Updated docs for Ubuntu Eoan support; improved distro compatiblity text.

Author: ctalledo

README.md

@@ -3,8 +3,9 @@
 ## Contents
 
 -   [Introduction](#introduction)
+-   [Support](#support)
 -   [Download](#download)
--   [Supported Linux Distros](#supported-linux-distros)
+-   [Supported Distros](#supported-distros)
 -   [Host Requirements](#host-requirements)
 -   [Installation](#installation)
 -   [Usage](#usage)
@@ -15,7 +16,6 @@
     -   [Security and Isolation](#security-and-isolation)
 -   [Documentation](#documentation)
 -   [Integration with Container Managers](#integration-with-container-managers)
--   [Production Readiness](#production-readiness)
 -   [Troubleshooting](#troubleshooting)
 -   [Issues](#issues)
 -   [Roadmap](#roadmap)
@@ -58,47 +58,21 @@ The latest release of Sysbox is [here](https://github.com/nestybox/sysbox-extern
 
 Installation instructions are below.
 
-## Supported Linux Distros
+## Supported Distros
 
-Sysbox relies on functionality that is only present in very recent
-Ubuntu kernels:
+Sysbox relies on functionality that is currently only present in
+Ubuntu.
 
--   Ubuntu 19.04 "Disco" (kernel >= 5.0.0-21.22)
--   Ubuntu 18.04 "Bionic" (with 5.0+ kernel upgrade)
-
-If you need to upgrade your kernel in order to match requirements
-stated above, see [here](docs/troubleshoot.md#upgrading-the-ubuntu-kernel)
-for suggestions on how to do this.
-
-Alternatively it's possible to use Sysbox with slightly older Ubuntu
-kernels, but doing so requires using system containers in [Docker userns-remap isolation mode](docs/usage.md#system-container-isolation-modes).
-In this case you can run Sysbox on the following distros (without
-needing to upgrade the kernel):
-
--   Ubuntu 19.04 "Disco"
--   Ubuntu 18.10 "Cosmic"
--   Ubuntu 18.04 "Bionic"
+See the [distro compatibility doc](docs/distro-compat.md) for
+information on what versions of Ubuntu kernels are supported.
 
 We plan to add support for more distros in the future.
 
-Here is a summary of the distro requirements:
-
-| System Container Isolation Mode  | Required Distro & Kernel            |
-| ---------------------------------| ----------------------------------- |
-| Exclusive userns-remap (default) | Ubuntu 19.04 Disco (>= 5.0.0-21.22) |
-|                                  | Ubuntu 18.04 Bionic (5.0+ kernel)   |
-| Docker userns-remap              | Ubuntu 19.04 Disco                  |
-|                                  | Ubuntu 18.10 Cosmic                 |
-|                                  | Ubuntu 18.04 Bionic                 |
-
-See [here](docs/usage.md#system-container-isolation-modes) for info on
-Sysbox isolation modes and how to configure them.
-
 ## Host Requirements
 
 The Linux host on which Sysbox runs must meet the following requirements:
 
-1) It must have one of the Linux distros listed in the prior section.
+1) It must have one of the supported Linux distros.
 
 2) Systemd must be the system's process-manager (the default in the supported distros).
 
@@ -158,13 +132,19 @@ $ docker run --runtime=sysbox-runc --rm -it --hostname my_cont debian:latest
 root@my_cont:/#
 ```
 
-If you omit the `--runtime` option, Docker will use its default `runc`
-runtime to launch regular application containers (rather than system
-containers).
+If you see an error such as:
 
-It's perfectly fine to run system containers launched with Docker +
-Sysbox along side regular Docker application containers; they won't
-conflict.
+    docker: Error response from daemon: OCI runtime create failed: container requires user-ID shifting but error was found: shiftfs module is not loaded in the kernel. Update your kernel to include shiftfs module or enable Docker with userns-remap. Refer to the Sysbox troubleshooting guide for more info: unknown
+
+it means that your kernel version is a bit older than needed by Sysbox.
+Refer to the [distro compatibility doc](docs/distro-compat.md) for
+more info on how to overcome this problem.
+
+Note that if you omit the `--runtime` option, Docker will use its
+default `runc` runtime to launch regular application containers
+(rather than system containers). It's perfectly fine to run system
+containers launched with Docker + Sysbox alongside regular Docker
+application containers; they won't conflict.
 
 The [Sysbox Quickstart Guide](docs/quickstart.md) and the [Nestybox Blog Site](https://blog.nestybox.com) have
 more usage examples.
@@ -260,6 +240,10 @@ system containers.
     -   Provides many examples for using system containers. New users
         should start here.
 
+-   [Sysbox Distro Compatilibity Doc](docs/distro-compat.md)
+
+    -   Distro compatibility requirements.
+
 -   [Sysbox User's Guide](docs/usage.md)
 
     -   Provides more detail information on Sysbox features.
@@ -396,5 +380,4 @@ Your trust in us is very much appreciated.
 
 \-- _The Nestybox Team_
 
-
 [slack]: https://join.slack.com/t/nestybox-support/shared_invite/enQtOTA0NDQwMTkzMjg2LTAxNGJjYTU2ZmJkYTZjNDMwNmM4Y2YxNzZiZGJlZDM4OTc1NGUzZDFiNTM4NzM1ZTA2NDE3NzQ1ODg1YzhmNDQ

docs/design.md

@@ -183,7 +183,7 @@ kernel is required.
 When Sysbox is configured in exclusive userns-remap mode (it's
 default isolation mode), it makes use of the Ubuntu shiftfs module,
 which is included in recent Ubuntu kernels (see the list of
-[supported Linux distros](../README.md#supported-linux-distros) for more info on this).
+[supported Linux distros](distro-compat.md) for more info on this).
 
 The purpose of this module is to perform filesystem user-ID and
 group-ID "shifting" between the a container's Linux user namespace and
@@ -339,18 +339,6 @@ The main goals for this are:
 
 2) Increase isolation between the container and the host.
 
-Currently, Sysbox does virtualization of the following procfs resources:
-
--   `/proc/uptime`
-
-    -   Shows the uptime of the system container, not the host.
-
--   `/proc/sys/net/netfilter/nf_conntrack_max`
-
-    -   Sysbox emulates this resource independently per system
-        container, and sets appropriate values in the host kernel's
-        `nf_conntrack_max`.
-
 Note also that by virtue of enabling the Linux user namespace in all
 system containers, kernel resources under `/proc/sys` that are not
 namespaced by Linux (e.g., `/proc/sys/kernel/*`) can't be changed from

docs/distro-compat.md

@@ -0,0 +1,141 @@
+# Sysbox Distro Compatibility
+
+## Contents
+
+-   [Supported Linux Distros](#supported-linux-distros)
+-   [Ubuntu Support](#ubuntu-support)
+    -   [Sysbox on Older Ubuntu Kernels](#sysbox-on-older-ubuntu-kernels)
+    -   [Distro Compatibility Summary](#distro-compatibility-summary)
+    -   [Upgrading the Ubuntu Kernel](#upgrading-the-ubuntu-kernel)
+        -   [Bionic Beaver](#bionic-beaver)
+        -   [Disco Dingo](#disco-dingo)
+
+## Supported Linux Distros
+
+Sysbox relies on functionality that is currently only present in
+Ubuntu kernels. Thus, Ubuntu is the only distro supported at this
+time.
+
+## Ubuntu Support
+
+Sysbox requires very recent Ubuntu kernels:
+
+-   Ubuntu 19.10 "Eoan"
+-   Ubuntu 19.04 "Disco" (kernel upgrade >= 5.0.0-21.22)
+-   Ubuntu 18.04 "Bionic" (kernel upgrade >= 5.0)
+
+If your kernel is not one of these, you can still use Sysbox
+using the alternative approach described in the next section.
+
+**NOTES:**
+
+1) Canonical generates flavors of these kernels for desktop, server,
+and cloud. The [cloud images](https://cloud-images.ubuntu.com/) do
+not yet include the kernel functionality required by Sysbox
+(unfortunately). Thus, if you want to use Sysbox on a cloud VM, you
+must install the Ubuntu desktop or server flavors on the VM, or use
+the alternative approach described in the next section.
+
+2) If you have a Ubuntu desktop or server image but need to upgrade
+the kernel in order to meet the requirements listed above, see
+[here](#upgrading-the-ubuntu-kernel) for suggestions on how to do this.
+
+3) If you launch a system container with Docker + Sysbox, and you get
+an error such as
+
+```console
+# docker run --runtime=sysbox-runc -it debian:latest
+docker: Error response from daemon: OCI runtime create failed: container requires user-ID shifting but error was found: shiftfs module is not loaded in the kernel. Update your kernel to include shiftfs module or enable Docker with userns-remap. Refer to the Sysbox troubleshooting guide for more info: unknown
+```
+
+it means that your kernel does not meet the requirements listed above
+(specifically your distro does not have the `shiftfs` module that is
+present in recent Ubuntu desktop and server kernels). In this case you
+must either upgrade your kernel or use the alternative approach
+described in the next section.
+
+### Sysbox on Older Ubuntu Kernels
+
+If your distro is Ubuntu but the kernel version is not as recent as
+those listed in the prior section, it's still possible to use
+Sysbox. However, doing so requires two things:
+
+1) You must have Ubuntu Bionic or later (e.g., Ubuntu Bionic, Disco,
+   Cosmic, or Eoan). Any kernel version of these releases will do.
+
+2) You must change the configuration of the Docker daemon:
+
+-   After installing Sysbox, add the `userns-remap` line to the
+    `/etc/docker/daemon.json` file as shown below:
+
+    ```console
+    # cat /etc/docker/daemon.json
+    {
+      "userns-remap": "sysbox",
+      "runtimes": {
+        "sysbox-runc": {
+          "path": "/usr/local/sbin/sysbox-runc"
+        }
+      }
+    }
+    ```
+
+    This tells Docker to enable the user namespace in all containers
+    and map the root user in the container to the subid range of
+    user `sysbox`, as defined in the `/etc/subuid` and `/etc/subgid` files.
+
+-   Restart the Docker daemon:
+
+    ```console
+    # sudo systemctl restart docker.service
+    ```
+
+-   Note that both of the actions above require `root` privileges on
+    the host.
+
+When Docker is configured this way, Sysbox works in what we call
+"Docker userns-remap mode". It's a mode that offers strong container
+isolation, but not as strong as when using the latest Ubuntu kernels
+with the shiftfs module as described in the prior section (where
+Sysbox works in "Exclusive userns-remap mode". See
+[here](usage.md#system-container-isolation-modes) for more info on
+Sysbox isolation modes.
+
+### Distro Compatibility Summary
+
+Here is a summary of the distro requirements:
+
+| Distro Name         | Kernel           | Requires Docker in Userns-Remap Mode |
+| ------------------- | ---------------- | ------------------------------------ |
+| Ubuntu 19.10 Eoan   | Any              | No                                   |
+| Ubuntu 19.04 Disco  | >= 5.0.0-21.22   | No                                   |
+|                     | < 5.0.0-21.22 | Yes                                  |
+| Ubuntu 18.10 Cosmic | Any              | Yes                                  |
+| Ubuntu 18.04 Bionic | >= 5.0           | No                                   |
+|                     | < 5.0         | Yes                                  |
+
+### Upgrading the Ubuntu Kernel
+
+In case you need to upgrade your machine's Linux kernel to meet Sysbox
+kernel version requirements, here are some suggestions. Refer to the
+Ubuntu documentation online for further info.
+
+#### Bionic Beaver
+
+For Bionic Beaver, we recommend using Ubuntu's [LTS-enablement](https://wiki.ubuntu.com/Kernel/LTSEnablementStack)
+package:
+
+```console
+$ sudo apt-get update && sudo apt install --install-recommends linux-generic-hwe-18.04 -y
+```
+
+#### Disco Dingo
+
+For Disco Dingo, we recommend simply upgrading the distro:
+
+```console
+$ sudo apt-get update
+$ sudo apt-get upgrade
+$ sudo apt-get dist-upgrade
+$ reboot
+```

docs/troubleshoot.md

@@ -2,9 +2,6 @@
 
 ## Contents
 
--   [Upgrading the Ubuntu Kernel](#upgrading-the-ubuntu-kernel)
-    -   [Bionic Beaver](#bionic-beaver)
-    -   [Disco Dingo](#disco-dingo)
 -   [Sysbox Installation Problems](#sysbox-installation-problems)
 -   [Ubuntu Shiftfs Module Not Present](#ubuntu-shiftfs-module-not-present)
 -   [Unprivileged User Namespace Creation Error](#unprivileged-user-namespace-creation-error)
@@ -17,31 +14,6 @@
     -   [sysbox-mgr and sysbox-fs](#sysbox-mgr-and-sysbox-fs)
     -   [sysbox-runc](#sysbox-runc)
 
-## Upgrading the Ubuntu Kernel
-
-In case you need to upgrade your machine's Linux kernel to meet Sysbox [distro requirements](../README.md#supported-linux-distros),
-here are some suggestions. Refer to the Ubuntu documentation online for further info.
-
-### Bionic Beaver
-
-For Bionic Beaver, we recommend using Ubuntu's [LTS-enablement](https://wiki.ubuntu.com/Kernel/LTSEnablementStack)
-package:
-
-```console
-$ sudo apt-get update && sudo apt install --install-recommends linux-generic-hwe-18.04 -y
-```
-
-### Disco Dingo
-
-For Disco Dingo, we recommend simply upgrading the distro:
-
-```console
-$ sudo apt-get update
-$ sudo apt-get upgrade
-$ sudo apt-get dist-upgrade
-$ reboot
-```
-
 ## Sysbox Installation Problems
 
 When installing the Sysbox package with the `dpkg` command
@@ -120,23 +92,20 @@ docker: Error response from daemon: OCI runtime create failed: container require
 ```
 
 The error likely means you are running Sysbox on an older Ubuntu
-kernel, as newer Ubuntu kernels come with shiftfs.
-
-The Ubuntu shiftfs module is required when Sysbox is configured in
-[exclusive userns-remap mode](usage.md#exclusive-userns-remap-mode)
-(it's default operating mode).
+kernel, as newer Ubuntu kernels come with shiftfs. Or maybe you
+are using a Ubuntu image meant for cloud VM instances, rather
+than Ubuntu Desktop or Server.
 
 You can work-around this error by either:
 
--   Updating your Linux distro. See [here](../README.md#supported-linux-distros)
-    for the list of Linux distros supported by Sysbox, and
-    [here](#upgrading-the-ubuntu-kernel) for recommendations on how to
-    update the distro.
+-   Updating your Linux distro. See the [distro compatibility](distro-compat.md)
+    document for the list of Linux distros supported by Sysbox, and
+    recommendations on how to update the distro.
 
 or
 
--   Configuring Sysbox in docker userns-remap mode, as described
-    [here](usage.md#system-container-isolation-modes). This
+-   Configuring Docker in userns-remap mode, as described
+    [here](distro-compat.md#sysbox-on-older-ubuntu-kernels). This
     mode does not require use of shiftfs.
 
 ## Unprivileged User Namespace Creation Error