[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[taler-deployment] branch master updated: new netjail

From: gnunet
Subject: [taler-deployment] branch master updated: new netjail
Date: Mon, 17 Feb 2020 14:08:13 +0100

This is an automated email from the git hooks/post-receive script.

dold pushed a commit to branch master
in repository deployment.

The following commit(s) were added to refs/heads/master by this push:
     new 114060f  new netjail
114060f is described below

commit 114060fb686285de9dc9b39acbd739ea9c9d7e15
Author: Florian Dold <address@hidden>
AuthorDate: Mon Feb 17 14:08:07 2020 +0100

    new netjail
 netjail/ | 47 +++++++++++++++++++++++++++++++++++++++++++++
 netjail/          | 38 +++++++++++++++---------------------
 2 files changed, 63 insertions(+), 22 deletions(-)

diff --git a/netjail/ b/netjail/
new file mode 100755
index 0000000..4ea2a3e
--- /dev/null
+++ b/netjail/
@@ -0,0 +1,47 @@
+# This file is in the public domain.
+# Shell script for to setup one instance of a network namespace.
+# Used by buildslaves to avoid port conflicts.
+# First argument ($1) must be a unique number (unique amongst
+# all users of the script) between 2 and 254 to be used in
+# the IP address for routing the traffic of the network
+# namespace to the Internet.
+# The remaining arguments are the command (and arguments to the
+# command) to be run in the network namespace (i.e. 'make check').
+# This script is executed by root and should *not* be in sudoers
+set -eu
+set -x
+shift 1
+# Go to the root namespace to delete our network NS,
+# as we can't do it from inside when we use 'ip netns' to enter it.
+nsenter -m -t 1 -- ip netns del $NAME
+# Configure our network inside the namespace
+ip link set dev lo up
+ip link set dev "tap-$N" up
+dhclient --no-pid "tap-$N"
+# Finally, run whatever the user's command was
+ME=${SUDO_USER:?must run in sudo}
+# Execute target program as the original user.
+# We should already be in a PID namespace, but we still need to mount proc.
+unshare --mount-proc -- sudo -u "$ME" -- "$@"
+# Release the lease
+dhclient --no-pid -r || false
+# Exit with the target program's exit status
+exit $ret
diff --git a/netjail/ b/netjail/
index df4df1a..17dd095 100755
--- a/netjail/
+++ b/netjail/
@@ -15,6 +15,7 @@
 set -eu
+set -x
 # Be extra safe, even though sudo should already do this.
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -22,30 +23,23 @@ export 
 # See
-# Make $N the first argument.
-shift 1
+# Generate random ID for namespace
+NSUID=$(od -x /dev/urandom | head -1 | awk '{OFS="-"; print $2$3}')
-# Delete previous bridge and netns
-brctl delif "$BRIDGE" "br-tap$N" 2>/dev/null || true
-ip netns del "$NAME" 2>/dev/null || true
 # Create network namespace
-ip netns add "$NAME"
-# Ensure loopback is up
-ip netns exec "$NAME" ip link set lo up
+ip netns add "$NSNAME"
 # Setup link to our bridge
-ip link add "tap$N" type veth peer name br-tap$N
-brctl addif "$BRIDGE" "br-tap$N"
-ip link set "tap$N" netns "$NAME"
-ip netns exec "$NAME" ip link set dev "tap$N" up
-ip link set dev "br-tap$N" up
-ip netns exec "$NAME" ip addr add "10.42.42.$N/24" dev "tap$N"
-ip netns exec "$NAME" ip route add default via
-# Finally, run whatever the user's command was
-ME=${SUDO_USER:?must run in sudo}
-exec unshare -pf --mount-proc -- ip netns exec "$NAME" sudo -u "$ME" -- "$@"
+ip link add "$TAP" type veth peer name "$BRTAP"
+brctl addif "$BRIDGE" "$BRTAP"
+ip link set "$TAP" netns "$NSNAME"
+ip link set dev "$BRTAP" up
+# Execute netjail-privdrop in a process namespace, but do not mount proc yet,
+# so that we can still "nsenter" the root NS to drop the 
+exec unshare -fp --kill-child -- ip netns exec "$NSNAME" 
"$NSUID" "$@"

To stop receiving notification emails like this one, please contact

reply via email to

[Prev in Thread] Current Thread [Next in Thread]