mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2026-02-04 07:21:40 +01:00
99 lines
3.4 KiB
Diff
99 lines
3.4 KiB
Diff
From e9fa602a76693ff508dd498bcae8b27ce73e8294 Mon Sep 17 00:00:00 2001
|
|
From: Ariadne Conill <ariadne@dereferenced.org>
|
|
Date: Fri, 14 Feb 2020 16:02:43 +0000
|
|
Subject: [PATCH] Add support for starting services in a specified VRF.
|
|
|
|
The venerable iproute2 utility has recently introduced support
|
|
for executing programs in specific VRFs which are virtualized
|
|
routing tables. These are typically used to isolate different
|
|
networking planes from each other, for security or flexibility
|
|
reasons.
|
|
|
|
Services which use the normal supervisor/start-stop-daemon
|
|
pattern can be configured by setting the vrf variable in the
|
|
/etc/conf.d tree for the service.
|
|
|
|
This allows for things like configuring the sshd service to
|
|
run in a management VRF, which is useful for high assurance
|
|
environments where the management plane is intended to be
|
|
isolated.
|
|
|
|
Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
|
|
---
|
|
sh/openrc-run.sh.in | 6 ++++++
|
|
sh/runit.sh | 2 +-
|
|
sh/s6.sh | 2 +-
|
|
sh/start-stop-daemon.sh | 2 +-
|
|
sh/supervise-daemon.sh | 2 +-
|
|
5 files changed, 10 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/sh/openrc-run.sh.in b/sh/openrc-run.sh.in
|
|
index 7e9064c2..0401423e 100644
|
|
--- a/sh/openrc-run.sh.in
|
|
+++ b/sh/openrc-run.sh.in
|
|
@@ -236,6 +236,12 @@ if ! sourcex -e "$_conf_d/$RC_SVCNAME.$RC_RUNLEVEL"; then
|
|
fi
|
|
unset _conf_d
|
|
|
|
+# If we are configured to run in a VRF, provide a hint for that
|
|
+RC_VRF_EXEC=""
|
|
+if [ -n "$vrf" ]; then
|
|
+ RC_VRF_EXEC="/sbin/ip vrf exec $vrf"
|
|
+fi
|
|
+
|
|
# load service supervisor functions
|
|
sourcex "@LIBEXECDIR@/sh/runit.sh"
|
|
sourcex "@LIBEXECDIR@/sh/s6.sh"
|
|
diff --git a/sh/runit.sh b/sh/runit.sh
|
|
index 3cef0f3a..ab729292 100644
|
|
--- a/sh/runit.sh
|
|
+++ b/sh/runit.sh
|
|
@@ -20,7 +20,7 @@ runit_start()
|
|
service_link="${RC_SVCDIR}/sv/${service_path##*/}"
|
|
ebegin "Starting ${name:-$RC_SVCNAME}"
|
|
ln -snf "${service_path}" "${service_link}"
|
|
- sv start "${service_link}" > /dev/null 2>&1
|
|
+ ${RC_VRF_EXEC} sv start "${service_link}" > /dev/null 2>&1
|
|
eend $? "Failed to start ${name:-$RC_SVCNAME}"
|
|
}
|
|
|
|
diff --git a/sh/s6.sh b/sh/s6.sh
|
|
index acbe965b..1f339703 100644
|
|
--- a/sh/s6.sh
|
|
+++ b/sh/s6.sh
|
|
@@ -37,7 +37,7 @@ s6_start()
|
|
ln -sf "${s6_service_path}" "${s6_service_link}"
|
|
s6-svscanctl -na "${RC_SVCDIR}"/s6-scan
|
|
sleep 1.5
|
|
- s6-svc -u "${s6_service_link}"
|
|
+ ${RC_VRF_EXEC} s6-svc -u "${s6_service_link}"
|
|
if [ -n "$s6_svwait_options_start" ]; then
|
|
s6-svwait ${s6_svwait_options_start} "${s6_service_link}"
|
|
fi
|
|
diff --git a/sh/start-stop-daemon.sh b/sh/start-stop-daemon.sh
|
|
index 2e549ae1..5e7a1b88 100644
|
|
--- a/sh/start-stop-daemon.sh
|
|
+++ b/sh/start-stop-daemon.sh
|
|
@@ -45,7 +45,7 @@ ssd_start()
|
|
#the eval call is necessary for cases like:
|
|
# command_args="this \"is a\" test"
|
|
# to work properly.
|
|
- eval start-stop-daemon --start \
|
|
+ eval ${RC_VRF_EXEC} start-stop-daemon --start \
|
|
--exec $command \
|
|
${chroot:+--chroot} $chroot \
|
|
${directory:+--chdir} $directory \
|
|
diff --git a/sh/supervise-daemon.sh b/sh/supervise-daemon.sh
|
|
index e403a789..259b8166 100644
|
|
--- a/sh/supervise-daemon.sh
|
|
+++ b/sh/supervise-daemon.sh
|
|
@@ -24,7 +24,7 @@ supervise_start()
|
|
# The eval call is necessary for cases like:
|
|
# command_args="this \"is a\" test"
|
|
# to work properly.
|
|
- eval supervise-daemon "${RC_SVCNAME}" --start \
|
|
+ eval ${RC_VRF_EXEC} supervise-daemon "${RC_SVCNAME}" --start \
|
|
${retry:+--retry} $retry \
|
|
${directory:+--chdir} $directory \
|
|
${chroot:+--chroot} $chroot \
|