initial commit
This commit is contained in:
parent
e5b225b46f
commit
87cb850050
GPG Key ID:
E9B4156C1659C079
11
README.md
11
README.md
@ -1,5 +1,10 @@
|
||||
# wireguard-inject
|
||||
|
||||
Provisioning wireguard tunnels between a host and namespaces can be tricky, particularly if the namespaces are dynamically created as with containers.
|
||||
|
||||
wireguard-inject is a small shell script which can create and inject wireguard interfaces in to a namespace using a configuration directory and provisioning scripts.
|
||||
Provisioning wireguard tunnels between a host and namespaces can be tricky, particularly if the namespaces are dynamically created as when using containers.
|
||||
|
||||
wireguard-inject is a small shell script which can create and inject wireguard interfaces in to a namespace using a configuration directory and helper provisioning script.
|
||||
|
||||
The provisioning script includes a number of functions to identify actual and required tunnels, together with functions to add and remove tunnels appropriately. As such, the script can be used with arbirary configuration sources or namespace configurations.
|
||||
|
||||
The script is intended to run via a systemd path unit so that config changes are picked up immediately, and via a timer unit to validate the actual configuration on a periodic basis (for example, in case the namespace is re-created or a temporary error occurs)
|
||||
|
||||
|
||||
69
example-provisioner/provisioner.sh
Executable file
69
example-provisioner/provisioner.sh
Executable file
@ -0,0 +1,69 @@
|
||||
#!/bin/bash -e
|
||||
###########################################################################
|
||||
|
||||
PROVISIONER_NAME='provisioner'
|
||||
CONFIG_PATH='/path/to/wireguard/config/files'
|
||||
|
||||
# find router PID
|
||||
ROUTER_PID=$(incus info --project my-project router 2>/dev/null | \
|
||||
grep '^PID:' | cut -d' ' -f2)
|
||||
echo "* my-project/router PID: $ROUTER_PID"
|
||||
|
||||
###########################################################################
|
||||
|
||||
function list_config_files
|
||||
{
|
||||
find "$CONFIG_PATH" -name '*.conf' -type f -print
|
||||
}
|
||||
|
||||
###########################################################################
|
||||
|
||||
function list_actual_interfaces
|
||||
{
|
||||
if [ -n "$ROUTER_PID" ]
|
||||
then
|
||||
nsenter -t "$ROUTER_PID" -n wg show interfaces
|
||||
fi
|
||||
}
|
||||
|
||||
###########################################################################
|
||||
|
||||
function add_tunnel
|
||||
{
|
||||
local iface="$1"
|
||||
local config="$2"
|
||||
|
||||
if [ -n "$ROUTER_PID" ]
|
||||
then
|
||||
ip link add dev "$iface" type wireguard
|
||||
wg setconf "$iface" "$config"
|
||||
ip link set dev "$iface" netns "$ROUTER_PID"
|
||||
nsenter -t "$ROUTER_PID" -n ip link set "$iface" up
|
||||
else
|
||||
echo >&2 'Unable to add tunnel, router PID not found'
|
||||
fi
|
||||
}
|
||||
|
||||
###########################################################################
|
||||
|
||||
function remove_tunnel
|
||||
{
|
||||
local iface="$1"
|
||||
|
||||
if [ -n "$ROUTER_PID" ]
|
||||
then
|
||||
nsenter -t "$ROUTER_PID" -n ip link del "$iface"
|
||||
else
|
||||
echo >&2 'Unable to delete tunnel, router PID not found'
|
||||
fi
|
||||
}
|
||||
|
||||
###########################################################################
|
||||
|
||||
function all_done
|
||||
{
|
||||
touch "${CONFIG_PATH}/inject.complete"
|
||||
}
|
||||
|
||||
###########################################################################
|
||||
# end of file
|
||||
14
example-systemd/wireguard-XXXXX.path
Normal file
14
example-systemd/wireguard-XXXXX.path
Normal file
@ -0,0 +1,14 @@
|
||||
##########################################################################
|
||||
|
||||
[Unit]
|
||||
Description="Monitor for wireguard tunnel changes"
|
||||
|
||||
[Path]
|
||||
PathChanged=XXXXX
|
||||
Unit=wireguard-inject@XXXXX.service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
##########################################################################
|
||||
# end of file
|
||||
14
example-systemd/wireguard-inject@.service
Normal file
14
example-systemd/wireguard-inject@.service
Normal file
@ -0,0 +1,14 @@
|
||||
##########################################################################
|
||||
|
||||
[Unit]
|
||||
Description="Wireguard tunnel injection"
|
||||
|
||||
[Service]
|
||||
User=root
|
||||
Group=root
|
||||
Type=oneshot
|
||||
StandardOutput=journal
|
||||
ExecStart=/usr/local/sbin/wireguard-inject.sh /etc/wireguard-inject/"%i"
|
||||
|
||||
##########################################################################
|
||||
# end of file
|
||||
15
example-systemd/wireguard-inject@.timer
Normal file
15
example-systemd/wireguard-inject@.timer
Normal file
@ -0,0 +1,15 @@
|
||||
##########################################################################
|
||||
|
||||
[Unit]
|
||||
Description="Wireguard tunnel inject timer"
|
||||
|
||||
[Timer]
|
||||
Unit=wireguard-inject@%i.service
|
||||
OnUnitActiveSec=13m
|
||||
RandomizedDelaySec=60
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
|
||||
##########################################################################
|
||||
# end of file
|
||||
165
wireguard-inject.sh
Executable file
165
wireguard-inject.sh
Executable file
@ -0,0 +1,165 @@
|
||||
#!/bin/bash -e
|
||||
###########################################################################
|
||||
|
||||
if [ ! -x "$1" ]
|
||||
then
|
||||
echo >&2 "Usage: $0 <provisioner script>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# source the provisioner script
|
||||
. "$1"
|
||||
|
||||
printf 'Starting wireguard-inject: %s - %s\n' "$PROVISIONER_NAME" "$(date)"
|
||||
|
||||
# other configuration
|
||||
RUNDIR='/run/wireguard-inject'
|
||||
[ -d "$RUNDIR" ] || mkdir -m 0700 "$RUNDIR"
|
||||
MODFILE="${RUNDIR}/${PROVISIONER_NAME}"
|
||||
|
||||
###########################################################################
|
||||
|
||||
# loop until at least 5 seconds since the last modification date
|
||||
while :
|
||||
do
|
||||
|
||||
declare -A modtimes
|
||||
maxmod=0
|
||||
|
||||
# scan for modification dates
|
||||
while IFS= read -r file
|
||||
do
|
||||
[ -n "$file" ] || continue
|
||||
mod=$(stat -c "%Y" "$file")
|
||||
modtimes[$file]="$mod"
|
||||
if [ "$mod" -gt "$maxmod" ]
|
||||
then
|
||||
maxmod="$mod"
|
||||
fi
|
||||
|
||||
done <<< "$(list_config_files)"
|
||||
|
||||
# check the time
|
||||
now=$(date '+%s')
|
||||
date_diff=$(( now - maxmod ))
|
||||
[ "$date_diff" -gt 5 ] && break
|
||||
|
||||
# still updates happening, loop around
|
||||
echo "- waiting for config to settle: $(date)"
|
||||
sleep $(( 6 - date_diff ))
|
||||
|
||||
done
|
||||
|
||||
###########################################################################
|
||||
# compare against the previous run
|
||||
|
||||
declare -A interfaces
|
||||
declare -A previous_modtimes
|
||||
declare -A add_interfaces
|
||||
declare -A remove_interfaces
|
||||
modcount=0
|
||||
|
||||
if [ -f "$MODFILE" ]
|
||||
then
|
||||
# slurp the previous modtimes into a map
|
||||
declare -A previous_modtimes
|
||||
while IFS='!' read -r file mod
|
||||
do
|
||||
previous_modtimes[$file]="$mod"
|
||||
done < "$MODFILE"
|
||||
fi
|
||||
|
||||
# check for changed files
|
||||
# also, create a map of interfaces to config files along the way
|
||||
|
||||
for file in "${!modtimes[@]}"
|
||||
do
|
||||
base=${file##*/}
|
||||
iface=${base%%.*}
|
||||
interfaces[$iface]="$file"
|
||||
|
||||
if [ -v "previous_modtimes[$file]" ] &&
|
||||
[ "${previous_modtimes[$file]}" -eq "${modtimes[$file]}" ]
|
||||
then
|
||||
continue
|
||||
fi
|
||||
|
||||
# if an interface has been modified, remove it then re-add it
|
||||
remove_interfaces[$iface]=1
|
||||
add_interfaces[$iface]=1
|
||||
|
||||
modcount=$(( modcount + 1 ))
|
||||
done
|
||||
|
||||
###########################################################################
|
||||
# fetch a list of configured interfaces
|
||||
|
||||
declare -A actual_interfaces
|
||||
while IFS= read -r iface
|
||||
do
|
||||
actual_interfaces[$iface]=1
|
||||
done <<< "$(list_actual_interfaces)"
|
||||
|
||||
###########################################################################
|
||||
# now we can figure out if interfaces have been added or removed
|
||||
|
||||
for iface in "${!actual_interfaces[@]}"
|
||||
do
|
||||
# does actual interface exist in config ?
|
||||
if [ ! -v "interfaces[$iface]" ]
|
||||
then
|
||||
# interface has been removed
|
||||
remove_interfaces[$iface]=1
|
||||
fi
|
||||
done
|
||||
|
||||
for iface in "${!interfaces[@]}"
|
||||
do
|
||||
# does interface actually exist ?
|
||||
if [ ! -v "actual_interfaces[$iface]" ]
|
||||
then
|
||||
# interface has been added
|
||||
add_interfaces[$iface]=1
|
||||
|
||||
# can't remove the interface if it wasn't there in the first place
|
||||
unset "remove_interfaces[$iface]"
|
||||
fi
|
||||
done
|
||||
|
||||
###########################################################################
|
||||
# finally in a position to make some changes
|
||||
|
||||
echo " - Removing ${#remove_interfaces[@]} tunnels"
|
||||
for iface in "${!remove_interfaces[@]}"
|
||||
do
|
||||
echo " _ $iface"
|
||||
remove_tunnel "$iface"
|
||||
done
|
||||
|
||||
echo " - Adding ${#add_interfaces[@]} tunnels"
|
||||
for iface in "${!add_interfaces[@]}"
|
||||
do
|
||||
echo " + $iface"
|
||||
add_tunnel "$iface" "${interfaces[$iface]}"
|
||||
done
|
||||
|
||||
###########################################################################
|
||||
# all done
|
||||
|
||||
# save the modified times if required
|
||||
if [ "$modcount" -gt 0 ]
|
||||
then
|
||||
exec 3> "$MODFILE"
|
||||
for file in "${!modtimes[@]}"
|
||||
do
|
||||
echo >&3 "${file}!${modtimes[$file]}"
|
||||
done
|
||||
exec 3>&-
|
||||
fi
|
||||
|
||||
# also signal the provisioner
|
||||
all_done
|
||||
|
||||
echo "Completed changes: $(date)"
|
||||
###########################################################################
|
||||
# end of file
|
||||
Loading…
x
Reference in New Issue
Block a user