From patchwork Tue Jul 21 10:36:39 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3268 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4B9w4x49cVz3xKT for ; Tue, 21 Jul 2020 10:36:49 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4B9w4v2Gglz1rl; Tue, 21 Jul 2020 10:36:47 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4B9w4v114Wz2ylK; Tue, 21 Jul 2020 10:36:47 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4B9w4s4372z2y9h for ; Tue, 21 Jul 2020 10:36:45 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) 
with ESMTPSA id 4B9w4r5J71z1rl; Tue, 21 Jul 2020 10:36:44 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1595327804; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=h/LJEPVHmEKwFA+u0zzhqk3lZlFxGLrKjBanTdwerzc=; b=pAPnRqYBdXtjIoQNtiIX8JGaZXIVMEqweal/yppgeeyIQVxoPCo4r99kxe1fA37O0ahOv0 XWYrHwBagCO9d5Cw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1595327804; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=h/LJEPVHmEKwFA+u0zzhqk3lZlFxGLrKjBanTdwerzc=; b=r4+bSVJ8FQE9kO5GMbs13Xg5VfJPwmicOIsHqO8aHM5W8Usp+mYLtj0bTqMP36ipwGNlMO lVL+cubcfXNYKtpdgpMGTTEh0RM40xhVhvMg82acfYucT18u49ikTk9kcrfWFgT1ccT4tj 53Mx0VpM+qwucNZAs+S4IMU/MYfuarIj1zRC17vMhbqrB39IpOL2OAKwuNyHTEkZop9QJ3 eevGcytI84FT4qSR9658jxmEOR+/12I5GO8eM4ZXKUtMKlDas2KisaRfX5lI8bLFF5Kg3a 5Vv5cl7bljq+SR1iixt42CqQXS9N5ytu467OoiNV5Xa9l8hrF77idKN0xId+1Q== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/3] oci: Add detection for Oracle Cloud Date: Tue, 21 Jul 2020 10:36:39 +0000 Message-Id: <20200721103641.30305-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- src/initscripts/system/cloud-init | 2 ++ src/initscripts/system/functions | 11 +++++++++++ 2 files changed, 13 insertions(+) diff --git a/src/initscripts/system/cloud-init b/src/initscripts/system/cloud-init index 284e24d7b..d39552b01 100644 --- a/src/initscripts/system/cloud-init +++ b/src/initscripts/system/cloud-init 
@@ -15,6 +15,8 @@ case "${1}" in scriptname="/etc/rc.d/helper/azure-setup" elif running_on_gcp; then scriptname="/etc/rc.d/helper/gcp-setup" + elif running_on_oci; then + scriptname="/etc/rc.d/helper/oci-setup" else # This system is not running in the cloud exit 0 diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions index b6e6507d6..30119918c 100644 --- a/src/initscripts/system/functions +++ b/src/initscripts/system/functions 
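Review bot: /etc/rc.d/helper/oci-setup is dispatched to by the new `elif running_on_oci` branch in the cloud-init hunk, but nothing in this patch creates that helper or adds it to the rootfiles lists, so 1/3 applied on its own leaves cloud-init invoking a script that does not exist on an OCI instance. Either squash the helper and its rootfiles entries into this commit or reorder the series so the helper lands before the dispatch.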
@@ -834,4 +834,15 @@ running_on_gcp() { return 1 } +running_on_oci() { + if [ -r "/sys/devices/virtual/dmi/id/chassis_asset_tag" ]; then + local asset_tag="$( 
X-Patchwork-Id: 3269
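Review bot: running_on_oci in the functions hunk is cut off after `local asset_tag="$(`, so the value chassis_asset_tag is compared against and the fall-through path are not visible here; please make sure the function ends with an explicit `return 1` like the `running_on_gcp` context directly above it, otherwise the exit status of whatever command runs last decides the branch in cloud-init on hosts that are not OCI. The DMI asset tag is a string supplied by the platform firmware, so treat a match as an environment hint for picking the helper, not as authentication of the metadata service that helper then talks to.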
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 2/3] oci: Add automatic configuration script
Date: Tue, 21 Jul 2020 10:36:40 +0000
Message-Id: <20200721103641.30305-2-michael.tremer@ipfire.org>
In-Reply-To: <20200721103641.30305-1-michael.tremer@ipfire.org>
References: <20200721103641.30305-1-michael.tremer@ipfire.org>
Cc: Michael Tremer
Signed-off-by: Michael Tremer --- config/rootfiles/common/aarch64/initscripts | 1 + config/rootfiles/common/armv5tel/initscripts | 1 + config/rootfiles/common/i586/initscripts | 1 + config/rootfiles/common/x86_64/initscripts | 1 + src/initscripts/helper/oci-setup | 308 +++++++++++++++++++ 5 files changed, 312 insertions(+) create mode 100644 src/initscripts/helper/oci-setup diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 330bb532e..8140b9073 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -5,6 +5,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/helper/gcp-setup etc/rc.d/helper/getdnsfromdhcpc.pl +etc/rc.d/helper/oci-setup #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 330bb532e..8140b9073 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -5,6 +5,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/helper/gcp-setup etc/rc.d/helper/getdnsfromdhcpc.pl +etc/rc.d/helper/oci-setup #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index c0fc18705..4ec56f700 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -5,6 +5,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/helper/gcp-setup etc/rc.d/helper/getdnsfromdhcpc.pl +etc/rc.d/helper/oci-setup #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index c0fc18705..4ec56f700 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts 
@@ -5,6 +5,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/helper/azure-setup etc/rc.d/helper/gcp-setup etc/rc.d/helper/getdnsfromdhcpc.pl +etc/rc.d/helper/oci-setup #etc/rc.d/init.d etc/rc.d/init.d/acpid etc/rc.d/init.d/apache diff --git a/src/initscripts/helper/oci-setup b/src/initscripts/helper/oci-setup new file mode 100644 index 000000000..aca09e673 --- /dev/null +++ b/src/initscripts/helper/oci-setup 
@@ -0,0 +1,308 @@ +#!/bin/bash + +. /etc/sysconfig/rc +. ${rc_functions} + +# Set PATH to find our own executables +export PATH=/usr/local/sbin:/usr/local/bin:${PATH} + +# GCP only supports an MTU of 1460 +DEFAULT_MTU=1460 + +get() { + local file="${1}" + + wget -qO - "http://169.254.169.254/opc/v1/${file}" +} + +to_address() { + local n="${1}" + + local o1=$(( (n & 0xff000000) >> 24 )) + local o2=$(( (n & 0xff0000) >> 16 )) + local o3=$(( (n & 0xff00) >> 8 )) + local o4=$(( (n & 0xff) )) + + printf "%d.%d.%d.%d\n" "${o1}" "${o2}" "${o3}" "${o4}" +} + +to_integer() { + local address="${1}" + + local integer=0 + + local i + for i in ${address//\./ }; do + integer=$(( (integer << 8) + i )) + done + + printf "%d\n" "${integer}" +} + +prefix2netmask() { + local prefix=${1} + + local zeros=$(( 32 - prefix )) + local netmask=0 + + local i + for (( i=0; i<${zeros}; i++ )); do + netmask=$(( (netmask << 1) ^ 1 )) + done + + to_address "$(( netmask ^ 0xffffffff ))" +} + +oci_list_interfaces() { + get "vnics/" | python3 -c "import json, sys; print(\"\n\".join([vnic[\"vnicId\"] for vnic in json.load(sys.stdin)]))" +} + +oci_get_interface_param() { + local id="${1}" + local param="${2}" + + get "vnics/" | python3 -c "import json, sys; print(\"\n\".join(vnic.get(\"${param}\", \"\") for vnic in json.load(sys.stdin) if vnic[\"vnicId\"] == \"${id}\"))" +} + +import_oci_configuration() { + local instance_id="$(get instance/id)" + + boot_mesg "Importing Oracle Cloud Infrastructure configuration for instance ${instance_id}..." + + # Store instance ID + echo "${instance_id}" > /var/run/oci-instance-id + + # Initialise system settings + local hostname=$(get instance/hostname) + + # Set hostname + if ! grep -q "^HOSTNAME=" /var/ipfire/main/settings; then + echo "HOSTNAME=${hostname%%.*}" >> /var/ipfire/main/settings + fi + + # Set domainname + if ! 
grep -q "^DOMAINNAME=" /var/ipfire/main/settings; then + echo "DOMAINNAME=${hostname#*.}" >> /var/ipfire/main/settings + fi + + # Create setup user + if ! getent passwd setup &>/dev/null; then + useradd setup -s /usr/bin/run-setup -g nobody -m + + # Unlock the account + usermod -p "x" setup + fi + + # Import SSH keys for setup user + local line + while read -r line; do + # Strip the username part from the key + local key="${line#*:}" + + if [ -n "${key}" ] && ! grep -q "^${key}$" "/home/setup/.ssh/authorized_keys" 2>/dev/null; then + mkdir -p "/home/setup/.ssh" + chmod 700 "/home/setup/.ssh" + chown setup.nobody "/home/setup/.ssh" + + echo "${key}" >> "/home/setup/.ssh/authorized_keys" + chmod 600 "/home/setup/.ssh/authorized_keys" + chown setup.nobody "/home/setup/.ssh/authorized_keys" + fi + done <<<"$(get instance/metadata/ssh_authorized_keys)" + + # Download the user-data script only on the first boot + if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then + # Download a startup script + local script="$(get instance/metadata/user_data)" + + # Execute the script + if [ "${script:0:2}" = "#!" 
]; then + echo "${script}" > /tmp/user-data.script + chmod 700 /tmp/user-data.script + + # Run the script + local now="$(date -u +"%s")" + /tmp/user-data.script &>/var/log/user-data.log.${now} + + # Delete the script right away + rm /tmp/user-data.script + fi + fi + + # Import network configuration + # After this, no network connectivity will be available from this script due to the + # renaming of the network interfaces for which they have to be shut down + local config_type=1 + : > /var/ipfire/ethernet/settings + + local id + for id in $(oci_list_interfaces); do + local mac="$(oci_get_interface_param "${id}" "macAddr")" + + # First IPv4 address + local ipv4_address="$(oci_get_interface_param "${id}" "privateIp")" + local ipv4_address_num="$(to_integer "${ipv4_address}")" + + local subnet="$(oci_get_interface_param "${id}" "subnetCidrBlock")" + local prefix="${subnet#*/}" + + local netmask="$(prefix2netmask "${prefix}")" + local netmask_num="$(to_integer "${netmask}")" + + # Calculate the network and broadcast addresses + local netaddress="${subnet%/*}" + local broadcast="$(to_address $(( ipv4_address_num | (0xffffffff ^ netmask_num) )))" + + local index="$(oci_get_interface_param "${id}" "nicIndex")" + + # Set index to zero if it was empty + if [ -z "${index}" ]; then + index=0 + fi + + case "${index}" in + # RED + 0) + local interface_name="red0" + local gateway="$(oci_get_interface_param "${id}" "virtualRouterIp")" + + ( + echo "RED_TYPE=STATIC" + echo "RED_DEV=${interface_name}" + echo "RED_MACADDR=${mac}" + echo "RED_DESCRIPTION='${id}'" + echo "RED_ADDRESS=${ipv4_address}" + echo "RED_NETMASK=${netmask}" + echo "RED_NETADDRESS=${netaddress}" + echo "RED_BROADCAST=${broadcast}" + echo "RED_MTU=1500" + echo "DEFAULT_GATEWAY=${gateway}" + ) >> /var/ipfire/ethernet/settings + + # Import aliases for RED + #for alias in $(get "instance/network-interfaces/${device_number}/ip-aliases"); do + # echo "${alias},on," + #done > /var/ipfire/ethernet/aliases + ;; + + # 
GREEN + 1) + local interface_name="green0" + + ( + echo "GREEN_DEV=${interface_name}" + echo "GREEN_MACADDR=${mac}" + echo "GREEN_DESCRIPTION='${id}'" + echo "GREEN_ADDRESS=${ipv4_address}" + echo "GREEN_NETMASK=${netmask}" + echo "GREEN_NETADDRESS=${netaddress}" + echo "GREEN_BROADCAST=${broadcast}" + echo "GREEN_MTU=${DEFAULT_MTU}" + ) >> /var/ipfire/ethernet/settings + ;; + + # ORANGE + 2) + local interface_name="orange0" + config_type=2 + + ( + echo "ORANGE_DEV=${interface_name}" + echo "ORANGE_MACADDR=${mac}" + echo "ORANGE_DESCRIPTION='${id}'" + echo "ORANGE_ADDRESS=${ipv4_address}" + echo "ORANGE_NETMASK=${netmask}" + echo "ORANGE_NETADDRESS=${netaddress}" + echo "ORANGE_BROADCAST=${broadcast}" + echo "ORANGE_MTU=${DEFAULT_MTU}" + ) >> /var/ipfire/ethernet/settings + ;; + esac + done + + # Save CONFIG_TYPE + echo "CONFIG_TYPE=${config_type}" >> /var/ipfire/ethernet/settings + + # Actions performed only on the very first start + if [ ! -e "/var/ipfire/main/firstsetup_ok" ]; then + # Disable using ISP nameservers + sed -e "s/^USE_ISP_NAMESERVERS=.*/USE_ISP_NAMESERVERS=off/" -i /var/ipfire/dns/settings + + # Enable SSH + sed -e "s/ENABLE_SSH=.*/ENABLE_SSH=on/g" -i /var/ipfire/remote/settings + + # Disable SSH password authentication + sed -e "s/^ENABLE_SSH_PASSWORDS=.*/ENABLE_SSH_PASSWORDS=off/" -i /var/ipfire/remote/settings + + # Enable SSH key authentication + sed -e "s/^ENABLE_SSH_KEYS=.*/ENABLE_SSH_KEYS=on/" -i /var/ipfire/remote/settings + + # Apply SSH settings + /usr/local/bin/sshctrl + + # Mark SSH to start immediately (but not right now) + touch /var/ipfire/remote/enablessh + chown nobody:nobody /var/ipfire/remote/enablessh + + # Firewall rules for SSH and WEBIF + ( + echo "1,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,cust_srv,SSH,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" + echo "2,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,RED1,,TCP,,,ON,,,TGT_PORT,444,,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second" + ) >> /var/ipfire/firewall/input + 
+ # This script has now completed the first steps of setup + touch /var/ipfire/main/firstsetup_ok + fi + + # All done + echo_ok +} + +case "${reason}" in + PREINIT) + # Bring up the interface + ip link set "${interface}" up + ;; + + BOUND|RENEW|REBIND|REBOOT) + # Remove any previous IP addresses + ip addr flush dev "${interface}" + + # Add (or re-add) the new IP address + ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}" + + # Add the default route + ip route add "${new_routers}" dev "${interface}" + ip route add default via "${new_routers}" + + # Setup DNS + for domain_name_server in ${new_domain_name_servers}; do + echo "nameserver ${domain_name_server}" + done > /etc/resolv.conf + + # The system is online now + touch /var/ipfire/red/active + + # Import OCI configuration + import_oci_configuration + ;; + + EXPIRE|FAIL|RELEASE|STOP) + # The system is no longer online + rm -f /var/ipfire/red/active + + # Remove all IP addresses + ip addr flush dev "${interface}" + + # Shut down the interface + ip link set "${interface}" down + ;; + + *) + echo "Unhandled reason: ${reason}" >&2 + exit 2 + ;; +esac + +# Terminate +exit 0
From patchwork Tue Jul 21 10:36:41 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 3270
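Review bot: in the oci-setup hunk, oci_get_interface_param splices `${id}` and `${param}` straight into the source text handed to `python3 -c`, and the ssh-key loop matches with `grep -q "^${key}$"`, so a metadata value containing a double quote, backslash or regex metacharacter either breaks the query or mis-matches; pass the id as an argument (`python3 -c '...' "${id}"` and read `sys.argv[1]`) and use `grep -qxF -- "${key}"`. In the same hunk `get` is a bare `wget -qO -` with no status check, so an unreachable or partial metadata response turns into empty strings that are written into /var/ipfire/ethernet/settings unchecked (to_integer of an empty string is 0) after the file has already been truncated with `: >`; bail out of import_oci_configuration when `instance/id` or `vnics/` comes back empty. Smaller points: the user-data script is written to the fixed path /tmp/user-data.script by `echo` before the `chmod 700`, so create it with `mktemp` under `umask 077` since user_data may carry secrets; the `DEFAULT_MTU` comment still reads "GCP only supports an MTU of 1460" and the commented-out alias import references `${device_number}`, both left over from gcp-setup, while RED is hard-coded to `RED_MTU=1500` and GREEN/ORANGE get `${DEFAULT_MTU}`; and because a missing nicIndex defaults to 0, a second VNIC without that field appends a second RED block to settings instead of being skipped.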
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 3/3] smt: Do not disable SMT in virtual machines
Date: Tue, 21 Jul 2020 10:36:41 +0000
Message-Id: <20200721103641.30305-3-michael.tremer@ipfire.org>
In-Reply-To: <20200721103641.30305-1-michael.tremer@ipfire.org>
References: <20200721103641.30305-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

Processors in virtual machines are *virtual*. Therefore this only degrades the performance of the guest, but does not increase its security.

This patch always leaves SMT enabled in all virtual environments.

Signed-off-by: Michael Tremer --- src/initscripts/system/smt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/initscripts/system/smt b/src/initscripts/system/smt index cc4128b2d..bfa7d57b3 100644 --- a/src/initscripts/system/smt +++ b/src/initscripts/system/smt @@ -20,6 +20,11 @@ case "${1}" in exit 0 fi 2>/dev/null + # Do not disable SMT inside virtual machines + if [ -d "/sys/hypervisor" ]; then + exit 0 + fi + # Disable SMT when the processor is vulnerable to Foreshadow or Fallout/ZombieLoad/RIDL for vuln in l1tf mds; do + if [ -r "/sys/devices/system/cpu/vulnerabilities/${vuln}" ] && \
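Review bot: `[ -d "/sys/hypervisor" ]` in the smt hunk does not test whether the system is a virtual machine: that directory is created at boot by hypervisor_init() whenever the kernel is built with CONFIG_SYS_HYPERVISOR (which the Xen sysfs support selects), so it is present on bare metal running such a kernel and absent in KVM, Hyper-V or VMware guests whose kernel lacks the option; only /sys/hypervisor/type is Xen-specific. With this check those guests still lose SMT and some physical hosts keep it despite the l1tf/mds loop below, which inverts the intent stated in the commit message. On x86 the CPUID hypervisor bit is the reliable signal, e.g. `grep -qw hypervisor /proc/cpuinfo`, and for the aarch64/armv5tel targets in the rootfiles lists the DMI sys_vendor/product_name strings under /sys/devices/virtual/dmi/id can be consulted the same way running_on_oci reads chassis_asset_tag in 1/3.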