From 58d24e735de29fb76646b4032b53e82ae62ed9fa Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 29 Oct 2020 21:20:29 +0100
Subject: [PATCH] netns-bitcoind: allow RPC access from main netns

---
 modules/bitcoind.nix | 13 ++++---------
 modules/netns-isolation.nix | 15 ++++-----------
 pkgs/netns-exec/src/main.c | 1 -
 test/tests.nix | 2 +-
 test/tests.py | 9 +++++----
 5 files changed, 14 insertions(+), 26 deletions(-)

diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 1f3ed98..14930ce 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -40,6 +40,7 @@ let
 '') (builtins.attrValues cfg.rpc.users)
 }
 ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
+ rpcconnect=${builtins.elemAt cfg.rpcbind 0}
 ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}

 # Wallet options
@@ -275,17 +276,12 @@ in {
 description = "What type of addresses to use";
 };
 cli = mkOption {
- type = types.package;
- # Overriden on netns-isolation
- default = cfg.cliBase;
- description = "Binary to connect with the bitcoind instance.";
- };
- cliBase = mkOption {
 readOnly = true;
 type = types.package;
 default = pkgs.writeScriptBin "bitcoin-cli" ''
 exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
 '';
+ description = "Binary to connect with the bitcoind instance.";
 };
 enforceTor = nix-bitcoin-services.enforceTor;
 };
@@ -341,9 +337,8 @@ in {
 fi
 '';
 postStart = ''
- cd ${cfg.cliBase}/bin
 # Poll until bitcoind accepts commands. This can take a long time.
- while ! ./bitcoin-cli getnetworkinfo &> /dev/null; do
+ while ! ${cfg.cli}/bin/bitcoin-cli getnetworkinfo &> /dev/null; do
 sleep 1
 done
 '';
@@ -368,7 +363,7 @@ in {
 bindsTo = [ "bitcoind.service" ];
 after = [ "bitcoind.service" ];
 script = ''
- cd ${cfg.cliBase}/bin
+ cd ${cfg.cli}/bin
 echo "Importing node banlist..."
 cat ${./banlist.cli.txt} | while read line; do
 if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then
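Review bot: The added `rpcconnect=${builtins.elemAt cfg.rpcbind 0}` aborts Nix evaluation with a bare list-index error whenever `cfg.rpcbind` is empty; the option's default is outside this hunk, so if an empty list is a valid value the line needs a guard such as `${lib.optionalString (cfg.rpcbind != []) "rpcconnect=${builtins.elemAt cfg.rpcbind 0}"}`. The line also silently makes the first `rpcbind` entry the one every `bitcoin-cli` invocation connects to, which is an ordering contract callers setting `rpcbind` cannot see; a comment stating it, `# bitcoin-cli connects to the first rpcbind entry; keep the address reachable from wherever cfg.cli runs`, would document that. If that entry is not reachable, the `&> /dev/null` poll loop in the postStart hunk (`@@ -341,9 +337,8 @@`) hides the error and spins without bound instead of failing the unit.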
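Review bot: The description moved onto the now read-only `cli` option still reads as though it were a user-settable binary, but the option is `readOnly` and fixed to a wrapper that pins `-datadir`; the text should say so, e.g. `description = "Read-only: bitcoin-cli wrapper with -datadir set to cfg.dataDir, so it uses this instance's configuration (including rpcconnect)."`. Whether the generated config file actually lands in `cfg.dataDir` is not visible in this hunk, so confirm that before wording it that way.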
diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index a2578c8..ca6bd0d 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -252,18 +252,11 @@ in {

 services.bitcoind = {
 bind = netns.bitcoind.address;
- rpcbind = [
- "${netns.bitcoind.address}"
- "127.0.0.1"
- ];
+ rpcbind = [ netns.bitcoind.address ];
 rpcallowip = [
- "127.0.0.1"
- ] ++ map (n: "${netns.${n}.address}") netns.bitcoind.availableNetns;
- cli = let
- inherit (config.services.bitcoind) cliBase;
- in pkgs.writeScriptBin cliBase.name ''
- exec netns-exec ${netns.bitcoind.netnsName} ${cliBase}/bin/${cliBase.name} "$@"
- '';
+ bridgeIp # For operator user
+ netns.bitcoind.address
+ ] ++ map (n: netns.${n}.address) netns.bitcoind.availableNetns;
 };
 systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";

diff --git a/pkgs/netns-exec/src/main.c b/pkgs/netns-exec/src/main.c
index 67c75b2..8b1d15a 100644
--- a/pkgs/netns-exec/src/main.c
+++ b/pkgs/netns-exec/src/main.c
@@ -12,7 +12,6 @@
 static char *allowed_netns[] = {
 "nb-lnd",
 "nb-lightning-loop",
- "nb-bitcoind",
 "nb-liquidd",
 "nb-joinmarket"
 };
diff --git a/test/tests.nix b/test/tests.nix
index 436536d..07fe9b6 100644
--- a/test/tests.nix
+++ b/test/tests.nix
@@ -145,7 +145,7 @@ let
 testEnv = rec {
 services.bitcoind.regtest = true;
 systemd.services.bitcoind.postStart = mkAfter ''
- cli=${config.services.bitcoind.cliBase}/bin/bitcoin-cli
+ cli=${config.services.bitcoind.cli}/bin/bitcoin-cli
 address=$($cli getnewaddress)
 $cli generatetoaddress 10 $address
 '';
diff --git a/test/tests.py b/test/tests.py
index e2f918e..2d56f8d 100644
--- a/test/tests.py
+++ b/test/tests.py
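Review bot: Adding `bridgeIp` to `rpcallowip` changes the RPC access model from namespace membership to source-address allowlisting plus rpcauth: any process in the main network namespace that can reach the bridge address can now attempt RPC authentication, where previously reaching bitcoind required the setuid `netns-exec` helper (whose allowlist drops `nb-bitcoind` in the main.c hunk of this commit). That is presumably intended, but `# For operator user` undersells it; suggest `# bridgeIp: main-netns side of the bridge. Lets bitcoin-cli run from the main netns (operator user); access is then gated by rpcauth only, not by the namespace.`. Dropping `127.0.0.1` from both lists also means loopback inside `nb-bitcoind` no longer serves RPC, so anything that still targets 127.0.0.1 from within that namespace must go through `rpcconnect`; the NetworkNamespacePath line below shows the banlist importer runs there, and its path is outside this hunk to confirm.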
@@ -259,10 +259,11 @@ def _():
 assert_unreachable("bitcoind", ["btcpayserver", "spark-wallet", "lightning-loop"])
 assert_unreachable("btcpayserver", ["bitcoind", "lightning-loop", "liquidd"])

- # netns-exec should drop capabilities
- assert_full_match(
- "su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
- )
+ if "joinmarket" in enabled_tests:
+ # netns-exec should drop capabilities
+ assert_full_match(
+ "su operator -c 'netns-exec nb-joinmarket capsh --print | grep Current'", "Current: =\n"
+ )

 if "clightning" in enabled_tests:
 # netns-exec should fail for unauthorized namespaces
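Review bot: Gating the capability-drop assertion on `"joinmarket" in enabled_tests` means a run without joinmarket no longer verifies that `netns-exec` drops capabilities at all, whereas the removed lines checked it unconditionally; a regression in the privileged helper would pass unnoticed in those runs. Prefer picking the target namespace from whichever of the helper's allowed namespaces is enabled in the current run, so the check is skipped only when none of them is, and make that skip explicit in the test output rather than silent. The enclosing `_()` starts before this hunk.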