README: updates, remove outdated instructions
This commit is contained in:
parent
a9c32d7801
commit
be783a6803
242
README.md
242
README.md
|
@ -2,188 +2,80 @@
|
||||||
|
|
||||||
[![Build Status](https://travis-ci.org/hannesm/albatross.svg?branch=master)](https://travis-ci.org/hannesm/albatross)
|
[![Build Status](https://travis-ci.org/hannesm/albatross.svg?branch=master)](https://travis-ci.org/hannesm/albatross)
|
||||||
|
|
||||||
A set of binaries to manage, provision, and deploy MirageOS unikernels.
|
The goal of albatross is robust deployment of [MirageOS](https://mirage.io)
|
||||||
Some daemons are supposed to run in the host system, communicating via Unix domain sockets:
|
unikernels using [Solo5](https://github.com/solo5/solo5), including precise
|
||||||
- `vmmd`: privileged to create and destroy unikernels (also creates tap devices and attaches these to bridges)
|
error handling of failures. The code running under superuser privileges is
|
||||||
- `vmmd_console`: reads the console output of unikernels (via a fifo passed from `vmmd`)
|
minimimal. Albatross is supposed to be run on a machine in the dom0, next to the
|
||||||
|
hypervisor. Albatross keeps track of unikernel resource usage (memory, CPUs,
|
||||||
|
bridges, block storage and active block devices). Policies restricting these
|
||||||
|
resources for administrative domains are available. Local and remote deployments
|
||||||
|
are supported, remote ones are authenticated and encrypted via a mutually
|
||||||
|
authenticated TLS connection using X.509 client certificates. Multi-tenancy
|
||||||
|
deployments are possible, tenants do not need any other access to the machine:
|
||||||
|
console output and statistics gathered by the host are accessible via TLS.
|
||||||
|
Albatross keeps the information of running unikernels persistently, and starts
|
||||||
|
these unikernels when the albatross daemon is started. This means that whenever
|
||||||
|
a unikernel was started, it keeps running until it crashes or an explicit
|
||||||
|
destroy command is issued.
|
||||||
|
|
||||||
|
The administrative domain is similar to DNS: each unikernel has a name (e.g.
|
||||||
|
`foo.hello`), which consists of labels separated by dots. Policies and
|
||||||
|
access is done on a name basis - if access to `foo` is granted, `foo.hello`,
|
||||||
|
`foo.bar.hello`, etc. can be accessed, but not `bar` or `bar.hello`.
|
||||||
|
|
||||||
|
## Components
|
||||||
|
|
||||||
|
Albatross consists of a set of binaries. Several daemons, which communicate in a
|
||||||
|
request-response style over Unix domain sockets, are run in the host system:
|
||||||
|
- `vmmd`: privileged to create and destroy unikernels
|
||||||
|
- `vmmd_console`: reads the console output of unikernels
|
||||||
- `vmmd_log`: event log
|
- `vmmd_log`: event log
|
||||||
- `vmmd_stats`: statistics (`getrusage`, ifstat, BHyve debug counters) gathering
|
- `vmmd_stats`: statistics gathering (rusage, ifstat, BHyve debug counters)
|
||||||
- `vmmd_tls`: opens a TCP socket which authenticates (TLS with client certificate) and proxies to local unix domain sockets
|
- `vmmd_tls`: remote deployment via TLS with client certificate, and proxies to local daemons
|
||||||
- `vmmd_tls_inetd`: authenticates (TLS with client certificate via stdin) and proxies commands carried by a client certificate, to be used by inetd
|
- `vmmd_tls_inetd`: remote deployment via TLS and inetd (alternative to `vmmd_tls`)
|
||||||
- `vmmd_influx`: reports statistics from stats to influx listener
|
- `vmmd_influx`: statistic reporting from `vmmd_stats` to influx
|
||||||
|
|
||||||
Command-line applications for local and remote management are provided as well
|
The main daemon is the privileged `vmmd`, which supervises unikernels. It opens
|
||||||
- `vmmc_local`: executes a command locally via Unix domain sockets
|
a listening Unix domain socket, reads the persisted unikernel configuration,
|
||||||
- `vmmc_remote`: connects to `vmm_tls_endpoint` and executes command
|
starts these unikernels, and awaits commands. Access can be regulated by Unix
|
||||||
|
file permissions, only those users who can write to that socket can send
|
||||||
|
commands.
|
||||||
|
|
||||||
|
`Vmmd_console` does not keep any persistent state, but a ring buffer of console
|
||||||
|
output from each unikernel. These messages can be retrieved by a client, as a
|
||||||
|
stream of messages (history, and whenever a new line is output, it is send to
|
||||||
|
the interested client). Each unikernel output can only be read by a single
|
||||||
|
client, to avoid amplification of traffic if lots of clients are connected.
|
||||||
|
`Vmmd` sends a message to `vmmd_console` whenever a new unikernel is started,
|
||||||
|
upon reception `Vmmd_console` opens and reads the fifo which the unikernel will
|
||||||
|
write their standard output to.
|
||||||
|
|
||||||
|
`Vmmd_log` keeps a persistent event log for albatross, can be read by clients.
|
||||||
|
|
||||||
|
`Vmmd_stats` gathers periodically statistics (memory, CPU, network, hypervisor)
|
||||||
|
from all running unikernels.
|
||||||
|
|
||||||
|
`Vmmd_tls` and `vmmd_tls_inetd` listen on a TCP port, and proxy requests from
|
||||||
|
remote clients to the respective daemons described above. They enforce client
|
||||||
|
authentication, and use the commen names of the client certificate chain as
|
||||||
|
administrative domain. The policies are embedded in CA certificates, the command
|
||||||
|
is embedded in the leaf certificate.
|
||||||
|
|
||||||
|
The following command-line applications for local and remote management are provided:
|
||||||
|
- `vmmc_local`: sends a command locally to the Unix domain sockets
|
||||||
|
- `vmmc_remote`: connects to a remote TLS endpoint and sends a command
|
||||||
- `vmmp_request`: creates a certificate signing request containing a command
|
- `vmmp_request`: creates a certificate signing request containing a command
|
||||||
- `vmmp_ca`: certificate authority operations: sign, generate (and revoke)
|
- `vmmp_ca`: certificate authority operations: sign, generate, and revoke (NYI)
|
||||||
- `vmmc_bistro`: command line utility to execute a command remotely: request, sign, remote (do not use in production, requires CA key on host)
|
- `vmmc_bistro`: command line utility to execute a command remotely: request, sign, remote (do not use in production, requires CA key locally)
|
||||||
|
|
||||||
TODO: from here on, this documentation is not up to date.
|
## Installation
|
||||||
|
|
||||||
Please read [the (outdated) blog article](https://hannes.nqsb.io/Posts/VMM) for motivation
|
|
||||||
and an overview.
|
|
||||||
|
|
||||||
The implementation uses explicit errors (no exceptions), and make mostly use of
|
|
||||||
the (blocking!) Bos library for operating system commands. A thin layer of Lwt
|
|
||||||
is used on top to (more gracefully) handle multiple connection, and to have a
|
|
||||||
watching thread (in `waitpid(2)`) for every virtual machine started by vmmd.
|
|
||||||
|
|
||||||
To install Albatross, run `opam pin add albatross
|
To install Albatross, run `opam pin add albatross
|
||||||
https://github.com/hannesm/albatross`.
|
https://github.com/hannesm/albatross`.
|
||||||
|
|
||||||
The following elaborates on how to get the software up and running, following by
|
Init scripts for FreeBSD are provided in the `packaging/rc.d` subdirectory.
|
||||||
provisioning and deploying some unikernels. There is a *server* (`SRV`)
|
|
||||||
component which needs six binaries: vmm_console, vmm_log, vmm_stats_lwt, vmmd,
|
|
||||||
solo5-hvt.none, solo5-hvt.net, solo5-hvt.block and solo5-hvt.block-net; a `CA` machine (which should be air-gapped, or
|
|
||||||
at least use some hardware token) for provisioning which needs vmm_sign, and
|
|
||||||
vmm_gen_ca; and a *development* (`DEV`) machine which has a fully featured OCaml
|
|
||||||
and MirageOS environment. Each step is prefixed with the machine it is supposed
|
|
||||||
to be executed on. Of course you can conflate everything into a single
|
|
||||||
development system or your server, all up to you and your security scenario.
|
|
||||||
|
|
||||||
Exact file transfer operations between these machines is not in scope of this
|
TODO: from here on, this documentation is not up to date.
|
||||||
document, but kept abstract as `COPY`. Some commands require superuser
|
|
||||||
privileges (use `sudo`, `su`, or `doas`), I prefixed them with `#`.
|
|
||||||
|
|
||||||
File endings used in this document:
|
It may help to read [the _outdated_ blog article](https://hannes.nqsb.io/Posts/VMM)
|
||||||
- `.db` for CA databases
|
for motivation of albatross and an overview over its functionality.
|
||||||
- `.pem` for (PEM-encoded) signed certificates
|
|
||||||
- `.key` for (PEM-encoded) private keys
|
|
||||||
- `.req` for (PEM-encoded) certificate signing requests
|
|
||||||
|
|
||||||
## Setup a certificate authority
|
|
||||||
|
|
||||||
The first step is to setup a certificate authority (private key and CA
|
|
||||||
certificate). The CA private key can sign and revoke everything, you should
|
|
||||||
better keep it in a safe place (air-gapped machine etc.) - not on the server!
|
|
||||||
|
|
||||||
```
|
|
||||||
CA> vmm_gen_ca ca ca.db [--days 3650] [--server "server"] [--server-days 365]
|
|
||||||
```
|
|
||||||
|
|
||||||
This generated five files:
|
|
||||||
- `ca.key` which is the CA private key
|
|
||||||
- `cacert.pem` which is the CA certificate
|
|
||||||
- `ca.db` which contains a map between serial number and name of issued certificates
|
|
||||||
- `server.pem` is the server certificate
|
|
||||||
- `server.key` is the private key of the server
|
|
||||||
|
|
||||||
## Server setup
|
|
||||||
|
|
||||||
If you have installed this package on your development machine, follow some more
|
|
||||||
steps to produce the remaining required binaries:
|
|
||||||
|
|
||||||
```
|
|
||||||
CA> COPY cacert.pem server.pem server.key SRV:
|
|
||||||
DEV> git clone https://github.com/mirage/mirage-skeleton.git
|
|
||||||
DEV> cd mirage-skeleton/tutorial/hello
|
|
||||||
DEV> mirage configure -t hvt
|
|
||||||
DEV> mirage build
|
|
||||||
DEV> mv solo5-hvt /tmp/solo5-hvt.none
|
|
||||||
DEV> cd ../../device-usage/network
|
|
||||||
DEV> mirage configure -t hvt
|
|
||||||
DEV> mirage build
|
|
||||||
DEV> mv solo5-hvt /tmp/solo5-hvt.net
|
|
||||||
DEV> cd ../../..
|
|
||||||
DEV> COPY /tmp/solo5-hvt.none /tmp/solo5-hvt.net SRV:/var/db/albatross
|
|
||||||
DEV> COPY vmm_console vmm_log vmm_stats_lwt vmmd SRV:/opt/bin/
|
|
||||||
```
|
|
||||||
|
|
||||||
```
|
|
||||||
SRV> vmm_console -vv &
|
|
||||||
SRV> vmm_log -vv &
|
|
||||||
SRV> vmm_stats_lwt -vv & #optional
|
|
||||||
SRV# vmmd -vv cacert.pem server.pem server.key
|
|
||||||
```
|
|
||||||
|
|
||||||
Some setup for network interfaces is needed, depending on your operating system.
|
|
||||||
You can also add NAT to allow your virtual machines to talk to the outside
|
|
||||||
world, or add your external interface to the bridge directly, or just keep your
|
|
||||||
VMs local.
|
|
||||||
|
|
||||||
```
|
|
||||||
# FreeBSD
|
|
||||||
SRV# ifconfig bridge create #should output bridge0
|
|
||||||
SRV# ifconfig bridge0 name ext
|
|
||||||
SRV# sysctl net.link.tap.up_on_open=1
|
|
||||||
# Linux
|
|
||||||
SRV# brctl addbr ext
|
|
||||||
```
|
|
||||||
|
|
||||||
At least on FreeBSD, in order to monitor unikernels write permissions to
|
|
||||||
`/dev/vmm/<vm>` are needed. To achieve this (otherwise `vmm_stats` won't be
|
|
||||||
able to collect statistics unless running as a privileged user, the following
|
|
||||||
`devfs` ruleset can be used in `/etc/devfs.rules` (in case you created an
|
|
||||||
`albatross` group):
|
|
||||||
|
|
||||||
```
|
|
||||||
[albatross=10]
|
|
||||||
add path 'vmm/solo5*' mode 0660 group albatross
|
|
||||||
```
|
|
||||||
|
|
||||||
Also need to activate by adding `devfs_system_ruleset="albatross"` to
|
|
||||||
`/etc/rc.conf` and `service devd restart` on the host system.
|
|
||||||
|
|
||||||
## Provision our first virtual machine
|
|
||||||
|
|
||||||
We will delegate some resource to a certificate and key we keep on our
|
|
||||||
development machine.
|
|
||||||
|
|
||||||
```
|
|
||||||
DEV> vmm_req_delegation dev 2 1024 --cpu 1 --bridge ext/10.0.0.2/10.0.0.5/10.0.0.1/24
|
|
||||||
DEV> COPY dev.req CA:
|
|
||||||
```
|
|
||||||
|
|
||||||
This produced two files, dev.req and dev.key. Keep the key in a safe place!
|
|
||||||
|
|
||||||
```
|
|
||||||
CA> vmm_sign ca.db cacert.pem ca.key dev.req [--days 10]
|
|
||||||
CA> COPY dev.pem DEV:
|
|
||||||
```
|
|
||||||
|
|
||||||
Now, our DEV machine can use its delegation certificate for issuing other
|
|
||||||
certificates. We'll create a certificate for interactive use, and one
|
|
||||||
containing the hello unikernel.
|
|
||||||
|
|
||||||
```
|
|
||||||
DEV> vmm_req_permissions admin --permission all
|
|
||||||
DEV> vmm_sign dev.db dev.pem dev.key admin.req
|
|
||||||
```
|
|
||||||
|
|
||||||
This produced in the first step two files, `admin.req` and `admin.key`, and in
|
|
||||||
the second step two more files, `dev.db` and `admin.pem`.
|
|
||||||
|
|
||||||
```
|
|
||||||
DEV> vmm_req_vm hello mirage-skeleton/tutorial/hello/hello.hvt 12 1
|
|
||||||
DEV> vmm_sign dev.db dev.pem dev.key hello.req
|
|
||||||
```
|
|
||||||
|
|
||||||
This generates a private key `hello.key` and a certificate signing request named
|
|
||||||
`hello.req` including the virtual machine image `hello.hvt`, which gets 12MB
|
|
||||||
memory and CPU id 1. The second command used the `dev.key` to sign the signing
|
|
||||||
request and output a `hello.pem`.
|
|
||||||
|
|
||||||
The flag `--force` can be passed to `vmm_req_vm`. This means: if there already
|
|
||||||
exists a running virtual machine with the same name, kill it and start the new
|
|
||||||
one provided in the certificate.
|
|
||||||
|
|
||||||
To actually deploy anything, the server needs the chain (i.e. the vm certificate
|
|
||||||
and the delegation certificate). Our client needs the main CA certificate to
|
|
||||||
authenticate the server itself.
|
|
||||||
|
|
||||||
```
|
|
||||||
CA> COPY cacert.pem DEV:
|
|
||||||
DEV> cat admin.pem dev.pem > admin.bundle
|
|
||||||
DEV> cat hello.pem dev.pem > hello.bundle
|
|
||||||
```
|
|
||||||
|
|
||||||
And deploying (watch the output of the processes started on the server above!):
|
|
||||||
|
|
||||||
```
|
|
||||||
DEV> vmm_client cacert.pem hello.bundle hello.key SRV:1025
|
|
||||||
DEV> vmm_client cacert.pem admin.bundle admin.key SRV:1025 --db dev.db
|
|
||||||
```
|
|
||||||
|
|
||||||
Commands are at the moment `info`, `statistics`, `destroy`, `attach`, `detach`,
|
|
||||||
and `log`.
|
|
||||||
|
|
Loading…
Reference in a new issue