
Some of the information in this document is outdated. Please refer to Using the Virtual CONFINE Testbed for more up-to-date information on the usage of VCT.

The Virtual Confine Testbed

This document describes how to run the Virtual Confine Testbed (VCT) on Debian.

Setup

Container Setup for Isolated Local Environment

Execute the following steps as root on the Debian host system that is going to run the VCT. They create a host-only bridge with NAT and a DHCP server for the container.

Mount Control Group Filesystem
mkdir -p /cgroup 
mount none -t cgroup /cgroup

Add cgroup file system to file /etc/fstab

none /cgroup cgroup defaults 0 0

Remount everything

mount -a
Install Linux Containers (LXC)
aptitude install lxc 
aptitude install bridge-utils libvirt-bin debootstrap

Check LXC configuration

lxc-checkconfig
Install Network Bridge
apt-get install bridge-utils udhcpd

Add the following interface configuration to /etc/network/interfaces. Note what the up commands do to the host as a whole: IP forwarding is enabled for IPv4 and IPv6 and the filter FORWARD policy is set to ACCEPT, and both are marked "not undone" because ifdown does not revert them. The MASQUERADE rule is scoped to whichever interface currently routes to 192.0.2.1 (i.e. the default uplink); if the host has no default route when ifup runs, that lookup produces an empty interface name and the iptables command fails. The DHCP accept rule is bound to $IFACE, which ifupdown sets to vmbr.

iface vmbr inet static 
bridge_ports  none 
address  172.24.42.1 
netmask  255.255.255.0 
up  sysctl net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1  # not undone 
up  iptables -t filter -P FORWARD ACCEPT  # not undone 
up  iptables -t nat -N vmbr-nat 
up  iptables -t nat -I vmbr-nat -o $(ip r g 192.0.2.1|sed -nr 's/.*\bdev (\S*).*/\1/p') -j MASQUERADE 
up  iptables -t nat -I POSTROUTING -j vmbr-nat 
up  iptables -t filter -N vmbr-dhcp 
up  iptables -t filter -I vmbr-dhcp -i $IFACE -p udp -m udp --dport 67 -j ACCEPT 
up  iptables -t filter -I INPUT -j vmbr-dhcp 
up  udhcpd /root/udhcpd,vmbr.conf 
down  kill $(cat /var/run/udhcpd,vmbr.pid) 
down  iptables -t filter -D INPUT -j vmbr-dhcp 
down  iptables -t filter -F vmbr-dhcp 
down  iptables -t filter -X vmbr-dhcp 
down  iptables -t nat -D POSTROUTING -j vmbr-nat 
down  iptables -t nat -F vmbr-nat 
down  iptables -t nat -X vmbr-nat

Create file /root/udhcpd,vmbr.conf with content (no modifications required, file is referenced above)

interface vmbr 
pidfile /var/run/udhcpd,vmbr.pid
start  172.24.42.10 
end 172.24.42.254 
option  subnet  255.255.255.0 
option  router  172.24.42.1 
option  dns  77.109.138.45 77.109.139.29 87.118.85.241
Enable the Interface, NAT and DHCP Server

(Run as root)

ifup vmbr

To stop everything run

ifdown vmbr

If problems occur, flush and delete all iptables chains. Be aware that this wipes every rule on the host, not only the vmbr-nat and vmbr-dhcp chains, and leaves all default policies at ACCEPT; re-apply any host firewall afterwards.

iptables -F 
iptables -X 
iptables -t nat -F 
iptables -t nat -X 
iptables -t mangle -F 
iptables -t mangle -X 
iptables -P INPUT ACCEPT 
iptables -P FORWARD ACCEPT 
iptables -P OUTPUT ACCEPT
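Before resorting to the flush above it is worth checking what the vmbr stanza actually left in the tables. The script below is an added example, not CONFINE project code: it reads `ip route get` and `iptables-save` style text, which here are constructed samples so that it runs offline, and with the argument `live` (as root) it audits the real host. `outbound_iface` reuses the stanza's sed expression but fails when there is no uplink instead of handing iptables an empty interface; `audit_rules` flags an unscoped MASQUERADE, a udp/67 accept rule not bound to vmbr, and the FORWARD policy that ifdown never resets. The script name, function names and sample rule sets are mine.

```sh
#!/bin/sh
# vct-net-audit.sh: audit the NAT and DHCP rules installed by the vmbr stanza.
# Added example, not CONFINE project code. Reads `ip route get` and
# `iptables-save` style text on stdin (constructed samples below), so it runs
# offline; "sh vct-net-audit.sh live" audits the real host as root.

# outbound_iface: pick the uplink from `ip route get` output with the same
# sed expression the stanza uses, but fail loudly when no "dev" token is
# present (no default route) instead of handing iptables an empty -o value.
outbound_iface() {
    iface=$(sed -nr 's/.*\bdev (\S*).*/\1/p' | head -n 1)
    [ -n "$iface" ] || { echo "outbound_iface: no route to 192.0.2.1, no uplink" >&2; return 1; }
    printf '%s\n' "$iface"
}

# audit_rules UPLINK: read iptables-save output on stdin; return 0 when the
# vmbr rules are present and no wider than the stanza needs, 1 otherwise.
audit_rules() {
    want="$1"
    rules=$(cat)
    rc=0
    # MASQUERADE must be scoped to the uplink; an unscoped one rewrites the
    # source of everything leaving the host, including traffic on vmbr.
    if ! printf '%s\n' "$rules" | grep -q -- "^-A vmbr-nat -o $want -j MASQUERADE\$"; then
        echo "FAIL: no MASQUERADE scoped to -o $want in vmbr-nat" >&2; rc=1
    fi
    if printf '%s\n' "$rules" | grep -q -- '^-A vmbr-nat -j MASQUERADE$'; then
        echo "FAIL: unscoped MASQUERADE rule in vmbr-nat" >&2; rc=1
    fi
    # The DHCP server port must only be opened on vmbr itself.
    if ! printf '%s\n' "$rules" | grep -q -- '^-A vmbr-dhcp -i vmbr -p udp -m udp --dport 67 -j ACCEPT$'; then
        echo "FAIL: udp/67 accept rule missing or not bound to -i vmbr" >&2; rc=1
    fi
    # Side effect the stanza marks "not undone": the policy outlives ifdown.
    if printf '%s\n' "$rules" | grep -q -- '^:FORWARD ACCEPT'; then
        echo "WARN: FORWARD policy is ACCEPT; host forwards between all interfaces" >&2
    fi
    return "$rc"
}

# Constructed iptables-save excerpts, not captured from a real host.
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:vmbr-nat - [0:0]
-A POSTROUTING -j vmbr-nat
-A vmbr-nat -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:vmbr-dhcp - [0:0]
-A INPUT -j vmbr-dhcp
-A vmbr-dhcp -i vmbr -p udp -m udp --dport 67 -j ACCEPT
COMMIT'

# The same host after a failed ifup was "repaired" with hand-typed rules.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
:vmbr-nat - [0:0]
-A POSTROUTING -j vmbr-nat
-A vmbr-nat -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:vmbr-dhcp - [0:0]
-A INPUT -j vmbr-dhcp
-A vmbr-dhcp -p udp -m udp --dport 67 -j ACCEPT
COMMIT'

if [ "${1:-}" = live ]; then
    up=$(ip route get 192.0.2.1 | outbound_iface) || exit 1
    iptables-save | audit_rules "$up"
else
    # Constructed `ip route get 192.0.2.1` output.
    up=$(printf '192.0.2.1 via 10.0.0.1 dev eth0 src 10.0.0.5\n' | outbound_iface)
    printf '%s\n' "$SAMPLE_GOOD" | audit_rules "$up" && echo "good sample: no findings"
    printf '%s\n' "$SAMPLE_BAD" | audit_rules "$up" || echo "bad sample: findings listed above"
fi
```

Run it with `live` after `ifup vmbr`: a FAIL line points at a missing or mis-scoped vmbr rule, which is cheaper to fix than wiping every chain on the host, and the WARN reminds you that the permissive FORWARD policy stays behind after `ifdown vmbr`.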
Prepare Virtual CONFINE Testbed (VCT) Container

Download newest container from

https://media.confine-project.eu/vct-container

Unpack (replace container version string)

sudo su 
tar -C /var/lib/lxc --numeric-owner -xJf vct-container,2013061400.tar.xz

Comment out the lxc.aa_profile line in /var/lib/lxc/vct/config (LXC config comments start with #):

# lxc.aa_profile

The container then starts without that AppArmor profile, so it runs with less confinement from the host; do this only on a host you treat as an isolated lab machine.
Start Container

Make sure adapter is up with correct IP address

ifup vmbr

Start the container (without -d, lxc-start keeps the container's console attached to this terminal):

lxc-start -n vct

Log in with

  • User: vct
  • Password: confine

To open an extra console, from another terminal on the host:

lxc-console -n vct

VCT Setup

Install Required Packages

Inside the container, install the build dependencies:

apt-get install git subversion g++ ncurses-dev zlib1g-dev gawk flex unzip bzip2 gettext build-essential libncurses5-dev libncursesw5-dev binutils cpp gcc make psmisc linux-headers-$(uname -r) docbook-to-man

To stop the container, run on the host:

lxc-stop -n vct
Clean and Update Container
cd ~/confine-dist/utils/vct 
./vct_system_cleanup 
sudo rm -rf /var/lib/vct 
cd ~/confine-dist 
git checkout testing 
git pull
Container File Structure

Layout of ~/confine-dist inside the container:

/files        contains config files that will be copied to the OpenWrt image
/openwrt      OpenWrt source, cloned from our Redmine git repository
/packages     contains CONFINE-specific packages for slice/sliver initialization and deployment
/utils        contains some command line utilities for researchers and developers
/utils/vct    contains the VCT itself
/dl           will contain downloaded libraries necessary to compile the SDK
/images       will contain the compiled OpenWrt image itself
Install VCT Dependencies and Initialize
cd ~/confine-dist/utils/vct 
./vct_system_install 
./vct_system_init
Get IP Address and access WebUI from Browser

Inside the container, read the address of eth0 (the container's interface on the vmbr bridge, in the 172.24.42.0/24 range):

ip addr

Open that address in a browser on the host and log in with

  • User: vct
  • Password: vct

Nodes, Slices and Slivers

Create Nodes

In WebUI do:

  • Nodes → Add node → Set Name → Save
  • Node → VM Management → Build Firmware (default settings) → Create VM (LXC)

A "No such file" error at this step can be ignored.

Start / Stop Nodes
./vct_node_start 0001
./vct_node_stop 0001
Get Node Info
./vct_node_info

The rtt value is <sliceID>_<nodeID>

Create Slice

WebUI → Slices → Add Slice

Create Slivers
  • WebUI → Slice → Add Sliver
  • Select Create Public Network Interface (IPv4/IPv6; for SSH)
  • Or create public interface manually in interface configuration section of sliver
Node, Slice and Sliver Setup from Command Line
./vct_node_start fd01-fd03
./vct_node_customize fd01-fd03
./vct_node_ssh fd01
./vct_sliver_allocate 0123456789ab fd01-fd03 debian
./vct_slice_attributes update all
./vct_sliver_deploy 0123456789ab fd01-fd03
./vct_slice_attributes update all
./vct_sliver_start 0123456789ab fd01-fd03
./vct_slice_attributes update all
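The same sequence as an added example script (not part of confine-dist) that validates its inputs and stops at the first failing step, instead of leaving slivers half-deployed when one vct_* call fails. It assumes it is run from ~/confine-dist/utils/vct, where the vct_* scripts live, and that slice IDs are 12 lowercase hex digits and node IDs 4 hex digits, an assumption taken from the IDs used above; with VCT_DRY_RUN=1 it prints the plan instead of executing it. The script and function names are mine.

```sh
#!/bin/sh
# vct-slice-deploy.sh: run the node -> allocate -> deploy -> start sequence
# as one checked procedure. Added example, not part of confine-dist. Assumes
# it runs from ~/confine-dist/utils/vct (where the vct_* scripts live);
# the ID formats below are assumed from the IDs used in the text.

# run CMD...: execute one step, or only print it when VCT_DRY_RUN=1. A
# failing step aborts the sequence instead of leaving slivers half-deployed.
run() {
    if [ "${VCT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@" || { echo "step failed: $*" >&2; return 1; }
    fi
}

# check_slice_id ID: assumed format, 12 lowercase hex digits (0123456789ab).
check_slice_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{12}$'
}

# check_nodes NODES: one node id (fd01) or an inclusive range (fd01-fd03),
# 4 hex digits each (assumed format); a range must not run backwards.
check_nodes() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{4}(-[0-9a-f]{4})?$' || return 1
    case "$1" in
        *-*) lo=${1%-*}; hi=${1#*-}
             [ "$((0x$lo))" -le "$((0x$hi))" ] ;;
    esac
}

# deploy_slice SLICE NODES [TEMPLATE]: the documented order, refreshing the
# slice attributes after each phase as the text does.
deploy_slice() {
    slice="$1"; nodes="$2"; tmpl="${3:-debian}"
    check_slice_id "$slice" || { echo "bad slice id: $slice" >&2; return 1; }
    check_nodes "$nodes"    || { echo "bad node spec: $nodes" >&2; return 1; }
    run ./vct_node_start "$nodes" &&
    run ./vct_node_customize "$nodes" &&
    run ./vct_sliver_allocate "$slice" "$nodes" "$tmpl" &&
    run ./vct_slice_attributes update all &&
    run ./vct_sliver_deploy "$slice" "$nodes" &&
    run ./vct_slice_attributes update all &&
    run ./vct_sliver_start "$slice" "$nodes" &&
    run ./vct_slice_attributes update all
}

# Stand-alone: print the plan for the IDs used in the text.
VCT_DRY_RUN=1 deploy_slice 0123456789ab fd01-fd03 debian
```

The ID checks run before anything touches the testbed, so a typo in the slice ID is reported immediately rather than surfacing as a confusing failure halfway through the attribute update.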

Sliver hostname is equal to sliverID

Node State
  • WebUI → Debug → Safe → Production; Failure (a node must be in PRODUCTION to host slivers)
  • Nodes have to be started manually from the console (vct_node_start)
  • WebUI → Sliver
    • alloc → deploy → start (a sliver must be in START to autostart)
Get Slice Info
./vct_slice_info 
./vct_slice_attributes show
SSH Sliver

Get the public sliver IP from the Sliver State screen (AJAX), then connect with the VCT key:

ssh -i /var/lib/vct/keys/id_rsa root@PUBLIC_SLIVER_IP

Login

  • User: root
  • Password: root

This is a default password shared by every sliver; it is tolerable while vmbr stays a host-only bridge behind the host's NAT, but change it (or rely on the key alone) before exposing a sliver beyond the VCT host.

If the host key changes (for example after a sliver is redeployed), ssh refuses to connect. Remove only the stale line for that IP from /home/vct/.ssh/known_hosts, or delete the whole file, which also discards every other host key the vct user has verified:

rm /home/vct/.ssh/known_hosts

Open Multiple Terminals to Access Testbed

lxc-list
lxc-console -n vct
bestpractice/experiences-confidentiality-vct.txt · Last modified: 2014/07/18 16:08 by ivilata