the bastille pkg command to install wget. + +.. code-block:: shell + + bastille pkg alcatraz install wget + + + Virtual Network (VNET) ---------------------- From 2f35d07e58176c34db1e33cdbc647cd00df077e9 Mon Sep 17 00:00:00 2001 
From: PythonLinks <34622952+PythonLinks@users.noreply.github.com> Date: Tue, 4 Oct 2022 15:58:52 +0200 Subject: [PATCH 3/3] Update networking.rst Vultr supports FreeBSD and gives us both a single ipv4 and a range of ipv6 addresses. So the simple thing to do is to give each container its own public ipv6 address. No need to mess with vnet. At least that is the theory. Wish me luck in getting this working. Am I really the first person to be using this approach? --- docs/chapters/networking.rst | 65 +++++++++++++++++------------------- 1 file changed, 31 insertions(+), 34 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 41dc1656..55d7cab4 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst 
@@ -2,54 +2,52 @@ Network Requirements ==================== Here's the scenario. You've installed Bastille at home or in the cloud and want to get started putting applications in secure little containers, but how do you -get these containers on the network? There are two parts to this problem. Being -able to reach the network from your container, and being able to reach the container -from the network. (Please note that the ping command is disabled within the containers, -because raw socket access is a security hole. ) +get these containers on the network? Bastille tries to be flexible about how to +network containerized applications. Four methods are described here. -Bastille tries to be flexible about how to network containerized applications. -Three methods are described here. Consider each options when deciding -which design work best for your needs. +1. Home or Small Office -**Note: if you are running in the cloud and only have a single public IP you -may want to skip down to the Public Network option. See below.** +2. Cloud with IPV4 and multiple IPV6 + +3. Could with single IPV4 (internatl bridge) + +4. Cloud with a single IPV4 (external bridge) -Local Area Network -================== -The local area network (LAN) method is covered first. This method is simpler -to get going and works well in an environment where adding alias -IP addresses is no problem. So it works well on your `private home network `, -or at an ISP like -`vultr.com ` which gives you 1 IPV4 address, and lots of IPV6 addresses. +Please choose the option which is most appropriate for your environment. -Shared Interface on Home Network(IP alias) ------------------------------------------ -In FreeBSD network interfaces have different names, but look something like -`em0`, `bge0`, `re0`, etc. -Bastille allows you to define the interface you want the IP attached to when -you create it. An example: +First a few notes. 
Bastille tries to verify that the interface name you provide is a valid +interface. In FreeBSD network interfaces have different names, but look something like +`em0`, `bge0`, `re0`, `vtnet0` etc. Running the ifconfig commend will tell you the name +of your existing interfaces. Bastille also checks for a valid syntax IP4 or IP6 address. +When you are testing calling out from your containers, please note that the ping command is disabled within the containers, because raw socket access are a security hole. Instead I install and test with wget instead. + +Shared Interface on Home or Small Office Network +================================================ +If you have just one computer, or a home or small office network, +where you are separated from the rest of the internet by a router. So you are free to use +`private IP addresses `. + +In this environment, to use Bastille, just create the container, give it a unique private ip address, and attach its ip address to your primary interface. .. code-block:: shell bastille create alcatraz 13.1-RELEASE 192.168.1.50 em0 +You may have to change em0 + When the `alcatraz` container is started it will add `192.168.1.50` as an IP alias to the `em0` interface. It will then simply be another member of the hosts network. Other networked systems (firewall permitting) should be able to reach services at that address. This method is the simplest. All you need to know is the name of your network -interface and a free IP on your current network. - -Bastille tries to verify that the interface name you provided is a valid -interface. It also checks for a valid syntax IP4 or IP6 address. +interface and a free IP on your local network. Shared Interface on IPV6 network (vultr.com) -------------------------------- -This is much like the home network described above. -So first read the above section. +======================================= +Some ISP's, such as `vultr.com `, give you a single ipv4 address, and a large block of ipv6 addresses. 
You can then assign a unique ipv6 address to each Bastille Container. On a virtual machine such as vultr.com the virtual interface may be `vtnet0`. So we issue the command: @@ -71,7 +69,7 @@ The `vultr ipv6 subnet calculator
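Review bot: in the second patch's rc.conf hunk the text still describes `ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64"` as a command that is forgotten on reboot, but that line is the persistent /etc/rc.conf entry; the transient command is `ifconfig vtnet0 inet6 2001:19f0:6c01:114c::100 prefixlen 64 alias`, so show that one under "the following command" and the rc.conf line under "to make it permanent". The new `vultr ipv6 subnet calculator ` link has the same missing `<URL>` target and trailing underscore as the earlier links, "Instead I used wget" switches back to first person in a paragraph that now says "we", and the three blank lines before "Virtual Network (VNET)" should be collapsed to one. `bastille pkg alcatraz install wget` is the correct pkg syntax; as a lighter alternative, `fetch` from the FreeBSD base system tests outbound connectivity without installing a package.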
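Review bot: in the third patch, removing the "Local Area Network" heading breaks the section tree: "Shared Interface on Home or Small Office Network" and the vultr section are promoted to `===`, but "Virtual Network (VNET)" keeps `---`, so it now renders as a subsection of the vultr section instead of as the third of the four methods the new numbered list promises; promote it to `===` as well, and give the four headings names that match the list items ("Cloud with IPV4 and multiple IPV6" versus "Shared Interface on IPV6 network (vultr.com)") so readers can map one to the other. The new vultr underline (39 `=`) is again shorter than its title. Typos and grammar to fix in this hunk: "Could with single IPV4 (internatl bridge)" should be "Cloud with a single IPV4 (internal bridge)"; "ifconfig commend" should be "ifconfig command"; "raw socket access are a security hole" should be "is"; "Instead I install and test with wget instead" repeats "instead"; "Some ISP's" should be "Some ISPs"; "If you have just one computer, or a home or small office network, where you are separated from the rest of the internet by a router. So you are free to use" is a fragment and should read "If you have ... separated from the rest of the internet by a router, you are free to use"; `private IP addresses ` needs the `<URL>`_ link target; and "You may have to change em0" should finish the thought, e.g. "change em0 to the name of your own interface, as reported by ifconfig".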