
Add support for building for DO Debian, DO Ubuntu, Dockerfile debian-slim #8

Closed
wants to merge 24 commits into from

Conversation

@gobengo (Contributor) commented Feb 22, 2018

You can now provision remote linux hosts over SSH using ./build/bin/remote <user>@<ip>

```bash
exit_node_ip=165.227.241.194
./build/remote root@$exit_node_ip
# will provision the exitnode on that host, then reboot it and wait for it to come back
```

I tested this on Digital Ocean: Ubuntu 16.04, 17.10

--

There is also now a Dockerfile in here, so the following should start to be useful.

Note: It doesn't work all the way now. Opening this PR to illustrate blockers.

```bash
docker build -t exitnode .
docker run exitnode
```

...

```text
+ make install
rm -f /usr/local/bin/babeld
mkdir -p /usr/local/bin
cp -f babeld /usr/local/bin
mkdir -p /usr/local/man/man8
cp -f babeld.man /usr/local/man/man8/babeld.8
+ REQUIRED_MODULES='nf_conntrack_netlink nf_conntrack nfnetlink l2tp_netlink l2tp_core l2tp_eth'
+ for module in '$REQUIRED_MODULES'
+ grep -q nf_conntrack_netlink /etc/modules
+ echo '\nnf_conntrack_netlink'
+ modprobe nf_conntrack_netlink
modprobe: ERROR: ../libkmod/libkmod.c:557 kmod_search_moddep() could not open moddep file '/lib/modules/4.9.49-moby/modules.dep.bin'
The command '/bin/sh -c ./build/docker/docker-build' returned a non-zero code: 1
```

@gobengo (Contributor Author) commented Feb 22, 2018

Full output of docker build .
https://travis-ci.org/gobengo/exitnode/builds/344650136

@gobengo (Contributor Author) commented Feb 22, 2018

@jhpoelen

Well the good news is that travis-ci actually seems like it's running the tunneldigger broker just fine? https://travis-ci.org/gobengo/exitnode/builds/344651270 . It runs until I cancel it.

The bad news is:
When I run locally on my mac:

```text
ben@bengo-air ~/dev/sudomesh/exitnode travis ⚡ docker run --privileged -it -e IP=1.2.3.4 exitnode
Starting in fungible mode
[INFO/tunneldigger.broker] Initializing the tunneldigger broker.
[INFO/tunneldigger.broker] Registered script '/opt/tunneldigger/broker/scripts/up_hook.sh' for hook 'session.up'.
[INFO/tunneldigger.broker] Registered script '/opt/tunneldigger/broker/scripts/down_hook.sh' for hook 'session.down'.
Traceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 162, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/opt/tunneldigger/broker/main.py", line 78, in <module>
    tunnel_manager.initialize()
  File "broker/broker.py", line 145, in initialize
    self.netlink = l2tp.NetlinkInterface()
  File "broker/l2tp.py", line 68, in __init__
    self.family_id = controller.get_family_id(L2TP_GENL_NAME)
  File "broker/genetlink.py", line 82, in get_family_id
    return m.attrs[CTRL_ATTR_FAMILY_ID].u16()
KeyError: 1
```

Update: This would have happened if the OS doesn't support L2TP.
I think, since "Docker for Mac" actually involves running a Linux VM, that in my case that VM just doesn't have the right kernel modules. So when this container is sharing same kernel and running on that VM, it can't L2TP. "Docker for Mac" keeps that Linux VM pretty opaque.
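The `modprobe` failure in the PR description and the `KeyError` traceback above have the same root cause: the broker assumes the L2TP and conntrack modules are already present in the kernel the container shares, and a container cannot load them itself (there is no matching `/lib/modules` for the host kernel inside it). The following bash preflight is an added example, not code from the exitnode project: it reports which of the modules listed in `REQUIRED_MODULES` are absent, treating a module as present when it is listed in `/proc/modules` (loaded) or has a `/sys/module/<name>` directory (built in). The optional path arguments are an assumption made so the check can be pointed at constructed input; with no arguments it reads the real kernel interfaces. Naming the missing modules before the broker starts gives a clearer failure than the generic-netlink traceback.

```shell
#!/usr/bin/env bash
# Added example, not part of the exitnode project: check that the kernel the
# container shares already provides the modules the tunneldigger broker needs.
# modprobe cannot help inside a container (no matching /lib/modules), so the
# only useful check is whether the host kernel has them loaded or built in.

REQUIRED_MODULES='nf_conntrack_netlink nf_conntrack nfnetlink l2tp_netlink l2tp_core l2tp_eth'

# module_present NAME [PROC_MODULES] [SYS_MODULE_DIR]
# Returns 0 when NAME is loaded (listed in /proc/modules) or built in
# (has a /sys/module/NAME directory). The optional paths default to the
# real kernel interfaces; they exist so the check can run against test input.
module_present() {
  local name="$1" proc_modules="${2:-/proc/modules}" sys_module_dir="${3:-/sys/module}"
  # /proc/modules has one module per line; the first field is the module name.
  # Matching on $1 only avoids false positives from the dependency list field.
  if [ -r "$proc_modules" ] &&
     awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$proc_modules"; then
    return 0
  fi
  [ -d "$sys_module_dir/$name" ]
}

# missing_modules [PROC_MODULES] [SYS_MODULE_DIR]
# Prints the required modules that are not present, one per line.
missing_modules() {
  local m
  for m in $REQUIRED_MODULES; do
    module_present "$m" "$1" "$2" || printf '%s\n' "$m"
  done
}

# preflight [PROC_MODULES] [SYS_MODULE_DIR]
# Exit 0 when everything is there, 1 with a readable report otherwise.
preflight() {
  local missing
  missing=$(missing_modules "$@")
  if [ -n "$missing" ]; then
    echo "missing kernel modules (load them on the host, not in the container):" >&2
    printf '  %s\n' $missing >&2
    return 1
  fi
  echo "all required kernel modules present"
}

# Run the check only when invoked as ./preflight.sh --check, so the functions
# can also be sourced from another script.
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

Running `./preflight.sh --check` as the container's entrypoint guard (before the broker starts) turns the opaque `KeyError: 1` into a list of module names that the host administrator can act on.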


Expected output should be something like:
This should SSH to the exit node, configure it, reboot, and wait for the reboot to complete.
Contributor

suggest to include expected output

Contributor Author

Added

```bash
# run
docker run --privileged -e IP=$exit_node_ip exitnode
# run bash for debugging
docker run --privileged -it -e IP=$exit_node_ip exitnode bash
```
Contributor

what is the use case for running an exit node in docker? Does this allow for connecting physical home node to a docker container? If so that would be awesome! Suggest to document how to do this, if you haven't already.

@gobengo (Contributor Author) Feb 22, 2018

what is the use case for running an exit node in docker?

  • I am willing/eager to host an exitnode on my existing cluster, but don't want to pay more $/month for a dedicated VM if I don't have to. My existing cluster dynamically schedules containers across it, as long as I can build the workload into a docker container.
  • Even if I didn't have an existing cluster, if I wanted to run other apps on the same server, I'd want to isolate them in separate linux containers so they can use different system deps, and docker/Dockerfiles are one of the easier ways to build/distribute/run lxc containers.

Does this allow for connecting physical home node to a docker container? If so that would be awesome! Suggest to document how to do this, if you haven't already.

  • That's the idea. Will document further when I actually get it working. Next steps:
    • Determine why docker run ... won't work on my mac, but does on Travis-CI
    • See if the container works on my k8s cluster, since it works on Travis-CI

Contributor

Thanks for taking the time to elaborate! The docker case sounds really cool - and I'd like to suggest to add it as part of a separate pull request after you get it working and with examples of how to use it. Perhaps @bennlich and @paidforby have some ideas about this.


Sounds useful and practical to me. I was hoping to run nginx and host some webpages on my exit node eventually, but I would want to give access to other contributors. I could create separate UNIX users or run a CMS (like wordpress), still I would worry about potential conflicts or unintended side effects. Wrapping the exitnode up in a docker container would put my mind at ease.

Contributor

Very much agree with @gobengo and @paidforby about the benefits of docker. I was making an argument for making sure it works / examples before introducing it. Won't block it, but am wary of introducing functionality that can't be tested / used.

Collaborator

A dockerized exit node sounds super awesome 👍

@gobengo (Contributor Author) Mar 12, 2018

@bennlich @jhpoelen FWIW I did diagnose and resolve the above issues, and got it running in Docker and in my Kubernetes cluster (container requires --privileged flag, I think because L2TP requires privileged syscalls?, but that's fine). I have not tested the exitnode yet from a home node.

So I have three things to test, and will do so in this order:

  1. exitnode in digitalocean as created by ./build/remote
  2. exitnode in docker in digitalocean - just to prove docker does{,n't} create problems
  3. exitnode in docker in my kubernetes cluster (on AWS FWIW) - I may never test this, or at least if it doesn't work I'm not in a rush to debug this. No one else needs this setup. Though if the mesh needs more exitnodes this is the cheapest place for me to run one (.... or a dozen) because it can be packed into my existing EC2 Instances.

echo "release_name=$release_name"


# Upgrade kernel on OS that require it
Contributor

is this upgrading the kernel or installing extra modules?

echo "release_name=$release_name"
if [ "$release_name" == '"Ubuntu"' ]; then
echo "OS is Ubuntu. Need to upgrade kernel"
# This would NOT work on Debian 8.10, (@TODO test others).
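Review bot: the test `[ "$release_name" == '"Ubuntu"' ]` only matches when `$release_name` still carries the literal double quotes from wherever it was read, so a plain `Ubuntu` value silently fails the check and the kernel upgrade is skipped; strip the quotes at the point where `release_name` is set and compare against `"Ubuntu"` without the embedded quotes. The `# This would NOT work on Debian 8.10` comment should also say what fails there (the detection or the upgrade step) so the TODO is actionable.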
Contributor

nice! By "would NOT work" you mean something like would not be executed correct?

build/remote Outdated
#!/usr/bin/env bash

# This script should provision a remote linux server as an exit node
# usage: PUBLIC_IP=165.227.241.194 ./build/remote [email protected]
Contributor

why are you using PUBLIC_IP if you are not using it?

Contributor Author

It's used below on line 27. e.g. you can provide it if the PUBLIC_IP is different from the ip/hostname you are SSHing to.

But it doesn't really need to be in this usage note. That's from before I made it use your SSH host as IP if no env var is provided.

cp /opt/exitnode/l2tp_broker.cfg $TUNNELDIGGER_HOME/broker/l2tp_broker.cfg
echo "EXITNODE_DIR=$EXITNODE_DIR"
if [[ ! $EXITNODE_DIR ]]; then
echo "cloning jhpoelan/exitnode to /opt/exitnode"
Contributor

jhpoelen/exitnode --> sudomesh/exitnode

@@ -142,4 +118,4 @@ service sudomesh-gateway start
service tunneldigger start
service babeld start

reboot now
# reboot now
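Review bot: replacing `reboot now` with the commented `# reboot now` means the provisioned host is no longer rebooted at the end of the script, while the PR description states that `./build/remote` reboots the host and waits for it to come back; either restore the reboot (and the wait) or update the description, and in both cases delete the commented-out line rather than leaving dead code behind.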
Contributor

suggest to remove commented command

@bennlich (Collaborator)

This PR was superseded by #11
