From d8078ada43a1a2959591f7f1c4c3f15263ef2e1b Mon Sep 17 00:00:00 2001
From: Florian Dold
Date: Sun, 16 Feb 2020 19:16:36 +0100
Subject: netjail

---
 netjail/netjail.sh | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100755 netjail/netjail.sh
(limited to 'netjail/netjail.sh')
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
new file mode 100755
index 0000000..b07927b
--- /dev/null
+++ b/netjail/netjail.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# This file is in the public domain.
+#
+# Shell script for to setup one instance of a network namespace.
+# Used by buildslaves to avoid port conflicts.
+#
+# First argument ($1) must be a unique number (unique amongst
+# all users of the script) between 2 and 254 to be used in
+# the IP address for routing the traffic of the network
+# namespace to the Internet.
+#
+# The remaining arguments are the command (and arguments to the
+# command) to be run in the network namespace (i.e. 'make check').
+#
+
+set -eu
+
+# Be extra safe, even though sudo should already do this.
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# See netjail-init.sh
+BRIDGE=builderbridge
+
+# Make $N the first argument.
+N=$1
+shift 1
+
+NAME=buildernet-$N
+
+# Delete previous bridge and netns
+brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
+ip netns del "$NAME" 2>/dev/null || true
+
+# Create network namespace
+ip netns add "$NAME"
+# Ensure loopback is up
+ip netns exec "$NAME" ip link set lo up
+
+# Setup link to our bridge
+ip link add "tap$N" type veth peer name br-tap$N
+brctl addif "$BRIDGE" "br-tap$N"
+ip link set "tap$N" netns "$NAME"
+ip netns exec "$NAME" ip link set dev "tap$N" up
+ip link set dev "br-tap$N" up
+ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
+ip netns exec "$NAME" ip route add default via 10.42.42.1
+
+# Finally, run whatever the user's command was
+ME=${SUDO_USER:?must run in sudo}
+exec unshare -pf -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
-- 
cgit v1.2.3
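Review bot: `N=$1` is never checked against the 2–254 range the header comment promises, even though the script runs as root and `$N` is spliced into interface names, the namespace name and the address `10.42.42.$N/24`; a caller passing `1` silently claims the gateway address used on the `ip route add default via 10.42.42.1` line, and a non-numeric or out-of-range value only fails part-way through, after the `brctl delif`/`ip netns del` lines have already torn down whatever was there. Since this is `#!/bin/sh`, a portable guard right after `shift 1` would be `case "$N" in ''|*[!0-9]*) echo "N must be an integer between 2 and 254" >&2; exit 1;; esac` followed by `[ "$N" -ge 2 ] && [ "$N" -le 254 ] || { echo "N must be between 2 and 254" >&2; exit 1; }`, so bad input is rejected before any state is touched. As a style point, `peer name br-tap$N` on the `ip link add` line is the one place `$N` is left unquoted while every other use is quoted; `"br-tap$N"` keeps it consistent with the `brctl addif` line below it.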