From a8c177018ecad001cc909cc62f69c3fb9bab9b71 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Wed, 3 Nov 2021 12:23:32 -0400
Subject: [PATCH] 35coreos-network: add coreos-enable-iptables-legacy
This implements the proposal agreed upon in: https://github.com/coreos/fedora-coreos-tracker/issues/676 On first boot and subsequent boots, we look for `/etc/fedora-coreos/iptables-legacy.stamp`. If found, we move the system back to iptables-legacy. If any modifications already exist to the configuration, we do nothing.
---
 .../coreos-enable-iptables-legacy.service | 19 ++++++
 .../coreos-enable-iptables-legacy.sh | 62 +++++++++++++++++++
 .../35coreos-network/module-setup.sh | 7 +++
 tests/kola/firewall/iptables-legacy | 20 ------
 tests/kola/firewall/iptables-legacy/config.bu | 28 +++++++++
 tests/kola/firewall/iptables-legacy/test.sh | 23 +++++++
 tests/kola/firewall/iptables-nft/test.sh | 18 ++++++
 7 files changed, 157 insertions(+), 20 deletions(-)
 create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service
 create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh
 delete mode 100755 tests/kola/firewall/iptables-legacy
 create mode 100644 tests/kola/firewall/iptables-legacy/config.bu
 create mode 100755 tests/kola/firewall/iptables-legacy/test.sh
 create mode 100755 tests/kola/firewall/iptables-nft/test.sh
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service
new file mode 100644
index 0000000000..95b78b13e1
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=CoreOS Enable iptables-legacy
+ConditionPathExists=/etc/initrd-release
+DefaultDependencies=false
+ConditionPathExists=/sysroot/etc/fedora-coreos/iptables-legacy.stamp
+ConditionKernelCommandLine=!ignition.firstboot
+
+# On first boot, allow Ignition config to install stamp file.
+After=ignition-files.service
+
+# On subsequent boots, just make sure the deployment is accessible.
+After=ostree-prepare-root.service
+
+Before=initrd.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-enable-iptables-legacy
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh
new file mode 100755
index 0000000000..8866cc4754
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-enable-iptables-legacy.sh
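Review bot: `ConditionKernelCommandLine=!ignition.firstboot` contradicts both the comment a few lines below it and the commit message: with the `!` prefix the condition holds only when `ignition.firstboot` is absent from the kernel command line, so on the very boot where Ignition has just written the stamp the unit is skipped, and the `After=ignition-files.service` ordering has nothing left to order. If the switch is meant to happen on first boot as the message says, drop that line; if deferring it to the second boot is deliberate, replace the first-boot comment with one that says so, e.g. `# Intentionally not run on the Ignition boot; a stamp written by Ignition takes effect on the next boot.` Either way, the stamp check is done twice (here and at the top of the script), which is fine, but a comment noting that the unit-level condition is the one that keeps the unit out of the journal on ordinary boots would explain why both exist.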
@@ -0,0 +1,62 @@
+#!/bin/bash
+set -euo pipefail
+
+declare -A SYMLINKS=(
+ [ip6tables]=ip6tables-legacy
+ [ip6tables-restore]=ip6tables-legacy-restore
+ [ip6tables-save]=ip6tables-legacy-save
+ [iptables]=iptables-legacy
+ [iptables-restore]=iptables-legacy-restore
+ [iptables-save]=iptables-legacy-save
+)
+
+# sanity-check the stamp file is present
+if [ ! -e /sysroot/etc/fedora-coreos/iptables-legacy.stamp ]; then
+ exit 0
+fi
+
+# if legacy doesn't exist on the host anymore, do nothing
+for legacy in "${SYMLINKS[@]}"; do
+ path=/sysroot/usr/sbin/$legacy
+ if [ ! -e "$path" ]; then
+ echo "Executable $path no longer present; exiting."
+ exit 0
+ fi
+done
+
+symlink_is_default() {
+ local symlink=$1; shift
+ # check that the deployment is still using the symlink (i.e. the user didn't
+ # do something funky), and that the OSTree default is still symlink-based
+ # (i.e. that we didn't change strategy and forgot to update this script)
+ if [ ! -L "/sysroot/$symlink" ] || [ ! -L "/sysroot/usr/$symlink" ]; then
+ return 1
+ fi
+ # compare symlink targets between deployment and OSTree default
+ if [ "$(readlink "/sysroot/$symlink")" != "$(readlink "/sysroot/usr/$symlink")" ]; then
+ return 1
+ fi
+}
+
+# If there are any modifications to the symlinks, do nothing. This is basically
+# like `ostree admin config-diff` but more focused and lighter/safer than doing
+# a bwrap call and grepping output.
+for symlink in "${!SYMLINKS[@]}"; do
+ symlink=/etc/alternatives/$symlink
+ if ! symlink_is_default "$symlink"; then
+ echo "Symlink $symlink is not default; exiting without modifying."
+ exit 0
+ fi
+done
+
+# Update symlinks for legacy backend!
+for symlink in "${!SYMLINKS[@]}"; do
+ target=${SYMLINKS[$symlink]}
+ symlink=/etc/alternatives/$symlink
+ ln -vsf "/usr/sbin/$target" "/sysroot/$symlink"
+ # symlink labels don't matter, but relabel to appease unlabeled_t scanners
+ coreos-relabel "$symlink"
+done
+
+rm /sysroot/etc/fedora-coreos/iptables-legacy.stamp
+echo "Updated /sysroot to use iptables-legacy."
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh
index 7c910b1b74..c8c98986f1 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-network/module-setup.sh
@@ -8,11 +8,18 @@ install_and_enable_unit() {
 }
 install() {
+ inst_simple readlink
+
 inst_simple "$moddir/coreos-enable-network.sh" \
 "/usr/sbin/coreos-enable-network"
 install_and_enable_unit "coreos-enable-network.service" \
 "initrd.target"
+ inst_simple "$moddir/coreos-enable-iptables-legacy.sh" \
+ "/usr/sbin/coreos-enable-iptables-legacy"
+ install_and_enable_unit "coreos-enable-iptables-legacy.service" \
+ "initrd.target"
+
 inst_simple "$moddir/coreos-copy-firstboot-network.sh" \
 "/usr/sbin/coreos-copy-firstboot-network"
 # Only run this when ignition runs and only when the system
diff --git a/tests/kola/firewall/iptables-legacy b/tests/kola/firewall/iptables-legacy
deleted file mode 100755
index c21373026e..0000000000
--- a/tests/kola/firewall/iptables-legacy
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-# kola: { "exclusive": false }
-set -xeuo pipefail
-
-ok() {
- echo "ok" "$@"
-}
-
-fatal() {
- echo "$@" >&2
- exit 1
-}
-
-# Make sure we're still on legacy iptables for now
-# https://github.com/coreos/fedora-coreos-tracker/issues/676#issuecomment-928028451
-if ! iptables --version | grep legacy; then
- iptables --version # output for logs
- fatal "iptables version is not legacy"
-fi
-ok "iptables still in legacy mode"
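Review bot: If the final loop is interrupted partway — `ln` or `coreos-relabel` failing under `set -euo pipefail` — the deployment is left half-switched and stays that way: the stamp is still present at the next boot, but `symlink_is_default` now returns 1 for the links already rewritten to legacy, so the pre-check loop exits with "is not default" and never finishes, leaving e.g. `iptables` on the legacy backend and `iptables-restore` on nf_tables, two backends whose rule sets are invisible to each other's tooling. The pre-check could accept a link that already points at its intended legacy target, e.g. `want=/usr/sbin/${SYMLINKS[$symlink]}` computed before `symlink` is reassigned and `if ! symlink_is_default "$symlink" && [ "$(readlink "/sysroot/$symlink")" != "$want" ]; then`, so a rerun converges instead of bailing. Separately, `ln -vsf` without `-T` would create the link inside the destination if `/sysroot/$symlink` were ever a directory rather than a link; `ln -vsfT` makes the replace-the-link intent explicit even though the default check makes that case unlikely. A header comment stating the contract would also help a reader who lands here from the unit file: `# Runs in the initrd with /sysroot = the booted deployment; switches the alternatives links to *-legacy only when the stamp is present and every link is still at its OSTree default.`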
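Review bot: `inst_simple readlink` installs an executable with the helper meant for plain files: as far as I recall dracut's API, `inst_simple` copies the single file without its shared-library dependencies and does not look a bare name up in `PATH`, whereas `inst_multiple readlink` (or `inst_binary`) does both. The new script also depends on `coreos-relabel`, `ln` and `rm` being present in the initrd; none is installed here, and if `coreos-relabel` comes from another dracut module, naming it in this module's `depends()` (not visible in the hunk) would make the requirement explicit, since a missing binary under `set -euo pipefail` aborts the switch after some links have already been rewritten. The `install()` body continues past the end of the hunk.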
diff --git a/tests/kola/firewall/iptables-legacy/config.bu b/tests/kola/firewall/iptables-legacy/config.bu
new file mode 100644
index 0000000000..b1048c1c98
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/config.bu
@@ -0,0 +1,28 @@
+variant: fcos
+version: 1.3.0
+storage:
+ links:
+ - path: /etc/alternatives/iptables
+ target: /usr/sbin/iptables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-restore
+ target: /usr/sbin/iptables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/iptables-save
+ target: /usr/sbin/iptables-legacy-save
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables
+ target: /usr/sbin/ip6tables-legacy
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-restore
+ target: /usr/sbin/ip6tables-legacy-restore
+ overwrite: true
+ hard: false
+ - path: /etc/alternatives/ip6tables-save
+ target: /usr/sbin/ip6tables-legacy-save
+ overwrite: true
+ hard: false
diff --git a/tests/kola/firewall/iptables-legacy/test.sh b/tests/kola/firewall/iptables-legacy/test.sh
new file mode 100755
index 0000000000..e210116731
--- /dev/null
+++ b/tests/kola/firewall/iptables-legacy/test.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# This test is currently scoped to only FCOS because the RHCOS version of `iptables`
+# is using the `nf_tables` backend.
+# TODO: modify this test to check for `nf_tables` backend when FCOS switches.
+# See https://github.com/coreos/fedora-coreos-config/pull/1324
+# kola: { "distros": "fcos", "exclusive": true }
+set -xeuo pipefail
+
+ok() {
+ echo "ok" "$@"
+}
+
+fatal() {
+ echo "$@" >&2
+ exit 1
+}
+
+# Make sure we're on legacy iptables
+if ! iptables --version | grep legacy; then
+ iptables --version # output for logs
+ fatal "iptables version is not legacy"
+fi
+ok "iptables in legacy mode"
diff --git a/tests/kola/firewall/iptables-nft/test.sh b/tests/kola/firewall/iptables-nft/test.sh
new file mode 100755
index 0000000000..89f75fcfb7
--- /dev/null
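Review bot: The config installs the six legacy links itself through Ignition, so the test passes without `coreos-enable-iptables-legacy` or its stamp-file logic ever running; the code this commit adds is not exercised by the test it adds. If the first-boot path is meant to work, the config could just write the stamp — `files:` / `- path: /etc/fedora-coreos/iptables-legacy.stamp` under `storage:` with no `links:` — and let the service perform the switch, and a second variant that additionally overrides one link would cover the "not default, do nothing" guard. If setting the links directly is deliberate (say, to keep the test independent of the initrd service), a comment at the top of the file saying so would stop the next reader from assuming the service is what is under test.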
+++ b/tests/kola/firewall/iptables-nft/test.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# kola: { "exclusive": false }
+set -xeuo pipefail
+
+ok() {
+ echo "ok" "$@"
+}
+
+fatal() {
+ echo "$@" >&2
+ exit 1
+}
+
+if ! iptables --version | grep nf_tables; then
+ iptables --version # output for logs
+ fatal "iptables version is not nft"
+fi
+ok "iptables in nft mode"
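Review bot: Only the `iptables` wrapper is checked, but the alternatives switch introduced elsewhere in this commit rewrites six links (`ip6tables` and the `*-save`/`*-restore` pairs included), so a deployment where `ip6tables` ended up on a different backend from `iptables` would still pass here. Adding `ip6tables --version | grep -q nf_tables` (and the mirror-image line in the legacy test) would catch a split-backend state, which is the one where a ruleset loaded through one tool is invisible to, and cannot be flushed by, the other. Using `grep -q` also avoids printing the version line twice on failure, since the next line already echoes it for the log.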