KatharaFramework / Kathara

A lightweight container-based network emulation system.
https://www.kathara.org/
GNU General Public License v3.0

Make it possible to use sysctl in the configuration file #75

Closed ejeandel closed 4 years ago

ejeandel commented 4 years ago

Apologies if I'm using bad terminology, I'm not really familiar with the intrinsics of docker.

As you well know, sysctl does not work inside the container. However it is possible to fix some options when the container is launched. In particular you fix net.ipv4.ip_forward=1 for obvious reasons, and net.ipv4.icmp_ratelimit=0

I would like to have the possibility in the configuration file to fix some other sysctl (individually per machine or for all machines).

Typically, I would like to disable ip forwarding for some machines, and to disable tcp_sack (which I prefer when teaching TCP to students for the first time).

I actually did put a sysctl_parameters["net.ipv4.tcp_sack"] = 0 line in DockerMachine.py for my personal use, but it would be best if this was configurable.

It doesn't look too hard, and I could probably do it myself and give a patch, provided one agrees about which syntax to take for the configuration file.

Thanks,

E.

Kidel commented 4 years ago

@lorenzo93 if I'm not mistaken, lstart options are indirectly mapped to vstart parameters. For this reason I'd suggest a single word with no symbols.

If an option is the only way to achieve this result.

lorenzo93 commented 4 years ago

Hi @ejeandel,

You can add sysctl parameters in a single machine even without modifications in the Kathara source. If you put them in the <machine_name>.startup file they will be executed inside the machine. To make this work you need to start your lab with the --privileged parameter that starts the container in privileged mode (allowing you to change the kernel parameters).

The only drawback in doing so is that with the privileged flag it is easy to exploit privilege escalation attacks on Docker, so it is required to run lstart --privileged as root, to ensure you are an administrator so that you'll not do damage to the host machine.

In addition, if you need to change a parameter in all the machines in a lab (or more generally if you need to run a command in all the lab machines) you can create a shared.startup file in your lab folder. That file will be executed like the <machine_name>.startup but on all lab machines, instead of just the machine_name machine.

If you have further questions don't hesitate, we are very happy that other universities are using our tool! :)

rfrenken commented 4 years ago

Hi,

We were using Netkit for some time at our university too and are enthusiastic to use the much leaner Kathara. However, when trying to set ipv6 forwarding I get the same error as described above. I've put the sysctl command in the startup file. However, running kathara lstart in privileged mode doesn't help, as when I do it the xterms in my lab are not opening anymore. I've got the following warning on my screen:

WARNING - Running devices with privileged capabilities, terminals won't open!

I didn't have the problem in the "previous" kathara, the one in which I just could use plain Netkit commands. Do you have any tips how to solve this? Thanks a lot in advance.

lorenzo93 commented 4 years ago

Hi,

we've disabled the terminal opening in privileged mode due to a problem with Wayland (an X.org alternative). The devices went correctly up and running; that warning is just a reminder of this behaviour. You can still access the devices with the kathara connect command (man page).

Let me know if you still have problems :)

ejeandel commented 4 years ago

I'm not a big fan of using the privileged mode, tbh, especially when it is not technically necessary. I'm of the opinion that opening a subset of the sysctl to the public (notably the whole .net subspace should be safe) seems a better solution, especially as docker makes it possible.

rfrenken commented 4 years ago

Hi,

I do agree with @ejeandel concerning opening a subset of sysctl. If you want to experiment with networks, you should be able to change the .net subspace easily. Also, we'd like to use Kathara for teaching (as we used Netkit) and here ease of use is also very important. If I have a lab with 6 nodes and then I have to first start all of them in privileged mode and then connect to the one that I need to interact with via kathara connect, it's not going to be really easy to use... It's a pity, as I really liked Kathara for its performance but also for the fact that it was pretty easy to extend the image with the necessary functionality via docker (as opposed to netkit).

Skazza94 commented 4 years ago

Hi @ejeandel and @rfrenken, and thanks for the issue.

For me, it is not clear what is the right idea to solve this problem. There are three solutions:

  1. Put a setting into the kathara.json file. As example:

     {
       "sysctls": {
         "net.ipv4.tcp_sack": 0,
         // other `net.` stuff here
       }
     }

     Of course, the setting is applied on each Kathara device started.

  2. Put an option for the machine in the lab.conf file. As example:

     pc1[0]="A"
     pc1[sysctl]="net.ipv4.tcp_sack=0"

     This gives the flexibility to choose on which device the sysctl is applied. This can be "boring" if you need to set a sysctl on all devices.

  3. Leave it as it is and put the sysctl commands in the .startup file and start the lab with the --privileged flag. However, terminals don't open with this flag and this can be tricky when you want to interact with all of them.

Of course, solutions 1 and 2 require a check that the sysctl name starts with `net.`. In number 2 it is also required that an = sign is in the string.

Please tell me which option you prefer and why, so we can decide what's best for everyone :)

Thanks!
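As an added example (not code from the Kathara project), here is one way to implement the two checks mentioned above for solution 2: a small parser for lab.conf `machine[sysctl]="key=value"` lines that accepts only parameters under the `net.` namespace and rejects entries without an `=` sign. The `pc1[sysctl]=...` syntax and the sample lab.conf content are assumptions taken from the proposal in this thread; the option name and exact format in a real Kathara release may differ.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lab.conf content (not from any real lab): two valid net.*
# sysctls, one outside the net. namespace, and one missing the "=" sign.
SAMPLE_LAB_CONF = """\
pc1[0]="A"
pc1[sysctl]="net.ipv4.tcp_sack=0"
pc1[sysctl]="net.ipv6.conf.all.forwarding=1"
pc2[0]="A"
pc2[sysctl]="kernel.panic=0"
pc2[sysctl]="net.ipv4.ip_forward"
"""

# machine[option]="value" (quotes optional), e.g. pc1[sysctl]="net.ipv4.tcp_sack=0"
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_-]+)\[([^\]]+)\]\s*=\s*"?([^"]*)"?\s*$')

# key=value where key is a dotted name under net. and neither side contains
# characters outside the sysctl name/value alphabet (no spaces, quotes, ';', ...).
SYSCTL_RE = re.compile(r'^(net\.[A-Za-z0-9_.\-]+)=([A-Za-z0-9_.\-]+)$')


def validate_sysctl(spec: str) -> Tuple[str, str]:
    """Return (key, value) for an allowed net.* assignment, or raise ValueError."""
    if "=" not in spec:
        raise ValueError(f"sysctl option {spec!r} must be of the form key=value")
    m = SYSCTL_RE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"sysctl option {spec!r} is not an allowed net.* parameter")
    return m.group(1), m.group(2)


def parse_lab_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Collect per-machine sysctls from lab.conf lines.

    Options other than sysctl (interface numbers, etc.) are skipped here.
    Returns ({machine: {sysctl_key: value}}, [error messages]); a machine
    with only rejected sysctl lines gets no entry at all.
    """
    sysctls: Dict[str, Dict[str, str]] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # lab.conf uses '#' comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: cannot parse {raw!r}")
            continue
        machine, option, value = m.groups()
        if option != "sysctl":
            continue
        try:
            key, val = validate_sysctl(value)
        except ValueError as exc:
            errors.append(f"line {lineno} ({machine}): {exc}")
            continue
        sysctls.setdefault(machine, {})[key] = val
    return sysctls, errors


if __name__ == "__main__":
    parsed, problems = parse_lab_conf(SAMPLE_LAB_CONF)
    for name, params in parsed.items():
        print(name, params)
    for problem in problems:
        print("rejected:", problem)
```

The per-machine dictionary this produces has the same `{"net.ipv4.tcp_sack": "0"}` shape that Docker's per-container sysctls setting expects, so it can be handed to the container start call directly without a privileged container. Restricting both key and value to a narrow character set, in addition to the `net.` prefix, keeps a lab file from smuggling anything other than a plain kernel parameter assignment into that call.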

ejeandel commented 4 years ago

I much prefer something that can be done per machine (or per lab) rather than for all labs, ie solution 2.

rfrenken commented 4 years ago

I like the second solution (via configuration file) more, as it gives more flexibility.

Skazza94 commented 4 years ago

Okay then.

@ejeandel can you open a pull request to implement the support for sysctl in the lab.conf file?

Thanks!

Skazza94 commented 4 years ago

Hi, as a friendly reminder, this feature has been included in the latest Kathara release (v2.2.2).