ignition: propagate proxy settings from a host into a vm

esendjer · mheon · commit 2128236da5f6 · 2022-02-16T14:02:42.000-05:00
Set proxy settings (such as `HTTP_PROXY`, and others) for the whole guest OS with setting up `DefaultEnvironment` with a `systemd` configuration file `default-env.conf`, a `profile.d` scenario file - `default-env.sh` and a `environment.d` configuration file `default-env.conf` The **actual** environment variables are read by podman at a start, then they are encrypted with base64 into a single string and after are provided into a VM through QEMU Firmware Configuration (fw_cfg) Device Inside a VM a systemd service `envset-fwcfg.service` reads the providead encrypted string from fw_cfg, decrypts and then adds to the files - `/etc/systemd/system.conf.d/default-env.conf` - `/etc/profile.d/default-env.sh` - `/etc/environment.d/default-env.conf` At the end this service execute `systemctl daemon-reload` to propagate new variables for systemd manager [NO NEW TESTS NEEDED] Closes #13168 Signed-off-by: esendjer <esendjer@gmail.com>
diff --git a/pkg/machine/ignition.go b/pkg/machine/ignition.go
@@ -145,7 +145,42 @@ ExecStartPost=/bin/touch /var/lib/%N.stamp
 
 [Install]
 WantedBy=default.target
- `
+`
+	// This service gets environment variables that are provided
+	// through qemu fw_cfg and then sets them into systemd/system.conf.d,
+	// profile.d and environment.d files
+	//
+	// Currently, it is used for propagating
+	// proxy settings e.g. HTTP_PROXY and others, on a start avoiding
+	// a need of re-creating/re-initiating a VM
+	envset := `[Unit]
+Description=Environment setter from QEMU FW_CFG
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=FWCFGRAW=/sys/firmware/qemu_fw_cfg/by_name/opt/com.coreos/environment/raw
+Environment=SYSTEMD_CONF=/etc/systemd/system.conf.d/default-env.conf
+Environment=ENVD_CONF=/etc/environment.d/default-env.conf
+Environment=PROFILE_CONF=/etc/profile.d/default-env.sh
+ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} &&\
+	echo "[Manager]\n#Got from QEMU FW_CFG\nDefaultEnvironment=$(/usr/bin/base64 -d ${FWCFGRAW} | sed -e "s+|+ +g")\n" > ${SYSTEMD_CONF} ||\
+	echo "[Manager]\n#Got nothing from QEMU FW_CFG\n#DefaultEnvironment=\n" > ${SYSTEMD_CONF}'
+ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} && (\
+	echo "#Got from QEMU FW_CFG"> ${ENVD_CONF};\
+	IFS="|";\
+	for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\
+		echo "$iprxy" >> ${ENVD_CONF}; done ) || \
+	echo "#Got nothing from QEMU FW_CFG"> ${ENVD_CONF}'
+ExecStart=/usr/bin/bash -c '/usr/bin/test -f ${FWCFGRAW} && (\
+	echo "#Got from QEMU FW_CFG"> ${PROFILE_CONF};\
+	IFS="|";\
+	for iprxy in $(/usr/bin/base64 -d ${FWCFGRAW}); do\
+		echo "export $iprxy" >> ${PROFILE_CONF}; done ) || \
+	echo "#Got nothing from QEMU FW_CFG"> ${PROFILE_CONF}'
+ExecStartPost=/usr/bin/systemctl daemon-reload
+[Install]
+WantedBy=sysinit.target
+`
 	_ = ready
 	ignSystemd := Systemd{
 		Units: []Unit{
@@ -173,6 +208,11 @@ WantedBy=default.target
 				Name:     "remove-moby.service",
 				Contents: &deMoby,
 			},
+			{
+				Enabled:  boolToPtr(true),
+				Name:     "envset-fwcfg.service",
+				Contents: &envset,
+			},
 		}}
 	ignConfig := Config{
 		Ignition: ignVersion,
@@ -226,6 +266,25 @@ func getDirs(usrName string) []Directory {
 		DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)},
 	})
 
+	// The directory is used by envset-fwcfg.service
+	// for propagating environment variables that got
+	// from a host
+	dirs = append(dirs, Directory{
+		Node: Node{
+			Group: getNodeGrp("root"),
+			Path:  "/etc/systemd/system.conf.d",
+			User:  getNodeUsr("root"),
+		},
+		DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)},
+	}, Directory{
+		Node: Node{
+			Group: getNodeGrp("root"),
+			Path:  "/etc/environment.d",
+			User:  getNodeUsr("root"),
+		},
+		DirectoryEmbedded1: DirectoryEmbedded1{Mode: intToPtr(0755)},
+	})
+
 	return dirs
 }
 
@@ -363,24 +422,6 @@ Delegate=memory pids cpu io
 		},
 	})
 
-	setProxyOpts := getProxyVariables()
-	if setProxyOpts != "" {
-		files = append(files, File{
-			Node: Node{
-				Group: getNodeGrp("root"),
-				Path:  "/etc/profile.d/proxy-opts.sh",
-				User:  getNodeUsr("root"),
-			},
-			FileEmbedded1: FileEmbedded1{
-				Append: nil,
-				Contents: Resource{
-					Source: encodeDataURLPtr(setProxyOpts),
-				},
-				Mode: intToPtr(0644),
-			},
-		})
-	}
-
 	setDockerHost := `export DOCKER_HOST="unix://$(podman info -f "{{.Host.RemoteSocket.Path}}")"
 `
 
@@ -506,11 +547,11 @@ func prepareCertFile(path string, name string) (File, error) {
 	return file, nil
 }
 
-func getProxyVariables() string {
-	proxyOpts := ""
+func GetProxyVariables() map[string]string {
+	proxyOpts := make(map[string]string)
 	for _, variable := range config.ProxyEnv {
 		if value, ok := os.LookupEnv(variable); ok {
-			proxyOpts += fmt.Sprintf("\n export %s=%s", variable, value)
+			proxyOpts[variable] = value
 		}
 	}
 	return proxyOpts
diff --git a/pkg/machine/qemu/machine.go b/pkg/machine/qemu/machine.go
@@ -1,9 +1,11 @@
+//go:build (amd64 && !windows) || (arm64 && !windows)
 // +build amd64,!windows arm64,!windows
 
 package qemu
 
 import (
 	"bufio"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -123,6 +125,20 @@ func (p *Provider) LoadVMByName(name string) (machine.VM, error) {
 		return nil, err
 	}
 	err = json.Unmarshal(b, vm)
+
+	// It is here for providing the ability to propagate
+	// proxy settings (e.g. HTTP_PROXY and others) on a start
+	// and avoid a need of re-creating/re-initiating a VM
+	if proxyOpts := machine.GetProxyVariables(); len(proxyOpts) > 0 {
+		proxyStr := "name=opt/com.coreos/environment,string="
+		var proxies string
+		for k, v := range proxyOpts {
+			proxies = fmt.Sprintf("%s%s=\"%s\"|", proxies, k, v)
+		}
+		proxyStr = fmt.Sprintf("%s%s", proxyStr, base64.StdEncoding.EncodeToString([]byte(proxies)))
+		vm.CmdLine = append(vm.CmdLine, "-fw_cfg", proxyStr)
+	}
+
 	logrus.Debug(vm.CmdLine)
 	return vm, err
 }
