Make it possible to use sysctl in the configuration file about kathara HOT 11 CLOSED

@lorenzo93 if I'm not mistaken, lstart options are indirectly mapped to vstart parameters. For this reason I'd suggest a single word with no symbols.

If an option is the only way to achieve this result.

from kathara.

Hi @ejeandel,

You can add sysctl parameters in a single machine even without modifications in the Kathara source.
If you put them in the <machine_name>.startup file they will be executed inside the machine. To make this work you need to start your lab with the --privileged parameter that starts the container in privileged mode (allowing you to change the kernel parameters).

The only drawback in doing so is that with the privileged flag it is easy to exploit privilege excalation attacks on Docker so it is required to run lstart --privileged as root, to ensure you are an administrator so that you'll not do damage to the host machine.

In addiction, if you need to change a parameter in all the machines in a lab (or more generally if you need to run a command in all the lab machines) you can create a shared.startup file in your lab folder. That file will be executed like the <machine_name>.startup but on all lab machines, instead on just the machine_name machine.

If you have further questions don't hesitate, we are very happy that other universities are using our tool! :)

from kathara.

Hi,

We were using Netkit for some time at our university too and are enthousiast to use much leaner Kathara. However, when trying to set ipv6 forwarding I get the same error as described above.
I've put the sysctl command in startup file.
However, running kathara lstart in privileged mode doesn't help as when I do it the xterms in my lab are not opening anymore.
I've got the following warning on my screen:

WARNING - Running devices with privileged capabilities, terminals won't open!

I didn't have the problem in the "previous" kathara, the one in which I just could use plain Netkit commands.
Do you have any tips how to solve this?
Thanks a lot in advance.

from kathara.

Hi,

we've disabled the terminal opening on privilege mode due to a problem with Wayland (an X.org alternative).
The devices went correctly up and running, that warning is just to remember this behaviour.
You can still access the devices with the kathara connect command (man page.

Let me know if you still have problems :)

from kathara.

I'm not a big fan of using the privileged mode, tbh, especially when it is not technically necessary. I'm of the opinion that opening a subset of the sysctl to the public (notably the whole .net subspace should be safe) seems a better solution, especially as docker makes it possible.

from kathara.

Hi,

I do agree with @ejeandel concerning opening a subset of sysctl. If you want to experiment with networks, you should be able to change .net subspace easily. Also, we'd like to use Kathara for teaching (as we used Netkit) and here is ease of use also very important. If I have a lab with 6 nodes and then I have first start all of them in privileged mode and then connect to the one that I need to interact with Kathara connect, it's not going to be really easy in use... It's pity, as I really liked Kathara for its performance but also for the fact that it was pretty easy to extend image with the necessary functionality via docker (as opposed to netkit).

from kathara.

Hi @ejeandel and @rfrenken,
and thanks for the issue.

For me, it is not clear what is the right idea to solve this problem.
There are three solutions:

1. Put a setting into the kathara.json file. As example:

{
   "sysctls": {
     "net.ipv4.tcp_sack": 0,
     // other `net.` stuff here
   }
}

Of course, the setting is applied on each Kathara device started.
2. Put an option for the machine in the lab.conf file. As example:

pc1[0]="A"
pc1[sysctl]="net.ipv4.tcp_sack=0"

This gives the flexibility to choose on which device the sysctl is applied. This can be "boring" if you need to set a sysctl to all devices.
3. Leave it as it is and put the sysctls command in the .startup file and start the lab with --privileged flag. However, terminals don't open with this flag and this can be tricky when you want to interact with all of them.

Of course, solutions 1 and 2 require to check if the sysctl command starts with net.. In number 2 it is also required that an = sign is in the string.

Please tell me which option you prefer and why, so we can decide what's best for everyone :)

Thanks!

from kathara.

I much prefer something that can be done per machine (or per lab) rather than for all labs, ie solution 2.

from kathara.

I like the second solution (via configuration file) more, as it gives more flexibility.

from kathara.

Okay then.

@ejeandel can you open a pull request to implement the support for sysctl in the lab.conf file?

Thanks!

from kathara.

Hi,
As a friendly reminder, this feature has been included in the latest Kathara release (v2.2.2).

from kathara.