

packages/nixos: add IMDS setup script
Azure needs special care for enabling IMDS within Peerpods. This adds a script to set up IMDS through Proxy ARP (from Peerpods upstream, see https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh), so that all requests to the IMDS from within the pod are routed through an interface that is peered to the Pod VM. Verified to work in 2 distinct Azure peer pods.
msanft committed Dec 2, 2024
1 parent 65bae63 commit 70640cc
Showing 2 changed files with 40 additions and 4 deletions.
19 changes: 19 additions & 0 deletions packages/by-name/cloud-api-adaptor/package.nix
Expand Up @@ -10,6 +10,9 @@
writeShellApplication,
gnugrep,
iptables,
iproute2,
sysctl,
gawk,
runCommand,
applyPatches,
makeWrapper,
Expand Down Expand Up @@ -102,6 +105,22 @@ buildGoModule rec {
"SC2153"
];
};

setup-nat-for-imds = writeShellApplication {
name = "setup-nat-for-imds";
runtimeInputs = [
iproute2
iptables
sysctl
gawk
];
# TODO(burgerdev): generalize for all link-local IPs and investigate routing simplification
text = builtins.readFile "${cloud-api-adaptor.src}/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh";
meta = {
mainProgram = "setup-nat-for-imds";
homepage = "https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/podvm/files/usr/local/bin/setup-nat-for-imds.sh";
};
};
};

meta = {
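Review bot: The new `setup-nat-for-imds` derivation ships the upstream script verbatim via `builtins.readFile` but says nothing about what it changes on the host: per the commit description, every IMDS request made from inside the pod is redirected onto an interface peered with the Pod VM, so the workload inherits the Pod VM's reachability to IMDS (and, if the VM carries a managed identity, to whatever token endpoints IMDS serves it). A one-line comment above `text =` would make that trust-boundary change visible to the next reader, e.g. `# Redirects pod-originated IMDS traffic to the Pod VM's peered interface; workloads then see the Pod VM's IMDS, so treat this as part of the pod's trust boundary.` Note also that `meta.homepage` points at the `main` branch while `text` is pinned to `cloud-api-adaptor.src`, so the linked script and the shipped script can diverge; a short comment that the pinned revision is authoritative would avoid confusion. The attribute set this `setup-nat-for-imds = …;` lives in opens outside the hunk.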
25 changes: 21 additions & 4 deletions packages/nixos/azure.nix
Expand Up @@ -72,10 +72,7 @@ in

services.udev.extraRules = azure-storage-rules;
systemd.services.azure-readiness-report = {
wantedBy = [
"basic.target"
"multi-user.target"
];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
description = "Azure Readiness Report";
Expand All @@ -85,5 +82,25 @@ in
ExecStart = "${lib.getExe pkgs.azure-no-agent}";
};
};

systemd.services.setup-nat-for-imds = {
wantedBy = [ "multi-user.target" ];
requires = [ "[email protected]" ];
wants = [ "network-online.target" ];
after = [
"network-online.target"
"[email protected]"
];
description = "Setup NAT for IMDS";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
# TODO: Find out why just ordering this after network-online.target
# isn't sufficient. (Errors with saying that the network is unreachable)
Restart = "on-failure";
RestartSec = "5s";
ExecStart = "${lib.getExe pkgs.cloud-api-adaptor.setup-nat-for-imds}";
};
};
};
}
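Review bot: The `Restart = "on-failure"` / `RestartSec = "5s"` pair under `serviceConfig` works around the ordering problem the TODO directly above it admits, and a oneshot that retries a routing/iptables change until it sticks can leave the pod without an IMDS path for a while with nothing in the unit's state hinting at it beyond the restart count. Until the missing dependency is found, I would record the workaround in the TODO so it is not mistaken for a deliberate design, e.g. `# Restart= is a stopgap for the unresolved ordering issue above; remove once the required device/link unit is added to after=.` The unit names given in `requires` and `after` are not legible on this page (rendered as `[email protected]`), so I cannot tell whether they already cover the peered interface the script needs; if they do, the TODO should say what else was observed to be missing. The service has no `User=`, so it runs as root and reconfigures routing and iptables; that is expected for this job, but worth stating in a comment so nobody later adds sandboxing that silently breaks it.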
