author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-08-28 13:03:51 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-08-28 13:03:51 -0700 |
commit | 9926a299f72474e456ed3f0bb51d19613e195c8d (patch) | |
tree | 1dcc47d32093242f0798d0c9788e92ec8ed10103 /contrib | |
parent | bdf9e568134c37f02f662080cfe32f7ca98710c9 (diff) | |
parent | e06f17f58030a925c7d175dfccd09b2b3cff55e2 (diff) | |
download | podman-9926a299f72474e456ed3f0bb51d19613e195c8d.tar.gz podman-9926a299f72474e456ed3f0bb51d19613e195c8d.tar.bz2 podman-9926a299f72474e456ed3f0bb51d19613e195c8d.zip |
Merge pull request #3892 from cevich/google_vpc
Cirrus: Block CNI use of google VPCs
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/cirrus/99-do-not-use-google-subnets.conflist | 21 | ||||
-rw-r--r-- | contrib/cirrus/lib.sh | 16 | ||||
-rwxr-xr-x | contrib/cirrus/setup_environment.sh | 5 |
3 files changed, 33 insertions, 9 deletions
diff --git a/contrib/cirrus/99-do-not-use-google-subnets.conflist b/contrib/cirrus/99-do-not-use-google-subnets.conflist
new file mode 100644
index 000000000..e9ab638ed
--- /dev/null
+++ b/contrib/cirrus/99-do-not-use-google-subnets.conflist
@@ -0,0 +1,21 @@
+{
+ "cniVersion": "0.4.0",
+ "name": "do-not-use-google-subnets",
+ "plugins": [
+ {
+ "type": "bridge",
+ "name": "do-not-use-google-subnets",
+ "bridge": "do-not-use-google-subnets",
+ "ipam": {
+ "type": "host-local",
+ "ranges": [
+ [
+ {
+ "subnet": "10.128.0.0/9"
+ }
+ ]
+ ]
+ }
+ }
+ ]
+}
diff --git a/contrib/cirrus/lib.sh b/contrib/cirrus/lib.sh
index a20ee5a62..47fee878a 100644
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@@ -321,13 +321,15 @@ EOF
 install_test_configs(){
 echo "Installing cni config, policy and registry config"
- req_env_var GOSRC
- sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \
- /etc/cni/net.d/87-podman-bridge.conflist
- sudo install -D -m 755 $GOSRC/test/policy.json \
- /etc/containers/policy.json
- sudo install -D -m 755 $GOSRC/test/registries.conf \
- /etc/containers/registries.conf
+ req_env_var GOSRC SCRIPT_BASE
+ cd $GOSRC
+ install -v -D -m 644 ./cni/87-podman-bridge.conflist /etc/cni/net.d/
+ # This config must always sort last in the list of networks (podman picks first one
+ # as the default). This config prevents allocation of network address space used
+ # by default in google cloud. https://cloud.google.com/vpc/docs/vpc#ip-ranges
+ install -v -D -m 644 $SCRIPT_BASE/99-do-not-use-google-subnets.conflist /etc/cni/net.d/
+ install -v -D -m 644 ./test/policy.json /etc/containers/
+ install -v -D -m 644 ./test/registries.conf /etc/containers/
 }
 # Remove all files (except conmon, for now) provided by the distro version of podman.
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index 416a96c4e..463647d2f 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
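Review bot: The `"bridge": "do-not-use-google-subnets"` value in 99-do-not-use-google-subnets.conflist is 25 characters, while Linux interface names are limited to 15, so the bridge plugin could presumably never bring this network up. If that is deliberate, because the file exists only to mark 10.128.0.0/9 as taken, it is worth recording next to the install step in lib.sh, since JSON cannot carry the comment itself. A line such as `# Placeholder network: reserves the range, containers must never attach to it` would do.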
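Review bot: `cd $GOSRC` in install_test_configs (lib.sh hunk) is unquoted and unchecked, and because lib.sh is sourced it also leaves the caller in a different working directory. If the `cd` fails and the script is not running under `set -e` (not visible in this hunk), the relative `./test/policy.json` and `./test/registries.conf` would be resolved against whatever directory the shell is in and copied into /etc/containers/ as the image trust policy and registry list. Dropping the `cd` and using quoted absolute sources avoids both problems, e.g. `install -v -D -m 644 "$GOSRC/test/policy.json" /etc/containers/`, with `"$SCRIPT_BASE/99-do-not-use-google-subnets.conflist"` quoted the same way. The commit also drops `sudo`, so a comment such as `# Requires root: writes to /etc/cni and /etc/containers` would make that assumption explicit.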
@@ -61,8 +61,7 @@ esac # Reload to incorporate any changes from above source "$SCRIPT_BASE/lib.sh" -install_test_configs - +# Must execute before possible setup_rootless() make install.tools case "$SPECIALMODE" in @@ -97,3 +96,5 @@ case "$SPECIALMODE" in *) die 111 "Unsupported \$SPECIALMODE: $SPECIALMODE" esac + +install_test_configs |
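Review bot: The relocated `install_test_configs` call in the second hunk (end of setup_environment.sh) has no comment saying why it must now run after the `case "$SPECIALMODE"` block, while the `make install.tools` line in the first hunk did get one. Something like `# Install configs last: needs root and changes directory to $GOSRC` would record the ordering constraint, if that is the reason; it is inferred from the lib.sh change, not stated on the page. As the last command its exit status also becomes the script's, so unless `set -e` is active only a failure of the final `install` inside the function would be reported.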