netns-bitcoind: allow RPC access from main netns

This commit is contained in:
Erik Arvstedt 2020-10-29 21:20:29 +01:00
parent 0e2ff948d3
commit 58d24e735d
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
5 changed files with 14 additions and 26 deletions


@ -40,6 +40,7 @@ let
'') (builtins.attrValues cfg.rpc.users) '') (builtins.attrValues cfg.rpc.users)
} }
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind} ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
rpcconnect=${builtins.elemAt cfg.rpcbind 0}
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip} ${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
# Wallet options # Wallet options
@ -275,17 +276,12 @@ in {
description = "What type of addresses to use"; description = "What type of addresses to use";
}; };
cli = mkOption { cli = mkOption {
type = types.package;
# Overriden on netns-isolation
default = cfg.cliBase;
description = "Binary to connect with the bitcoind instance.";
};
cliBase = mkOption {
readOnly = true; readOnly = true;
type = types.package; type = types.package;
default = pkgs.writeScriptBin "bitcoin-cli" '' default = pkgs.writeScriptBin "bitcoin-cli" ''
exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@" exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
''; '';
description = "Binary to connect with the bitcoind instance.";
}; };
enforceTor = nix-bitcoin-services.enforceTor; enforceTor = nix-bitcoin-services.enforceTor;
}; };
@ -341,9 +337,8 @@ in {
fi fi
''; '';
postStart = '' postStart = ''
cd ${cfg.cliBase}/bin
# Poll until bitcoind accepts commands. This can take a long time. # Poll until bitcoind accepts commands. This can take a long time.
while ! ./bitcoin-cli getnetworkinfo &> /dev/null; do while ! ${cfg.cli}/bin/bitcoin-cli getnetworkinfo &> /dev/null; do
sleep 1 sleep 1
done done
''; '';
@ -368,7 +363,7 @@ in {
bindsTo = [ "bitcoind.service" ]; bindsTo = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" ];
script = '' script = ''
cd ${cfg.cliBase}/bin cd ${cfg.cli}/bin
echo "Importing node banlist..." echo "Importing node banlist..."
cat ${./banlist.cli.txt} | while read line; do cat ${./banlist.cli.txt} | while read line; do
if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then
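Review bot: The new `rpcconnect=${builtins.elemAt cfg.rpcbind 0}` line in the first hunk will abort evaluation with an opaque "list index out of bounds" error if `cfg.rpcbind` is ever empty, and it silently picks the first entry when several bind addresses are configured; the option's default is not visible in this hunk, so I cannot tell whether emptiness is already excluded. A guarded form such as `${lib.optionalString (cfg.rpcbind != []) "rpcconnect=${lib.head cfg.rpcbind}\n"}` fails softly, or, if the list is meant to be non-empty, an `assertion` naming `services.bitcoind.rpcbind` would give a readable error. Since this goes into the shared bitcoin.conf, a one-line comment such as `# rpcconnect is consumed by bitcoin-cli (first rpcbind address); bitcoind is expected to ignore it` would make the intent clear — I believe bitcoind ignores the client-only option but have not confirmed it does not warn about it. The `config` string this hunk edits begins outside the visible lines.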


@ -252,18 +252,11 @@ in {
services.bitcoind = { services.bitcoind = {
bind = netns.bitcoind.address; bind = netns.bitcoind.address;
rpcbind = [ rpcbind = [ netns.bitcoind.address ];
"${netns.bitcoind.address}"
"127.0.0.1"
];
rpcallowip = [ rpcallowip = [
"127.0.0.1" bridgeIp # For operator user
] ++ map (n: "${netns.${n}.address}") netns.bitcoind.availableNetns; netns.bitcoind.address
cli = let ] ++ map (n: netns.${n}.address) netns.bitcoind.availableNetns;
inherit (config.services.bitcoind) cliBase;
in pkgs.writeScriptBin cliBase.name ''
exec netns-exec ${netns.bitcoind.netnsName} ${cliBase}/bin/${cliBase.name} "$@"
'';
}; };
systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind"; systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
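Review bot: The comment `bridgeIp # For operator user` on the new `rpcallowip` entry understates the exposure: if, as the bridge layout suggests, host-originated traffic into the bitcoind netns is sourced from `bridgeIp`, then every process in the main netns (any local user, not just `operator`) can now reach the RPC port, and nothing in this hunk restricts it by uid. Access is still gated by the rpcauth users written in bitcoind.nix, so this widens local attack surface rather than bypassing authentication, but the comment should say so — e.g. `bridgeIp # whole main netns can reach RPC; access is gated by rpcauth credentials`. If operator-only access is the actual goal, an owner-match firewall rule on the bridge (nftables `meta skuid operator`) would enforce it rather than documenting it. The hunk's trailing context lines are not visible in this view.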


@ -12,7 +12,6 @@
static char *allowed_netns[] = { static char *allowed_netns[] = {
"nb-lnd", "nb-lnd",
"nb-lightning-loop", "nb-lightning-loop",
"nb-bitcoind",
"nb-liquidd", "nb-liquidd",
"nb-joinmarket" "nb-joinmarket"
}; };


@ -145,7 +145,7 @@ let testEnv = rec {
services.bitcoind.regtest = true; services.bitcoind.regtest = true;
systemd.services.bitcoind.postStart = mkAfter '' systemd.services.bitcoind.postStart = mkAfter ''
cli=${config.services.bitcoind.cliBase}/bin/bitcoin-cli cli=${config.services.bitcoind.cli}/bin/bitcoin-cli
address=$($cli getnewaddress) address=$($cli getnewaddress)
$cli generatetoaddress 10 $address $cli generatetoaddress 10 $address
''; '';


@ -259,10 +259,11 @@ def _():
assert_unreachable("bitcoind", ["btcpayserver", "spark-wallet", "lightning-loop"]) assert_unreachable("bitcoind", ["btcpayserver", "spark-wallet", "lightning-loop"])
assert_unreachable("btcpayserver", ["bitcoind", "lightning-loop", "liquidd"]) assert_unreachable("btcpayserver", ["bitcoind", "lightning-loop", "liquidd"])
# netns-exec should drop capabilities if "joinmarket" in enabled_tests:
assert_full_match( # netns-exec should drop capabilities
"su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n" assert_full_match(
) "su operator -c 'netns-exec nb-joinmarket capsh --print | grep Current'", "Current: =\n"
)
if "clightning" in enabled_tests: if "clightning" in enabled_tests:
# netns-exec should fail for unauthorized namespaces # netns-exec should fail for unauthorized namespaces