mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-05-10 05:24:22 +02:00
100 lines
3.3 KiB
Diff
100 lines
3.3 KiB
Diff
From c250503412b061e69a99cfe12514e47fc06b5885 Mon Sep 17 00:00:00 2001
|
|
From: Ariadne Conill <ariadne@dereferenced.org>
|
|
Date: Fri, 14 Feb 2020 16:02:43 +0000
|
|
Subject: [PATCH] Add support for starting services in a specified VRF.
|
|
|
|
The venerable iproute2 utility has recently introduced support
|
|
for executing programs in specific VRFs which are virtualized
|
|
routing tables. These are typically used to isolate different
|
|
networking planes from each other, for security or flexibility
|
|
reasons.
|
|
|
|
Services which use the normal supervisor/start-stop-daemon
|
|
pattern can be configured by setting the vrf variable in the
|
|
/etc/conf.d tree for the service.
|
|
|
|
This allows for things like configuring the sshd service to
|
|
run in a management VRF, which is useful for high assurance
|
|
environments where the management plane is intended to be
|
|
isolated.
|
|
|
|
Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
|
|
---
|
|
sh/openrc-run.sh.in | 6 ++++++
|
|
sh/runit.sh | 2 +-
|
|
sh/s6.sh | 2 +-
|
|
sh/start-stop-daemon.sh | 2 +-
|
|
sh/supervise-daemon.sh | 2 +-
|
|
5 files changed, 10 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/sh/openrc-run.sh.in b/sh/openrc-run.sh.in
|
|
index 5c84af45..a1f374b0 100644
|
|
--- a/sh/openrc-run.sh.in
|
|
+++ b/sh/openrc-run.sh.in
|
|
@@ -236,6 +236,12 @@ if ! sourcex -e "$_conf_d/$RC_SVCNAME.$RC_RUNLEVEL"; then
|
|
fi
|
|
unset _conf_d
|
|
|
|
+# If we are configured to run in a VRF, provide a hint for that
|
|
+RC_VRF_EXEC=""
|
|
+if [ -n "$vrf" ]; then
|
|
+ RC_VRF_EXEC="/sbin/ip vrf exec $vrf"
|
|
+fi
|
|
+
|
|
# load service supervisor functions
|
|
sourcex "@LIBEXECDIR@/sh/runit.sh"
|
|
sourcex "@LIBEXECDIR@/sh/s6.sh"
|
|
diff --git a/sh/runit.sh b/sh/runit.sh
|
|
index 5d82c9f6..c0186a43 100644
|
|
--- a/sh/runit.sh
|
|
+++ b/sh/runit.sh
|
|
@@ -23,7 +23,7 @@ runit_start()
|
|
local i=0 retval=1
|
|
# it can take upto 5 seconds for runsv to start
|
|
while [ $i -lt 6 ] ; do
|
|
- if sv start "${service_link}" > /dev/null 2>&1; then
|
|
+ if ${RC_VRF_EXEC} sv start "${service_link}" > /dev/null 2>&1; then
|
|
retval=0
|
|
break
|
|
fi
|
|
diff --git a/sh/s6.sh b/sh/s6.sh
|
|
index acbe965b..1f339703 100644
|
|
--- a/sh/s6.sh
|
|
+++ b/sh/s6.sh
|
|
@@ -37,7 +37,7 @@ s6_start()
|
|
ln -sf "${s6_service_path}" "${s6_service_link}"
|
|
s6-svscanctl -na "${RC_SVCDIR}"/s6-scan
|
|
sleep 1.5
|
|
- s6-svc -u "${s6_service_link}"
|
|
+ ${RC_VRF_EXEC} s6-svc -u "${s6_service_link}"
|
|
if [ -n "$s6_svwait_options_start" ]; then
|
|
s6-svwait ${s6_svwait_options_start} "${s6_service_link}"
|
|
fi
|
|
diff --git a/sh/start-stop-daemon.sh b/sh/start-stop-daemon.sh
|
|
--- a/sh/start-stop-daemon.sh
|
|
+++ b/sh/start-stop-daemon.sh
|
|
@@ -41,7 +41,7 @@ ssd_start()
|
|
#the eval call is necessary for cases like:
|
|
# command_args="this \"is a\" test"
|
|
# to work properly.
|
|
- eval start-stop-daemon --start \
|
|
+ eval ${RC_VRF_EXEC} start-stop-daemon --start \
|
|
--exec $command \
|
|
${chroot:+--chroot} $chroot \
|
|
${directory:+--chdir} $directory \
|
|
diff --git a/sh/supervise-daemon.sh b/sh/supervise-daemon.sh
|
|
index e403a789..259b8166 100644
|
|
--- a/sh/supervise-daemon.sh
|
|
+++ b/sh/supervise-daemon.sh
|
|
@@ -24,7 +24,7 @@ supervise_start()
|
|
# The eval call is necessary for cases like:
|
|
# command_args="this \"is a\" test"
|
|
# to work properly.
|
|
- eval supervise-daemon "${RC_SVCNAME}" --start \
|
|
+ eval ${RC_VRF_EXEC} supervise-daemon "${RC_SVCNAME}" --start \
|
|
${retry:+--retry} $retry \
|
|
${directory:+--chdir} $directory \
|
|
${chroot:+--chroot} $chroot \
|
|
--
|
|
2.33.1
|
|
|