From d8078ada43a1a2959591f7f1c4c3f15263ef2e1b Mon Sep 17 00:00:00 2001
From: Florian Dold
Date: Sun, 16 Feb 2020 19:16:36 +0100
Subject: netjail

---
 netjail/README | 1 +
 netjail/netjail-init.sh | 37 +++++++++++++++++++++++++++++++++++
 netjail/netjail.sh | 51 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100644 netjail/README
 create mode 100755 netjail/netjail-init.sh
 create mode 100755 netjail/netjail.sh

(limited to 'netjail')

diff --git a/netjail/README b/netjail/README
new file mode 100644
index 0000000..ad4cc60
--- /dev/null
+++ b/netjail/README
@@ -0,0 +1 @@
+The scripts in this folder are used to run a program in a PID and network namespace.
diff --git a/netjail/netjail-init.sh b/netjail/netjail-init.sh
new file mode 100755
index 0000000..a16eb82
--- /dev/null
+++ b/netjail/netjail-init.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+# This file is in the public domain.
+#
+# Shell script for the general setup of network namespaces.
+# This script should be run once at boot time (as root).
+# Afterwards, the netjail.sh can be used by anyone (with
+# the right permissions) to create their own network namespace.
+#
+set -eu
+
+# Setup virtual bridge which we will use to connect all
+# of the builder networks to.
+
+BRIDGE=builderbridge
+
+brctl addbr $BRIDGE
+brctl stp $BRIDGE off
+ip link set dev $BRIDGE up
+
+# Connect bridge to host network
+ip link add tap0 type veth peer name br-tap0
+brctl addif $BRIDGE br-tap0
+ip link set dev tap0 up
+ip link set dev br-tap0 up
+
+# Configure bridge on host
+ip addr add 10.42.42.1/24 dev tap0
+
+# Configure IP masquerading/NAT
+# Obtain list of our network interfaces from /etc/network/interfaces
+IFCS=`cat /etc/network/interfaces | grep iface | grep -v loopback | awk '{print $2}'`
+for IFC in $IFCS
+do
+ iptables --table nat --append POSTROUTING --out-interface $IFC -j MASQUERADE
+done
+echo 1 > /proc/sys/net/ipv4/ip_forward
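Review bot: The MASQUERADE rule appended in the `for IFC` loop at the end of the hunk NATs every forwarded packet leaving each listed interface, not only traffic from the builder subnet, and the `echo 1 > /proc/sys/net/ipv4/ip_forward` right after it turns the host into a general router subject to whatever the FORWARD chain already allows; scope the rule as `iptables --table nat --append POSTROUTING --source 10.42.42.0/24 --out-interface "$IFC" -j MASQUERADE` and pair it with FORWARD rules that only accept traffic entering or leaving via `$BRIDGE`. The interface list is taken from every line of /etc/network/interfaces containing `iface` (minus loopback), so it can also pick up commented-out stanzas or virtual entries such as the bridge itself if it is declared there — if the real uplinks are known, naming them explicitly is safer than parsing that file. The script is also not re-runnable: under `set -eu`, `brctl addbr $BRIDGE` aborts the script if the bridge already exists, leaving the NAT rule missing. Since all builder namespaces share one L2 segment on the bridge, this gives port-conflict avoidance rather than isolation between builders, which is worth stating in the header comment, e.g. `# NOTE: namespaces on the bridge can reach each other; this avoids port clashes, it is not a security boundary.`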
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
new file mode 100755
index 0000000..b07927b
--- /dev/null
+++ b/netjail/netjail.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# This file is in the public domain.
+#
+# Shell script for to setup one instance of a network namespace.
+# Used by buildslaves to avoid port conflicts.
+#
+# First argument ($1) must be a unique number (unique amongst
+# all users of the script) between 2 and 254 to be used in
+# the IP address for routing the traffic of the network
+# namespace to the Internet.
+#
+# The remaining arguments are the command (and arguments to the
+# command) to be run in the network namespace (i.e. 'make check').
+#
+
+set -eu
+
+# Be extra safe, even though sudo should already do this.
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# See netjail-init.sh
+BRIDGE=builderbridge
+
+# Make $N the first argument.
+N=$1
+shift 1
+
+NAME=buildernet-$N
+
+# Delete previous bridge and netns
+brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
+ip netns del "$NAME" 2>/dev/null || true
+
+# Create network namespace
+ip netns add "$NAME"
+# Ensure loopback is up
+ip netns exec "$NAME" ip link set lo up
+
+# Setup link to our bridge
+ip link add "tap$N" type veth peer name br-tap$N
+brctl addif "$BRIDGE" "br-tap$N"
+ip link set "tap$N" netns "$NAME"
+ip netns exec "$NAME" ip link set dev "tap$N" up
+ip link set dev "br-tap$N" up
+ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
+ip netns exec "$NAME" ip route add default via 10.42.42.1
+
+# Finally, run whatever the user's command was
+ME=${SUDO_USER:?must run in sudo}
+exec unshare -pf -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
-- 
cgit v1.2.3
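Review bot: `N=$1` is used unvalidated as interface suffix, namespace name and IP host byte while the script runs as root, and the cleanup line `brctl delif "$BRIDGE" "br-tap$N"` runs before anything checks it: invoked with `N=0` it detaches the host's own uplink `br-tap0` (the veth peer netjail-init.sh put on the bridge), cutting every builder off from the 10.42.42.1 gateway, and `N=1` makes the `ip addr add "10.42.42.$N/24"` line configure the gateway's address inside the namespace. The header comment already documents a 2–254 range, so enforce it before the first `brctl`/`ip` call, and hoist the `${SUDO_USER:?…}` check from the last lines up with it so a non-sudo invocation fails before any state is modified (rewritten prologue below; the rest of the script is unchanged). A caller can still pass another builder's number and have its namespace deleted, which remains a trust boundary between users of the sudo rule rather than something the script can enforce on its own. Separately, `unshare -pf` without `--mount-proc` presumably leaves the host's /proc visible inside the new PID namespace — confirm whether that matters for what the builders run.

```shell
# Refuse to run outside sudo before any state is modified.
ME=${SUDO_USER:?must run in sudo}

# Make $N the first argument and enforce the documented 2-254 range before
# the first brctl/ip call: N=0 names the host uplink br-tap0 that
# netjail-init.sh attached to the bridge, N=1 is the gateway address.
N=${1:?usage: $0 N COMMAND [ARGS...]}
shift 1
case $N in
  0*|*[!0-9]*)
    echo "netjail: N must be a decimal number between 2 and 254" >&2
    exit 1
    ;;
esac
if [ "$N" -lt 2 ] || [ "$N" -gt 254 ]; then
  echo "netjail: N must be between 2 and 254" >&2
  exit 1
fi

NAME=buildernet-$N
# … unchanged: cleanup, namespace creation, veth and address setup …
exec unshare -pf -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
```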