diff --git a/meta-citadel/recipes-core/base-files/base-files_%.bbappend b/meta-citadel/recipes-core/base-files/base-files_%.bbappend index 6cca0d9..5531826 100644 --- a/meta-citadel/recipes-core/base-files/base-files_%.bbappend +++ b/meta-citadel/recipes-core/base-files/base-files_%.bbappend @@ -6,6 +6,9 @@ SRC_URI += "\ file://environment.sh \ file://fstab \ file://99-grsec-debootstrap.conf \ + file://90-citadel-sysctl.conf \ + file://citadel-network.rules \ + file://citadel-ifconfig.sh \ file://00-storage-tmpfiles.conf \ file://NetworkManager.conf \ file://zram-swap.service \ @@ -19,11 +22,16 @@ volatiles = "" inherit systemd SYSTEMD_SERVICE_${PN} = "zram-swap.service" +# for citadel-ifconfig.sh +RDEPENDS_${PN} = "bash" + do_install_append () { install -m 0755 -d ${D}/storage install -d ${D}${libdir}/sysctl.d + install -m 0755 -d ${D}${libexecdir} install -m 0755 -d ${D}${sysconfdir}/profile.d install -m 0755 -d ${D}${sysconfdir}/tmpfiles.d + install -m 0755 -d ${D}${sysconfdir}/udev/rules.d install -m 0755 -d ${D}${sysconfdir}/NetworkManager install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager install -m 0700 -d ${D}${localstatedir}/lib/NetworkManager/system-connections @@ -41,6 +49,11 @@ do_install_append () { # this should be removed later install -m 0644 ${WORKDIR}/99-grsec-debootstrap.conf ${D}${libdir}/sysctl.d/ + install -m 0644 ${WORKDIR}/90-citadel-sysctl.conf ${D}${libdir}/sysctl.d/ + + install -m 0644 ${WORKDIR}/citadel-network.rules ${D}${sysconfdir}/udev/rules.d/ + install -m 0755 ${WORKDIR}/citadel-ifconfig.sh ${D}${libexecdir} + ln -s /storage/citadel-state/resolv.conf ${D}${sysconfdir}/resolv.conf ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/etc.conf ln -s /dev/null ${D}${sysconfdir}/tmpfiles.d/home.conf diff --git a/meta-citadel/recipes-core/base-files/files/90-citadel-sysctl.conf b/meta-citadel/recipes-core/base-files/files/90-citadel-sysctl.conf new file mode 100644 index 0000000..bd3ce76 --- /dev/null +++ b/meta-citadel/recipes-core/base-files/files/90-citadel-sysctl.conf @@ -0,0 +1,10 @@ + +net.ipv4.ip_forward = 1 +# disable some pax and grsecurity features so that debootstrap will work +# this should be removed later + +kernel.grsecurity.chroot_caps = 0 +kernel.grsecurity.chroot_deny_chmod = 0 +kernel.grsecurity.chroot_deny_mknod = 0 +kernel.grsecurity.chroot_deny_mount = 0 +kernel.pax.softmode = 1 diff --git a/meta-citadel/recipes-core/base-files/files/citadel-ifconfig.sh b/meta-citadel/recipes-core/base-files/files/citadel-ifconfig.sh new file mode 100755 index 0000000..ac87da1 --- /dev/null +++ b/meta-citadel/recipes-core/base-files/files/citadel-ifconfig.sh @@ -0,0 +1,27 @@ +#!/bin/bash +# +# Called from /etc/udev/rules.d/citadel-network.rules to configure +# external network interfaces and the vz-clear bridge which is created +# automatically by systemd-nspawn when --network-zone=clear (or Zone=clear) +# option is used to launch a container. +# +# Both the bridge device and external interfaces are masqueraded so that +# container veth instances added to the bridge will work. +# +# TODO: External interfaces need to have a set of filering rules applied. +# The filtering rules should go in a separate script file in a more visible +# location such as /usr/share/citadel/citadel-firewall.sh +# + +VZ_CLEAR_ADDRESS="172.17.0.1/24" + +# add NAT rule for external interfaces and also for vz-clear bridge + +iptables -t nat -A POSTROUTING -o ${1} -j MASQUERADE + +if [[ ${1} == "vz-clear" ]]; then + ip addr add ${VZ_CLEAR_ADDRESS} dev vz-clear + ip link set vz-clear up + exit 0 +fi + diff --git a/meta-citadel/recipes-core/base-files/files/citadel-network.rules b/meta-citadel/recipes-core/base-files/files/citadel-network.rules new file mode 100644 index 0000000..ff6dce0 --- /dev/null +++ b/meta-citadel/recipes-core/base-files/files/citadel-network.rules @@ -0,0 +1,11 @@ +# +# udev rule which matches all network interfaces except loopback and veth host devices created by systemd-nspawn. +# nspawn always names these interfaces with the prefix 'vb-' when they are created for a bridge-mode option. +# +# The citadel-ifconfig.sh script: +# +# 1) configures vz-clear bridge with a fixed IP address +# 2) enables ip masquerading on every interface +# 3) applies iptables filter rules on each external interface +# +ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo|vb-*", RUN+="/usr/libexec/citadel-ifconfig.sh $name" diff --git a/meta-citadel/recipes-core/primary-user-appimg/files/primary.nspawn b/meta-citadel/recipes-core/primary-user-appimg/files/primary.nspawn index 9f50033..0e75caf 100644 --- a/meta-citadel/recipes-core/primary-user-appimg/files/primary.nspawn +++ b/meta-citadel/recipes-core/primary-user-appimg/files/primary.nspawn @@ -1,5 +1,7 @@ [Exec] Boot=true +Environment=IFCONFIG_IP=172.17.0.2/24 +Environment=IFCONFIG_GW=172.17.0.1 [Files] BindReadOnly=/usr/share/themes/Adapta @@ -16,7 +18,10 @@ BindReadOnly=/storage/citadel-state/resolv.conf:/etc/resolv.conf # Bind=/dev/snd Bind=/dev/shm -Bind=/run/user/1000/pulse:/run/user/host/pulse +BindReadOnly=/run/user/1000/pulse:/run/user/host/pulse + +BindReadOnly=/tmp/.X11-unix +BindReadOnly=/run/user/1000/wayland-0:/run/user/host/wayland-0 # # Uncomment to enable kvm access in container @@ -28,3 +33,5 @@ Bind=/run/user/1000/pulse:/run/user/host/pulse # #Bind=/dev/dri/renderD128 +[Network] +Zone=clear diff --git a/scripts/appimg-files/configure-host0.service b/scripts/appimg-files/configure-host0.service new file mode 100644 index 0000000..b392001 --- /dev/null +++ b/scripts/appimg-files/configure-host0.service @@ -0,0 +1,11 @@ +[Unit] +Description=Run script to configure host0 interface +Before=network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/configure-host0.sh + +[Install] +WantedBy=sysinit.target diff --git a/scripts/appimg-files/configure-host0.sh b/scripts/appimg-files/configure-host0.sh new file mode 100755 index 0000000..8ed8d57 --- /dev/null +++ b/scripts/appimg-files/configure-host0.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# inspired by last section of +# +# https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/ +# +SYSTEMD_ENV=$(xargs -a /proc/1/environ --null echo) + +process_var() { + case ${1} in + "IFCONFIG_IP") + echo "IP: ${2}" + ip addr add ${2} dev host0 + ip link set host0 up + ;; + "IFCONFIG_GW") + echo "GW: ${2}" + ip route add default via ${2} + ;; + esac +} + +for var in ${SYSTEMD_ENV}; do + IFS="=" read -a PAIR <<< ${var} + if [[ ${#PAIR[@]} -eq 2 ]]; then + process_var ${PAIR[0]} ${PAIR[1]} + fi +done diff --git a/scripts/build-user-rootfs-stage-one b/scripts/build-user-rootfs-stage-one index 3e18baf..b30786a 100755 --- a/scripts/build-user-rootfs-stage-one +++ b/scripts/build-user-rootfs-stage-one @@ -26,6 +26,9 @@ run_chroot_stage() { mount chproc ${DBS_ROOT}/proc -t proc mount chsys ${DBS_ROOT}/sys -t sysfs + mkdir -p ${CACHE_DIR}/appimg-files + cp ${SCRIPT_DIR}/appimg-files/* ${CACHE_DIR}/appimg-files/ + cp --preserve=mode ${SCRIPT_DIR}/build-user-rootfs-stage-two ${DBS_ROOT}/root/install.sh DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true LC_ALL=C LANGUAGE=C LANG=C chroot ${DBS_ROOT} /root/install.sh ${DEBIAN_RELEASE} ${DEBIAN_MIRROR} diff --git a/scripts/build-user-rootfs-stage-two b/scripts/build-user-rootfs-stage-two index 22c8aa4..c20c044 100755 --- a/scripts/build-user-rootfs-stage-two +++ b/scripts/build-user-rootfs-stage-two @@ -3,6 +3,9 @@ PACKAGES="man manpages vim less xz-utils sudo tmux dbus libpam-systemd vifm openssh-client gnome-terminal packagekit-gtk3-module libcanberra-gtk3-module libpulse0 firefox fonts-roboto-hinted nautilus eog evince unzip" +# appimg-files are stored here because we're already bind mounting the parent directory +APPIMG_FILES="/var/cache/apt/archives/appimg-files" + setup_locale() { echo "en_US.UTF-8 UTF-8" > /etc/locale.gen locale-gen @@ -67,6 +70,10 @@ post_install_packages() { # see 'enable-linger' in loginctl(1) mkdir /var/lib/systemd/linger touch /var/lib/systemd/linger/user + + install -m 0755 ${APPIMG_FILES}/configure-host0.sh /usr/libexec + install -m 0644 ${APPIMG_FILES}/configure-host0.service /usr/lib/systemd/system + systemctl enable configure-host0.service } set -u @@ -81,3 +88,4 @@ write_launch_script setup_etc create_user install_packages +post_install_packages