authorJoey Hess2015-06-01 14:18:36 -0400
committerJoey Hess2015-06-01 14:18:36 -0400
commit65357750d212ac3d8faaad0340f8259d74913810 (patch)
tree505f46bc32f956d064b120da7cf7e1b353b5baff
parenta5bb972d94b2e29f73ecfa4abab275400d0caeef (diff)
Added publish property for systemd-spawn containers. (Needs systemd version 220.)
-rw-r--r--debian/changelog2
-rw-r--r--src/Propellor/Property/Systemd.hs46
2 files changed, 45 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 6a105804..9b75e118 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,8 @@ propellor (2.5.0) UNRELEASED; urgency=medium
* Mount /proc inside a chroot before provisioning it, to work around #787227
* --spin now works when given a short hostname that only resolves to an
ipv6 address.
+ * Added publish property for systemd-spawn containers.
+ (Needs systemd version 220.)
-- Joey Hess <id@joeyh.name> Thu, 07 May 2015 12:08:34 -0400
diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs
index c698f780..21b66cb8 100644
--- a/src/Propellor/Property/Systemd.hs
+++ b/src/Propellor/Property/Systemd.hs
@@ -1,22 +1,30 @@
module Propellor.Property.Systemd (
+ -- * Services
module Propellor.Property.Systemd.Core,
ServiceName,
- MachineName,
started,
stopped,
enabled,
disabled,
restarted,
- persistentJournal,
+ -- * Configuration
Option,
configured,
- journaldConfigured,
daemonReloaded,
+ -- * Journal
+ persistentJournal,
+ journaldConfigured,
+ -- * Containers
+ MachineName,
Container,
container,
nspawned,
+ -- * Container configuration
containerCfg,
resolvConfed,
+ publish,
+ Proto(..),
+ publish'
) where
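Review bot: `privateNetwork` is introduced by this commit but is missing from the new `-- * Container configuration` export group, so a user can neither enable it on its own nor revert it once `publish` has pulled it in through `requires`. Unless keeping it internal is deliberate, add `privateNetwork,` after `resolvConfed,` in this list. If it is meant to stay internal, a one-line haddock on its definition saying so would stop the next reader from re-exporting it by accident.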
import Propellor
@@ -24,6 +32,7 @@ import Propellor.Types.Chroot
import qualified Propellor.Property.Chroot as Chroot
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.File as File
+import Propellor.Property.Firewall (Port)
import Propellor.Property.Systemd.Core
import Utility.FileMode
@@ -270,3 +279,34 @@ containerCfg p = RevertableProperty (mk True) (mk False)
-- This property is enabled by default. Revert it to disable it.
resolvConfed :: RevertableProperty
resolvConfed = containerCfg "bind=/etc/resolv.conf"
+
+-- | Disconnect networking of the container from the host.
+privateNetwork :: RevertableProperty
+privateNetwork = containerCfg "private-network"
+
+-- | Publish a container's (tcp) port to same port on the host.
+--
+-- This automatically enables privateNetwork, so all non-published ports
+-- will not be accessible outside the container.
+--
+-- Note that this feature was first added in systemd version 220.
+publish :: Port -> RevertableProperty
+publish p = publish' TCP p p
+ `requires` privateNetwork
+
+data Proto = TCP | UDP
+
+publish'
+ :: Proto
+ -> Port -- ^ Host port
+ -> Port -- ^ Container port
+ -> RevertableProperty
+publish' proto hostport containerport = containerCfg $ "--port=" ++
+ intercalate ":"
+ [ sproto proto
+ , show hostport
+ , show containerport
+ ]
+ where
+ sproto TCP = "tcp"
+ sproto UDP = "udp"
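Review bot: `publish'` passes `containerCfg` an option string that already carries its `--` prefix (`"--port=" ++ ...`), while the two sibling properties in this file, `resolvConfed` (`"bind=/etc/resolv.conf"`) and the new `privateNetwork` (`"private-network"`), pass the bare option name; `containerCfg`'s body is outside this hunk so I cannot see which form it expects, but one of the two conventions must yield a malformed nspawn argument (`----port=...` or `-bind=...`), so please check it and, if `containerCfg` adds the prefix itself, use `containerCfg $ "port=" ++ intercalate ":" [...]`. Separately, `--private-network` on its own gives the container only a loopback interface, and as far as I recall the systemd-nspawn man page `--port=` only forwards when a veth/bridge/zone link exists, so the `requires privateNetwork` wiring may need `network-veth` as well — worth verifying on systemd 220 before users rely on the haddock's claim that non-published ports are unreachable from outside. Finally, `Proto` is exported without instances; `data Proto = TCP | UDP deriving (Show, Eq)` would make it usable in property descriptions and tests.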