From 81d612e3520788f1f329981572a075380ff3a0d3 Mon Sep 17 00:00:00 2001
From: "Patrick J.P. Culp"
Date: Mon, 7 Nov 2022 18:54:11 +0000
Subject: [PATCH 1/3] selinux-policy: Add control_t to network_s

Allows bootstrap containers to manage network configuration.
---
 packages/selinux-policy/subject.cil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/selinux-policy/subject.cil b/packages/selinux-policy/subject.cil
index 6520b0ec47a..0223a9bc4e8 100644
--- a/packages/selinux-policy/subject.cil
+++ b/packages/selinux-policy/subject.cil
@@ -134,7 +134,7 @@
 ; Subjects that are allowed to manage network interfaces.
 (typeattribute network_s)
-(typeattributeset network_s (network_t system_t super_t))
+(typeattributeset network_s (network_t system_t super_t control_t))
 ; Subjects that are allowed to control system files.
 (typeattribute control_s)

From 4fc866d1bddc841489e6e55922851f99358c224b Mon Sep 17 00:00:00 2001
From: "Patrick J.P. Culp"
Date: Mon, 7 Nov 2022 19:03:54 +0000
Subject: [PATCH 2/3] netdog: Add alternative `net.toml` location

Allows bootstrap containers to override network configuration by writing `net.toml` to an alternative location, `/var/lib/netdog/`, which takes precedence over the default `/var/lib/bottlerocket/net.toml`.
---
 sources/api/netdog/src/cli/generate_net_config.rs | 11 +++++++++--
 sources/api/netdog/src/main.rs | 1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/sources/api/netdog/src/cli/generate_net_config.rs b/sources/api/netdog/src/cli/generate_net_config.rs
index 2d239d6fd2a..7e0923d0e7d 100644
--- a/sources/api/netdog/src/cli/generate_net_config.rs
+++ b/sources/api/netdog/src/cli/generate_net_config.rs
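Review bot: Adding `control_t` to `network_s` on the `typeattributeset` line grants bootstrap containers every rule that references network_s elsewhere in the policy, not only the ability to write the `net.toml` override that patch 2 of this series introduces; if a narrower file-write rule on the netdog state directory would suffice, prefer that. Either way the policy should record why a control subject is also a network subject, since nothing on the line or in the surrounding comments explains it, e.g. above the line: `; control_t is included so bootstrap containers can supply a net.toml override for netdog.` The same rationale belongs in the commit body, which currently states the effect but not the reason for choosing the attribute over a targeted rule.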
@@ -1,5 +1,8 @@
 use super::{error, Result};
-use crate::{net_config, DEFAULT_NET_CONFIG_FILE, KERNEL_CMDLINE, PRIMARY_INTERFACE};
+use crate::{
+ net_config, DEFAULT_NET_CONFIG_FILE, KERNEL_CMDLINE, OVERRIDE_NET_CONFIG_FILE,
+ PRIMARY_INTERFACE,
+};
 use argh::FromArgs;
 use snafu::{OptionExt, ResultExt};
 use std::{fs, path::Path};
@@ -11,7 +14,11 @@ pub(crate) struct GenerateNetConfigArgs {}
 /// Generate configuration for network interfaces.
 pub(crate) fn run() -> Result<()> {
- let maybe_net_config = if Path::exists(Path::new(DEFAULT_NET_CONFIG_FILE)) {
+ let maybe_net_config = if Path::exists(Path::new(OVERRIDE_NET_CONFIG_FILE)) {
+ net_config::from_path(OVERRIDE_NET_CONFIG_FILE).context(error::NetConfigParseSnafu {
+ path: OVERRIDE_NET_CONFIG_FILE,
+ })?
+ } else if Path::exists(Path::new(DEFAULT_NET_CONFIG_FILE)) {
 net_config::from_path(DEFAULT_NET_CONFIG_FILE).context(error::NetConfigParseSnafu {
 path: DEFAULT_NET_CONFIG_FILE,
 })?
diff --git a/sources/api/netdog/src/main.rs b/sources/api/netdog/src/main.rs
index 7b77bc22540..2318dac264a 100644
--- a/sources/api/netdog/src/main.rs
+++ b/sources/api/netdog/src/main.rs
@@ -50,6 +50,7 @@ static CURRENT_IP: &str = "/var/lib/netdog/current_ip";
 static KERNEL_CMDLINE: &str = "/proc/cmdline";
 static PRIMARY_INTERFACE: &str = "/var/lib/netdog/primary_interface";
 static DEFAULT_NET_CONFIG_FILE: &str = "/var/lib/bottlerocket/net.toml";
+static OVERRIDE_NET_CONFIG_FILE: &str = "/var/lib/netdog/net.toml";
 static PRIMARY_SYSCTL_CONF: &str = "/etc/sysctl.d/90-primary_interface.conf";
 static SYSTEMD_SYSCTL: &str = "/usr/lib/systemd/systemd-sysctl";
 static LEASE_DIR: &str = "/run/wicked";

From 962bf0d4c515b718c639e3b6f0b1cff865b3f0c6 Mon Sep 17 00:00:00 2001
From: "Patrick J.P. Culp"
Date: Tue, 8 Nov 2022 18:58:11 +0000
Subject: [PATCH 3/3] netdog: Fix clippy warnings

---
 sources/api/netdog/src/interface_name.rs | 10 ++--------
 sources/api/netdog/src/wicked/mod.rs | 5 +++--
 2 files changed, 5 insertions(+), 10 deletions(-)
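Review bot: The new override branch in `run()` picks the config file purely on `Path::exists`, so a `net.toml` placed in `/var/lib/netdog/` silently replaces the host's default network configuration with nothing in the output recording which source was used; since that directory is now writable by bootstrap containers (patch 1 of this series), emit a log line naming the chosen file, using whatever logging the binary already has, so the decision is auditable. `Path::exists` also returns false on permission errors and broken symlinks, in which case an override the operator intended to apply is ignored and the default is used without any warning; if that fall-through is acceptable, say so in a comment, otherwise match on `fs::metadata` and surface the error. The two branches differ only in the constant, so they could be collapsed by choosing the path first, `let path = [OVERRIDE_NET_CONFIG_FILE, DEFAULT_NET_CONFIG_FILE].into_iter().find(|p| Path::new(p).exists());`, and parsing once. The doc comment should state the precedence as well, e.g. `/// Generate configuration for network interfaces, preferring OVERRIDE_NET_CONFIG_FILE over DEFAULT_NET_CONFIG_FILE when both exist.` The body of `run()` continues past the end of the hunk.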
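Review bot: `OVERRIDE_NET_CONFIG_FILE` is added to the constant table in main.rs without a comment, so a reader cannot tell that `/var/lib/netdog/net.toml` takes precedence over `DEFAULT_NET_CONFIG_FILE` or who is expected to write it. Add a comment above the line: `// Optional override written by bootstrap containers; when present it takes precedence over DEFAULT_NET_CONFIG_FILE.` The precedence itself is implemented in generate_net_config.rs, so naming it here keeps the two locations in step when either path changes.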
diff --git a/sources/api/netdog/src/interface_name.rs b/sources/api/netdog/src/interface_name.rs
index f273806d176..ba938386449 100644
--- a/sources/api/netdog/src/interface_name.rs
+++ b/sources/api/netdog/src/interface_name.rs
@@ -110,7 +110,7 @@ mod tests {
 #[test]
 fn invalid_interface_name() {
 let bad_str = [
- &std::iter::repeat("a").take(16).collect::(),
+ &"a".repeat(16),
 "",
 ".",
 "..",
@@ -132,13 +132,7 @@ mod tests {
 #[test]
 fn valid_interface_name() {
- let ok_str = [
- &std::iter::repeat("a").take(15).collect::(),
- "eno1",
- "eth0",
- "enp5s0",
- "enx0eb36944b633",
- ];
+ let ok_str = [&"a".repeat(15), "eno1", "eth0", "enp5s0", "enx0eb36944b633"];
 for ok in ok_str {
 assert!(InterfaceName::try_from(ok).is_ok())
 }
diff --git a/sources/api/netdog/src/wicked/mod.rs b/sources/api/netdog/src/wicked/mod.rs
index ad2f13a8986..19ff91bf8bc 100644
--- a/sources/api/netdog/src/wicked/mod.rs
+++ b/sources/api/netdog/src/wicked/mod.rs
@@ -149,7 +149,7 @@ mod tests {
 "eno8:dhcp4?,dhcp6?",
 ];
 for ok_str in ok {
- let net_config = NetConfigV1::from_str(&ok_str).unwrap();
+ let net_config = NetConfigV1::from_str(ok_str).unwrap();
 let wicked_interfaces = net_config.as_wicked_interfaces();
 for interface in wicked_interfaces {
@@ -166,13 +166,14 @@ mod tests {
 // Test the end to end trip: "net config -> wicked -> serialized XML"
 #[test]
+#[allow(clippy::to_string_in_format_args)]
 fn net_config_to_interface_config() {
 let net_config_path = wicked_config().join("net_config.toml");
 for version in NET_CONFIG_VERSIONS {
 let temp_config = tempfile::NamedTempFile::new().unwrap();
- render_config_template(&net_config_path, &temp_config, &version);
+ render_config_template(&net_config_path, &temp_config, version);
 let net_config = net_config::from_path(&temp_config).unwrap().unwrap();
 let wicked_interfaces = net_config.as_wicked_interfaces();
 for interface in wicked_interfaces {