Merge pull request #3892 from cevich/google_vpc

Cirrus: Block CNI use of google VPCs
2019-08-28 13:03:51 -07:00 · 2019-08-28 13:03:51 -07:00 · 9926a299f7
parent bdf9e56813 e06f17f580
commit 9926a299f7
3 changed files with 33 additions and 9 deletions
--- a/contrib/cirrus/99-do-not-use-google-subnets.conflist
+++ b/contrib/cirrus/99-do-not-use-google-subnets.conflist
@ -0,0 +1,21 @@
+{
+    "cniVersion": "0.4.0",
+    "name": "do-not-use-google-subnets",
+    "plugins": [
+        {
+            "type": "bridge",
+            "name": "do-not-use-google-subnets",
+            "bridge": "do-not-use-google-subnets",
+            "ipam": {
+                "type": "host-local",
+                "ranges": [
+                    [
+                        {
+                            "subnet": "10.128.0.0/9"
+                        }
+                    ]
+                ]
+            }
+        }
+    ]
+}
--- a/contrib/cirrus/lib.sh
+++ b/contrib/cirrus/lib.sh
@ -321,13 +321,15 @@ EOF

 install_test_configs(){
    echo "Installing cni config, policy and registry config"
-    req_env_var GOSRC
-    sudo install -D -m 755 $GOSRC/cni/87-podman-bridge.conflist \
-                           /etc/cni/net.d/87-podman-bridge.conflist
-    sudo install -D -m 755 $GOSRC/test/policy.json \
-                           /etc/containers/policy.json
-    sudo install -D -m 755 $GOSRC/test/registries.conf \
-                           /etc/containers/registries.conf
+    req_env_var GOSRC SCRIPT_BASE
+    cd $GOSRC
+    install -v -D -m 644 ./cni/87-podman-bridge.conflist /etc/cni/net.d/
+    # This config must always sort last in the list of networks (podman picks first one
+    # as the default).  This config prevents allocation of network address space used
+    # by default in google cloud.  https://cloud.google.com/vpc/docs/vpc#ip-ranges
+    install -v -D -m 644 $SCRIPT_BASE/99-do-not-use-google-subnets.conflist /etc/cni/net.d/
+    install -v -D -m 644 ./test/policy.json /etc/containers/
+    install -v -D -m 644 ./test/registries.conf /etc/containers/
 }

 # Remove all files (except conmon, for now) provided by the distro version of podman.
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@ -61,8 +61,7 @@ esac
 # Reload to incorporate any changes from above
 source "$SCRIPT_BASE/lib.sh"

-install_test_configs
-
+# Must execute before possible setup_rootless()
 make install.tools

 case "$SPECIALMODE" in
@ -97,3 +96,5 @@ case "$SPECIALMODE" in
    *)
        die 111 "Unsupported \$SPECIALMODE: $SPECIALMODE"
 esac
+
+install_test_configs