From e36ff1470c82779e7df08fe01f79ebd1c029534c Mon Sep 17 00:00:00 2001
From: Packet Please
Date: Tue, 31 Dec 2024 03:54:01 +0100
Subject: [PATCH] WIP podman
---
 locations/pktpls.yml | 123 +++++++++++++++++-
 .../templates/common/config/network.j2 | 14 +-
 .../templates/corerouter/config/dhcp.j2 | 2 +-
 .../templates/corerouter/config/firewall.j2 | 1 +
 .../containers/networks/podman.json.j2 | 23 ++++
 .../templates/libraries/network.j2 | 5 +-
 6 files changed, 159 insertions(+), 9 deletions(-)
 create mode 100644 roles/cfg_openwrt/templates/corerouter/containers/networks/podman.json.j2
diff --git a/locations/pktpls.yml b/locations/pktpls.yml
index 6377f1e44..a195686fd 100644
--- a/locations/pktpls.yml
+++ b/locations/pktpls.yml
@@ -1,5 +1,10 @@
 ---
+# TODO
+# - move some init.d things to a library script to avoid repetition
+# - use a bridge preconfigured by openwrt, instead of podman0
+# - secrets management
+
 location: pktpls
 location_nice: Test von @pktpls
 contact_nickname: Packet Please
@@ -12,6 +17,111 @@ hosts:
 role: corerouter
 model: "x86-64"
 openwrt_version: snapshot
+ imagebuilder_config:
+ CONFIG_TARGET_ROOTFS_PARTSIZE: 256
+ host__packages__to_merge:
+ - podman conmon crun catatonit netavark external-protocol
+ host__rclocal__to_merge:
+ - "sed -i 's|#firewall_driver|firewall_driver|g' /etc/containers/containers.conf"
+ host__files__to_merge:
+ - path: /etc/init.d/pktpls-buildworker
+ mode: '0755'
+ content: |
+ #!/bin/sh /etc/rc.common
+ USE_PROCD=1
+ START=99
+ STOP=1
+ name="pktpls-buildworker"
+ password="trustno1"
+ ip6="2001:bf7:750:5503::2"
+ ip4="10.31.174.146"
+ dns="10.31.174.145"
+ start_service() {
+ logger -t $name "testing connectivity to docker.com"
+ cnt=0
+ while ! ping -q -c 1 -W 1 docker.com >/dev/null 2>/dev/null ; do
+ cnt=$((cnt+1))
+ if [ $cnt = 30 ] ; then
+ logger -t $name "no connectivity to docker.com"
+ exit 1
+ fi
+ sleep 1
+ done
+ podman build -t buildworker /usr/share/buildworker
+ procd_open_instance
+ procd_set_param command /usr/bin/podman run --rm -i \
+ --net bridge:ip6=$ip6,ip=$ip4 --dns $dns --no-hosts \
+ -e BUILDWORKER_NAME=$name \
+ -e BUILDWORKER_PASSWORD=$password \
+ -e BUILDWORKER_MASTER=buildbot.berlin.freifunk.net \
+ -e BUILDWORKER_ADMIN=pktpls@systemli.org \
+ -e BUILDWORKER_DESCRIPTION="Container testing" \
+ --name $name buildworker
+ procd_set_param respawn 60 10 0 # respawn indefinitely, wait 10s before retry
+ procd_set_param stdout 1
+ procd_set_param stderr 1
+ procd_close_instance
+ }
+ stop_service() {
+ podman kill $name
+ }
+ containerbuild__files__to_merge:
+ - path: /usr/share/buildworker/Dockerfile
+ content: |
+ FROM docker.io/library/debian:11
+ MAINTAINER pktpls@systemli.org
+ ARG DEBIAN_FRONTEND=noninteractive
+ ARG BUILDBOT_VERSION=2.10.1
+ USER root
+ RUN apt-get update && apt-get install -y build-essential ccache curl file gawk g++-multilib gcc-multilib genisoimage git-core gosu libdw-dev libelf-dev libncurses5-dev locales pv pwgen python3 python3-venv python3-pip python3-pyelftools python3-cryptography qemu-utils rsync signify-openbsd subversion swig unzip wget zstd && apt-get clean && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ RUN python3 -m venv /opt/venv
+ ENV PATH="/opt/venv/bin:$PATH"
+ RUN pip3 install -U pip
+ RUN pip3 install "buildbot-worker==$BUILDBOT_VERSION" pyelftools pyOpenSSL service_identity
+ ENV LANG=en_US.utf8
+ COPY entry.sh /entry.sh
+ COPY start.sh /start.sh
+ RUN groupadd buildbot && useradd --create-home --home-dir /builder --comment "Freifunk Berlin buildbot" --gid buildbot --shell /bin/bash buildbot && chown buildbot:buildbot /builder && chmod 0755 /entry.sh /start.sh
+ VOLUME [ "/builder" ]
+ ENTRYPOINT [ "/entry.sh" ]
+ CMD [ "/start.sh" ]
+ - path: /usr/share/buildworker/entry.sh
+ mode: '0755'
+ content: |
+ #!/usr/bin/env bash
+ chown buildbot:buildbot /builder
+ /usr/sbin/gosu buildbot "$@"
+ - path: /usr/share/buildworker/start.sh
+ mode: '0755'
+ content: |
+ #!/usr/bin/env bash
+ cleanup_buildworker_env_variables() {
+ for var in "${!BUILDWORKER_@}"; do
+ unset "$var"
+ done
+ }
+ [ -n "$BUILDWORKER_NAME" ] || {
+ echo "Please supply a name via --env BUILDWORKER_NAME=XXX" >&2
+ exit 1
+ }
+ [ -n "$BUILDWORKER_PASSWORD" ] || {
+ echo "Please supply a password via --env BUILDWORKER_PASSWORD=XXX" >&2
+ exit 2
+ }
+ rm -f /builder/buildbot.tac
+ /opt/venv/bin/buildbot-worker create-worker \
+ --force \
+ --umask="0o22" \
+ ${BUILDWORKER_TLS:+--connection-string="SSL:$BUILDWORKER_MASTER"} \
+ /builder \
+ "$BUILDWORKER_MASTER" \
+ "$BUILDWORKER_NAME" \
+ "$BUILDWORKER_PASSWORD"
+ echo "$BUILDWORKER_ADMIN" > /builder/info/admin
+ echo "$BUILDWORKER_DESCRIPTION" > /builder/info/host
+ cleanup_buildworker_env_variables
+ rm -f /builder/twistd.pid
+ exec /opt/venv/bin/buildbot-worker start --nodaemon /builder
 # Custom APK feed: snapshot
 # feed: "file:///home/user/w/ff/falter-packages/out/main/x86_64/falter/packages.adb"
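Review bot: The buildbot worker credential is committed in clear text as `password="trustno1"` in the /etc/init.d/pktpls-buildworker content, and the same value is then placed on the `podman run` command line through `-e BUILDWORKER_PASSWORD=$password`, where it is readable in the host's process list for as long as the container runs. The TODO block at the top of this file already lists secrets management; until that lands, the literal should at least be replaced by a lookup of a value kept outside the repository (an Ansible vault variable, name to be chosen) so the location file stays shareable. A smaller point: the readiness loop pings `docker.com`, but the image is pulled from `docker.io/library/debian:11`, so the probe can succeed while the registry is unreachable and the build still fails; probing the registry host is more faithful. The Dockerfile also uses the deprecated `MAINTAINER` instruction, whose current form is `LABEL maintainer="pktpls@systemli.org"`.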
@@ -27,7 +137,7 @@ location__packages__to_merge:
 # 10.31.174.128/26 - pktpls+bbb@systemli.org
 # - 10.31.174.128/29 - mgmt
 # - 10.31.174.136/29 - mesh
-# - 10.31.174.144/28 - prdhcp
+# - 10.31.174.144/28 - podman
 # - 10.31.174.160/27 - dhcp
 ipv6_prefix: 2001:bf7:750:5500::/56
@@ -58,10 +168,19 @@ networks:
 assignments:
 pktpls-core: 1
+ # The podman role is a temporary hack, just to get things working.
+ # It should be just a normal bbb-configs bridge that Podman reuses.
+ - role: podman
+ ifname: podman0
+ prefix: 10.31.174.144/28
+ ipv6_subprefix: 3
+ assignments:
+ pktpls-buildworker: 2
+
+
 # DHCP is available on both eth0.50 and eth1 in the MV
 # - vid: 50
 # role: uplink
 # untagged: false
-
 - vid: 50
 ifname: eth1
 role: uplink
diff --git a/roles/cfg_openwrt/templates/common/config/network.j2 b/roles/cfg_openwrt/templates/common/config/network.j2
index 1d229303b..8cfb08298 100644
--- a/roles/cfg_openwrt/templates/common/config/network.j2
+++ b/roles/cfg_openwrt/templates/common/config/network.j2
@@ -77,11 +77,11 @@ config interface '{{ name }}'
 {% else %}
 option proto 'none'
 {% endif %}
- {% endif %}
- {% if role == 'corerouter' and ipv6_prefix is defined %}
- {% if 'ipv6_subprefix' in network %}
- {% set subprefix = ipv6_prefix | ansible.utils.ipsubnet('64', network['ipv6_subprefix']) %}
+ {% if role == 'corerouter' and ipv6_prefix is defined %}
+ {% if 'ipv6_subprefix' in network %}
+ {% set subprefix = ipv6_prefix | ansible.utils.ipsubnet('64', network['ipv6_subprefix']) %}
 option ip6addr '{{ subprefix | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}/{{ '128' if network['role'] == 'mesh' else '64' }}'
+ {% endif %}
 {% endif %}
 {% endif %}
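Review bot: The podman network added at `- role: podman` is now described in three places that must be kept in step by hand: `prefix: 10.31.174.144/28` / `ipv6_subprefix: 3` / `pktpls-buildworker: 2` here, the literal `ip4="10.31.174.146"`, `ip6="2001:bf7:750:5503::2"` and `dns="10.31.174.145"` in the init script earlier in this patch, and the subnets in the new podman.json.j2. The hunk's own comment calls the role a temporary hack, so a short comment stating which of the three is authoritative, or deriving the init-script addresses from this `assignments` entry, would keep them from drifting. As far as this patch shows, `pktpls-buildworker` is a container name rather than an entry under `hosts:`; if the assignment only exists to reserve .146 for the container, saying so in the comment would help the next reader.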
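Review bot: Moving the `{% if role == 'corerouter' and ipv6_prefix is defined %}` block inside the `{% if %}` that the removed `{% endif %}` used to close changes when `option ip6addr` is rendered for every corerouter network, not only the new podman one; that enclosing `{% if %}` opens before line 77, outside this hunk, so the condition the ip6addr stanza now depends on is not visible here. Nothing in the hunk ties the move to podman and the commit message (`WIP podman`) does not mention it. A one-line comment above the block stating why the ip6addr stanza must sit inside that condition, or a sentence in the commit message, would make the behavioural change reviewable.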
@@ -95,6 +95,12 @@ config device
 list ports '{{ libnetwork.getPortIfname(network) }}'
 {% endif %}
+ {% if role == 'corerouter' and network['role'] == 'podman' %}
+config interface '{{ name }}'
+ option device '{{ network['ifname'] }}'
+ option proto 'external'
+ {% endif %}
+
 {% endfor %}
 {% for i in mac_override|default({}) %}
 config device '{{ i }}_dev'
diff --git a/roles/cfg_openwrt/templates/corerouter/config/dhcp.j2 b/roles/cfg_openwrt/templates/corerouter/config/dhcp.j2
index 7daab8e4a..a4a078585 100644
--- a/roles/cfg_openwrt/templates/corerouter/config/dhcp.j2
+++ b/roles/cfg_openwrt/templates/corerouter/config/dhcp.j2
@@ -27,7 +27,7 @@ config domain '{{ host | replace('-', '_') }}_olsr'
 {% endfor %}
 {% endfor %}
-{% for network in networks | rejectattr('role', 'in', ['uplink', 'mesh', 'tunnel', 'ext']) %}
+{% for network in networks | rejectattr('role', 'in', ['uplink', 'mesh', 'tunnel', 'ext', 'podman']) %}
 {% set name = network['name'] if 'name' in network else network['role'] %}
 config dhcp 'dhcp_{{ name }}'
diff --git a/roles/cfg_openwrt/templates/corerouter/config/firewall.j2 b/roles/cfg_openwrt/templates/corerouter/config/firewall.j2
index 6b28c69d7..fe703aa29 100644
--- a/roles/cfg_openwrt/templates/corerouter/config/firewall.j2
+++ b/roles/cfg_openwrt/templates/corerouter/config/firewall.j2
@@ -19,6 +19,7 @@ config zone 'zone_freifunk'
 {% endfor %}
 list device 'wg_+'
 list device 'ts_+'
+ list device 'podman+'
 {% for i in l3_networks | selectattr('inbound_filtering') %}
 config zone 'zone_{{ i['name'] }}'
diff --git a/roles/cfg_openwrt/templates/corerouter/containers/networks/podman.json.j2 b/roles/cfg_openwrt/templates/corerouter/containers/networks/podman.json.j2
new file mode 100644
index 000000000..b9cbff313
--- /dev/null
+++ b/roles/cfg_openwrt/templates/corerouter/containers/networks/podman.json.j2
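Review bot: The new `option proto 'external'` stanza only works where the `external-protocol` package is installed, and this patch adds that package solely to the pktpls host's `host__packages__to_merge`; any other corerouter that later defines a `role: podman` network would get an interface with a proto netifd cannot handle. The package belongs with the template that requires it, for example in the corerouter role's package list, guarded by the presence of a podman-role network. Separately, the loop already emits `config interface '{{ name }}'` near its top (visible as the -77 hunk's context); if that earlier section is also rendered for the podman network, the file ends up with two `config interface` sections of the same name and the effective `option proto` depends on how UCI resolves the duplicate, which I cannot confirm from here — skipping podman-role networks in the early path, or giving this stanza a distinct section name, avoids the question.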
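Review bot: `list device 'podman+'` places every interface podman ever creates into zone_freifunk, not just the `podman0` configured in locations/pktpls.yml, so a second container network added later (podman numbers further bridges podman1, podman2, … by default, to be confirmed) would inherit the mesh zone's forwarding policy without any change to firewall.j2. Unlike the `wg_+` and `ts_+` wildcards above it, the podman interface name is already known from the inventory (`ifname: podman0`), so emitting `list device '{{ network['ifname'] }}'` for each podman-role network keeps zone membership explicit and reviewable, in line with how the template below derives zones from `l3_networks`.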
@@ -0,0 +1,23 @@
+{
+ "name": "podman",
+ "id": "4899b42442372b0a1788ff4a94df70be628ca5c228f64eea518e59b797d6d3e1",
+ "driver": "bridge",
+ "network_interface": "podman0",
+ "created": "2024-12-23T00:00:00.000000000Z",
+ "subnets": [
+ {
+ "subnet": "10.31.174.144/28",
+ "gateway": "10.31.174.145"
+ },
+ {
+ "subnet": "2001:bf7:750:5503::/64",
+ "gateway": "2001:bf7:750:5503::1"
+ }
+ ],
+ "ipv6_enabled": true,
+ "internal": false,
+ "dns_enabled": false,
+ "ipam_options": {
+ "driver": "host-local"
+ }
+}
diff --git a/roles/cfg_openwrt/templates/libraries/network.j2 b/roles/cfg_openwrt/templates/libraries/network.j2
index 501bf5433..7d5b41da8 100644
--- a/roles/cfg_openwrt/templates/libraries/network.j2
+++ b/roles/cfg_openwrt/templates/libraries/network.j2
@@ -47,13 +47,14 @@
 {% macro isBridgeNeeded(network) %}
 {{- (getUciIfname(network) in getWirelessNetworks()
 or (role == 'ap' and network.get('mesh_ap') == inventory_hostname)
- or (role == 'corerouter' and network['role'] == 'uplink' and network.get('uplink_mode') != 'direct')) | to_json -}}
+ or (role == 'corerouter' and network['role'] == 'uplink' and network.get('uplink_mode') != 'direct')
+ or (role == 'corerouter' and network['role'] == 'podman')) | to_json -}}
 {% endmacro %}
 {# Do we need to configure a port or is this network only connected local (e.g. Mesh Endpoint on the core router)
 # Warning: returns a bool. Use |from_json filter when calling #}
 {% macro isPortNeeded(network) %}
-{{- (not (role == 'corerouter' and network.get('mesh_ap') == inventory_hostname)) | to_yaml -}}
+{{- (not (role == 'corerouter' and (network.get('mesh_ap') == inventory_hostname or network['role'] == 'podman'))) | to_yaml -}}
 {% endmacro %}
 {# Retrieve the networks which shall be bridged to wifi
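Review bot: podman.json.j2 is a Jinja template that contains no Jinja: `"subnet": "10.31.174.144/28"`, `"gateway": "10.31.174.145"`, `"subnet": "2001:bf7:750:5503::/64"` and `"network_interface": "podman0"` restate the `role: podman` entry in locations/pktpls.yml (its prefix, subprefix 3 of the ::/56 and ifname), so the file cannot be reused by another location and the two copies can silently diverge. Selecting the network once (e.g. `{% set net = networks | selectattr('role', '==', 'podman') | first %}`) and rendering `"subnet": "{{ net['prefix'] }}"` with the gateway from `ansible.utils.ipaddr(1)`, as common/config/network.j2 already does for ip6addr, would make the inventory the single source. The fixed `"id"` (a SHA-256-sized hex string) and `"created"` timestamp look copied from a running host rather than generated; fine for a single router, but a one-line comment in the surrounding task saying the id only has to be unique per host would save the next reader from wondering whether it is significant.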
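Review bot: The predicate `role == 'corerouter' and network['role'] == 'podman'` now appears in `isBridgeNeeded`, in `isPortNeeded`, and in the new stanza in common/config/network.j2; a single macro in this library, e.g. `{% macro isPodman(network) %}{{- (role == 'corerouter' and network['role'] == 'podman') | to_json -}}{% endmacro %}`, would give the three call sites one definition to retire when the TODO about replacing podman0 with an OpenWrt-managed bridge is done. While on the `isPortNeeded` line, note its result is still produced with `to_yaml` although the comment above it tells callers to use `|from_json`; that mismatch predates this patch but is cheap to fix in the line being rewritten.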