soft:confine-dist-overview

Objectives

  • fully support current node-architecture design (CD and CC option)
  • support parallel experiments, given a fixed number of network interfaces (even just one)
  • achieve virtualisation with limited trade-offs for researchers
  • stable distro (compiles without errors, executes without crashes, …)
  • easy to update tools without dependency issues (rather than waiting for the next release)

Why OpenWrt trunk

  • backporting from trunk to stable is difficult too
  • Updated Linux kernel (for LXC support)
  • Trunk in confine-dist is quite stable
  • the eGlibc version shipped with Backfire is old and difficult to use (many compilation failures)

(uClibc: too limited for tools like lxc, libcap, openVSwitch / glibc: too big)

  • kernel 3.2.9 (needed for lxc-attach, cgroup management and per-container CPU accounting)
  • OpenWRT will announce the next release soon (?)
  • Open for new hardware architectures
  • More hardware support (MIPS compilation not fully tested)

Enabled features

  • kernel 3.2.9
  • eGlibc
  • compatibility with most WiFi cards, USB devices, etc. (so it can be used on most devices)

Developed features

  • lxc (including lxc-attach,…)
  • debian in openwrt
  • openVSwitch (currently used only as a bridge replacement)
  • VCT (Virtual Confine Testbed) environment

Desired features

To be discussed

Development infrastructure

    1. confine-dist (branches: master, testing, …)
    2. openwrt (branches: trunk, testing, …)
    3. packages (branches: master, testing, …)
    4. confine binary opkg repository (TBD)
  • SDK for confine-dist (confine-dist project)
    1. GNU Make based
    2. All you need to do is: “make”
    3. Easy to modify, easy to commit changes
  • SDK directory structure
    1. configs/: Confine-specific OpenWRT and kernel config files
    2. dl/: Downloaded files
    3. files/: Files copied into the root filesystem of the image
    4. images/: Output images to install on devices
    5. openwrt/: Source tree of OpenWRT (frozen openwrt trunk)
    6. packages/: Confine and frozen OpenWRT package directories
    7. utils/: Some useful tools

Testing and discussion

  • GitHub Wiki/Issues
  • Mailing List
  • Wiki

Confine config files

  • confine-dist: /etc/uci-defaults
    1. network.sh
    2. disable-bridge-module.sh
    3. disable-firewall.sh
  • confine-research-devices: /etc/config/
    1. confine
    2. lxc
    3. network

Confine HW requirements and recommendations

  • mac80211-compatible (preferably ath9k-compatible)
  • x86 (future: Atheros MIPS)

Open Design & Implementation Questions

  • openVSwitch (next steps beyond bridge replacement)
    1. layer 2 experimentation architecture
    2. traffic shaping
    3. providing virtual links via an overlay network
  • wireless interface issues:
    1. an interface in a non-AP mode cannot be added to a bridge
    2. difficult to emulate (VCT)
  • from the network isolation requirements:
    1. real-time traffic filtering/anonymisation on passive interfaces
    2. distributed rate limiting
  • firewall
    1. hard to manage
    2. OpenWRT default has a very limited scope (SNAT not supported, for instance)

Dissemination of configs/updates

  • configuration syntax (uci, json, xml, …?)
  • transport protocol
    1. Requirements: robust, delay-tolerant, …
    2. Centralised (each node directly contacting the server)
    3. Decentralised (updates spread among nodes)
    4. Candidates: xmpp, something like the bmx6 sms plugin, …
  • confine node manager daemon
    1. control: sliver life-cycles, network access/isolation, sliver isolation (CPU limits)
    2. language: bash, lua or python?
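The UCI syntax listed above as a candidate configuration format, and the restriction noted under "wireless interface issues" (a non-AP wireless interface cannot sit in a bridge), in one added Python example. This is not confine-dist code: the two config files are constructed for the example, and the network/SSID names in them are assumptions. It parses `/etc/config/network` and `/etc/config/wireless` style text, writes it back out, and reports every `wifi-iface` whose mode is not `ap` but whose `network` option points at a bridge interface, which is the check a node manager would want to run before applying a pushed config.

```python
"""Minimal UCI reader/writer plus a check that no non-AP wifi-iface is attached
to a bridge. Added example, not confine-dist code; sample configs are constructed."""
import shlex
from collections import OrderedDict


class UciSection:
    """One 'config <type> [name]' block with its option and list entries."""

    def __init__(self, stype, name=None):
        self.type = stype                 # e.g. 'interface', 'wifi-iface'
        self.name = name                  # None for anonymous sections
        self.options = OrderedDict()      # option key -> value
        self.lists = OrderedDict()        # list key -> [values]


def parse_uci(text):
    """Parse UCI text: 'config <type> [name]', 'option k v', 'list k v'."""
    sections, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # handles '...' and "..." quoting
        if not tokens:
            continue
        kw = tokens[0]
        if kw == 'config' and len(tokens) in (2, 3):
            current = UciSection(tokens[1], tokens[2] if len(tokens) == 3 else None)
            sections.append(current)
        elif kw in ('option', 'list') and len(tokens) == 3 and current is not None:
            if kw == 'option':
                current.options[tokens[1]] = tokens[2]
            else:
                current.lists.setdefault(tokens[1], []).append(tokens[2])
        else:
            raise ValueError('malformed UCI line: %r' % raw)
    return sections


def _quote(value):
    if "'" in value:
        raise ValueError("single quote not allowed in UCI value: %r" % value)
    return "'%s'" % value


def dump_uci(sections):
    """Serialise sections back to UCI text (single-quoted values)."""
    out = []
    for s in sections:
        head = 'config %s' % s.type
        out.append(head + (" '%s'" % s.name if s.name else ''))
        for k, v in s.options.items():
            out.append('\toption %s %s' % (k, _quote(v)))
        for k, vals in s.lists.items():
            out.extend('\tlist %s %s' % (k, _quote(v)) for v in vals)
        out.append('')
    return '\n'.join(out)


def bridged_non_ap_wifi(network_text, wireless_text):
    """Return [(ref, mode, bridge)] for every wifi-iface whose mode is not
    'ap' (OpenWrt's default) but whose 'network' names a bridge interface."""
    bridges = {s.name for s in parse_uci(network_text)
               if s.type == 'interface' and s.options.get('type') == 'bridge'}
    offenders, idx = [], 0
    for s in parse_uci(wireless_text):
        if s.type != 'wifi-iface':
            continue
        mode = s.options.get('mode', 'ap')
        for net in s.options.get('network', '').split():  # may list several networks
            if mode != 'ap' and net in bridges:
                offenders.append(('@wifi-iface[%d]' % idx, mode, net))
        idx += 1
    return offenders


# Constructed sample configs (names and addresses are assumptions).
NETWORK = """
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
    list dns '10.0.0.254'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
"""

WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '36'
    option hwmode '11a'

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'confine-ap'
    option encryption 'none'

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'adhoc'
    option ssid 'confine-mesh'
    option encryption 'none'
"""

if __name__ == '__main__':
    for ref, mode, net in bridged_non_ap_wifi(NETWORK, WIRELESS):
        print('%s is in %s mode but attached to bridge %s' % (ref, mode, net))
```

On the constructed input the adhoc interface (`@wifi-iface[1]`) is reported; the AP interface on the same bridge passes. The serialiser refuses values containing a single quote rather than emitting text that `uci` would parse differently.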

Hands On Session

  1. Real HW CD, RD (pau
  2. VCT (confine network in a suitcase)
soft/confine-dist-overview.txt · Last modified: 2013/04/11 10:47 by santiago