Diffstat (limited to 'meta-google')
11 files changed, 148 insertions, 5 deletions
diff --git a/meta-google/recipes-connectivity/avahi/files/avahi-daemon.conf b/meta-google/recipes-connectivity/avahi/files/avahi-daemon.conf
index 9688ffb39..57520df7f 100644
--- a/meta-google/recipes-connectivity/avahi/files/avahi-daemon.conf
+++ b/meta-google/recipes-connectivity/avahi/files/avahi-daemon.conf
@@ -1,5 +1,5 @@
 [server]
-allow-interfaces=mgmt
+allow-interfaces=mgmt,gbmcbr
 [publish]
 disable-user-service-publishing=yes
diff --git a/meta-google/recipes-core/dropbear/dropbear_%.bbappend b/meta-google/recipes-core/dropbear/dropbear_%.bbappend
index e93eba8b6..0b4349e00 100644
--- a/meta-google/recipes-core/dropbear/dropbear_%.bbappend
+++ b/meta-google/recipes-core/dropbear/dropbear_%.bbappend
@@ -5,13 +5,13 @@ SYSTEMD_AUTO_ENABLE_${PN}_prod = "disable"
 FILESEXTRAPATHS_remove_gbmc_bandaid := "${THISDIR}/${PN}:"
 SYSTEMD_AUTO_ENABLE_${PN}_bandaid_prod = "enable"
-# Allow SSH to the mgmt node on DEV builds
+# Allow SSH to the gbmc-bridge node on DEV builds
 do_install_append_gbmc_dev() {
 nftables_dir=${D}${sysconfdir}/nftables
 rules=$nftables_dir/50-dropbear-dev.rules
 install -d -m0755 $nftables_dir
 echo 'table inet filter {' >"$rules"
- echo ' chain mgmt_pub_input {' >>"$rules"
+ echo ' chain gbmc_br_pub_input {' >>"$rules"
 echo ' tcp dport 22 accept' >>"$rules"
 echo ' }' >>"$rules"
 echo '}' >>"$rules"
diff --git a/meta-google/recipes-google/networking/gbmc-bridge.bb b/meta-google/recipes-google/networking/gbmc-bridge.bb
new file mode 100644
index 000000000..1358ac543
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-bridge.bb
@@ -0,0 +1,75 @@
+SUMMARY = "Configures the gbmc bridge and filter rules"
+PR = "r1"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+inherit systemd
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += " \
+ file://-bmc-gbmcbr.netdev.in \
+ file://-bmc-gbmcbr.network \
+ file://-bmc-gbmcbrdummy.netdev \
+ file://-bmc-gbmcbrdummy.network \
+ file://+-bmc-gbmcbrusb.network \
+ file://ipmi.service.in \
+ file://50-gbmc-br.rules \
+ "
+
+FILES_${PN}_append = " \
+ ${systemd_unitdir}/network \
+ ${sysconfdir}/nftables \
+ ${sysconfdir}/avahi/services \
+ "
+
+RDEPENDS_${PN}_append = " \
+ mstpd-mstpd \
+ "
+
+GBMC_BR_MAC_ADDR ?= ""
+
+# Generated via https://cd34.com/rfc4193/ based on a MAC from a machine I own
+# and we allocated it downstream. Intended to only be used within a complete
+# system of multiple network endpoints.
+GBMC_ULA_PREFIX = "fdb5:0481:10ce:0"
+
+def mac_to_eui64(mac):
+ if not mac:
+ return ''
+ b = [int(c, 16) for c in mac.split(':')]
+ b[0] ^= 2
+ b.insert(3, 0xfe)
+ b.insert(3, 0xff)
+ idx = range(0, len(b)-1, 2)
+ return ':'.join([format((b[i] << 8) + b[i+1], '04x') for i in idx])
+
+do_install() {
+ netdir=${D}${systemd_unitdir}/network
+ install -d -m0755 $netdir
+
+ if [ ! -z "${GBMC_BR_MAC_ADDR}" ]; then
+ sed -i 's,@MAC@,MACAddress=${GBMC_BR_MAC_ADDR},' ${WORKDIR}/-bmc-gbmcbr.netdev.in
+ addr=${GBMC_ULA_PREFIX}:${@mac_to_eui64(GBMC_BR_MAC_ADDR)}/64
+ sed -i "s,@ADDR@,Address=$addr," ${WORKDIR}/-bmc-gbmcbr.netdev.in
+ else
+ sed -i '/@MAC@/d' ${WORKDIR}/-bmc-gbmcbr.netdev.in
+ sed -i '/@ADDR@/d' ${WORKDIR}/-bmc-gbmcbr.netdev.in
+ fi
+
+ install -m0644 ${WORKDIR}/-bmc-gbmcbr.netdev.in $netdir/-bmc-gbmcbr.netdev
+ install -m0644 ${WORKDIR}/-bmc-gbmcbr.network $netdir/
+ install -m0644 ${WORKDIR}/-bmc-gbmcbrdummy.netdev $netdir/
+ install -m0644 ${WORKDIR}/-bmc-gbmcbrdummy.network $netdir/
+ install -m0644 ${WORKDIR}/+-bmc-gbmcbrusb.network $netdir/
+
+ nftables_dir=${D}${sysconfdir}/nftables
+ install -d -m0755 "$nftables_dir"
+ install -m0644 ${WORKDIR}/50-gbmc-br.rules $nftables_dir/
+
+ avahi_dir=${D}${sysconfdir}/avahi/services
+ install -d -m 0755 "$avahi_dir"
+ sed -i 's,@MACHINE@,${MACHINE},g' ${WORKDIR}/ipmi.service.in
+ sed -i 's,@EXTRA_ATTRS@,,g' ${WORKDIR}/ipmi.service.in
+ sed 's,@NAME@,bmc,g' ${WORKDIR}/ipmi.service.in >${avahi_dir}/bmc.ipmi.service
+ sed 's,@NAME@,${MACHINE}-bmc,g' ${WORKDIR}/ipmi.service.in >${avahi_dir}/${MACHINE}-bmc.ipmi.service
+}
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/+-bmc-gbmcbrusb.network b/meta-google/recipes-google/networking/gbmc-bridge/+-bmc-gbmcbrusb.network
new file mode 100644
index 000000000..e403334b4
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-bridge/+-bmc-gbmcbrusb.network
@@ -0,0 +1,8 @@
+[Match]
+Name=usb*
+[Network]
+Bridge=gbmcbr
+[Bridge]
+# USB speeds tend to be better than 100mbit (100 cost) but worse
+# than 1gbit (10 cost). Generally around 200mbit.
+Cost=85
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbr.netdev.in b/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbr.netdev.in
new file mode 100644
index 000000000..a7e91332c
--- /dev/null
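Review bot: `mac_to_eui64` trusts whatever `GBMC_BR_MAC_ADDR` holds, so a value with the wrong number of octets or a non-hex group either dies with an unrelated traceback from `int(c, 16)` or, for a short/long list, silently produces a malformed EUI-64 that is then baked into the bridge address and the ULA the filter treats as internal; add a guard right after the list comprehension, e.g. `if len(b) != 6 or any(not 0 <= x <= 255 for x in b): raise ValueError('GBMC_BR_MAC_ADDR must be 6 colon-separated hex octets, got %r' % mac)`. The same unchecked value is spliced into a sed expression (`s,@MAC@,MACAddress=${GBMC_BR_MAC_ADDR},`), where a stray `,`, `&` or `\` would corrupt the generated .netdev instead of failing the build; the guard above closes that path too, since a valid MAC contains none of those characters. The comment on `GBMC_ULA_PREFIX` should also state that this /64 is what `50-gbmc-br.rules` accepts as internal traffic, so anyone changing the prefix knows the filter must move in step.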
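Review bot: `Name=usb*` enslaves every link whose name starts with usb to gbmcbr, and once a port is on the bridge its peer gets the link-local/ULA reach that `gbmc_br_int_input` in 50-gbmc-br.rules grants, so this glob is effectively the trust boundary for the internal side. I cannot tell from the diff whether anything other than the gadget-side link to the host can ever appear with a usb-prefixed name on these boards; if it can, a narrower match (an explicit `Name=usb0`, or a `Driver=` match on the gadget driver) is safer than the glob. Either way a short comment stating the intent, e.g. `# Every usb* link joins the internal bridge; 50-gbmc-br.rules defines what that exposes`, would make the choice reviewable later.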
+++ b/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbr.netdev.in
@@ -0,0 +1,7 @@
+[NetDev]
+Name=gbmcbr
+Kind=bridge
+@MAC@
+@ADDR@
+[Bridge]
+STP=true
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbr.network b/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbr.network
new file mode 100644
index 000000000..18d208a3b
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbr.network
@@ -0,0 +1,8 @@
+[Match]
+Name=gbmcbr
+[Network]
+DHCP=false
+IPv6AcceptRA=false
+LLMNR=true
+MulticastDNS=true
+LinkLocalAddressing=ipv6
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbrdummy.netdev b/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbrdummy.netdev
new file mode 100644
index 000000000..97c725812
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbrdummy.netdev
@@ -0,0 +1,3 @@
+[NetDev]
+Name=gbmcbrdummy
+Kind=dummy
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbrdummy.network b/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbrdummy.network
new file mode 100644
index 000000000..7d3f07197
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-bridge/-bmc-gbmcbrdummy.network
@@ -0,0 +1,4 @@
+[Match]
+Name=gbmcbrdummy
+[Network]
+Bridge=gbmcbr
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
new file mode 100644
index 000000000..1a5e6331d
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-bridge/50-gbmc-br.rules
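Review bot: `@ADDR@` is expanded by the recipe to an `Address=...` line inside the `[NetDev]` section of this .netdev file, but as far as I know `Address=` is a `[Network]` option of .network files and is not a recognised `[NetDev]` key, so networkd would log an unknown-key warning and ignore it — gbmcbr would then never carry the fdb5:0481:10ce::/64 address that `gbmc_br_int_input` in 50-gbmc-br.rules is built around. Please confirm on a device (the networkd journal should show the warning); if it reproduces, drop `@ADDR@` from this template and instead make `-bmc-gbmcbr.network` the template (an `@ADDR@` placeholder under its `[Network]` section, with the two `@ADDR@` sed lines and the corresponding install in do_install pointed at that file). `MACAddress=` is a valid `[NetDev]` key, so the `@MAC@` substitution on the line above is fine as is.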
@@ -0,0 +1,27 @@
+table bridge filter {
+ chain gbmc_br_prerouting {
+ type filter hook prerouting priority 0;
+ iifname != gbmcbr accept
+ # Sometimes our links are over NCSI and we don't want to broadcast
+ # those packets over the entire bridge. They are only relevant P2P.
+ ether type 0x88F8 drop
+ }
+}
+
+table inet filter {
+ chain gbmc_br_input {
+ type filter hook input priority 0; policy drop;
+ iifname != gbmcbr accept
+ jump gbmc_br_int_input
+ jump gbmc_br_pub_input
+ reject
+ }
+ chain gbmc_br_int_input {
+ ip6 daddr ff00::/8 accept
+ ip6 daddr fe80::/64 accept
+ ip6 daddr fdb5:0481:10ce::/64 accept
+ }
+ chain gbmc_br_pub_input {
+ ip6 nexthdr icmpv6 accept
+ }
+}
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/ipmi.service.in b/meta-google/recipes-google/networking/gbmc-bridge/ipmi.service.in
new file mode 100644
index 000000000..0b940fa2d
--- /dev/null
+++ b/meta-google/recipes-google/networking/gbmc-bridge/ipmi.service.in
@@ -0,0 +1,11 @@
+<?xml version="1.0" ?>
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+<service-group>
+ <name>@NAME@</name>
+ <service>
+ <type>_ipmi._udp</type>
+ <port>623</port>
+ <txt-record>Machine=@MACHINE@</txt-record>
+ @EXTRA_ATTRS@
+ </service>
+</service-group>
diff --git a/meta-google/recipes-google/networking/gbmc-iperf3.bb b/meta-google/recipes-google/networking/gbmc-iperf3.bb
index 5044e418b..27ebdb7e0 100644
--- a/meta-google/recipes-google/networking/gbmc-iperf3.bb
+++ b/meta-google/recipes-google/networking/gbmc-iperf3.bb
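Review bot: In the `bridge` family `iifname` names the ingress bridge *port* (usb0, gbmcbrdummy, ...) rather than the bridge device, so `iifname != gbmcbr accept` in `gbmc_br_prerouting` should be true for every frame and the `ether type 0x88F8 drop` below it would never be reached — the bridge-level match is `meta ibrname != gbmcbr accept`; please confirm with rule counters on a device before relying on the NC-SI drop. Separately, `ip6 nexthdr icmpv6` in `gbmc_br_pub_input` only matches when ICMPv6 is the immediate next header, so ICMPv6 behind an extension header (e.g. hop-by-hop) falls through to `reject`; `meta l4proto icmpv6 accept` is the robust form. Also note that `gbmc_br_int_input` keys on destination only, so any port on the bridge can reach every BMC service by addressing its link-local or ULA address — if that is the intended trust model, a comment above the chain saying so would save the next reviewer from re-deriving it.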
@@ -17,13 +17,13 @@ do_install() {
 install -m 0644 ${WORKDIR}/iperf3.service ${D}${systemd_system_unitdir}
 }
-# Allow IPERF3 to the mgmt node on DEV builds
+# Allow IPERF3 to run on the gbmcbr node on DEV builds
 do_install_append_dev() {
 nftables_dir=${D}${sysconfdir}/nftables
 rules=$nftables_dir/50-gbmc-iperf3-dev.rules
 install -d -m0755 $nftables_dir
 echo 'table inet filter {' >"$rules"
- echo ' chain mgmt_pub_input {' >>"$rules"
+ echo ' chain gbmc_br_pub_input {' >>"$rules"
 echo ' tcp dport 5201 accept' >>"$rules"
 echo ' }' >>"$rules"
 echo '}' >>"$rules"