
Support for bridge-based veth networking

This commit is contained in:
Bruce Leidl 2018-03-06 13:52:07 -05:00
parent 2488cb356f
commit 3baad3bd05
9 changed files with 110 additions and 1 deletions


@ -6,6 +6,9 @@ SRC_URI += "\
file://environment.sh \ file://environment.sh \
file://fstab \ file://fstab \
file://99-grsec-debootstrap.conf \ file://99-grsec-debootstrap.conf \
file://90-citadel-sysctl.conf \
file://citadel-network.rules \
file://citadel-ifconfig.sh \
file://00-storage-tmpfiles.conf \ file://00-storage-tmpfiles.conf \
file://NetworkManager.conf \ file://NetworkManager.conf \
file://zram-swap.service \ file://zram-swap.service \
@ -19,11 +22,16 @@ volatiles = ""
inherit systemd inherit systemd
SYSTEMD_SERVICE_${PN} = "zram-swap.service" SYSTEMD_SERVICE_${PN} = "zram-swap.service"
# for citadel-ifconfig.sh
RDEPENDS_${PN} = "bash"
do_install_append () { do_install_append () {
install -m 0755 -d ${D}/storage install -m 0755 -d ${D}/storage
install -d ${D}${libdir}/sysctl.d install -d ${D}${libdir}/sysctl.d
install -m 0755 -d ${D}${libexecdir}
install -m 0755 -d ${D}${sysconfdir}/profile.d install -m 0755 -d ${D}${sysconfdir}/profile.d
install -m 0755 -d ${D}${sysconfdir}/tmpfiles.d install -m 0755 -d ${D}${sysconfdir}/tmpfiles.d
install -m 0755 -d ${D}${sysconfdir}/udev/rules.d
install -m 0755 -d ${D}${sysconfdir}/NetworkManager install -m 0755 -d ${D}${sysconfdir}/NetworkManager
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager
install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections
@ -41,6 +49,11 @@ do_install_append () {
# this should be removed later # this should be removed later
install -m 0644 ${WORKDIR}/99-grsec-debootstrap.conf ${D}${libdir}/sysctl.d/ install -m 0644 ${WORKDIR}/99-grsec-debootstrap.conf ${D}${libdir}/sysctl.d/
install -m 0644 ${WORKDIR}/90-citadel-sysctl.conf ${D}${libdir}/sysctl.d/
install -m 0644 ${WORKDIR}/citadel-network.rules ${D}${sysconfdir}/udev/rules.d/
install -m 0755 ${WORKDIR}/citadel-ifconfig.sh ${D}${libexecdir}
ln -s /storage/citadel-state/resolv.conf ${D}${sysconfdir}/resolv.conf ln -s /storage/citadel-state/resolv.conf ${D}${sysconfdir}/resolv.conf
ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/etc.conf ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/etc.conf
ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/home.conf ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/home.conf
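Review bot: `RDEPENDS_${PN} = "bash"` in the second hunk uses plain assignment, so any runtime dependency this package already picks up from the recipe or an inherited class is replaced rather than extended; `RDEPENDS_${PN} += "bash"` keeps the existing list. The dependency itself is right, since citadel-ifconfig.sh is installed with a `#!/bin/bash` shebang. do_install_append begins and ends outside these hunks.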


@ -0,0 +1 @@
net.ipv4.ip_forward = 1


@ -0,0 +1,27 @@
#!/bin/bash
#
# Called from /etc/udev/rules.d/citadel-network.rules to configure
# external network interfaces and the vz-clear bridge which is created
# automatically by systemd-nspawn when --network-zone=clear (or Zone=clear)
# option is used to launch a container.
#
# Both the bridge device and external interfaces are masqueraded so that
# container veth instances added to the bridge will work.
#
# TODO: External interfaces need to have a set of filering rules applied.
# The filtering rules should go in a separate script file in a more visible
# location such as /usr/share/citadel/citadel-firewall.sh
#
VZ_CLEAR_ADDRESS="172.17.0.1/24"
# add NAT rule for external interfaces and also for vz-clear bridge
iptables -t nat -A POSTROUTING -o ${1} -j MASQUERADE
if [[ ${1} == "vz-clear" ]]; then
ip addr add ${VZ_CLEAR_ADDRESS} dev vz-clear
ip link set vz-clear up
exit 0
fi
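Review bot: `iptables -t nat -A POSTROUTING -o ${1} -j MASQUERADE` appends unconditionally, so each udev "add" event for the same interface name (a re-plugged NIC, or the bridge being torn down and recreated by nspawn) leaves another identical MASQUERADE rule behind; testing with `iptables -C` first makes the script idempotent. `${1}` is also unquoted and unchecked, and `${1:?interface name required}` would fail early with a clear message if the rule ever invokes the script without an argument. Because the sysctl file in this commit enables `net.ipv4.ip_forward` and the header marks filter rules as a TODO, the host will forward between any two of these interfaces while the built-in FORWARD policy stays ACCEPT; until the planned firewall script exists, a FORWARD default of DROP with explicit accepts for the vz-clear bridge belongs here rather than nowhere.
```shell
# … unchanged: header comment and VZ_CLEAR_ADDRESS …
ifname=${1:?interface name required}
# udev can deliver "add" more than once for the same name; add the NAT rule only if absent
iptables -t nat -C POSTROUTING -o "${ifname}" -j MASQUERADE 2>/dev/null ||
  iptables -t nat -A POSTROUTING -o "${ifname}" -j MASQUERADE
if [[ ${ifname} == "vz-clear" ]]; then
  ip addr add "${VZ_CLEAR_ADDRESS}" dev vz-clear
  ip link set vz-clear up
  exit 0
fi
```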


@ -0,0 +1,11 @@
#
# udev rule which matches all network interfaces except loopback and veth host devices created by systemd-nspawn.
# nspawn always names these interfaces with the prefix 'vb-' when they are created for a bridge-mode option.
#
# The citadel-ifconfig.sh script:
#
# 1) configures vz-clear bridge with a fixed IP address
# 2) enables ip masquerading on every interface
# 3) applies iptables filter rules on each external interface
#
ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo|vb-*", RUN+="/usr/libexec/citadel-ifconfig.sh $name"
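Review bot: Item 3 of the comment, "applies iptables filter rules on each external interface", describes something citadel-ifconfig.sh does not do yet; the script's own header lists filtering as a TODO, so this comment should say the same, e.g. `# 3) (TODO) applies iptables filter rules on each external interface`, so a reader does not assume external interfaces are already filtered. RUN+= executes the script synchronously in the udev worker, which is acceptable while it is a handful of ip/iptables calls; if the planned firewall rules grow, a systemd service started from the rule via `TAG+="systemd"` and `ENV{SYSTEMD_WANTS}=` is the supported way to run longer work from a device event.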


@ -1,5 +1,7 @@
[Exec] [Exec]
Boot=true Boot=true
Environment=IFCONFIG_IP=172.17.0.2/24
Environment=IFCONFIG_GW=172.17.0.1
[Files] [Files]
BindReadOnly=/usr/share/themes/Adapta BindReadOnly=/usr/share/themes/Adapta
@ -16,7 +18,10 @@ BindReadOnly=/storage/citadel-state/resolv.conf:/etc/resolv.conf
# #
Bind=/dev/snd Bind=/dev/snd
Bind=/dev/shm Bind=/dev/shm
Bind=/run/user/1000/pulse:/run/user/host/pulse BindReadOnly=/run/user/1000/pulse:/run/user/host/pulse
BindReadOnly=/tmp/.X11-unix
BindReadOnly=/run/user/1000/wayland-0:/run/user/host/wayland-0
# #
# Uncomment to enable kvm access in container # Uncomment to enable kvm access in container
@ -28,3 +33,5 @@ Bind=/run/user/1000/pulse:/run/user/host/pulse
# #
#Bind=/dev/dri/renderD128 #Bind=/dev/dri/renderD128
[Network]
Zone=clear
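Review bot: The bridge address 172.17.0.1 is written here as `IFCONFIG_GW` and again as `VZ_CLEAR_ADDRESS` in citadel-ifconfig.sh, and the container address 172.17.0.2/24 is fixed in this file; a comment beside the two Environment= lines, e.g. `# IFCONFIG_GW must match VZ_CLEAR_ADDRESS in citadel-ifconfig.sh; each container on Zone=clear needs a distinct IFCONFIG_IP`, records the coupling until the addresses come from one place. If this .nspawn file is reused for more than one container on the clear zone, they would all claim 172.17.0.2, so per-container files or an allocation step would be needed.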


@ -0,0 +1,11 @@
[Unit]
Description=Run script to configure host0 interface
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/configure-host0.sh
[Install]
WantedBy=sysinit.target


@ -0,0 +1,28 @@
#!/bin/bash
# inspired by last section of
#
# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
#
SYSTEMD_ENV=$(xargs -a /proc/1/environ --null echo)
process_var() {
case ${1} in
"IFCONFIG_IP")
echo "IP: ${2}"
ip addr add ${2} dev host0
ip link set host0 up
;;
"IFCONFIG_GW")
echo "GW: ${2}"
ip route add default via ${2}
;;
esac
}
for var in ${SYSTEMD_ENV}; do
IFS="=" read -a PAIR <<< ${var}
if [[ ${#PAIR[@]} -eq 2 ]]; then
process_var ${PAIR[0]} ${PAIR[1]}
fi
done
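Review bot: `for var in ${SYSTEMD_ENV}` word-splits the xargs output on whitespace, so any entry in PID 1's environment whose value contains spaces is broken into fragments before the `=` split; reading /proc/1/environ directly with `read -r -d ''` keeps each NUL-terminated entry intact and removes the xargs dependency. The script also acts on entries in environment order, so if IFCONFIG_GW precedes IFCONFIG_IP the `ip route add default via` runs before host0 has an address and fails; collecting both values first and applying the address before the route removes that dependence. `${2}` reaches ip unquoted and `read -a` lacks `-r`; the rewrite below quotes every expansion and needs no process_var helper.
```shell
# … unchanged: header comment …
ifconfig_ip=
ifconfig_gw=
# /proc/1/environ is NUL-delimited; read it directly so values with spaces survive
while IFS= read -r -d '' var; do
  case ${var} in
    IFCONFIG_IP=*) ifconfig_ip=${var#*=} ;;
    IFCONFIG_GW=*) ifconfig_gw=${var#*=} ;;
  esac
done < /proc/1/environ
# address first, then the default route, regardless of environment order
if [[ -n ${ifconfig_ip} ]]; then
  echo "IP: ${ifconfig_ip}"
  ip addr add "${ifconfig_ip}" dev host0
  ip link set host0 up
fi
if [[ -n ${ifconfig_gw} ]]; then
  echo "GW: ${ifconfig_gw}"
  ip route add default via "${ifconfig_gw}"
fi
```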


@ -26,6 +26,9 @@ run_chroot_stage() {
mount chproc ${DBS_ROOT}/proc -t proc mount chproc ${DBS_ROOT}/proc -t proc
mount chsys ${DBS_ROOT}/sys -t sysfs mount chsys ${DBS_ROOT}/sys -t sysfs
mkdir -p ${CACHE_DIR}/appimg-files
cp ${SCRIPT_DIR}/appimg-files/* ${CACHE_DIR}/appimg-files/
cp --preserve=mode ${SCRIPT_DIR}/build-user-rootfs-stage-two ${DBS_ROOT}/root/install.sh cp --preserve=mode ${SCRIPT_DIR}/build-user-rootfs-stage-two ${DBS_ROOT}/root/install.sh
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true LC_ALL=C LANGUAGE=C LANG=C chroot ${DBS_ROOT} /root/install.sh ${DEBIAN_RELEASE} ${DEBIAN_MIRROR} DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true LC_ALL=C LANGUAGE=C LANG=C chroot ${DBS_ROOT} /root/install.sh ${DEBIAN_RELEASE} ${DEBIAN_MIRROR}


@ -3,6 +3,9 @@
PACKAGES="man manpages vim less xz-utils sudo tmux dbus libpam-systemd vifm openssh-client gnome-terminal packagekit-gtk3-module libcanberra-gtk3-module libpulse0 firefox fonts-roboto-hinted nautilus eog evince unzip" PACKAGES="man manpages vim less xz-utils sudo tmux dbus libpam-systemd vifm openssh-client gnome-terminal packagekit-gtk3-module libcanberra-gtk3-module libpulse0 firefox fonts-roboto-hinted nautilus eog evince unzip"
# appimg-files are stored here because we're already bind mounting the parent directory
APPIMG_FILES="/var/cache/apt/archives/appimg-files"
setup_locale() { setup_locale() {
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen locale-gen
@ -67,6 +70,10 @@ post_install_packages() {
# see 'enable-linger' in loginctl(1) # see 'enable-linger' in loginctl(1)
mkdir /var/lib/systemd/linger mkdir /var/lib/systemd/linger
touch /var/lib/systemd/linger/user touch /var/lib/systemd/linger/user
install -m 0755 ${APPIMG_FILES}/configure-host0.sh /usr/libexec
install -m 0644 ${APPIMG_FILES}/configure-host0.service /usr/lib/systemd/system
systemctl enable configure-host0.service
} }
set -u set -u
@ -81,3 +88,4 @@ write_launch_script
setup_etc setup_etc
create_user create_user
install_packages install_packages
post_install_packages
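Review bot: `install -m 0755 ${APPIMG_FILES}/configure-host0.sh /usr/libexec` depends on /usr/libexec already existing in the chroot, and nothing in these hunks creates it; `install -D -m 0755 ${APPIMG_FILES}/configure-host0.sh /usr/libexec/configure-host0.sh` creates the directory when missing and pins the exact path the unit's ExecStart= uses. The `post_install_packages` call added at the end is the only reference to that function visible in these hunks; if it was previously unreferenced, the linger setup in its body starts running with this commit as well, which deserves a mention in the commit message. post_install_packages itself begins outside the hunk.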