35coreos-network: add coreos-enable-iptables-legacy

This implements the proposal agreed upon in: coreos/fedora-coreos-tracker#676 On first boot and subsequent boots, we look for `/etc/fedora-coreos/iptables-legacy.stamp`. If found, we move the system back to iptables-legacy. If any modifications already exist to the configuration, we do nothing.
coreos · Nov 9, 2021 · 278b605 · 278b605
1 parent d874265
commit 278b605
Show file tree

Hide file tree

Showing 6 changed files with 117 additions and 4 deletions.
diff --git a/....d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service b/....d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=CoreOS Enable iptables-legacy
+ConditionPathExists=/etc/initrd-release
+DefaultDependencies=false
+ConditionPathExists=/sysroot/etc/fedora-coreos/iptables-legacy.stamp
+
+# On first boot, allow Ignition config to install stamp file.
+After=ignition-files.service
+
+# On subsequent boots, just make sure the deployment is accessible.
+After=ostree-prepare-root.service
+
+Before=initrd.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-enable-iptables-legacy
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+set -euo pipefail
+
+declare -A SYMLINKS=(
+    [ip6tables]=ip6tables-legacy
+    [ip6tables-restore]=ip6tables-legacy-restore
+    [ip6tables-save]=ip6tables-legacy-save
+    [iptables]=iptables-legacy
+    [iptables-restore]=iptables-legacy-restore
+    [iptables-save]=iptables-legacy-save
+)
+
+# sanity-check the stamp file is present
+if [ ! -e /sysroot/etc/fedora-coreos/iptables-legacy.stamp ]; then
+    exit 0
+fi
+
+# if legacy doesn't exist on the host anymore, do nothing
+for legacy in "${SYMLINKS[@]}"; do
+    path=/sysroot/usr/sbin/$legacy
+    if [ ! -e "$path" ]; then
+        echo "Executable $path no longer present; exiting."
+        exit 0
+    fi
+done
+
+symlink_is_default() {
+    local symlink=$1; shift
+    # check that the deployment is still using the symlink (i.e. the user didn't
+    # do something funky), and that the OSTree default is still symlink-based
+    # (i.e. that we didn't change strategy and forgot to update this script)
+    if [ ! -L "/sysroot/$symlink" ] || [ ! -L "/sysroot/usr/$symlink" ]; then
+        return 1
+    fi
+    # compare symlink targets between deployment and OSTree default
+    if [ "$(readlink "/sysroot/$symlink")" != "$(readlink "/sysroot/usr/$symlink")" ]; then
+        return 1
+    fi
+}
+
+# If there are any modifications to the symlinks, do nothing. This is basically
+# like `ostree admin config-diff` but more focused and lighter/safer than doing
+# a bwrap call and grepping output.
+for symlink in "${!SYMLINKS[@]}"; do
+    symlink=/etc/alternatives/$symlink
+    if ! symlink_is_default "$symlink"; then
+        echo "Symlink $symlink is not default; exiting without modifying."
+        exit 0
+    fi
+done
+
+# Update symlinks for legacy backend!
+for symlink in "${!SYMLINKS[@]}"; do
+    target=${SYMLINKS[$symlink]}
+    symlink=/etc/alternatives/$symlink
+    ln -vsf "/usr/sbin/$target" "/sysroot/$symlink"
+    # symlink labels don't matter, but relabel to appease unlabeled_t scanners
+    coreos-relabel "$symlink"
+done
+
+rm /sysroot/etc/fedora-coreos/iptables-legacy.stamp
+echo "Updated /sysroot to use iptables-legacy."
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh
@@ -8,11 +8,18 @@ install_and_enable_unit() {
 }
 
 install() {
+    inst_simple readlink
+
     inst_simple "$moddir/coreos-enable-network.sh" \
         "/usr/sbin/coreos-enable-network"
     install_and_enable_unit "coreos-enable-network.service" \
         "initrd.target"
 
+    inst_simple "$moddir/coreos-enable-iptables-legacy.sh" \
+        "/usr/sbin/coreos-enable-iptables-legacy"
+    install_and_enable_unit "coreos-enable-iptables-legacy.service" \
+        "initrd.target"
+
     inst_simple "$moddir/coreos-copy-firstboot-network.sh" \
         "/usr/sbin/coreos-copy-firstboot-network"
     # Only run this when ignition runs and only when the system

diff --git a/tests/kola/firewall/iptables-legacy/config.bu b/tests/kola/firewall/iptables-legacy/config.bu
@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.3.0
+storage:
+  directories:
+    - path: /etc/fedora-coreos
+      mode: 0755
+  files:
+    - path: /etc/fedora-coreos/iptables-legacy.stamp
+      mode: 0644
diff --git a/tests/kola/firewall/iptables-legacy → tests/kola/firewall/iptables-legacy/test.sh b/tests/kola/firewall/iptables-legacy → tests/kola/firewall/iptables-legacy/test.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# kola: { "exclusive": false }
+# kola: { "exclusive": true, "distros": "fcos" }
 set -xeuo pipefail
 
 ok() {
@@ -11,10 +11,9 @@ fatal() {
     exit 1
 }
 
-# Make sure we're still on legacy iptables for now
-# https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
+# Make sure we're on legacy iptables
 if ! iptables --version | grep legacy; then
     iptables --version # output for logs
     fatal "iptables version is not legacy"
 fi
-ok "iptables still in legacy mode"
+ok "iptables in legacy mode"
diff --git a/tests/kola/firewall/iptables-nft/test.sh b/tests/kola/firewall/iptables-nft/test.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# kola: { "exclusive": false }
+set -xeuo pipefail
+
+ok() {
+    echo "ok" "$@"
+}
+
+fatal() {
+    echo "$@" >&2
+    exit 1
+}
+
+if ! iptables --version | grep nf_tables; then
+    iptables --version # output for logs
+    fatal "iptables version is not nft"
+fi
+ok "iptables in nft mode"