Bo.x0.rs

From Hack Manhattan Wiki
Revision as of 00:31, 13 April 2017 by Mz (Talk | contribs) (Created page with "= b0.x0.rs = b0.x0.rs could be Hack Manhattan's in-house minimalist bullshit Cloud running on an severely underpowered machine, probably without backups. But seriously… U...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

b0.x0.rs

b0.x0.rs could be Hack Manhattan's in-house minimalist bullshit Cloud running on an severely underpowered machine, probably without backups. But seriously…

Usecases: ease communal development of space projects (hmbot), trying out Linux software, run space related services like VPN, space webcam with logs, etc.

Management Container

  • Pull SSH keys from wiki users, filtered by a whitelist only editable on the host, expire password before first login so that on first login users have to set the password (kind of inspired by Noisebridge)
  • Users are allowed to create new minimal Debian Jessie[1] containers and can choose from four different network setups (default: IPv6 on)
    • Static IPv4 allocation
    • NAT
    • Static IPv4 allocation + Tor (IPv6 outgoing off)
    • Tor (IPv6 outgoing off)
    • Isolated (incoming IPv6 on, outgoing off)
  • Users can expire containers they have root access to, so they're automatically discarded. $ epoch >> ~root/discard
  • User created containers are allowed to nest containers (make it possible for people to use Docker if they really want to)
  • User created containers are automatically started/rebooted. If a container fails to boot a certain amount of times, the autostart flag is removed and reboot attempts will cease until Host Admins intervene.
  • The management container can reach every container on the network but does not see them in the file system, mainly to enable users to into isolated containers via ssh
  • $HOME on the Management Container is a tmpfs with the exception of ~/.ssh/ and ~/$(who).ovpn
  • Users can't give new mknod priviliges to containers, admins must intervene

Host

  • Runs Debian Jessie with the latest backports kernel, backports LXC and LXCFS and systemd.
  • Is full disk encrypted, password is shared with the HM board
  • Containers are located on a btrfs mount. Minimise hard disk space waste etc.
  • The host has an inotifywait process that checks for new configuration arrivals and puts the new unprivileged containers in place, generates new SSH host keys, adds the users' SSH keys to root@, creates a summary file in the users home on the management container
  • Runs a daily cron job at 4am to check for expiration
  • Might not be reachable via ssh directly. Local interfaces only

[1] Other container types like openwrt may be provided if someone provides this

Prerequisites

  • Allocate network block to b0.x0.rs containers for static IPs