From a8928a3caa432c9523070f790eb15b733ab44753 Mon Sep 17 00:00:00 2001 From: esendjer Date: Fri, 11 Feb 2022 02:58:53 +0500 Subject: ignition: propagate proxy settings from a host into a vm Set proxy settings (such as `HTTP_PROXY`, and others) for the whole guest OS with setting up `DefaultEnvironment` with a `systemd` configuration file `default-env.conf`, a `profile.d` scenario file - `default-env.sh` and a `environment.d` configuration file `default-env.conf` The **actual** environment variables are read by podman at a start, then they are encrypted with base64 into a single string and after are provided into a VM through QEMU Firmware Configuration (fw_cfg) Device Inside a VM a systemd service `envset-fwcfg.service` reads the providead encrypted string from fw_cfg, decrypts and then adds to the files - `/etc/systemd/system.conf.d/default-env.conf` - `/etc/profile.d/default-env.sh` - `/etc/environment.d/default-env.conf` At the end this service execute `systemctl daemon-reload` to propagate new variables for systemd manager [NO NEW TESTS NEEDED] Closes #13168 Signed-off-by: esendjer --- pkg/machine/ignition.go | 85 ++++++++++++++++++++++++++++++++++++------------- 1 file changed, 63 insertions(+), 22 deletions(-) (limited to 'pkg/machine/ignition.go') diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go index 206c9144f..47b1836f0 100644 --- a/pkg/machine/ignition.go +++ b/pkg/machine/ignition.go @@ -145,7 +145,42 @@ ExecStartPost=/bin/touch /var/lib/%N.stamp [Install] WantedBy=default.target - ` +` + // This service gets environment variables that are provided + // through qemu fw_cfg and then sets them into systemd/system.conf.d, + // profile.d and environment.d files + // + // Currently, it is used for propagating + // proxy settings e.g. HTTP_PROXY and others, on a start avoiding + // a need of re-creating/re-initiating a VM + envset := `[Unit] +Description=Environment setter from QEMU FW_CFG +[Service] +Type=oneshot +RemainAfterExit=yes +Environment=FWCFGRAW=/sys/firmware/qemu_fw_cfg/by_name/opt/com.coreos/environment/raw +Environment=SYSTEMD_CONF=/etc/systemd/system.conf.d/default-env.conf +Environment=ENVD_CONF=/etc/environment.d/default-env.conf +Environment=PROFILE_CONF=/etc/profile.d/default-env.sh +ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} &&\ + echo "[Manager]\n#Got from QEMU FW_CFG\nDefaultEnvironment=$(/usr/bin/base64 -d ${FWCFGRAW} | sed -e "s+|+ +g")\n" > ${SYSTEMD_CONF} ||\ + echo "[Manager]\n#Got nothing from QEMU FW_CFG\n#DefaultEnvironment=\n" > ${SYSTEMD_CONF}' +ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} && (\ + echo "#Got from QEMU FW_CFG"> ${ENVD_CONF};\ + IFS="|";\ + for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\ + echo "$iprxy" >> ${ENVD_CONF}; done ) || \ + echo "#Got nothing from QEMU FW_CFG"> ${ENVD_CONF}' +ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} && (\ + echo "#Got from QEMU FW_CFG"> ${PROFILE_CONF};\ + IFS="|";\ + for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\ + echo "export $iprxy" >> ${PROFILE_CONF}; done ) || \ + echo "#Got nothing from QEMU FW_CFG"> ${PROFILE_CONF}' +ExecStartPost=/usr/bin/systemctl daemon-reload +[Install] +WantedBy=sysinit.target +` _ = ready ignSystemd := Systemd{ Units: []Unit{ @@ -173,6 +208,11 @@ WantedBy=default.target Name: "remove-moby.service", Contents: &deMoby, }, + { + Enabled: boolToPtr(true), + Name: "envset-fwcfg.service", + Contents: &envset, + }, }} ignConfig := Config{ Ignition: ignVersion, @@ -226,6 +266,25 @@ func getDirs(usrName string) []Directory { DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)}, }) + // The directory is used by envset-fwcfg.service + // for propagating environment variables that got + // from a host + dirs = append(dirs, Directory{ + Node: Node{ + Group: getNodeGrp("root"), + Path: "/etc/systemd/system.conf.d", + User: getNodeUsr("root"), + }, + DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)}, + }, Directory{ + Node: Node{ + Group: getNodeGrp("root"), + Path: "/etc/environment.d", + User: getNodeUsr("root"), + }, + DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)}, + }) + return dirs } @@ -363,24 +422,6 @@ Delegate=memory pids cpu io }, }) - setProxyOpts := getProxyVariables() - if setProxyOpts != "" { - files = append(files, File{ - Node: Node{ - Group: getNodeGrp("root"), - Path: "/etc/profile.d/proxy-opts.sh", - User: getNodeUsr("root"), - }, - FileEmbedded1: FileEmbedded1{ - Append: nil, - Contents: Resource{ - Source: encodeDataURLPtr(setProxyOpts), - }, - Mode: intToPtr(0644), - }, - }) - } - setDockerHost := `export DOCKER_HOST="unix://$(podman info -f "{{.Host.RemoteSocket.Path}}")" ` @@ -506,11 +547,11 @@ func prepareCertFile(path string, name string) (File, error) { return file, nil } -func getProxyVariables() string { - proxyOpts := "" +func GetProxyVariables() map[string]string { + proxyOpts := make(map[string]string) for _, variable := range config.ProxyEnv { if value, ok := os.LookupEnv(variable); ok { - proxyOpts += fmt.Sprintf("\n export %s=%s", variable, value) + proxyOpts[variable] = value } } return proxyOpts -- cgit v1.2.3-54-g00ecf