From fbf6e4d9a5bfb3f843a9c4a17366be9c70338c3b Mon Sep 17 00:00:00 2001
From: jonct <2807816+jonct@users.noreply.github.com>
Date: Mon, 15 Jul 2024 03:35:00 -0400
Subject: [PATCH] Extract default configuration data

---
 src/jlmkr/donor/data.py | 70 ++++++++++++++++++++++++++++++++
 src/jlmkr/donor/jlmkr.py | 65 -----------------------------
 src/jlmkr/utils/config_parser.py | 2 +-
 3 files changed, 71 insertions(+), 66 deletions(-)
 create mode 100644 src/jlmkr/donor/data.py

diff --git a/src/jlmkr/donor/data.py b/src/jlmkr/donor/data.py
new file mode 100644
index 0000000..f230f0d
--- /dev/null
+++ b/src/jlmkr/donor/data.py
@@ -0,0 +1,70 @@
+# SPDX-FileCopyrightText: © 2024 Jip-Hop and the Jailmakers
+#
+# SPDX-License-Identifier: LGPL-3.0-only
+
+
+DEFAULT_CONFIG = """startup=0
+gpu_passthrough_intel=0
+gpu_passthrough_nvidia=0
+# Turning off seccomp filtering improves performance at the expense of security
+seccomp=1
+
+# Below you may add additional systemd-nspawn flags behind systemd_nspawn_user_args=
+# To mount host storage in the jail, you may add: --bind='/mnt/pool/dataset:/home'
+# To readonly mount host storage, you may add: --bind-ro=/etc/certificates
+# To use macvlan networking add: --network-macvlan=eno1 --resolv-conf=bind-host
+# To use bridge networking add: --network-bridge=br1 --resolv-conf=bind-host
+# Ensure to change eno1/br1 to the interface name you want to use
+# To allow syscalls required by docker add: --system-call-filter='add_key keyctl bpf'
+systemd_nspawn_user_args=
+
+# Specify command/script to run on the HOST before starting the jail
+# For example to load kernel modules and config kernel settings
+pre_start_hook=
+# pre_start_hook=#!/usr/bin/bash
+# set -euo pipefail
+# echo 'PRE_START_HOOK_EXAMPLE'
+# echo 1 > /proc/sys/net/ipv4/ip_forward
+# modprobe br_netfilter
+# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
+# echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
+
+# Specify command/script to run on the HOST after starting the jail
+# For example to attach to multiple bridge interfaces
+# when using --network-veth-extra=ve-myjail-1:veth1
+post_start_hook=
+# post_start_hook=#!/usr/bin/bash
+# set -euo pipefail
+# echo 'POST_START_HOOK_EXAMPLE'
+# ip link set dev ve-myjail-1 master br2
+# ip link set dev ve-myjail-1 up
+
+# Specify a command/script to run on the HOST after stopping the jail
+post_stop_hook=
+# post_stop_hook=echo 'POST_STOP_HOOK_EXAMPLE'
+
+# Only used while creating the jail
+distro=debian
+release=bookworm
+
+# Specify command/script to run IN THE JAIL on the first start (once networking is ready in the jail)
+# Useful to install packages on top of the base rootfs
+initial_setup=
+# initial_setup=bash -c 'apt-get update && apt-get -y upgrade'
+
+# Usually no need to change systemd_run_default_args
+systemd_run_default_args=--collect
+ --property=Delegate=yes
+ --property=RestartForceExitStatus=133
+ --property=SuccessExitStatus=133
+ --property=TasksMax=infinity
+ --property=Type=notify
+ --setenv=SYSTEMD_NSPAWN_LOCK=0
+ --property=KillMode=mixed
+
+# Usually no need to change systemd_nspawn_default_args
+systemd_nspawn_default_args=--bind-ro=/sys/module
+ --boot
+ --inaccessible=/sys/module/apparmor
+ --quiet
+ --keep-unit"""
diff --git a/src/jlmkr/donor/jlmkr.py b/src/jlmkr/donor/jlmkr.py
index b63de9a..1f866dc 100755
--- a/src/jlmkr/donor/jlmkr.py
+++ b/src/jlmkr/donor/jlmkr.py
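Review bot: data.py is a new module whose only content is the DEFAULT_CONFIG string, yet it carries no docstring saying what consumes the string or that its layout is load-bearing; config_parser.py feeds it to configparser, so the indented continuation lines under systemd_run_default_args and systemd_nspawn_default_args are part of the value and must not be reflowed. The template's comments say the pre_start_hook/post_start_hook/post_stop_hook values run on the HOST, but not the consequence: whoever can write a jail's config can run arbitrary commands outside the jail, presumably with the privileges of the jlmkr process (not visible here). I would add a module docstring above the constant, `"""Default per-jail config template, parsed with configparser by utils/config_parser.py; leading whitespace on the systemd_*_default_args continuation lines is significant."""`, and one line to the hook section, `# NOTE: hook commands execute outside the jail; anyone who can edit this file can run commands on the host`. The `--system-call-filter='add_key keyctl bpf'` example deserves the same kind of caveat the seccomp comment already carries, since it deliberately widens the set of host-kernel syscalls the jail may reach.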
@@ -30,71 +30,6 @@ from inspect import cleandoc
 from pathlib import Path, PurePath
 from textwrap import dedent
-DEFAULT_CONFIG = """startup=0
-gpu_passthrough_intel=0
-gpu_passthrough_nvidia=0
-# Turning off seccomp filtering improves performance at the expense of security
-seccomp=1
-
-# Below you may add additional systemd-nspawn flags behind systemd_nspawn_user_args=
-# To mount host storage in the jail, you may add: --bind='/mnt/pool/dataset:/home'
-# To readonly mount host storage, you may add: --bind-ro=/etc/certificates
-# To use macvlan networking add: --network-macvlan=eno1 --resolv-conf=bind-host
-# To use bridge networking add: --network-bridge=br1 --resolv-conf=bind-host
-# Ensure to change eno1/br1 to the interface name you want to use
-# To allow syscalls required by docker add: --system-call-filter='add_key keyctl bpf'
-systemd_nspawn_user_args=
-
-# Specify command/script to run on the HOST before starting the jail
-# For example to load kernel modules and config kernel settings
-pre_start_hook=
-# pre_start_hook=#!/usr/bin/bash
-# set -euo pipefail
-# echo 'PRE_START_HOOK_EXAMPLE'
-# echo 1 > /proc/sys/net/ipv4/ip_forward
-# modprobe br_netfilter
-# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
-# echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
-
-# Specify command/script to run on the HOST after starting the jail
-# For example to attach to multiple bridge interfaces
-# when using --network-veth-extra=ve-myjail-1:veth1
-post_start_hook=
-# post_start_hook=#!/usr/bin/bash
-# set -euo pipefail
-# echo 'POST_START_HOOK_EXAMPLE'
-# ip link set dev ve-myjail-1 master br2
-# ip link set dev ve-myjail-1 up
-
-# Specify a command/script to run on the HOST after stopping the jail
-post_stop_hook=
-# post_stop_hook=echo 'POST_STOP_HOOK_EXAMPLE'
-
-# Only used while creating the jail
-distro=debian
-release=bookworm
-
-# Specify command/script to run IN THE JAIL on the first start (once networking is ready in the jail)
-# Useful to install packages on top of the base rootfs
-initial_setup=
-# initial_setup=bash -c 'apt-get update && apt-get -y upgrade'
-
-# Usually no need to change systemd_run_default_args
-systemd_run_default_args=--collect
- --property=Delegate=yes
- --property=RestartForceExitStatus=133
- --property=SuccessExitStatus=133
- --property=TasksMax=infinity
- --property=Type=notify
- --setenv=SYSTEMD_NSPAWN_LOCK=0
- --property=KillMode=mixed
-
-# Usually no need to change systemd_nspawn_default_args
-systemd_nspawn_default_args=--bind-ro=/sys/module
- --boot
- --inaccessible=/sys/module/apparmor
- --quiet
- --keep-unit"""
 # Use mostly default settings for systemd-nspawn but with systemd-run instead of a service file:
 # https://github.com/systemd/systemd/blob/main/units/systemd-nspawn%40.service.in
diff --git a/src/jlmkr/utils/config_parser.py b/src/jlmkr/utils/config_parser.py
index 9264ab4..720f79f 100644
--- a/src/jlmkr/utils/config_parser.py
+++ b/src/jlmkr/utils/config_parser.py
@@ -6,7 +6,7 @@
 import configparser
 import io
 import re
-from donor.jlmkr import DEFAULT_CONFIG
+from donor.data import DEFAULT_CONFIG
 # Used in parser getters to indicate the default behavior when a specific