From 278b6057d32a4ac44cc27ff49753f30681c240e9 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Wed, 3 Nov 2021 12:23:32 -0400
Subject: [PATCH] 35coreos-network: add coreos-enable-iptables-legacy

This implements the proposal agreed upon in:
https://github.com/coreos/fedora-coreos-tracker/issues/676

On first boot and subsequent boots, we look for `/etc/fedora-coreos/iptables-legacy.stamp`. If found, we move the system back to iptables-legacy. If any modifications already exist to the configuration, we do nothing.
---
 .../coreos-enable-iptables-legacy.service | 18 ++++++
 .../coreos-enable-iptables-legacy.sh | 62 +++++++++++++++++++
 .../35coreos-network/module-setup.sh | 7 +++
 tests/kola/firewall/iptables-legacy/config.bu | 9 +++
 .../test.sh} | 7 +--
 tests/kola/firewall/iptables-nft/test.sh | 18 ++++++
 6 files changed, 117 insertions(+), 4 deletions(-)
 create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service
 create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh
 create mode 100644 tests/kola/firewall/iptables-legacy/config.bu
 rename tests/kola/firewall/{iptables-legacy => iptables-legacy/test.sh} (53%)
 create mode 100755 tests/kola/firewall/iptables-nft/test.sh

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service
new file mode 100644
index 0000000000..df8ac1d2f9
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=CoreOS Enable iptables-legacy
+ConditionPathExists=/etc/initrd-release
+DefaultDependencies=false
+ConditionPathExists=/sysroot/etc/fedora-coreos/iptables-legacy.stamp
+
+# On first boot, allow Ignition config to install stamp file.
+After=ignition-files.service
+
+# On subsequent boots, just make sure the deployment is accessible.
+After=ostree-prepare-root.service
+
+Before=initrd.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-enable-iptables-legacy
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh
new file mode 100755
index 0000000000..8866cc4754
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh
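Review bot: The unit has no failure handling: the script it starts (`coreos-enable-iptables-legacy`, added in the same patch) runs under `set -e`, so an error partway through leaves this oneshot failed while the boot proceeds into a deployment whose alternatives may be only partly switched. If the other initrd units in this module escalate with `OnFailure=emergency.target`, this one should follow; if they do not, at least document the consequence in the unit. The pair of `ConditionPathExists=` lines also deserves a one-liner above the first, since a reader may wonder why two are listed: `# Both conditions must hold: run only inside the initramfs, and only when the stamp is present.`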
@@ -0,0 +1,62 @@
+#!/bin/bash
+set -euo pipefail
+
+declare -A SYMLINKS=(
+ [ip6tables]=ip6tables-legacy
+ [ip6tables-restore]=ip6tables-legacy-restore
+ [ip6tables-save]=ip6tables-legacy-save
+ [iptables]=iptables-legacy
+ [iptables-restore]=iptables-legacy-restore
+ [iptables-save]=iptables-legacy-save
+)
+
+# sanity-check the stamp file is present
+if [ ! -e /sysroot/etc/fedora-coreos/iptables-legacy.stamp ]; then
+ exit 0
+fi
+
+# if legacy doesn't exist on the host anymore, do nothing
+for legacy in "${SYMLINKS[@]}"; do
+ path=/sysroot/usr/sbin/$legacy
+ if [ ! -e "$path" ]; then
+ echo "Executable $path no longer present; exiting."
+ exit 0
+ fi
+done
+
+symlink_is_default() {
+ local symlink=$1; shift
+ # check that the deployment is still using the symlink (i.e. the user didn't
+ # do something funky), and that the OSTree default is still symlink-based
+ # (i.e. that we didn't change strategy and forgot to update this script)
+ if [ ! -L "/sysroot/$symlink" ] || [ ! -L "/sysroot/usr/$symlink" ]; then
+ return 1
+ fi
+ # compare symlink targets between deployment and OSTree default
+ if [ "$(readlink "/sysroot/$symlink")" != "$(readlink "/sysroot/usr/$symlink")" ]; then
+ return 1
+ fi
+}
+
+# If there are any modifications to the symlinks, do nothing. This is basically
+# like `ostree admin config-diff` but more focused and lighter/safer than doing
+# a bwrap call and grepping output.
+for symlink in "${!SYMLINKS[@]}"; do
+ symlink=/etc/alternatives/$symlink
+ if ! symlink_is_default "$symlink"; then
+ echo "Symlink $symlink is not default; exiting without modifying."
+ exit 0
+ fi
+done
+
+# Update symlinks for legacy backend!
+for symlink in "${!SYMLINKS[@]}"; do
+ target=${SYMLINKS[$symlink]}
+ symlink=/etc/alternatives/$symlink
+ ln -vsf "/usr/sbin/$target" "/sysroot/$symlink"
+ # symlink labels don't matter, but relabel to appease unlabeled_t scanners
+ coreos-relabel "$symlink"
+done
+
+rm /sysroot/etc/fedora-coreos/iptables-legacy.stamp
+echo "Updated /sysroot to use iptables-legacy."
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh
index 7c910b1b74..c8c98986f1 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh
@@ -8,11 +8,18 @@ install_and_enable_unit() {
 }
 install() {
+ inst_simple readlink
+
 inst_simple "$moddir/coreos-enable-network.sh" \ "/usr/sbin/coreos-enable-network"
 install_and_enable_unit "coreos-enable-network.service" \ "initrd.target"
+ inst_simple "$moddir/coreos-enable-iptables-legacy.sh" \ "/usr/sbin/coreos-enable-iptables-legacy"
+ install_and_enable_unit "coreos-enable-iptables-legacy.service" \ "initrd.target"
+
 inst_simple "$moddir/coreos-copy-firstboot-network.sh" \ "/usr/sbin/coreos-copy-firstboot-network"
 # Only run this when ignition runs and only when the system
diff --git a/tests/kola/firewall/iptables-legacy/config.bu b/tests/kola/firewall/iptables-legacy/config.bu
new file mode 100644
index 0000000000..e87ba90d42
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/config.bu
@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.3.0
+storage:
+ directories:
+ - path: /etc/fedora-coreos
+ mode: 0755
+ files:
+ - path: /etc/fedora-coreos/iptables-legacy.stamp
+ mode: 0644
diff --git a/tests/kola/firewall/iptables-legacy b/tests/kola/firewall/iptables-legacy/test.sh
similarity index 53%
rename from tests/kola/firewall/iptables-legacy
rename to tests/kola/firewall/iptables-legacy/test.sh
index c21373026e..125369ae25 100755
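Review bot: The final update loop is not atomic: the script runs under `set -e`, so a failing `ln` or `coreos-relabel` on the second alternative aborts with the first already pointing at the legacy binary, the stamp still in place and the unit failed. On the next boot `symlink_is_default` then sees a modified link and exits without touching anything, so the deployment is stuck with a mixed set (e.g. `iptables` legacy, `ip6tables` nft), where rules loaded through one tool are invisible to the other. Switching all six links first and relabelling in a second pass removes the most likely mid-way failure; a `trap` on ERR that restores the original targets would close the remaining window. Minor: `ln -sfT` would refuse to descend into the target should it ever be a directory. Whether `coreos-relabel` takes a path relative to `/sysroot`, as the call here assumes, cannot be verified from this patch.
```shell
# … unchanged: stamp-file, legacy-binary and symlink_is_default checks …

# Flip every alternative before relabelling any of them: with `set -e`, a
# relabel failure inside one combined loop leaves a mixed nft/legacy set that
# the symlink_is_default check above then refuses to touch on later boots.
for symlink in "${!SYMLINKS[@]}"; do
    target=${SYMLINKS[$symlink]}
    ln -vsfT "/usr/sbin/$target" "/sysroot/etc/alternatives/$symlink"
done
for symlink in "${!SYMLINKS[@]}"; do
    # symlink labels don't matter, but relabel to appease unlabeled_t scanners
    coreos-relabel "/etc/alternatives/$symlink"
done

# … unchanged: stamp removal and final message …
```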
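Review bot: `inst_simple readlink` copies only the file itself; for an ELF binary the dracut idiom is `inst_binary` (or `inst`), which also resolves and installs the shared libraries the binary links against. It presumably works today because coreutils `readlink` needs little beyond libc, which the initramfs already has, but `inst_binary readlink` states the intent and does not depend on that staying true. The new script also calls `coreos-relabel`, which this hunk does not install; another module presumably provides it in the initramfs, and that is worth confirming, since a missing helper aborts the script midway under `set -e`. The enclosing `install()` function continues beyond the hunk.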
--- a/tests/kola/firewall/iptables-legacy
+++ b/tests/kola/firewall/iptables-legacy/test.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# kola: { "exclusive": false }
+# kola: { "exclusive": true, "distros": "fcos" }
 set -xeuo pipefail
 ok() {
@@ -11,10 +11,9 @@ fatal() {
 exit 1
 }
-# Make sure we're still on legacy iptables for now
-# https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
+# Make sure we're on legacy iptables
 if ! iptables --version | grep legacy; then
 iptables --version # output for logs
 fatal "iptables version is not legacy"
 fi
-ok "iptables still in legacy mode"
+ok "iptables in legacy mode"
diff --git a/tests/kola/firewall/iptables-nft/test.sh b/tests/kola/firewall/iptables-nft/test.sh
new file mode 100755
index 0000000000..89f75fcfb7
--- /dev/null
+++ b/tests/kola/firewall/iptables-nft/test.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# kola: { "exclusive": false }
+set -xeuo pipefail
+
+ok() {
+ echo "ok" "$@"
+}
+
+fatal() {
+ echo "$@" >&2
+ exit 1
+}
+
+if ! iptables --version | grep nf_tables; then
+ iptables --version # output for logs
+ fatal "iptables version is not nft"
+fi
+ok "iptables in nft mode"
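Review bot: The assertion in the second hunk checks only `iptables`, while the enabler this test exercises switches six alternatives (`iptables`, `ip6tables` and their `-save`/`-restore` variants), so a half-applied switch would still pass. Looping over at least the two front ends catches that: `for cmd in iptables ip6tables; do $cmd --version | grep -q legacy || fatal "$cmd is not legacy"; done`, keeping the `--version` print for the logs if wanted. `grep -q` also keeps the matched line out of the `set -x` trace. The `fatal` function starts before the hunk.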
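Review bot: The new nft test pins the IPv4 front end only; `ip6tables --version` should be asserted alongside it, because the legacy enabler treats the v4 and v6 tools as one set and a deployment where only `ip6tables` had been switched would pass here. `"exclusive": false` assumes no other test bundled onto the same machine drops `/etc/fedora-coreos/iptables-legacy.stamp`; the sibling legacy test is marked exclusive for exactly that reason, so this holds as long as future stamp-installing tests follow suit, which a one-line comment next to the kola header would help enforce. Nit: `grep -q nf_tables` avoids echoing the match into the `set -x` trace.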