
[taler-deployment] branch master updated: new netjail


From: gnunet
Subject: [taler-deployment] branch master updated: new netjail
Date: Mon, 17 Feb 2020 14:08:13 +0100

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository deployment.

The following commit(s) were added to refs/heads/master by this push:
     new 114060f  new netjail
114060f is described below

commit 114060fb686285de9dc9b39acbd739ea9c9d7e15
Author: Florian Dold <address@hidden>
AuthorDate: Mon Feb 17 14:08:07 2020 +0100

    new netjail
---
 netjail/netjail-privdrop.sh | 47 +++++++++++++++++++++++++++++++++++++++++++++
 netjail/netjail.sh          | 38 +++++++++++++++---------------------
 2 files changed, 63 insertions(+), 22 deletions(-)

diff --git a/netjail/netjail-privdrop.sh b/netjail/netjail-privdrop.sh
new file mode 100755
index 0000000..4ea2a3e
--- /dev/null
+++ b/netjail/netjail-privdrop.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# This file is in the public domain.
+#
+# Shell script for to setup one instance of a network namespace.
+# Used by buildslaves to avoid port conflicts.
+#
+# First argument ($1) must be a unique number (unique amongst
+# all users of the script) between 2 and 254 to be used in
+# the IP address for routing the traffic of the network
+# namespace to the Internet.
+#
+# The remaining arguments are the command (and arguments to the
+# command) to be run in the network namespace (i.e. 'make check').
+
+# This script is executed by root and should *not* be in sudoers
+
+set -eu
+set -x
+
+N=$1
+shift 1
+
+NAME=buildernet-$N
+
+# Go to the root namespace to delete our network NS,
+# as we can't do it from inside when we use 'ip netns' to enter it.
+nsenter -m -t 1 -- ip netns del $NAME
+
+# Configure our network inside the namespace
+ip link set dev lo up
+ip link set dev "tap-$N" up
+dhclient --no-pid "tap-$N"
+
+# Finally, run whatever the user's command was
+ME=${SUDO_USER:?must run in sudo}
+
+# Execute target program as the original user.
+# We should already be in a PID namespace, but we still need to mount proc.
+unshare --mount-proc -- sudo -u "$ME" -- "$@"
+ret=$?
+
+# Release the lease
+dhclient --no-pid -r || false
+
+# Exit with the target program's exit status
+exit $ret
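Review bot: `ret=$?` after the unshare line never observes a non-zero status: with `set -eu` at the top of this file a failing user command terminates the script right at `unshare --mount-proc -- sudo -u "$ME" -- "$@"`, so the lease release `dhclient --no-pid -r` below is skipped and only a zero status can ever reach `exit $ret`. Capture the status without tripping -e: `ret=0` followed by `unshare --mount-proc -- sudo -u "$ME" -- "$@" || ret=$?`. For the same reason the `|| false` on the `dhclient --no-pid -r` line adds nothing, since a failing dhclient already aborts under -e. The header comment still describes `$1` as a number between 2 and 254 used in the namespace's IP address, but netjail.sh in this same commit now passes a random id and the address comes from dhclient, so that paragraph should be rewritten to say `$1` is the namespace id chosen by netjail.sh. `$NAME` in `nsenter -m -t 1 -- ip netns del $NAME` should be quoted like every other expansion in the file.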
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
index df4df1a..17dd095 100755
--- a/netjail/netjail.sh
+++ b/netjail/netjail.sh
@@ -15,6 +15,7 @@
 #
 
 set -eu
+set -x
 
 # Be extra safe, even though sudo should already do this.
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
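Review bot: `set -x` here (and the identical line added in the new netjail-privdrop.sh) traces every command of a root-run script to stderr, including the caller's complete command line `"$@"` and the sudo invocation, so anything a buildslave passes as an argument is copied into the build log. If the trace is meant to stay, consider enabling it only when an opt-in environment variable is set (for example a constructed `NETJAIL_TRACE`, `[ -n "${NETJAIL_TRACE:-}" ] && set -x`) rather than unconditionally.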
@@ -22,30 +23,23 @@ export 
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 # See netjail-init.sh
 BRIDGE=builderbridge
 
-# Make $N the first argument.
-N=$1
-shift 1
+# Generate random ID for namespace
+NSUID=$(od -x /dev/urandom | head -1 | awk '{OFS="-"; print $2$3}')
 
-NAME=buildernet-$N
-
-# Delete previous bridge and netns
-brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
-ip netns del "$NAME" 2>/dev/null || true
+NSNAME=buildernet-$NSUID
 
 # Create network namespace
-ip netns add "$NAME"
-# Ensure loopback is up
-ip netns exec "$NAME" ip link set lo up
+ip netns add "$NSNAME"
+
+TAP=tap-$NSUID
+BRTAP=br-tap-$NSUID
 
 # Setup link to our bridge
-ip link add "tap$N" type veth peer name br-tap$N
-brctl addif "$BRIDGE" "br-tap$N"
-ip link set "tap$N" netns "$NAME"
-ip netns exec "$NAME" ip link set dev "tap$N" up
-ip link set dev "br-tap$N" up
-ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
-ip netns exec "$NAME" ip route add default via 10.42.42.1
-
-# Finally, run whatever the user's command was
-ME=${SUDO_USER:?must run in sudo}
-exec unshare -pf --mount-proc -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
+ip link add "$TAP" type veth peer name "$BRTAP"
+brctl addif "$BRIDGE" "$BRTAP"
+ip link set "$TAP" netns "$NSNAME"
+ip link set dev "$BRTAP" up
+
+# Execute netjail-privdrop in a process namespace, but do not mount proc yet,
+# so that we can still "nsenter" the root NS to drop the 
+exec unshare -fp --kill-child -- ip netns exec "$NSNAME" netjail-privdrop.sh 
"$NSUID" "$@"
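Review bot: The comment above the final exec is cut off ("so that we can still "nsenter" the root NS to drop the ") and should state what happens there; suggest `# so that netjail-privdrop.sh can still "nsenter" the root NS to delete the netns before it drops privileges.`. Once `ip netns add "$NSNAME"` has succeeded, a failure of any later setup command (the script runs under `set -eu` with no trap) leaves the namespace and its veth pair behind, and because the name is now random the next run can no longer clean it up the way the removed `ip netns del "$NAME" 2>/dev/null || true` did; a `trap 'ip netns del "$NSNAME"' EXIT` right after the add, cleared with `trap - EXIT` immediately before the exec, covers that window. Note also that `br-tap-` plus the eight hex digits from `od -x` is 15 characters, the longest interface name the kernel accepts, so any change to the id format would need a length check.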

-- 
To stop receiving notification emails like this one, please contact
address@hidden.


