gnunet-svn

[taler-deployment] branch master updated: netjail


From: gnunet
Subject: [taler-deployment] branch master updated: netjail
Date: Sun, 16 Feb 2020 19:16:44 +0100

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository deployment.

The following commit(s) were added to refs/heads/master by this push:
     new d8078ad  netjail
d8078ad is described below

commit d8078ada43a1a2959591f7f1c4c3f15263ef2e1b
Author: Florian Dold <address@hidden>
AuthorDate: Sun Feb 16 19:16:36 2020 +0100

    netjail
---
 netjail/README          |  1 +
 netjail/netjail-init.sh | 37 +++++++++++++++++++++++++++++++++++
 netjail/netjail.sh      | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 89 insertions(+)

diff --git a/netjail/README b/netjail/README
new file mode 100644
index 0000000..ad4cc60
--- /dev/null
+++ b/netjail/README
@@ -0,0 +1 @@
+The scripts in this folder are used to run a program in a PID and network 
namespace.
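Review bot: the README leaves out how the two scripts fit together, and the only documentation is in the script headers; it should state that netjail-init.sh is run once as root at boot to create the shared bridge and NAT, that netjail.sh is then run per build through sudo (it requires SUDO_USER), and that its first argument is a unique number between 2 and 254 chosen per caller.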
diff --git a/netjail/netjail-init.sh b/netjail/netjail-init.sh
new file mode 100755
index 0000000..a16eb82
--- /dev/null
+++ b/netjail/netjail-init.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# This file is in the public domain.
+#
+# Shell script for the general setup of network namespaces.
+# This script should be run once at boot time (as root).
+# Afterwards, the netjail.sh can be used by anyone (with
+# the right permissions) to create their own network namespace.
+#
+set -eu
+
+# Setup virtual bridge which we will use to connect all
+# of the builder networks to.
+
+BRIDGE=builderbridge
+
+brctl addbr $BRIDGE
+brctl stp $BRIDGE off
+ip link set dev $BRIDGE up
+
+# Connect bridge to host network
+ip link add tap0 type veth peer name br-tap0
+brctl addif $BRIDGE br-tap0
+ip link set dev tap0 up
+ip link set dev br-tap0 up
+
+# Configure bridge on host
+ip addr add 10.42.42.1/24 dev tap0
+
+# Configure IP masquerading/NAT
+# Obtain list of our network interfaces from /etc/network/interfaces
+IFCS=`cat /etc/network/interfaces | grep iface | grep -v loopback | awk 
'{print $2}'`
+for IFC in $IFCS
+do
+    iptables --table nat --append POSTROUTING --out-interface $IFC -j 
MASQUERADE
+done
+echo 1 > /proc/sys/net/ipv4/ip_forward
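Review bot: the NAT rule in the loop (`iptables --table nat --append POSTROUTING --out-interface $IFC -j MASQUERADE`) masquerades every forwarded packet leaving $IFC, not only traffic from the builder network, and `echo 1 > /proc/sys/net/ipv4/ip_forward` turns the host into a router with no FORWARD policy at all; restrict the rule with `-s 10.42.42.0/24` and add FORWARD rules so a jail can reach the uplink through tap0 but not other host-side networks or other hosts behind them. Discovering uplinks by grepping /etc/network/interfaces is ifupdown-specific: on a host using systemd-networkd or NetworkManager the list is empty and the jails silently get no NAT, and on a host that also declares virtual interfaces there they get a MASQUERADE rule too. Two smaller points: the script is not re-runnable under `set -eu`, since `brctl addbr` fails when the bridge already exists, and `brctl` comes from the deprecated bridge-utils package while the rest of the script already uses iproute2 (`ip link add name $BRIDGE type bridge`, `ip link set dev br-tap0 master $BRIDGE`); and the host end of the veth pair is named `tap0`, which is not a TUN/TAP device and will collide with a real tap0 on any host running a VPN or VM.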
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
new file mode 100755
index 0000000..b07927b
--- /dev/null
+++ b/netjail/netjail.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# This file is in the public domain.
+#
+# Shell script for to setup one instance of a network namespace.
+# Used by buildslaves to avoid port conflicts.
+#
+# First argument ($1) must be a unique number (unique amongst
+# all users of the script) between 2 and 254 to be used in
+# the IP address for routing the traffic of the network
+# namespace to the Internet.
+#
+# The remaining arguments are the command (and arguments to the
+# command) to be run in the network namespace (i.e. 'make check').
+#
+
+set -eu
+
+# Be extra safe, even though sudo should already do this.
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# See netjail-init.sh
+BRIDGE=builderbridge
+
+# Make $N the first argument.
+N=$1
+shift 1
+
+NAME=buildernet-$N
+
+# Delete previous bridge and netns
+brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
+ip netns del "$NAME" 2>/dev/null || true
+
+# Create network namespace
+ip netns add "$NAME"
+# Ensure loopback is up
+ip netns exec "$NAME" ip link set lo up
+
+# Setup link to our bridge
+ip link add "tap$N" type veth peer name br-tap$N
+brctl addif "$BRIDGE" "br-tap$N"
+ip link set "tap$N" netns "$NAME"
+ip netns exec "$NAME" ip link set dev "tap$N" up
+ip link set dev "br-tap$N" up
+ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
+ip netns exec "$NAME" ip route add default via 10.42.42.1
+
+# Finally, run whatever the user's command was
+ME=${SUDO_USER:?must run in sudo}
+exec unshare -pf -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
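Review bot: `N=$1` is never checked to be an integer in the documented range 2..254, although it is spliced into a netns name, two interface names and an IP address, and the peer name on `ip link add "tap$N" type veth peer name br-tap$N` is unquoted; since this script is intended to be invoked through sudo by unprivileged builders, reject anything but a number in range before the first `ip` call (N=1 in particular would collide with the gateway 10.42.42.1, and a large N yields an invalid address only after the namespace and veth have already been created). The uniqueness requirement in the header comment is not enforced either: a second caller passing the same N runs `brctl delif` and `ip netns del "$NAME"` on another user's live jail and tears down its build, so either derive N from the caller (for example from the uid) or refuse when `ip netns list` already shows the name. The cleanup block also does not remove a leftover host-side `tap$N` from a run that died between `ip link add` and `ip link set "tap$N" netns`, which then makes the next `ip link add` fail under `set -e`; an `ip link del "tap$N" 2>/dev/null || true` alongside the existing lines covers that. Finally, `unshare -pf` gives the command a new PID namespace but, without `--mount-proc`, it still sees the host's /proc, so `ps` and other PID-based tools inside the jail report host processes and `make check` tests that kill by PID can reach outside the jail; add `--mount-proc`, which also unshares the mount namespace so the host's /proc is left untouched.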

-- 
To stop receiving notification emails like this one, please contact
address@hidden.
