Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'andrew/update-icos-readmes' into 'master'
Update IC-OS documentation This readme includes a lot of deleting, reorganizing, and editing. The main changes are: - Remove duplication in hostOS/setupOS readmes (and delete outdated or unnecessary documentation in both) - Move common documentation to the IC-OS readme - Creation of a top-level docs folder along with the following docs: Services, Network-Configuration, Rootfs, SELinux. See merge request dfinity-lab/public/ic!11521
- Loading branch information
Showing
15 changed files
with
448 additions
and
779 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
= Network Configuration | ||
|
||
== Basic network information | ||
|
||
Network configuration details for each IC-OS: | ||
|
||
* SetupOS | ||
** Basic network connectivity is checked via pinging nns.ic0.app and the default gateway. Virtually no network traffic goes through SetupOS. | ||
* HostOS | ||
** The br6 bridge network interface is set up and passed to the GuestOS VM through qemu (refer to hostos/rootfs/opt/ic/share/guestos.xml.template). | ||
* GuestOS | ||
** An internet connection is received via the br6 bridge interface from qemu. | ||
|
||
== Deterministic MAC Address | ||
|
||
Each IC-OS node must have a unique but deterministic MAC address. To solve this, a schema has been devised. | ||
|
||
=== Schema | ||
|
||
* *The first 8-bits:* | ||
** IPv4 interfaces: 4a | ||
** IPv6 interfaces: 6a | ||
|
||
* *The second 8-bits:* | ||
** We reserve the following hexadecimal numbers for each IC-OS: | ||
*** SetupOS: 0f | ||
*** HostOS: 00 | ||
*** GuestOS: 01 | ||
*** Boundary-GuestOS: 02 | ||
|
||
** Note: any additional virtual machine on the same physical machine gets the next higher hexadecimal number. | ||
|
||
* *The remaining 32-bits:* | ||
** Deterministically generated | ||
|
||
=== Example MAC addresses | ||
|
||
* SetupOS: `{4a,6a}:0f:<deterministically-generated-part>` | ||
* HostOS: `{4a,6a}:00:<deterministically-generated-part>` | ||
* GuestOS: `{4a,6a}:01:<deterministically-generated-part>` | ||
* BoundaryOS: `{4a,6a}:02:<deterministically-generated-part>` | ||
* Next Virtual Machine: `{4a,6a}:03:<deterministically-generated-part>` | ||
|
||
Note that the MAC address is expected to be lower-case and to contain colons between the octets. | ||
|
||
=== Deterministically Generated Part | ||
|
||
The deterministically generated part is generated using the following inputs: | ||
|
||
1. IPMI MAC address (the MAC address of the BMC) | ||
a. Obtained via `$ ipmitool lan print | grep 'MAC Address'`` | ||
2. Deployment name | ||
a. Ex: `mainnet` | ||
|
||
The concatenation of the IPMI MAC address and deployment name is hashed: | ||
|
||
$ sha256sum "<IPMI MAC ADDRESS><DEPLOYMENT NAME>" | ||
# Example: | ||
$ sha256sum "3c:ec:ef:6b:37:99mainnet" | ||
|
||
The first 32-bits of the sha256 checksum are then used as the deterministically generated part of the MAC address. | ||
|
||
# Checksum | ||
f409d72aa8c98ea40a82ea5a0a437798a67d36e587b2cc49f9dabf2de1cedeeb | ||
|
||
# Deterministically Generated Part | ||
f409d72a | ||
|
||
==== Deployment name | ||
|
||
The deployment name is added to the MAC address generation to further increase its uniqueness. The deployment name *mainnet* is reserved for production. Testnets must use other names to avoid any chance of a MAC address collision in the same data center. | ||
|
||
The deployment name is retrieved from the +deployment.json+ configuration file, generated as part of the SetupOS: | ||
|
||
{ | ||
"deployment": { | ||
"name": "mainnet" | ||
} | ||
} | ||
|
||
== IPv6 Address | ||
|
||
The IP address can be derived from the MAC address and vice versa: As every virtual machine ends in the same MAC address, the IPv6 address of each node on the same physical machine can be derived, including the hypervisor itself. | ||
In other words, the prefix of the EUI-64 formatted IPv6 SLAAC address is swapped to get to the IPv6 address of the next node. | ||
|
||
When the corresponding IPv6 address is assigned, the IEEE’s 64-bit Extended Unique Identifier (EUI-64) format is followed. In this convention, the interface’s unique 48-bit MAC address is reformatted to match the EUI-64 specifications. | ||
|
||
The network part (i.e. +ipv6_prefix+) of the IPv6 address is retrieved from the +config.json+ configuration file. The host part is the EUI-64 formatted address. | ||
|
||
== Active backup | ||
|
||
[NOTE] | ||
This feature is currently under development. See ticket https://dfinity.atlassian.net/browse/NODE-869#[NODE-869]. | ||
|
||
In order to simplify the physical cabling of the machine, Linux's active-backup bonding technique is utilized. This operating mode also improves redundancy when more than one 10-gigabit ethernet network interface is connected to the switch. A node operator can decide to either just use one or all of the 10GbE network interfaces in the bond. The handling of the uplink and connectivity is taken care of by the Linux operating system. | ||
|
||
Details can be found in: | ||
|
||
ic/ic-os/setupos/rootfs/opt/ic/bin/generate-network-config.sh | ||
|
||
Note that this mode does not increase the bandwidth/throughput. Only one link will be active at the same time. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
= IC-OC docs | ||
|
||
Refer to detailed documentation on: | ||
|
||
* link:Services{outfilesuffix}[Services] | ||
* link:Network-Configuration{outfilesuffix}[Network-Configuration] | ||
* link:Rootfs{outfilesuffix}[Rootfs] | ||
* link:SELinux{outfilesuffix}[SELinux security policy] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
== SELinux | ||
|
||
SELinux is currently configured to run in enforcing mode for the sandbox and in permissive mode for the rest of the replica (Note: Technically, SELinux is running in enforcing mode, but only the sandbox has a written-out policy. Most other domains are marked as "permissive"). | ||
|
||
This means that the SELinux policy is enforced only for the sandbox, and just used to monitor and log access requests on the rest of the replica. | ||
This approach allows us to secure the sandbox while observing how SELinux would behave under enforcing mode on the rest of the replica without actually denying access. | ||
|
||
To develop a robust SELinux policy, we need to understand all the actions a service may require and include the necessary permissions in the policy. | ||
Over time, we will continue refining the SELinux policy until no services violate it. | ||
Once achieved, we will run the entire replica in enforcing mode. | ||
|
||
== Technical details | ||
|
||
The system will (eventually) run SELinux in enforcing mode for security. This | ||
requires that all system objects including all files on filesystems are | ||
labelled appropriately. The "usual" way of setting up such a system is | ||
to run it in "permissive" mode first on top of an (SELinux-less) base | ||
install, however this would not work for our cases as we never want the | ||
system to be in anything else than "enforcing" mode (similarly as for | ||
embedded systems in general). | ||
|
||
Instead, SELinux is installed using docker into the target system, but | ||
without applying any file labels (which would not be possible in docker | ||
anyways). The labelling is then applied when extracting the docker image | ||
into a regular filesystem image, with labels applied as per | ||
+/etc/selinux/default/contexts/files/file_contexts+ in the file system | ||
tree. | ||
|
||
Since the system has never run, some files that would have "usually" been | ||
created do not exist yet and are not labelled -- to account for this, | ||
a small number of additional permissions not foreseen in the reference | ||
policy are required -- this is contained in module +fixes.te+ and set | ||
up as part of the +prep.sh+ script called in docker. |
Oops, something went wrong.