Skip to content

Commit

Permalink
Updated docs for Ubuntu Eoan support; improved distro compatiblity text.
Browse files Browse the repository at this point in the history
  • Loading branch information
@ctalledo @rodnymolina
ctalledo authored and rodnymolina committed Feb 4, 2020
1 parent 8841e93 commit cb61549
Show file tree
Hide file tree
Showing 5 changed files with 191 additions and 98 deletions.
65 changes: 24 additions & 41 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,9 @@
## Contents

- [Introduction](#introduction)
- [Support](#support)
- [Download](#download)
- [Supported Linux Distros](#supported-linux-distros)
- [Supported Distros](#supported-distros)
- [Host Requirements](#host-requirements)
- [Installation](#installation)
- [Usage](#usage)
Expand All @@ -15,7 +16,6 @@
- [Security and Isolation](#security-and-isolation)
- [Documentation](#documentation)
- [Integration with Container Managers](#integration-with-container-managers)
- [Production Readiness](#production-readiness)
- [Troubleshooting](#troubleshooting)
- [Issues](#issues)
- [Roadmap](#roadmap)
Expand Down Expand Up @@ -58,47 +58,21 @@ The latest release of Sysbox is [here](https://github.com/nestybox/sysbox-extern

Installation instructions are below.

## Supported Linux Distros
## Supported Distros

Sysbox relies on functionality that is only present in very recent
Ubuntu kernels:
Sysbox relies on functionality that is currently only present in
Ubuntu.

- Ubuntu 19.04 "Disco" (kernel >= 5.0.0-21.22)
- Ubuntu 18.04 "Bionic" (with 5.0+ kernel upgrade)

If you need to upgrade your kernel in order to match requirements
stated above, see [here](docs/troubleshoot.md#upgrading-the-ubuntu-kernel)
for suggestions on how to do this.

Alternatively it's possible to use Sysbox with slightly older Ubuntu
kernels, but doing so requires using system containers in [Docker userns-remap isolation mode](docs/usage.md#system-container-isolation-modes).
In this case you can run Sysbox on the following distros (without
needing to upgrade the kernel):

- Ubuntu 19.04 "Disco"
- Ubuntu 18.10 "Cosmic"
- Ubuntu 18.04 "Bionic"
See the [distro compatibility doc](docs/distro-compat.md) for
information on what versions of Ubuntu kernels are supported.

We plan to add support for more distros in the future.

Here is a summary of the distro requirements:

| System Container Isolation Mode | Required Distro & Kernel |
| ---------------------------------| ----------------------------------- |
| Exclusive userns-remap (default) | Ubuntu 19.04 Disco (>= 5.0.0-21.22) |
| | Ubuntu 18.04 Bionic (5.0+ kernel) |
| Docker userns-remap | Ubuntu 19.04 Disco |
| | Ubuntu 18.10 Cosmic |
| | Ubuntu 18.04 Bionic |

See [here](docs/usage.md#system-container-isolation-modes) for info on
Sysbox isolation modes and how to configure them.

## Host Requirements

The Linux host on which Sysbox runs must meet the following requirements:

1) It must have one of the Linux distros listed in the prior section.
1) It must have one of the supported Linux distros.

2) Systemd must be the system's process-manager (the default in the supported distros).

Expand Down Expand Up @@ -158,13 +132,19 @@ $ docker run --runtime=sysbox-runc --rm -it --hostname my_cont debian:latest
root@my_cont:/#
```

If you omit the `--runtime` option, Docker will use its default `runc`
runtime to launch regular application containers (rather than system
containers).
If you see an error such as:

It's perfectly fine to run system containers launched with Docker +
Sysbox along side regular Docker application containers; they won't
conflict.
docker: Error response from daemon: OCI runtime create failed: container requires user-ID shifting but error was found: shiftfs module is not loaded in the kernel. Update your kernel to include shiftfs module or enable Docker with userns-remap. Refer to the Sysbox troubleshooting guide for more info: unknown

it means that your kernel version is a bit older than needed by Sysbox.
Refer to the [distro compatibility doc](docs/distro-compat.md) for
more info on how to overcome this problem.

Note that if you omit the `--runtime` option, Docker will use its
default `runc` runtime to launch regular application containers
(rather than system containers). It's perfectly fine to run system
containers launched with Docker + Sysbox alongside regular Docker
application containers; they won't conflict.

The [Sysbox Quickstart Guide](docs/quickstart.md) and the [Nestybox Blog Site](https://blog.nestybox.com) have
more usage examples.
Expand Down Expand Up @@ -260,6 +240,10 @@ system containers.
- Provides many examples for using system containers. New users
should start here.

- [Sysbox Distro Compatilibity Doc](docs/distro-compat.md)

- Distro compatibility requirements.

- [Sysbox User's Guide](docs/usage.md)

- Provides more detail information on Sysbox features.
Expand Down Expand Up @@ -396,5 +380,4 @@ Your trust in us is very much appreciated.

\-- _The Nestybox Team_


[slack]: https://join.slack.com/t/nestybox-support/shared_invite/enQtOTA0NDQwMTkzMjg2LTAxNGJjYTU2ZmJkYTZjNDMwNmM4Y2YxNzZiZGJlZDM4OTc1NGUzZDFiNTM4NzM1ZTA2NDE3NzQ1ODg1YzhmNDQ
14 changes: 1 addition & 13 deletions docs/design.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,7 @@ kernel is required.
When Sysbox is configured in exclusive userns-remap mode (it's
default isolation mode), it makes use of the Ubuntu shiftfs module,
which is included in recent Ubuntu kernels (see the list of
[supported Linux distros](../README.md#supported-linux-distros) for more info on this).
[supported Linux distros](distro-compat.md) for more info on this).

The purpose of this module is to perform filesystem user-ID and
group-ID "shifting" between the a container's Linux user namespace and
Expand Down Expand Up @@ -339,18 +339,6 @@ The main goals for this are:

2) Increase isolation between the container and the host.

Currently, Sysbox does virtualization of the following procfs resources:

- `/proc/uptime`

- Shows the uptime of the system container, not the host.

- `/proc/sys/net/netfilter/nf_conntrack_max`

- Sysbox emulates this resource independently per system
container, and sets appropriate values in the host kernel's
`nf_conntrack_max`.

Note also that by virtue of enabling the Linux user namespace in all
system containers, kernel resources under `/proc/sys` that are not
namespaced by Linux (e.g., `/proc/sys/kernel/*`) can't be changed from
Expand Down
141 changes: 141 additions & 0 deletions docs/distro-compat.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
# Sysbox Distro Compatibility

## Contents

- [Supported Linux Distros](#supported-linux-distros)
- [Ubuntu Support](#ubuntu-support)
- [Sysbox on Older Ubuntu Kernels](#sysbox-on-older-ubuntu-kernels)
- [Distro Compatibility Summary](#distro-compatibility-summary)
- [Upgrading the Ubuntu Kernel](#upgrading-the-ubuntu-kernel)
- [Bionic Beaver](#bionic-beaver)
- [Disco Dingo](#disco-dingo)

## Supported Linux Distros

Sysbox relies on functionality that is currently only present in
Ubuntu kernels. Thus, Ubuntu is the only distro supported at this
time.

## Ubuntu Support

Sysbox requires very recent Ubuntu kernels:

- Ubuntu 19.10 "Eoan"
- Ubuntu 19.04 "Disco" (kernel upgrade >= 5.0.0-21.22)
- Ubuntu 18.04 "Bionic" (kernel upgrade >= 5.0)

If your kernel is not one of these, you can still use Sysbox
using the alternative approach described in the next section.

**NOTES:**

1) Canonical generates flavors of these kernels for desktop, server,
and cloud. The [cloud images](https://cloud-images.ubuntu.com/) do
not yet include the kernel functionality required by Sysbox
(unfortunately). Thus, if you want to use Sysbox on a cloud VM, you
must install the Ubuntu desktop or server flavors on the VM, or use
the alternative approach described in the next section.

2) If you have a Ubuntu desktop or server image but need to upgrade
the kernel in order to meet the requirements listed above, see
[here](#upgrading-the-ubuntu-kernel) for suggestions on how to do this.

3) If you launch a system container with Docker + Sysbox, and you get
an error such as

```console
# docker run --runtime=sysbox-runc -it debian:latest
docker: Error response from daemon: OCI runtime create failed: container requires user-ID shifting but error was found: shiftfs module is not loaded in the kernel. Update your kernel to include shiftfs module or enable Docker with userns-remap. Refer to the Sysbox troubleshooting guide for more info: unknown
```

it means that your kernel does not meet the requirements listed above
(specifically your distro does not have the `shiftfs` module that is
present in recent Ubuntu desktop and server kernels). In this case you
must either upgrade your kernel or use the alternative approach
described in the next section.

### Sysbox on Older Ubuntu Kernels

If your distro is Ubuntu but the kernel version is not as recent as
those listed in the prior section, it's still possible to use
Sysbox. However, doing so requires two things:

1) You must have Ubuntu Bionic or later (e.g., Ubuntu Bionic, Disco,
Cosmic, or Eoan). Any kernel version of these releases will do.

2) You must change the configuration of the Docker daemon:

- After installing Sysbox, add the `userns-remap` line to the
`/etc/docker/daemon.json` file as shown below:

```console
# cat /etc/docker/daemon.json
{
"userns-remap": "sysbox",
"runtimes": {
"sysbox-runc": {
"path": "/usr/local/sbin/sysbox-runc"
}
}
}
```

This tells Docker to enable the user namespace in all containers
and map the root user in the container to the subid range of
user `sysbox`, as defined in the `/etc/subuid` and `/etc/subgid` files.

- Restart the Docker daemon:

```console
# sudo systemctl restart docker.service
```

- Note that both of the actions above require `root` privileges on
the host.

When Docker is configured this way, Sysbox works in what we call
"Docker userns-remap mode". It's a mode that offers strong container
isolation, but not as strong as when using the latest Ubuntu kernels
with the shiftfs module as described in the prior section (where
Sysbox works in "Exclusive userns-remap mode". See
[here](usage.md#system-container-isolation-modes) for more info on
Sysbox isolation modes.

### Distro Compatibility Summary

Here is a summary of the distro requirements:

| Distro Name | Kernel | Requires Docker in Userns-Remap Mode |
| ------------------- | ---------------- | ------------------------------------ |
| Ubuntu 19.10 Eoan | Any | No |
| Ubuntu 19.04 Disco | >= 5.0.0-21.22 | No |
| | < 5.0.0-21.22 | Yes |
| Ubuntu 18.10 Cosmic | Any | Yes |
| Ubuntu 18.04 Bionic | >= 5.0 | No |
| | < 5.0 | Yes |

### Upgrading the Ubuntu Kernel

In case you need to upgrade your machine's Linux kernel to meet Sysbox
kernel version requirements, here are some suggestions. Refer to the
Ubuntu documentation online for further info.

#### Bionic Beaver

For Bionic Beaver, we recommend using Ubuntu's [LTS-enablement](https://wiki.ubuntu.com/Kernel/LTSEnablementStack)
package:

```console
$ sudo apt-get update && sudo apt install --install-recommends linux-generic-hwe-18.04 -y
```

#### Disco Dingo

For Disco Dingo, we recommend simply upgrading the distro:

```console
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade
$ reboot
```
47 changes: 8 additions & 39 deletions docs/troubleshoot.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,6 @@

## Contents

- [Upgrading the Ubuntu Kernel](#upgrading-the-ubuntu-kernel)
- [Bionic Beaver](#bionic-beaver)
- [Disco Dingo](#disco-dingo)
- [Sysbox Installation Problems](#sysbox-installation-problems)
- [Ubuntu Shiftfs Module Not Present](#ubuntu-shiftfs-module-not-present)
- [Unprivileged User Namespace Creation Error](#unprivileged-user-namespace-creation-error)
Expand All @@ -17,31 +14,6 @@
- [sysbox-mgr and sysbox-fs](#sysbox-mgr-and-sysbox-fs)
- [sysbox-runc](#sysbox-runc)

## Upgrading the Ubuntu Kernel

In case you need to upgrade your machine's Linux kernel to meet Sysbox [distro requirements](../README.md#supported-linux-distros),
here are some suggestions. Refer to the Ubuntu documentation online for further info.

### Bionic Beaver

For Bionic Beaver, we recommend using Ubuntu's [LTS-enablement](https://wiki.ubuntu.com/Kernel/LTSEnablementStack)
package:

```console
$ sudo apt-get update && sudo apt install --install-recommends linux-generic-hwe-18.04 -y
```

### Disco Dingo

For Disco Dingo, we recommend simply upgrading the distro:

```console
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get dist-upgrade
$ reboot
```

## Sysbox Installation Problems

When installing the Sysbox package with the `dpkg` command
Expand Down Expand Up @@ -120,23 +92,20 @@ docker: Error response from daemon: OCI runtime create failed: container require
```

The error likely means you are running Sysbox on an older Ubuntu
kernel, as newer Ubuntu kernels come with shiftfs.

The Ubuntu shiftfs module is required when Sysbox is configured in
[exclusive userns-remap mode](usage.md#exclusive-userns-remap-mode)
(it's default operating mode).
kernel, as newer Ubuntu kernels come with shiftfs. Or maybe you
are using a Ubuntu image meant for cloud VM instances, rather
than Ubuntu Desktop or Server.

You can work-around this error by either:

- Updating your Linux distro. See [here](../README.md#supported-linux-distros)
for the list of Linux distros supported by Sysbox, and
[here](#upgrading-the-ubuntu-kernel) for recommendations on how to
update the distro.
- Updating your Linux distro. See the [distro compatibility](distro-compat.md)
document for the list of Linux distros supported by Sysbox, and
recommendations on how to update the distro.

or

- Configuring Sysbox in docker userns-remap mode, as described
[here](usage.md#system-container-isolation-modes). This
- Configuring Docker in userns-remap mode, as described
[here](distro-compat.md#sysbox-on-older-ubuntu-kernels). This
mode does not require use of shiftfs.

## Unprivileged User Namespace Creation Error
Expand Down
Loading

0 comments on commit cb61549

Please sign in to comment.