diff options
| author | esendjer <esendjer@gmail.com> | 2022-02-11 02:58:53 +0500 |
|---|---|---|
| committer | esendjer <esendjer@gmail.com> | 2022-02-12 21:24:15 +0500 |
| commit | a8928a3caa432c9523070f790eb15b733ab44753 (patch) | |
| tree | 53f1eba5226d2aa9b0455201ad99b799fb7f7bd3 /pkg/machine/ignition.go | |
| parent | 12836a5610ea6d4f6844d4fbdc222b439ccbc746 (diff) | |
| download | podman-a8928a3caa432c9523070f790eb15b733ab44753.tar.gz podman-a8928a3caa432c9523070f790eb15b733ab44753.tar.bz2 podman-a8928a3caa432c9523070f790eb15b733ab44753.zip | |
ignition: propagate proxy settings from a host into a vm
Set proxy settings (such as `HTTP_PROXY`, and others)
for the whole guest OS with setting up `DefaultEnvironment`
with a `systemd` configuration file `default-env.conf`,
a `profile.d` scenario file - `default-env.sh` and
a `environment.d` configuration file `default-env.conf`
The **actual** environment variables are read by podman
at a start, then they are encrypted with base64 into
a single string and after are provided into a VM through
QEMU Firmware Configuration (fw_cfg) Device
Inside a VM a systemd service `envset-fwcfg.service`
reads the providead encrypted string from fw_cfg, decrypts
and then adds to the files
- `/etc/systemd/system.conf.d/default-env.conf`
- `/etc/profile.d/default-env.sh`
- `/etc/environment.d/default-env.conf`
At the end this service execute `systemctl daemon-reload`
to propagate new variables for systemd manager
[NO NEW TESTS NEEDED]
Closes #13168
Signed-off-by: esendjer <esendjer@gmail.com>
Diffstat (limited to 'pkg/machine/ignition.go')
| -rw-r--r-- | pkg/machine/ignition.go | 85 |
1 files changed, 63 insertions, 22 deletions
diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go index 206c9144f..47b1836f0 100644 --- a/pkg/machine/ignition.go +++ b/pkg/machine/ignition.go @@ -145,7 +145,42 @@ ExecStartPost=/bin/touch /var/lib/%N.stamp [Install] WantedBy=default.target - ` +` + // This service gets environment variables that are provided + // through qemu fw_cfg and then sets them into systemd/system.conf.d, + // profile.d and environment.d files + // + // Currently, it is used for propagating + // proxy settings e.g. HTTP_PROXY and others, on a start avoiding + // a need of re-creating/re-initiating a VM + envset := `[Unit] +Description=Environment setter from QEMU FW_CFG +[Service] +Type=oneshot +RemainAfterExit=yes +Environment=FWCFGRAW=/sys/firmware/qemu_fw_cfg/by_name/opt/com.coreos/environment/raw +Environment=SYSTEMD_CONF=/etc/systemd/system.conf.d/default-env.conf +Environment=ENVD_CONF=/etc/environment.d/default-env.conf +Environment=PROFILE_CONF=/etc/profile.d/default-env.sh +ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} &&\ + echo "[Manager]\n#Got from QEMU FW_CFG\nDefaultEnvironment=$(/usr/bin/base64 -d ${FWCFGRAW} | sed -e "s+|+ +g")\n" > ${SYSTEMD_CONF} ||\ + echo "[Manager]\n#Got nothing from QEMU FW_CFG\n#DefaultEnvironment=\n" > ${SYSTEMD_CONF}' +ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} && (\ + echo "#Got from QEMU FW_CFG"> ${ENVD_CONF};\ + IFS="|";\ + for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\ + echo "$iprxy" >> ${ENVD_CONF}; done ) || \ + echo "#Got nothing from QEMU FW_CFG"> ${ENVD_CONF}' +ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} && (\ + echo "#Got from QEMU FW_CFG"> ${PROFILE_CONF};\ + IFS="|";\ + for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\ + echo "export $iprxy" >> ${PROFILE_CONF}; done ) || \ + echo "#Got nothing from QEMU FW_CFG"> ${PROFILE_CONF}' +ExecStartPost=/usr/bin/systemctl daemon-reload +[Install] +WantedBy=sysinit.target +` _ = ready ignSystemd := Systemd{ Units: []Unit{ @@ -173,6 +208,11 @@ WantedBy=default.target Name: "remove-moby.service", Contents: &deMoby, }, + { + Enabled: boolToPtr(true), + Name: "envset-fwcfg.service", + Contents: &envset, + }, }} ignConfig := Config{ Ignition: ignVersion, @@ -226,6 +266,25 @@ func getDirs(usrName string) []Directory { DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)}, }) + // The directory is used by envset-fwcfg.service + // for propagating environment variables that got + // from a host + dirs = append(dirs, Directory{ + Node: Node{ + Group: getNodeGrp("root"), + Path: "/etc/systemd/system.conf.d", + User: getNodeUsr("root"), + }, + DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)}, + }, Directory{ + Node: Node{ + Group: getNodeGrp("root"), + Path: "/etc/environment.d", + User: getNodeUsr("root"), + }, + DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)}, + }) + return dirs } @@ -363,24 +422,6 @@ Delegate=memory pids cpu io }, }) - setProxyOpts := getProxyVariables() - if setProxyOpts != "" { - files = append(files, File{ - Node: Node{ - Group: getNodeGrp("root"), - Path: "/etc/profile.d/proxy-opts.sh", - User: getNodeUsr("root"), - }, - FileEmbedded1: FileEmbedded1{ - Append: nil, - Contents: Resource{ - Source: encodeDataURLPtr(setProxyOpts), - }, - Mode: intToPtr(0644), - }, - }) - } - setDockerHost := `export DOCKER_HOST="unix://$(podman info -f "{{.Host.RemoteSocket.Path}}")" ` @@ -506,11 +547,11 @@ func prepareCertFile(path string, name string) (File, error) { return file, nil } -func getProxyVariables() string { - proxyOpts := "" +func GetProxyVariables() map[string]string { + proxyOpts := make(map[string]string) for _, variable := range config.ProxyEnv { if value, ok := os.LookupEnv(variable); ok { - proxyOpts += fmt.Sprintf("\n export %s=%s", variable, value) + proxyOpts[variable] = value } } return proxyOpts |