packages/nixos: add IMDS setup script

Azure needs special care for enabling IMDS within Peerpods. This adds a script to setup IMDS through Proxy ARP (from Peerpods upstream, see https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh), so that all requests to the IMDS from within the pod are routed through an interface that is peered to the Pod VM. Verified to work in 2 distinct Azure peer pods.
edgelesssys · Nov 11, 2024 · f48bf81 · f48bf81
1 parent 8da19c0
commit f48bf81
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 4 deletions.
diff --git a/packages/by-name/cloud-api-adaptor/package.nix b/packages/by-name/cloud-api-adaptor/package.nix
@@ -9,6 +9,10 @@
   libvirt,
   writeShellApplication,
   gnugrep,
+  iproute2,
+  iptables,
+  sysctl,
+  gawk,
   runCommand,
 
   # List of supported cloud providers
@@ -86,6 +90,21 @@ buildGoModule rec {
         "SC2153"
       ];
     };
+
+    setup-nat-for-imds = writeShellApplication {
+      name = "setup-nat-for-imds";
+      runtimeInputs = [
+        iproute2
+        iptables
+        sysctl
+        gawk
+      ];
+      text = builtins.readFile "${cloud-api-adaptor.src}/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh";
+      meta = {
+        mainProgram = "peerpod-imds-nat";
+        homepage = "https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh";
+      };
+    };
   };
 
   meta = {

diff --git a/packages/nixos/azure.nix b/packages/nixos/azure.nix
@@ -72,10 +72,7 @@ in
 
     services.udev.extraRules = azure-storage-rules;
     systemd.services.azure-readiness-report = {
-      wantedBy = [
-        "basic.target"
-        "multi-user.target"
-      ];
+      wantedBy = [ "multi-user.target" ];
       wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       description = "Azure Readiness Report";
@@ -85,5 +82,21 @@ in
         ExecStart = "${lib.getExe pkgs.azure-no-agent}";
       };
     };
+
+    systemd.services.setup-nat-for-imds = {
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      description = "Setup NAT for IMDS";
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = "yes";
+        # TODO: Find out why just ordering this after network-online.target
+        # isn't sufficient. (Errors with saying that the network is unreachable)
+        Restart = "on-failure";
+        RestartSec = "5s";
+        ExecStart = "${lib.getExe pkgs.cloud-api-adaptor.setup-nat-for-imds}";
+      };
+    };
   };
 }