by pan » Thu Sep 09, 2021 7:00 am
from tomas too: [quote]Re: Different hypervisor/virtualization software is used for at home use and in ECS 360 lab implementation of PicoLab - why?
KVM is native to Ubuntu, whereas MacOS doesn't support it and has its own hypervisor implementation.
Multipass was used for the at-home PicoLab setup because it abstracts from a specific hypervisor across platforms (mac/linux, but windows with complications).
This is not necessary on the lab machines as we know exactly what OS they are running and multipass would be an unnecessary added layer of abstraction.
So, there is no need to mention Multipass in the context of the ECS 360 lab implementation of PicoLab.
In both cases, there are two layers of virtualization where the first one is a fully fledged (KVM or other) virtual machine running Ubuntu with Docker installed in it.
Inside that VM, the Docker container (lightweight virtualization for isolation and speed of startup) has the four PicoNet namespaces ...
custom namespaces h1, h2, r and the default (unnamed) namespace.
(run 'ip netns list' and 'ip netns id' in each terminal - perhaps use sudo with the commands in terminal 4)
Most significantly, in each of the four namespaces, any programs/processes running there 'see' the different network devices and configuration as configured by the PicoNet scripts.
(e.g. run 'ip a' in each terminal).
Re: Is terminal 4 “jovyan” inside the container run by Docker, or outside it but still inside the VM?
As explained above, the 4th terminal shell is not configured for any custom namespace and is the PicoNet Docker container's default namespace with the network interface directly assigned to the container by Docker. In contrast, h1, h2 and r namespaces and their interfaces were created solely by the PicoNet scripts. So, that terminal provides access to the 'machine' (container) that 'hosts' the three custom namespaces. In that sense, we have a third layer of virtualization (or abstraction, at least) for network only. And h1, h2, r are the individual custom 'machines' and terminal 4 shows the 'hosting' machine for them.
For example, iptables is set up for NAT in the default network namespace, and not in the other namespaces. (try 'iptables-save' in each terminal, use sudo in 4)
Re: At terminal 4 “jovyan”, it reads and writes to the picolab file server. How about the three namespaces (h1, h2 and r)? By default, where do they write to?
The namespaces are configured only for networking and all of the four containers are using the same storage (namespace).
(run 'df -h' in all terminals with the same result)
One significant difference in terminal 4 is that the shell is run as a regular (unprivileged) user named jovyan, while h1, h2 and r are run as the all-privileged 'root' user. So, files created in the 'root' shells will be owned by 'root', while files created by 'jovyan' in terminal 4 will be owned by that user. The 'sudo' mechanism is used here to allow 'jovyan' to run commands as root in the default namespace of the container.
File ownership - differs in terminal 4, because it runs as a different user:
files created as 'root' in h1,h2,r terminals may not be readable or deletable by 'jovyan' in terminal 4 because they are owned by 'root'.
Either change the ownership to match jovyan's files in one of the root terminals, or use one of the root shells to manipulate the 'root'-owned files directly.
Permanent/ephemeral storage:
The /home/jovyan directory is owned by 'jovyan' and (on the lab machine implementation) is backed by a Docker volume, which in turn points at a directory on our department NAS (network-attached storage) (run 'df -h' in any terminal). Thus, anything stored there is permanent and will be there next PicoLab run on any machine in the lab. For security reasons (we give root access in PicoLab!) that storage is independent of the regular department home directory mounted on the lab workstation.
Anything stored outside of that directory is saved in the container and is not permanent between sessions - a fresh container is used every time you start PicoLab.
Downloads from PicoLab on the lab workstations:
Temporary files, such as captures, can be created in the /tmp directory and then copied in terminal 4 to /home/jovyan for download to the lab workstation to be examined by Wireshark. On the lab machines, such a download typically ends up in the ~/Downloads directory in your department home directory (aka H:\ drive in the Windows labs).[/quote]
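As an added example (not part of tomas's post and not PicoLab/PicoNet code), here is a small POSIX shell helper file that lets you verify the three points the post makes: which network namespace a given terminal's shell is in (what 'ip netns id' tells you), that NAT rules exist only in the container's default namespace (what comparing 'iptables-save' across terminals shows), and which files under /home/jovyan were created by a root shell and so may not be readable or deletable by jovyan. It assumes Linux with iproute2 and iptables, the PicoNet namespace names h1, h2 and r, and that the NAT report is run with root privileges (sudo in terminal 4); the file name picolab_check.sh and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not PicoLab/PicoNet code): helpers for checking the three
# things the post describes. Assumes Linux, iproute2, iptables; namespace
# names h1, h2, r are the PicoNet ones. Function names are this example's own.

# Inode of the network namespace that PID (default: the caller) lives in.
# Two processes share a network namespace iff they print the same value.
# Unprivileged: only /proc is read, so it works in terminal 4 without sudo.
netns_inode() {
    readlink "/proc/${1:-self}/ns/net" | sed 's/^net:\[\([0-9]*\)\]$/\1/'
}

# Name under which 'ip netns' knows the namespace of PID, or "(default)".
# 'ip netns identify' does the same comparison of nsfs inodes against the
# bind mounts in /run/netns; doing it by hand avoids needing root for it.
netns_name() {
    want=$(netns_inode "${1:-self}")
    for d in /run/netns /var/run/netns; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -e "$f" ] || continue
            ino=$(stat -L -c %i "$f" 2>/dev/null) || continue
            if [ "$ino" = "$want" ]; then basename "$f"; return 0; fi
        done
    done
    echo "(default)"
}

# Number of NAT rules in one namespace ("default" or a named one). The post
# says NAT is set up only in the container's default namespace, so h1/h2/r
# should report 0 while "default" reports the NAT rules. Needs root (sudo).
nat_rule_count() {
    if [ "$1" = default ]; then
        n=$(iptables-save -t nat 2>/dev/null | grep -c '^-A') || n=0
    else
        n=$(ip netns exec "$1" iptables-save -t nat 2>/dev/null | grep -c '^-A') || n=0
    fi
    echo "$n"
}

nat_report() {
    for ns in default h1 h2 r; do
        printf '%-8s NAT rules: %s\n' "$ns" "$(nat_rule_count "$ns")"
    done
}

# Files under DIR (default: the caller's home) not owned by the calling user.
# From the jovyan shell these are the files created in a root terminal that
# jovyan may not be able to read or delete; fix them from a root shell with
# 'chown jovyan <file>', as the post suggests.
foreign_owned() {
    find "${1:-$HOME}" ! -user "$(id -un)" 2>/dev/null
}

# Usage: sh picolab_check.sh report   (prefix with sudo for the NAT counts)
if [ "${1:-}" = report ]; then
    echo "this shell: netns inode $(netns_inode), name $(netns_name)"
    nat_report
    echo "files not owned by $(id -un) under ${HOME}:"
    foreign_owned
fi
```

Run 'sh picolab_check.sh report' in each of the four terminals: h1, h2 and r print their own namespace name and inode, terminal 4 prints "(default)" with a different inode, and only the run from terminal 4 under sudo shows a non-zero NAT rule count for "default". The last section, run in terminal 4, lists exactly the files the post warns about.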