From 21e7e45b77e026689b72f182aca4ba2ffd5e0a36 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Fri, 5 Nov 2021 01:31:59 -0700 Subject: meta-google: gbmc-bridge: Provision NCSI deprecated addresses This scans the gbmcbr interface for public addresses, and adds the relevant addresses to the NCSI interface of the BMC. This is required for neighbor discovery to work from prod over the NCSI link, when the addresses do not already exist (BMC DHCP will not have them). Change-Id: I27ff0cd3c4750b752b35399b8a0288db5ac9fe28 Signed-off-by: William A. Kennington III --- .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 118 +++++++++++++++++++++ .../ncsi/files/gbmc-ncsi-ip-from-ra.sh.in | 16 --- .../recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 25 ----- .../recipes-google/ncsi/gbmc-ncsi-config.bb | 4 + 4 files changed, 122 insertions(+), 41 deletions(-) create mode 100644 meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in new file mode 100644 index 000000000..da6f27a79 --- /dev/null +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in 
@@ -0,0 +1,118 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +[ -z "${gbmc_ncsi_br_deprecated_ips_lib-}" ] || return + +gbmc_ncsi_br_deprecated_ips_init= +gbmc_ncsi_br_deprecated_ips_confip= +gbmc_ncsi_br_deprecated_ips_lastip= + +gbmc_ncsi_br_deprecated_ips_update() { + [ -n "$gbmc_ncsi_br_deprecated_ips_init" ] || return + [ "$gbmc_ncsi_br_deprecated_ips_confip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ] || return + gbmc_ncsi_br_deprecated_ips_confip="$gbmc_ncsi_br_deprecated_ips_lastip" + + printf 'gBMC Bridge NCSI Deprecated Addrs: %s\n' \ + "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2 + + local contents= + if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then + local pfx_bytes=() + ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip" + + local pfx="$(ip_bytes_to_str pfx_bytes)" + pfx_bytes[8]=0 + pfx_bytes[9]=0 + local host_pfx="$(ip_bytes_to_str pfx_bytes)" + read -r -d '' contents <"$file" + fi + done + + # Ensure that systemd-networkd performs a reconfiguration as it doesn't + # currently check the mtime of drop-in files. 
+ touch -c /etc/systemd/network/*-bmc-@NCSI_IF@.network + + if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then + networkctl reload && networkctl reconfigure @NCSI_IF@ + fi + + read -r -d '' contents <"$rfile" + systemctl reset-failed nftables && systemctl --no-block restart nftables || true +} + +gbmc_ncsi_br_deprecated_ips_hook() { + if [ "$change" = 'init' ]; then + gbmc_ncsi_br_deprecated_ips_init=1 + gbmc_ip_monitor_defer + elif [ "$change" = 'defer' ]; then + gbmc_ncsi_br_deprecated_ips_update + elif [ "$change" = 'addr' -a "$intf" = 'gbmcbr' ] && + [ "$scope" = 'global' -a "$fam" = 'inet6' ]; then + local pfx_bytes=() + ip_to_bytes pfx_bytes "$ip" || return + # No ULA Addresses + if (( pfx_bytes[0] & 0xfe == 0xfc )); then + return + fi + # We only want to allow a ::fd0x address, where x>0 + if (( pfx_bytes[8] != 0xfd || pfx_bytes[9] & 0xf == 0 )); then + return + fi + for (( i = 10; i < 16; ++i )); do + if (( pfx_bytes[i] != 0 )); then + return + fi + done + if [ "$action" = 'add' -a "$ip" != "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then + gbmc_ncsi_br_deprecated_ips_lastip="$ip" + gbmc_ip_monitor_defer + fi + if [ "$action" = 'del' -a "$ip" = "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then + gbmc_ncsi_br_deprecated_ips_lastip= + gbmc_ip_monitor_defer + fi + fi +} + +GBMC_IP_MONITOR_HOOKS+=(gbmc_ncsi_br_deprecated_ips_hook) + +gbmc_ncsi_br_deprecated_ips_lib=1 diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in index 80bd34f04..6144617d4 100755 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in 
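Review bot: The two bit-mask tests in gbmc_ncsi_br_deprecated_ips_hook never fire, because in bash arithmetic `==` binds tighter than `&`. `pfx_bytes[0] & 0xfe == 0xfc` evaluates as `pfx_bytes[0] & 0`, so ULA addresses are not skipped, and `pfx_bytes[9] & 0xf == 0` is likewise always 0, so the reserved zero suffix nibble is accepted. Parenthesise the masks: `if (( (pfx_bytes[0] & 0xfe) == 0xfc )); then` and `if (( pfx_bytes[8] != 0xfd || (pfx_bytes[9] & 0xf) == 0 )); then`. The same suffix test appears in the `bound` branch of gbmc-br-dhcp.sh later in this series and needs the same fix, since there it filters a DHCPv6-supplied address. The loop index `i` in the hook is also not declared `local`, so it leaks into the sourcing script.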
@@ -70,7 +70,6 @@ EOF touch -c /lib/systemd/network/*-bmc-gbmcbr.network || true contents='[Network]'$'\n' - contents+="Address=$pfx/128"$'\n' contents+="Gateway=$rtr"$'\n' for file in /run/systemd/network/{00,}-bmc-"$NCSI_IF".network.d/49-public-ra.conf; do mkdir -p -m 755 "$(dirname "$file")" @@ -81,21 +80,6 @@ EOF if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then networkctl reload && networkctl reconfigure gbmcbr "$NCSI_IF" || true fi - - read -r -d '' contents <"$rfile" - systemctl reset-failed nftables && systemctl --no-block restart nftables || true } w=60 diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in index 7a630f5fe..30b2b65e4 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in @@ -35,35 +35,10 @@ gbmc_ncsi_nft_update() { fi local ip6="$gbmc_ncsi_nft_lastip6" - local pfx= if [ -n "$ip6" ]; then contents+=" ip6 daddr $ip6/128 goto ncsi_legacy_input"$'\n' - - local ip_bytes=() - ip_to_bytes ip_bytes "$ip6" - # If our address has enough spare bits for appending the BMC suffix - # then we add a rule that allows the BMC subnet. That is, we need a /64 - # as input. - local i - for (( i = 8; i < 16; i++ )); do - if (( ip_bytes[$i] != 0 )); then - ip_bytes=() - break - fi - done - if (( ${#ip_bytes[@]} != 0 )); then - ip_bytes[8]=0xfd - pfx="$(ip_bytes_to_str ip_bytes)" - contents+=" ip6 saddr != $pfx/76 ip6 daddr" - contents+=" $pfx/76 goto ncsi_gbmc_br_pub_input"$'\n' - fi fi - contents+=' }'$'\n' - contents+=' chain ncsi_forward {'$'\n' - if [ -n "$pfx" ]; then - contents+=" ip6 saddr != $pfx/76 ip6 daddr $pfx/76 accept"$'\n' - fi contents+=' }'$'\n' contents+='}'$'\n' diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb index 10ef56a76..0074a3172 100644 --- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb 
+++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb @@ -18,6 +18,7 @@ SRC_URI += " \ file://gbmc-ncsi-sslh.service \ file://gbmc-ncsi-nft.sh.in \ file://gbmc-ncsi-br-pub-addr.sh.in \ + file://gbmc-ncsi-br-deprecated-ips.sh.in \ file://gbmc-ncsi-set-nicenabled.service.in \ " @@ -100,6 +101,9 @@ do_install:append() { sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-br-pub-addr.sh.in \ >${WORKDIR}/gbmc-ncsi-br-pub-addr.sh install -m644 ${WORKDIR}/gbmc-ncsi-br-pub-addr.sh $mondir + sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh.in \ + >${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh + install -m644 ${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh $mondir sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-set-nicenabled.service.in \ >${D}${systemd_system_unitdir}/gbmc-ncsi-set-nicenabled.service -- cgit v1.2.3 From b174c185f31bf14d430e68bb868ccf14ff7d4be3 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 3 Nov 2021 14:54:51 -0700 Subject: meta-google: gbmc-bridge: Implement DHCP This makes it possible for a BMC to acquire a public address via DHCP provisioning. None of the update processes are included yet. Change-Id: I51ca2aa4859bcd2b9e909dd5a0d9e66cfbd648af Signed-off-by: William A. Kennington III --- .../ncsi/files/gbmc-ncsi-br-pub-addr.sh.in | 2 + .../ncsi/files/gbmc-ncsi-clear-ip.sh.in | 26 ++++++ .../recipes-google/ncsi/gbmc-ncsi-config.bb | 8 ++ .../recipes-google/networking/gbmc-bridge.bb | 9 +- .../networking/gbmc-bridge/gbmc-br-dhcp.service | 13 +++ .../networking/gbmc-bridge/gbmc-br-dhcp.sh | 96 ++++++++++++++++++++++ 6 files changed, 153 insertions(+), 1 deletion(-) create mode 100644 meta-google/recipes-google/ncsi/files/gbmc-ncsi-clear-ip.sh.in create mode 100644 meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service create mode 100644 meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh (limited to 'meta-google/recipes-google') 
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-pub-addr.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-pub-addr.sh.in index 5adc41328..793403348 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-pub-addr.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-pub-addr.sh.in @@ -63,6 +63,8 @@ Destination=$stateless_pfx/76 Type=unreachable Metric=1024 EOF + # Delete DHCP configured addresses if we have a host published address + rm -f /etc/systemd/network/{00,}-bmc-gbmcbr.network.d/50-public.conf fi local file diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-clear-ip.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-clear-ip.sh.in new file mode 100644 index 000000000..e17a5e200 --- /dev/null +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-clear-ip.sh.in @@ -0,0 +1,26 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +[ -z "${gbmc_ncsi_clear_ip-}" ] || exit + +source /usr/libexec/ncsid_lib.sh || exit + +gbmc_ncsi_clear_ip_hook() { + UpdateIP xyz.openbmc_project.Network '@NCSI_IF@' '0.0.0.0' '0' || true + UpdateIP xyz.openbmc_project.Network '@NCSI_IF@' '::' '0' || true +} + +GBMC_BR_DHCP_HOOKS+=(gbmc_ncsi_clear_ip_hook) + +gbmc_ncsi_clear_ip=1 diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb index 0074a3172..6e2582495 100644 --- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb 
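Review bot: In the new gbmc-ncsi-clear-ip.sh.in, both the include guard and the `source /usr/libexec/ncsid_lib.sh` fallback use `exit`, but gbmc-br-dhcp.sh loads this file as a drop-in with `source "$conf"`. `exit` therefore ends the whole DHCP lease script instead of skipping this one hook, so with ncsid_lib.sh missing a bound lease would never be applied. The sibling gbmc-ncsi-br-deprecated-ips.sh.in guards with `|| return`; the equivalent here is `[ -z "${gbmc_ncsi_clear_ip-}" ] || return` and `source /usr/libexec/ncsid_lib.sh || return`. The later "Fix missing include" hunk adds `source /usr/share/network/lib.sh || exit` to that sibling, which has the same effect on the script that sources it. If failing hard is intended, a comment saying so would help.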
+++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb @@ -20,6 +20,7 @@ SRC_URI += " \ file://gbmc-ncsi-br-pub-addr.sh.in \ file://gbmc-ncsi-br-deprecated-ips.sh.in \ file://gbmc-ncsi-set-nicenabled.service.in \ + file://gbmc-ncsi-clear-ip.sh.in \ " S = "${WORKDIR}" @@ -36,6 +37,7 @@ RDEPENDS:${PN} += " \ " FILES:${PN} += " \ + ${datadir}/gbmc-br-dhcp \ ${datadir}/gbmc-ip-monitor \ ${systemd_unitdir} \ " @@ -105,6 +107,12 @@ do_install:append() { >${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh install -m644 ${WORKDIR}/gbmc-ncsi-br-deprecated-ips.sh $mondir + dhcpdir=${D}${datadir}/gbmc-br-dhcp/ + install -d -m0755 $dhcpdir + sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-clear-ip.sh.in \ + >${WORKDIR}/gbmc-ncsi-clear-ip.sh + install -m644 ${WORKDIR}/gbmc-ncsi-clear-ip.sh $dhcpdir + sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-set-nicenabled.service.in \ >${D}${systemd_system_unitdir}/gbmc-ncsi-set-nicenabled.service diff --git a/meta-google/recipes-google/networking/gbmc-bridge.bb b/meta-google/recipes-google/networking/gbmc-bridge.bb index dea14f00b..5f79d468a 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge.bb +++ b/meta-google/recipes-google/networking/gbmc-bridge.bb @@ -20,6 +20,8 @@ SRC_URI += " \ file://gbmc-br-ensure-ra.service \ file://gbmc-br-gw-src.sh \ file://gbmc-br-nft.sh \ + file://gbmc-br-dhcp.sh \ + file://gbmc-br-dhcp.service \ " FILES:${PN}:append = " \ @@ -37,7 +39,10 @@ RDEPENDS:${PN}:append = " \ ndisc6-rdisc6 \ " -SYSTEMD_SERVICE:${PN} += "gbmc-br-ensure-ra.service" +SYSTEMD_SERVICE:${PN} += " \ + gbmc-br-ensure-ra.service \ + gbmc-br-dhcp.service \ + " GBMC_BR_MAC_ADDR ?= "" 
@@ -94,8 +99,10 @@ do_install() { install -d -m0755 ${D}${libexecdir} install -m0755 ${WORKDIR}/gbmc-br-ensure-ra.sh ${D}${libexecdir}/ + install -m0755 ${WORKDIR}/gbmc-br-dhcp.sh ${D}${libexecdir}/ install -d -m0755 ${D}${systemd_system_unitdir} install -m0755 ${WORKDIR}/gbmc-br-ensure-ra.service ${D}${systemd_system_unitdir}/ + install -m0755 ${WORKDIR}/gbmc-br-dhcp.service ${D}${systemd_system_unitdir}/ } do_rm_work:prepend() { diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service new file mode 100644 index 000000000..145f84b93 --- /dev/null +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service @@ -0,0 +1,13 @@ +[Unit] +Description=gBMC DHCP Client +After=network.target +StartLimitIntervalSec=10 +StartLimitBurst=3 + +[Service] +Restart=always +RestartSec=5 +ExecStart=/usr/bin/udhcpc6 -f -q -O bootfile_url -O bootfile_param -i gbmcbr -s /usr/libexec/gbmc-br-dhcp.sh + +[Install] +WantedBy=multi-user.target diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh new file mode 100644 index 000000000..beccc8658 --- /dev/null +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh 
@@ -0,0 +1,96 @@ +#!/bin/bash +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# A list of functions which get executed for each bound DHCP lease. +# These are configured by the files included below. +GBMC_BR_DHCP_HOOKS=() + +# Load configurations from a known location in the filesystem to populate +# hooks that are executed after each event. +shopt -s nullglob +for conf in /usr/share/gbmc-br-dhcp/*.sh; do + # SC doesn't like dynamic source loading + # shellcheck disable=SC1090 + source "$conf" +done + +gbmc_br_dhcp_run_hooks() { + local hook + for hook in "${GBMC_BR_DHCP_HOOKS[@]}"; do + "$hook" || continue + done +} + +# SC can't find this path during repotest +# shellcheck disable=SC1091 +source /usr/share/network/lib.sh || exit + +if [ "$1" = bound ]; then + # Variable is from the environment via udhcpc6 + # shellcheck disable=SC2154 + echo "DHCPv6(gbmcbr): $ipv6/128" >&2 + + pfx_bytes=() + ip_to_bytes pfx_bytes "$ipv6" + # Ensure we are a BMC and have a suffix nibble, the 0th index is reserved + if (( pfx_bytes[8] != 0xfd || pfx_bytes[9] & 0xf == 0 )); then + echo "Invalid address" >&2 + exit + fi + # Ensure we don't have more than a /80 address + for (( i = 10; i < 16; ++i )); do + if (( pfx_bytes[i] != 0 )); then + echo "Invalid address" >&2 + exit + fi + done + + pfx="$(ip_bytes_to_str pfx_bytes)" + (( pfx_bytes[9] &= 0xf0 )) + stateless_pfx="$(ip_bytes_to_str pfx_bytes)" + read -r -d '' contents <"$file" + done + + # Ensure that 
systemd-networkd performs a reconfiguration as it doesn't + # currently check the mtime of drop-in files. + touch -c /lib/systemd/network/*-bmc-gbmcbr.network + + if [ "$(systemctl is-active systemd-networkd)" != 'inactive' ]; then + networkctl reload && networkctl reconfigure gbmcbr + fi + + gbmc_br_dhcp_run_hooks +fi -- cgit v1.2.3 From e2e667473e93a48bee69722dea603418d0c60591 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 23 Nov 2021 12:00:36 -0800 Subject: meta-google: gbmc-ncsi-config: Rename address clear rules This ensures they are run prior to running other DHCP configuration logic. Change-Id: I0180414bbc291ea49e548a312cd2b713344613e1 Signed-off-by: William A. Kennington III --- .../ncsi/files/25-gbmc-ncsi-clear-ip.sh.in | 26 ++++++++++++++++++++++ .../ncsi/files/gbmc-ncsi-clear-ip.sh.in | 26 ---------------------- .../recipes-google/ncsi/gbmc-ncsi-config.bb | 8 +++---- 3 files changed, 30 insertions(+), 30 deletions(-) create mode 100644 meta-google/recipes-google/ncsi/files/25-gbmc-ncsi-clear-ip.sh.in delete mode 100644 meta-google/recipes-google/ncsi/files/gbmc-ncsi-clear-ip.sh.in (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/ncsi/files/25-gbmc-ncsi-clear-ip.sh.in b/meta-google/recipes-google/ncsi/files/25-gbmc-ncsi-clear-ip.sh.in new file mode 100644 index 000000000..e17a5e200 --- /dev/null +++ b/meta-google/recipes-google/ncsi/files/25-gbmc-ncsi-clear-ip.sh.in 
@@ -0,0 +1,26 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[ -z "${gbmc_ncsi_clear_ip-}" ] || exit
+
+source /usr/libexec/ncsid_lib.sh || exit
+
+gbmc_ncsi_clear_ip_hook() {
+ UpdateIP xyz.openbmc_project.Network '@NCSI_IF@' '0.0.0.0' '0' || true
+ UpdateIP xyz.openbmc_project.Network '@NCSI_IF@' '::' '0' || true
+}
+
+GBMC_BR_DHCP_HOOKS+=(gbmc_ncsi_clear_ip_hook)
+
+gbmc_ncsi_clear_ip=1
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-clear-ip.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-clear-ip.sh.in
deleted file mode 100644
index e17a5e200..000000000
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-clear-ip.sh.in
+++ /dev/null
@@ -1,26 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -[ -z "${gbmc_ncsi_clear_ip-}" ] || exit - -source /usr/libexec/ncsid_lib.sh || exit - -gbmc_ncsi_clear_ip_hook() { - UpdateIP xyz.openbmc_project.Network '@NCSI_IF@' '0.0.0.0' '0' || true - UpdateIP xyz.openbmc_project.Network '@NCSI_IF@' '::' '0' || true -} - -GBMC_BR_DHCP_HOOKS+=(gbmc_ncsi_clear_ip_hook) - -gbmc_ncsi_clear_ip=1 diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb index 6e2582495..0312f0502 100644 --- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb +++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb @@ -20,7 +20,7 @@ SRC_URI += " \ file://gbmc-ncsi-br-pub-addr.sh.in \ file://gbmc-ncsi-br-deprecated-ips.sh.in \ file://gbmc-ncsi-set-nicenabled.service.in \ - file://gbmc-ncsi-clear-ip.sh.in \ + file://25-gbmc-ncsi-clear-ip.sh.in \ " S = "${WORKDIR}" 
@@ -109,9 +109,9 @@ do_install:append() { dhcpdir=${D}${datadir}/gbmc-br-dhcp/ install -d -m0755 $dhcpdir - sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-clear-ip.sh.in \ - >${WORKDIR}/gbmc-ncsi-clear-ip.sh - install -m644 ${WORKDIR}/gbmc-ncsi-clear-ip.sh $dhcpdir + sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/25-gbmc-ncsi-clear-ip.sh.in \ + >${WORKDIR}/25-gbmc-ncsi-clear-ip.sh + install -m644 ${WORKDIR}/25-gbmc-ncsi-clear-ip.sh $dhcpdir sed "s,@NCSI_IF@,$if_name,g" ${WORKDIR}/gbmc-ncsi-set-nicenabled.service.in \ >${D}${systemd_system_unitdir}/gbmc-ncsi-set-nicenabled.service -- cgit v1.2.3 From 2f5e1695c9f967e8d11415502b1c08affd8955a4 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Fri, 5 Nov 2021 01:31:59 -0700 Subject: meta-google: gbmc-ncsi-config: Fix missing include We use functions from the network-sh library and need to include it. Change-Id: I7f78b7dd37c4e5d38342c4625c26c4b583133bf5 Signed-off-by: William A. Kennington III --- meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 2 ++ 1 file changed, 2 insertions(+) (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in index da6f27a79..796e40584 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in @@ -14,6 +14,8 @@ [ -z "${gbmc_ncsi_br_deprecated_ips_lib-}" ] || return +source /usr/share/network/lib.sh || exit + gbmc_ncsi_br_deprecated_ips_init= gbmc_ncsi_br_deprecated_ips_confip= gbmc_ncsi_br_deprecated_ips_lastip= -- cgit v1.2.3 From 3dbea9350f23bbf2a4b3909e1d6bab157edba7fc Mon Sep 17 00:00:00 2001 
From: "William A. Kennington III" Date: Fri, 5 Nov 2021 01:31:59 -0700 Subject: meta-google: gbmc-bridge: Add stateless deprecated addresses We were missing this address but we want neighbor discovery from outside the BMC to work against this range. Change-Id: I6ef139486f382df21596c460626bfe2f692c7236 Signed-off-by: William A. Kennington III --- .../recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in index 796e40584..7b0702570 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in @@ -34,6 +34,8 @@ gbmc_ncsi_br_deprecated_ips_update() { ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip" local pfx="$(ip_bytes_to_str pfx_bytes)" + (( pfx_bytes[9] &= 0xf0 )) + local stateless_pfx="$(ip_bytes_to_str pfx_bytes)" pfx_bytes[8]=0 pfx_bytes[9]=0 local host_pfx="$(ip_bytes_to_str pfx_bytes)" @@ -42,6 +44,9 @@ gbmc_ncsi_br_deprecated_ips_update() { Address=$pfx/128 PreferredLifetime=0 [Address] +Address=$stateless_pfx/128 +PreferredLifetime=0 +[Address] Address=$host_pfx/128 PreferredLifetime=0 EOF -- cgit v1.2.3 From b823f89c8cd0da678c78e242bf12c25f414d0697 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 23 Nov 2021 20:54:56 -0800 Subject: meta-google: gbmc-ncsi-config: Fix deprecated address nft The nft rules were not deleted in cases where the public addresses are removed from the gbmc-br interface. This would create broken rules. Change-Id: I22a88f1fb15ccbea49e586061ea8e93bbbfb1bc1 
Signed-off-by: William A. Kennington III --- .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 29 +++++++++++++--------- 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in index 7b0702570..677ef28c3 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in @@ -29,6 +29,7 @@ gbmc_ncsi_br_deprecated_ips_update() { "${gbmc_ncsi_br_deprecated_ips_lastip:-(deleted)}" >&2 local contents= + local nfcontents= if [ -n "$gbmc_ncsi_br_deprecated_ips_lastip" ]; then local pfx_bytes=() ip_to_bytes pfx_bytes "$gbmc_ncsi_br_deprecated_ips_lastip" @@ -49,6 +50,16 @@ PreferredLifetime=0 [Address] Address=$host_pfx/128 PreferredLifetime=0 +EOF + read -r -d '' nfcontents <"$rfile" + if [ -z "$nfcontents" ]; then + rm -f "$rfile" + else + printf '%s' "$nfcontents" >"$rfile" + fi systemctl reset-failed nftables && systemctl --no-block restart nftables || true } -- cgit v1.2.3 From d1a214d0e2516524475ee45ae860d7aa0f2b3e10 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Mon, 6 Dec 2021 15:26:46 -0800 Subject: meta-google: gbmc-bridge: Request hostname via DHCP Change-Id: If3dacbfde966de337702b44b9b06b3eb21755546 Signed-off-by: William A. Kennington III --- .../recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service | 2 +- meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service index 145f84b93..7eb0ce075 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service 
+++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.service @@ -7,7 +7,7 @@ StartLimitBurst=3 [Service] Restart=always RestartSec=5 -ExecStart=/usr/bin/udhcpc6 -f -q -O bootfile_url -O bootfile_param -i gbmcbr -s /usr/libexec/gbmc-br-dhcp.sh +ExecStart=/usr/bin/udhcpc6 -f -q -O fqdn -O bootfile_url -O bootfile_param -i gbmcbr -s /usr/libexec/gbmc-br-dhcp.sh [Install] WantedBy=multi-user.target diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh index beccc8658..42a077d09 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-dhcp.sh @@ -92,5 +92,10 @@ EOF networkctl reload && networkctl reconfigure gbmcbr fi + if [ -n "${fqdn-}" ]; then + echo "Using hostname $fqdn" >&2 + hostnamectl set-hostname "$fqdn" || true + fi + gbmc_br_dhcp_run_hooks fi -- cgit v1.2.3 From 7843a81ebc3592ec45793964880328937305b8c2 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Thu, 9 Dec 2021 14:17:10 -0800 Subject: gbmc-ncsi-config: Stop ncsid if special RA is received The receipt of the RA is indicative of a non-NCSI configuration so we can shut down the daemon in this instance. Change-Id: Iff958be408cff853973bd335f2459cd3d9bca0e0 Signed-off-by: William A. Kennington III --- meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in | 3 +++ 1 file changed, 3 insertions(+) (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in index 6144617d4..2788f7f19 100755 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-ip-from-ra.sh.in 
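Review bot: The new `fqdn` block in gbmc-br-dhcp.sh passes a DHCPv6-supplied value to `hostnamectl set-hostname` and to the log line with no check in the script. Whoever answers DHCPv6 on gbmcbr then chooses the BMC's hostname, and whether udhcpc6 sanitises the option before exporting it is not visible here. A shape check in the condition would bound that, for example `if [[ "${fqdn-}" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$ ]]; then` in place of the `-n` test (pattern constructed for this note). A short comment on why the server's name is trusted would also help. The enclosing `if [ "$1" = bound ]` block starts outside the hunk.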
@@ -41,6 +41,9 @@ set_net() { echo "Found prefix $pfx from $rtr" >&2 + # We no longer need NCSId if we are in this configuration + systemctl stop --no-block ncsid@"$NCSI_IF" || true + # Delete any stale IP Addresses from the primary interface as we won't use them UpdateIP xyz.openbmc_project.Network "$NCSI_IF" '0.0.0.0' '0' || true UpdateIP xyz.openbmc_project.Network "$NCSI_IF" '::' '0' || true -- cgit v1.2.3 From 1985ad8758e779604e743ae5b545fb07e6232e99 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 10 Dec 2021 23:40:14 +0000 Subject: google-misc: srcrev bump 379b061ffd..ddf93d57c1 Patrick Williams (3): nemora-postd: fix compile fail sdbusplus: remove usage of deprecated alias MAINTAINERS: fix syntax William A. Kennington III (2): ncsid: Only log errors a single time ncsid: update_ra_gw: Fix SIGTERM handling Change-Id: I6af4e21f61b4e126979cac3042bfac72516f62e3 Signed-off-by: Andrew Geissler --- meta-google/recipes-google/google-misc/google-misc.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/google-misc/google-misc.inc b/meta-google/recipes-google/google-misc/google-misc.inc index 49535873b..cd2c37975 100644 --- a/meta-google/recipes-google/google-misc/google-misc.inc +++ b/meta-google/recipes-google/google-misc/google-misc.inc @@ -6,7 +6,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://../../LICENSE;md5=34400b68072d710fecd0a2940a0d1658" SRC_URI += "git://github.com/openbmc/google-misc" -SRCREV = "379b061ffdd797d00c07acf0b5cb81e1f6513bca" +SRCREV = "ddf93d57c15ad453ba1498ab8553302c0361dfbe" S = "${WORKDIR}/git/subprojects/${GOOGLE_MISC_PROJ}" inherit meson -- cgit v1.2.3 From bdccd86cc18f9dba43fb488797f91d941035254f Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 15 Dec 2021 13:51:55 -0800 Subject: meta-google: gbmc-bridge: Fix service permissions Change-Id: I5fc6db2510b9c27d8d2ce27304e0a5e821015fb3 
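Review bot: The added `systemctl stop --no-block ncsid@"$NCSI_IF" || true` in set_net() stops the NCSI daemon on receipt of the RA, and nothing in the hunk logs that it did so or shows what starts the unit again. Router advertisements are unauthenticated link traffic, so the comment should say where the special RA is matched and what brings ncsid back if that RA stops arriving. The matching code is outside this hunk, so this may already be handled. At minimum I would log the action before the stop with `echo "Stopping ncsid@$NCSI_IF" >&2`. The body of set_net() begins and continues outside the hunk.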
Signed-off-by: William A. Kennington III --- meta-google/recipes-google/networking/gbmc-bridge.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/networking/gbmc-bridge.bb b/meta-google/recipes-google/networking/gbmc-bridge.bb index 5f79d468a..509d871d9 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge.bb +++ b/meta-google/recipes-google/networking/gbmc-bridge.bb @@ -101,8 +101,8 @@ do_install() { install -m0755 ${WORKDIR}/gbmc-br-ensure-ra.sh ${D}${libexecdir}/ install -m0755 ${WORKDIR}/gbmc-br-dhcp.sh ${D}${libexecdir}/ install -d -m0755 ${D}${systemd_system_unitdir} - install -m0755 ${WORKDIR}/gbmc-br-ensure-ra.service ${D}${systemd_system_unitdir}/ - install -m0755 ${WORKDIR}/gbmc-br-dhcp.service ${D}${systemd_system_unitdir}/ + install -m0644 ${WORKDIR}/gbmc-br-ensure-ra.service ${D}${systemd_system_unitdir}/ + install -m0644 ${WORKDIR}/gbmc-br-dhcp.service ${D}${systemd_system_unitdir}/ } do_rm_work:prepend() { -- cgit v1.2.3 From 7356f8ebcb6b0e4c06018c748b7c5771b41e007e Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 15 Dec 2021 02:21:52 -0800 Subject: meta-google: nftables: Make rule loading atomic This ensures that all of the rules are processed and unexpected packets are not allowed or blocked by the kernel at any time. Change-Id: Ia7bb1d7f604f8ed1bd9759a23e370d20cb0c690d Signed-off-by: William A. Kennington III --- .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 2 +- meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 4 +--- .../recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh | 4 +--- meta-google/recipes-google/nftables/files/nft-configure.sh | 14 +++++++++----- meta-google/recipes-google/nftables/files/nftables.service | 1 + 5 files changed, 13 insertions(+), 12 deletions(-) (limited to 'meta-google/recipes-google') 
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in index 677ef28c3..9d9f7899e 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in @@ -88,7 +88,7 @@ EOF else printf '%s' "$nfcontents" >"$rfile" fi - systemctl reset-failed nftables && systemctl --no-block restart nftables || true + systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true } gbmc_ncsi_br_deprecated_ips_hook() { diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in index 30b2b65e4..074ec5785 100644 --- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in +++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in @@ -46,9 +46,7 @@ gbmc_ncsi_nft_update() { mkdir -p -m 755 "$(dirname "$rfile")" printf '%s' "$contents" >"$rfile" - echo 'Restarting nftables' >&2 - systemctl reset-failed nftables - systemctl --no-block restart nftables + systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true } gbmc_ncsi_nft_hook() { diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh index 980f7b6d6..ca4e15a1f 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh @@ -37,9 +37,7 @@ gbmc_br_nft_update() { mkdir -p -m 755 "$(dirname "$rfile")" printf '%s' "$contents" >"$rfile" - echo 'Restarting nftables' >&2 - systemctl reset-failed nftables - systemctl --no-block restart nftables + systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true } gbmc_br_nft_hook() { 
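Review bot: In `systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true` the reload only runs when `reset-failed` succeeds. If that first command returns non-zero (for instance when the unit is not loaded yet), the rules just written to `$rfile` are never applied and `|| true` hides it. The same line appears in all three hunks of this commit (gbmc-ncsi-br-deprecated-ips.sh.in, gbmc-ncsi-nft.sh.in, gbmc-br-nft.sh), and the latter two also drop the 'Restarting nftables' log line. I would split it into `systemctl reset-failed nftables || true` followed by `systemctl --no-block reload-or-restart nftables || echo 'Failed to queue nftables reload' >&2`. Each update function starts outside its hunk.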
diff --git a/meta-google/recipes-google/nftables/files/nft-configure.sh b/meta-google/recipes-google/nftables/files/nft-configure.sh index 05bb23d8b..8c8e058b7 100644 --- a/meta-google/recipes-google/nftables/files/nft-configure.sh +++ b/meta-google/recipes-google/nftables/files/nft-configure.sh @@ -8,10 +8,14 @@ for dir in /run/nftables /etc/nftables /usr/share/nftables; do done let i+=1 done -rc=0 -nft flush ruleset || rc=$? + +rules="" +trap 'rm -f -- "$rules"' TERM INT EXIT ERR +rules="$(mktemp)" || exit +echo 'flush ruleset' >"$rules" for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do - echo "Executing ${basemap[$key]}" >&2 - nft -f "${basemap[$key]}" || rc=$? + echo "Loading ${basemap[$key]}" >&2 + echo '' >>"$rules" + cat "${basemap[$key]}" >>"$rules" done -exit $rc +nft -f "$rules" || exit diff --git a/meta-google/recipes-google/nftables/files/nftables.service b/meta-google/recipes-google/nftables/files/nftables.service index 770a3d3ac..1a93812b8 100644 --- a/meta-google/recipes-google/nftables/files/nftables.service +++ b/meta-google/recipes-google/nftables/files/nftables.service @@ -5,6 +5,7 @@ Before=network-pre.target Type=oneshot RemainAfterExit=yes ExecStart=/usr/libexec/nft-configure.sh +ExecReload=/usr/libexec/nft-configure.sh ExecStop=/usr/sbin/nft flush ruleset [Install] -- cgit v1.2.3 From 2696b0a16ced82722525754d241b5fb5f80790fd Mon Sep 17 00:00:00 2001 From: Willy Tu Date: Sat, 14 Aug 2021 18:38:58 -0700 Subject: meta-google: Add new system.conf for gbmc-systemd-config Add systemd.conf options for watchdog to replace watchdog-conf ``` // interval is 60s by default interval = 10 watchdog-device = /dev/watchdog // The value is in pages. They are presently 4KiB each. // Reset the BMC if it goes below 3MiB min-memory = 768 ``` Tested: ``` $ cat /lib/systemd/system.conf.d/40-system.conf [Manager] DefaultMemoryAccounting=yes RuntimeWatchdogSec=10s WatchdogDevice=/dev/watchdog ``` Change-Id: I51171746669dfeb1efe6c09952efa3457e33c86b 
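Review bot: In nft-configure.sh a fragment that cannot be read no longer fails the run, because `cat "${basemap[$key]}" >>"$rules"` is unchecked. The combined file is then loaded without that fragment and the script exits 0, where the old loop recorded the failure in `rc`. The hook scripts in this series remove and rewrite their rule files, which appear to live under the scanned directories, so a file can disappear between the scan and the `cat`. Unless `set -e` is active above the hunk, the `ERR` trap makes this worse: it deletes `$rules` mid-build and the next `>>` recreates it without the `flush ruleset` line. I would use `cat "${basemap[$key]}" >>"$rules" || exit` and drop `ERR` from the trap, `trap 'rm -f -- "$rules"' TERM INT EXIT`; the start of the script is outside the hunk.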
Signed-off-by: Willy Tu --- meta-google/recipes-google/systemd/files/40-system.conf | 4 ++++ meta-google/recipes-google/systemd/gbmc-systemd-config.bb | 5 +++++ 2 files changed, 9 insertions(+) create mode 100644 meta-google/recipes-google/systemd/files/40-system.conf (limited to 'meta-google/recipes-google') diff --git a/meta-google/recipes-google/systemd/files/40-system.conf b/meta-google/recipes-google/systemd/files/40-system.conf new file mode 100644 index 000000000..5f770d01f --- /dev/null +++ b/meta-google/recipes-google/systemd/files/40-system.conf @@ -0,0 +1,4 @@ +[Manager] +DefaultMemoryAccounting=yes +RuntimeWatchdogSec=10s +WatchdogDevice=/dev/watchdog diff --git a/meta-google/recipes-google/systemd/gbmc-systemd-config.bb b/meta-google/recipes-google/systemd/gbmc-systemd-config.bb index 6e26fc99d..843053bc8 100644 --- a/meta-google/recipes-google/systemd/gbmc-systemd-config.bb +++ b/meta-google/recipes-google/systemd/gbmc-systemd-config.bb @@ -11,11 +11,13 @@ SRC_URI:append = " \ file://firmware-updates.target \ file://firmware-updates-pre.target \ file://40-gbmc-forward.conf \ + file://40-system.conf \ " FILES:${PN}:append = " \ ${systemd_unitdir}/coredump.conf.d/40-gbmc-coredump.conf \ ${systemd_unitdir}/resolved.conf.d/40-gbmc-nomdns.conf \ + ${systemd_unitdir}/system.conf.d/40-system.conf \ ${libdir}/sysctl.d/40-gbmc-forward.conf \ " @@ -44,6 +46,9 @@ do_install() { install -d -m0755 ${D}${libdir}/sysctl.d install -m 0644 ${WORKDIR}/40-gbmc-forward.conf ${D}${libdir}/sysctl.d/ + + install -d -m 0755 ${D}${systemd_unitdir}/system.conf.d/ + install -D -m0644 ${WORKDIR}/40-system.conf ${D}${systemd_unitdir}/system.conf.d/ } do_install:append:dev() { -- cgit v1.2.3
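Review bot: 40-system.conf carries no comment, and the commit message is the only place that says it replaces watchdog.conf. The old settings listed there include `min-memory = 768`, and nothing in the new file reproduces that low-memory reset. As far as this file shows, `DefaultMemoryAccounting=yes` only turns accounting on. Unless the reset is handled elsewhere, a header such as `# Replaces watchdog.conf: 10s hardware watchdog; the min-memory reset is not carried over` would record that for whoever later audits the BMC's recovery behaviour.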
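Review bot: In the second gbmc-systemd-config.bb hunk, `install -D` is redundant after the `install -d` on the line before it, and the spacing of `-m` differs between the two lines. The sysctl.d install just above uses the plain form, so `install -m 0644 ${WORKDIR}/40-system.conf ${D}${systemd_unitdir}/system.conf.d/` would match it. do_install starts outside the hunk.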