Dimitri and Erik have been talking about Photon and the integration into vRealize Automation, but how do you go about creating a container host with Photon OS, for example for OTNSX?

Deploying Photon OS

For deployment of Photon OS you basically have two options:

  • download a pre-build Photon OS virtual machine for your hypervisor.
  • Install Photon from the ISO image.

If you download a pre-built virtual machine with Photon OS, you get the minimal installation. That means that the virtual machine is easy to download and deploy, light on resources, but it might not behave as you would expect. For example, the ‘ping’ command is missing from the virtual machine. That’s no problem though since you can install those things quite easily with tdnf install <package>.

If you install from the ISO, you have the choice to install the minimal or the full version. Full means that everything is installed. Well, everything is a lot, but at least most things you would need are installed. And even then you are free to install additional packages with tdnf.

Creating a user for remote access

Photon OS is installed with only one account: root. If you want to log on remotely with SSH on this machine you could force SSH to accept root access, but I don’t think that’s a good idea, not only for logging/accountability but also from an access perspective. You don’t want to give out the root passwords for systems, right?

In my opinion, it is better to create a separate account that has the option to execute commands as a superuser:

useradd -m -G sudo testuser

-m creates the home directory, while -G adds the user to the sudo group.

The last step is to edit the sudoers file with visudo. Search for %sudo and remove the ‘#’ from that line. After that, you can log in with that account and run commands like a boss with ’sudo <command>’.

Enabling ping

If you want to check your machine if it is up-and-running, it is useful to do a ping. Unfortunately, ping doesn’t work out of the box. Response to ICMP echo (ping) is by default disabled. I know, if it isn’t visible, it might be harder to hack. But then again, the troubleshooting is also harder.

If you want your host to respond to ICMP, you have to set up a couple of firewall rules:

iptables -A INPUT -p ICMP -j ACCEPT
iptables -A OUTPUT -p ICMP -j ACCEPT

I’m not sure about the last one though, it seemed to work with only the first one. Various guides on internet gave both. One might conclude that you need to define the output as well as the input, but since it is a session I don’t think it is necessary.

If you want that the rules survive a reboot you can save the lines with

iptables-save > /etc/systemd/scripts/ip4save

I don’t have to tell you to create a backup of that file before you start your save action.

I saw that you can also add it to /etc/systemd/scripts/iptables, which is executed at the start of iptables, but since iptables-save is the ’normal’ course of action I would suggest you don’t edit the script, but save it with iptables-save. Just make sure you do this directly after installing, so other processes like Docker containers didn’t create any firewall rules.

There are times that you want to troubleshoot networking connections from within Photon OS itself. Then you need ping. However, if you deployed the minimal version, you have to install it yourself with:

tdnf install iputils

The same goes for troubleshooting DNS from Photon OS:

tdnf bindutils

More information about tdnf you will find on https://github.com/vmware/tdnf/wiki

Setting a static IP address

Photon OS uses the systemd-networkd daemon for configuration, the same method as Arch Linux uses (https://wiki.archlinux.org/index.php/Systemd-networkd).
Files are processed in order. The process ends after the first match. The only file now is 99-dhcp-en.network, which is a ‘chatchall’, so that all interfaces get an DHCP address if no rules match for a specific interface.

To set a static IP address, create a file in /etc/systemd/network. Name it something logical, 10-static-en.network with the following content:

[Match]
Name=eth0

[Network]
DHCP=no
Address=192.168.1.10/24
Gateway=192.168.1.1
Domains=domain.local
DNS=192.168.1.71

Change the permissions of that file, so that is only writable by root and readable by group and other:

chmod 644 10-static-en.network

Of course, change the IP setting to your own.

Adding a second IP address to the interface is straightforward: Only add another Address line:

[Match]
Name=eth0

[Network]
DHCP=no
Address=192.168.1.10/24
Address=192.168.1.11/24

Gateway=192.168.1.1
Domains=domain.local
DNS=192.168.1.71

The same goes for IPv6 addresses, you can add them with an Address line. If you added another interface to the virtual machine, you can create another file, for example, 20-static-en.network with the relevant information for that interface.

[Match]
Name=eth1

[Network]
Address=192.168.2.10/24
Gateway=192.168.2.1
Domains=domain.local

Update
The last step is to update your virtual machine with tdnf update

Conclusion
Now you are able to configure your Photon OS virtual machine, give it a static IP address and connect to it with a non-root account via SSH. Now you can start using it as a container host, but that is something for another post.