Some of the information in this document is outdated. Please refer to Using the Virtual CONFINE Testbed for more up-to-date information on the usage of VCT.

The Virtual Confine Testbed

This document describes how to run the Virtual Confine Testbed (VCT) on Debian.


Container Setup for Isolated Local Environment

Execute the following steps on the Debian host system that will run the VCT.

Mount Control Group Filesystem

mkdir -p /cgroup
mount none -t cgroup /cgroup

Add cgroup file system to file /etc/fstab

none /cgroup cgroup defaults 0 0

Remount everything

mount -a

Install Linux Containers (LXC)

aptitude install lxc
aptitude install bridge-utils libvirt-bin debootstrap

Check LXC configuration

Install Network Bridge

apt-get install bridge-utils udhcpd

Add interface configuration to file /etc/network/interfaces

iface vmbr inet static 
bridge_ports  none 
up  sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1  # not undone 
up  iptables -t filter -P FORWARD ACCEPT  # not undone 
up  iptables -t nat -N vmbr-nat 
up  iptables -t nat -I vmbr-nat -o $(ip r g|sed -nr 's/.*\bdev (\S*).*/\1/p') -j MASQUERADE 
up  iptables -t nat -I POSTROUTING -j vmbr-nat 
up  iptables -t filter -N vmbr-dhcp 
up  iptables -t filter -I vmbr-dhcp -i $IFACE -p udp -m udp --dport 67 -j ACCEPT 
up  iptables -t filter -I INPUT -j vmbr-dhcp 
up  udhcpd /root/udhcpd,vmbr.conf 
down  kill $(cat /var/run/udhcpd, 
down  iptables -t filter -D INPUT -j vmbr-dhcp 
down  iptables -t filter -F vmbr-dhcp 
down  iptables -t filter -X vmbr-dhcp 
down  iptables -t nat -D POSTROUTING -j vmbr-nat 
down  iptables -t nat -F vmbr-nat 
down  iptables -t nat -X vmbr-nat

Create file /root/udhcpd,vmbr.conf with content (no modifications required, file is referenced above)

interface vmbr 
option  subnet 
option  router 
option  dns

Enable the Interface, NAT and DHCP Server

(Run as root)

ifup vmbr

To stop everything run

ifdown vmbr

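Delete iptables chains if problems occur. These commands flush every rule and user-defined chain in the filter, nat and mangle tables on the host, not only the vmbr chains, and set the INPUT policy to ACCEPT.

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT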
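
Added example, not part of the original page: the vmbr stanza marks two of its `up` actions as "not undone" and the flush above clears whole tables, so this script reads `iptables-save` text on stdin, reports what the stanza has left in place, and prints only the scoped teardown commands that the `down` lines use. The sample ruleset and the eth0 uplink name are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Reads `iptables-save` text on stdin.

# Print one finding per line as "TABLE KIND DETAIL" for everything the vmbr
# stanza adds: its two chains, the jumps into them, and the FORWARD policy.
vmbr_findings() {
  awk '
    /^\*/ { table = substr($0, 2); next }            # table header: *nat, *filter
    /^:vmbr-(nat|dhcp) / { print table, "chain", substr($1, 2); next }
    /^:FORWARD ACCEPT / && table == "filter" { print table, "policy", "FORWARD=ACCEPT"; next }
    /^-A / {
      for (i = 3; i < NF; i++)
        if ($i == "-j" && $(i + 1) ~ /^vmbr-(nat|dhcp)$/)
          print table, "jump", $2 ">" $(i + 1)
    }'
}

# Turn the findings into the scoped teardown the "down" lines perform (-D the
# jump, then -F and -X the chain). Commands are printed, never executed.
vmbr_teardown_cmds() {
  vmbr_findings | awk '
    $2 == "jump"  { split($3, p, ">"); jumps[++nj] = "iptables -t " $1 " -D " p[1] " -j " p[2] }
    $2 == "chain" { chains[++nc] = "iptables -t " $1 " -F " $3 "\niptables -t " $1 " -X " $3 }
    END {
      for (i = 1; i <= nj; i++) print jumps[i]
      for (i = 1; i <= nc; i++) print chains[i]
    }'
}

# Constructed sample: ruleset while vmbr is up (uplink name eth0 is an assumption).
SAMPLE_UP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:vmbr-nat - [0:0]
-A POSTROUTING -j vmbr-nat
-A vmbr-nat -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:vmbr-dhcp - [0:0]
-A INPUT -j vmbr-dhcp
-A vmbr-dhcp -i vmbr -p udp -m udp --dport 67 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_UP" | vmbr_teardown_cmds
```

On a live host, run `iptables-save | vmbr_findings` as root after `ifdown vmbr`; `sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding` shows the two forwarding switches that the stanza also leaves enabled.
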
Prepare Virtual CONFINE Testbed (VCT) Container

Download newest container from

Unpack (replace container version string)

sudo su 
tar -C /var/lib/lxc --numeric-owner -xJf vct-container,2013061400.tar.xz

Comment out the following line in file /var/lib/lxc/vct/config

# lxc.aa_profile

Start Container

Make sure adapter is up with correct IP address

ifup vmbr

Start container

  • User: vct
  • Password: confine

lxc-start -n vct

Open extra console

lxc-console -n vct

VCT Setup

Install Required Packages

apt-get install git subversion g++ ncurses-dev zlib1g-dev gawk flex unzip bzip2 gettext build-essential libncurses5-dev libncursesw5-dev binutils cpp gcc make psmisc linux-headers-$(uname -r) docbook-to-man

To stop container

lxc-stop -n vct

Clean and Update Container

cd ~/confine-dist/utils/vct
sudo rm -rf /var/lib/vct
cd ~/confine-dist
git checkout testing
git pull

Container File Structure

/files             contains config files that will be copied to the OpenWrt image
/openwrt           OpenWrt source, cloned from our Redmine git repository
/packages          contains CONFINE-specific packages related to slices/slivers initialization and deployment
/utils             contains some cmd line utilities for researchers and developers
/utils/vct         contains the VCT itself
/dl                will contain downloaded libraries necessary to compile the SDK
/images            will contain the compiled OpenWrt image itself

Install VCT Dependencies and Initialize

cd ~/confine-dist/utils/vct

Get IP Address and access WebUI from Browser

ip addr

Interface is eth0

  • User: vct
  • Password: vct

Nodes, Slices and Slivers

Create Nodes

In WebUI do:

  • Nodes → Add node → Set Name → Save
  • Node → VM Management → Build Firmware (default settings) → Create VM (LXC)

A "No such file" error at this point is OK.

Start / Stop Nodes

./vct_node_start 0001
./vct_node_stop 0001

Get Node Info

The rtt value is <sliceID>_<nodeID>

Create Slice

WebUI → Slices → Add Slice

Create Slivers

  • WebUI → Slice → Add Sliver
  • Select Create Public Network Interface (IPv4/IPv6; for SSH)
  • Or create public interface manually in interface configuration section of sliver

Node, Slice and Sliver Setup from Command Line

./vct_node_start fd01-fd03
./vct_node_customize fd01-fd03
./vct_node_ssh fd01
./vct_sliver_allocate 0123456789ab fd01-fd03 debian
./vct_slice_attributes update all
./vct_sliver_deploy 0123456789ab fd01-fd03
./vct_slice_attributes update all
./vct_sliver_start 0123456789ab fd01-fd03
./vct_slice_attributes update all

Sliver hostname is equal to sliverID

Node State

  • WebUI → Debug → Safe → Production; Failure (must be PRODUCTION to host Slivers)
  • Nodes have to be started manually from console
  • WebUI → Sliver
    • alloc → deploy → start (must be START to autostart)

Get Slice Info

./vct_slice_attributes show

SSH Sliver

Get the public sliver IP from the Sliver State screen (AJAX)

ssh -i /var/lib/vct/keys/id_rsa root@PUBLIC_SLIVER_IP


  • User: root
  • Password: root

If the host key changes, remove the old host key or delete the file

rm /home/vct/.ssh/known_hosts

Open Multiple Terminals to Access Testbed

lxc-console -n vct
bestpractice/experiences-confidentiality-vct.txt · Last modified: 2014/07/18 16:08 by ivilata