Support for bridge-based veth networking

2018-03-06 13:52:07 -05:00 · 2018-03-06 13:52:07 -05:00 · 3baad3bd05
commit 3baad3bd05
parent 2488cb356f
9 changed files with 110 additions and 1 deletions
--- a/meta-citadel/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-citadel/recipes-core/base-files/base-files_%.bbappend
@ -6,6 +6,9 @@ SRC_URI += "\
    file://environment.sh \
    file://fstab \
    file://99-grsec-debootstrap.conf \
+    file://90-citadel-sysctl.conf \
+    file://citadel-network.rules \
+    file://citadel-ifconfig.sh \
    file://00-storage-tmpfiles.conf \
    file://NetworkManager.conf \
    file://zram-swap.service \
@ -19,11 +22,16 @@ volatiles = ""
 inherit systemd
 SYSTEMD_SERVICE_${PN} = "zram-swap.service"

+# for citadel-ifconfig.sh
+RDEPENDS_${PN} = "bash"
+
 do_install_append () {
    install -m 0755 -d ${D}/storage
    install -d ${D}${libdir}/sysctl.d
+    install -m 0755 -d ${D}${libexecdir}
    install -m 0755 -d ${D}${sysconfdir}/profile.d
    install -m 0755 -d ${D}${sysconfdir}/tmpfiles.d
+    install -m 0755 -d ${D}${sysconfdir}/udev/rules.d
    install -m 0755 -d ${D}${sysconfdir}/NetworkManager
    install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
    install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
@ -41,6 +49,11 @@ do_install_append () {
    # this should be removed later
    install -m 0644 ${WORKDIR}/99-grsec-debootstrap.conf ${D}${libdir}/sysctl.d/

+    install -m 0644 ${WORKDIR}/90-citadel-sysctl.conf ${D}${libdir}/sysctl.d/
+
+    install -m 0644 ${WORKDIR}/citadel-network.rules ${D}${sysconfdir}/udev/rules.d/
+    install -m 0755 ${WORKDIR}/citadel-ifconfig.sh ${D}${libexecdir}
+
    ln -s /storage/citadel-state/resolv.conf ${D}${sysconfdir}/resolv.conf
    ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/etc.conf
    ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/home.conf
--- a/meta-citadel/recipes-core/base-files/files/90-citadel-sysctl.conf
+++ b/meta-citadel/recipes-core/base-files/files/90-citadel-sysctl.conf
@ -0,0 +1 @@
+net.ipv4.ip_forward = 1
--- a/meta-citadel/recipes-core/base-files/files/citadel-ifconfig.sh
+++ b/meta-citadel/recipes-core/base-files/files/citadel-ifconfig.sh
@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Called from /etc/udev/rules.d/citadel-network.rules to configure
+# external network interfaces and the vz-clear bridge which is created
+# automatically by systemd-nspawn when --network-zone=clear (or Zone=clear)
+# option is used to launch a container.
+# 
+# Both the bridge device and external interfaces are masqueraded so that
+# container veth instances added to the bridge will work.
+#
+# TODO: External interfaces need to have a set of filering rules applied.  
+# The filtering rules should go in a separate script file in a more visible
+# location such as /usr/share/citadel/citadel-firewall.sh
+#
+
+VZ_CLEAR_ADDRESS="172.17.0.1/24"
+
+# add NAT rule for external interfaces and also for vz-clear bridge
+
+iptables -t nat -A POSTROUTING -o ${1} -j MASQUERADE
+
+if [[ ${1} == "vz-clear" ]]; then
+    ip addr add ${VZ_CLEAR_ADDRESS} dev vz-clear
+    ip link set vz-clear up
+    exit 0
+fi
+
--- a/meta-citadel/recipes-core/base-files/files/citadel-network.rules
+++ b/meta-citadel/recipes-core/base-files/files/citadel-network.rules
@ -0,0 +1,11 @@
+#
+# udev rule which matches all network interfaces except loopback and veth host devices created by systemd-nspawn.
+# nspawn always names these interfaces with the prefix 'vb-' when they are created for a bridge-mode option. 
+#
+# The citadel-ifconfig.sh script:
+#
+#  1) configures vz-clear bridge with a fixed IP address 
+#  2) enables ip masquerading on every interface
+#  3) applies iptables filter rules on each external interface
+#
+ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo|vb-*", RUN+="/usr/libexec/citadel-ifconfig.sh $name"
--- a/meta-citadel/recipes-core/primary-user-appimg/files/primary.nspawn
+++ b/meta-citadel/recipes-core/primary-user-appimg/files/primary.nspawn
@ -1,5 +1,7 @@
 [Exec]
 Boot=true
+Environment=IFCONFIG_IP=172.17.0.2/24
+Environment=IFCONFIG_GW=172.17.0.1

 [Files]
 BindReadOnly=/usr/share/themes/Adapta
@ -16,7 +18,10 @@ BindReadOnly=/storage/citadel-state/resolv.conf:/etc/resolv.conf
 #
 Bind=/dev/snd
 Bind=/dev/shm
-Bind=/run/user/1000/pulse:/run/user/host/pulse
+BindReadOnly=/run/user/1000/pulse:/run/user/host/pulse
+
+BindReadOnly=/tmp/.X11-unix
+BindReadOnly=/run/user/1000/wayland-0:/run/user/host/wayland-0

 #
 # Uncomment to enable kvm access in container
@ -28,3 +33,5 @@ Bind=/run/user/1000/pulse:/run/user/host/pulse
 #
 #Bind=/dev/dri/renderD128

+[Network]
+Zone=clear
--- a/scripts/appimg-files/configure-host0.service
+++ b/scripts/appimg-files/configure-host0.service
@ -0,0 +1,11 @@
+[Unit]
+Description=Run script to configure host0 interface
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/configure-host0.sh
+
+[Install]
+WantedBy=sysinit.target
--- a/scripts/appimg-files/configure-host0.sh
+++ b/scripts/appimg-files/configure-host0.sh
@ -0,0 +1,28 @@
+#!/bin/bash
+
+# inspired by last section of
+# 
+#     https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
+#
+SYSTEMD_ENV=$(xargs -a /proc/1/environ --null echo)
+
+process_var() {
+    case ${1} in
+        "IFCONFIG_IP")
+            echo "IP: ${2}"
+            ip addr add ${2} dev host0
+            ip link set host0 up
+            ;;
+        "IFCONFIG_GW")
+            echo "GW: ${2}"
+            ip route add default via ${2}
+            ;;
+    esac
+}
+
+for var in ${SYSTEMD_ENV}; do
+    IFS="=" read -a PAIR <<< ${var}
+    if [[ ${#PAIR[@]} -eq 2 ]]; then
+        process_var ${PAIR[0]} ${PAIR[1]}
+    fi
+done
--- a/scripts/build-user-rootfs-stage-one
+++ b/scripts/build-user-rootfs-stage-one
@ -26,6 +26,9 @@ run_chroot_stage() {
    mount chproc ${DBS_ROOT}/proc -t proc
    mount chsys ${DBS_ROOT}/sys -t sysfs

+    mkdir -p ${CACHE_DIR}/appimg-files
+    cp ${SCRIPT_DIR}/appimg-files/* ${CACHE_DIR}/appimg-files/
+
    cp --preserve=mode ${SCRIPT_DIR}/build-user-rootfs-stage-two ${DBS_ROOT}/root/install.sh

    DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true LC_ALL=C LANGUAGE=C LANG=C chroot ${DBS_ROOT} /root/install.sh ${DEBIAN_RELEASE} ${DEBIAN_MIRROR}
--- a/scripts/build-user-rootfs-stage-two
+++ b/scripts/build-user-rootfs-stage-two
@ -3,6 +3,9 @@

 PACKAGES="man manpages vim less xz-utils sudo tmux dbus libpam-systemd vifm openssh-client gnome-terminal packagekit-gtk3-module libcanberra-gtk3-module libpulse0 firefox fonts-roboto-hinted nautilus eog evince unzip"

+# appimg-files are stored here because we're already bind mounting the parent directory
+APPIMG_FILES="/var/cache/apt/archives/appimg-files"
+
 setup_locale() {
    echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
    locale-gen
@ -67,6 +70,10 @@ post_install_packages() {
    # see 'enable-linger' in loginctl(1)
    mkdir /var/lib/systemd/linger
    touch /var/lib/systemd/linger/user
+
+    install -m 0755 ${APPIMG_FILES}/configure-host0.sh /usr/libexec
+    install -m 0644 ${APPIMG_FILES}/configure-host0.service /usr/lib/systemd/system
+    systemctl enable configure-host0.service
 }

 set -u
@ -81,3 +88,4 @@ write_launch_script
 setup_etc
 create_user
 install_packages
+post_install_packages