updated rootfs with dns softlink (#274)

* updated rootfs with dns softlink Signed-off-by: Jordan Rash <[email protected]> * Revert "Use configured CNI subnet to lockdown DNS (#271)" This reverts commit 7994763. * Revert "Add DNS support for external name resolution (#270)" This reverts commit 9940ff2. * configurable cni dns during preflight Signed-off-by: Jordan Rash <[email protected]> --------- Signed-off-by: Jordan Rash <[email protected]>
synadia-io · Jun 12, 2024 · eac31ff · eac31ff
1 parent 2607ea8
commit eac31ff
Show file tree

Hide file tree

Showing 27 changed files with 81 additions and 477 deletions.
diff --git a/_scripts/docker/Dockerfile.alpine b/_scripts/docker/Dockerfile.alpine
@@ -2,10 +2,7 @@ FROM alpine:3.19.1
 
 ADD alpine-openrc.sh /etc/init.d/agent
 
-RUN apk add --no-cache iptables
-RUN apk add --no-cache iptables-legacy
 RUN apk add --no-cache openrc
-RUN apk add --no-cache sudo
 RUN apk add --no-cache util-linux
 
 RUN ln -s agetty /etc/init.d/agetty.ttyS0
@@ -17,8 +14,6 @@ RUN echo "root:root" | chpasswd
 RUN addgroup -g 1000 -S nex
 RUN adduser -u 1000 -S nex -G nex
 
-echo '%nex ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/nex
-
 RUN rc-update add devfs boot
 RUN rc-update add procfs boot
 RUN rc-update add sysfs boot

diff --git a/_scripts/docker/agent.service b/_scripts/docker/agent.service
@@ -12,6 +12,8 @@ StandardError=file:/home/user/err.log
 Type=simple
 Restart=always
 
+
 [Install]
 WantedBy=default.target
 RequiredBy=network.target
+
diff --git a/_scripts/docker/alpine-iptables.sh b/_scripts/docker/alpine-iptables.sh
diff --git a/agent/agent.go b/agent/agent.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"os/exec"
 	"os/signal"
 	"path"
 	"runtime"
@@ -335,17 +334,7 @@ func (a *Agent) init() error {
 		propagation.Baggage{},
 	))
 
-	var err error
-
-	if a.sandboxed {
-		err = a.setNameservers()
-		if err != nil {
-			a.LogError(fmt.Sprintf("Failed to set nameservers: %s", err))
-			return err
-		}
-	}
-
-	err = a.initNATS()
+	err := a.initNATS()
 	if err != nil {
 		a.LogError(fmt.Sprintf("Failed to initialize NATS connection: %s", err))
 		return err
@@ -479,32 +468,6 @@ func (a *Agent) newExecutionProviderParams(req *agentapi.DeployRequest, tmpFile
 	return params, nil
 }
 
-func (a *Agent) setNameservers() error {
-	if a.md.Nameserver == nil {
-		return errors.New("no nameserver included in metadata")
-	}
-
-	a.LogDebug(fmt.Sprintf("Metadata included nameserver: %s", *a.md.Nameserver))
-
-	cmd := exec.Command("sudo", "iptables-legacy", "-v", "-t", "nat", "-A", "OUTPUT", "-p", "tcp", "--dport", "domain", "-j", "DNAT", "--to-destination", *a.md.Nameserver)
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		a.LogError(fmt.Sprintf("Failed to update iptables for nameserver: %s", err))
-		return err
-	}
-	a.LogDebug(string(out))
-
-	cmd = exec.Command("sudo", "iptables-legacy", "-v", "-t", "nat", "-A", "OUTPUT", "-p", "udp", "--dport", "domain", "-j", "DNAT", "--to-destination", *a.md.Nameserver)
-	out, err = cmd.CombinedOutput()
-	if err != nil {
-		a.LogError(fmt.Sprintf("Failed to update iptables for nameserver: %s", err))
-		return err
-	}
-	a.LogDebug(string(out))
-
-	return nil
-}
-
 func (a *Agent) shutdown() {
 	if atomic.AddUint32(&a.closing, 1) == 1 {
 		if a.provider != nil {

diff --git a/examples/nameresolvingservice/.gitignore b/examples/nameresolvingservice/.gitignore
diff --git a/examples/nameresolvingservice/main.go b/examples/nameresolvingservice/main.go
diff --git a/go.mod b/go.mod
@@ -4,7 +4,6 @@ go 1.22.2
 
 require (
 	dagger.io/dagger v0.11.2
-	github.com/3th1nk/cidr v0.2.0
 	github.com/cdfmlr/ellipsis v0.0.1
 	github.com/charmbracelet/bubbles v0.18.0
 	github.com/charmbracelet/bubbletea v0.25.0
@@ -18,7 +17,6 @@ require (
 	github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf
 	github.com/jedib0t/go-pretty/v6 v6.5.8
 	github.com/jordan-rash/slog-handler v0.0.0-20240523140048-9e8ba2d5eb3d
-	github.com/miekg/dns v1.1.59
 	github.com/nats-io/jsm.go v0.1.1
 	github.com/nats-io/jwt/v2 v2.5.6
 	github.com/nats-io/nats-server/v2 v2.10.14

diff --git a/go.sum b/go.sum
@@ -6,8 +6,6 @@ contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRq
 contrib.go.opencensus.io/exporter/prometheus v0.1.0/go.mod h1:cGFniUXGZlKRjzOyuZJ6mgB+PgBcCIa79kEKR8YCW+A=
 dagger.io/dagger v0.11.2 h1:HoDAk1GZ676ziC/aNB4JX5tJbXhJ63ydBEo/oDacxJo=
 dagger.io/dagger v0.11.2/go.mod h1:ABrEbaXuGQtqOlc0WlHWHQt/azY0jEs/O/X8xkX8xxM=
-github.com/3th1nk/cidr v0.2.0 h1:81jjEknszD8SHPLVTPPk+BZjNVqq1ND2YXLSChl6Lrs=
-github.com/3th1nk/cidr v0.2.0/go.mod h1:XsSQnS4rEYyB2veDfnIGgViulFpIITPKtp3f0VxpiLw=
 github.com/99designs/gqlgen v0.17.45 h1:bH0AH67vIJo8JKNKPJP+pOPpQhZeuVRQLf53dKIpDik=
 github.com/99designs/gqlgen v0.17.45/go.mod h1:Bas0XQ+Jiu/Xm5E33jC8sES3G+iC2esHBMXcq0fUPs0=
 github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
@@ -58,6 +56,8 @@ github.com/charmbracelet/bubbles v0.18.0 h1:PYv1A036luoBGroX6VWjQIE9Syf2Wby2oOl/
 github.com/charmbracelet/bubbles v0.18.0/go.mod h1:08qhZhtIwzgrtBjAcJnij1t1H0ZRjwHyGsy6AL11PSw=
 github.com/charmbracelet/bubbletea v0.25.0 h1:bAfwk7jRz7FKFl9RzlIULPkStffg5k6pNt5dywy4TcM=
 github.com/charmbracelet/bubbletea v0.25.0/go.mod h1:EN3QDR1T5ZdWmdfDzYcqOCAps45+QIJbLOBxmVNWNNg=
+github.com/charmbracelet/lipgloss v0.10.0 h1:KWeXFSexGcfahHX+54URiZGkBFazf70JNMtwg/AFW3s=
+github.com/charmbracelet/lipgloss v0.10.0/go.mod h1:Wig9DSfvANsxqkRsqj6x87irdy123SR4dOXlKa91ciE=
 github.com/charmbracelet/lipgloss v0.11.0 h1:UoAcbQ6Qml8hDwSWs0Y1cB5TEQuZkDPH/ZqwWWYTG4g=
 github.com/charmbracelet/lipgloss v0.11.0/go.mod h1:1UdRTH9gYgpcdNN5oBtjbu/IzNKtzVtb7sqN1t9LNn8=
 github.com/charmbracelet/x/ansi v0.1.2 h1:6+LR39uG8DE6zAmbu023YlqjJHkYXDF1z36ZwzO4xZY=
@@ -199,6 +199,8 @@ github.com/jedib0t/go-pretty/v6 v6.5.8 h1:8BCzJdSvUbaDuRba4YVh+SKMGcAAKdkcF3SVFb
 github.com/jedib0t/go-pretty/v6 v6.5.8/go.mod h1:zbn98qrYlh95FIhwwsbIip0LYpwSG8SUOScs+v9/t0E=
 github.com/jordan-rash/firecracker-go-sdk v0.0.0-20240422123121-239cc054eb0a h1:HAp7k1pz8Ecz1nq/bBYKwxHY0Dc932K28G3om15Gvhg=
 github.com/jordan-rash/firecracker-go-sdk v0.0.0-20240422123121-239cc054eb0a/go.mod h1:bZQpQss4wFMwC7vku5/hQc1IpG+IemXqzNPUB/h8LdA=
+github.com/jordan-rash/slog-handler v0.0.0-20240514154657-1f72d9d2d911 h1:CoPeVFn7XpyZz5O5YLd1wmJ8PG7NPK/9CJSyKILMvEY=
+github.com/jordan-rash/slog-handler v0.0.0-20240514154657-1f72d9d2d911/go.mod h1:ZXgFXP35hKZTDjbTUFow7epfEoCkazXwe/mQBqAHaX0=
 github.com/jordan-rash/slog-handler v0.0.0-20240523140048-9e8ba2d5eb3d h1:i12gg9VzMKQRjdZBhLmZFrVO86Pshokp3XOVqa51CIE=
 github.com/jordan-rash/slog-handler v0.0.0-20240523140048-9e8ba2d5eb3d/go.mod h1:ZXgFXP35hKZTDjbTUFow7epfEoCkazXwe/mQBqAHaX0=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -239,8 +241,6 @@ github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRC
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
-github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
 github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLTk+kldvVxY=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
@@ -357,7 +357,6 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
@@ -490,6 +489,8 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=

diff --git a/internal/agent-api/types.go b/internal/agent-api/types.go
@@ -181,12 +181,11 @@ type HostServicesMessagingResponse struct {
 }
 
 type MachineMetadata struct {
-	Nameserver       *string `json:"nameserver"`
+	VmID             *string `json:"vmid"`
 	NodeNatsHost     *string `json:"node_nats_host"`
 	NodeNatsPort     *int    `json:"node_nats_port"`
 	NodeNatsNkeySeed *string `json:"node_nats_nkey"`
 	Message          *string `json:"message"`
-	VmID             *string `json:"vmid"`
 
 	Errors []error `json:"errors,omitempty"`
 }

diff --git a/internal/fc-image/rootfs.go b/internal/fc-image/rootfs.go
@@ -181,6 +181,16 @@ func build(ctx context.Context, tempdir, mountPoint, baseImg, outname string, wi
 		return err
 	}
 
+	err = os.Remove(filepath.Join(mountPoint, "/etc/resolv.conf"))
+	if err != nil {
+		return err
+	}
+
+	err = os.Symlink("/proc/net/pnp", filepath.Join(mountPoint, "/etc/resolv.conf"))
+	if err != nil {
+		return err
+	}
+
 	_, err = c.Stdout(ctx)
 	if err != nil {
 		return err

diff --git a/internal/models/cli.go b/internal/models/cli.go
@@ -112,8 +112,9 @@ type RootfsOptions struct {
 // Node configuration is used to configure the node process as well
 // as the virtual machines it produces
 type NodeOptions struct {
-	ConfigFilepath  string `json:"-"`
-	ForceDepInstall bool   `json:"-"`
+	ConfigFilepath  string   `json:"-"`
+	ForceDepInstall bool     `json:"-"`
+	CniNS           []string `json:"-"`
 
 	OtelMetrics         bool   `json:"-"`
 	OtelMetricsPort     int    `json:"-"`

diff --git a/internal/models/config.go b/internal/models/config.go
@@ -26,9 +26,12 @@ const (
 )
 
 var (
-	DefaultBinPath       = append([]string{"/usr/local/bin"}, filepath.SplitList(os.Getenv("PATH"))...)
-	DefaultCNIBinPath    = []string{"/opt/cni/bin"}
 	DefaultWorkloadTypes = []controlapi.NexWorkload{controlapi.NexWorkloadNative}
+
+	DefaultBinPath = append([]string{"/usr/local/bin"}, filepath.SplitList(os.Getenv("PATH"))...)
+
+	// check the default cni bin path first, otherwise look in the rest of the PATH
+	DefaultCNIBinPath = append([]string{"/opt/cni/bin"}, filepath.SplitList(os.Getenv("PATH"))...)
 )
 
 // Node configuration is used to configure the node process as well

diff --git a/internal/models/node.go b/internal/models/node.go
@@ -13,6 +13,7 @@ type CNIDefinition struct {
 	InterfaceName *string  `json:"interface_name"`
 	NetworkName   *string  `json:"network_name"`
 	Subnet        *string  `json:"subnet"`
+	Nameservers   []string `json:"nameservers"`
 }
 
 // Defines the CPU and memory usage of a machine to be configured when it is added to the pool