Fix netlink and capabilities (#172)

sky-uk · Apr 3, 2018 · 3b069d1 · 3b069d1
1 parent b7e46cc
commit 3b069d1
Show file tree

Hide file tree

Showing 9 changed files with 35 additions and 51 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+# v1.9.2
+* Bug fix for merlin attacher - fix netlink and capabilities for feed-ingress.
+
 # v1.9.1
 * Introduced flag to set the amount of memory allocated to the vhost statistics module (default: 1 MiB)
 

diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/docker/ingress/Dockerfile b/docker/ingress/Dockerfile
@@ -1,9 +1,12 @@
-FROM phusion/baseimage:0.9.22
+FROM debian:stretch-slim
 
+# Install useful diagnostic packages
 RUN apt-get update \
     && apt-get dist-upgrade -y \
     && apt-get install --no-install-suggests --no-install-recommends -y \
+        libcap2-bin \
         curl \
+        ca-certificates \
         dnsutils \
         vim-tiny \
         lsof \
@@ -12,33 +15,29 @@ RUN apt-get update \
     && apt-get autoremove -y \
     && rm -rf /var/lib/apt/lists/* /tmp/*
 
+# Install nginx
 ENV NGINX_VERSION 1.12.2
 ENV NGINX_SHA256 305f379da1d5fb5aefa79e45c829852ca6983c7cd2a79328f8e084a324cf0416
 ENV VTS_VERSION 0.1.15
 ENV VTS_SHA256 5112a054b1b1edb4c0042a9a840ef45f22abb3c05c68174e28ebf483164fb7e1
 
 COPY build-nginx.sh /tmp
-RUN /bin/bash /tmp/build-nginx.sh
-
-COPY feed-ingress /
-COPY nginx.tmpl /nginx/
-RUN chown nginx:nginx /nginx/nginx.tmpl
+RUN chmod 755 /tmp/build-nginx.sh
+RUN /tmp/build-nginx.sh
+# For binding to privileged ports in nginx.
 RUN setcap "cap_net_bind_service=+ep" /usr/sbin/nginx
 
-ADD logrotate.config /etc/logrotate.d/nginx
-RUN chmod 600 /etc/logrotate.d/nginx
+# Setup feed controller
+RUN useradd -s /sbin/nologin feed
+RUN mkdir -p /nginx /var/cache/nginx
+RUN chown -R feed:feed /nginx /var/cache/nginx
 
-ADD logrotate.cron /etc/cron.d/nginx
-RUN chmod 600 /etc/cron.d/nginx
-
-# Defer execution as the log dir may be mounted when running
-ADD log-dir-ownership.sh /etc/my_init.d/log-dir-ownership.sh
+COPY feed-ingress /
+# For binding VIP for merlin.
+RUN setcap "cap_net_admin=+ep" /feed-ingress
 
-# Let feed shutdown gracefully by giving it plenty of time to stop.
-# Give children processes 5 minutes to timeout
-ENV KILL_PROCESS_TIMEOUT=300
-# Give all other processes (such as those which have been forked) 5 minutes to timeout
-ENV KILL_ALL_PROCESSES_TIMEOUT=300
+COPY nginx.tmpl /nginx/
+RUN chown feed:feed /nginx/nginx.tmpl
 
-ENTRYPOINT ["/sbin/my_init", "--quiet", "--", "/sbin/setuser", "nginx", \
-    "/feed-ingress", "-nginx-workdir", "/nginx"]
+USER feed
+ENTRYPOINT ["/feed-ingress", "-nginx-workdir", "/nginx"]
diff --git a/docker/ingress/build-nginx.sh b/docker/ingress/build-nginx.sh
@@ -2,10 +2,6 @@
 
 set -ex
 
-useradd -s /sbin/nologin nginx
-mkdir -p /nginx /var/cache/nginx
-chown -R nginx:nginx /nginx /var/cache/nginx
-
 apt-get update
 apt-get install --no-install-suggests --no-install-recommends -y \
     build-essential \
@@ -15,9 +11,6 @@ apt-get install --no-install-suggests --no-install-recommends -y \
     libaio1 libaio-dev \
     sudo libssl-dev
 
-# allow nginx user to manage interfaces and arp configuration
-echo "%nginx ALL=NOPASSWD: /sbin/ip, /usr/bin/tee" >> /etc/sudoers
-
 echo "--- Downloading nginx and modules"
 mkdir /tmp/nginx
 cd /tmp/nginx
@@ -70,6 +63,6 @@ make
 make install
 
 echo "--- Cleaning up"
-apt-get purge -y build-essential libc6-dev libpcre3-dev zlib1g-dev libaio-dev gcc-5 cpp-5
+apt-get purge -y build-essential ca-certificates libc6-dev libpcre3-dev zlib1g-dev libaio-dev gcc-5
 apt-get clean -y
 rm -rf /var/lib/apt/lists/* /tmp/*
diff --git a/docker/ingress/log-dir-ownership.sh b/docker/ingress/log-dir-ownership.sh
diff --git a/docker/ingress/logrotate.config b/docker/ingress/logrotate.config
diff --git a/docker/ingress/logrotate.cron b/docker/ingress/logrotate.cron
diff --git a/merlin/merlin.go b/merlin/merlin.go
@@ -184,3 +184,7 @@ func (u *updater) removeVIP() error {
 	}
 	return u.nl.removeVIP(u.VIPInterface, u.VIP)
 }
+
+func (u *updater) String() string {
+	return "merlin attacher"
+}
diff --git a/merlin/netlink.go b/merlin/netlink.go
@@ -3,6 +3,8 @@ package merlin
 import (
 	"fmt"
 
+	"strings"
+
 	"github.com/vishvananda/netlink"
 )
 
@@ -15,6 +17,10 @@ type netlinkWrapper interface {
 type netlinkWrapperImpl struct{}
 
 func (i *netlinkWrapperImpl) handleVIP(vipInterface, vip string, fn func(netlink.Link, *netlink.Addr) error) error {
+	if !strings.Contains(vip, "/") {
+		// Doesn't contain a network, add /32.
+		vip = vip + "/32"
+	}
 	ipNet, err := netlink.ParseIPNet(vip)
 	if err != nil {
 		return fmt.Errorf("unable to parse VIP %s: %v", vip, err)
@@ -23,7 +29,7 @@ func (i *netlinkWrapperImpl) handleVIP(vipInterface, vip string, fn func(netlink
 	if err != nil {
 		return fmt.Errorf("unable to add/remove VIP on %s: %v", vipInterface, err)
 	}
-	if err := fn(lnk, &netlink.Addr{IPNet: ipNet, Label: "feed-vip"}); err != nil {
+	if err := fn(lnk, &netlink.Addr{IPNet: ipNet}); err != nil {
 		return fmt.Errorf("unable to add/remove VIP %s to %s: %v", vip, vipInterface, err)
 	}
 	return nil