From f48bf819eb27a8886ef0cf0d7c8e95fea1caf8c3 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Mon, 11 Nov 2024 08:41:53 +0100
Subject: [PATCH] packages/nixos: add IMDS setup script

Azure needs special care for enabling IMDS within Peerpods. This adds a script to setup IMDS through Proxy ARP (from Peerpods upstream, see https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh), so that all requests to the IMDS from within the pod are routed through an interface that is peered to the Pod VM.

Verified to work in 2 distinct Azure peer pods.
---
 .../by-name/cloud-api-adaptor/package.nix | 19 +++++++++++++++++
 packages/nixos/azure.nix | 21 +++++++++++++++----
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/packages/by-name/cloud-api-adaptor/package.nix b/packages/by-name/cloud-api-adaptor/package.nix
index ab008d7ba6..3d5115c9f7 100644
--- a/packages/by-name/cloud-api-adaptor/package.nix
+++ b/packages/by-name/cloud-api-adaptor/package.nix
@@ -9,6 +9,10 @@
 libvirt,
 writeShellApplication,
 gnugrep,
+ iproute2,
+ iptables,
+ sysctl,
+ gawk,
 runCommand,
 
 # List of supported cloud providers
@@ -86,6 +90,21 @@ buildGoModule rec {
 "SC2153"
 ];
 };
+
+ setup-nat-for-imds = writeShellApplication {
+ name = "setup-nat-for-imds";
+ runtimeInputs = [
+ iproute2
+ iptables
+ sysctl
+ gawk
+ ];
+ text = builtins.readFile "${cloud-api-adaptor.src}/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh";
+ meta = {
+ mainProgram = "peerpod-imds-nat";
+ homepage = "https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh";
+ };
+ };
 };
 
 meta = {
diff --git a/packages/nixos/azure.nix b/packages/nixos/azure.nix
index 612b48e767..88f625e026 100644
--- a/packages/nixos/azure.nix
+++ b/packages/nixos/azure.nix
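Review bot: `meta.mainProgram = "peerpod-imds-nat"` does not match `name = "setup-nat-for-imds"`, which is the file name writeShellApplication installs under bin/, and azure.nix launches this package through `lib.getExe pkgs.cloud-api-adaptor.setup-nat-for-imds`; as far as I can tell getExe resolves to bin/<mainProgram>, so that ExecStart path would not exist. Either drop the mainProgram override or make it agree with the installed name, `mainProgram = "setup-nat-for-imds";`. Since the script text is read from the pinned cloud-api-adaptor source, its content is fixed by that derivation's hash, which is worth stating in a comment above `setup-nat-for-imds` together with a note that `runtimeInputs` must track the tools the upstream script calls (the script itself is not visible in this patch, so I cannot confirm the list is complete).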
@@ -72,10 +72,7 @@ in
 services.udev.extraRules = azure-storage-rules;
 
 systemd.services.azure-readiness-report = {
- wantedBy = [
- "basic.target"
- "multi-user.target"
- ];
+ wantedBy = [ "multi-user.target" ];
 wants = [ "network-online.target" ];
 after = [ "network-online.target" ];
 description = "Azure Readiness Report";
@@ -85,5 +82,21 @@ in
 ExecStart = "${lib.getExe pkgs.azure-no-agent}";
 };
 };
+
+ systemd.services.setup-nat-for-imds = {
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ description = "Setup NAT for IMDS";
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ # TODO: Find out why just ordering this after network-online.target
+ # isn't sufficient. (Errors with saying that the network is unreachable)
+ Restart = "on-failure";
+ RestartSec = "5s";
+ ExecStart = "${lib.getExe pkgs.cloud-api-adaptor.setup-nat-for-imds}";
+ };
+ };
 };
 }
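Review bot: Dropping "basic.target" from azure-readiness-report's wantedBy is unrelated to the IMDS setup script and is not explained by the commit message, so the reason it was removed is lost to history. A sentence in the description stating why the unit no longer needs to be pulled in by basic.target, or a separate commit, would keep that traceable. The azure-readiness-report unit continues past this hunk.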
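Review bot: The new unit rewires how the pod reaches the Azure IMDS but nothing in azure.nix says what that exposes; a comment above `systemd.services.setup-nat-for-imds` such as `# Routes the pod's IMDS requests to the Pod VM's own IMDS via the peered interface, so any process in the pod can query the Pod VM's instance metadata.` would make the trust boundary explicit (the exact mechanism is in the upstream script, which this patch does not show). The `Restart = "on-failure"` loop masks the ordering problem the TODO admits: network-online.target only guarantees readiness when a wait-online service for the network backend in use is active, so if none is, ordering after that backend's own unit is the usual fix and would let the retry and `RestartSec` go. Presumably a failed first run can also leave partial iptables or sysctl state behind that the retry then applies again; worth confirming the script is idempotent before keeping the restart, or adding an `ExecStop` that removes the rules.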