diff options
Diffstat (limited to 'main/openrc/0008-Add-support-for-starting-services-in-a-specified-VRF.patch')
| -rw-r--r-- | main/openrc/0008-Add-support-for-starting-services-in-a-specified-VRF.patch | 101 |
1 files changed, 0 insertions, 101 deletions
diff --git a/main/openrc/0008-Add-support-for-starting-services-in-a-specified-VRF.patch b/main/openrc/0008-Add-support-for-starting-services-in-a-specified-VRF.patch deleted file mode 100644 index 08df91a7014..00000000000 --- a/main/openrc/0008-Add-support-for-starting-services-in-a-specified-VRF.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 31b0a32737339ad1efc5b2a7efd3eca7e421d14f Mon Sep 17 00:00:00 2001 -From: Ariadne Conill <ariadne@dereferenced.org> -Date: Fri, 14 Feb 2020 16:02:43 +0000 -Subject: [PATCH] Add support for starting services in a specified VRF. - -The venerable iproute2 utility has recently introduced support -for executing programs in specific VRFs which are virtualized -routing tables. These are typically used to isolate different -networking planes from each other, for security or flexibility -reasons. - -Services which use the normal supervisor/start-stop-daemon -pattern can be configured by setting the vrf variable in the -/etc/conf.d tree for the service. - -This allows for things like configuring the sshd service to -run in a management VRF, which is useful for high assurance -environments where the management plane is intended to be -isolated. - -Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> ---- - sh/openrc-run.sh.in | 6 ++++++ - sh/runit.sh | 2 +- - sh/s6.sh | 2 +- - sh/start-stop-daemon.sh | 2 +- - sh/supervise-daemon.sh | 2 +- - 5 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/sh/openrc-run.sh.in b/sh/openrc-run.sh.in -index 5c84af45..a1f374b0 100644 ---- a/sh/openrc-run.sh.in -+++ b/sh/openrc-run.sh.in -@@ -236,6 +236,12 @@ if ! sourcex -e "$_conf_d/$RC_SVCNAME.$RC_RUNLEVEL"; then - fi - unset _conf_d - -+# If we are configured to run in a VRF, provide a hint for that -+RC_VRF_EXEC="" -+if [ -n "$vrf" ]; then -+ RC_VRF_EXEC="/sbin/ip vrf exec $vrf" -+fi -+ - # load service supervisor functions - sourcex "@LIBEXECDIR@/sh/runit.sh" - sourcex "@LIBEXECDIR@/sh/s6.sh" -diff --git a/sh/runit.sh b/sh/runit.sh -index 5d82c9f6..c0186a43 100644 ---- a/sh/runit.sh -+++ b/sh/runit.sh -@@ -23,7 +23,7 @@ runit_start() - local i=0 retval=1 - # it can take upto 5 seconds for runsv to start - while [ $i -lt 6 ] ; do -- if sv start "${service_link}" > /dev/null 2>&1; then -+ if ${RC_VRF_EXEC} sv start "${service_link}" > /dev/null 2>&1; then - retval=0 - break - fi -diff --git a/sh/s6.sh b/sh/s6.sh -index acbe965b..1f339703 100644 ---- a/sh/s6.sh -+++ b/sh/s6.sh -@@ -37,7 +37,7 @@ s6_start() - ln -sf "${s6_service_path}" "${s6_service_link}" - s6-svscanctl -na "${RC_SVCDIR}"/s6-scan - sleep 1.5 -- s6-svc -u "${s6_service_link}" -+ ${RC_VRF_EXEC} s6-svc -u "${s6_service_link}" - if [ -n "$s6_svwait_options_start" ]; then - s6-svwait ${s6_svwait_options_start} "${s6_service_link}" - fi -diff --git a/sh/start-stop-daemon.sh b/sh/start-stop-daemon.sh -index 2e549ae1..5e7a1b88 100644 ---- a/sh/start-stop-daemon.sh -+++ b/sh/start-stop-daemon.sh -@@ -45,7 +45,7 @@ ssd_start() - #the eval call is necessary for cases like: - # command_args="this \"is a\" test" - # to work properly. -- eval start-stop-daemon --start \ -+ eval ${RC_VRF_EXEC} start-stop-daemon --start \ - --exec $command \ - ${chroot:+--chroot} $chroot \ - ${directory:+--chdir} $directory \ -diff --git a/sh/supervise-daemon.sh b/sh/supervise-daemon.sh -index e403a789..259b8166 100644 ---- a/sh/supervise-daemon.sh -+++ b/sh/supervise-daemon.sh -@@ -24,7 +24,7 @@ supervise_start() - # The eval call is necessary for cases like: - # command_args="this \"is a\" test" - # to work properly. -- eval supervise-daemon "${RC_SVCNAME}" --start \ -+ eval ${RC_VRF_EXEC} supervise-daemon "${RC_SVCNAME}" --start \ - ${retry:+--retry} $retry \ - ${directory:+--chdir} $directory \ - ${chroot:+--chroot} $chroot \ --- -2.33.0 - |