diff --git a/admin/workspace-management/cvms/management.md b/admin/workspace-management/cvms/management.md index 2d87de265..5aab64d23 100644 --- a/admin/workspace-management/cvms/management.md +++ b/admin/workspace-management/cvms/management.md @@ -9,7 +9,14 @@ a site manager must enable CVMs. To do so: 1. Go to **Manage > Admin > Infrastructure**. 1. Toggle the **Enable Container-Based Virtual Machines** option to **Enable**. -## Cached CVMs +This section also describes the customization features that Coder offers for +CVMs: + +![CVM Settings](../../../assets/admin/cvm-settings.png) + +These settings will apply to workspaces **after** they have been rebuilt. + +## Caching > Cached CVMs are currently an **alpha** feature. @@ -18,7 +25,7 @@ To improve the startup time for CVM-based workspaces, you can enable caching. Cached CVMs require the `shiftfs` kernel to be present on the node. Some distributions (such as Ubuntu) include `shiftfs`. If you're unsure if `shiftfs` is present on your nodes, you can check by running `modinfo shiftfs`. If no -output is returned, then you do not have `shiftfs` installed. +output is returned, you do not have `shiftfs` installed. If you don't want to install `shiftfs` yourself, you can have Coder install the module automatically for you. **It is important that you do not have secure boot 
@@ -27,4 +34,78 @@ install `shiftfs` on your behalf.** > GPUs are not supported with cached CVMs at this time. -![Cached CVMs](../../../assets/admin/cached-cvms.png) +## Self-contained workspace builds + +> Self-contained workspace builds are currently an **alpha** feature. + +By default, Coder initializes workspaces by running commands inside the +container. Workspaces, however, control the initialization sequence instead when +you enable [self-contained workspace builds]. This enables cluster operations +that restrict command execution inside containers using the Kubernetes API, such +as the `kubectl exec` command. + +[self-contained workspace builds]: ../self-contained-builds.md + +## Workspace process logging + +> Workspace process logging is currently an **alpha** feature. + +[Workspace process logging] enables auditing of commands executed inside the +workspace container. + +[workspace process logging]: ../process-logging.md + +## TUN device + +> TUN devices currently an **alpha** feature. + +Coder allows the creation of custom network interfaces using the Linux TUN +device. When using the **Enable TUN device** setting, Coder workspaces will have +a `/dev/net/tun` device mounted into the workspace at build time. VPN usage +often requires a TUN device. + +Users may need root (or `sudo`) access within their workspace to use the TUN +device and start a VPN client. + +> At this time, Coder does not support TUN devices for non-Kubernetes workspace +> types, such as EC2 or Docker. +> +> If you're working with EC2 workspaces, we recommend enabling privileged mode +> in the workspace provider settings, which will allow users to create their own +> TUN device. + +We've tested this feature using the [Tailscale](https://tailscale.com/) VPN +within Coder. 
Remember that you may have to change your VPN settings to keep any +persistent files (such as configuration/identity) files in your home volume, as +any data outside the home volume is cleared when the workspace is rebuilt. + +## FUSE device + +> FUSE devices are currently an **alpha** feature. + +Coder allows the creation of custom filesystems using the Linux FUSE userspace +filesystem device. By enabling the **Enable FUSE device** setting, Coder +workspaces will have a `/dev/fuse` device mounted into the workspace at build +time. These devices are often used to mount specialized filesystems, such as +Google Cloud Storage buckets, to your workspace. + +Users may need root (or `sudo`) access within their workspace to use the FUSE +device and start a FUSE filesystem. + +> At this time, Coder does not support FUSE devices for non-Kubernetes workspace +> types, such as EC2 or Docker. +> +> If you're working with EC2 workspaces, we recommend enabling privileged mode +> in the workspace provider settings, which will allow users to create their own +> FUSE device. + +For example, you can mount a directory from a remote SSH server using `sshfs`: + +```console +mkdir /tmp/mnt +sshfs user@host:/ /tmp/mnt +``` + +Then, in a second terminal, run `ls /tmp/mnt` to list the files from the remote +host. You should also be able to see a `fuse.sshfs` entry in the output from the +`mount` command. diff --git a/admin/workspace-management/tun-device.md b/admin/workspace-management/tun-device.md deleted file mode 100644 index 72de5d085..000000000 --- a/admin/workspace-management/tun-device.md +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: TUN device enablement -description: Learn how to enable TUN devices for VPN usage within Coder. -state: alpha ---- - -By default, Coder workspaces do not contain a TUN device, making it difficult to -run a VPN. However, Coder offers an admin configuration setting that, when -enabled, automatically creates a TUN device within all Kubernetes [CVM-enabled -workspaces](cvms/index.md). - -> At this time, Coder does not support TUN devices for other workspace types -> (such as EC2 or Docker). -> -> If you're working with EC2 workspaces, we recommend enabling privileged mode -> in the workspace provider settings, which will allow users to create their own -> TUN device. - -## Enable TUN devices in Coder - -To enable TUN devices for Kubernetes [CVM-enabled workspaces](cvms/index.md): - -1. Log into Coder, and go to **Manage** > **Admin**. -1. On the **Infrastructure** page, scroll down to the **Workspace container - runtime** section. -1. Under **Enable TUN device**, click the toggle to switch this feature **On**. -1. Click **Save workspaces**. - -![Enabling TUN devices](../../assets/admin/tun.png) - -The new setting will apply to workspaces **after** you rebuild them. - -Users running workspaces with TUN devices should be able to run VPN clients -within their workspace as long as they have root (or `sudo`) access within their -workspace. - -> We've tested this feature using the [Tailscale](https://tailscale.com/) VPN -> within Coder. diff --git a/assets/admin/cached-cvms.png b/assets/admin/cached-cvms.png deleted file mode 100644 index fd82b2a4c..000000000 Binary files a/assets/admin/cached-cvms.png and /dev/null differ diff --git a/assets/admin/cvm-settings.png b/assets/admin/cvm-settings.png new file mode 100644 index 000000000..f6f7f783b Binary files /dev/null and b/assets/admin/cvm-settings.png differ 
diff --git a/assets/admin/tun.png b/assets/admin/tun.png deleted file mode 100644 index f7440a0cd..000000000 Binary files a/assets/admin/tun.png and /dev/null differ diff --git a/manifest.json b/manifest.json index f7ea007ce..a541ef765 100644 --- a/manifest.json +++ b/manifest.json @@ -312,9 +312,6 @@ { "path": "./admin/workspace-management/ssh-access.md" }, - { - "path": "./admin/workspace-management/tun-device.md" - }, { "path": "./admin/workspace-management/process-logging.md" }
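Review bot: in the first management.md hunk (`@@ -9,7 +9,14`), renaming `## Cached CVMs` to `## Caching` changes the generated anchor from `#cached-cvms` to `#caching`, so any existing cross-reference or bookmark to the old anchor will break; please search the docs for `#cached-cvms` and update those links, or keep the old heading text. The new intro sentence `This section also describes the customization features that Coder offers for CVMs:` sits between the enablement steps and the screenshot, so it reads as if the image is the list of features; moving the screenshot next to the statement `These settings will apply to workspaces **after** they have been rebuilt.` (or dropping the colon) would make the flow clearer.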
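Review bot: in the third management.md hunk (`@@ -27,4 +34,78`), the TUN admonition `> TUN devices currently an **alpha** feature.` is missing the verb and should read `> TUN devices are currently an **alpha** feature.`, and the Tailscale paragraph repeats `files` in `persistent files (such as configuration/identity) files in your home volume`; suggest `keep any persistent files (such as configuration or identity files) in your home volume`. Two further points in the same hunk: the EC2 blockquote, repeated under both TUN and FUSE, recommends enabling privileged mode without noting that a privileged workspace container gets broad access to the host, which admins should be told in one sentence before they flip that switch; and the `sshfs` example mounts the remote root (`user@host:/ /tmp/mnt`), so a narrower path such as the user's home directory would be a better default to illustrate with.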
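Review bot: the tun-device.md deletion hunk (`@@ -1,38 +0,0`) removes the only place that told admins where the toggle lives (`**Manage** > **Admin**`, the **Infrastructure** page, the **Workspace container runtime** section, **Enable TUN device**, then **Save workspaces**), and the replacement TUN section in management.md only names the setting; consider carrying the UI location into the new section, either as the same short numbered list or as one sentence, so readers can still find the toggle. The deleted frontmatter also carried `state: alpha`, which the new section expresses only as a blockquote; confirm that is the intended way to flag alpha features on the combined page.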
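Review bot: in the manifest.json hunk (`@@ -312,9 +312,6`), dropping the `./admin/workspace-management/tun-device.md` entry is consistent with the file deletion, but nothing in this patch updates or redirects links that point at the old page; please check remaining references to `tun-device.md` and add a redirect to `cvms/management.md#tun-device` (or update the links) so the move does not leave dead URLs.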