diff options
Diffstat (limited to 'src')
| -rwxr-xr-x | src/completion/list_container_sysctl_parameters.sh | 20 | ||||
| -rwxr-xr-x | src/conf_mode/container.py | 55 | ||||
| -rwxr-xr-x | src/conf_mode/firewall.py | 1 | ||||
| -rwxr-xr-x | src/conf_mode/pki.py | 4 | ||||
| -rwxr-xr-x | src/op_mode/ikev2_profile_generator.py | 36 |
5 files changed, 87 insertions, 29 deletions
diff --git a/src/completion/list_container_sysctl_parameters.sh b/src/completion/list_container_sysctl_parameters.sh new file mode 100755 index 000000000..cf8d006e5 --- /dev/null +++ b/src/completion/list_container_sysctl_parameters.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +declare -a vals +eval "vals=($(/sbin/sysctl -N -a|grep -E '^(fs.mqueue|net)\.|^(kernel.msgmax|kernel.msgmnb|kernel.msgmni|kernel.sem|kernel.shmall|kernel.shmmax|kernel.shmmni|kernel.shm_rmid_forced)$'))" +echo ${vals[@]} +exit 0 diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 3efeb9b40..a969626a9 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -43,6 +43,7 @@ from vyos.template import render from vyos.xml_ref import default_value from vyos import ConfigError from vyos import airbag + airbag.enable() config_containers = '/etc/containers/containers.conf' @@ -50,16 +51,19 @@ config_registry = '/etc/containers/registries.conf' config_storage = '/etc/containers/storage.conf' systemd_unit_path = '/run/systemd/system' + def _cmd(command): if os.path.exists('/tmp/vyos.container.debug'): print(command) return cmd(command) + def network_exists(name): # Check explicit name for network, returns True if network exists c = _cmd(f'podman network ls --quiet --filter name=^{name}$') return bool(c) + # Common functions def get_config(config=None): if config: @@ -86,21 +90,22 @@ def get_config(config=None): # registry is a tagNode with default values - merge the list from # default_values['registry'] into the tagNode variables if 'registry' not in container: - container.update({'registry' : {}}) + container.update({'registry': {}}) default_values = default_value(base + ['registry']) for registry in default_values: - tmp = {registry : {}} + tmp = {registry: {}} container['registry'] = dict_merge(tmp, container['registry']) # Delete container network, delete containers tmp = node_changed(conf, base + ['network']) - if tmp: container.update({'network_remove' : tmp}) + if tmp: container.update({'network_remove': tmp}) tmp = node_changed(conf, base + ['name']) - if tmp: container.update({'container_remove' : tmp}) + if tmp: container.update({'container_remove': tmp}) return container + def verify(container): # bail out early - looks like removal from running config if not container: @@ -125,8 +130,8 @@ def verify(container): # of image upgrade and deletion. image = container_config['image'] if run(f'podman image exists {image}') != 0: - Warning(f'Image "{image}" used in container "{name}" does not exist '\ - f'locally. Please use "add container image {image}" to add it '\ + Warning(f'Image "{image}" used in container "{name}" does not exist ' \ + f'locally. Please use "add container image {image}" to add it ' \ f'to the system! Container "{name}" will not be started!') if 'cpu_quota' in container_config: @@ -167,11 +172,11 @@ def verify(container): # We can not use the first IP address of a network prefix as this is used by podman if ip_address(address) == ip_network(network)[1]: - raise ConfigError(f'IP address "{address}" can not be used for a container, '\ + raise ConfigError(f'IP address "{address}" can not be used for a container, ' \ 'reserved for the container engine!') if cnt_ipv4 > 1 or cnt_ipv6 > 1: - raise ConfigError(f'Only one IP address per address family can be used for '\ + raise ConfigError(f'Only one IP address per address family can be used for ' \ f'container "{name}". {cnt_ipv4} IPv4 and {cnt_ipv6} IPv6 address(es)!') if 'device' in container_config: @@ -186,6 +191,13 @@ def verify(container): if not os.path.exists(source): raise ConfigError(f'Device "{dev}" source path "{source}" does not exist!') + if 'sysctl' in container_config and 'parameter' in container_config['sysctl']: + for var, cfg in container_config['sysctl']['parameter'].items(): + if 'value' not in cfg: + raise ConfigError(f'sysctl parameter {var} has no value assigned!') + if var.startswith('net.') and 'allow_host_networks' in container_config: + raise ConfigError(f'sysctl parameter {var} cannot be set when using host networking!') + if 'environment' in container_config: for var, cfg in container_config['environment'].items(): if 'value' not in cfg: @@ -219,7 +231,8 @@ def verify(container): # Can not set both allow-host-networks and network at the same time if {'allow_host_networks', 'network'} <= set(container_config): - raise ConfigError(f'"allow-host-networks" and "network" for "{name}" cannot be both configured at the same time!') + raise ConfigError( + f'"allow-host-networks" and "network" for "{name}" cannot be both configured at the same time!') # gid cannot be set without uid if 'gid' in container_config and 'uid' not in container_config: @@ -235,8 +248,10 @@ def verify(container): raise ConfigError(f'prefix for network "{network}" must be defined!') for prefix in network_config['prefix']: - if is_ipv4(prefix): v4_prefix += 1 - elif is_ipv6(prefix): v6_prefix += 1 + if is_ipv4(prefix): + v4_prefix += 1 + elif is_ipv6(prefix): + v6_prefix += 1 if v4_prefix > 1: raise ConfigError(f'Only one IPv4 prefix can be defined for network "{network}"!') @@ -262,6 +277,7 @@ def verify(container): return None + def generate_run_arguments(name, container_config): image = container_config['image'] cpu_quota = container_config['cpu_quota'] @@ -269,6 +285,12 @@ def generate_run_arguments(name, container_config): shared_memory = container_config['shared_memory'] restart = container_config['restart'] + # Add sysctl options + sysctl_opt = '' + if 'sysctl' in container_config and 'parameter' in container_config['sysctl']: + for k, v in container_config['sysctl']['parameter'].items(): + sysctl_opt += f" --sysctl {k}={v['value']}" + # Add capability options. Should be in uppercase capabilities = '' if 'capability' in container_config: @@ -341,7 +363,7 @@ def generate_run_arguments(name, container_config): if 'allow_host_pid' in container_config: host_pid = '--pid host' - container_base_cmd = f'--detach --interactive --tty --replace {capabilities} --cpus {cpu_quota} ' \ + container_base_cmd = f'--detach --interactive --tty --replace {capabilities} --cpus {cpu_quota} {sysctl_opt} ' \ f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \ f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label} {uid} {host_pid}' @@ -375,6 +397,7 @@ def generate_run_arguments(name, container_config): return f'{container_base_cmd} --no-healthcheck --net {networks} {ip_param} {entrypoint} {image} {command} {command_arguments}'.strip() + def generate(container): # bail out early - looks like removal from running config if not container: @@ -387,7 +410,7 @@ def generate(container): for network, network_config in container['network'].items(): tmp = { 'name': network, - 'id' : sha256(f'{network}'.encode()).hexdigest(), + 'id': sha256(f'{network}'.encode()).hexdigest(), 'driver': 'bridge', 'network_interface': f'pod-{network}', 'subnets': [], @@ -399,7 +422,7 @@ def generate(container): } } for prefix in network_config['prefix']: - net = {'subnet' : prefix, 'gateway' : inc_ip(prefix, 1)} + net = {'subnet': prefix, 'gateway': inc_ip(prefix, 1)} tmp['subnets'].append(net) if is_ipv6(prefix): @@ -418,11 +441,12 @@ def generate(container): file_path = os.path.join(systemd_unit_path, f'vyos-container-{name}.service') run_args = generate_run_arguments(name, container_config) - render(file_path, 'container/systemd-unit.j2', {'name': name, 'run_args': run_args,}, + render(file_path, 'container/systemd-unit.j2', {'name': name, 'run_args': run_args, }, formater=lambda _: _.replace(""", '"').replace("'", "'")) return None + def apply(container): # Delete old containers if needed. We can't delete running container # Option "--force" allows to delete containers with any status @@ -485,6 +509,7 @@ def apply(container): return None + if __name__ == '__main__': try: c = get_config() diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 4c289b921..ec6b86ef2 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -17,7 +17,6 @@ import os import re -from glob import glob from sys import exit from vyos.base import Warning diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py index 8deec0e85..f37cac524 100755 --- a/src/conf_mode/pki.py +++ b/src/conf_mode/pki.py @@ -67,6 +67,10 @@ sync_search = [ 'path': ['interfaces', 'sstpc'], }, { + 'keys': ['certificate', 'ca_certificate'], + 'path': ['load_balancing', 'reverse_proxy'], + }, + { 'keys': ['key'], 'path': ['protocols', 'rpki', 'cache'], }, diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py index 4ac4fb14a..169a15840 100755 --- a/src/op_mode/ikev2_profile_generator.py +++ b/src/op_mode/ikev2_profile_generator.py @@ -21,6 +21,10 @@ from socket import getfqdn from cryptography.x509.oid import NameOID from vyos.configquery import ConfigTreeQuery +from vyos.pki import CERT_BEGIN +from vyos.pki import CERT_END +from vyos.pki import find_chain +from vyos.pki import encode_certificate from vyos.pki import load_certificate from vyos.template import render_to_string from vyos.utils.io import ask_input @@ -146,27 +150,33 @@ data['rfqdn'] = '.'.join(tmp) pki = conf.get_config_dict(pki_base, get_first_key=True) cert_name = data['authentication']['x509']['certificate'] -data['certs'] = [] +cert_data = load_certificate(pki['certificate'][cert_name]['certificate']) +data['cert_common_name'] = cert_data.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value +data['ca_common_name'] = cert_data.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value +data['ca_certificates'] = [] -for ca_name in data['authentication']['x509']['ca_certificate']: - tmp = {} - ca_cert = load_certificate(pki['ca'][ca_name]['certificate']) - cert = load_certificate(pki['certificate'][cert_name]['certificate']) - - - tmp['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value - tmp['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value - tmp['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate']) - - data['certs'].append(tmp) +loaded_ca_certs = {load_certificate(c['certificate']) + for c in pki['ca'].values()} if 'ca' in pki else {} +for ca_name in data['authentication']['x509']['ca_certificate']: + loaded_ca_cert = load_certificate(pki['ca'][ca_name]['certificate']) + ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) + for ca in ca_full_chain: + tmp = { + 'ca_name' : ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value, + 'ca_chain' : encode_certificate(ca).replace(CERT_BEGIN, '').replace(CERT_END, '').replace('\n', ''), + } + data['ca_certificates'].append(tmp) + +# Remove duplicate list entries for CA certificates, as they are added by their common name +# https://stackoverflow.com/a/9427216 +data['ca_certificates'] = [dict(t) for t in {tuple(d.items()) for d in data['ca_certificates']}] esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'], key_mangling=('-', '_'), get_first_key=True) ike_proposal = conf.get_config_dict(ipsec_base + ['ike-group', data['ike_group'], 'proposal'], key_mangling=('-', '_'), get_first_key=True) - # This script works only for Apple iOS/iPadOS and Windows. Both operating systems # have different limitations thus we load the limitations based on the operating # system used. |