overlay2 for Docker within an unprivileged LXC container

For my Jenkins installation I use a Docker agent inside an LXC container. I want this container to be unprivileged, so that the host is somewhat protected from misconfiguration (not deliberate attacks). The default setup works fine, but after a bit of experimenting, I noticed that I was soon running out of disk space. The reason turned out to be that Docker had fallen back to using the vfs storage backend instead of overlay2, which basically creates a full copy for every layer and every running container.

# docker info | grep Storage
 Storage Driver: vfs

Further investigation showed that this was because the container was unprivileged. Short experiments with making the container privileged also yielded issues with cgroup management of the outer Docker container on the host. So what was the reason for the issues? It seems that the ID mapping / shifting of the user IDs prevented the overlay2 driver from working.

Therefore I decided to try to mount a host directory as a “device” into the container’s /var/lib/docker. But with the shift=true option this fails again, since the underlying filesystem is then shiftfs and not plain ext4 (see the list of supported filesystems for the various storage drivers). So a solution without “shift” is required.

Shifting UIDs is done with a fixed offset per container, in my case 1,000,000. You need to figure this out for your system, but it is likely the same. So by creating the external storage directory with this ID as owner and then mounting it inside the container without shifting, things start working.

export CONTAINER_NAME=mycontainer
export DOCKER_STORAGE_DIRECTORY=/mnt/pool/mycontainer/var-lib-docker

mkdir -p "$DOCKER_STORAGE_DIRECTORY"
chown 1000000:1000000 "$DOCKER_STORAGE_DIRECTORY"

lxc config device add "$CONTAINER_NAME" var-lib-docker disk source="$DOCKER_STORAGE_DIRECTORY" path=/var/lib/docker

# important, security.nesting is required for nested containers to work!
lxc config set "$CONTAINER_NAME" security.nesting=true

After this, docker info | grep Storage finally showed what I wanted:

# docker info | grep Storage
 Storage Driver: overlay2
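As an added example (not part of the original post), the following script derives the offset from the host’s /etc/subuid and /etc/subgid instead of hard-coding 1,000,000, and checks that the storage directory really is owned by that ID before it is handed to the container. It assumes the default LXD setup, where the container’s idmap is taken from root’s entries in those files, and works on constructed sample files so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the original post: derive the UID/GID offset that
# LXD uses for an unprivileged container from the host's /etc/subuid and
# /etc/subgid, then verify the external Docker storage directory is owned
# by exactly that ID before handing it to the container without shifting.
# Assumes the default LXD setup, where the container's idmap comes from
# root's entries in /etc/subuid and /etc/subgid on the host.

# sub_id_offset FILE USER: print the first subordinate ID of USER in FILE.
# Entries look like "root:1000000:1000000000" (user:start:count).
sub_id_offset() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# check_storage_owner DIR UID GID: return 0 only if DIR is owned by UID:GID.
# A mismatch means files show up as nobody/nogroup inside the container
# and dockerd does not get a usable /var/lib/docker.
check_storage_owner() {
    [ "$(stat -c '%u:%g' "$1")" = "$2:$3" ]
}

# Constructed sample files and directory so the script runs stand-alone.
tmp=$(mktemp -d)
printf 'root:1000000:1000000000\nbuilder:165536:65536\n' > "$tmp/subuid"
printf 'root:1000000:1000000000\n' > "$tmp/subgid"
mkdir "$tmp/var-lib-docker"

uid=$(sub_id_offset "$tmp/subuid" root)
gid=$(sub_id_offset "$tmp/subgid" root)
echo "unprivileged container root maps to host $uid:$gid"
# On a real host this would be:
#   chown "$uid:$gid" "$DOCKER_STORAGE_DIRECTORY"
#   check_storage_owner "$DOCKER_STORAGE_DIRECTORY" "$uid" "$gid" || exit 1
# (LXD also records the base in the container's volatile.idmap.base key.)
rm -rf "$tmp"
```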

HOWTO: Fully encrypted vServer with Ubuntu 12.04

Update 2022-05-16: Today I learned that there are two official tutorials by Hetzner for Ubuntu 20.04. You might want to follow them instead:


In this blog post I am going to demonstrate how to easily set up a fully encrypted virtual server at Hetzner. This setup will work for most other vServer operators as well, but some adjustments may be required. The prerequisite is that you are able to access the console of the server while booting, as you need to be able to enter the passphrase. You also need to be able to boot into some sort of “Rescue System” for the setup. This is not an in-place setup. In Hetzner’s “Robot” this is pretty easy.

One thing to consider regarding security: fully encrypting a vServer might seem… senseless, as the host operator can easily copy the whole memory of the VM while running and extract the key this way. True. There is no way around this fact. My reason for wanting a fully encrypted system is more of the way that I want to be sure that the data is encrypted on the storage system. I want to protect from being unable to ever fully wipe the persistent data from disk in case I cancel the VM, the VM gets moved to a new host, or a failed disk is sent in to the manufacturer. For me, this is a compromise I can accept. YMMV.

You can also try this HOWTO under VirtualBox with the System Rescue CD ISO images. Actually, that’s where I verified all steps are working.

So, let’s dive into the fun of the HOWTO. BEWARE! THIS TUTORIAL WILL WIPE ALL DATA ON YOUR VSERVER! I TAKE NO RESPONSIBILITY IF YOU LOSE DATA!  IT MIGHT ALSO NOT WORK FOR YOU. USE THIS AT YOUR OWN RISK!

The following steps will partition the disk, set up LVM and LUKS, install Ubuntu 12.04 and prepare the system for reboot. Most parts can be copied line by line. Please beware that there are some parts in this tutorial that need to be adjusted: UUIDs of partitions, hostname, username, and most importantly: the network setup.

Continue reading “HOWTO: Fully encrypted vServer with Ubuntu 12.04”

Fix two Ubuntu 10.04 window manager annoyances

When upgrading to Ubuntu 10.04 I noticed two annoyances (which actually are just a matter of personal taste):

  • The OSX-like positioning of the close, minimize and maximize buttons on the left instead of the right of the window.
  • The fade-out (invisibility) of other windows when using Alt-Tab for tabbing through the available windows on the current desktop.

As I tend to forget and need to Google every time I encounter a newly setup 10.04 system, I now jot down the settings to change.

For changing the window buttons:

  1. Start gconf-editor.
  2. Find /apps/metacity/general/button_layout.
  3. Change its value to menu:minimize,maximize,close.

For changing the opacity of inactive windows during Alt+Tab window switching:

  1. Start gconf-editor.
  2. Find /apps/compiz/plugins/staticswitcher/screen0/options/opacity.
  3. Change it to any value you like, where 100 is fully visible and 0 is totally invisible.

OCZ Vertex2, Linux, and ancient nForce 430 chipset

Today I finally received my brand-new OCZ Vertex2 OCZSSD2-2VTXE120G 120GB and eagerly wanted to install it in my 4-year-old HP workstation, which currently runs Ubuntu 10.10 exclusively.

After setting up the alignment according to some tutorials I found online, I started the setup process. Shortly after starting the copy step of the installation, the whole process came to a grinding halt with filesystem errors. Looking into the kernel debug messages it seemed like SATA commands were causing errors. After checking hardware, cables and switching SATA ports, I began researching the issue and soon found that the issue might be fixed in the next firmware version of the drive. So I wanted to upgrade from 1.23 to 1.24, which could only be done in Windows…

After installing a trial of Windows 7, I finally wanted to upgrade the firmware, but the drive was not detected by the update tool, although it was accessible. The release notes indicated that I would need to switch to AHCI mode. After several attempts, including a BIOS update, I realized that there was no way to do this with my old hardware, as my nForce 430 chipset simply doesn’t support it.

So my only remaining option was to simply try the kernel arguments that I had read were the fix for firmware 1.24, but with the drive still on firmware 1.23.

So, if you add the following kernel option during installation and afterwards for every boot, the disk seems to work quite well (source):

libata.force=norst

Actually, this forces the ATA driver in Linux to not issue any reset commands on the bus. I really don’t understand why this improves/fixes the problem, but it seems the device has issues when being reset on my chipset. I can also notice this: in 2 out of 3 attempts, if I reboot the PC the disk is not recognized any more until I reboot again.
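To keep the option in place for every boot without editing the GRUB configuration by hand, here is an added shell helper (not from the original post) that appends a kernel parameter to GRUB_CMDLINE_LINUX_DEFAULT exactly once. The /etc/default/grub layout and the final update-grub step are assumptions about a stock Ubuntu install; the script itself runs on a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the original post: make a kernel parameter such as
# libata.force=norst survive reboots by adding it, exactly once, to
# GRUB_CMDLINE_LINUX_DEFAULT in a file laid out like Ubuntu's
# /etc/default/grub. The file path and the final update-grub call are
# assumptions about a stock Ubuntu install; adjust them for other setups.

# add_kernel_param FILE PARAM: append PARAM to GRUB_CMDLINE_LINUX_DEFAULT
# in FILE unless that exact token is already there; prints the result line.
add_kernel_param() {
    file="$1"; param="$2"
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        awk -F'"' -v p="$param" '
            $1 == "GRUB_CMDLINE_LINUX_DEFAULT=" {
                val = $2
                # Token-wise check so "norst" does not match "norst2" etc.
                if (index(" " val " ", " " p " ") == 0)
                    val = (val == "" ? p : val " " p)
                print $1 "\"" val "\""
                next
            }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$param" >> "$file"
    fi
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"
}

# Constructed sample config so the script runs stand-alone.
cfg=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$cfg"
add_kernel_param "$cfg" libata.force=norst
add_kernel_param "$cfg" libata.force=norst   # second call changes nothing
rm -f "$cfg"
# On the real system: add_kernel_param /etc/default/grub libata.force=norst
# followed by: sudo update-grub
```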

Despite these issues, the SSD now runs with astonishing performance with the suggested 32 head / 32 sector alignment and a 512kB partition alignment scheme. After an initial TRIM with hdparm's wiper.sh I enabled -o discard for my ext4 partition and could also verify using hdparm that this results in the sectors being trimmed. Please note that you need to manually compile and install the latest hdparm version on Ubuntu 10.10, as the included version fails with the very long free block list and doesn’t handle splitting the sectors into multiple requests. The latest version doesn’t have this issue any more.

Nice to know – Volume 2

udev renames your network interfaces

Sometimes udev renames your devices. This happened to me when upgrading a server: eth0 suddenly became eth1 and vice versa. Of course, this broke nearly all firewall scripts on the server… There is a nice explanation of how to get udev to name your devices the way you want.

Visual Studio 2005 Service Pack 1 on Microsoft Windows Server 2003

When installing Visual Studio Service Pack 1 under Windows Server 2003, it might fail because it cannot verify the signature. You should take time and visit the link provided in the error message, because it will take you to a hotfix that will correct the problem.

(via Mark Caroll’s Blog)

VMWare Server on Ubuntu 8.04

A nice tutorial for getting free VMWare Server 1.0.5 running on Ubuntu 8.04.

Nice to know – Volume 1

As I definitely should post more on my blog, I now try to start a new series: “Nice to know”. It will be a collection of interesting things I consider memorable but which don’t deserve their own blog-post.

Trickle

Trickle allows you to limit bandwidth for processes that do not support bandwidth limitation out of the box. It works by preloading a library that simulates the socket API. You use it as a wrapper when starting the process, like trickle -d 80 someapp.

You can use it to limit rsync speed, for instance (thanks to http://www.yak.net/fqa/404.html): rsync -auvPe "trickle -d 80 ssh" user@host:/src/ /dst/

VMWare Tools and Kernel 2.6.24

VMWare Tools out of the box do not install on kernel 2.6.24 (as used in Ubuntu 8.04 for instance). A possible solution is described here. It is based on using the open-source version of the VMWare tools (open-vm-tools).

TrueCrypt 5 is out!

After quite some time, a new version of my favorite encryption tool is out: the TrueCrypt developers have released version 5 of their product, introducing a new killer feature (among others): System Volume Encryption with pre-boot authentication (only Windows 2000/XP/Vista). This means that TrueCrypt will encrypt everything on your system drive, including the page and hibernation file, finally making hibernation a safe and easy possibility.

I am going to look into this next week, as I need my notebook on Saturday (just in case anything goes wrong).

Update 2007-02-08: As my first commenter below points out, it seems hibernation is disabled by TrueCrypt while having your system partition encrypted. I don’t really understand why at the moment, but I will investigate further. For me this is a primary show-stopper, as this was the long-awaited functionality I was waiting for.

Nitpickers Corner¹: Of course I am aware why encryption and hibernation in general are no-goes together, but I don’t understand why this is an issue when full-system encryption is enabled.

Update 2007-02-08 (again): Ok, in this TrueCrypt forum thread they explain why they cannot support it at the moment: Windows treats the hibernation file differently, it seems to bypass the TrueCrypt driver and therefore would still write keys to disk without encryption. Ok, still get to wait for my dream feature then, but I still refuse to buy PGP 🙂 Thanks to the developers for their great work anyhow!

¹ a tribute to Raymond Chen 🙂


Waiting for WLAN and UMTS for OpenMoko

I am currently thinking a lot about the OpenMoko project. Unfortunately OpenMoko at the moment provides hardware which is limited to GPRS, Bluetooth, and/or USB 1.0 for connectivity. In autumn there should be the next generation which should include a WLAN (and maybe even UMTS?) support. It will be called Neo 1973 – GTA02.

Together with the Austrian operator one’s “H.U.I. Starter” rate (250MB @ UMTS, reduction to 56kBit/s above that, 10€/month) this would be a nice package. However, if I could have UMTS, well, that would be better. Personally, WLAN is even more important for me: I could use it in the office or at home, where I have WLAN access available, and fall back to GPRS while being “on the road”.

For me this means: standby for autumn, because I can’t afford to invest US-$300 now and another US-$450 in a couple of months. Still, I am really, really interested in OpenMoko (and normally I wouldn’t invest that amount of money into a hobby of mine). Which means I am standing by and waiting for news from the OpenMoko community…

In the meantime, if you understand German, you could listen to this very interesting Chaosradio Express Podcast.

On YouTube there are some very interesting videos about the Neo 1973.

OpenMoko – the Open Mobile Phone

This is cool! If you want to have a mobile phone based on Linux and pure open-source software, OpenMoko might be the right thing for you! I’m not so much into mobile development, but I find this almost more appealing than the iPhone, which at the moment is a very closed platform. If I find some time for a hobby like this, this US-$300 would be a nice investment. I hope this becomes a success to reward the company and the idea of explicitly inviting hackers/developers (both software & hardware) to improve a phone. A nice contrast to the usual anti-reverse-engineering and “hacking” philosophy most companies go along with.

Edit 2007-07-18: I accidentally misspelled OpenMoko as OpenMonko in the initial release, both in the title and in the text. I corrected this and the URL of the article to reflect the real name of the project: OpenMoko.

Ubuntu 7.04 cryptsetup problem

I am using cryptsetup LUKS for storing encrypted office data on my USB memory stick (just in case I lose it). I recently installed Ubuntu 7.04 on one of my machines and wanted to open the encrypted partition using cryptsetup luksOpen, which failed with a rather strange error:

Unable to make device node for ‘temporary-cryptsetup-32733’

While searching around the net I found a lot of people asking the same question but hardly any answer, until I finally read this article on the Ubuntu forum.

The solution to the whole problem is rather simple:

sudo mkdir /dev/.static/dev/mapper

With a slightly more verbose error message from cryptsetup I might have figured this out myself…