netns-bitcoind: allow RPC access from main netns
This commit is contained in:
parent
0e2ff948d3
commit
58d24e735d
@ -40,6 +40,7 @@ let
|
|||||||
'') (builtins.attrValues cfg.rpc.users)
|
'') (builtins.attrValues cfg.rpc.users)
|
||||||
}
|
}
|
||||||
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
|
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
|
||||||
|
rpcconnect=${builtins.elemAt cfg.rpcbind 0}
|
||||||
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
|
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
|
||||||
|
|
||||||
# Wallet options
|
# Wallet options
|
||||||
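Review bot: `builtins.elemAt cfg.rpcbind 0` on the added rpcconnect line aborts evaluation with an index error whenever `cfg.rpcbind` is empty, and nothing in the hunk records that the option is now required to be non-empty. Either guard it, `${lib.optionalString (cfg.rpcbind != []) "rpcconnect=${builtins.elemAt cfg.rpcbind 0}\n"}`, or state the precondition on the option. rpcconnect is a client-side setting, so a short comment such as `# rpcconnect is read by bitcoin-cli (via -datadir); point it at the first rpcbind address` would make the intent of adding it to the daemon's config visible. The `let` binding that produces this string starts outside the hunk.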
@ -275,17 +276,12 @@ in {
|
|||||||
description = "What type of addresses to use";
|
description = "What type of addresses to use";
|
||||||
};
|
};
|
||||||
cli = mkOption {
|
cli = mkOption {
|
||||||
type = types.package;
|
|
||||||
# Overriden on netns-isolation
|
|
||||||
default = cfg.cliBase;
|
|
||||||
description = "Binary to connect with the bitcoind instance.";
|
|
||||||
};
|
|
||||||
cliBase = mkOption {
|
|
||||||
readOnly = true;
|
readOnly = true;
|
||||||
type = types.package;
|
type = types.package;
|
||||||
default = pkgs.writeScriptBin "bitcoin-cli" ''
|
default = pkgs.writeScriptBin "bitcoin-cli" ''
|
||||||
exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
|
exec ${cfg.package}/bin/bitcoin-cli -datadir='${cfg.dataDir}' "$@"
|
||||||
'';
|
'';
|
||||||
|
description = "Binary to connect with the bitcoind instance.";
|
||||||
};
|
};
|
||||||
enforceTor = nix-bitcoin-services.enforceTor;
|
enforceTor = nix-bitcoin-services.enforceTor;
|
||||||
};
|
};
|
||||||
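Review bot: `cli` becomes `readOnly` and `cliBase` is deleted, which breaks any configuration or module that referenced `services.bitcoind.cliBase` or overrode `services.bitcoind.cli`, and the hunk gives users no signal of the removal. A `lib.mkRemovedOptionModule [ "services" "bitcoind" "cliBase" ] "Use services.bitcoind.cli instead."` entry in the module's `imports` (outside this hunk) would turn the resulting undefined-attribute error into an explicit message. The description `"Binary to connect with the bitcoind instance."` is carried over unchanged although the wrapper now depends on the datadir config for its RPC target; presumably that is the rpcconnect line added in the first hunk, and the description could say so.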
@ -341,9 +337,8 @@ in {
|
|||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
postStart = ''
|
postStart = ''
|
||||||
cd ${cfg.cliBase}/bin
|
|
||||||
# Poll until bitcoind accepts commands. This can take a long time.
|
# Poll until bitcoind accepts commands. This can take a long time.
|
||||||
while ! ./bitcoin-cli getnetworkinfo &> /dev/null; do
|
while ! ${cfg.cli}/bin/bitcoin-cli getnetworkinfo &> /dev/null; do
|
||||||
sleep 1
|
sleep 1
|
||||||
done
|
done
|
||||||
'';
|
'';
|
||||||
@ -368,7 +363,7 @@ in {
|
|||||||
bindsTo = [ "bitcoind.service" ];
|
bindsTo = [ "bitcoind.service" ];
|
||||||
after = [ "bitcoind.service" ];
|
after = [ "bitcoind.service" ];
|
||||||
script = ''
|
script = ''
|
||||||
cd ${cfg.cliBase}/bin
|
cd ${cfg.cli}/bin
|
||||||
echo "Importing node banlist..."
|
echo "Importing node banlist..."
|
||||||
cat ${./banlist.cli.txt} | while read line; do
|
cat ${./banlist.cli.txt} | while read line; do
|
||||||
if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then
|
if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then
|
||||||
|
@ -252,18 +252,11 @@ in {
|
|||||||
|
|
||||||
services.bitcoind = {
|
services.bitcoind = {
|
||||||
bind = netns.bitcoind.address;
|
bind = netns.bitcoind.address;
|
||||||
rpcbind = [
|
rpcbind = [ netns.bitcoind.address ];
|
||||||
"${netns.bitcoind.address}"
|
|
||||||
"127.0.0.1"
|
|
||||||
];
|
|
||||||
rpcallowip = [
|
rpcallowip = [
|
||||||
"127.0.0.1"
|
bridgeIp # For operator user
|
||||||
] ++ map (n: "${netns.${n}.address}") netns.bitcoind.availableNetns;
|
netns.bitcoind.address
|
||||||
cli = let
|
] ++ map (n: netns.${n}.address) netns.bitcoind.availableNetns;
|
||||||
inherit (config.services.bitcoind) cliBase;
|
|
||||||
in pkgs.writeScriptBin cliBase.name ''
|
|
||||||
exec netns-exec ${netns.bitcoind.netnsName} ${cliBase}/bin/${cliBase.name} "$@"
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
|
systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
|
||||||
|
|
||||||
|
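Review bot: `bridgeIp # For operator user` in rpcallowip whitelists a source address, not a user: any process in the main namespace that can send from the bridge address passes this filter, and only the RPC credentials (`cfg.rpc.users` seen in the first hunk, or the cookie) actually restrict who may issue commands. The comment should say what the filter really admits, e.g. `bridgeIp # Clients in the main netns (e.g. the operator user); RPC auth still applies`. Dropping the netns-exec wrapper for `cli` also means main-netns bitcoin-cli traffic now crosses the bridge instead of staying inside nb-bitcoind, which is worth a sentence in the commit message; whether the firewall or routing rules covering that path exist is outside this hunk.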
@ -12,7 +12,6 @@
|
|||||||
static char *allowed_netns[] = {
|
static char *allowed_netns[] = {
|
||||||
"nb-lnd",
|
"nb-lnd",
|
||||||
"nb-lightning-loop",
|
"nb-lightning-loop",
|
||||||
"nb-bitcoind",
|
|
||||||
"nb-liquidd",
|
"nb-liquidd",
|
||||||
"nb-joinmarket"
|
"nb-joinmarket"
|
||||||
};
|
};
|
||||||
|
@ -145,7 +145,7 @@ let testEnv = rec {
|
|||||||
|
|
||||||
services.bitcoind.regtest = true;
|
services.bitcoind.regtest = true;
|
||||||
systemd.services.bitcoind.postStart = mkAfter ''
|
systemd.services.bitcoind.postStart = mkAfter ''
|
||||||
cli=${config.services.bitcoind.cliBase}/bin/bitcoin-cli
|
cli=${config.services.bitcoind.cli}/bin/bitcoin-cli
|
||||||
address=$($cli getnewaddress)
|
address=$($cli getnewaddress)
|
||||||
$cli generatetoaddress 10 $address
|
$cli generatetoaddress 10 $address
|
||||||
'';
|
'';
|
||||||
|
@ -259,10 +259,11 @@ def _():
|
|||||||
assert_unreachable("bitcoind", ["btcpayserver", "spark-wallet", "lightning-loop"])
|
assert_unreachable("bitcoind", ["btcpayserver", "spark-wallet", "lightning-loop"])
|
||||||
assert_unreachable("btcpayserver", ["bitcoind", "lightning-loop", "liquidd"])
|
assert_unreachable("btcpayserver", ["bitcoind", "lightning-loop", "liquidd"])
|
||||||
|
|
||||||
# netns-exec should drop capabilities
|
if "joinmarket" in enabled_tests:
|
||||||
assert_full_match(
|
# netns-exec should drop capabilities
|
||||||
"su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
|
assert_full_match(
|
||||||
)
|
"su operator -c 'netns-exec nb-joinmarket capsh --print | grep Current'", "Current: =\n"
|
||||||
|
)
|
||||||
|
|
||||||
if "clightning" in enabled_tests:
|
if "clightning" in enabled_tests:
|
||||||
# netns-exec should fail for unauthorized namespaces
|
# netns-exec should fail for unauthorized namespaces
|
||||||
|
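Review bot: The capability-drop check now runs only when `"joinmarket" in enabled_tests`, so scenarios without joinmarket lose the only assertion that netns-exec drops capabilities, whereas before it ran unconditionally against nb-bitcoind. Since nb-bitcoind is removed from allowed_netns in this commit, pairing the check with a namespace present in more scenarios, or adding an `else` branch using another allowed namespace, would keep the coverage. A negative assertion that `netns-exec nb-bitcoind` is refused for the operator user would pin the hardening this commit introduces, unless the `# netns-exec should fail for unauthorized namespaces` block below already covers it (its body is outside the hunk). The enclosing `def _()` starts outside the hunk.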