Skip to content

Latest commit

 

History

History
20 lines (11 loc) · 2.77 KB

deploy-to-unsupported-cloud.md

File metadata and controls

20 lines (11 loc) · 2.77 KB

Unsupported Cloud Providers

Algo officially supports DigitalOcean, Amazon Web Services, Microsoft Azure, and Google Cloud Engine. If you want to deploy Algo on another virtual hosting provider, that provider must support:

  1. the base operating system image that Algo uses (Ubuntu 16.04), and
  2. a minimum of certain kernel modules required for the strongSwan IPsec server.

Please see the Required Kernel Modules documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider.

If you want Algo to officially support your new cloud provider then it must have an Ansible cloud module available. If no module is available for your provider, search Ansible's open issues and pull requests for existing efforts to add it. If none are available, then you may want to develop the module yourself. Reference the Ansible module developer documentation and the API documentation for your hosting provider.

IPsec in userland

Hosting providers that rely on OpenVZ or Docker cannot be used by Algo since they cannot load the required kernel modules or access the required network interfaces. For more information, see the strongSwan documentation on Cloud Platforms.

In order to address this issue, strongSwan has developed the kernel-libipsec plugin which provides an IPsec backend that works entirely in userland. libipsec bundles its own IPsec implementation and uses TUN devices to route packets. For example, libipsec is used by the Android strongSwan app to address Android's lack of a functional IPsec stack.

Use of libipsec is not supported by Algo. It has known performance issues since it buffers each packet in memory. On certain systems with insufficient processor power, such as many cloud hosting providers, using libipsec can lead to an out of memory condition, crash the charon daemon, or lock up the entire host.

Further, libipsec introduces unknown security risks. The code in libipsec has not been scrutinized to the same level as the code in the Linux or FreeBSD kernel that it replaces. This additional code introduces new complexity to the Algo server that we want to avoid at this time. We recommend moving to a hosting provider that does not require libipsec and can load the required kernel modules.