README.md: 22 additions & 3 deletions
@@ -218,12 +218,30 @@ For a deep dive into RunCVM's internals, see the section on [Developing RunCVM](
218
218
219
219
RunCVM should run on any amd64 (x86_64) hardware (or VM) running Linux Kernel >= 5.10, and that supports [KVM](https://www.linux-kvm.org/page/Main_Page) and [Docker](https://docker.com). So if your host can already run [KVM](https://www.linux-kvm.org/page/Main_Page) VMs and [Docker](https://docker.com) then it should run RunCVM.
220
220
221
-
RunCVM has no other host dependencies, apart from Docker (or experimentally, Podman) and the `kvm` and `tun` kernel modules.
222
-
223
-
Apart from the above, RunCVM comes packaged with all binaries and libraries it needs to run (including its own QEMU binary).
221
+
RunCVM has no other host dependencies, apart from Docker (or experimentally, Podman) and the `kvm` and `tun` kernel modules. RunCVM comes packaged with all binaries and libraries it needs to run (including its own QEMU binary).
224
222
225
223
RunCVM is tested on Debian Bullseye and [GitHub Codespaces](https://github.com/codespaces/new?hide_repo_select=true&ref=main&repo=514606231).
226
224
225
+
### rp_filter sysctl settings
226
+
227
+
For RunCVM to support Docker DNS within Container/VMs, the following condition on `/proc/sys/net/ipv4/conf/` must be met:
228
+
- the max of `all/rp_filter` and `<bridge>/rp_filter` should be 0 ('No Source Validation') or 2 (Loose mode as defined in RFC3704 Loose Reverse Path)
229
+
(where `<bridge>` is any bridge underpinning a Docker network to which RunCVM Container/VMs will be attached)
230
+
231
+
This means that:
232
+
- if `all/rp_filter` will be set to 0, then `<bridge>/rp_filter` must be set to 0 or 2
233
+
(or, if `<bridge>` is not yet or might not yet have been created, then `default/rp_filter` must be set to 0 or 2)
234
+
- if `all/rp_filter` will be set to 1, then `<bridge>/rp_filter` must be set to 2
235
+
(or, if `<bridge>` is not yet or might not yet have been created, then `default/rp_filter` must be set to 2)
236
+
- if `all/rp_filter` will be set to 2, then no further action is needed
237
+
238
+
At time of writing:
239
+
- the Debian default is `0`;
240
+
- the Ubuntu default is `2`;
241
+
- the Google Cloud Debian image has default `1` and `rp_filter` settings in `/etc/sysctl.d/60-gce-network-security.conf` must be modified or overridden to support RunCVM.
242
+
243
+
We recommend `all/rp_filter` be set to 2, as this is the simplest change and provides a good balance of security.
244
+
227
245
## Installation
228
246
229
247
Run:
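Review bot: the closing recommendation ("provides a good balance of security") should spell out the trade-off, because the effective value is the max of `all/rp_filter` and `<iface>/rp_filter` (as the section itself states): setting `all/rp_filter` to 2 moves every interface on the host, including uplinks that are currently in strict mode (1), to loose reverse-path filtering, not only the Docker bridges. The section already implies a tighter option (keep `all/rp_filter` at 1 and set `default/rp_filter` to 2 so that bridges created afterwards become loose while existing strict interfaces stay strict); suggest documenting it as the alternative for hosts that want to keep strict filtering on external interfaces, and naming the Ubuntu default of 2 as the reason the simpler host-wide change is acceptable. Also missing are the concrete commands, e.g. `sysctl -w net.ipv4.conf.all.rp_filter=2` for the running system, a drop-in under `/etc/sysctl.d/` that sorts after `60-gce-network-security.conf` so it wins on GCE images, and `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter` to verify.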
@@ -240,6 +258,7 @@ This will:
240
258
- Verify that RunCVM is recognised via `docker info`
241
259
- For Podman support (experimental)
242
260
- Display instructions on patching `/etc/containers/containers.conf`
261
+
- Check your system and default network device `rp_filter` settings
243
262
244
263
Following installation, launch a basic test RunCVM container/VM:
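Review bot: the new bullet "Check your system and default network device `rp_filter` settings" leaves the installer's behaviour ambiguous in two ways that matter for a host-level change. First, say what happens when the check fails: does the installer abort, print the instructions from the rp_filter section, or modify `/etc/sysctl.d/` itself? Changing host sysctls silently would be unexpected, so the README should state it. Second, "system" and "default network device" presumably mean `all/rp_filter` and `default/rp_filter`; naming the keys directly, and noting that already-existing bridges (`<bridge>/rp_filter`, which the rp_filter section says also count) are or are not inspected, would make the bullet match the earlier section. Suggest something like "Check `all/rp_filter` and `default/rp_filter` and warn if they do not meet the conditions above (no settings are changed)".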