authorFlorian Dold <florian.dold@gmail.com>2020-02-16 19:16:36 +0100
committerFlorian Dold <florian.dold@gmail.com>2020-02-16 19:16:36 +0100
commitd8078ada43a1a2959591f7f1c4c3f15263ef2e1b (patch)
treedd279d5133e14dc66b99398c4f551058fc2abaa8 /netjail/netjail.sh
parent8624c9adea0f96258079437eaf541a35dcb5973a (diff)
netjail
Diffstat (limited to 'netjail/netjail.sh')
-rwxr-xr-xnetjail/netjail.sh51
1 files changed, 51 insertions, 0 deletions
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
new file mode 100755
index 0000000..b07927b
--- /dev/null
+++ b/netjail/netjail.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# This file is in the public domain.
+#
+# Shell script for to setup one instance of a network namespace.
+# Used by buildslaves to avoid port conflicts.
+#
+# First argument ($1) must be a unique number (unique amongst
+# all users of the script) between 2 and 254 to be used in
+# the IP address for routing the traffic of the network
+# namespace to the Internet.
+#
+# The remaining arguments are the command (and arguments to the
+# command) to be run in the network namespace (i.e. 'make check').
+#
+
+set -eu
+
+# Be extra safe, even though sudo should already do this.
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# See netjail-init.sh
+BRIDGE=builderbridge
+
+# Make $N the first argument.
+N=$1
+shift 1
+
+NAME=buildernet-$N
+
+# Delete previous bridge and netns
+brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
+ip netns del "$NAME" 2>/dev/null || true
+
+# Create network namespace
+ip netns add "$NAME"
+# Ensure loopback is up
+ip netns exec "$NAME" ip link set lo up
+
+# Setup link to our bridge
+ip link add "tap$N" type veth peer name br-tap$N
+brctl addif "$BRIDGE" "br-tap$N"
+ip link set "tap$N" netns "$NAME"
+ip netns exec "$NAME" ip link set dev "tap$N" up
+ip link set dev "br-tap$N" up
+ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
+ip netns exec "$NAME" ip route add default via 10.42.42.1
+
+# Finally, run whatever the user's command was
+ME=${SUDO_USER:?must run in sudo}
+exec unshare -pf -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
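Review bot: `N=$1` is never checked against the 2–254 range the header comment requires, yet the script is written to run as root under sudo and N flows unchanged into the namespace name, both interface names and the `10.42.42.$N/24` address. Because the "Delete previous bridge and netns" step runs before anything else, a caller who passes another builder's number tears down that builder's namespace, so the uniqueness rule is convention only and N should at least be validated as a plain decimal in range right after the `shift`. The `${SUDO_USER:?must run in sudo}` check also sits at the very end, after the namespace and veth pair already exist; moving it next to the validation avoids leaving half-configured state behind. Separately, `br-tap$N` on the `ip link add` line is the one unquoted expansion and should read `ip link add "tap$N" type veth peer name "br-tap$N"`.

```shell
N=$1
shift 1

# Fail before touching any network state if we were not started via sudo.
ME=${SUDO_USER:?must run in sudo}

# N is used as root in interface names, the netns name and an IP address:
# accept only a plain decimal number in 2..254 (no sign, no leading zero,
# at most three digits).
case "$N" in
  '' | 0* | *[!0-9]* | ????*)
    echo "netjail: first argument must be a number between 2 and 254" >&2
    exit 1
    ;;
esac
if [ "$N" -lt 2 ] || [ "$N" -gt 254 ]; then
  echo "netjail: first argument must be a number between 2 and 254" >&2
  exit 1
fi

# … unchanged: NAME assignment, cleanup, namespace and veth setup, final exec …
```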