diff options
Diffstat (limited to 'roles/linux-ns')
19 files changed, 0 insertions, 477 deletions
diff --git a/roles/linux-ns/README.md b/roles/linux-ns/README.md deleted file mode 100644 index cf5808e..0000000 --- a/roles/linux-ns/README.md +++ /dev/null @@ -1,34 +0,0 @@ -Linux (Network) Namespaces -========================== - -(Quick and dirty?) setup of a Linux (network) namespace. - -Requirements ------------- - -Target is Linux. - -Role Variables --------------- - -??? - -Dependencies ------------- - -None - -Example Playbook ----------------- - -None - -License -------- - -Choose your own: MIT / BSD - -Author Information ------------------- - -uvok. diff --git a/roles/linux-ns/defaults/main.yml b/roles/linux-ns/defaults/main.yml deleted file mode 100644 index f7472ec..0000000 --- a/roles/linux-ns/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# defaults file for linux-ns diff --git a/roles/linux-ns/files/iptables/ip6tables.save b/roles/linux-ns/files/iptables/ip6tables.save deleted file mode 100644 index 036e5a5..0000000 --- a/roles/linux-ns/files/iptables/ip6tables.save +++ /dev/null @@ -1,38 +0,0 @@ -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] - --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - --A INPUT -i lo -j ACCEPT --A INPUT -i tinc_dn42 -j ACCEPT - --A INPUT -p icmpv6 -j ACCEPT - -# traceroute --A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable -# DNS --A INPUT -p udp --dport 53 -j ACCEPT --A INPUT -p tcp --dport 53 -j ACCEPT -# BGP --A INPUT -p tcp --dport 179 -j ACCEPT -# LG --A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT --A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT - --A INPUT -j REJECT --reject-with icmp6-port-unreachable - --A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT - --A FORWARD -j REJECT --reject-with icmp6-port-unreachable - -COMMIT - -*mangle --A PREROUTING -i eth0 -j MARK --set-mark 0x4242 -COMMIT - -*nat --A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE -COMMIT diff --git a/roles/linux-ns/files/iptables/iptables.save b/roles/linux-ns/files/iptables/iptables.save deleted file mode 100644 index 4f72cc5..0000000 --- a/roles/linux-ns/files/iptables/iptables.save +++ /dev/null @@ -1,24 +0,0 @@ -*filter -:INPUT DROP [0:0] -:FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] - --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - --A INPUT -i lo -j ACCEPT --A INPUT -i tinc_dn42 -j ACCEPT - --A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT --A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT --A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT --A INPUT -p icmp --icmp-type echo-request -j ACCEPT - -# traceroute --A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp-port-unreachable -# DNS --A INPUT -p udp --dport 53 -j ACCEPT --A INPUT -p tcp --dport 53 -j ACCEPT - --A FORWARD -j REJECT --reject-with icmp-port-unreachable - -COMMIT diff --git a/roles/linux-ns/files/systemd/dn42_bird-lg.service b/roles/linux-ns/files/systemd/dn42_bird-lg.service deleted file mode 100644 index 85c5358..0000000 --- a/roles/linux-ns/files/systemd/dn42_bird-lg.service +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=Run Bird Looking Glass - DN42 edition -Requires=network-online.target -After=network-online.target -After=dn42_namespace.service -Requires=dn42_namespace.service - -[Service] -ExecStart=/bin/bash /home/lgproxy/lgstart.sh -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -User=lgproxy -WorkingDirectory=/home/lgproxy/ -Environment="LG_PORT=6142" -Environment="LG_CONFIG_FILE=/home/lgproxy/lg/lg-dn42.cfg" -NetworkNamespacePath=/run/netns/dn42 -Type=exec -PrivateTmp=true -PrivateDevices=true -PrivateIPC=true - -[Install] -WantedBy=default.target - -#Type=simple diff --git a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service b/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service deleted file mode 100644 index 273ab16..0000000 --- a/roles/linux-ns/files/systemd/dn42_bird-lgproxy.service +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=Run Bird Looking Glass Proxy -Requires=network-online.target dn42_bird.service -After=network-online.target dn42_bird.service -After=dn42_namespace.service -Requires=dn42_namespace.service - -[Service] -ExecStart=/bin/bash /home/lgproxy/start.sh -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -User=lgproxy -WorkingDirectory=/home/lgproxy/ -Environment="LGPROXY_PORT=6042" -Environment="LGPROXY_CONFIG_FILE=/home/lgproxy/lgp/lgproxy-dn42.cfg" -NetworkNamespacePath=/run/netns/dn42 -Type=exec -PrivateTmp=true -PrivateDevices=true -PrivateIPC=true - -[Install] -WantedBy=default.target - -#Type=simple diff --git a/roles/linux-ns/files/systemd/dn42_bird.service b/roles/linux-ns/files/systemd/dn42_bird.service deleted file mode 100644 index cbf80f0..0000000 --- a/roles/linux-ns/files/systemd/dn42_bird.service +++ /dev/null @@ -1,25 +0,0 @@ -[Unit] -Description=BIRD Internet Routing Daemon - DN42 daemon -After=network.target -Wants=dn42_tinc@tn_int.service -After=dn42_tinc@tn_int.service - -[Service] -EnvironmentFile=/etc/bird/envvars -ExecStartPre=/bin/sleep 3 -ExecStartPre=/usr/lib/bird/prepare-environment -ExecStartPre=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -p -ExecStart=/usr/sbin/bird -c /etc/bird/dn42/bird.conf -f -g bird -u bird -s /var/run/bird/bird_dn42.sock -ExecReload=/usr/sbin/birdc -s /var/run/bird/bird_dn42.sock configure -Restart=on-abort - -NetworkNamespacePath=/run/netns/dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -ProtectSystem=strict -# rel: /var/log -# nope, doesn't work, bird must start with root -#LogsDirectory= -ReadWritePaths=/run/bird/ /var/log/bird/dn42/ - -[Install] -WantedBy=multi-user.target diff --git a/roles/linux-ns/files/systemd/dn42_namespace.service b/roles/linux-ns/files/systemd/dn42_namespace.service deleted file mode 100644 index 4034879..0000000 --- a/roles/linux-ns/files/systemd/dn42_namespace.service +++ /dev/null @@ -1,17 +0,0 @@ -# fine-adjustments, routing, etcpp - -[Unit] -Description=DN42 Network namespace -After=network-online.target my-netns@dn42.service -Requires=my-netns@dn42.service -Before=dn42_tinc@tn_int.service -WantedBy=dn42_tinc@tn_int.service - -[Install] -WantedBy=multi-user.target - -[Service] -Type=oneshot -ExecStart=/usr/local/bin/dn42-route-namespace.sh start -ExecStop=/usr/local/bin/dn42-route-namespace.sh stop -RemainAfterExit=yes diff --git a/roles/linux-ns/files/systemd/dn42_nginx.service b/roles/linux-ns/files/systemd/dn42_nginx.service deleted file mode 100644 index 43d8a67..0000000 --- a/roles/linux-ns/files/systemd/dn42_nginx.service +++ /dev/null @@ -1,37 +0,0 @@ -# Stop dance for nginx -# ======================= -# -# ExecStop sends SIGQUIT (graceful stop) to the nginx process. -# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control -# and sends SIGTERM (fast shutdown) to the main process. -# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends -# SIGKILL to all the remaining processes in the process group (KillMode=mixed). -# -# nginx signals reference doc: -# http://nginx.org/en/docs/control.html -# -[Unit] -Description=A high performance web server and a reverse proxy server -Documentation=man:nginx(8) -After=network-online.target remote-fs.target nss-lookup.target -Wants=network-online.target -After=dn42_namespace.service -Requires=dn42_namespace.service - -[Service] -Type=forking -PIDFile=/run/dn42_nginx.pid -ExecStartPre=/usr/sbin/nginx -t -q -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -ExecStart=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -ExecReload=/usr/sbin/nginx -c /etc/nginx/dn42/nginx.conf -g 'daemon on; master_process on;' -s reload -ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/dn42_nginx.pid -TimeoutStopSec=5 -KillMode=mixed -NetworkNamespacePath=/run/netns/dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -PrivateTmp=true -PrivateDevices=true -PrivateIPC=true - -[Install] -WantedBy=multi-user.target diff --git a/roles/linux-ns/files/systemd/dn42_pdns.service b/roles/linux-ns/files/systemd/dn42_pdns.service deleted file mode 100644 index 45cc367..0000000 --- a/roles/linux-ns/files/systemd/dn42_pdns.service +++ /dev/null @@ -1,55 +0,0 @@ -[Unit] -Description=PowerDNS Authoritative Server dn42 -Documentation=man:pdns_server(1) man:pdns_control(1) -Documentation=https://doc.powerdns.com -Wants=network-online.target -After=network-online.target time-sync.target -After=dn42_namespace.service -Requires=dn42_namespace.service - -[Service] -ExecStart=/usr/sbin/pdns_server --config-name=dn42 --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no -SyslogIdentifier=pdns_server-dn42 -User=pdns -Group=pdns -Type=notify -Restart=on-failure -RestartSec=1 -StartLimitInterval=0 -RuntimeDirectory=pdns-dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf - -# Sandboxing -CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN -AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN -LockPersonality=true -NoNewPrivileges=true -PrivateDevices=true -PrivateTmp=true -# Setting PrivateUsers=true prevents us from opening our sockets -ProtectClock=true -ProtectControlGroups=true -ProtectHome=true -ProtectHostname=true -ProtectKernelLogs=true -ProtectKernelModules=true -ProtectKernelTunables=true -# ProtectSystem=full will disallow write access to /etc and /usr, possibly -# not being able to write slaved-zones into sqlite3 or zonefiles. -ProtectSystem=full -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=true -RestrictRealtime=true -RestrictSUIDSGID=true -SystemCallArchitectures=native -SystemCallFilter=~ @clock @debug @module @mount @raw-io @reboot @swap @cpu-emulation @obsolete -ProtectProc=invisible -PrivateIPC=true -RemoveIPC=true -DevicePolicy=closed -# Not enabled by default because it does not play well with LuaJIT -# MemoryDenyWriteExecute=true -NetworkNamespacePath=/run/netns/dn42 - -[Install] -WantedBy=multi-user.target diff --git a/roles/linux-ns/files/systemd/dn42_tinc@.service b/roles/linux-ns/files/systemd/dn42_tinc@.service deleted file mode 100644 index bf17815..0000000 --- a/roles/linux-ns/files/systemd/dn42_tinc@.service +++ /dev/null @@ -1,31 +0,0 @@ -[Unit] -Description=Tinc net %i in namespace dn42 -Documentation=info:tinc -Documentation=man:tinc(8) man:tinc.conf(5) -Documentation=http://tinc-vpn.org/docs/ -PartOf=tinc.service -ReloadPropagatedFrom=tinc.service - -[Service] -Type=simple -WorkingDirectory=/etc/tinc/%i -EnvironmentFile=/etc/default/tinc -ExecStart=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i -D --pidfile /run/tinc/dn42/tinc.pid $EXTRA -ExecReload=/usr/sbin/tincd -c /etc/tinc/dn42/%i/ -n %i --pidfile /run/tinc/dn42/tinc.pid -kHUP -KillMode=mixed -Restart=on-failure -RestartSec=5 -TimeoutStopSec=5 - -NetworkNamespacePath=/run/netns/dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -ProtectSystem=strict -RuntimeDirectory=./tinc/dn42/ - -PrivateTmp=true -#tun -#PrivateDevices=true -PrivateIPC=true - -#[Install] -#WantedBy=tinc.service diff --git a/roles/linux-ns/files/systemd/dn42_wg@.service b/roles/linux-ns/files/systemd/dn42_wg@.service deleted file mode 100644 index 0f67fda..0000000 --- a/roles/linux-ns/files/systemd/dn42_wg@.service +++ /dev/null @@ -1,28 +0,0 @@ -[Unit] -Description=WireGuard via wg-quick(8) for %I -PartOf=wg-quick.target -Documentation=man:wg-quick(8) -Documentation=man:wg(8) -Documentation=https://www.wireguard.com/ -Documentation=https://www.wireguard.com/quickstart/ -Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8 -Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8 -After=dn42_namespace.service network-online.target nss-lookup.target -Requires=dn42_namespace.service network-online.target nss-lookup.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/bin/wg-quick up /etc/wireguard/dn42/%i.conf -ExecStop=/usr/bin/wg-quick down /etc/wireguard/dn42/%i.conf -#ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)' -Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity -NetworkNamespacePath=/run/netns/dn42 -BindReadOnlyPaths=/etc/netns/dn42/resolv.conf:/etc/resolv.conf -ProtectSystem=strict -PrivateTmp=true -PrivateDevices=true -PrivateIPC=true - -[Install] -WantedBy=multi-user.target diff --git a/roles/linux-ns/files/systemd/my-netns@.service b/roles/linux-ns/files/systemd/my-netns@.service deleted file mode 100644 index c9735b7..0000000 --- a/roles/linux-ns/files/systemd/my-netns@.service +++ /dev/null @@ -1,30 +0,0 @@ -[Unit] -Description=Named network namespace %I -Documentation=https://github.com/Jamesits/systemd-named-netns - -After=network-pre.target -Before=network.target network-online.target - -[Install] -WantedBy=network-online.target -WantedBy=multi-user.target - -[Service] -Type=oneshot -RemainAfterExit=yes - -# precaution -ExecStartPre=-/usr/bin/env ip netns delete %I - -# set up netns and bind it to this service -ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I -ExecStart=/usr/bin/env ip link add veth%I type veth peer vethpeer%I netns %I -ExecStart=/usr/bin/env ip link set veth%I up -ExecStart=/usr/bin/env ip netns exec %I ip link set vethpeer%I name eth0 -ExecStart=/usr/bin/env ip netns exec %I ip link set lo up -ExecStart=/usr/bin/env ip netns exec %I ip link set eth0 up - -# remove the netns -ExecStop=/usr/bin/env ip link del veth%I -# type veth peer vethpeer%I netns %I -ExecStop=/usr/bin/env ip netns delete %I diff --git a/roles/linux-ns/files/systemd/readme.txt b/roles/linux-ns/files/systemd/readme.txt deleted file mode 100644 index 99d220e..0000000 --- a/roles/linux-ns/files/systemd/readme.txt +++ /dev/null @@ -1,2 +0,0 @@ -except my-netns@.service, consider these examples, -or a "backup" for me.
\ No newline at end of file diff --git a/roles/linux-ns/handlers/main.yml b/roles/linux-ns/handlers/main.yml deleted file mode 100644 index 144e1c1..0000000 --- a/roles/linux-ns/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for linux-ns diff --git a/roles/linux-ns/meta/main.yml b/roles/linux-ns/meta/main.yml deleted file mode 100644 index 20a965c..0000000 --- a/roles/linux-ns/meta/main.yml +++ /dev/null @@ -1,15 +0,0 @@ -galaxy_info: - author: uvok - description: Linux Network Namespace Setup - - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - license: MIT - - min_ansible_version: 2.1 - - galaxy_tags: [] - -dependencies: [] diff --git a/roles/linux-ns/tasks/main.yml b/roles/linux-ns/tasks/main.yml deleted file mode 100644 index 6984b1f..0000000 --- a/roles/linux-ns/tasks/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# tasks file for linux-ns diff --git a/roles/linux-ns/templates/dn42-route-namespace.sh b/roles/linux-ns/templates/dn42-route-namespace.sh deleted file mode 100755 index 6822834..0000000 --- a/roles/linux-ns/templates/dn42-route-namespace.sh +++ /dev/null @@ -1,85 +0,0 @@ -#!/bin/sh -x - -set -eu - -# Set public IPv6 network prefix in the form aaaa:bbbb:cccc:dddd -# (yes, without trailing: or ::) -hoster_prefix_v6="{{ hoster_ipv6_prefix }}" -# hardcoded: use 42 prefix -ns_prefix_v6="${hoster_prefix_v6}:42" - -# insert IPv4 address -hoster_addr_v4="{{ hoster_ipv4_address }}" -# hardcoded: net -ns_net_v4="10.42.0.0/24" -# hardcoded: peer address (inside namespace) -ns_addr_peer_v4="10.42.0.2/32" - -case $- in - *x*) debug="-x" ;; - *) debug="" ;; -esac - -case "$1" in - start) - ip netns exec dn42 sh $debug "$0" start-ns - ip route add ${ns_net_v4} dev vethdn42 - ip a add ${ns_prefix_v6}::1/128 dev vethdn42 - ip route add ${ns_prefix_v6}::2/128 dev vethdn42 - # hardcoded: route for dn42 - ip route replace fd00::/8 via ${ns_prefix_v6}::2 dev vethdn42 src fcee::1 - ;; - start-ns) - sysctl -w net.ipv6.conf.all.forwarding=1 - - ip -4 route flush dev eth0 - ip -6 route flush dev eth0 - ip -4 a flush dev eth0 - ip -6 a flush dev eth0 - - ip a add ${ns_addr_peer_v4} dev eth0 - ip route add ${hoster_addr_v4} dev eth0 - ip route add default via ${hoster_addr_v4} dev eth0 - - ip a add ${ns_prefix_v6}::2/128 dev eth0 - ip route add ${ns_prefix_v6}::1 dev eth0 - ip route add default via ${ns_prefix_v6}::1 dev eth0 - - # hardcoded: dummy-interface with additional addresses - ifup dn42_int - - # hardcoded: Additional rules for (policy) routing. - # tables are filled by bird. - ip -6 rule add prio 31000 table 210 - ip -6 rule add prio 32000 table 250 - - # hardcoded: iptables - iptables-nft-restore < /etc/iptables/netns/dn42/iptables.save - ip6tables-nft-restore < /etc/iptables/netns/dn42/ip6tables.save - ;; - stop) - ip -6 route flush dev vethdn42 - ip -4 route flush dev vethdn42 - - ip -6 a flush dev vethdn42 - ip -4 a flush dev vethdn42 - - ip netns exec dn42 sh $debug "$0" stop-ns - ;; - stop-ns) - ifdown dn42_int - - ip -6 route flush dev eth0 - ip -6 a flush dev eth0 - - ip -4 route flush dev eth0 - ip -4 a flush dev eth0 - - ip -6 rule del prio 31000 - ip -6 rule del prio 32000 - - ;; - *) - echo "Ignore invalid parameter $1" >&2 - ;; -esac diff --git a/roles/linux-ns/vars/main.yml b/roles/linux-ns/vars/main.yml deleted file mode 100644 index 0635f6c..0000000 --- a/roles/linux-ns/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for linux-ns |