Added ifg.usr (cvm -> vhost migration, Fedora 31 upgrade).
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 5 Nov 2019 15:55:58 +0000 (16:55 +0100)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Tue, 5 Nov 2019 15:55:58 +0000 (16:55 +0100)
17 files changed:
sources/ifg.usr/config [new file with mode: 0644]
sources/ifg.usr/envvars [new file with mode: 0644]
sources/ifg.usr/firstboot/01_setupnetworking.sh [new file with mode: 0755]
sources/ifg.usr/firstboot/02_settimezone.sh [new file with mode: 0755]
sources/ifg.usr/firstboot/10_setupnftables.sh [new file with mode: 0755]
sources/ifg.usr/firstboot/99_cleanup.sh [new file with mode: 0755]
sources/ifg.usr/firstboot/nftables.config [new file with mode: 0644]
sources/ifg.usr/firstboot/traversal.txt [new file with mode: 0644]
sources/ifg.usr/postinstall/01_setownership.sh [new file with mode: 0755]
sources/ifg.usr/postinstall/02_setpermissions.sh [new file with mode: 0755]
sources/ifg.usr/postinstall/03_installfiles.sh [new file with mode: 0755]
sources/ifg.usr/postinstall/10_setupservices.sh [new file with mode: 0755]
sources/ifg.usr/postinstall/99_cleanup.sh [new file with mode: 0755]
sources/ifg.usr/postinstall/install/etc/hosts [new file with mode: 0644]
sources/ifg.usr/postinstall/install/etc/resolv.conf [new file with mode: 0644]
sources/ifg.usr/postinstall/install/etc/sysconfig/nftables.conf [new file with mode: 0644]
sources/ifg.usr/postinstall/install/etc/sysctl.d/01_ipforward.conf [new file with mode: 0644]

diff --git a/sources/ifg.usr/config b/sources/ifg.usr/config
new file mode 100644 (file)
index 0000000..2b075cb
--- /dev/null
@@ -0,0 +1,24 @@
+lxc.include = /usr/share/lxc/config/common.conf
+
+lxc.arch = x86_64
+lxc.uts.name = ifg.usr.user.hu
+lxc.rootfs.path = __CONTAINER_PATH__/rootfs
+lxc.mount.auto = proc:rw sys:ro
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = bri-dev
+lxc.net.0.hwaddr = 02:0c:18:03:6d:fe
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.link = brh-dev
+lxc.net.1.hwaddr = 02:0c:18:03:ad:01
+
+lxc.autodev = 1
+
+lxc.signal.halt = SIGRTMIN+4
+
+lxc.start.auto = 1
+lxc.start.order = 2
+lxc.start.delay = 3
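Review bot: Neither network block sets a guest-side interface name, while firstboot/01_setupnetworking.sh and firstboot/nftables.config expect the internal interface to be `ifg` and the perimeter one `eth0`; without `lxc.net.N.name` LXC hands the veths to the container under default ethN names, so `ifg` would only exist if something outside this commit renames it. Pinning the names here keeps the three files in agreement, e.g. `lxc.net.0.name = ifg` on whichever of `bri-dev`/`brh-dev` is the internal bridge and `lxc.net.1.name = eth0` on the perimeter one. A one-line comment above each block stating the bridge's role would make that mapping reviewable.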
diff --git a/sources/ifg.usr/envvars b/sources/ifg.usr/envvars
new file mode 100644 (file)
index 0000000..5eb2281
--- /dev/null
@@ -0,0 +1,4 @@
+DISTRIBUTION=Fedora
+DISTRIBUTION_VERSION=31
+BASE_PACKAGES="NetworkManager hostname initscripts iproute iputils logrotate rootfiles rsyslog tar vim-minimal"
+SPEC_PACKAGES="ethtool nftables radvd tcpdump"
diff --git a/sources/ifg.usr/firstboot/01_setupnetworking.sh b/sources/ifg.usr/firstboot/01_setupnetworking.sh
new file mode 100755 (executable)
index 0000000..3c31156
--- /dev/null
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active NetworkManager.service
+NM_RC=$?
+WAITED=0
+while [ $NM_RC -ne 0 ]
+do
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active NetworkManager.service
+    NM_RC=$?
+done
+[ $WAITED -eq 1 ] && echo
+
+# wait for two network connections
+CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+CYCLES_WAITED=0
+while [ $CONNECTION_DEVICES_UP -lt 2 ]
+do
+    if [ $CYCLES_WAITED -ge 10 ]
+    then
+        nmcli connection show
+        exit 1
+    fi
+    sleep 1
+    CYCLES_WAITED=$(( $CYCLES_WAITED + 1 ))
+    CONNECTION_DEVICES_UP=$(nmcli --terse connection show | grep -v ':$' | wc -l)
+done
+
+CONNECTIONS=$(nmcli --terse connection show | wc -l)
+while [ $CONNECTIONS -gt 0 ]
+do
+    CONNECTION_LINE=$(nmcli --terse connection show | head -n 1)
+    CONNECTION_UUID=$(echo $CONNECTION_LINE | cut -f 2 -d ':')
+    nmcli connection delete uuid "$CONNECTION_UUID"
+    CONNECTIONS=$(nmcli --terse connection show | wc -l)
+done
+
+INTERNAL_DEVICE=ifg
+PM_DEVICE=eth0
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id internal \
+    connection.interface-name $INTERNAL_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "10.228.109.254/16, 192.168.42.254/24, 192.168.43.254/24" \
+    ipv4.dns "10.228.109.104, 10.228.109.253" \
+    ipv4.dns-search "usr.user.hu" \
+    ipv4.method "manual" \
+    ipv4.routes "172.16.223.0/24 10.228.109.236, 10.162.104.0/24 10.228.109.236" \
+    save yes
+
+nmcli connection add \
+    connection.autoconnect yes \
+    connection.id perimeter \
+    connection.interface-name $PM_DEVICE \
+    connection.type 802-3-ethernet \
+    ipv4.addresses "192.168.173.1/24" \
+    ipv4.gateway "192.168.173.254" \
+    ipv4.method "manual" \
+    save yes
+
+nmcli connection show
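Review bot: The NetworkManager wait loop at the top never gives up, unlike the connection wait below it which exits after 10 cycles, so if the service fails to start the first boot hangs silently; the same unbounded loop is in 02_settimezone.sh for dbus.service. Counting iterations bounds it: `WAITED=$((WAITED + 1))` in the loop body, `[ $WAITED -ge 60 ] && exit 1` after the loop, and `[ $WAITED -ne 0 ] && echo` in place of the `-eq 1` test. The delete loop over `nmcli --terse connection show` has the same shape — if one `nmcli connection delete` fails the count never drops and it spins forever — so its exit status should end the loop with an error. `echo -n` under `#!/bin/sh` is also not portable to a POSIX sh; `printf '.'` is.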
diff --git a/sources/ifg.usr/firstboot/02_settimezone.sh b/sources/ifg.usr/firstboot/02_settimezone.sh
new file mode 100755 (executable)
index 0000000..20b2a71
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+
+sleep 1
+systemctl --quiet is-active dbus.service
+DBUS_RC=$?
+WAITED=0
+while [ $DBUS_RC -ne 0 ]
+do
+    if [ $WAITED -eq 0 ]
+    then
+        echo -n "Waiting for dbus.service"
+    fi
+    echo -n .
+    sleep 1
+    WAITED=1
+    systemctl --quiet is-active dbus.service
+    DBUS_RC=$?
+done
+[ $WAITED -ne 0 ] && echo
+timedatectl set-timezone Europe/Budapest
diff --git a/sources/ifg.usr/firstboot/10_setupnftables.sh b/sources/ifg.usr/firstboot/10_setupnftables.sh
new file mode 100755 (executable)
index 0000000..2f32506
--- /dev/null
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+
+REAL_PATH=$(realpath $(dirname $0))
+
+
+nft list ruleset
+nft list ruleset | grep ^table | sed 's/ {$//' | while read TABLE_SPEC
+do
+    nft flush $TABLE_SPEC
+    nft delete $TABLE_SPEC
+done
+
+nft --echo --file $REAL_PATH/nftables.config
+nft list ruleset >/etc/nftables/ifg.nft
+
+systemctl enable nftables.service
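Review bot: The status of `nft --echo --file $REAL_PATH/nftables.config` is not checked, so a syntax error in the config leaves the just-emptied ruleset in place and the next two lines then persist that empty ruleset to /etc/nftables/ifg.nft and enable nftables.service with it; `nft --echo --file "$REAL_PATH/nftables.config" || exit 1` closes that. The delete-then-load sequence is also not atomic: between the `nft delete` loop and the load every table is gone and the container runs unfiltered, and the only reason for the loop is that nftables.config uses `create table`, which refuses an existing table. Starting nftables.config with `flush ruleset` and loading it in a single `nft -f` replaces the ruleset in one transaction and makes the grep/sed/read loop unnecessary. The loop body itself should stay as it is, since `$TABLE_SPEC` relies on word splitting.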
diff --git a/sources/ifg.usr/firstboot/99_cleanup.sh b/sources/ifg.usr/firstboot/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
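Review bot: `echo rm -Rf $REAL_PATH` only prints the command, so this cleanup is a no-op and the firstboot directory, including nftables.config with its address definitions, stays on the container filesystem; postinstall/99_cleanup.sh is the identical script. If the dry run is deliberate for now, a comment such as `# dry run: drop the leading echo once the firstboot sequence is trusted` should say so; otherwise remove the `echo` and guard the expansion, `rm -Rf -- "${REAL_PATH:?}"`, so an empty path can never turn into a broad delete.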
diff --git a/sources/ifg.usr/firstboot/nftables.config b/sources/ifg.usr/firstboot/nftables.config
new file mode 100644 (file)
index 0000000..6694a10
--- /dev/null
@@ -0,0 +1,293 @@
+#!/usr/sbin/nft -f
+
+
+################################
+# interface definitions
+################################
+
+# internal interface
+define INTERNAL_IF = ifg
+
+# loopback interface
+define LOOPBACK_IF = lo
+
+# perimeter interface
+define PERIMETER_IF = eth0
+
+################################
+# address definitions
+################################
+
+# loopback address
+define LOOPBACK_IP = 127.0.0.1
+
+# public addresses
+define PUBLIC_EFG_IP       = 194.149.40.146
+define PUBLIC_MX_IP        = 194.149.40.147
+define PUBLIC_NS_IP        = 194.149.40.148
+define PUBLIC_VPN_IP       = 194.149.40.149
+define PUBLIC_WS_IP        = 194.149.40.150
+define PUBLIC_MINECRAFT_IP = 194.149.40.151
+define PUBLIC_IP_152       = 194.149.40.152
+define PUBLIC_IP_153       = 194.149.40.153
+define PUBLIC_IP_154       = 194.149.40.154
+define PUBLIC_IP_155       = 194.149.40.155
+define PUBLIC_IP_156       = 194.149.40.156
+define PUBLIC_RX300_IP     = 194.149.40.157
+define PUBLIC_DL360E_IP    = 194.149.40.158
+
+define PUBLIC_IP_194 = 84.2.25.194
+define PUBLIC_IP_195 = 84.2.25.195
+define PUBLIC_IP_196 = 84.2.25.196
+define PUBLIC_IP_197 = 84.2.25.197
+define PUBLIC_IP_198 = 84.2.25.198
+define PUBLIC_IP_199 = 84.2.25.199
+define PUBLIC_IP_200 = 84.2.25.200
+define PUBLIC_IP_201 = 84.2.25.201
+define PUBLIC_IP_202 = 84.2.25.202
+define PUBLIC_IP_203 = 84.2.25.203
+define PUBLIC_IP_204 = 84.2.25.204
+define PUBLIC_IP_205 = 84.2.25.205
+define PUBLIC_IP_206 = 84.2.25.206
+
+# efg address (perimeter network)
+define EFG_PERIMETER_IP = 192.168.173.254
+
+# service address (perimeter network)
+#define SVC_PERIMETER_IP = 192.168.173.253
+
+# transfer web server address (perimeter network)
+define XFR_PERIMETER_IP = 192.168.173.251
+
+# subversion address (perimeter network)
+#define SVN_PERIMETER_IP = 192.168.173.250
+
+# web server address (perimeter network)
+define WS_PERIMETER_IP = 192.168.173.249
+
+# perimeter name server address (perimeter network)
+define PNS_PERIMETER_IP = 192.168.173.174
+
+# external name server address (perimeter network)
+define ENS_PERIMETER_IP = 192.168.173.64
+
+# ifg address (perimeter network)
+define IFG_PERIMETER_IP = 192.168.173.1
+
+# ifg addresses (internal network)
+define IFG_USR_IP = 10.228.109.254
+define IFG_SR_IP = 192.168.42.254
+define IFG_IN_IP = 192.168.43.254
+
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IP = 10.228.62.193
+
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IP = 10.228.109.133
+
+# store address (internal network)
+define STORE_INTERNAL_IP = 10.228.109.250
+
+# service address (internal network)
+define SVC_INTERNAL_IP = 10.228.109.253
+
+# vpn address (internal network)
+define VPN_INTERNAL_IP = 10.228.109.236
+
+# primary name server address (internal network)
+define PNS_INTERNAL_IP = 10.228.109.174
+
+# internal name server address (internal network)
+define INS_INTERNAL_IP = 10.228.109.104
+
+# worksheet address (internal network)
+define WORKSHEET_SR_IP = 192.168.42.248
+
+################################
+# network definitions
+################################
+
+# internal networks
+define USR_NET = 10.228.0.0/16
+define SR_NET = 192.168.42.0/24
+define IN_NET = 192.168.43.0/24
+define INTERNAL_NETS = { $USR_NET, $SR_NET, $IN_NET }
+
+# perimeter network
+define PERIMETER_NET = 192.168.173.0/24
+
+# vpn client network
+define VPN_NET = 172.16.223.0/24
+
+# peep-bo network
+define PEEP_BO_NET = 10.162.104.0/24
+
+################################
+# port definitions
+################################
+
+#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define WS_PORTS = { 80, 443 }
+
+
+################################
+# reset nftables
+################################
+
+create table inet ifg_filter
+create table ip ifg_nat
+
+create chain inet ifg_filter input { type filter hook input priority 0; policy drop; }
+create chain inet ifg_filter forward { type filter hook forward priority 0; policy drop; }
+create chain inet ifg_filter output { type filter hook output priority 0; policy drop; }
+create chain ip ifg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
+
+
+################################
+# NAT prerouting rules
+################################
+
+add rule ip ifg_nat prerouting \
+    ip protocol tcp \
+    iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
+    ip daddr $PUBLIC_WS_IP tcp dport $WS_PORTS \
+    counter dnat $WS_PERIMETER_IP comment "Webserver access"
+
+
+################################
+# FILTER input rules
+################################
+
+add rule inet ifg_filter input \
+    ct state established \
+    ip protocol udp \
+    iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp sport 53 \
+    ip daddr $IFG_USR_IP udp dport 1024-65535 \
+    counter accept comment "DNS replies"
+
+add rule inet ifg_filter input \
+    ip protocol icmp \
+    counter accept comment "ICMP"
+
+add rule inet ifg_filter input \
+    counter log prefix "INPUT"
+
+
+################################
+# FILTER forward rules
+################################
+
+add rule inet ifg_filter forward \
+    ct state established, related \
+    iifname $PERIMETER_IF \
+    oifname $INTERNAL_IF ip daddr $INTERNAL_NETS \
+    counter accept comment "Established sessions"
+
+add rule inet ifg_filter forward \
+    iifname $INTERNAL_IF ip saddr $INTERNAL_NETS \
+    oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
+    counter accept comment "Internet access"
+
+add rule inet ifg_filter forward \
+    ct state new, established \
+    ip protocol tcp \
+    iifname $INTERNAL_IF ip saddr $INTERNAL_NETS tcp sport 1024-65535 \
+    oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport $WS_PORTS \
+    counter accept comment "Webserver access"
+
+add rule inet ifg_filter forward \
+    ct state new \
+    ip protocol udp \
+    iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP udp sport 1024-65535 \
+    oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } udp dport 53 \
+    counter accept comment "DNS zone notification"
+
+add rule inet ifg_filter forward \
+    ct state new \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp sport 1024-65535 \
+    oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IP tcp dport 53 \
+    counter accept comment "DNS zone transfer requests"
+
+add rule inet ifg_filter forward \
+    ct state established \
+    ip protocol tcp \
+    iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IP tcp sport 53 \
+    oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IP, $PNS_PERIMETER_IP } tcp dport 1024-65535 \
+    counter accept comment "DNS zone transfer replies"
+
+add rule inet ifg_filter forward \
+    ip protocol udp \
+    iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \
+    oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IP udp dport 1194 \
+    counter accept comment "Incoming VPN traffic"
+
+add rule inet ifg_filter forward \
+    iifname $INTERNAL_IF \
+    oifname $INTERNAL_IF \
+    counter accept comment "Internal traffic"
+
+add rule inet ifg_filter forward \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+    oifname $INTERNAL_IF ip daddr $DVREDMINE_INTERNAL_IP tcp dport 80 \
+    counter accept comment "Redmine requests"
+
+add rule inet ifg_filter forward \
+    ct state established \
+    ip protocol tcp \
+    iifname $INTERNAL_IF ip saddr $DVREDMINE_INTERNAL_IP tcp sport 80 \
+    oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+    counter accept comment "Redmine replies"
+
+add rule inet ifg_filter forward \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+    oifname $INTERNAL_IF ip daddr $MINICRM_INTERNAL_IP tcp dport 8080 \
+    counter accept comment "MiniCRM requests"
+
+add rule inet ifg_filter forward \
+    ct state established \
+    ip protocol tcp \
+    iifname $INTERNAL_IF ip saddr $MINICRM_INTERNAL_IP tcp sport 8080 \
+    oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+    counter accept comment "MiniCRM replies"
+
+add rule inet ifg_filter forward \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IP tcp sport 1024-65535 \
+    oifname $INTERNAL_IF ip daddr $WORKSHEET_SR_IP tcp dport 8079 \
+    counter accept comment "Worksheet requests"
+
+add rule inet ifg_filter forward \
+    ct state established \
+    ip protocol tcp \
+    iifname $INTERNAL_IF ip saddr $WORKSHEET_SR_IP tcp sport 8079 \
+    oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IP tcp dport 1024-65535 \
+    counter accept comment "Worksheet replies"
+
+add rule inet ifg_filter forward \
+    ip protocol icmp \
+    counter accept comment "ICMP"
+
+add rule inet ifg_filter forward \
+    counter log prefix "FORWARD"
+
+
+################################
+# FILTER output rules
+################################
+
+add rule inet ifg_filter output \
+    ct state new \
+    ip protocol udp \
+    ip saddr $IFG_USR_IP udp sport 1024-65535 \
+    oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IP, $SVC_INTERNAL_IP } udp dport 53 \
+    counter accept comment "DNS requests"
+
+add rule inet ifg_filter output \
+    ip protocol icmp \
+    counter accept comment "ICMP"
+
+add rule inet ifg_filter output \
+    counter log prefix "OUTPUT"
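Review bot: `LOOPBACK_IF` and `LOOPBACK_IP` are defined but never used, and with `policy drop` on both input and output there is no rule accepting loopback traffic, so anything the container talks to over 127.0.0.1 is dropped and lands in the INPUT/OUTPUT log; `add rule inet ifg_filter input iifname $LOOPBACK_IF counter accept comment "Loopback"` and the matching `oifname $LOOPBACK_IF` rule in output are the usual first rules. The three catch-all `log` rules have no rate limit, so a scan or a misbehaving client can flood the journal; a `limit rate 5/minute` match in front of each `log` bounds that, and a trailing space in the prefixes (`"INPUT "`) keeps the kernel's log fields readable. IPv6 is not addressed: every rule matches `ip ...`, so in this `inet` table ICMPv6 and neighbour discovery fall through to the drop policy — intended or not, a comment at the top should say so, and if IPv6 is meant to be off, `ipv6.method disabled` on the two connections in 01_setupnetworking.sh makes it explicit.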
diff --git a/sources/ifg.usr/firstboot/traversal.txt b/sources/ifg.usr/firstboot/traversal.txt
new file mode 100644 (file)
index 0000000..97ebf2d
--- /dev/null
@@ -0,0 +1,53 @@
+###############################
+ chain traversal
+ for all tables
+###############################
+
+                   NETWORK
+                      |
+                ______v_____
+               /    raw     \
+               | PREROUTING |
+               \____________/
+                      |
+  ________      ______v_____
+ / mangle \    /   mangle   \
+ | INPUT  |<-  | PREROUTING |
+ \________/  | \____________/
+      |      |        |
+  ____v___   |  ______v_____
+ / filter \  | /    nat     \
+ | INPUT  |  | | PREROUTING |
+ \________/  | \____________/
+      |      |        |
+  ____v____  |    ____v___
+ |         | |   /        \
+ |  local  | |__/ routing  \__________
+ | process |    \ decision /          |
+ |_________|     \________/       ____v____
+      |                          / mangle  \
+   ___v____                      | FORWARD |
+  /        \                     \_________/
+ / routing  \                         |
+ \ decision /                     ____v____
+  \________/                     / filter  \
+      |                          | FORWARD |
+  ____v___        ________       \_________/
+ /  raw   \      /        \           |
+ | OUTPUT |     / routing  \          |
+ \________/   ->\ decision /<---------
+      |      |   \________/
+  ____v___   |        |
+ / mangle \  |  ______v______
+ | OUTPUT |  | /   mangle    \
+ \________/  | | POSTROUTING |
+      |      | \_____________/
+  ____v___   |        |
+ /  nat   \  |  ______v______
+ | OUTPUT |  | /     nat     \
+ \________/  | | POSTROUTING |
+      |      | \_____________/
+  ____v___   |        |
+ / filter \  |        v
+ | OUTPUT |--      NETWORK
+ \________/
diff --git a/sources/ifg.usr/postinstall/01_setownership.sh b/sources/ifg.usr/postinstall/01_setownership.sh
new file mode 100755 (executable)
index 0000000..f2e6b94
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
+
+chown -R root.root $SOURCE_PATH/*
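Review bot: `chown -R root.root $SOURCE_PATH/*` uses the `user.group` separator that coreutils has deprecated in favour of `user:group`, and the unquoted glob skips dot-files directly under install/ and splits on whitespace. `chown -R root:root -- "$SOURCE_PATH"` covers the whole tree in one call; the install/ directory itself is stripped by `--strip-components=1` in 03_installfiles.sh, so owning it does no harm. A one-line header comment noting that this runs before the tar copy in 03_installfiles.sh, so the extracted files carry root ownership, would explain why the step exists.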
diff --git a/sources/ifg.usr/postinstall/02_setpermissions.sh b/sources/ifg.usr/postinstall/02_setpermissions.sh
new file mode 100755 (executable)
index 0000000..241386a
--- /dev/null
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+SOURCE_PATH=$REAL_PATH/install
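Review bot: This script only computes `REAL_PATH` and `SOURCE_PATH` and then exits, so no permissions are adjusted and the files under install/ are copied with whatever mode the checkout gave them (0644 for all four per the diffstat). If it is a placeholder, say so with a comment such as `# no permission changes needed yet; modes come from the checkout (see 03_installfiles.sh)`; otherwise add the chmod calls or drop the file so the numbered sequence does not advertise a step that does not happen.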
diff --git a/sources/ifg.usr/postinstall/03_installfiles.sh b/sources/ifg.usr/postinstall/03_installfiles.sh
new file mode 100755 (executable)
index 0000000..f190caf
--- /dev/null
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+tar --create \
+    --directory=$REAL_PATH \
+    --to-stdout \
+    install \
+    | tar --extract \
+          --backup \
+          --directory=/ \
+          --no-overwrite-dir \
+          --strip-components=1 \
+          --suffix=.orig
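Review bot: Under `#!/bin/sh` there is no pipefail, so the pipeline's status is that of the extracting tar alone: if the creating tar fails (missing install directory, bad `$REAL_PATH`) the extractor reads an empty stream, succeeds, and the step reports success without installing anything. Checking the source first, `[ -d "$REAL_PATH/install" ] || exit 1`, and quoting `--directory="$REAL_PATH"` closes the obvious gap. `--to-stdout` is an extraction option (`-O`); the archive presumably reaches stdout here only because this tar build defaults its archive to stdin/stdout, so `--file=-` on the create side states the intent explicitly.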
diff --git a/sources/ifg.usr/postinstall/10_setupservices.sh b/sources/ifg.usr/postinstall/10_setupservices.sh
new file mode 100755 (executable)
index 0000000..5250ed4
--- /dev/null
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+
+#systemctl enable iptables.service
+systemctl enable NetworkManager-wait-online.service
+
+systemctl mask wpa_supplicant.service
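Review bot: The commented-out `#systemctl enable iptables.service` looks like a leftover from an iptables-based setup; nftables.service is now enabled at first boot by firstboot/10_setupnftables.sh, so the stale line should go or be replaced by a comment pointing there, e.g. `# nftables.service is enabled at first boot once the ruleset has been generated (firstboot/10_setupnftables.sh)`. A short header stating why wpa_supplicant.service is masked (no wireless in the container, presumably) would also help the next reader.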
diff --git a/sources/ifg.usr/postinstall/99_cleanup.sh b/sources/ifg.usr/postinstall/99_cleanup.sh
new file mode 100755 (executable)
index 0000000..b87f2f4
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+
+REAL_PATH=$(dirname $(realpath $0))
+
+echo rm -Rf $REAL_PATH
diff --git a/sources/ifg.usr/postinstall/install/etc/hosts b/sources/ifg.usr/postinstall/install/etc/hosts
new file mode 100644 (file)
index 0000000..98645cf
--- /dev/null
@@ -0,0 +1,6 @@
+127.0.0.1      localhost.localdomain localhost localhost4.localdomain4 localhost4
+::1            localhost6.localdomain6 localhost6
+
+10.228.109.254 ifg.usr.user.hu ifg
+192.168.42.254 ifg.sr.user.hu
+192.168.43.254 ifg.in.user.hu
diff --git a/sources/ifg.usr/postinstall/install/etc/resolv.conf b/sources/ifg.usr/postinstall/install/etc/resolv.conf
new file mode 100644 (file)
index 0000000..656e3f2
--- /dev/null
@@ -0,0 +1,4 @@
+nameserver 10.228.109.253
+nameserver 10.228.109.104
+domain usr.user.hu
+search usr.user.hu
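Review bot: `domain` and `search` are mutually exclusive in resolv.conf(5) — when both appear the last one wins — so the `domain usr.user.hu` line is dead and should be dropped rather than suggest it adds anything. The `internal` connection created in 01_setupnetworking.sh also carries `ipv4.dns` and `ipv4.dns-search`, and NetworkManager by default rewrites /etc/resolv.conf from connection data, so this installed file is presumably replaced at first boot; if it is only a bootstrap default for the window before NetworkManager runs, a `#` comment saying so would stop someone editing it in the expectation of a lasting effect.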
diff --git a/sources/ifg.usr/postinstall/install/etc/sysconfig/nftables.conf b/sources/ifg.usr/postinstall/install/etc/sysconfig/nftables.conf
new file mode 100644 (file)
index 0000000..a6d184f
--- /dev/null
@@ -0,0 +1 @@
+include "/etc/nftables/ifg.nft"
diff --git a/sources/ifg.usr/postinstall/install/etc/sysctl.d/01_ipforward.conf b/sources/ifg.usr/postinstall/install/etc/sysctl.d/01_ipforward.conf
new file mode 100644 (file)
index 0000000..05b3f78
--- /dev/null
@@ -0,0 +1 @@
+net.ipv4.conf.all.forwarding = 1