aleph-vm icon indicating copy to clipboard operation
aleph-vm copied to clipboard
verified publisher icon aleph-im

VM Networking improvements

Open hoh opened this issue 3 years ago • 4 comments

With contributions from @tomribbens

  • [x] 1. IP ranges used by VMs should be updated because they are not following RFC1918

  • [ ] 2. Network configuration commands are changed from iptables to nft

  • [ ] Port forwarding - from a public IPv4 port on the host to a port on the guest Dedicated issue: https://github.com/aleph-im/aleph-vm/issues/148 Related: https://github.com/aleph-im/aleph-message/pull/30

  • [ ] IPv6 access to every virtual machine Dedicated issue: https://github.com/aleph-im/aleph-vm/issues/221

  • [ ] A Wireguard VPN between virtual machines from the same user, across hosts.

Notes

  • Using the same IPv4 range inside VMs on all tap networks might be possible.
  • Using the same Tap interface for all VMs of a user’s cluster would be ideal.

Include (and improve) the cleanup of network configuration on VM stop and on supervisor crash/start.

hoh avatar Oct 04 '22 16:10 hoh

Solving this issue as well would be handy: https://github.com/aleph-im/aleph-vm/issues/18

hoh avatar Oct 05 '22 23:10 hoh

I've been looking at point 1, on making the ip addresses RFC1918 compliant. The easy way obviously would be to limit the vm_id generated to be limited to 4096 (assigning /24 networks out of 172.16.0.0/12 gives 12 bits to work with) and then modifying the guest_ip and host_ip functions in firecracker/microvm.py to f"172.{16 + self.vm_id // 256}.{self.vm_id % 256}.1".

There are 2 issues with that:

  • This puts a hard limit on amount of VMs at 4096, which I understand is bordering on potentially not enough
  • This is not flexible at all if in the future a change to another address pool is wanted

I would propose as a solution to make two new settings, VM_ADDRESS_POOL and VM_NETWORK_SIZE. This would make everything more flexible on a host per host basis.

However, this would mean passing those settings to the MicroVM class, which doesn't seem to be cleanest either. Therefor I would propose to move the calculation of the ip addresses out of firecracker/microvm.py and into functions called by the create_a_vm() function. This seems cleaner as the VM logic itself has no business determining the IP addresses, but should be a function in the supervisor anyway.

Additionally, this would make it easier in the future when looking at using a single tap interface per user, as at that point more knowledge about other VMs is required to determine which IP address to hand out, which is clearly a supervisor task.

tomribbens avatar Oct 06 '22 14:10 tomribbens

That reads like the right way to go ! :+1:

hoh avatar Oct 06 '22 15:10 hoh

Did some research into sharing the tap interface between multiple hosts. As I understand it currently, this would require the tap interface to be set with the option multi_queue, but this currently is not supported by Firecracker:

https://github.com/firecracker-microvm/firecracker/issues/750

tomribbens avatar Oct 31 '22 22:10 tomribbens