summaryrefslogtreecommitdiff
path: root/repo/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch
diff options
context:
space:
mode:
Diffstat (limited to 'repo/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch')
-rw-r--r--repo/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch101
1 files changed, 101 insertions, 0 deletions
diff --git a/repo/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch b/repo/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch
new file mode 100644
index 0000000..6f7ed69
--- /dev/null
+++ b/repo/openrc/0006-Add-support-for-starting-services-in-a-specified-VRF.patch
@@ -0,0 +1,101 @@
+From c250503412b061e69a99cfe12514e47fc06b5885 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Fri, 14 Feb 2020 16:02:43 +0000
+Subject: [PATCH] Add support for starting services in a specified VRF.
+
+The venerable iproute2 utility has recently introduced support
+for executing programs in specific VRFs which are virtualized
+routing tables. These are typically used to isolate different
+networking planes from each other, for security or flexibility
+reasons.
+
+Services which use the normal supervisor/start-stop-daemon
+pattern can be configured by setting the vrf variable in the
+/etc/conf.d tree for the service.
+
+This allows for things like configuring the sshd service to
+run in a management VRF, which is useful for high assurance
+environments where the management plane is intended to be
+isolated.
+
+Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
+---
+ sh/openrc-run.sh.in | 6 ++++++
+ sh/runit.sh | 2 +-
+ sh/s6.sh | 2 +-
+ sh/start-stop-daemon.sh | 2 +-
+ sh/supervise-daemon.sh | 2 +-
+ 5 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/sh/openrc-run.sh.in b/sh/openrc-run.sh.in
+index 5c84af45..a1f374b0 100644
+--- a/sh/openrc-run.sh.in
++++ b/sh/openrc-run.sh.in
+@@ -236,6 +236,12 @@ if ! sourcex -e "$_conf_d/$RC_SVCNAME.$RC_RUNLEVEL"; then
+ fi
+ unset _conf_d
+
++# If we are configured to run in a VRF, provide a hint for that
++RC_VRF_EXEC=""
++if [ -n "$vrf" ]; then
++ RC_VRF_EXEC="/sbin/ip vrf exec $vrf"
++fi
++
+ # load service supervisor functions
+ sourcex "@LIBEXECDIR@/sh/runit.sh"
+ sourcex "@LIBEXECDIR@/sh/s6.sh"
+diff --git a/sh/runit.sh b/sh/runit.sh
+index 5d82c9f6..c0186a43 100644
+--- a/sh/runit.sh
++++ b/sh/runit.sh
+@@ -23,7 +23,7 @@ runit_start()
+ local i=0 retval=1
+ # it can take upto 5 seconds for runsv to start
+ while [ $i -lt 6 ] ; do
+- if sv start "${service_link}" > /dev/null 2>&1; then
++ if ${RC_VRF_EXEC} sv start "${service_link}" > /dev/null 2>&1; then
+ retval=0
+ break
+ fi
+diff --git a/sh/s6.sh b/sh/s6.sh
+index acbe965b..1f339703 100644
+--- a/sh/s6.sh
++++ b/sh/s6.sh
+@@ -37,7 +37,7 @@ s6_start()
+ ln -sf "${s6_service_path}" "${s6_service_link}"
+ s6-svscanctl -na "${RC_SVCDIR}"/s6-scan
+ sleep 1.5
+- s6-svc -u "${s6_service_link}"
++ ${RC_VRF_EXEC} s6-svc -u "${s6_service_link}"
+ if [ -n "$s6_svwait_options_start" ]; then
+ s6-svwait ${s6_svwait_options_start} "${s6_service_link}"
+ fi
+diff --git a/sh/start-stop-daemon.sh b/sh/start-stop-daemon.sh
+index 2e549ae1..5e7a1b88 100644
+--- a/sh/start-stop-daemon.sh
++++ b/sh/start-stop-daemon.sh
+@@ -45,7 +45,7 @@ ssd_start()
+ #the eval call is necessary for cases like:
+ # command_args="this \"is a\" test"
+ # to work properly.
+- eval start-stop-daemon --start \
++ eval ${RC_VRF_EXEC} start-stop-daemon --start \
+ --exec $command \
+ ${chroot:+--chroot} $chroot \
+ ${directory:+--chdir} $directory \
+diff --git a/sh/supervise-daemon.sh b/sh/supervise-daemon.sh
+index e403a789..259b8166 100644
+--- a/sh/supervise-daemon.sh
++++ b/sh/supervise-daemon.sh
+@@ -24,7 +24,7 @@ supervise_start()
+ # The eval call is necessary for cases like:
+ # command_args="this \"is a\" test"
+ # to work properly.
+- eval supervise-daemon "${RC_SVCNAME}" --start \
++ eval ${RC_VRF_EXEC} supervise-daemon "${RC_SVCNAME}" --start \
+ ${retry:+--retry} $retry \
+ ${directory:+--chdir} $directory \
+ ${chroot:+--chroot} $chroot \
+--
+2.33.1
+