From 9e71165dd3fa31accbcce8d5875aa774ab8b8fe1 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Wed, 30 Aug 2023 11:40:19 +0200 Subject: run Exim in container --- guix-container.sh | 101 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 67 insertions(+), 34 deletions(-) (limited to 'guix-container.sh') diff --git a/guix-container.sh b/guix-container.sh index da8b765..d117ae3 100755 --- a/guix-container.sh +++ b/guix-container.sh @@ -2,7 +2,7 @@ # SPDX-License-Identifier: CC0-1.0 -# Copyright (C) 2022 Wojtek Kosior +# Copyright (C) 2022-2023 Wojtek Kosior # # Available under the terms of Creative Commons Zero v1.0 Universal. 
@@ -87,6 +87,49 @@ is_running() { return $? } +network_setup() { + SHEPHERD_PID="$1" + + ip link add veth-guix-out type veth peer name veth-guix-in + ip link set veth-guix-in netns "$SHEPHERD_PID" + + ip link set veth-guix-out up + ip addr add 10.207.87.1/24 dev veth-guix-out + + nsenter --target "$SHEPHERD_PID" --net ip link set lo up + nsenter --target "$SHEPHERD_PID" --net ip link set veth-guix-in up + nsenter --target "$SHEPHERD_PID" --net ip addr add \ + 10.207.87.2/24 dev veth-guix-in + nsenter --target "$SHEPHERD_PID" --net ip route add \ + default via 10.207.87.1 dev veth-guix-in + + if [ -n "$HOST_SYSTEM_ROOT" ]; then + # Don't connect to the real net when running in a test environment. + return + fi + + for LINKNAME in $(ip route | grep default | awk '{print $5}'); do + iptables -t nat -A POSTROUTING \ + -s 10.207.87.1/24 -o "$LINKNAME" -j MASQUERADE + iptables -t nat -A PREROUTING \ + -i "$LINKNAME" -p tcp \ + -m multiport --dports 25,12525,465,587 \ + -j DNAT --to-destination 10.207.87.2 + done + + cat /etc/resolv.conf | + nsenter --target "$SHEPHERD_PID" --all \ + /run/current-system/profile/bin/tee /etc/resolv.conf > /dev/null + + echo 1 > /proc/sys/net/ipv4/ip_forward +} + +iptables_rip_rule() { + while iptables "$@" 2>/dev/null; do + true + done +} + network_rip() { ip link delete veth-guix-out 2>/dev/null || true 
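Review bot: The new PREROUTING DNAT rule in network_setup is not paired with any FORWARD rule, so whether the redirected SMTP connections actually reach 10.207.87.2, and whether anything else is forwarded between veth-guix-out and the uplink, is left to the host's FORWARD policy: a host whose default is DROP silently breaks delivery, one whose default is ACCEPT forwards unrestricted. Explicit FORWARD accepts scoped to the veth and to the DNAT'ed port set, with matching `iptables_rip_rule -D` calls in network_rip, make the behaviour independent of that policy; the lines below belong inside the `for LINKNAME` loop after the two nat rules. The DNAT rule also matches any destination address arriving on the uplink, so a `-d <host address on $LINKNAME>` match would keep it from catching traffic the host merely routes for others. Separately, `iptables_rip_rule` only terminates because a `-D` eventually fails; a comment such as `# Remove every copy of a rule; only usable with -D (with -A it would never stop).` would prevent it being reused for adds.
```shell
    for LINKNAME in $(ip route | grep default | awk '{print $5}'); do
        # … unchanged: MASQUERADE and DNAT rules …
        # Make forwarding explicit instead of relying on the host's FORWARD
        # policy: container -> uplink, replies back, and only the DNAT'ed
        # ports inbound towards the container.
        iptables -A FORWARD -i veth-guix-out -o "$LINKNAME" -j ACCEPT
        iptables -A FORWARD -i "$LINKNAME" -o veth-guix-out \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i "$LINKNAME" -o veth-guix-out \
            -d 10.207.87.2 -p tcp \
            -m multiport --dports 25,12525,465,587 -j ACCEPT
    done
```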
@@ -99,18 +142,26 @@ network_rip() { echo 0 > /proc/sys/net/ipv4/ip_forward for LINKNAME in $(ip route | grep default | awk '{print $5}'); do - iptables -t nat -D POSTROUTING \ - -s 10.207.87.1/24 -o "$LINKNAME" -j MASQUERADE 2>/dev/null \ - || true + iptables_rip_rule -t nat -D PREROUTING \ + -i "$LINKNAME" -p tcp \ + -m multiport --dports 25,12525,465,587 \ + -j DNAT --to-destination 10.207.87.2 + iptables_rip_rule -t nat -D POSTROUTING \ + -s 10.207.87.1/24 -o "$LINKNAME" \ + -j MASQUERADE done } stop() { network_rip + if ! is_running; then + return + fi + if [ -x /sbin/start-stop-daemon ]; then - /sbin/start-stop-daemon \ - --stop --signal TERM --pidfile "$PIDFILE" --remove-pidfile --quiet \ + /sbin/start-stop-daemon \ + --stop --signal TERM --pidfile "$PIDFILE" --remove-pidfile --quiet \ --retry 60 2>/dev/null || true else DAEMON_PID="$(cat "$PIDFILE")" 
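Review bot: The DNAT and MASQUERADE argument lists in network_rip are a verbatim second copy of the ones added to network_setup, including the port list `25,12525,465,587` and the target `10.207.87.2`; an edit to one side leaves `stop` unable to remove the rules the other side added, and because iptables_rip_rule discards the failing `-D` output nothing reports it. Declaring the shared pieces once, e.g. `EXIM_PORTS=25,12525,465,587` and `CONTAINER_ADDR=10.207.87.2`, and using them in both functions removes that drift. Both functions also repeat the unquoted `$(ip route | grep default | awk '{print $5}')` scan; it works for interface names, but a small `default_links()` helper would keep the two loops in step. stop()'s body continues past the end of the hunk.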
@@ -153,18 +204,24 @@ start() { HYDRILLAREPOS_HTTP_REAL="$HOST_SYSTEM_ROOT"/var/www/hydrillarepos.koszko.org/html LOG_REAL="$LOG_DIR"/container ETC_LETSENCRYPT_REAL="$HOST_SYSTEM_ROOT"/etc/letsencrypt + ETC_EXIM_REAL="$HOST_SYSTEM_ROOT"/etc/exim ETC_REAL="$HOST_SYSTEM_ROOT"/etc/guix-container + VAR_SPOOL_EXIM_REAL="$HOST_SYSTEM_ROOT"/var/spool/exim VAR_HYDRILLA_REAL="$HOST_SYSTEM_ROOT"/var/lib/hydrilla VAR_GITOLITE_REAL="$HOST_SYSTEM_ROOT"/var/lib/gitolite3 + HOME_REAL="$HOST_SYSTEM_ROOT"/home KOSZKO_SIDELOAD_DIR_SHARE_OPT=--share="$KOSZKO_SIDELOAD_REAL"=/srv/http/koszko.org HYDRILLA_HTTP_DIR_SHARE_OPT=--share="$HYDRILLA_HTTP_REAL"=/srv/http/hydrilla.koszko.org HYDRILLAREPOS_HTTP_DIR_SHARE_OPT=--share="$HYDRILLAREPOS_HTTP_REAL"=/srv/http/hydrillarepos.koszko.org LOG_DIR_SHARE_OPT=--share="$LOG_REAL"=/var/log ETC_LETSENCRYPT_DIR_SHARE_OPT=--share="$ETC_LETSENCRYPT_REAL"=/etc/letsencrypt + ETC_EXIM_DIR_SHARE_OPT=--share="$ETC_EXIM_REAL"=/etc/exim ETC_DIR_SHARE_OPT=--share="$ETC_REAL"=/etc + VAR_SPOOL_EXIM_DIR_SHARE_OPT=--share="$VAR_SPOOL_EXIM_REAL"=/var/spool/exim VAR_HYDRILLA_DIR_SHARE_OPT=--share="$VAR_HYDRILLA_REAL"=/var/lib/hydrilla VAR_GITOLITE_DIR_SHARE_OPT=--share="$VAR_GITOLITE_REAL"=/var/lib/gitolite3 + HOME_DIR_SHARE_OPT=--share="$HOME_REAL"=/home mkdir --mode=700 -p "$LOG_DIR" mkdir --mode=700 -p "$LOG_DIR"/container @@ -174,9 +231,12 @@ start() { "$HYDRILLAREPOS_HTTP_DIR_SHARE_OPT" \ "$LOG_DIR_SHARE_OPT" \ "$ETC_LETSENCRYPT_DIR_SHARE_OPT" \ + "$ETC_EXIM_DIR_SHARE_OPT" \ "$ETC_DIR_SHARE_OPT" \ + "$VAR_SPOOL_EXIM_DIR_SHARE_OPT" \ "$VAR_HYDRILLA_DIR_SHARE_OPT" \ "$VAR_GITOLITE_DIR_SHARE_OPT" \ + "$HOME_DIR_SHARE_OPT" \ >> "$LOG_DIR"/stdout.log 2>> "$LOG_DIR"/stderr.log & GUILE_PID=$! 
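Review bot: `HOME_DIR_SHARE_OPT=--share="$HOME_REAL"=/home` (and its use in the second hunk of this file) mounts the host's entire /home into the container read-write, whereas every other share added here is a path owned by the service (`/etc/exim`, `/var/spool/exim`). If this is for local mailbox delivery, the exposure can be narrowed to the directories Exim actually writes, or made read-only where writing is not needed (presumably `--expose` is the read-only counterpart of `--share` for this container tool; confirm against its options). A comment on the assignment stating why the container needs all of /home would also help, since nothing in the hunk explains it. The `mkdir --mode=700 -p` lines below only cover the log directories; whether `$VAR_SPOOL_EXIM_REAL` and `$ETC_EXIM_REAL` are expected to pre-exist on the host is not visible in this hunk. start() begins and ends outside the hunk.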
@@ -200,34 +260,7 @@ start() { network_rip - ip link add veth-guix-out type veth peer name veth-guix-in - ip link set veth-guix-in netns "$SHEPHERD_PID" - - ip link set veth-guix-out up - ip addr add 10.207.87.1/24 dev veth-guix-out - - nsenter --target "$SHEPHERD_PID" --net ip link set lo up - nsenter --target "$SHEPHERD_PID" --net ip link set veth-guix-in up - nsenter --target "$SHEPHERD_PID" --net ip addr add \ - 10.207.87.2/24 dev veth-guix-in - nsenter --target "$SHEPHERD_PID" --net ip route add \ - default via 10.207.87.1 dev veth-guix-in - - if [ -n "$HOST_SYSTEM_ROOT" ]; then - # Don't connect to the real net when running in a test environment. - return - fi - - for LINKNAME in $(ip route | grep default | awk '{print $5}'); do - iptables -t nat -A POSTROUTING \ - -s 10.207.87.1/24 -o "$LINKNAME" -j MASQUERADE - done - - cat /etc/resolv.conf | - nsenter --target "$SHEPHERD_PID" --all \ - /run/current-system/profile/bin/tee /etc/resolv.conf > /dev/null - - echo 1 > /proc/sys/net/ipv4/ip_forward + network_setup "$SHEPHERD_PID" } trap onexit EXIT -- cgit v1.2.3