Skip to content

Commit

Permalink
ignition: propagate proxy settings from a host into a vm
Browse files Browse the repository at this point in the history
Set proxy settings (such as `HTTP_PROXY`, and others)
for the whole guest OS with setting up `DefaultEnvironment`
with a `systemd` configuration file `default-env.conf`,
a `profile.d` scenario file - `default-env.sh` and
a `environment.d` configuration file `default-env.conf`

The **actual** environment variables are read by podman
at a start, then they are encrypted with base64 into
a single string and after are provided into a VM through
QEMU Firmware Configuration (fw_cfg) Device

Inside a VM a systemd service `envset-fwcfg.service`
reads the providead encrypted string from fw_cfg, decrypts
and then adds to the files
 - `/etc/systemd/system.conf.d/default-env.conf`
 - `/etc/profile.d/default-env.sh`
 - `/etc/environment.d/default-env.conf`
At the end this service execute  `systemctl daemon-reload`
to propagate new variables for systemd manager

[NO NEW TESTS NEEDED]

Closes containers#13168

Signed-off-by: esendjer <[email protected]>
  • Loading branch information
esendjer committed Feb 12, 2022
1 parent 12836a5 commit a8928a3
Show file tree
Hide file tree
Showing 2 changed files with 79 additions and 22 deletions.
85 changes: 63 additions & 22 deletions pkg/machine/ignition.go
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,42 @@ ExecStartPost=/bin/touch /var/lib/%N.stamp
[Install]
WantedBy=default.target
`
`
// This service gets environment variables that are provided
// through qemu fw_cfg and then sets them into systemd/system.conf.d,
// profile.d and environment.d files
//
// Currently, it is used for propagating
// proxy settings e.g. HTTP_PROXY and others, on a start avoiding
// a need of re-creating/re-initiating a VM
envset := `[Unit]
Description=Environment setter from QEMU FW_CFG
[Service]
Type=oneshot
RemainAfterExit=yes
Environment=FWCFGRAW=/sys/firmware/qemu_fw_cfg/by_name/opt/com.coreos/environment/raw
Environment=SYSTEMD_CONF=/etc/systemd/system.conf.d/default-env.conf
Environment=ENVD_CONF=/etc/environment.d/default-env.conf
Environment=PROFILE_CONF=/etc/profile.d/default-env.sh
ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} &&\
echo "[Manager]\n#Got from QEMU FW_CFG\nDefaultEnvironment=$(/usr/bin/base64 -d ${FWCFGRAW} | sed -e "s+|+ +g")\n" > ${SYSTEMD_CONF} ||\
echo "[Manager]\n#Got nothing from QEMU FW_CFG\n#DefaultEnvironment=\n" > ${SYSTEMD_CONF}'
ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} && (\
echo "#Got from QEMU FW_CFG"> ${ENVD_CONF};\
IFS="|";\
for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\
echo "$iprxy" >> ${ENVD_CONF}; done ) || \
echo "#Got nothing from QEMU FW_CFG"> ${ENVD_CONF}'
ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} && (\
echo "#Got from QEMU FW_CFG"> ${PROFILE_CONF};\
IFS="|";\
for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\
echo "export $iprxy" >> ${PROFILE_CONF}; done ) || \
echo "#Got nothing from QEMU FW_CFG"> ${PROFILE_CONF}'
ExecStartPost=/usr/bin/systemctl daemon-reload
[Install]
WantedBy=sysinit.target
`
_ = ready
ignSystemd := Systemd{
Units: []Unit{
Expand Down Expand Up @@ -173,6 +208,11 @@ WantedBy=default.target
Name: "remove-moby.service",
Contents: &deMoby,
},
{
Enabled: boolToPtr(true),
Name: "envset-fwcfg.service",
Contents: &envset,
},
}}
ignConfig := Config{
Ignition: ignVersion,
Expand Down Expand Up @@ -226,6 +266,25 @@ func getDirs(usrName string) []Directory {
DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)},
})

// The directory is used by envset-fwcfg.service
// for propagating environment variables that got
// from a host
dirs = append(dirs, Directory{
Node: Node{
Group: getNodeGrp("root"),
Path: "/etc/systemd/system.conf.d",
User: getNodeUsr("root"),
},
DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)},
}, Directory{
Node: Node{
Group: getNodeGrp("root"),
Path: "/etc/environment.d",
User: getNodeUsr("root"),
},
DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)},
})

return dirs
}

Expand Down Expand Up @@ -363,24 +422,6 @@ Delegate=memory pids cpu io
},
})

setProxyOpts := getProxyVariables()
if setProxyOpts != "" {
files = append(files, File{
Node: Node{
Group: getNodeGrp("root"),
Path: "/etc/profile.d/proxy-opts.sh",
User: getNodeUsr("root"),
},
FileEmbedded1: FileEmbedded1{
Append: nil,
Contents: Resource{
Source: encodeDataURLPtr(setProxyOpts),
},
Mode: intToPtr(0644),
},
})
}

setDockerHost := `export DOCKER_HOST="unix://$(podman info -f "{{.Host.RemoteSocket.Path}}")"
`

Expand Down Expand Up @@ -506,11 +547,11 @@ func prepareCertFile(path string, name string) (File, error) {
return file, nil
}

func getProxyVariables() string {
proxyOpts := ""
func GetProxyVariables() map[string]string {
proxyOpts := make(map[string]string)
for _, variable := range config.ProxyEnv {
if value, ok := os.LookupEnv(variable); ok {
proxyOpts += fmt.Sprintf("\n export %s=%s", variable, value)
proxyOpts[variable] = value
}
}
return proxyOpts
Expand Down
16 changes: 16 additions & 0 deletions pkg/machine/qemu/machine.go
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
//go:build (amd64 && !windows) || (arm64 && !windows)
// +build amd64,!windows arm64,!windows

package qemu

import (
"bufio"
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
Expand Down Expand Up @@ -123,6 +125,20 @@ func (p *Provider) LoadVMByName(name string) (machine.VM, error) {
return nil, err
}
err = json.Unmarshal(b, vm)

// It is here for providing the ability to propagate
// proxy settings (e.g. HTTP_PROXY and others) on a start
// and avoid a need of re-creating/re-initiating a VM
if proxyOpts := machine.GetProxyVariables(); len(proxyOpts) > 0 {
proxyStr := "name=opt/com.coreos/environment,string="
var proxies string
for k, v := range proxyOpts {
proxies = fmt.Sprintf("%s%s=\"%s\"|", proxies, k, v)
}
proxyStr = fmt.Sprintf("%s%s", proxyStr, base64.StdEncoding.EncodeToString([]byte(proxies)))
vm.CmdLine = append(vm.CmdLine, "-fw_cfg", proxyStr)
}

logrus.Debug(vm.CmdLine)
return vm, err
}
Expand Down

0 comments on commit a8928a3

Please sign in to comment.