diff options
| -rw-r--r-- | debian/changelog | 12 | ||||
| -rw-r--r-- | doc/forum/Using_ip_address_in_a_container/comment_1_f14578affbfdb771a74a30f535b9e9a0._comment | 32 | ||||
| -rw-r--r-- | src/Propellor/Info.hs | 22 | ||||
| -rw-r--r-- | src/Propellor/Property/Dns.hs | 6 | ||||
| -rw-r--r-- | src/Propellor/Spin.hs | 2 | ||||
| -rw-r--r-- | src/Propellor/Types/Dns.hs | 33 |
6 files changed, 91 insertions, 16 deletions
diff --git a/debian/changelog b/debian/changelog index 70c95f35..8265f777 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +propellor (4.9.0) UNRELEASED; urgency=medium + + * When the ipv4 and ipv6 properties are used with a container, avoid + propagating the address out to the host. + * DnsInfo has been replaced with DnsInfoPropagated and + DnsInfoUnpropagated. (API change) + * Code that used fromDnsInfo . fromInfo changes to use getDnsInfo. + * addDNS takes an additional Bool parameter to control whether + the DNS info should propagate out of containers. (API change) + + -- Joey Hess <id@joeyh.name> Wed, 04 Oct 2017 12:46:23 -0400 + propellor (4.8.1) unstable; urgency=medium * Borg: Fix propigation of exit status of borg backup. diff --git a/doc/forum/Using_ip_address_in_a_container/comment_1_f14578affbfdb771a74a30f535b9e9a0._comment b/doc/forum/Using_ip_address_in_a_container/comment_1_f14578affbfdb771a74a30f535b9e9a0._comment new file mode 100644 index 00000000..4c88c808 --- /dev/null +++ b/doc/forum/Using_ip_address_in_a_container/comment_1_f14578affbfdb771a74a30f535b9e9a0._comment @@ -0,0 +1,32 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2017-10-04T16:08:14Z" + content=""" +I'd also like to use systemd-nspawn with its own network in the container. +Have not worked through all the necessary config, which seems fairly +complicated on the systemd side. Examples of how to do that with propellor +would be great to have! + +(There's a partial example in the haddock for +Systemd.publish, which uses networkd to auto-configure a private network, +but IIRC that is missing some routing/masqerading to let the +container access the internet.) + +As for `alias` and `ipv4` properties, when used in a container, their info +does get propagated out to the info of the host as of propellor 4.8.1. +That was done because it's sometimes useful to have an `alias` be part +of a container's configuration and get the DNS server automatically +configured with that alias pointing at the host(s) that have the container. + +I agree it does not make sense for `ipv4`/`ipv6` used in a container +to propagate out. I've changed propellor to not do that any longer, +and allow controlling whether any given DNS info should propagate or not. + +As for the hostname, it's not currently part of the Info system, +and so there's no risk of a container overriding its Host's name. +Things like Hostname.sane that look at the hostname will see the parent +host's name. Hostname.setTo should work in a container to give it +its own name. (At some point it would probably be worth moving hostnames +into Info to avoid the extra complication..) +"""]] diff --git a/src/Propellor/Info.hs b/src/Propellor/Info.hs index ed6c2d85..fd295aa3 100644 --- a/src/Propellor/Info.hs +++ b/src/Propellor/Info.hs @@ -128,11 +128,11 @@ getOS = fromInfoVal <$> askInfo -- if the host's IP Property matches the DNS. If the DNS is missing or -- out of date, the host will instead be contacted directly by IP address. ipv4 :: String -> Property (HasInfo + UnixLike) -ipv4 = addDNS . Address . IPv4 +ipv4 = addDNS False . Address . IPv4 -- | Indicate that a host has an AAAA record in the DNS. ipv6 :: String -> Property (HasInfo + UnixLike) -ipv6 = addDNS . Address . IPv6 +ipv6 = addDNS False . Address . IPv6 -- | Indicates another name for the host in the DNS. -- @@ -145,11 +145,21 @@ alias d = pureInfoProperty' ("alias " ++ d) $ mempty `addInfo` toAliasesInfo [d] -- A CNAME is added here, but the DNS setup code converts it to an -- IP address when that makes sense. - `addInfo` (toDnsInfo $ S.singleton $ CNAME $ AbsDomain d) + `addInfo` (toDnsInfoPropagated $ S.singleton $ CNAME $ AbsDomain d) -addDNS :: Record -> Property (HasInfo + UnixLike) -addDNS r = pureInfoProperty (rdesc r) (toDnsInfo (S.singleton r)) +-- | Add a DNS Record. +addDNS + :: Bool + -- ^ When used in a container, the DNS info will only + -- propagate out the the Host when this is True. + -> Record + -> Property (HasInfo + UnixLike) +addDNS prop r + | prop = pureInfoProperty (rdesc r) (toDnsInfoPropagated s) + | otherwise = pureInfoProperty (rdesc r) (toDnsInfoUnpropagated s) where + s = S.singleton r + rdesc (CNAME d) = unwords ["alias", ddesc d] rdesc (Address (IPv4 addr)) = unwords ["ipv4", addr] rdesc (Address (IPv6 addr)) = unwords ["ipv6", addr] @@ -182,7 +192,7 @@ findAlias :: [Host] -> HostName -> Maybe Host findAlias l hn = M.lookup hn (aliasMap l) getAddresses :: Info -> [IPAddr] -getAddresses = mapMaybe getIPAddr . S.toList . fromDnsInfo . fromInfo +getAddresses = mapMaybe getIPAddr . S.toList . getDnsInfo hostAddresses :: HostName -> [Host] -> [IPAddr] hostAddresses hn hosts = maybe [] (getAddresses . hostInfo) (findHost hosts hn) diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs index 889aece5..d99a76b0 100644 --- a/src/Propellor/Property/Dns.hs +++ b/src/Propellor/Property/Dns.hs @@ -468,7 +468,7 @@ genZone inzdomain hostmap zdomain soa = -- So we can just use the IPAddrs. addcnames :: Host -> [Either WarningMessage (BindDomain, Record)] addcnames h = concatMap gen $ filter (inDomain zdomain) $ - mapMaybe getCNAME $ S.toList $ fromDnsInfo $ fromInfo info + mapMaybe getCNAME $ S.toList $ getDnsInfo info where info = hostInfo h gen c = case getAddresses info of @@ -483,7 +483,7 @@ genZone inzdomain hostmap zdomain soa = where info = hostInfo h l = zip (repeat $ AbsDomain $ hostName h) - (S.toList $ S.filter (\r -> isNothing (getIPAddr r) && isNothing (getCNAME r)) (fromDnsInfo $ fromInfo info)) + (S.toList $ S.filter (\r -> isNothing (getIPAddr r) && isNothing (getCNAME r)) (getDnsInfo info)) -- Simplifies the list of hosts. Remove duplicate entries. -- Also, filter out any CHAMES where the same domain has an @@ -531,7 +531,7 @@ genSSHFP domain h = concatMap mk . concat <$> (gen =<< get) gen = liftIO . mapM genSSHFP' . M.elems . fromMaybe M.empty mk r = mapMaybe (\d -> if inDomain domain d then Just (d, r) else Nothing) (AbsDomain hostname : cnames) - cnames = mapMaybe getCNAME $ S.toList $ fromDnsInfo $ fromInfo info + cnames = mapMaybe getCNAME $ S.toList $ getDnsInfo info hostname = hostName h info = hostInfo h diff --git a/src/Propellor/Spin.hs b/src/Propellor/Spin.hs index aeaa4643..88d2b473 100644 --- a/src/Propellor/Spin.hs +++ b/src/Propellor/Spin.hs @@ -173,7 +173,7 @@ getSshTarget target hst return ip configips = map val $ mapMaybe getIPAddr $ - S.toList $ fromDnsInfo $ fromInfo $ hostInfo hst + S.toList $ getDnsInfo $ hostInfo hst -- Update the privdata, repo url, and git repo over the ssh -- connection, talking to the user's local propellor instance which is diff --git a/src/Propellor/Types/Dns.hs b/src/Propellor/Types/Dns.hs index 87756d81..513f162a 100644 --- a/src/Propellor/Types/Dns.hs +++ b/src/Propellor/Types/Dns.hs @@ -1,4 +1,5 @@ {-# LANGUAGE DeriveDataTypeable, GeneralizedNewtypeDeriving #-} +{-# LANGUAGE FlexibleInstances #-} module Propellor.Types.Dns where @@ -36,17 +37,37 @@ toAliasesInfo l = AliasesInfo (S.fromList l) fromAliasesInfo :: AliasesInfo -> [HostName] fromAliasesInfo (AliasesInfo s) = S.toList s -newtype DnsInfo = DnsInfo { fromDnsInfo :: S.Set Record } +-- | Use this for DNS Info that should propagate from a container to a +-- host. For example, this can be used for CNAME to make aliases +-- of the containers in the host be reflected in the DNS. +newtype DnsInfoPropagated = DnsInfoPropagated + { fromDnsInfoPropagated :: S.Set Record } deriving (Show, Eq, Ord, Monoid, Typeable) -toDnsInfo :: S.Set Record -> DnsInfo -toDnsInfo = DnsInfo +toDnsInfoPropagated :: S.Set Record -> DnsInfoPropagated +toDnsInfoPropagated = DnsInfoPropagated --- | DNS Info is propagated, so that eg, aliases of a container --- are reflected in the dns for the host where it runs. -instance IsInfo DnsInfo where +instance IsInfo DnsInfoPropagated where propagateInfo _ = PropagateInfo True +-- | Use this for DNS Info that should not propagate from a container to a +-- host. For example, an IP address of a container should not influence +-- the host. +newtype DnsInfoUnpropagated = DnsInfoUnpropagated + { fromDnsInfoUnpropagated :: S.Set Record } + deriving (Show, Eq, Ord, Monoid, Typeable) + +toDnsInfoUnpropagated :: S.Set Record -> DnsInfoUnpropagated +toDnsInfoUnpropagated = DnsInfoUnpropagated + +-- | Get all DNS Info. +getDnsInfo :: Info -> S.Set Record +getDnsInfo i = fromDnsInfoUnpropagated (fromInfo i) + `S.union` fromDnsInfoPropagated (fromInfo i) + +instance IsInfo DnsInfoUnpropagated where + propagateInfo _ = PropagateInfo False + -- | Represents a bind 9 named.conf file. data NamedConf = NamedConf { confDomain :: Domain |