[baseimage]: Updates for Ebtables and support for multi-asic (#6542)

Following changes were done for ebtables:

- Support for Multi-asic platforms. Ebtable filters are installed in namespace for multi-asic and not host. On Single asic installed on  host.

- For Multi-asic platforms we don't want to install on host otherwise Namespace-to-Namespace communication does not happens since ARP Request are not forwarded.

- Updated to use text file to restore ebtables rules then the binary format. Rules are restore as part of Database docker init instead of rc.local

- Removed the ebtable service files for buster as not needed as filters are restored/installed as part of database docker init.
   All the binaries are pre-installed with ebtables* binary are same as ebatbles-legacy-* 

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
This commit is contained in:
abdosi 2021-01-27 08:36:10 -08:00 committed by GitHub
parent f3a901c41e
commit cfa8fbbf1a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 15 additions and 244 deletions

View File

@ -498,13 +498,8 @@ if [ "${enable_organization_extensions}" = "y" ]; then
fi fi
fi fi
## Setup ebtable rules (rule file is in binary format) ## Setup ebtable rules (rule file in text format)
sudo cp -f files/image_config/ebtables/ebtables.default $FILESYSTEM_ROOT/etc/default/ebtables
sudo cp -f files/image_config/ebtables/ebtables.init $FILESYSTEM_ROOT/etc/init.d/ebtables
sudo cp -f files/image_config/ebtables/ebtables.service $FILESYSTEM_ROOT/lib/systemd/system/ebtables.service
sudo cp files/image_config/ebtables/ebtables.filter.cfg ${FILESYSTEM_ROOT}/etc sudo cp files/image_config/ebtables/ebtables.filter.cfg ${FILESYSTEM_ROOT}/etc
sudo LANG=C chroot $FILESYSTEM_ROOT update-alternatives --set ebtables /usr/sbin/ebtables-legacy
sudo LANG=C chroot $FILESYSTEM_ROOT systemctl enable ebtables.service
## Debug Image specific changes ## Debug Image specific changes
## Update motd for debug image ## Update motd for debug image

View File

@ -42,6 +42,18 @@ function updateSyslogConf()
rm -rf $TMP_FILE rm -rf $TMP_FILE
fi fi
} }
function ebtables_config()
{
if [ "$DEV" ]; then
# Install ebtables filter in namespaces on multi-asic.
ip netns exec $NET_NS ebtables-restore < /etc/ebtables.filter.cfg
else
if [[ ! ($NUM_ASIC -gt 1) ]]; then
# Install ebtables filter in host for single asic.
ebtables-restore < /etc/ebtables.filter.cfg
fi
fi
}
function getMountPoint() function getMountPoint()
{ {
@ -100,6 +112,8 @@ function postStartAction()
docker exec -i database$DEV sysctl --system -e docker exec -i database$DEV sysctl --system -e
link_namespace $DEV link_namespace $DEV
fi fi
# Setup ebtables configuration
ebtables_config
# chassisdb starts before database starts, bypass the PING check since other # chassisdb starts before database starts, bypass the PING check since other
# databases are not availbale until database container is ready. # databases are not availbale until database container is ready.

View File

@ -1,35 +0,0 @@
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
EBTABLES_MODULES_UNLOAD="yes"
# Load firewall rules on system startup.
# Value: yes|no, default: no
# Restores the ebtables rulesets from the last saved state when the
# system boots up.
EBTABLES_LOAD_ON_START="yes"
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules if firewall gets stopped
# (e.g. on system shutdown).
EBTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules if firewall gets restarted.
EBTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule counters.
# Value: yes|no, default: no
# Save rule counters when saving a kernel table to a file. If the
# rule counters were saved, they will be restored when restoring the table.
EBTABLES_SAVE_COUNTER="no"
# Backup suffix for ruleset save files.
# Value: <string>, default: "~"
# Keep one backup level of saved rules.
# Set this variable to the empty string to disable backups.
EBTABLES_BACKUP_SUFFIX="~"

View File

@ -1,175 +0,0 @@
#!/bin/bash
#
# init script for the Ethernet Bridge filter tables
#
# Written by Dag Wieers <dag@wieers.com>
# Modified by Rok Papez <rok.papez@arnes.si>
# Bart De Schuymer <bdschuym@pandora.be>
# Adapted to Debian by Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
#
# chkconfig: - 15 85
# description: Ethernet Bridge filtering tables
#
### BEGIN INIT INFO
# Provides: ebtables
# Required-Start:
# Required-Stop:
# Should-Start: $local_fs
# Should-Stop: $local_fs
# Default-Start: S
# Default-Stop: 0 1 6
# Short-Description: ebtables ruleset management
# Description: Saves and restores the state of the ebtables rulesets.
### END INIT INFO
. /lib/lsb/init-functions
test -f /sbin/ebtables || exit 0
EBTABLES_DUMPFILE_STEM=/etc/ebtables
RETVAL=0
prog="ebtables"
desc="Ethernet bridge filtering"
umask 0077
#default configuration
EBTABLES_MODULES_UNLOAD="yes"
EBTABLES_LOAD_ON_START="no"
EBTABLES_SAVE_ON_STOP="no"
EBTABLES_SAVE_ON_RESTART="no"
EBTABLES_SAVE_COUNTER="no"
EBTABLES_BACKUP_SUFFIX="~"
config=/etc/default/$prog
[ -f "$config" ] && . "$config"
function get_supported_tables() {
EBTABLES_SUPPORTED_TABLES=
/sbin/ebtables -t filter -L 2>&1 1>/dev/null | grep -q permission
if [ $? -eq 0 ]; then
log_failure_msg "Error: insufficient privileges to access the ebtables rulesets."
exit 1
fi
for table in filter nat broute; do
/sbin/ebtables -t $table -L &> /dev/null
if [ $? -eq 0 ]; then
EBTABLES_SUPPORTED_TABLES="${EBTABLES_SUPPORTED_TABLES} $table"
fi
done
}
function load() {
RETVAL=0
get_supported_tables
log_daemon_msg "Restoring ebtables rulesets"
for table in $EBTABLES_SUPPORTED_TABLES; do
log_progress_msg "$table"
if [ -s ${EBTABLES_DUMPFILE_STEM}.$table ]; then
/sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table --atomic-commit
RET=$?
if [ $RET -ne 0 ]; then
log_progress_msg "(failed)"
RETVAL=$RET
fi
else
log_progress_msg "(no saved state)"
fi
done
if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
log_progress_msg "no kernel support"
else
log_progress_msg "done"
fi
log_end_msg $RETVAL
}
function clear() {
RETVAL=0
get_supported_tables
log_daemon_msg "Clearing ebtables rulesets"
for table in $EBTABLES_SUPPORTED_TABLES; do
log_progress_msg "$table"
/sbin/ebtables -t $table --init-table
done
if [ "$EBTABLES_MODULES_UNLOAD" = "yes" ]; then
for mod in $(grep -E '^(ebt|ebtable)_' /proc/modules | cut -d' ' -f1) ebtables; do
rmmod $mod 2> /dev/null
done
fi
if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
log_progress_msg "no kernel support"
else
log_progress_msg "done"
fi
log_end_msg $RETVAL
}
function save() {
RETVAL=0
get_supported_tables
log_daemon_msg "Saving ebtables rulesets"
for table in $EBTABLES_SUPPORTED_TABLES; do
log_progress_msg "$table"
[ -n "$EBTABLES_BACKUP_SUFFIX" ] && [ -s ${EBTABLES_DUMPFILE_STEM}.$table ] && \
mv ${EBTABLES_DUMPFILE_STEM}.$table ${EBTABLES_DUMPFILE_STEM}.$table$EBTABLES_BACKUP_SUFFIX
/sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table --atomic-save
RET=$?
if [ $RET -ne 0 ]; then
log_progress_msg "(failed)"
RETVAL=$RET
else
if [ "$EBTABLES_SAVE_COUNTER" = "no" ]; then
/sbin/ebtables -t $table --atomic-file ${EBTABLES_DUMPFILE_STEM}.$table -Z
fi
fi
done
if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
log_progress_msg "no kernel support"
else
log_progress_msg "done"
fi
log_end_msg $RETVAL
}
case "$1" in
start)
[ "$EBTABLES_LOAD_ON_START" = "yes" ] && load
;;
stop)
[ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
clear
;;
restart|reload|force-reload)
[ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
clear
[ "$EBTABLES_LOAD_ON_START" = "yes" ] && load
;;
load)
load
;;
save)
save
;;
status)
get_supported_tables
if [ -z "$EBTABLES_SUPPORTED_TABLES" ]; then
log_failure_msg "No kernel support for ebtables."
RETVAL=1
else
log_daemon_msg "Ebtables support available, number of installed rules"
for table in $EBTABLES_SUPPORTED_TABLES; do
COUNT=$(( $(/sbin/ebtables -t $table -L | sed -e "/^Bridge chain/! d" -e "s/^.*entries: //" -e "s/,.*$/ +/") 0 ))
log_progress_msg "$table($COUNT)"
done
log_end_msg 0
RETVAL=0
fi
;;
*)
echo "Usage: $0 {start|stop|restart|reload|force-reload|load|save|status}" >&2
RETVAL=1
esac
exit $RETVAL

View File

@ -1,19 +0,0 @@
[Unit]
Description=ebtables ruleset management
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
After=local-fs.target
# n.b. use below if we want to tear down rules before shutting down.
#Before=shutdown.target
#Conflicts=shutdown.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/ebtables start
ExecStop=/etc/init.d/ebtables stop
ExecReload=/etc/init.d/ebtables reload
[Install]
WantedBy=multi-user.target

View File

@ -186,12 +186,6 @@ program_console_speed()
systemctl daemon-reload systemctl daemon-reload
} }
ebtables_config()
{
# Generate atomic config file and save it persistent
/usr/sbin/ebtables-restore < /etc/ebtables.filter.cfg
/usr/sbin/ebtables -t filter --atomic-file /etc/ebtables.filter --atomic-save
}
#### Begin Main Body #### #### Begin Main Body ####
@ -362,9 +356,6 @@ if [ -f $FIRST_BOOT_FILE ]; then
# Create dir where following scripts put their output files # Create dir where following scripts put their output files
mkdir -p /var/platform mkdir -p /var/platform
# Firsttime ebtables configuration
ebtables_config
# Kdump tools configuration # Kdump tools configuration
sed -i -e "s/__PLATFORM__/$platform/g" /etc/default/kdump-tools sed -i -e "s/__PLATFORM__/$platform/g" /etc/default/kdump-tools