ERROR: Cannot open TUN/TAP dev /dev/net/tun

To allow this for a specific container in Proxmox, we need to make a few tweaks to allow this interface to work in a specific container (we don’t want to allow all containers to be able to setup a tunnel – hackers can hide their tracks using it).

How to do this:

ADD these lines to /etc/pve/lxc/<container-id>.conf


lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

The problem with creating a directory for something before is mounted is that when zfs-mount.service runs and attempts to mount the zfs mount points you will get these kind of errors:

root@pve:~# systemctl status zfs-mount.service
● zfs-mount.service - Mount ZFS filesystems
Loaded: loaded (/lib/systemd/system/zfs-mount.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2017-06-30 18:10:21 PDT; 21s ago
Process: 6590 ExecStart=/sbin/zfs mount -a (code=exited, status=1/FAILURE)
Main PID: 6590 (code=exited, status=1/FAILURE)

Jun 30 18:10:19 pve systemd[1]: Starting Mount ZFS filesystems...
Jun 30 18:10:20 pve zfs[6590]: cannot mount '/gdata/pve/subvol-102-disk-1': directory is not empty
Jun 30 18:10:20 pve zfs[6590]: cannot mount '/gdata/pve/subvol-106-disk-1': directory is not empty
Jun 30 18:10:20 pve zfs[6590]: cannot mount '/gdata/pve/subvol-109-disk-1': directory is not empty
Jun 30 18:10:21 pve systemd[1]: zfs-mount.service: Main process exited, code=exited, status=1/FAILURE
Jun 30 18:10:21 pve systemd[1]: Failed to start Mount ZFS filesystems.
Jun 30 18:10:21 pve systemd[1]: zfs-mount.service: Unit entered failed state.
Jun 30 18:10:21 pve systemd[1]: zfs-mount.service: Failed with result 'exit-code'.

Fixing the root of the problem: change how proxmox deals with mounts by editing /etc/pve/storage.cfg – you need to add “mkdir 0” and “is_mountpoint” to the directory mount. Example:

dir: gdata-dump
path /gdata/vz
content iso,vztmpl,backup
maxfiles 0
shared 0
mkdir 0
is_mountpoint 1

Now we need to do some system cleanup before we reboot and confirm the problem is fixed.

Let’s check which mount points have failed:
root@pve:~# zfs list -r -o name,mountpoint,mounted

Now let’s umount all zfs mount points (except rpool of course – assuming the rootfs is zfs)

# zfs umount -a

After making sure ZFS mount points are unmounted, now we can delete the empty folders. Recall the failed mount points that the zfs list command gave you and one by one delete them like so:

# rm -rf /gdata/pve/subvol-102-disk-1

Do this for each folder that showed issues mounting. You have a choice to remount everything with zfs mount -O -a — or better… reboot the system and check its fixed. I like the later better. So reboot.

After it boots back up check that service was able to mount zfs without issues:

# systemctl status zfs-mount.service
# zfs list -r -o name,mountpoint,mounted

That’s all folks… if you made the edit to storage.cfg and added the two variables this should not occur again. This was an annoying bug to deal with but good to have found a better solution than a startup script doing some dirty tricks!

In *nix any usage of well-known ports (aka 1024 or less) requires special privileges or a kernel setting. In FreeBSD a simple sysctl net.inet.ip.portrange.reservedhigh =1 was enough to allow the BSD jail to use any port on the jail.

On LXC, I had to figure out how to do the same thing and its quite different. My environment is a debian stretch LXC container but should work on other linux versions.

# apt-get install libcap2-bin
# setcap 'cap_net_bind_service=+ep' /usr/bin/transmission-daemon

In the example above, the binary /usr/bin/transmission-daemon is now able to open any port, or port 80 http in my case all while running a service as a non-root user.

Hopefully these helps folks out there, the answer took some digging but I already had an idea on what was needed thanks to my FreeBSD experience in zones

I have a pair of Samsung 840 Pro 256GB SSDs that I wanted to use for my new homelab that I am currently building (moving from vmware to proxmox). You may be wondering why I want to install the operating system on a partition instead of an entire disk. Several reasons:

1. Proxmox (ZFS-on-Linux) does not yet support SSD TRIM, FreeBSD does support it so migrating from FreeNAS into Proxmox I should be aware of it.
2. Data redundancy for the root filesystem does not need to be large. Even if I do RAID1 with my two SSDs I won’t be storing my critical data or VMs in the rpool – I want a smaller sized root pool that has fault-tolerance (RAID1). A partition of 60GB mirrored in two SSDs should fit the bill here.
3. ZIL Intent Log experimentation, I also want to experiment by using the same two SSDs to speed up my ZFS writes. I want a small partition in a stripe (RAID0) for performance, 45GB total (22.5gb per ssd) is plenty for this.
4. The left over unused space will be left untouched so that the SSD will have more available blocks during the controller’s built-in garbage collection (not the same as TRIM)

I don’t have enough time to go into a lot of details (it’s past 4am), so I will get to how to do it. If you are trying to follow my same steps, you will need at least 3 hard drives.

1. On a hard drive or device you don’t care to use in the final outcome, install Proxmox as you would normally. Wipe the entire partition table and let it install RAID0 on the whole disk.
2. Boot into your new installation, have the two new disks you want to keep attached to the system and ensure linux sees them fdisk should help with this.
3. You will now need to create the partitions on the new disks (not rpool):

You will need to know how to calculate hard disk sectors and multiply by your block size. I don’t have time to go over it but I will do a quick TL;DR example to give you an idea:

We want 25GB slice so that is around 25000000000 bytes / 512 (block size) = 48828125 total sectors to allocate this storage amount.

Take a look at the partition table to make sure you create something similar, fdisk -l /dev/sd$ (your rpool disk). We will leave 8MB disk at the end of the partition, Proxmox by default creates 3 partitions: GRUB_BOOT, ZFS data, Solaris 8MB.

This command creates the partitions for my new array, I’ve described them for you by the -c command. It should be self-explanatory.

# sgdisk -z /dev/sdb
# sgdisk -a1 -n1:34:2047 -t1:EF02 -c1:”BIOS boot” -n2:2048:156252048 -t2:BF01 -c2:”mirror” -n3:156252049:205080174 -t3:BF01 -c3:”stripe” -n4:205080175:205096559 -t4:BF0 /dev/sda

# sgdisk -a1 -n1:34:2047 -t1:EF02 -c1:”BIOS boot” -n2:2048:156252048 -t2:BF01 -c2:”mirror” -n3:156252049:205080174 -t3:BF01 -c3:”stripe” -n4:205080175:205096559 -t4:BF0 /dev/sdc
# zpool create -f stripe -o ashift=13 /dev/sda3 /dev/sdc3
# zpool create -f newroot -o ashift=13 mirror /dev/sda2 /dev/sdc2
# grub-install /dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S1ATNSADB46090M
# grub-install /dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S12RNEACC59063B

Backup & moving stuff.
# zfs snapshot -r rpool@fullbackup
# zfs list -t snapshot
# zfs send -R rpool@fullbackup | zfs recv -vFd newroot
root@pve:/# zpool get bootfs
NAME PROPERTY VALUE SOURCE
newroot bootfs – default
rpool bootfs rpool/ROOT/pve-1 local
stripe bootfs – default
root@pve:/# zpool set bootfs=newroot/ROOT/pve-1 newroot
zpool export newroot
zpool import -o altroot=/mnt newroot
— rebooted with freenas live cd, enter shell, import newroot with new name rpool. rebooted
— boot into proxmox recovery — once it boots, do recovery
grub-install /dev/sdb
grub-install /dev/sda
update-grub2
update-initramfs -u

#zpool set bootfs=newroot rpool could also work without renaming via FreeNAS but didn’t try.

My needs for more CPU power and memory is driven by the idea of hyperconvergence. Which means I use a single machine to be my router/firewall, VPN gateway, network storage as well as virtual machine host.

Those themes have been part of my home network design since 2010 or so, today’s hot technologies are focusing on containers (LXC), Docker, etc. So I need a more powerful server in order to be able to expand my playground into those technologies. The 32gb maximum on my old server is simply not enough when you have 5 different VMs that consume almost all your memory resources (windows 10 VM, OSX one and my FreeNAS one being the top users of 75%+).

On my new machine I have decided to move towards the Xeon E5 v4 CPU series and DDR4 which has lower memory consumption than my current LPDDR3 (1.2v vs 1.35v per ram stick).

The components of choice is a Supermicro X10SRL-F with remote management (IPKVM), and 64gb DDR4 to start.

For server chassis I’ll be reusing my Lenovo TS440, but first I’ll assemble and test my new server on a different chassis as to not impact my home router/network design.

Since I will most likely be moving away from VMware ESXi into Proxmox or another open source alternative this means that there will be a steep learning curve as I try to do the initial configuration of the network to run on a single node (hyperconverged). I will have to learn OpenVswitch with is a virtual switch that runs on unix.

On servers with more than two network interfaces Debian/Proxmox renames all interfaces and does not properly detect eth0 as the on-board ethernet as many other linux flavors. This may cause a mild headache if you just installed Proxmox with static IP addresses using the installer and upon reboot you can’t access any network resources.

I already explained the cause and you could argue that on the Proxmox installer they could add a built-in network detection check to properly label eth0 as eth0 as the device is named in many other linux distros. That currently does not exist so I will walk you around the troubleshooting.

Upon reboot or first boot after the installation is complete:
# ip link

The bridge interface (vmbr0) should read “NO-CARRIER, MULTICAST, UP” as well as “state down” a few words further to the left of the results.

# dmesg | grep eth

Read the entries in the dmesg logs, it tells you the name of network interfaces on your system.

“NO-CARRIER” indicates it does not detect an uplink, the interface is configured but none of its bridge members have a network cable or connection being detected.

To fix this you will want to run the following commands:
# ifdown -a
# vi /etc/network/interfaces

By default the installer sets up “eth0” as your only bridge member since the network card numbering got setup differently, the logical name on proxmox for eth0 is actually eth2.

Edit the single instance of eth0 with eth2 – save the file and exit the editor.

# ifup -a
should try to bring back up your interfaces. Trying pinging your network gateway, it should be working now. Cheers.

Given the amount of information that is out there on the internet and that I spent quite a few hours trying to find other open source projects / cloud platforms that could be other alternatives, I thought why not make a post linking to all the platforms I have come across during my search, this way it will help someone else to simply click thru opening new tabs.

The hypervisors (they only support VMs):

• vmware ESXi
• XenServer
• Oracle VM (based off Xen server project above)
• Microsoft Hyper-V

The hybrids (allows VMs and containers at the same time under the same host – no need to spin up VMs for containers)

• SmartOS
• Proxmox VE
• Apache Mesos
• Mesosphere DC/OS Open source

Obviously you can also run containers on linux without using a bare-metal hypervisor like the options above. All you need to do is install Docker. But how are you going to manage/monitor/deploy your containers? command line is an option but there’s tools out there.

Container orchestration tools

• Cloudslang
• Kubernetes (the 500lb gorilla of orchestration tools)
• Kontena
• Apache CloudStack (this seems to manage only hypervisors and not containers)
• Marathon (for Mesos and DC/OS)
• Portainer
• Shipyard
• Panamax
• Rancher (a complete platform for running containers – highly complex)

Kubernetes addons:

• Cockpit (multi-server web management)

An interesting platform seems to be Mirantis OpenStack – if you are willing to put in the effort and deploy several of its plugins it looks like you would be able to host VMs, containers and have a web front-end to manage them all. Since this is not a single solution and it requires you to deploy several plugins I am leaving this uncategorized for now.

Personally, I have been using virtualization circa 2004. It all took off after 2006 when chip manufacturer’s started bundling virtualization technologies in their processors (Intel VT-x or AMD-v). The reason why “cloud” computing is so popular can also be attributed to virtualization.

In a container world…

However, in the past couple of years a new technology has been making making the rounds everywhere, the words “containers”, “docker”, “orchestration” is picking up steam in the past year. They say that containers are changing the landscape for system administrators and application developers.

Claims that containers can be built and deployed in seconds, share a common storage layer and allow you to resize the container in real-time when you need more performance or capacity are really exciting concepts and I think the time is now for me to jump in and learn a thing of two about this new technology when its hot a new.

Time to ditch vmware ESXi for a hybrid hypervisor?

You may remember my blog entry building a low-power sandy bridge ESXi server with ZFS – now 5 years later it is time to find a new platform that will allow me to keep my legacy virtual machines (VMs) as well as allow me to host containers using Docker.

The process of finding a suitable replacement for ESXi may take awhile and more than just a single entry on my blog. This is the first entry on my journey.

Before replacing something that works with a new platform I think it is good to point out the strengths and weaknesses of vmware ESXi (which has been my platform of choice for 6 years)

Strengths of ESXi

• awesome windows GUI vSphere client that allows you to manage your hypervisor without the need for console or ssh
• a web-interface to manage it too if you install a plugin
• virtual switch with VLAN support
• support for PCI passthrough (Intel VT-d) allowing you to assign PCI devices to virtual guests

Weaknesses

• does not support docker containers (unless you wish to create a virtual machine and run docker from there – but I prefer a central platform if possible)
• vmware continues to remove features from the free version of ESX – vSphere client interface is no longer availabel in their latest release
• Nothing exciting has been released by vmware in the past 2 years (in terms of ESXi) and they push esxi users into paid licensees

The alternatives?

SmartOS is a fork off OpenIndiana/OpenSolaris, it seems to have a lot of great security features and features from Solaris that enjoy (you may have read of my love for the ZFS filesystem which is native to SmartOS). Joyent has recently open-sourced their SmartDataCenter “SDC” or they are now calling it Triton Enterprise.

What I like about it other than the fact it uses native Solaris and it uses the ZFS filesystem for storage is the fact that it is a hybrid hypervisor. It can host containers and VMs (using technology similar to virtualbox since virtualbox is also from solaris).

The downside of this platform seems to be the complexity needed to deploy containers with this tool. You need to have a “head node” to be the brains of the platform, the “head node” does a lot of critical things. It monitors the network, the other compute nodes (where you host your vms/containers), it also hosts the database for all the nodes. In dev mode you can force the head node to also be able to host VMs but this is not recommended or good practice.

The web interface (SmartDataCenter) to manage your containers and VMs is also very rudementary, there is no built-in console to your guests. You need to run a lot of commands in the head node’s shell to make JSON queries to grab the data you want like the VNC server and port address for your guests.

Honestly I have not dug much deeper into SmartOS but I probably should, it looks like an awesome project. I am sure for people that want to use their platform for scalable container/hypervisor deployments it makes sense, but to replace my single server at home doing virtualization it does not look very likely this may be a good choice given the complexity.

Proxmox is another platform I am looking at, you may recall that 7 years ago I discovered proxmox virtual environment and started using it on my lab. That was Proxmox VE 1.5 I think and I recently discovered they have made a lot of strides in the right direction.

Just a few weeks ago they released their latest PVE 4.4 and they are now supporting ZFS data pools (via FUSE/zfsonlinux), not to mention that they have replaced OpenVZ with LXC (linux containers). It may be worth it for me to download their latest release and check out their platform again.

Other than Proxmox or SmartOS, I have not come across any other ‘hybrid’ hypervisors. Please share in the comments if there is something else I should check out.

route add -net 10.5.0.0 netmask 255.255.255.0 dev vmbr0

if it works, add the following to your /etc/network/interfaces file

iface vmbr0 inet static
…
bridge_fd 0
up route add -net 10.5.0.0 netmask 255.255.255.0 dev vmbr0
down route del -net 10.5.0.0 netmask 255.255.255.0 dev vmbr0
…

did not work? Remove route with:

route del -net 10.5.0.0 netmask 255.255.255.0 dev vmbr0