Node / research device (RD) management

Obtaining the RD image

There are two ways to obtain an RD image: either build it from the testing branch of the Git sources according to the instructions in the wiki, or download the latest (or a recent) precompiled binary image for the desired architecture here (use the testing branch).

Installing the image to the RD

The image may be written directly to the permanent memory of the RD (e.g. using gunzip -c CONFINE-owrt-current.img.gz | dd of=/dev/sdX bs=1M) or it may be installed using a USB installer (see instructions).

To flash confine-dist ext4 images from inside the RD via the management network, sysupgrade may be used (this is an example for Community-Lab):

# cd /tmp
# wget http://[fdf5:5351:1dfd::2]/media/firmwares/openwrt-x86-generic-combined-ext4-barebones_01-atom.img.gz
# sysupgrade -n /tmp/openwrt-x86-generic-combined-ext4-barebones_01-atom.img.gz

Node Config

The following config and key files are required to set testbed, server, and node specific attributes:

  • /etc/config/confine (see example below)
  • /etc/tinc/confine/tinc.conf
  • /etc/tinc/confine/hosts/server (there might be several and should be reflected in tinc.conf)
  • /etc/tinc/confine/hosts/default
  • /etc/tinc/confine/rsa_key.priv
  • /etc/tinc/confine/ (optional)
  • /etc/tinc/confine/hosts/node_<NODE_ID> (NODE_ID as a decimal value)
  • /etc/dropbear/dropbear_rsa_host_key (optional)
  • /etc/uhttpd.crt.pem
  • /etc/uhttpd.key.pem
  • /etc/confine/registry-server.crt

Typically, CONFINE config templates are hardcoded into the image that is deployed in a testbed. In the following, this config file is described with an example from the deployment at


config 'testbed' 'testbed'
        option 'mgmt_ipv6_prefix48' 'fdf5:5351:1dfd'             # First 48 bits for IPv6 management address calculation

config registry 'registry'
        option cert '/etc/confine/registry-server.crt'
        option base_uri 'https://[fd65:fc41:c50f::2]/api/'

config node 'node'
        option id 'd012'                                         # NODE_ID of this RD. MUST be a 4-digit hexadecimal lowercase value!
        option mac_prefix16 '54:c0'                              # First 16 bits to be used for sliver MAC address creation
        option priv_ipv4_prefix24 '192.168.241'                  # First 24 bits for IPv4 internal/recovery address calculation
        option local_ifname 'eth0'                               # Interface to be linked into local bridge
        option public_ipv4_avail '12'                            # Amount of available IP addresses for slivers
        option rd_public_ipv4_proto 'dhcp'                       # Protocol used for the RD to obtain a CN IPv4 from the CD (currently only dhcp supported)
        option sl_public_ipv4_proto 'dhcp'                       # Protocol used for slivers to obtain a CN IPv4 from the CD (currently only dhcp supported)
        option rd_if_iso_parents 'eth1 eth2'                     # Interfaces that can be used for isolated sliver traffic
        option disk_dflt_per_sliver '1000'                       # Optional default disk space in MB per sliver
        option disk_max_per_sliver '2000'                        # Optional maximum disk space in MB per sliver
        option state 'unprepared'                                # Change this to 'prepared' and call: /etc/init.d/confine-{configure|start} start
                                                                 # This field MUST only be changed manually to the state 'prepared'
                                                                 # The following CNS node.states exist: unprepared (disabled), prepared, applied, started, error
        option interval '60'                                     # Optional pull interval in seconds to server
        option base_path '/confine/api'                          # Optional alternative base-path for node RestAPI
        option logfile '/var/log/confine.log'                    # Optional path to alternative logfile
        option start_daemon '1'                                  # Enable to auto start RestAPI daemon (default enabled)
        option chron_daemon '0'                                  # Enable to restart RestAPI daemon by cron job if crashed (default disabled)
        option sync_node_admins '1'                              # Optional to let CNS continuously synchronize ssh authorized keys (default enabled)
        option tinc_gateway 'server'                             # Primary tinc gateway to connect to (default server)
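
A pre-flight check for the settings and key files listed above, as an added example that is not part of the CONFINE code base: it validates the formats the config comments require and flags private key files that group or others can access. The function names, the acceptance of either letter case in mac_prefix16, and reading the values with uci -q get are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pre-flight checks for /etc/config/confine.
LC_ALL=C; export LC_ALL    # keep [a-f] ranges ASCII-only

valid_node_id() {          # exactly four lowercase hex digits, e.g. d012
    case "$1" in [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) return 0 ;; *) return 1 ;; esac
}

valid_mac_prefix16() {     # two hex octets, e.g. 54:c0 (either letter case: assumption)
    case "$1" in [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]) return 0 ;; *) return 1 ;; esac
}

valid_ipv4_prefix24() {    # three dotted decimal octets, e.g. 192.168.241
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_state() {            # node states listed in the config comments
    case "$1" in unprepared|prepared|applied|started|error) return 0 ;; *) return 1 ;; esac
}

key_is_private() {         # regular file with no group/other permission bits
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_node_values() {      # args: id mac_prefix16 priv_ipv4_prefix24 state
    rc=0
    valid_node_id "$1"       || { echo "node.id '$1': need 4 lowercase hex digits"; rc=1; }
    valid_mac_prefix16 "$2"  || { echo "node.mac_prefix16 '$2': need xx:xx"; rc=1; }
    valid_ipv4_prefix24 "$3" || { echo "node.priv_ipv4_prefix24 '$3': need a.b.c"; rc=1; }
    valid_state "$4"         || { echo "node.state '$4': unknown state"; rc=1; }
    return $rc
}

# On a node (skipped where uci is not installed):
if command -v uci >/dev/null 2>&1; then
    check_node_values "$(uci -q get confine.node.id)" "$(uci -q get confine.node.mac_prefix16)" \
        "$(uci -q get confine.node.priv_ipv4_prefix24)" "$(uci -q get confine.node.state)"
    for key in /etc/tinc/confine/rsa_key.priv /etc/uhttpd.key.pem; do
        key_is_private "$key" || echo "$key: missing or accessible to group/others"
    done
fi
```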

Recovering a node from FAILURE

To get a node out of the FAILURE set state, manual intervention is needed. Please run the following commands as root on the RD:

# uci set confine.node.state=prepared
# uci commit confine
# /etc/init.d/confine-start start

Daemon execution and command line options

/usr/lib/lua/confine/confine.lua --help
usage: /usr/lib/lua/confine/confine.lua
              [--count=<max iterations>]
              [--interval=<seconds per iteration>]
              [--retry==<max failure retries>]
              [--logfile=<path to logfile>

Relevant system files

Relevant status, log, and debug files

  • /var/run/confine/system_state: the CONFINE system config used by last iteration
  • /var/run/confine/server_state: the CONFINE server state pulled during last iteration
  • /var/run/confine/node_state: the resulting node state, as the outcome of processing the system and server during last iteration
  • /var/run/confine/pid: the process id of the currently running CONFINE daemon
  • /var/log/confine.log: a logfile reporting actions of recent pull iteration
  • /tmp/confine/index.html: Base REST API content
  • /tmp/confine/node/index.html: Node's REST API content
  • /tmp/confine/slivers/: Node's slivers REST API content
  • /tmp/confine/templates/: Node's templates REST API content

Experiment preparation

Experiments are executed in virtualized environments (technically LXC containers, slivers in CONFINE terminology) hosted by nodes (research devices) as specified for each slice.

The template specified for a slice/sliver provides a link (image_uri) to the base sliver (LXC container) system. For example, the following two image URIs provide Debian or OpenWrt-based environments:

A researcher simply selects one of the offered template images when creating the slice/sliver via the controller portal.

In addition, a researcher may provide a link (exp_data_uri) to an experiment data archive file that is extracted on top of its sliver root file system. Two examples of such experiment data archives are given for Debian and OpenWrt-based slivers respectively:

The contained directory structure is rather simple and can be further dissected by reviewing the contained tgz.

The OpenWrt-based experimentation archive is discussed further here:

The archive should provide at least an init script and links to start the related init function in the corresponding OS format. For example for OpenWrt this may be:

  • ./etc/rc.d/S94confine-experiment (which is a link to ../init.d/confine-experiment)
  • ./etc/init.d/confine-experiment
    • start() function
    • stop() function

WARNING: SLIVER_DESCRIPTION data is NOT available natively in the Bare bones version. Instead, additional services or tools may be used to retrieve slice and sliver information, for example by browsing the REST API provided by the hosting RD (via the private interface) and the controller (via the management interface). For example, using:

  * wget -O-  http://[fdbd:e804:6aa9::1]/confine/api/ # using RD's private IPv6 address (always like this)
  * wget -O-  http://[fdbd:e804:6aa9::1]/confine/api/node
  * wget -O-  http://[fd65:fc41:c50f::2]/api/slivers/ # using the mgmt_ipv6_prefix obtained via the RD's REST API (first wget example)

The output comes in JSON syntax and should look like:

root@00000000000a_0001:~# wget -O-  http://[fdbd:e804:6aa9::1]/confine/api/
--2013-05-08 09:39:35--  http://[fdbd:e804:6aa9::1]/confine/api/
Connecting to fdbd:e804:6aa9::1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 589 [text/html]
Saving to: `STDOUT'

 0% [                                                                                                                    ] 0           --.-K/s              {
    "confine_params": {
        "debug_ipv6_prefix": "fd5f:eee5:e6ad::/48",
        "priv_ipv6_prefix": "fdbd:e804:6aa9::/48"
    },
    "node_uri": "http://[fd65:fc41:c50f:1::2]/confine/api/node",
    "slivers_uri": "http://[fd65:fc41:c50f:1::2]/confine/api/slivers",
    "templates_uri": "http://[fd65:fc41:c50f:1::2]/confine/api/templates",
    "testbed_params": {
        "mgmt_ipv6_prefix": "fd65:fc41:c50f::/48",
        "priv_ipv4_prefix_dflt": "",
        "sliver_mac_prefix_dflt": "0x54c0"
    },
    "uri": "http://[fd65:fc41:c50f:1::2]/confine/api/"
}
100%[===================================================================================================================>] 589         --.-K/s   in 0s      

2013-05-08 09:39:35 (22.6 MB/s) - written to stdout [589/589]
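
The step from the first wget call to the third one, as an added example that is not part of the original page or the CONFINE code: it extracts mgmt_ipv6_prefix from the node's response and builds the controller's slivers URI, rejecting any value that is not a plain three-group /48 prefix, since the response arrives over unauthenticated HTTP. The function names and the constructed sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): node API response -> controller slivers URI.
LC_ALL=C; export LC_ALL    # keep [a-f] ranges ASCII-only

# Constructed sample: the relevant part of the response shown above.
SAMPLE_JSON='{
    "testbed_params": {
        "mgmt_ipv6_prefix": "fd65:fc41:c50f::/48",
        "priv_ipv4_prefix_dflt": "",
        "sliver_mac_prefix_dflt": "0x54c0"
    },
    "uri": "http://[fd65:fc41:c50f:1::2]/confine/api/"
}'

# stdin: JSON from /confine/api/ ; stdout: value of mgmt_ipv6_prefix (first match)
mgmt_prefix() {
    sed -n 's/.*"mgmt_ipv6_prefix"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# arg: prefix such as fd65:fc41:c50f::/48 ; stdout: slivers URI on the <prefix>::2 host
controller_slivers_uri() {
    groups=${1%::/48}
    [ "$groups" != "$1" ] || return 1            # must end in ::/48
    case "$groups" in ''|*[!0-9a-f:]*|*::*|:*|*:) return 1 ;; esac
    old_ifs=$IFS; IFS=:; set -- $groups; IFS=$old_ifs
    [ $# -eq 3 ] || return 1                     # a /48 is three 16-bit groups
    for g in "$@"; do
        [ "${#g}" -le 4 ] || return 1            # at most four hex digits per group
    done
    printf 'http://[%s::2]/api/slivers/\n' "$groups"
}

# Inside a sliver, feed the live response instead of the sample:
#   wget -q -O- 'http://[fdbd:e804:6aa9::1]/confine/api/' | mgmt_prefix
```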

The remainder of this Section is outdated and should be fixed:

During the lifetime of the sliver, all slice attributes could be
accessed either in uci format or as bash environment variables:
  * /root/confine/uci/confine-slice-attributes
  * /root/confine/bash/confine-slice-attributes (not supported yet)

The SLIVER_DESCRIPTION field exp_data_url defines the URL of the experimentation archive.
A simple hello world example is given by the following URL:

This example experiment simply pings the public IP of all other slivers of its slice and stores measured round trip times in the directory /root/confine/data/ .
It consists of two files:
  * ./etc/rc.d/S94confine-experiment (which is a link to ../init.d/confine-experiment)
  * ./etc/init.d/confine-experiment

The file ./etc/init.d/confine-experiment starts the experiment:

#!/bin/sh /etc/rc.common


# Probe one peer until a route is available, then log the ping round trips.
start_ping() {
    local IP=$1
    local PING_MAX=100
    local INIT_MAX=40
    local CNT=0
    local DATA=/root/confine/data/ping-$$-$IP.log
    echo "logging data to $DATA"

    date > "$DATA"
    echo "First probing for $INIT_MAX seconds for valid route to $IP ..." >> "$DATA"
    while [ $CNT -le $INIT_MAX ] ; do
        ping -c 1 -W 2 -w 2 "$IP" >> "$DATA" 2>&1 && break
        CNT=$(( $CNT + 1 ))
        sleep 1
    done

    date >> "$DATA"
    echo "Now sending $PING_MAX ping requests to $IP ..." >> "$DATA"
    ping -c $PING_MAX "$IP" >> "$DATA" 2>&1
}

start() {
    # IPv4 address (netmask stripped) of every if01 interface in the slice attributes
    local IPS="$( uci show -c /root/confine/uci confine-slice-attributes | grep if01_ipv4= | awk -F'=' '{print $2}' | awk -F'/' '{print $1}' )"
    local IP=
    for IP in $IPS; do
        start_ping $IP &
    done
}

stop() {
    killall ping
}
Sliver deployment procedure

Miscellaneous management and debug tools


  • Community Container


soft/node-system-bare-bones.txt · Last modified: 2015/05/22 11:55 by ivilata