strongSwan

= Dynamic Uml Mesh Modeler =

''Dumm'' is a framework to set up a virtual network using user mode linux guests.

It cleverly glues together some nice technologies to build networks dynamically.

To change the network topology, hosts are not required to reboot, changes apply

instantly and configuration can be done on the host (no network connection

required to change anything).

== Status ==

''Dumm'' is currently highly experimental and [source:trunk/src/dumm incomplete]. A prototype is running 

and a proof of concept has shown that it works.

Along with the ''dumm'' library, a graphical GTK client is in developement to interactively set

up and reconfigure UML networks. The UML network of the old UML framework can be simulated with another tool.

The graphical client is incomplete. It is missing:

  * Removal of added switches

  * Disconnecting guests from switches

  * Scenario management

The framework itself is also missing some features:

  * Configuring addresses/routes in guests through hosts

  * Invoke commands on guests without ssh

  * Scenario scripting

== Why UML? ==

UML is a senior in vitualization technologies, and there is a lot of new

hyped stuff about virtualization around. However, UML is lightweight, easy to

set up and allows dynamic reconfiguration (e.g. add/remove interfaces at

runtime), allows access to the hosts filesystem through hostfs and has some

other neat features.

Performance is not critical for our needs, and maybe we get hardware

virtualization support soon in UML.

It is free and fits perfectly.

== Requirements ==

  * Host:

    * Kernel:

      * A recent 2.6 kernel

      * [http://www.user-mode-linux.org/~blaisorblade/patches/skas3-2.6/ SKAS3 patch] recommended

      * [http://fuse.sourceforge.net/ FUSE] enabled

      * support for TAP devices

    * Userland:

      * [source:trunk/src/libstrongswan libstrongswan]

      * libbridge from [http://linux-net.osdl.org/index.php/Bridge bridge-utils]

      * GTK+2 with developement headers

      * Gnome !VteTerminal with developement headers

  * Guest:

    * Kernel:

      * hostfs

      * tuntap networking

      * mcast networking

    * Userland:

      * none

== Architecture ==

=== Working set ===

Dumm needs a directory to store all its files, guest configurations and other

stuff. Inside that working directory, you'll find:

{{{

workingdir/      - root folder containing a set of hosts and scenarios

  guests/        - contains all created guests

    alice/       - subdirectory for host "alice"

      alice/     - UML created folder (named umid) containing UML runtime files

      mem        - memory configuration file (contains amount of guest memory in MB)

      linux      - symlinked UML kernel this host uses

      master/    - symlinked master root file system for this host

      diff/      - copy-on-write overlay to master this host uses

      union/     - mounted unified filesystem (master + diff + optional scenario)

    bob/

      ...        - same stuff as in alice

  scenarios/     - contains all scenarios

    test1/       - a scenario folder

      diff/      - copy-on-write overlays for each guest's union folder

        alice/   - COW for alice

        bob/     - COW for bob

      config     - network configuration file

}}}

=== Networking ===

Network connectivity is realized through tap devices. When creating a ''eth0''

network device on ''alice'', a ''alice-eth0'' tap device appears on the host. These

are directly connected, when ''alice'' sends traffic to ''eth0'', it appears on the

host at ''alice-eth0''. You can see that as a small network segment (or just a

cable), where these interfaces are attached directly.

To build larger network segments, linux bridging on the host comes into play.

Segments are created by creating a bridge (as with brctl), and then attaching

our tap devices to that bridge. Routing can be done on a UML guest, or even on

the host.

This setup has some advantages over the ''uml_switch'' solution. Bridging works

more reliable in the kernel, and as we see every network interface on the host,

we can sniff at every interface to get some clue what the guests are doing.

== Howto ==

In this mini-howto, we build and boot a minimalistic debian guest on a ubuntu host.

We do everything as root here to simplify things!

=== Host setup ===

  * install required packages:

{{{

aptitude install libfuse-dev libgtk2.0-dev libvte-dev

}}}

  * install libbridge:

{{{

git clone git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git

cd bridge-utils

autoconf

./configure

cd libbridge

make

make install

}}}

  * Build and install strongSwan from SVN sources.

{{{

svn co www.strongswan.org/ikev2/trunk strongswan

cd strongswan

less HACKING

./autogen

./configure --enable-dumm [other options]

make

make install

}}}

  * Ubuntu kernels almost fit our needs, they have FUSE and TAP device support. However, 

    SKAS3 mode is missing. Build your own kernel based on the 

    [https://wiki.ubuntu.com/KernelCustomBuild Ubuntu Howto], patched with the

    [http://www.user-mode-linux.org/~blaisorblade/patches/skas3-2.6/ SKAS3 patch]. SKAS3 is

    not required, but guests run much faster with SKAS3 enabled on the host.

=== Guest master filesystem setup ===

  * create a clean directory and a directory for our master filesystem in it:

{{{

mkdir umldir

cd umldir

mkdir master

}}}

  * bootstrap a debian sid system into master:

{{{

debootstrap sid master http://mirror.switch.ch/ftp/pub/debian/

}}}

  * enter chroot

{{{

chroot master

}}}

  * enable login on tty0

{{{

echo "0:2345:respawn:/sbin/getty 38400 tty0" >> /etc/inittab

echo "tty0" >> /etc/securetty

}}}

  * Enable main repository

{{{

echo deb http://mirror.switch.ch/ftp/pub/debian sid main contrib > /etc/apt/sources.list

aptitude update

}}}

  * Install proper locales support

{{{

aptitude install locales

dpkg-reconfigure locales

}}}

  * Install some packages for strongSwan

{{{

aptitude install libgmp3c2 libsqlite3-0 libcurl3 dropbear gdb binutils

}}}

  * leave chroot

{{{

exit

}}}

  * build a vanilla UML kernel (using [http://trac.strongswan.org/attachment/wiki/DynamicUmlMeshModeler/.config my config]):

{{{

wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.22.1.tar.bz2

tar jxvf linux-2.6.22.1.tar.bz2

cd linux-2.6.22.1

make mrproper

wget http://trac.strongswan.org/attachment/wiki/DynamicUmlMeshModeler/.config?format=raw -O .config

ARCH=um make menuconfig

ARCH=um make

}}}

=== Start a network ===

You'll have to run the tools as root. Make sure you have a DISPLAY set, e.g. by starting it under ''sudo''.

  * Invoke the graphical client

{{{

sudo ipsec dumm

}}}

Add guests, select our master filesystem and the compiled kernel. Add a bridges and connect your guests to it.

Start your guests and configure them. 

  * The default strongSwan UML scenario is created by running

{{{

sudo ipsec testing

}}}

== Installing strongSwan on guests ==

As we have full access to the master filesystem on the host, we can build strongSwan on the host and install it to the guests

{{{

cd path/to/strongswan/

DESTDIR=/full/path/to/master make install

}}}