From b174c185f31bf14d430e68bb868ccf14ff7d4be3 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 3 Nov 2021 14:54:51 -0700 Subject: meta-google: gbmc-bridge: Implement DHCP This makes it possible for a BMC to acquire a public address via DHCP provisioning. None of the update processes are included yet. Change-Id: I51ca2aa4859bcd2b9e909dd5a0d9e66cfbd648af Signed-off-by: William A. Kennington III --- .../networking/gbmc-bridge/gbmc-br-dhcp.service | 13 +++ .../networking/gbmc-bridge/gbmc-br-dhcp.sh | 96 ++++++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service create mode 100644 meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh (limited to 'meta-google/recipes-google/networking/gbmc-bridge') diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service new file mode 100644 index 000000000..145f84b93 --- /dev/null +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service @@ -0,0 +1,13 @@ +[Unit] +Description=gBMC DHCP Client +After=network.target +StartLimitIntervalSec=10 +StartLimitBurst=3 + +[Service] +Restart=always +RestartSec=5 +ExecStart=/usr/bin/udhcpc6 -f -q -O bootfile_url -O bootfile_param -i gbmcbr -s /usr/libexec/gbmc-br-dhcp.sh + +[Install] +WantedBy=multi-user.target diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh new file mode 100644 index 000000000..beccc8658 --- /dev/null +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh @@ -0,0 +1,96 @@ +#!/bin/bash +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# A list of functions which get executed for each bound DHCP lease. +# These are configured by the files included below. +GBMC_BR_DHCP_HOOKS=() + +# Load configurations from a known location in the filesystem to populate +# hooks that are executed after each event. +shopt -s nullglob +for conf in /usr/share/gbmc-br-dhcp/*.sh; do + # SC doesn't like dynamic source loading + # shellcheck disable=SC1090 + source "$conf" +done + +gbmc_br_dhcp_run_hooks() { + local hook + for hook in "${GBMC_BR_DHCP_HOOKS[@]}"; do + "$hook" || continue + done +} + +# SC can't find this path during repotest +# shellcheck disable=SC1091 +source /usr/share/network/lib.sh || exit + +if [ "$1" = bound ]; then + # Variable is from the environment via udhcpc6 + # shellcheck disable=SC2154 + echo "DHCPv6(gbmcbr): $ipv6/128" >&2 + + pfx_bytes=() + ip_to_bytes pfx_bytes "$ipv6" + # Ensure we are a BMC and have a suffix nibble, the 0th index is reserved + if (( pfx_bytes[8] != 0xfd || pfx_bytes[9] & 0xf == 0 )); then + echo "Invalid address" >&2 + exit + fi + # Ensure we don't have more than a /80 address + for (( i = 10; i < 16; ++i )); do + if (( pfx_bytes[i] != 0 )); then + echo "Invalid address" >&2 + exit + fi + done + + pfx="$(ip_bytes_to_str pfx_bytes)" + (( pfx_bytes[9] &= 0xf0 )) + stateless_pfx="$(ip_bytes_to_str pfx_bytes)" + read -r -d '' contents <"$file" + done + + # Ensure that systemd-networkd performs a reconfiguration as it doesn't + # currently check the mtime of drop-in files. + touch -c /lib/systemd/network/*-bmc-gbmcbr.network + + if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then + networkctl reload && networkctl reconfigure gbmcbr + fi + + gbmc_br_dhcp_run_hooks +fi -- cgit v1.2.3 From d1a214d0e2516524475ee45ae860d7aa0f2b3e10 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Mon, 6 Dec 2021 15:26:46 -0800 Subject: meta-google: gbmc-bridge: Request hostname via DHCP Change-Id: If3dacbfde966de337702b44b9b06b3eb21755546 Signed-off-by: William A. Kennington III --- .../recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service | 2 +- meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'meta-google/recipes-google/networking/gbmc-bridge') diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service index 145f84b93..7eb0ce075 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service @@ -7,7 +7,7 @@ StartLimitBurst=3 [Service] Restart=always RestartSec=5 -ExecStart=/usr/bin/udhcpc6 -f -q -O bootfile_url -O bootfile_param -i gbmcbr -s /usr/libexec/gbmc-br-dhcp.sh +ExecStart=/usr/bin/udhcpc6 -f -q -O fqdn -O bootfile_url -O bootfile_param -i gbmcbr -s /usr/libexec/gbmc-br-dhcp.sh [Install] WantedBy=multi-user.target diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh index beccc8658..42a077d09 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh @@ -92,5 +92,10 @@ EOF networkctl reload && networkctl reconfigure gbmcbr fi + if [ -n "${fqdn-}" ]; then + echo "Using hostname $fqdn" >&2 + hostnamectl set-hostname "$fqdn" || true + fi + gbmc_br_dhcp_run_hooks fi -- cgit v1.2.3 From 7356f8ebcb6b0e4c06018c748b7c5771b41e007e Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 15 Dec 2021 02:21:52 -0800 Subject: meta-google: nftables: Make rule loading atomic This ensures that all of the rules are processed and unexpected packets are not allowed or blocked by the kernel at any time. Change-Id: Ia7bb1d7f604f8ed1bd9759a23e370d20cb0c690d Signed-off-by: William A. Kennington III --- .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 2 +- meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 4 +--- .../recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh | 4 +--- meta-google/recipes-google/nftables/files/nft-configure.sh | 14 +++++++++----- meta-google/recipes-google/nftables/files/nftables.service | 1 + 5 files changed, 13 insertions(+), 12 deletions(-) (limited to 'meta-google/recipes-google/networking/gbmc-bridge') diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in index 677ef28c3..9d9f7899e 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in @@ -88,7 +88,7 @@ EOF else printf '%s' "$nfcontents" >"$rfile" fi - systemctl reset-failed nftables && systemctl --no-block restart nftables || true + systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true } gbmc_ncsi_br_deprecated_ips_hook() { diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in index 30b2b65e4..074ec5785 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in @@ -46,9 +46,7 @@ gbmc_ncsi_nft_update() { mkdir -p -m 755 "$(dirname "$rfile")" printf '%s' "$contents" >"$rfile" - echo 'Restarting nftables' >&2 - systemctl reset-failed nftables - systemctl --no-block restart nftables + systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true } gbmc_ncsi_nft_hook() { diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh index 980f7b6d6..ca4e15a1f 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh @@ -37,9 +37,7 @@ gbmc_br_nft_update() { mkdir -p -m 755 "$(dirname "$rfile")" printf '%s' "$contents" >"$rfile" - echo 'Restarting nftables' >&2 - systemctl reset-failed nftables - systemctl --no-block restart nftables + systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true } gbmc_br_nft_hook() { diff --git a/meta-google/recipes-google/nftables/files/nft-configure.sh b/meta-google/recipes-google/nftables/files/nft-configure.sh index 05bb23d8b..8c8e058b7 100644 --- a/meta-google/recipes-google/nftables/files/nft-configure.sh +++ b/meta-google/recipes-google/nftables/files/nft-configure.sh @@ -8,10 +8,14 @@ for dir in /run/nftables /etc/nftables /usr/share/nftables; do done let i+=1 done -rc=0 -nft flush ruleset || rc=$? + +rules="" +trap 'rm -f -- "$rules"' TERM INT EXIT ERR +rules="$(mktemp)" || exit +echo 'flush ruleset' >"$rules" for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do - echo "Executing ${basemap[$key]}" >&2 - nft -f "${basemap[$key]}" || rc=$? + echo "Loading ${basemap[$key]}" >&2 + echo '' >>"$rules" + cat "${basemap[$key]}" >>"$rules" done -exit $rc +nft -f "$rules" || exit diff --git a/meta-google/recipes-google/nftables/files/nftables.service b/meta-google/recipes-google/nftables/files/nftables.service index 770a3d3ac..1a93812b8 100644 --- a/meta-google/recipes-google/nftables/files/nftables.service +++ b/meta-google/recipes-google/nftables/files/nftables.service @@ -5,6 +5,7 @@ Before=network-pre.target Type=oneshot RemainAfterExit=yes ExecStart=/usr/libexec/nft-configure.sh +ExecReload=/usr/libexec/nft-configure.sh ExecStop=/usr/sbin/nft flush ruleset [Install] -- cgit v1.2.3