twh_eastasia/virtual-dsm
1
0
Fork 0
mirror of https://github.com/vdsm/virtual-dsm.git synced 2025-11-23 18:33:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: Workaround AppArmor profile for passt (#1108)

Browse Source
This commit is contained in:
Kroese
2025-11-12 07:03:22 +01:00
committed by GitHub
parent e77bca202b
commit 471cdbb338
1 changed files with 21 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/network.sh
View File

@@ -19,14 +19,16 @@ set -Eeuo pipefail
: "${VM_NET_HOST:="VirtualDSM"}" : "${VM_NET_HOST:="VirtualDSM"}"
: "${VM_NET_MASK:="255.255.255.0"}" : "${VM_NET_MASK:="255.255.255.0"}"
: "${PASST:="passt"}" : "${PASST:="/run/passt"}"
: "${PASST_MTU:=""}" : "${PASST_MTU:=""}"
: "${PASST_OPTS:=""}" : "${PASST_OPTS:=""}"
: "${PASST_DEBUG:=""}" : "${PASST_DEBUG:=""}"
: "${PASST_PID:="/var/run/passt.pid"}"
: "${DNSMASQ_OPTS:=""}" : "${DNSMASQ_OPTS:=""}"
: "${DNSMASQ_DEBUG:=""}" : "${DNSMASQ_DEBUG:=""}"
: "${DNSMASQ:="/usr/sbin/dnsmasq"}" : "${DNSMASQ:="/usr/sbin/dnsmasq"}"
: "${DNSMASQ_PID:="/var/run/dnsmasq.pid"}"
: "${DNSMASQ_CONF_DIR:="/etc/dnsmasq.d"}" : "${DNSMASQ_CONF_DIR:="/etc/dnsmasq.d"}"
ADD_ERR="Please add the following setting to your container:" ADD_ERR="Please add the following setting to your container:"
@@ -127,8 +129,8 @@ configureDNS() {
[[ "${DNSMASQ_DISABLE:-}" == [Yy1]* ]] && return 0 [[ "${DNSMASQ_DISABLE:-}" == [Yy1]* ]] && return 0
[[ "$DEBUG" == [Yy1]* ]] && echo "Starting dnsmasq daemon..." [[ "$DEBUG" == [Yy1]* ]] && echo "Starting dnsmasq daemon..."
local log="/var/log/dnsmasq.log" [ -s "$DNSMASQ_PID" ] && pKill "$(<"$DNSMASQ_PID")"
rm -f "$log" rm -f "$DNSMASQ_PID"
case "${NETWORK,,}" in case "${NETWORK,,}" in
"tap" | "tun" | "tuntap" | "y" ) "tap" | "tun" | "tuntap" | "y" )
@@ -162,6 +164,8 @@ configureDNS() {
[ -f /etc/resolv.dnsmasq ] && DNSMASQ_OPTS+=" --resolv-file=/etc/resolv.dnsmasq" [ -f /etc/resolv.dnsmasq ] && DNSMASQ_OPTS+=" --resolv-file=/etc/resolv.dnsmasq"
# Enable logging to file # Enable logging to file
local log="/var/log/dnsmasq.log"
rm -f "$log"
DNSMASQ_OPTS+=" --log-facility=$log" DNSMASQ_OPTS+=" --log-facility=$log"
DNSMASQ_OPTS=$(echo "$DNSMASQ_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//') DNSMASQ_OPTS=$(echo "$DNSMASQ_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
@@ -312,9 +316,6 @@ configurePasst() {
local log="/tmp/passt.log" local log="/tmp/passt.log"
rm -f "$log" rm -f "$log"
local pid="/var/run/dnsmasq.pid"
[ -s "$pid" ] && pKill "$(<"$pid")"
local ip="$IP" local ip="$IP"
[ -n "$VM_NET_IP" ] && ip="$VM_NET_IP" [ -n "$VM_NET_IP" ] && ip="$VM_NET_IP"
@@ -346,7 +347,7 @@ configurePasst() {
PASST_OPTS+=" -H $VM_NET_HOST" PASST_OPTS+=" -H $VM_NET_HOST"
PASST_OPTS+=" -M $GATEWAY_MAC" PASST_OPTS+=" -M $GATEWAY_MAC"
PASST_OPTS+=" -P /tmp/passt.pid" PASST_OPTS+=" -P $PASST_PID"
PASST_OPTS+=" -l $log" PASST_OPTS+=" -l $log"
PASST_OPTS+=" -q" PASST_OPTS+=" -q"
@@ -358,6 +359,8 @@ configurePasst() {
PASST_OPTS=$(echo "$PASST_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//') PASST_OPTS=$(echo "$PASST_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
[[ "$DEBUG" == [Yy1]* ]] && printf "Passt arguments:\n\n%s\n\n" "${PASST_OPTS// -/$'\n-'}" [[ "$DEBUG" == [Yy1]* ]] && printf "Passt arguments:\n\n%s\n\n" "${PASST_OPTS// -/$'\n-'}"
[ ! -f "$PASST" ] && cp /usr/bin/passt* /run
if ! $PASST ${PASST_OPTS:+ $PASST_OPTS} >/dev/null 2>&1; then if ! $PASST ${PASST_OPTS:+ $PASST_OPTS} >/dev/null 2>&1; then
rm -f "$log" rm -f "$log"
@@ -495,9 +498,12 @@ configureNAT() {
fi fi
fi fi
if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE > /dev/null 2>&1; then
[[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then
warn "$tables" && return 1 warn "$tables" && return 1
fi fi
fi
# shellcheck disable=SC2086 # shellcheck disable=SC2086
if ! iptables -t nat -A PREROUTING -i "$VM_NET_DEV" -d "$IP" -p tcp${exclude} -j DNAT --to "$ip"; then if ! iptables -t nat -A PREROUTING -i "$VM_NET_DEV" -d "$IP" -p tcp${exclude} -j DNAT --to "$ip"; then
@@ -530,13 +536,11 @@ configureNAT() {
closeBridge() { closeBridge() {
local pid="/tmp/passt.pid" [ -s "$PASST_PID" ] && pKill "$(<"$PASST_PID")"
[ -s "$pid" ] && pKill "$(<"$pid")" rm -f "$PASST_PID"
rm -f "$pid"
pid="/var/run/dnsmasq.pid" [ -s "$DNSMASQ_PID" ] && pKill "$(<"$DNSMASQ_PID")"
[ -s "$pid" ] && pKill "$(<"$pid")" rm -f "$DNSMASQ_PID"
rm -f "$pid"
case "${NETWORK,,}" in case "${NETWORK,,}" in
"user"* | "passt" | "slirp" ) return 0 ;; "user"* | "passt" | "slirp" ) return 0 ;;
@@ -592,9 +596,9 @@ closeNetwork() {
cleanUp() { cleanUp() {
# Clean up old files # Clean up old files
rm -f /tmp/passt.pid rm -f "$PASST_PID"
rm -f "$DNSMASQ_PID"
rm -f /etc/resolv.dnsmasq rm -f /etc/resolv.dnsmasq
rm -f /var/run/dnsmasq.pid
if [[ -d "/sys/class/net/$VM_NET_TAP" ]]; then if [[ -d "/sys/class/net/$VM_NET_TAP" ]]; then
info "Lingering interface will be removed..." info "Lingering interface will be removed..."