On SELinux-enabled systems, /etc/hosts has a different type `net_conf_t`
than the other files in /etc, so the temporary file that overwrites it
ends up with the wrong context, resulting in many system services
becoming unable to access the file. To fix this, manually look up the
context /etc/hosts has and copy it to the temporary file before
the rename.
In order to avoid depending on libselinux on systems that don't use it,
this support is gated behind the new "selinux" feature. It *is*
installed and enabled in the Dockerfile, however, in order to ensure
that it still builds.
* Add a new client / server command to rename CIDR.
* Add a docker test case
* Apply suggestions from code review
Co-authored-by: Matěj Laitl <matej@laitl.cz>
Co-authored-by: Jake McGinty <me@jakebot.org>
---------
Co-authored-by: Matěj Laitl <matej@laitl.cz>
Co-authored-by: Jake McGinty <me@jakebot.org>
* Add CLI parameters for disable/enable peer
Fixestonarino/innernet#214.
* Formatting
* Remove redundant clones
* Require name for yes param
Yes param only makes sense if name is provided.
* Formatting
* hostsfile: change internal map from hash to btree
This change makes the innernet section of /etc/hosts always ordered and
deterministic. We can take advantage of that to avoid writes, that will
be done in another commit.
* hostsfile: reduce number of writes if content hasn't changed
* hostsfile: return bool to inform if file has been written
This commit also makes the logs print accordingly to the new behavior.
* hostsfile: remove has_content_changed in favor of comparing old and new sections
* hostsfile: print the correct hosts path in log message
* hostsfile: remove unnecessary intermediate variable
* Turn ChangeString into a PeerChange enum, don't print NAT traversal reattempt as a modification
* Remove the ChangeString type
* Fix a stupid copy-paste error
* Add a missing call to reset a peer's endpoint when NAT traversal fails to connect to any endpoint candidates
* Simplify the process of resetting a peer to its server-reported endpoint
* client: Update enable_or_disable_peer exit message to be more accurate
* server: Implement disable-peer and enable-peer commands
* server: Immediately apply enable- and disable-peer to device
Surprisingly, Restart=always may not _always_ restart the unit if it restarts too fast.
Set a combination of options which should make systemd truly restart innernet always.
See https://unix.stackexchange.com/q/289629/352972.
The `RestartSec=60` is the main and important one which would prevent systemd from ever failing
to restart innernet in the default settings (because with it it would never exceed the default
limit of 5 restarts in 10 seconds).
`StartLimitIntervalSec=0` option is a complementary one for explicitly disabling the logic, and
may be removed from this PR if deemed unnecessary.
also introduces a new `netlink-request` crate to help modularize the netlink code. this currently depends on a fork of the `netlink` project, but we should be able to use the official version soon.
Brian Schwind