WIP podman

locations/pktpls.yml

@@ -1,5 +1,10 @@
 ---
 
+# TODO
+# - move some init.d things to a library script to avoid repetition
+# - use a bridge preconfigured by openwrt, instead of podman0
+# - secrets management
+
 location: pktpls
 location_nice: Test von @pktpls
 contact_nickname: Packet Please
@@ -12,6 +17,111 @@ hosts:
     role: corerouter
     model: "x86-64"
     openwrt_version: snapshot
+    imagebuilder_config:
+      CONFIG_TARGET_ROOTFS_PARTSIZE: 256
+    host__packages__to_merge:
+      - podman conmon crun catatonit netavark external-protocol
+    host__rclocal__to_merge:
+      - "sed -i 's|#firewall_driver|firewall_driver|g' /etc/containers/containers.conf"
+    host__files__to_merge:
+      - path: /etc/init.d/pktpls-buildworker
+        mode: '0755'
+        content: |
+          #!/bin/sh /etc/rc.common
+          USE_PROCD=1
+          START=99
+          STOP=1
+          name="pktpls-buildworker"
+          password="trustno1"
+          ip6="2001:bf7:750:5503::2"
+          ip4="10.31.174.146"
+          dns="10.31.174.145"
+          start_service() {
+            logger -t $name "testing connectivity to docker.com"
+            cnt=0
+            while ! ping -q -c 1 -W 1 docker.com >/dev/null 2>/dev/null ; do
+              cnt=$((cnt+1))
+              if [ $cnt = 30 ] ; then
+                logger -t $name "no connectivity to docker.com"
+                exit 1
+              fi
+              sleep 1
+            done
+            podman build -t buildworker /usr/share/buildworker
+            procd_open_instance
+            procd_set_param command /usr/bin/podman run --rm -i \
+              --net bridge:ip6=$ip6,ip=$ip4 --dns $dns --no-hosts \
+              -e BUILDWORKER_NAME=$name \
+              -e BUILDWORKER_PASSWORD=$password \
+              -e BUILDWORKER_MASTER=buildbot.berlin.freifunk.net \
+              -e [email protected] \
+              -e BUILDWORKER_DESCRIPTION="Container testing" \
+              --name $name buildworker
+            procd_set_param respawn 60 10 0  # respawn indefinitely, wait 10s before retry
+            procd_set_param stdout 1
+            procd_set_param stderr 1
+            procd_close_instance
+          }
+          stop_service() {
+            podman kill $name
+          }
+    containerbuild__files__to_merge:
+      - path: /usr/share/buildworker/Dockerfile
+        content: |
+          FROM        docker.io/library/debian:11
+          MAINTAINER  [email protected]
+          ARG         DEBIAN_FRONTEND=noninteractive
+          ARG         BUILDBOT_VERSION=2.10.1
+          USER root
+          RUN apt-get update && apt-get install -y build-essential ccache curl file gawk g++-multilib gcc-multilib genisoimage git-core gosu libdw-dev libelf-dev libncurses5-dev locales pv pwgen python3 python3-venv python3-pip python3-pyelftools python3-cryptography qemu-utils rsync signify-openbsd subversion swig unzip wget zstd && apt-get clean && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+          RUN python3 -m venv /opt/venv
+          ENV PATH="/opt/venv/bin:$PATH"
+          RUN pip3 install -U pip
+          RUN pip3 install "buildbot-worker==$BUILDBOT_VERSION" pyelftools pyOpenSSL service_identity
+          ENV LANG=en_US.utf8
+          COPY entry.sh /entry.sh
+          COPY start.sh /start.sh
+          RUN groupadd buildbot && useradd --create-home --home-dir /builder --comment "Freifunk Berlin buildbot" --gid buildbot --shell /bin/bash buildbot && chown buildbot:buildbot /builder && chmod 0755 /entry.sh /start.sh
+          VOLUME [ "/builder" ]
+          ENTRYPOINT [ "/entry.sh" ]
+          CMD [ "/start.sh" ]
+      - path: /usr/share/buildworker/entry.sh
+        mode: '0755'
+        content: |
+          #!/usr/bin/env bash
+          chown buildbot:buildbot /builder
+          /usr/sbin/gosu buildbot "$@"
+      - path: /usr/share/buildworker/start.sh
+        mode: '0755'
+        content: |
+          #!/usr/bin/env bash
+          cleanup_buildworker_env_variables() {
+            for var in "${!BUILDWORKER_@}"; do
+              unset "$var"
+            done
+          }
+          [ -n "$BUILDWORKER_NAME" ] || {
+            echo "Please supply a name via --env BUILDWORKER_NAME=XXX" >&2
+            exit 1
+          }
+          [ -n "$BUILDWORKER_PASSWORD" ] || {
+            echo "Please supply a password via --env BUILDWORKER_PASSWORD=XXX" >&2
+            exit 2
+          }
+          rm -f /builder/buildbot.tac
+          /opt/venv/bin/buildbot-worker create-worker \
+            --force \
+            --umask="0o22" \
+            ${BUILDWORKER_TLS:+--connection-string="SSL:$BUILDWORKER_MASTER"} \
+            /builder \
+            "$BUILDWORKER_MASTER" \
+            "$BUILDWORKER_NAME" \
+            "$BUILDWORKER_PASSWORD"
+          echo "$BUILDWORKER_ADMIN" > /builder/info/admin
+          echo "$BUILDWORKER_DESCRIPTION" > /builder/info/host
+          cleanup_buildworker_env_variables
+          rm -f /builder/twistd.pid
+          exec /opt/venv/bin/buildbot-worker start --nodaemon /builder
 
 # Custom APK feed: snapshot
 # feed: "file:///home/user/w/ff/falter-packages/out/main/x86_64/falter/packages.adb"
@@ -27,7 +137,7 @@ location__packages__to_merge:
 # 10.31.174.128/26 - [email protected]
 # - 10.31.174.128/29 - mgmt
 # - 10.31.174.136/29 - mesh
-# - 10.31.174.144/28 - prdhcp
+# - 10.31.174.144/28 - podman
 # - 10.31.174.160/27 - dhcp
 ipv6_prefix: 2001:bf7:750:5500::/56
 
@@ -58,10 +168,19 @@ networks:
     assignments:
       pktpls-core: 1
 
+  # The podman role is a temporary hack, just to get things working.
+  # It should be just a normal bbb-configs bridge that Podman reuses.
+  - role: podman
+    ifname: podman0
+    prefix: 10.31.174.144/28
+    ipv6_subprefix: 3
+    assignments:
+      pktpls-buildworker: 2
+
+  # DHCP is available on both eth0.50 and eth1 in the MV
   # - vid: 50
   #   role: uplink
   #   untagged: false
-
   - vid: 50
     ifname: eth1
     role: uplink

roles/cfg_openwrt/templates/common/config/network.j2

@@ -77,11 +77,11 @@ config interface '{{ name }}'
     {% else %}
 	option proto 'none'
     {% endif %}
-  {% endif %}
-  {% if role == 'corerouter' and ipv6_prefix is defined %}
-    {% if 'ipv6_subprefix' in network %}
-      {% set subprefix = ipv6_prefix | ansible.utils.ipsubnet('64', network['ipv6_subprefix']) %}
+    {% if role == 'corerouter' and ipv6_prefix is defined %}
+      {% if 'ipv6_subprefix' in network %}
+        {% set subprefix = ipv6_prefix | ansible.utils.ipsubnet('64', network['ipv6_subprefix']) %}
 	option ip6addr '{{ subprefix | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}/{{ '128' if network['role'] == 'mesh' else '64' }}'
+      {% endif %}
     {% endif %}
   {% endif %}
 
@@ -95,6 +95,12 @@ config device
 	list ports '{{ libnetwork.getPortIfname(network) }}'
   {% endif %}
 
+  {% if role == 'corerouter' and network['role'] == 'podman' %}
+config interface '{{ name }}'
+  option device '{{ network['ifname'] }}'
+  option proto 'external'
+  {% endif %}
+
 {% endfor %}
 {% for i in mac_override|default({}) %}
 config device '{{ i }}_dev'

roles/cfg_openwrt/templates/corerouter/config/dhcp.j2

@@ -27,7 +27,7 @@ config domain '{{ host | replace('-', '_') }}_olsr'
   {% endfor %}
 {% endfor %}
 
-{% for network in networks | rejectattr('role', 'in', ['uplink', 'mesh', 'tunnel', 'ext']) %}
+{% for network in networks | rejectattr('role', 'in', ['uplink', 'mesh', 'tunnel', 'ext', 'podman']) %}
     {% set name = network['name'] if 'name' in network else network['role'] %}
 
 config dhcp 'dhcp_{{ name }}'

roles/cfg_openwrt/templates/corerouter/config/firewall.j2

@@ -19,6 +19,7 @@ config zone 'zone_freifunk'
 	{% endfor %}
 	list device 'wg_+'
 	list device 'ts_+'
+	list device 'podman+'
 
 {% for i in l3_networks | selectattr('inbound_filtering') %}
 config zone 'zone_{{ i['name'] }}'

roles/cfg_openwrt/templates/corerouter/containers/networks/podman.json.j2

@@ -0,0 +1,23 @@
+{
+     "name": "podman",
+     "id": "4899b42442372b0a1788ff4a94df70be628ca5c228f64eea518e59b797d6d3e1",
+     "driver": "bridge",
+     "network_interface": "podman0",
+     "created": "2024-12-23T00:00:00.000000000Z",
+     "subnets": [
+          {
+               "subnet": "10.31.174.144/28",
+               "gateway": "10.31.174.145"
+          },
+          {
+               "subnet": "2001:bf7:750:5503::/64",
+               "gateway": "2001:bf7:750:5503::1"
+          }
+     ],
+     "ipv6_enabled": true,
+     "internal": false,
+     "dns_enabled": false,
+     "ipam_options": {
+          "driver": "host-local"
+     }
+}

roles/cfg_openwrt/templates/libraries/network.j2

@@ -47,13 +47,14 @@
 {% macro isBridgeNeeded(network) %}
 {{- (getUciIfname(network) in getWirelessNetworks()
      or (role == 'ap' and network.get('mesh_ap') == inventory_hostname)
-     or (role == 'corerouter' and network['role'] == 'uplink' and network.get('uplink_mode') != 'direct')) | to_json -}}
+     or (role == 'corerouter' and network['role'] == 'uplink' and network.get('uplink_mode') != 'direct')
+     or (role == 'corerouter' and network['role'] == 'podman')) | to_json -}}
 {% endmacro %}
 
 {# Do we need to configure a port or is this network only connected local (e.g. Mesh Endpoint on the core router)
  # Warning: returns a bool. Use |from_json filter when calling #}
 {% macro isPortNeeded(network) %}
-{{- (not (role == 'corerouter' and network.get('mesh_ap') == inventory_hostname)) | to_yaml -}}
+{{- (not (role == 'corerouter' and (network.get('mesh_ap') == inventory_hostname or network['role'] == 'podman'))) | to_yaml -}}
 {% endmacro %}
 
 {# Retrieve the networks which shall be bridged to wifi