authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-08-28 13:03:51 -0700
committerGitHub <noreply@github.com>2019-08-28 13:03:51 -0700
commit9926a299f72474e456ed3f0bb51d19613e195c8d (patch)
tree1dcc47d32093242f0798d0c9788e92ec8ed10103
parentbdf9e568134c37f02f662080cfe32f7ca98710c9 (diff)
parente06f17f58030a925c7d175dfccd09b2b3cff55e2 (diff)
Merge pull request #3892 from cevich/google_vpc
Cirrus: Block CNI use of google VPCs
-rw-r--r--contrib/cirrus/99-do-not-use-google-subnets.conflist21
-rw-r--r--contrib/cirrus/lib.sh16
-rwxr-xr-xcontrib/cirrus/setup_environment.sh5
3 files changed, 33 insertions, 9 deletions
diff --git a/contrib/cirrus/99-do-not-use-google-subnets.conflist b/contrib/cirrus/99-do-not-use-google-subnets.conflist
new file mode 100644
index 000000000..e9ab638ed
--- /dev/null
+++ b/contrib/cirrus/99-do-not-use-google-subnets.conflist
@@ -0,0 +1,21 @@
+{
+ "cniVersion": "0.4.0",
+ "name": "do-not-use-google-subnets",
+ "plugins": [
+ {
+ "type": "bridge",
+ "name": "do-not-use-google-subnets",
+ "bridge": "do-not-use-google-subnets",
+ "ipam": {
+ "type": "host-local",
+ "ranges": [
+ [
+ {
+ "subnet": "10.128.0.0/9"
+ }
+ ]
+ ]
+ }
+ }
+ ]
+}
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index a20ee5a62..47fee878a 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -321,13 +321,15 @@ EOF
install_test_configs(){
echo "Installing cni config, policy and registry config"
- req_env_var GOSRC
- sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \
- /etc/cni/net.d/87-podman-bridge.conflist
- sudo install -D -m 755 $GOSRC/test/policy.json \
- /etc/containers/policy.json
- sudo install -D -m 755 $GOSRC/test/registries.conf \
- /etc/containers/registries.conf
+ req_env_var GOSRC SCRIPT_BASE
+ cd $GOSRC
+ install -v -D -m 644 ./cni/87-podman-bridge.conflist /etc/cni/net.d/
+ # This config must always sort last in the list of networks (podman picks first one
+ # as the default). This config prevents allocation of network address space used
+ # by default in google cloud. https://cloud.google.com/vpc/docs/vpc#ip-ranges
+ install -v -D -m 644 $SCRIPT_BASE/99-do-not-use-google-subnets.conflist /etc/cni/net.d/
+ install -v -D -m 644 ./test/policy.json /etc/containers/
+ install -v -D -m 644 ./test/registries.conf /etc/containers/
}
# Remove all files (except conmon, for now) provided by the distro version of podman.
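Review bot: `cd $GOSRC` in install_test_configs is unquoted and unchecked, and the installs after it use paths relative to it, so if the cd fails and the caller is not running under `set -e` (not visible here), `./test/policy.json` and `./test/registries.conf` would be taken from whatever directory the caller happens to be in. Those two files set the host's image trust policy and registry list, so their source should be unambiguous; the cd also changes the working directory of setup_environment.sh, which sources this file. I would drop the cd and use absolute, quoted sources, e.g. `install -v -D -m 644 "$GOSRC/test/policy.json" /etc/containers/` and `"$SCRIPT_BASE/99-do-not-use-google-subnets.conflist"`. Separately, GNU install only documents `-D` as creating a missing destination directory when it is given as `-t /etc/cni/net.d/`, so on a host without that directory the trailing-slash form may fail.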
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 416a96c4e..463647d2f 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -61,8 +61,7 @@ esac
# Reload to incorporate any changes from above
source "$SCRIPT_BASE/lib.sh"
-install_test_configs
-
+# Must execute before possible setup_rootless()
make install.tools
case "$SPECIALMODE" in
@@ -97,3 +96,5 @@ case "$SPECIALMODE" in
*)
die 111 "Unsupported \$SPECIALMODE: $SPECIALMODE"
esac
+
+install_test_configs
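Review bot: The relocated `install_test_configs` call at the end of the file has no comment explaining why it must now run after the `$SPECIALMODE` case, unlike `make install.tools`, which gained one in the earlier hunk of this file. Because lib.sh in this same commit drops `sudo` from every `install` in that function, the call also depends on the script still running as root at this point, which cannot be confirmed from the hunk. I would add something like `# Writes /etc/cni/net.d and /etc/containers directly (no sudo); must run as root` above the call, and have the author state the ordering reason there as well.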