From ea81317d3757f625c6728ef8b1bd512aa3393332 Mon Sep 17 00:00:00 2001 From: Boris Kolpackov Date: Fri, 24 Mar 2017 13:54:49 +0200 Subject: Implement second stage (systemd) network configuration --- bootstrap | 16 +++++++++++--- doc/manual.cli | 19 ++++++++++++---- init | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++----- 3 files changed, 91 insertions(+), 13 deletions(-) diff --git a/bootstrap b/bootstrap index 18343be..c97d30b 100755 --- a/bootstrap +++ b/bootstrap @@ -30,7 +30,7 @@ btrfs=/btrfs release="unstable" mirror="https://deb.debian.org/debian/" passwd="123" #@@ TMP root passwd. -macaddr="DE:AD:BE:EF:B8:DA" # Mac address for testing. +macaddr="de:ad:be:ef:b8:da" # Mac address for testing. root="$btrfs/$id/buildos" @@ -141,9 +141,15 @@ if [ "$stage" -eq "1" ]; then # - systemd-container seems to be required by host systemd-nspawn. # pkgs="locales,systemd-container" - pkgs+=",net-tools,iproute2,iptables,isc-dhcp-client,ifupdown,ntp" - pkgs+=",iputils-ping,wget,curl" + pkgs+=",linux-image-amd64,irqbalance,pciutils" + + pkgs+=",hdparm,btrfs-progs" + + pkgs+=",net-tools,iproute2,iptables,isc-dhcp-client" + pkgs+=",ifupdown,bridge-utils,dnsmasq,ntp" + pkgs+=",iputils-ping,wget,curl" + pkgs+=",less" sudo debootstrap \ @@ -208,6 +214,10 @@ chattr +i /etc/localtime # chpasswd <<<'root:$passwd' +# Enable IPv4 forwarding (used for private bridge NAT). +# +sed -i 's/^# *\(net.ipv4.ip_forward\).*/\1=1/' /etc/sysctl.conf + # Setup locale. We only support en_US.UTF-8. # sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen diff --git a/doc/manual.cli b/doc/manual.cli index 22cbd13..e5d6cf3 100644 --- a/doc/manual.cli +++ b/doc/manual.cli 
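Review bot: The `sed -i 's/^# *\(net.ipv4.ip_forward\).*/\1=1/' /etc/sysctl.conf` in the third bootstrap hunk only enables forwarding if the target's /etc/sysctl.conf still carries the commented-out `net.ipv4.ip_forward` template line; on an image where that line is absent the substitution silently matches nothing, the chroot build still succeeds, and the private-bridge NAT that init sets up will not pass traffic. A drop-in does not depend on the template file: `printf 'net.ipv4.ip_forward=1\n' >/etc/sysctl.d/<name>.conf` (filename to be chosen), or at minimum follow the sed with `grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf` so the build fails loudly when the edit did not take. Enabling forwarding here is system-wide, so it is worth a comment that the actual forwarding policy is enforced by the iptables rules in init rather than by this setting.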
@@ -105,13 +105,24 @@ sudo kvm \ \h2#config-net|Network| -Network is configured via DHCP. All Ethernet intrface that have carrier are -tried in (some) order and the first interface that is successfully configured -via DHCP is used. +Network is configured via DHCP. Initially, all Ethernet interfaces that have +carrier are tried in (some) order and the first interface that is successfully +configured via DHCP is used. Hostname is configured from the DHCP information. Failed that, a name is generated based on the MAC address, in the form \c{build-xxxxxxxxxx}. +@@ Maybe also kernel cmdline? -@@ Maybe also kernel cmdline. +Based on the discovery of the Ethernet interface, two bridge interfaces are +configured: \c{br0} is a public bridge that includes the Ethernet interface +and is configured via DHCP. \c{br1} is a private interface with NAT to \c{br0} +with \c{dnsmasq} configured as a DHCP on this interface. + +Normally, \c{br0} is used for \c{bslave} virtual machines/container (since +they may need to be accessed directly) and \c{br1} \- for \c{bbot} virtual +machines. You can view the bridge configuration on a booted \c{buildos} +instance by examining \c{/etc/network/interfaces}. + +@@ TODO: private network parameters. " diff --git a/init b/init index b733fde..28ec293 100755 --- a/init +++ b/init 
@@ -137,24 +137,81 @@ if [ -z "$eth" ]; then fi mac="$(cat "/sys/class/net/$eth/address")" +mid="$(sed -e 's/://g' <<<"$mac")" # Machine id. info "configured $eth ($mac)" # Set the hostname. # hname="$(hostname)" - if [ "$hname" = "(none)" ]; then - hname="build-$(sed -e 's/://g' <<<"$mac")" + hname="build-$mid" hostname "$hname" fi - echo "$hname" >/etc/hostname info "hostname $hname" -# --machine-id +# Stop DHCP client without releasing the lease and deconfigure the interface. +# The plan is to generate a bridge-based /etc/network/interfaces configuration +# based on what we have discovered and then let the systemd networking bringup +# to configure everything (at which point we will hopefully reuse the lease). +# +dhclient -q -x + +# @@ Need to be make configurable. # -#exec /lib/systemd/systemd #/dev/console 2>&1 +priv_network="172.16.123.0" +priv_netmask="255.255.255.0" +priv_netbase="$(sed -e 's/^\(.*\)\.0$/\1/' <<<"$priv_network")" -exec /bin/bash +cat </etc/network/interfaces +auto lo +iface lo inet loopback + +# Public bridge. +# +auto br0 +iface br0 inet dhcp + bridge_ports $eth + bridge_stp off + bridge_maxwait 0 + bridge_fd 0 + bridge_mac $mac + +# Private bridge with NAT to br0. +# +auto br1 +iface br1 inet static + address ${priv_netbase}.1 + netmask $priv_netmask + bridge_ports none + bridge_stp off + bridge_maxwait 0 + bridge_fd 0 + post-up iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE + post-up iptables -A FORWARD -i br0 -o br1 -m state --state RELATED,ESTABLISHED -j ACCEPT + post-up iptables -A FORWARD -i br1 -o br0 -j ACCEPT +EOF + +cat </etc/dnsmasq.d/br1-dhcp +interface=br1 +bind-interfaces +dhcp-range=${priv_netbase}.10,${priv_netbase}.250,12h +EOF + +/bin/bash + +# Hand off to systemd. But first arrange to keep console output (which +# becomes tty1). 
+# +mkdir -p /etc/systemd/system/getty@tty1.service.d +cat </etc/systemd/system/getty@tty1.service.d/noclear.conf +[Service] +TTYVTDisallocate=no +EOF + +exec /lib/systemd/systemd \ + --show-status=1 \ + --machine-id="00000000000000000000$mid" \ + /dev/console 2>&1 -- cgit v1.1
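Review bot: The bare `/bin/bash` added just before the systemd hand-off is not gated by anything, so every boot stops at an interactive root shell on the console until it exits; it reads like a debugging step left over from replacing the old `exec /bin/bash`, and should be removed or put behind a kernel command-line flag (the manual hunk already lists cmdline handling as a TODO). Separately, the `post-up` rules in the br1 stanza only append ACCEPT entries and nothing in the hunk sets a FORWARD policy, so with the usual default of ACCEPT and `ip_forward=1` from bootstrap, traffic not matched by these rules (for example new connections from br0 into br1) is presumably still forwarded; adding `post-up iptables -P FORWARD DROP` (or an explicit `-A FORWARD -i br0 -o br1 -j DROP` after the RELATED,ESTABLISHED rule) would make the NAT one-way as the comment describes. The three `post-up iptables -A` lines are also re-appended on every `ifup br1`, so matching `pre-down iptables ... -D ...` lines would stop the ruleset accumulating duplicates across interface restarts. In this rendering the here-doc operators appear truncated (`cat </etc/network/interfaces` paired with a closing `EOF`), presumably `<<EOF >` in the original; the hunk opens on the closing `fi` of an `if` block whose start is outside the hunk.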