settings.network: add new proxy settings

Add new settings for configuring HTTPS_PROXY/https_proxy and
NO_PROXY/no_proxy environment variables.

These environment variables will only be exposed to a limited set
of services that need them.

README.md

@@ -344,6 +344,27 @@ These settings can be changed at any time.
 * `settings.updates.version-lock`: Controls the version that will be selected when you issue an update request.  Can be locked to a specific version like `v1.0.0`, or `latest` to take the latest available version.  Defaults to `latest`.
 * `settings.updates.ignore-waves`: Updates are rolled out in waves to reduce the impact of issues.  For testing purposes, you can set this to `true` to ignore those waves and update immediately.
 
+#### Network settings
+
+##### Proxy settings
+
+These settings will configure the proxying behavior of the following services:
+* For all variants:
+    * [containerd.service](packages/containerd/containerd.service)
+    * [host-containerd.service](packages/host-ctr/host-containerd.service)
+* For Kubernetes variants:
+    * [kubelet.service](packages/kubernetes-1.18/kubelet.service)
+* For the ECS variant:
+    * [docker.service](packages/docker-engine/docker.service)
+    * [ecs.service](packages/ecs-agent/ecs.service)
+
+* `settings.network.https-proxy`: The HTTPS proxy server to be used by services listed above.
+* `settings.network.no-proxy`: A list of hosts that are excluded from proxying.
+
+The no-proxy list will automatically include entries for localhost.
+
+If you're running a Kubernetes variant, the no-proxy list will automatically include the Kubernetes API server endpoint and other commonly used Kubernetes DNS suffixes to facilitate intra-cluster networking.
+
 #### Time settings
 
 * `settings.ntp.time-servers`: A list of NTP servers used to set and verify the system time.

packages/containerd/containerd.service

@@ -5,6 +5,7 @@ After=network-online.target configured.target
 Wants=network-online.target configured.target
 
 [Service]
+EnvironmentFile=/etc/network/proxy.env
 ExecStart=/usr/bin/containerd
 Type=notify
 Delegate=yes

packages/docker-engine/docker.service

@@ -10,6 +10,7 @@ StartLimitIntervalSec=60s
 
 [Service]
 Type=notify
+EnvironmentFile=/etc/network/proxy.env
 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
 ExecReload=/bin/kill -s HUP $MAINPID
 Delegate=yes

packages/ecs-agent/ecs.service

@@ -11,6 +11,7 @@ Restart=on-failure
 RestartPreventExitStatus=5
 RestartSec=1s
 EnvironmentFile=-/etc/ecs/ecs.config
+EnvironmentFile=/etc/network/proxy.env
 Environment=ECS_CHECKPOINT=true
 ExecStartPre=/sbin/iptables -t nat -A PREROUTING -d 169.254.170.2/32 \
  -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:51679

packages/host-ctr/host-containerd.service

@@ -5,6 +5,7 @@ After=network-online.target configured.target
 Wants=network-online.target configured.target
 
 [Service]
+EnvironmentFile=/etc/network/proxy.env
 ExecStart=/usr/bin/containerd --config /etc/host-containerd/config.toml
 Type=notify
 Delegate=yes

packages/kubernetes-1.15/kubelet.service

@@ -7,6 +7,7 @@ BindsTo=containerd.service
 
 [Service]
 Type=notify
+EnvironmentFile=/etc/network/proxy.env
 EnvironmentFile=/etc/kubernetes/kubelet/env
 ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
 # Pull the pause container image before starting `kubelet` so `containerd/cri` wouldn't have to

packages/kubernetes-1.16/kubelet.service

@@ -7,6 +7,7 @@ BindsTo=containerd.service
 
 [Service]
 Type=notify
+EnvironmentFile=/etc/network/proxy.env
 EnvironmentFile=/etc/kubernetes/kubelet/env
 ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
 # Pull the pause container image before starting `kubelet` so `containerd/cri` wouldn't have to

packages/kubernetes-1.17/kubelet.service

@@ -7,6 +7,7 @@ BindsTo=containerd.service
 
 [Service]
 Type=notify
+EnvironmentFile=/etc/network/proxy.env
 EnvironmentFile=/etc/kubernetes/kubelet/env
 ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
 # Pull the pause container image before starting `kubelet` so `containerd/cri` wouldn't have to

packages/kubernetes-1.18/kubelet.service

@@ -7,6 +7,7 @@ BindsTo=containerd.service
 
 [Service]
 Type=notify
+EnvironmentFile=/etc/network/proxy.env
 EnvironmentFile=/etc/kubernetes/kubelet/env
 ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
 # Pull the pause container image before starting `kubelet` so `containerd/cri` wouldn't have to

packages/release/proxy-env

@@ -0,0 +1,6 @@
+{{#if settings.network.https-proxy}}
+HTTPS_PROXY={{settings.network.https-proxy}}
+https_proxy={{settings.network.https-proxy}}
+{{/if}}
+NO_PROXY={{#each settings.network.no-proxy}}{{this}},{{/each}}localhost,127.0.0.1{{#if settings.kubernetes.api-server}},{{host settings.kubernetes.api-server}}{{/if}}{{#if settings.kubernetes.cluster-domain}},.{{settings.kubernetes.cluster-domain}}{{/if}}
+no_proxy={{#each settings.network.no-proxy}}{{this}},{{/each}}localhost,127.0.0.1{{#if settings.kubernetes.api-server}},{{host settings.kubernetes.api-server}}{{/if}}{{#if settings.kubernetes.cluster-domain}},.{{settings.kubernetes.cluster-domain}}{{/if}}

packages/release/release.spec

@@ -13,6 +13,7 @@ Source98: release-systemd-system.conf
 Source99: release-tmpfiles.conf
 
 Source200: motd.template
+Source201: proxy-env
 
 Source1000: eth0.xml
 Source1002: configured.target
@@ -122,6 +123,7 @@ install -p -m 0644 ${LICENSEPATH}.mount %{buildroot}%{_cross_unitdir}
 
 install -d %{buildroot}%{_cross_templatedir}
 install -p -m 0644 %{S:200} %{buildroot}%{_cross_templatedir}/motd
+install -p -m 0644 %{S:201} %{buildroot}%{_cross_templatedir}/proxy-env
 
 %files
 %{_cross_factorydir}%{_cross_sysconfdir}/hosts
@@ -142,5 +144,6 @@ install -p -m 0644 %{S:200} %{buildroot}%{_cross_templatedir}/motd
 %{_cross_unitdir}/var-lib-bottlerocket.mount
 %dir %{_cross_templatedir}
 %{_cross_templatedir}/motd
+%{_cross_templatedir}/proxy-env
 
 %changelog

sources/models/defaults.toml

@@ -22,7 +22,7 @@ template-path = "/usr/share/templates/motd"
 # Container runtime.
 
 [services.containerd]
-configuration-files = ["containerd-config-toml"]
+configuration-files = ["containerd-config-toml", "proxy-env"]
 restart-commands = ["/bin/systemctl try-restart containerd.service"]
 
 [configuration-files.containerd-config-toml]
@@ -32,7 +32,7 @@ template-path = "/usr/share/templates/containerd-config-toml"
 # Host-container runtime
 
 [services.host-containerd]
-configuration-files = []
+configuration-files = ["proxy-env"]
 restart-commands = ["/bin/systemctl try-restart host-containerd.service"]
 
 # Updates.
@@ -83,6 +83,15 @@ restart-commands = ["/usr/bin/host-containers"]
 [metadata.settings.host-containers]
 affected-services = ["host-containers"]
 
+# Network
+
+[configuration-files.proxy-env]
+path = "/etc/network/proxy.env"
+template-path = "/usr/share/templates/proxy-env"
+
+[metadata.settings.network]
+affected-services = ["containerd", "host-containerd"]
+
 # NTP
 
 [settings.ntp]

sources/models/src/aws-dev/mod.rs

@@ -3,7 +3,9 @@ use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 
 use crate::modeled_types::Identifier;
-use crate::{AwsSettings, ContainerImage, KernelSettings, NtpSettings, UpdatesSettings};
+use crate::{
+    AwsSettings, ContainerImage, KernelSettings, NetworkSettings, NtpSettings, UpdatesSettings,
+};
 
 // Note: we have to use 'rename' here because the top-level Settings structure is the only one
 // that uses its name in serialization; internal structures use the field name that points to it
@@ -13,6 +15,7 @@ struct Settings {
     updates: UpdatesSettings,
     host_containers: HashMap<Identifier, ContainerImage>,
     ntp: NtpSettings,
+    network: NetworkSettings,
     kernel: KernelSettings,
     aws: AwsSettings,
 }

sources/models/src/aws-dev/override-defaults.toml

@@ -5,4 +5,8 @@ template-path = "/usr/share/templates/containerd-config-toml_aws-dev"
 # Docker
 [services.docker]
 restart-commands = ["/bin/systemctl try-restart docker.service"]
-configuration-files = []
+configuration-files = ["proxy-env"]
+
+# Network
+[metadata.settings.network]
+affected-services = ["containerd", "docker", "host-containerd"]

sources/models/src/aws-ecs-1/mod.rs

@@ -4,7 +4,7 @@ use std::collections::HashMap;
 
 use crate::modeled_types::Identifier;
 use crate::{
-    AwsSettings, ContainerImage, ECSSettings, KernelSettings, NtpSettings, UpdatesSettings,
+    AwsSettings, ContainerImage, ECSSettings, KernelSettings, NetworkSettings, NtpSettings, UpdatesSettings,
 };
 
 // Note: we have to use 'rename' here because the top-level Settings structure is the only one
@@ -15,6 +15,7 @@ struct Settings {
     updates: UpdatesSettings,
     host_containers: HashMap<Identifier, ContainerImage>,
     ntp: NtpSettings,
+    network: NetworkSettings,
     kernel: KernelSettings,
     aws: AwsSettings,
     ecs: ECSSettings,

sources/models/src/aws-ecs-1/override-defaults.toml

@@ -5,7 +5,7 @@ template-path = "/usr/share/templates/containerd-config-toml_aws-ecs-1"
 # Docker
 [services.docker]
 restart-commands = ["/bin/systemctl try-restart docker.service"]
-configuration-files = []
+configuration-files = ["proxy-env"]
 
 # ECS
 [services.ecs]
@@ -23,3 +23,7 @@ affected-services = ["ecs"]
 allow-privileged-containers = false
 logging-drivers = ["json-file", "awslogs", "none"]
 loglevel = "info"
+
+# Network
+[metadata.settings.network]
+affected-services = ["containerd", "docker", "ecs", "host-containerd"]

sources/models/src/aws-k8s-1.15/mod.rs

@@ -4,7 +4,8 @@ use std::collections::HashMap;
 
 use crate::modeled_types::Identifier;
 use crate::{
-    AwsSettings, ContainerImage, KernelSettings, KubernetesSettings, NtpSettings, UpdatesSettings,
+    AwsSettings, ContainerImage, KernelSettings, KubernetesSettings, NetworkSettings, NtpSettings,
+    UpdatesSettings,
 };
 
 // Note: we have to use 'rename' here because the top-level Settings structure is the only one
@@ -16,6 +17,7 @@ struct Settings {
     updates: UpdatesSettings,
     host_containers: HashMap<Identifier, ContainerImage>,
     ntp: NtpSettings,
+    network: NetworkSettings,
     kernel: KernelSettings,
     aws: AwsSettings,
 }

sources/models/src/aws-k8s-1.15/override-defaults.toml

@@ -5,7 +5,7 @@ template-path = "/usr/share/templates/containerd-config-toml_aws-k8s"
 # Kubernetes.
 
 [services.kubernetes]
-configuration-files = ["kubelet-env", "kubelet-config", "kubelet-kubeconfig", "kubernetes-ca-crt"]
+configuration-files = ["kubelet-env", "kubelet-config", "kubelet-kubeconfig", "kubernetes-ca-crt", "proxy-env"]
 restart-commands = ["/bin/systemctl try-restart kubelet.service"]
 
 [configuration-files.kubelet-env]
@@ -36,3 +36,8 @@ affected-services = ["kubernetes", "containerd"]
 
 [settings.kubernetes]
 cluster-domain = "cluster.local"
+
+
+# Network
+[metadata.settings.network]
+affected-services = ["containerd", "kubernetes", "host-containerd"]

sources/models/src/lib.rs

@@ -140,6 +140,14 @@ struct ContainerImage {
     superpowered: bool,
 }
 
+// Network settings. These settings will affect host service components' network behavior
+#[model]
+struct NetworkSettings {
+    https_proxy: Url,
+    // We allow some flexibility in NO_PROXY values because different services support different formats.
+    no_proxy: Vec<SingleLineString>,
+}
+
 // NTP settings
 #[model]
 struct NtpSettings {

sources/models/src/modeled_types/shared.rs

@@ -240,6 +240,9 @@ mod test_url {
             "http://localhost",
             "localhost/path",
             "localhost",
+            "localhost:8080",
+            ".internal",
+            ".cluster.local"
         ] {
             Url::try_from(*ok).unwrap();
         }