Support for bridge-based veth networking
This commit is contained in:
parent
2488cb356f
commit
be1fcf1df4
@ -6,6 +6,9 @@ SRC_URI += "\
|
|||||||
file://environment.sh \
|
file://environment.sh \
|
||||||
file://fstab \
|
file://fstab \
|
||||||
file://99-grsec-debootstrap.conf \
|
file://99-grsec-debootstrap.conf \
|
||||||
|
file://90-citadel-sysctl.conf \
|
||||||
|
file://citadel-network.rules \
|
||||||
|
file://citadel-ifconfig.sh \
|
||||||
file://00-storage-tmpfiles.conf \
|
file://00-storage-tmpfiles.conf \
|
||||||
file://NetworkManager.conf \
|
file://NetworkManager.conf \
|
||||||
file://zram-swap.service \
|
file://zram-swap.service \
|
||||||
@ -19,11 +22,16 @@ volatiles = ""
|
|||||||
inherit systemd
|
inherit systemd
|
||||||
SYSTEMD_SERVICE_${PN} = "zram-swap.service"
|
SYSTEMD_SERVICE_${PN} = "zram-swap.service"
|
||||||
|
|
||||||
|
# for citadel-ifconfig.sh
|
||||||
|
RDEPENDS_${PN} = "bash"
|
||||||
|
|
||||||
do_install_append () {
|
do_install_append () {
|
||||||
install -m 0755 -d ${D}/storage
|
install -m 0755 -d ${D}/storage
|
||||||
install -d ${D}${libdir}/sysctl.d
|
install -d ${D}${libdir}/sysctl.d
|
||||||
|
install -m 0755 -d ${D}${libexecdir}
|
||||||
install -m 0755 -d ${D}${sysconfdir}/profile.d
|
install -m 0755 -d ${D}${sysconfdir}/profile.d
|
||||||
install -m 0755 -d ${D}${sysconfdir}/tmpfiles.d
|
install -m 0755 -d ${D}${sysconfdir}/tmpfiles.d
|
||||||
|
install -m 0755 -d ${D}${sysconfdir}/udev/rules.d
|
||||||
install -m 0755 -d ${D}${sysconfdir}/NetworkManager
|
install -m 0755 -d ${D}${sysconfdir}/NetworkManager
|
||||||
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
|
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
|
||||||
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
|
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
|
||||||
@ -41,6 +49,11 @@ do_install_append () {
|
|||||||
# this should be removed later
|
# this should be removed later
|
||||||
install -m 0644 ${WORKDIR}/99-grsec-debootstrap.conf ${D}${libdir}/sysctl.d/
|
install -m 0644 ${WORKDIR}/99-grsec-debootstrap.conf ${D}${libdir}/sysctl.d/
|
||||||
|
|
||||||
|
install -m 0644 ${WORKDIR}/90-citadel-sysctl.conf ${D}${libdir}/sysctl.d/
|
||||||
|
|
||||||
|
install -m 0644 ${WORKDIR}/citadel-network.rules ${D}${sysconfdir}/udev/rules.d/
|
||||||
|
install -m 0755 ${WORKDIR}/citadel-ifconfig.sh ${D}${libexecdir}
|
||||||
|
|
||||||
ln -s /storage/citadel-state/resolv.conf ${D}${sysconfdir}/resolv.conf
|
ln -s /storage/citadel-state/resolv.conf ${D}${sysconfdir}/resolv.conf
|
||||||
ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/etc.conf
|
ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/etc.conf
|
||||||
ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/home.conf
|
ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/home.conf
|
||||||
|
@ -0,0 +1,10 @@
|
|||||||
|
|
||||||
|
net.ipv4.ip_forward = 1
|
||||||
|
# disable some pax and grsecurity features so that debootstrap will work
|
||||||
|
# this should be removed later
|
||||||
|
|
||||||
|
kernel.grsecurity.chroot_caps = 0
|
||||||
|
kernel.grsecurity.chroot_deny_chmod = 0
|
||||||
|
kernel.grsecurity.chroot_deny_mknod = 0
|
||||||
|
kernel.grsecurity.chroot_deny_mount = 0
|
||||||
|
kernel.pax.softmode = 1
|
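Review bot: `kernel.pax.softmode = 1` together with the `kernel.grsecurity.chroot_caps`/`chroot_deny_*` lines relax system-wide hardening in a file that, judging by the recipe hunk above, is the new permanent 90-citadel-sysctl.conf, while the recipe keeps installing 99-grsec-debootstrap.conf carrying the same settings and the same "this should be removed later" comment. The only line the bridge/NAT change actually needs here is `net.ipv4.ip_forward = 1`; duplicating the temporary debootstrap relaxations means that removing 99-grsec-debootstrap.conf later will no longer restore the defaults. I would reduce this file to `net.ipv4.ip_forward = 1` and leave the grsec/PaX lines only in the debootstrap-specific file. The file name of this section is not shown on the page and is inferred from the recipe.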
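--- a/meta-citadel/recipes-core/base-files/files/citadel-ifconfig.sh
+++ b/meta-citadel/recipes-core/base-files/files/citadel-ifconfig.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Called from /etc/udev/rules.d/citadel-network.rules to configure
+# external network interfaces and the vz-clear bridge which is created
+# automatically by systemd-nspawn when --network-zone=clear (or Zone=clear)
+# option is used to launch a container.
+#
+# Both the bridge device and external interfaces are masqueraded so that
+# container veth instances added to the bridge will work.
+#
+# TODO: External interfaces need to have a set of filering rules applied.
+# The filtering rules should go in a separate script file in a more visible
+# location such as /usr/share/citadel/citadel-firewall.sh
+#
+
+VZ_CLEAR_ADDRESS="172.17.0.1/24"
+
+# add NAT rule for external interfaces and also for vz-clear bridge
+
+iptables -t nat -A POSTROUTING -o ${1} -j MASQUERADE
+
+if [[ ${1} == "vz-clear" ]]; then
+ip addr add ${VZ_CLEAR_ADDRESS} dev vz-clear
+ip link set vz-clear up
+exit 0
+fi
+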
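Review bot: The `iptables -t nat -A POSTROUTING -o ${1} -j MASQUERADE` line runs on every udev add event for an interface, so a hot-plugged or re-created interface, and the vz-clear bridge each time the zone is brought up, accumulates duplicate MASQUERADE rules; guard it with a check, `iptables -t nat -C POSTROUTING -o "$1" -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE`. The script has no `set -e`, so a failing `ip addr add` is silently ignored, and `$1` is used unquoted throughout. With `net.ipv4.ip_forward = 1` from the sysctl file and masquerading on every external interface, forwarding between the bridge and external interfaces is unrestricted until the filter rules the TODO describes exist; the header comment should say so explicitly so the gap stays visible.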
@ -0,0 +1,11 @@
|
|||||||
|
#
|
||||||
|
# udev rule which matches all network interfaces except loopback and veth host devices created by systemd-nspawn.
|
||||||
|
# nspawn always names these interfaces with the prefix 'vb-' when they are created for a bridge-mode option.
|
||||||
|
#
|
||||||
|
# The citadel-ifconfig.sh script:
|
||||||
|
#
|
||||||
|
# 1) configures vz-clear bridge with a fixed IP address
|
||||||
|
# 2) enables ip masquerading on every interface
|
||||||
|
# 3) applies iptables filter rules on each external interface
|
||||||
|
#
|
||||||
|
ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo|vb-*", RUN+="/usr/libexec/citadel-ifconfig.sh $name"
|
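Review bot: Item 3 of the header comment, `# 3) applies iptables filter rules on each external interface`, does not match citadel-ifconfig.sh as added in this commit, which only masquerades and leaves filtering as a TODO; a reader of the rule would assume external interfaces are filtered. Change it to `# 3) TODO: filter rules for external interfaces are not applied yet (see citadel-ifconfig.sh)` or drop it until the firewall script exists. It is also worth stating in the comment that `KERNEL!="lo|vb-*"` deliberately still matches the vz-clear bridge, since the script depends on being invoked for it.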
@ -1,5 +1,7 @@
|
|||||||
[Exec]
|
[Exec]
|
||||||
Boot=true
|
Boot=true
|
||||||
|
Environment=IFCONFIG_IP=172.17.0.2/24
|
||||||
|
Environment=IFCONFIG_GW=172.17.0.1
|
||||||
|
|
||||||
[Files]
|
[Files]
|
||||||
BindReadOnly=/usr/share/themes/Adapta
|
BindReadOnly=/usr/share/themes/Adapta
|
||||||
@ -16,7 +18,10 @@ BindReadOnly=/storage/citadel-state/resolv.conf:/etc/resolv.conf
|
|||||||
#
|
#
|
||||||
Bind=/dev/snd
|
Bind=/dev/snd
|
||||||
Bind=/dev/shm
|
Bind=/dev/shm
|
||||||
Bind=/run/user/1000/pulse:/run/user/host/pulse
|
BindReadOnly=/run/user/1000/pulse:/run/user/host/pulse
|
||||||
|
|
||||||
|
BindReadOnly=/tmp/.X11-unix
|
||||||
|
BindReadOnly=/run/user/1000/wayland-0:/run/user/host/wayland-0
|
||||||
|
|
||||||
#
|
#
|
||||||
# Uncomment to enable kvm access in container
|
# Uncomment to enable kvm access in container
|
||||||
@ -28,3 +33,5 @@ Bind=/run/user/1000/pulse:/run/user/host/pulse
|
|||||||
#
|
#
|
||||||
#Bind=/dev/dri/renderD128
|
#Bind=/dev/dri/renderD128
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
Zone=clear
|
||||||
|
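Review bot: `BindReadOnly=/tmp/.X11-unix` in the second hunk gives the container a connection to the host X server, and X11 does not isolate clients from one another, so a process in the container that opens that socket has the same access to the display as any host client; the read-only bind protects only the socket inode, not what can be done over the connection. The Wayland socket bound on the next line is the better-isolated path, so I would mark the X11 line as a deliberate trust decision, e.g. `# X11 socket: grants the container full display access (X11 has no client isolation); prefer the Wayland socket below where the app supports it`, or scope it to a nested X server. The file name and header of this section are not shown on the page.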
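--- a/scripts/appimg-files/configure-host0.service
+++ b/scripts/appimg-files/configure-host0.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Run script to configure host0 interface
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/configure-host0.sh
+
+[Install]
+WantedBy=sysinit.target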
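Review bot: The unit runs the host0 configuration unconditionally, so if the same image is ever booted outside nspawn or without a network zone there is no host0 and the oneshot fails during sysinit. Adding `ConditionVirtualization=container` under `[Unit]` lets the unit skip cleanly in that case instead of failing. A one-line comment naming the nspawn `Environment=IFCONFIG_IP`/`IFCONFIG_GW` settings it depends on would also help, since that coupling is only visible in the .nspawn file.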
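--- a/scripts/appimg-files/configure-host0.sh
+++ b/scripts/appimg-files/configure-host0.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# inspired by last section of
+#
+# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
+#
+SYSTEMD_ENV=$(xargs -a /proc/1/environ --null echo)
+
+process_var() {
+case ${1} in
+"IFCONFIG_IP")
+echo "IP: ${2}"
+ip addr add ${2} dev host0
+ip link set host0 up
+;;
+"IFCONFIG_GW")
+echo "GW: ${2}"
+ip route add default via ${2}
+;;
+esac
+}
+
+for var in ${SYSTEMD_ENV}; do
+IFS="=" read -a PAIR <<< ${var}
+if [[ ${#PAIR[@]} -eq 2 ]]; then
+process_var ${PAIR[0]} ${PAIR[1]}
+fi
+done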
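Review bot: `for var in ${SYSTEMD_ENV}` word-splits the environment on whitespace after `xargs ... echo` has joined the NUL-separated entries, so any PID 1 variable whose value contains a space breaks the parsing, and `IFS="=" read -a PAIR` with the `-eq 2` check silently drops every variable whose value contains `=`. The script also has no `set -e`, so a failing `ip addr add` or `ip route add` still leaves the oneshot reporting success, and `${2}` reaches `ip` unquoted. Reading /proc/1/environ NUL-delimited and matching on the whole `NAME=value` string avoids the re-splitting entirely; the rewrite below replaces process_var and the for loop.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: header comments …

# Read PID 1's environment NUL-delimited; stripping only the leading
# "NAME=" keeps values that contain '=' or whitespace intact.
while IFS= read -r -d '' var; do
  case "$var" in
    IFCONFIG_IP=*)
      addr="${var#IFCONFIG_IP=}"
      echo "IP: ${addr}"
      ip addr add "$addr" dev host0
      ip link set host0 up
      ;;
    IFCONFIG_GW=*)
      gw="${var#IFCONFIG_GW=}"
      echo "GW: ${gw}"
      ip route add default via "$gw"
      ;;
  esac
done < /proc/1/environ
```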
@ -26,6 +26,9 @@ run_chroot_stage() {
|
|||||||
mount chproc ${DBS_ROOT}/proc -t proc
|
mount chproc ${DBS_ROOT}/proc -t proc
|
||||||
mount chsys ${DBS_ROOT}/sys -t sysfs
|
mount chsys ${DBS_ROOT}/sys -t sysfs
|
||||||
|
|
||||||
|
mkdir -p ${CACHE_DIR}/appimg-files
|
||||||
|
cp ${SCRIPT_DIR}/appimg-files/* ${CACHE_DIR}/appimg-files/
|
||||||
|
|
||||||
cp --preserve=mode ${SCRIPT_DIR}/build-user-rootfs-stage-two ${DBS_ROOT}/root/install.sh
|
cp --preserve=mode ${SCRIPT_DIR}/build-user-rootfs-stage-two ${DBS_ROOT}/root/install.sh
|
||||||
|
|
||||||
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true LC_ALL=C LANGUAGE=C LANG=C chroot ${DBS_ROOT} /root/install.sh ${DEBIAN_RELEASE} ${DEBIAN_MIRROR}
|
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true LC_ALL=C LANGUAGE=C LANG=C chroot ${DBS_ROOT} /root/install.sh ${DEBIAN_RELEASE} ${DEBIAN_MIRROR}
|
||||||
|
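Review bot: The two added lines in run_chroot_stage expand `${CACHE_DIR}` and `${SCRIPT_DIR}` unquoted and copy with a bare glob, so a path containing whitespace splits and an empty `CACHE_DIR` would silently become `/appimg-files`; `mkdir -p -- "${CACHE_DIR:?}/appimg-files"` and `cp -- "${SCRIPT_DIR}"/appimg-files/* "${CACHE_DIR}/appimg-files/"` keep the same behaviour and fail loudly instead. The neighbouring mount and chroot lines use the same unquoted style, so this is a consistency point with existing code rather than a regression. run_chroot_stage starts and ends outside the hunk.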
@ -3,6 +3,9 @@
|
|||||||
|
|
||||||
PACKAGES="man manpages vim less xz-utils sudo tmux dbus libpam-systemd vifm openssh-client gnome-terminal packagekit-gtk3-module libcanberra-gtk3-module libpulse0 firefox fonts-roboto-hinted nautilus eog evince unzip"
|
PACKAGES="man manpages vim less xz-utils sudo tmux dbus libpam-systemd vifm openssh-client gnome-terminal packagekit-gtk3-module libcanberra-gtk3-module libpulse0 firefox fonts-roboto-hinted nautilus eog evince unzip"
|
||||||
|
|
||||||
|
# appimg-files are stored here because we're already bind mounting the parent directory
|
||||||
|
APPIMG_FILES="/var/cache/apt/archives/appimg-files"
|
||||||
|
|
||||||
setup_locale() {
|
setup_locale() {
|
||||||
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
|
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
|
||||||
locale-gen
|
locale-gen
|
||||||
@ -67,6 +70,10 @@ post_install_packages() {
|
|||||||
# see 'enable-linger' in loginctl(1)
|
# see 'enable-linger' in loginctl(1)
|
||||||
mkdir /var/lib/systemd/linger
|
mkdir /var/lib/systemd/linger
|
||||||
touch /var/lib/systemd/linger/user
|
touch /var/lib/systemd/linger/user
|
||||||
|
|
||||||
|
install -m 0755 ${APPIMG_FILES}/configure-host0.sh /usr/libexec
|
||||||
|
install -m 0644 ${APPIMG_FILES}/configure-host0.service /usr/lib/systemd/system
|
||||||
|
systemctl enable configure-host0.service
|
||||||
}
|
}
|
||||||
|
|
||||||
set -u
|
set -u
|
||||||
@ -81,3 +88,4 @@ write_launch_script
|
|||||||
setup_etc
|
setup_etc
|
||||||
create_user
|
create_user
|
||||||
install_packages
|
install_packages
|
||||||
|
post_install_packages
|
||||||
|
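Review bot: `install -m 0755 ${APPIMG_FILES}/configure-host0.sh /usr/libexec` in post_install_packages assumes /usr/libexec already exists in the Debian rootfs; if it does not, `install` creates a regular file named /usr/libexec and the unit's `ExecStart=/usr/libexec/configure-host0.sh` can never run. `install -D -m 0755 "${APPIMG_FILES}/configure-host0.sh" /usr/libexec/configure-host0.sh` creates the directory and is explicit about the destination name. Whether the release in use ships /usr/libexec is not visible here. post_install_packages is defined outside the hunk shown.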