NetworkManager/clients/cloud-setup/nm-cloud-setup.service.in

[Unit]
Description=Automatically configure NetworkManager in cloud
After=NetworkManager.service

[Service]
Type=oneshot
ExecStart=@libexecdir@/nm-cloud-setup

#Environment=NM_CLOUD_SETUP_LOG=TRACE

# Cloud providers are disabled by default. You need to
# Opt-in by setting the right environment variable for
# the provider.
#Environment=NM_CLOUD_SETUP_EC2=yes

CapabilityBoundingSet=
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service

[Install]
WantedBy=NetworkManager.service
cloud-setup: add tool for automatic IP configuration in cloud This is a tool for automatically configuring networking in a cloud environment. Currently it only supports IPv4 on EC2, but it's intended for extending to other cloud providers (Azure). See [1] and [2] for how to configure secondary IP addresses on EC2. This is what the tool currently aims to do (but in the future it might do more). [1] https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ubuntu-secondary-network-interface/ It is inspired by SuSE's cloud-netconfig ([1], [2]) and ec2-net-utils package on Amazon Linux ([3], [4]). [1] https://www.suse.com/c/multi-nic-cloud-netconfig-ec2-azure/ [2] https://github.com/SUSE-Enceladus/cloud-netconfig [3] https://github.com/aws/ec2-net-utils [4] https://github.com/lorengordon/ec2-net-utils.git It is also intended to work without configuration. The main point is that you boot an image with NetworkManager and nm-cloud-setup enabled, and it just works. 2019-11-12 14:54:22 +00:00			`[Unit]`
			`Description=Automatically configure NetworkManager in cloud`
cloud-setup: let dispatcher script run tool only if service is enabled We don't want that when the user installs the package, that the dispatcher script automatically executes the tool. Instead, the user should use `systemctl enable/disable` to control whether the service is active (of via the timer). Hence, let the dispatcher script check whether the service is enabled. That leads to a different problem, that we need to make it possible for "nm-cloud-setup.service" to be enabled in the first place. As such, add a [Install] section and let it be wanted by NetworkManager.service. The problem with this is that now the tool will run very early, just after NetworkManager started. At that point, it might not yet have setup networking. But that should be acceptable, after all, the tool either fails to fetch meta data that early, or it succeeds. Very likely, it will by aborted by dispatcher's restart command. (cherry picked from commit 953e01336a1c062ee988d3dfe4650dd7c4ba2778) 2019-12-03 09:17:11 +00:00			`After=NetworkManager.service`
cloud-setup: add tool for automatic IP configuration in cloud This is a tool for automatically configuring networking in a cloud environment. Currently it only supports IPv4 on EC2, but it's intended for extending to other cloud providers (Azure). See [1] and [2] for how to configure secondary IP addresses on EC2. This is what the tool currently aims to do (but in the future it might do more). [1] https://aws.amazon.com/premiumsupport/knowledge-center/ec2-ubuntu-secondary-network-interface/ It is inspired by SuSE's cloud-netconfig ([1], [2]) and ec2-net-utils package on Amazon Linux ([3], [4]). [1] https://www.suse.com/c/multi-nic-cloud-netconfig-ec2-azure/ [2] https://github.com/SUSE-Enceladus/cloud-netconfig [3] https://github.com/aws/ec2-net-utils [4] https://github.com/lorengordon/ec2-net-utils.git It is also intended to work without configuration. The main point is that you boot an image with NetworkManager and nm-cloud-setup enabled, and it just works. 2019-11-12 14:54:22 +00:00
			`[Service]`
			`Type=oneshot`
			`ExecStart=@libexecdir@/nm-cloud-setup`

			`#Environment=NM_CLOUD_SETUP_LOG=TRACE`
cloud-setup: enable more sandboxing in systemd unit (cherry picked from commit 667ae99f5dd673f7c2a92f6a4d9ba1e866811003) 2019-12-03 07:55:28 +00:00
cloud-setup: require to explicitly opt-in for providers via environment variable "nm-cloud-setup" is supposed to work without configuration. However, it (obviously) fetches data from the network you are connected to (which might be untrusted or controlled by somebody malicious). The tool cannot protect you against that, also because the meta data services uses HTTP and not HTTPS. It means, you should run the tool only when it's suitable for your environment, that is: in the right cloud. Usually, the user/admin/distributor would know for which cloud the enable the tool. It's also wasteful to repeatedly probe for the unavailable cloud. So, instead disable all providers by default and require to opt-in by setting an environment variable. This can be conveniently done via `systemctl edit nm-cloud-provider.service` to set Environment=. Of course, a image can also pre-deploy such am override file. (cherry picked from commit ff816dec17d34d996fc7dd5306945f10ed4add32) 2019-12-03 09:37:42 +00:00			`# Cloud providers are disabled by default. You need to`
			`# Opt-in by setting the right environment variable for`
			`# the provider.`
			`#Environment=NM_CLOUD_SETUP_EC2=yes`

cloud-setup: enable more sandboxing in systemd unit (cherry picked from commit 667ae99f5dd673f7c2a92f6a4d9ba1e866811003) 2019-12-03 07:55:28 +00:00			`CapabilityBoundingSet=`
			`LockPersonality=yes`
			`MemoryDenyWriteExecute=yes`
			`NoNewPrivileges=yes`
			`PrivateDevices=yes`
			`PrivateTmp=yes`
			`ProtectControlGroups=yes`
			`ProtectHome=yes`
			`ProtectHostname=yes`
			`ProtectKernelLogs=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelTunables=yes`
			`ProtectSystem=strict`
			`RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6`
			`RestrictNamespaces=yes`
			`RestrictRealtime=yes`
			`RestrictSUIDSGID=yes`
			`SystemCallFilter=@system-service`
cloud-setup: let dispatcher script run tool only if service is enabled We don't want that when the user installs the package, that the dispatcher script automatically executes the tool. Instead, the user should use `systemctl enable/disable` to control whether the service is active (of via the timer). Hence, let the dispatcher script check whether the service is enabled. That leads to a different problem, that we need to make it possible for "nm-cloud-setup.service" to be enabled in the first place. As such, add a [Install] section and let it be wanted by NetworkManager.service. The problem with this is that now the tool will run very early, just after NetworkManager started. At that point, it might not yet have setup networking. But that should be acceptable, after all, the tool either fails to fetch meta data that early, or it succeeds. Very likely, it will by aborted by dispatcher's restart command. (cherry picked from commit 953e01336a1c062ee988d3dfe4650dd7c4ba2778) 2019-12-03 09:17:11 +00:00
			`[Install]`
			`WantedBy=NetworkManager.service`