split-zone, dn42-routes and more

container.json

@@ -1,14 +1,18 @@
 {
   "zone": {
     "soa": "ns1.higgsboson.tk.",
-    "serial": 124,
+    "serial": 149,
     "refresh": "1H",
     "hostmaster": "hostmaster.higgsboson.tk",
     "domain": "eve.higgsboson.tk",
+    "ttl": 300,
+    "a": "148.251.132.243",
+    "aaaa": "2a01:4f8:210:31fd::1",
     "retry": "4H",
     "expire": "3W",
     "minimum": "1D",
     "v4_subnet": "192.168.66.0/24",
+    "dn42_v4_subnet": "172.23.75.0/24",
     "v6_subnet": "2a01:4f8:210:31fd:1::/80"
   },
   "network": {
@@ -19,17 +23,17 @@
     },
     "tinc2": {
       "ipv4": "188.166.16.37",
-      "ipv6": "2a03:b0c0:2:d0::2a5:f004",
+      "ipv6": "2a03:b0c0:0:1010::3d:b003",
       "lxc": false
     },
     "eve": {
+      "ipv4": "192.168.66.1",
       "ipv6": "2a01:4f8:210:31fd::1",
-      "ipv4": "148.251.132.243",
       "lxc": false
     },
     "eva": {
+      "ipv4": "192.168.67.1",
       "ipv6": "2a03:b0c0:2:d0::2a5:f001",
-      "ipv4": "188.166.16.37",
       "lxc": false
     },
     "bridge": {
@@ -68,23 +72,27 @@
     "ns1": {
       "ns": true,
       "lxc": false,
-      "rdns6": "ns1.higgsboson.tk",
-      "ipv4": "192.168.66.6/32",
+      "ipv4": "148.251.132.243/32",
       "ipv6": "2a01:4f8:210:31fd:1::6/128"
     },
     "ns2": {
       "ns": true,
       "lxc": false,
-      "ipv4": "192.168.67.1/32",
-      "ipv6": "2a03:b0c0:2:d0:1::1/128"
+      "ipv4": "188.226.214.194/32",
+      "ipv6": "2a03:b0c0:0:1010::3d:b002/128"
     },
     "dns": {
       "ipv4": "192.168.66.6/32",
       "ipv6": "2a01:4f8:210:31fd:1::6/128",
       "rdns6": "ns1.higgsboson.tk",
-      "dn42": {
-        "ipv4": "172.23.75.4"
-      }
+      "dn42_ipv4": "172.23.75.6/32",
+      "dn42_ipv6": "fdc0:4992:6a6d:6::1/64"
+    },
+    "dn42": {
+      "ipv4": "192.168.66.31/32",
+      "ipv6": "2a01:4f8:210:31fd:1::1f/128",
+      "dn42_ipv4": "172.23.75.1/32",
+      "dn42_ipv6": "fdc0:4992:6a6d:1::1/64"
     },
     "faces": {
       "ipv4": "192.168.66.7/32",
@@ -132,7 +140,8 @@
           "mysql",
           "pdo_mysql"
         ]
-      }
+      },
+      "lxc": false
     },
     "phppgadmin": {
       "ipv4": "192.168.66.13/32",
@@ -143,7 +152,8 @@
           "pgsql",
           "pdo_pgsql"
         ]
-      }
+      },
+      "lxc": false
     },
     "adminer": {
       "ipv4": "192.168.66.14/32",
@@ -339,6 +349,10 @@
 
         ]
       }
+    },
+    "terraria": {
+      "ipv4": "192.168.66.34/32",
+      "ipv6": "2a01:4f8:210:31fd:1::22/128"
     }
   }
-}
+}

default.conf

@@ -1,6 +1,20 @@
 lxc.autodev = 1
 lxc.kmsg = 0
-lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin
+lxc.cap.drop = sys_module mac_admin mac_override sys_time net_admin setfcap sys_nice sys_pacct sys_rawio
+
+# Setup the LXC devices in /dev/lxc/
+lxc.devttydir = lxc
+
+# Set the halt/stop signals
+lxc.haltsignal=SIGRTMIN+4
+lxc.stopsignal=SIGRTMIN+14
+
+# Set the pivot directory
+lxc.pivotdir = lxc_putold
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/common.seccomp
 
 lxc.network.type = veth
 lxc.network.link = br0
@@ -12,30 +26,45 @@ lxc.network.ipv6.gateway = 2a01:4f8:210:31fd:1::1
 
 # cgroups
 lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
 lxc.cgroup.devices.allow = c *:* m
 lxc.cgroup.devices.allow = b *:* m
+## Allow specific devices
+### /dev/null
 lxc.cgroup.devices.allow = c 1:3 rwm
+### /dev/zero
 lxc.cgroup.devices.allow = c 1:5 rwm
+### /dev/full
 lxc.cgroup.devices.allow = c 1:7 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
 lxc.cgroup.devices.allow = c 4:1 rwm
+### /dev/tty
 lxc.cgroup.devices.allow = c 5:0 rwm
+### /dev/console
 lxc.cgroup.devices.allow = c 5:1 rwm
+### /dev/ptmx
 lxc.cgroup.devices.allow = c 5:2 rwm
+### /dev/random
+lxc.cgroup.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup.devices.allow = c 1:9 rwm
+### /dev/pts/*
 lxc.cgroup.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
 
 lxc.cgroup.memory.soft_limit_in_bytes = 1500M
 lxc.cgroup.memory.limit_in_bytes = 2000M
 lxc.cgroup.cpu.shares = 256
 lxc.cgroup.blkio.weight = 500
 
-lxc.mount.entry = /data/pacman-cache var/cache/pacman/pkg none bind 0 0
+# Setup the default mounts
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
+lxc.mount.entry = /data/pacman/pkg var/cache/pacman/pkg none bind 0 0
+lxc.mount.entry = /data/pacman/sync var/lib/pacman/sync none bind 0 0
 lxc.mount.entry = /data/repo srv/repo none bind,ro,create=dir 0 0
 lxc.mount.entry = /run/systemd/journal mnt/journal none bind,ro,create=dir 0 0
 
-lxc.hook.autodev = /etc/lxc/hooks/dn42-routes
-
 lxc.hook.clone = /etc/lxc/hooks/setup-machine-id
 lxc.hook.clone = /etc/lxc/hooks/remove-journal
 lxc.hook.clone = /etc/lxc/hooks/cleanup-lxc-config

evenet.conf

@@ -3,3 +3,4 @@ lxc.network.link = evenet
 lxc.network.flags = up
 lxc.network.name = eth1
 lxc.network.mtu = 1500
+lxc.hook.autodev = /etc/lxc/hooks/dn42-routes

hooks/build-split-zone

@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+require "resolv"
+require_relative "lib/lxc"
+
+class Resolver
+  def initialize
+    @stub_resolver = Resolv::DNS.new
+    @cache = {}
+  end
+  def resolve(name, delegated_subdomain, typeclass)
+    if name == "@"
+      fqdn = delegated_subdomain
+    else
+      fqdn = "#{name}.#{delegated_subdomain}"
+    end
+    result = @cache[fqdn + typeclass.to_s] ||= @stub_resolver.getresource(fqdn, typeclass)
+    if result == :no_record
+      nil
+    else
+      result
+    end
+  rescue Resolv::ResolvError => e
+    puts "warning: #{e}"
+    @cache[fqdn + typeclass.to_s] = :no_record
+    return nil
+  end
+  def a(name, delegated_subdomain)
+    result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::A)
+    return "" unless result
+    "#{name} A #{result.address.to_s}\n"
+  end
+  def aaaa(name, delegated_subdomain)
+    result = resolve(name, delegated_subdomain, Resolv::DNS::Resource::IN::AAAA)
+    return "" unless result
+    "#{name} AAAA #{result.address.to_s}\n"
+  end
+end
+
+template_path = Lxc::CONFIG_ROOT.join("templates/higgsboson.tk.zone.erb")
+template = Lxc::Template.new(template_path)
+serial = Time.new.to_i
+resolver = Resolver.new
+zones = [
+  ["zones/higgsboson.tk.zone", :pub],
+  ["zones/internal-eve.higgsboson.tk.zone", :eve],
+  ["zones/internal-eva.higgsboson.tk.zone", :eva],
+]
+zones.each do |zone, type|
+  template.write(zone, resolver: resolver, serial: serial, type: type)
+end
+Lxc::Utils.sh("lxc-attach", "-n", "dns", "--", "rndc", "reload")

hooks/dn42-routes

@@ -1,5 +1,7 @@
 #!/bin/bash
 
-/usr/bin/ip route add 172.16.0.0/12 via 172.16.75.1 proto static metric 200
-/usr/bin/ip route add 10.0.0.0/8 via 172.16.75.1 proto static metric 200
-exit 0
+ip rule add from 172.23.75.0/24 table 42
+ip route add 192.168.66.0/24 via 172.23.75.4 dev eth1 table 42
+ip route add 172.16.0.0/12 via 172.23.75.1
+ip route add 10.0.0.0/8 via 172.23.75.1
+ip route flush cache

hooks/lib/lxc/container.rb

@@ -16,13 +16,13 @@ module Lxc
       @ipv4_subnet = NetAddr::CIDR.create(zone["v4_subnet"] || "192.168.10.0/24")
       @ipv6_subnet = NetAddr::CIDR.create(zone["v6_subnet"] || "fd7d:aed0:18aa::/48")
 
-      if subnet = zone["dn42_ipv4_subnet"]
+      if subnet = zone["dn42_v4_subnet"]
         @dn42_ipv4_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
       else
         @dn42_ipv4_netmask = 24
       end
 
-      if subnet = zone["dn42_ipv6_subnet"]
+      if subnet = zone["dn42_v6_subnet"]
         @dn42_ipv6_netmask = NetAddr::CIDR.create(subnet).to_i(:netmask)
       else
         @dn42_ipv6_netmask = 48
@@ -47,12 +47,12 @@ module Lxc
                             ipv4: format_address(@ipv4, @ipv4_subnet.to_i(:netmask)),
                             ipv6: format_address(@ipv6, @ipv6_subnet.to_i(:netmask)))
       if @dn42_ipv4
-        opts[:dn42_ipv4] = format_address(dn42_ipv6, dn42_ipv4_netmask)
+        opts[:dn42_ipv4] = format_address(@dn42_ipv4, @dn42_ipv4_netmask)
         c["dn42_ipv4"] = NetAddr::CIDR.create(@dn42_ipv4).to_s(Short: true)
       end
 
       if @dn42_ipv6
-        opts[:dn42_ipv6] = format_address(dn42_ipv4, dn42_ipv6_netmask)
+        opts[:dn42_ipv6] = format_address(@dn42_ipv6, @dn42_ipv6_netmask)
         c["dn42_ipv6"] = NetAddr::CIDR.create(@dn42_ipv6).to_s(Short: true)
       end
 

hooks/lib/lxc/template.rb

@@ -8,12 +8,13 @@ module Lxc
   end
 
   class Template
-    def initialize(path)
+    def initialize(path, context: nil)
       @path = path
       @erb = ERB.new(File.read(path), nil, "-")
     end
     def render(params={})
-      @erb.result(TemplateContext.new(params).get_binding)
+      context = TemplateContext.new(params)
+      @erb.result(context.get_binding)
     rescue => e
       raise StandardError.new("fail to render '#{@path}': #{e}")
     end

hooks/tun-device

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+cd ${LXC_ROOTFS_MOUNT}/dev
+mkdir net
+mknod net/tun c 10 200
+chmod 0666 net/tun

templates/config.erb

@@ -5,3 +5,13 @@ lxc.rootfs = <%= rootfs %>
 lxc.network.ipv4 = <%= ipv4 %>
 lxc.network.ipv6 = <%= ipv6 %>
 lxc.network.veth.pair = lxc_<%= name[0..(16-4)] %>
+
+<% if dn42_ipv4 || dn42_ipv6 -%>
+lxc.include = /etc/lxc/evenet.conf
+<% if dn42_ipv4 -%>
+lxc.network.ipv4 = <%= dn42_ipv4 %>
+<% end -%>
+<% if dn42_ipv6 -%>
+lxc.network.ipv6 = <%= dn42_ipv6 %>
+<% end -%>
+<% end -%>

templates/higgsboson.tk.zone.erb

@@ -0,0 +1,89 @@
+$TTL 300
+@ 3600  IN  SOA ns1 admin.higgsboson.tk. (
+    <%= serial %>  ; serial
+    7200    ; refresh
+    3600    ; retry
+    86400   ; expire
+    3600)   ; minimum
+
+;; NS Records (YOU MUST CHANGE THIS)
+  NS ns1
+  NS ns2
+
+;; MX Records
+  MX 10 mail
+
+;; TXT Records
+                   TXT "v=spf1 mx a:mail.higgsboson.tk aaaa:mail.higgsboson.tk -all"
+_adsp._domainkey   TXT "dkim=all\;"
+default._domainkey TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhqBgbSEMgdWYmBSBsNbI2opjEZSFuZiqnAzv2yxLYyXB0l1uL4tw9npNkC4w5cNehc87qhuuzADsSOJoFUQ+H3oWOnENcGKatQqRKzLxKLBWwUf+TnC21AKGHXD4eABZk3ahfYnlR7li3Wh/JSMsAxWmaikLj3uLHd/WN9eH4rwIDAQAB"
+_dmarc             TXT "v=DMARC1\; p=none\; adkim=r\; aspf=r\; rua=mailto:admin@higgsboson.tk\; ruf=mailto:admin@higgsboson.tk\; pct=100"
+joerg._pka         TXT "v=pka1\;fpr=4ABA07382AD57E6B9AA4E88DCA4106B8D7CC79FA\;uri=http://higgsboson.tk/joerg/joerg.asc"
+
+;; SRV Records (Service locator)
+_xmpp-client._tcp.muc SRV 0 5 5222 jabber
+_xmpp-client._tcp     SRV 0 5 5222 jabber
+_xmpp-server._tcp.muc SRV 0 5 5269 jabber
+_xmpp-server._tcp     SRV 0 5 5269 jabber
+
+;; CNAME Records
+*.jabber CNAME jabber
+anon     CNAME jabber
+proxy    CNAME jabber
+pubsub   CNAME jabber
+
+imap CNAME mail
+smtp CNAME mail
+
+tinc1 CNAME dn42
+
+archfeed    CNAME arch-pkg-feed.herokuapp.com.
+githubtags  CNAME github-tags-feed.herokuapp.com.
+reisekosten CNAME reisekosten.herokuapp.com.
+
+;; A Records (IPv4 addresses)
+<% if type == :eve -%>
+* A 192.168.66.5
+<% else -%>
+* A 148.251.132.243
+<% end -%>
+
+dn42 A 148.251.132.243
+<%= resolver.aaaa("dn42", "eve.higgsboson.tk") -%>
+
+;; eve -->
+<% eve_services = %w{@ classifier eve jabber login mail ns1 web} -%>
+<% if type == :eve -%>
+<% eve_services.each do |name| -%>
+<%= resolver.a(name, "eve.higgsboson.tk") -%>
+<% end -%>
+<% else -%>
+<% eve_services.each do |name| -%>
+<%= name %> A 148.251.132.243
+<% end -%>
+<% end -%>
+;; <-- eve
+
+;; eva -->
+<% eva_services = %w{eva ns2 tinc2} -%>
+<% if type == :eva -%>
+<% eva_services.each do |name| -%>
+<%= resolver.a(name, "eva.higgsboson.tk") -%>
+<% end -%>
+<% else -%>
+<% eva_services.each do |name| -%>
+<%= name %> A 188.166.16.37
+<% end -%>
+<% end -%>
+;; <-- eva
+
+;; AAAA Records (IPv6 addresses)
+* AAAA 2a01:4f8:210:31fd:1::5
+
+<% eve_services.each do |name| -%>
+<%= resolver.aaaa(name, "eve.higgsboson.tk") -%>
+<% end -%>
+
+<% eva_services.each do |name| -%>
+<%= resolver.aaaa(name, "eva.higgsboson.tk") -%>
+<% end -%>

templates/lxc-zone.erb

@@ -1,15 +1,26 @@
-@     IN SOA   <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
+<% if data["zone"]["ttl"] -%>
+$TTL <%= data["zone"]["ttl"] %>
+<% end -%>
+
+@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
                     <%= data["zone"]["serial"] %> ; serial
                     <%= data["zone"]["refresh"] %> ; refresh
                     <%= data["zone"]["retry"] %> ; retry
                     <%= data["zone"]["expire"] %> ; expire
                     <%= data["zone"]["minimum"] %>) ; minimum
+
 <% data["network"].each do |name, value| -%>
 <% if value["ns"] -%>
-  IN NS <%= name %>
+  NS <%= name %>
 <% end -%>
 <% end -%>
 
+<% if data["zone"]["a"] -%>
+  A <%= data["zone"]["a"] %>
+<% end -%>
+<% if data["zone"]["aaaa"] -%>
+  AAAA <%= data["zone"]["aaaa"]%>
+<% end -%>
 <% data["network"].each do |name, value| %>
 <% if value["cname"] -%>
 <%= name %> CNAME <%= value["cname"] %>

templates/rdns-zone.erb

@@ -1,4 +1,4 @@
-@     IN SOA   <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
+@ IN SOA <%= data["zone"]["soa"] %> <%= data["zone"]["hostmaster"] %> (
                     <%= data["zone"]["serial"] %> ; serial
                     <%= data["zone"]["refresh"] %> ; refresh
                     <%= data["zone"]["retry"] %> ; retry
@@ -6,18 +6,7 @@
                     <%= data["zone"]["minimum"] %>) ; minimum
 <% data["network"].each do |name, value| -%>
 <% if value["ns"] -%>
-  IN NS <%= name %>
-<% end -%>
-<% end -%>
-
-<% data["network"].each do |name, value| -%>
-<% if value["ns"] -%>
-<% if value["ipv4"] -%>
-<%= name %> A <%= NetAddr::CIDR.create(value["ipv4"]).ip(Short: true) %>
-<% end -%>
-<% if value["ipv6"] -%>
-<%= name %> AAAA <%= NetAddr::CIDR.create(value["ipv6"]).ip(Short: true) %>
-<% end -%>
+  IN NS <%= name %>.<%= data["zone"]["domain"] %>.
 <% end -%>
 <% end -%>