make passing version=v4 instead of light

rename zdblight to zdb and do some hardening

Signed-off-by: Ashraf Fouda <[email protected]>

bootstrap/bootstrap/README.md

@@ -20,4 +20,4 @@ will do a multiple stage bootstrap. Currently this is only two stages:
 - After internet service is fully started, bootstrap will start to download flists needed for zos node to work properly
 - As described above bootstrap run in two stages:
   - The first stage is used to update bootstrap itself, and it is done like that to avoid re-building the image if we only changed the bootstrap code. this update is basically done from `tf-autobuilder` repo in the [hub/tf-autobuilder](https://hub.grid.tf/tf-autobuilder) and download the latest bootstrap flist
-  - For the second stage bootstrap will download the flists for that env. bootstrap cares about `runmode` argument that we pass during the start of the node. for example if we passed `runmode=dev-light` it will get the the tag `development-light` under [hub/tf-zos](https://hub.grid.tf/tf-zos) each tag is linked to a sub-directory where all flists for this env exists to be downloaded and installed on the node
+  - For the second stage bootstrap will download the flists for that env. bootstrap cares about `runmode` argument that we pass during the start of the node. for example if we passed `runmode=dev` it will get the the tag `development` under [hub/tf-zos](https://hub.grid.tf/tf-zos) each tag is linked to a sub-directory where all flists for this env exists to be downloaded and installed on the node

bootstrap/bootstrap/src/bootstrap.rs

@@ -26,15 +26,19 @@ fn bootstrap_zos(cfg: &config::Config) -> Result<()> {
     let flist = match &cfg.runmode {
         RunMode::Prod => match &cfg.version {
             Version::V3 => "zos:production-3:latest.flist",
+            _ => bail!("unsupported version in old style"),
         },
         RunMode::Dev => match &cfg.version {
             Version::V3 => "zos:development-3:latest.flist",
+            _ => bail!("unsupported version in old style"),
         },
         RunMode::Test => match &cfg.version {
             Version::V3 => "zos:testing-3:latest.flist",
+            _ => bail!("unsupported version in old style"),
         },
         RunMode::QA => match &cfg.version {
             Version::V3 => "zos:qa-3:latest.flist",
+            _ => bail!("unsupported version in old style"),
         },
     };
 
@@ -118,8 +122,9 @@ pub fn install(cfg: &config::Config) -> Result<()> {
     let runmode = cfg.runmode.to_string();
 
     let mut listname = runmode.clone();
-    if cfg.light {
-        listname = format!("{}-light", runmode)
+    match cfg.version {
+        Version::V3 => {}
+        Version::V4 => listname = format!("{}-v4", runmode),
     }
     // we need to list all taglinks
     let mut tag = None;
@@ -167,6 +172,7 @@ pub fn install(cfg: &config::Config) -> Result<()> {
 fn install_packages_old(cfg: &config::Config) -> Result<()> {
     let name = match cfg.version {
         Version::V3 => BIN_REPO_V3,
+        _ => bail!("unsupported version for old style"),
     };
 
     let repo = match cfg.runmode {

bootstrap/bootstrap/src/config.rs

@@ -28,6 +28,7 @@ impl Display for RunMode {
 #[derive(Debug)]
 pub enum Version {
     V3,
+    V4,
 }
 
 fn runmode() -> Result<RunMode> {
@@ -64,6 +65,7 @@ fn version() -> Result<Version> {
         Some(input) => match input {
             Some(input) => match input.as_ref() {
                 "v3" => Version::V3,
+                "v4" => Version::V4,
                 m => {
                     bail!("unknown version: {}", m);
                 }
@@ -78,20 +80,11 @@ fn version() -> Result<Version> {
     Ok(ver)
 }
 
-fn light() -> Result<bool> {
-    let params = kparams::params()?;
-    if params.contains_key("light") {
-        return Ok(true);
-    }
-    Ok(false)
-}
-
 pub struct Config {
     pub stage: u32,
     pub debug: bool,
     pub runmode: RunMode,
     pub version: Version,
-    pub light: bool,
 }
 
 impl Config {
@@ -114,12 +107,6 @@ impl Config {
                     .takes_value(false)
                     .help("run in debug mode, will use the bootstrap:development.flist"),
             )
-            .arg(
-                Arg::with_name("light")
-                    .short("l")
-                    .takes_value(false)
-                    .help("run in light mode, will use the bootstrap:development.flist"),
-            )
             .get_matches();
 
         let stage: u32 = match matches.value_of("stage").unwrap().parse() {
@@ -138,7 +125,6 @@ impl Config {
             debug: matches.occurrences_of("debug") > 0,
             runmode: runmode()?,
             version: version()?,
-            light: light()?,
         })
     }
 }

bootstrap/bootstrap/src/kparams.rs

@@ -40,11 +40,11 @@ mod tests {
 
     #[test]
     fn test_parse() -> Result<(), Error> {
-        let input: &str = "initrd=initramfs-linux.img light root=UUID=10f9e7bb-ba63-4fbd-a95e-c78b5496cfbe rootflags=subvol=root rw b43.allhwsupport=1";
+        let input: &str = "initrd=initramfs-linux.img version=v3 root=UUID=10f9e7bb-ba63-4fbd-a95e-c78b5496cfbe rootflags=subvol=root rw b43.allhwsupport=1";
         let result = parse(input.as_bytes())?;
         assert_eq!(result.len(), 6);
         assert_eq!(result["rw"], None);
-        assert_eq!(result.contains_key("light"), true);
+        assert_eq!(result["version"], Some(String::from("v3")));
         assert_eq!(result["rootflags"], Some(String::from("subvol=root")));
         Ok(())
     }

cmds/modules/netlightd/main.go

@@ -2,6 +2,7 @@ package netlightd
 
 import (
 	"context"
+	"embed"
 	"fmt"
 	"net"
 	"os"
@@ -11,6 +12,7 @@ import (
 	"github.com/oasisprotocol/curve25519-voi/primitives/x25519"
 	"github.com/pkg/errors"
 	"github.com/threefoldtech/zos/pkg/netlight"
+	"github.com/threefoldtech/zos/pkg/netlight/nft"
 	"github.com/threefoldtech/zos/pkg/netlight/resource"
 	"github.com/urfave/cli/v2"
 
@@ -27,6 +29,9 @@ const (
 	module      = "netlight"
 )
 
+//go:embed nft/rules.nft
+var nftRules embed.FS
+
 // Module is entry point for module
 var Module cli.Command = cli.Command{
 	Name:  "netlightd",
@@ -93,8 +98,13 @@ func action(cli *cli.Context) error {
 		log.Info().Msg("shutting down")
 	})
 
-	if err := ensureHostFw(ctx); err != nil {
-		return errors.Wrap(err, "failed to host firewall rules")
+	rules, err := nftRules.Open("nft/rules.nft")
+	if err != nil {
+		return fmt.Errorf("failed to load rules.nft file")
+	}
+
+	if err := nft.Apply(rules, ""); err != nil {
+		return fmt.Errorf("failed to apply host nft rules: %w", err)
 	}
 
 	bridge, err := netlight.CreateNDMZBridge()

cmds/modules/netlightd/nft/rules.nft

@@ -0,0 +1,29 @@
+add table inet filter;
+add table arp filter;
+add table bridge filter;
+add table nat;
+
+
+add chain inet filter input   { type filter hook input priority filter; policy accept; }
+add chain inet filter forward { type filter hook forward priority filter; policy accept; }
+add chain inet filter output  { type filter hook output priority filter; policy accept; }
+add chain inet filter prerouting  { type filter hook prerouting priority filter; policy accept; }
+
+add chain arp filter input  { type filter hook input priority filter; policy accept; }
+add chain arp filter output { type filter hook output priority filter; policy accept; }
+
+add chain bridge filter input   { type filter hook input priority filter; policy accept; }
+add chain bridge filter forward { type filter hook forward priority filter; policy accept; }
+add chain bridge filter prerouting { type filter hook prerouting priority filter; policy accept; }
+add chain bridge filter postrouting { type filter hook postrouting priority filter; policy accept; }
+add chain bridge filter output  { type filter hook output priority filter; policy accept; }
+
+add chain nat postrouting { type nat hook postrouting priority 100 ; }
+
+flush chain bridge filter forward;
+flush chain inet filter forward;
+flush chain inet filter prerouting;
+flush chain nat postrouting
+
+add rule inet filter prerouting iifname "b-*" tcp dport {25, 587, 465} reject with icmp type admin-prohibited;
+add rule nat postrouting iifname gw masquerade fully-random;

cmds/modules/zbusdebug/main.go

@@ -24,7 +24,7 @@ var (
 		"identityd": {},
 		"vmd":       {},
 		"flist":     {},
-		"network":   {},
+		"netlight":  {},
 		"container": {},
 		"provision": {},
 		"gateway":   {},

etc/zinit/networkd.yaml

@@ -1,5 +1,5 @@
 exec: netlightd --broker unix:///var/run/redis.sock --root /var/cache/modules/networkd
 
-# test: zbusdebug --module network
+test: zbusdebug --module netlight
 after:
   - boot

pkg/environment/environment.go

@@ -41,7 +41,6 @@ type Environment struct {
 
 	FarmID       pkg.FarmID
 	Orphan       bool
-	Light        bool
 	FarmSecret   string
 	SubstrateURL []string
 	// IMPORTANT NOTICE:
@@ -321,10 +320,5 @@ func getEnvironmentFromParams(params kernel.Params) (Environment, error) {
 	if e := os.Getenv("ZOS_BIN_REPO"); e != "" {
 		env.BinRepo = e
 	}
-	env.Light = false
-	if params.Exists("light") {
-		env.Light = true
-	}
-
 	return env, nil
 }

pkg/gridtypes/zos/types.go

@@ -14,8 +14,8 @@ const (
 	NetworkType gridtypes.WorkloadType = "network"
 	// NetworkLightType type
 	NetworkLightType gridtypes.WorkloadType = "network-light"
-	// ZDBLightType type
-	ZDBLightType gridtypes.WorkloadType = "zdb-light"
+	// ZDBType type
+	ZDBType gridtypes.WorkloadType = "zdb"
 	// ZMachineType type
 	ZMachineType gridtypes.WorkloadType = "zmachine"
 	// ZMachineLightType type
@@ -43,7 +43,7 @@ func init() {
 	// deployments.
 	gridtypes.RegisterType(ZMachineLightType, ZMachineLight{})
 	gridtypes.RegisterSharableType(NetworkLightType, NetworkLight{})
-	gridtypes.RegisterType(ZDBLightType, ZDBLight{})
+	gridtypes.RegisterType(ZDBType, ZDB{})
 	gridtypes.RegisterType(ZMountType, ZMount{})
 	gridtypes.RegisterType(VolumeType, Volume{})
 	gridtypes.RegisterType(PublicIPv4Type, PublicIP4{})

pkg/gridtypes/zos/zdb_light.go → pkg/gridtypes/zos/zdb.go

@@ -7,8 +7,8 @@ import (
 	"github.com/threefoldtech/zos/pkg/gridtypes"
 )
 
-// ZDBLight namespace creation info
-type ZDBLight struct {
+// ZDB namespace creation info
+type ZDB struct {
 	Size     gridtypes.Unit `json:"size"`
 	Mode     ZDBMode        `json:"mode"`
 	Password string         `json:"password"`
@@ -38,7 +38,7 @@ func (m ZDBMode) Valid() error {
 }
 
 // Valid implementation
-func (z ZDBLight) Valid(getter gridtypes.WorkloadGetter) error {
+func (z ZDB) Valid(getter gridtypes.WorkloadGetter) error {
 	if z.Size == 0 {
 		return fmt.Errorf("invalid size")
 	}
@@ -51,7 +51,7 @@ func (z ZDBLight) Valid(getter gridtypes.WorkloadGetter) error {
 }
 
 // Challenge implementation
-func (z ZDBLight) Challenge(b io.Writer) error {
+func (z ZDB) Challenge(b io.Writer) error {
 
 	if _, err := fmt.Fprintf(b, "%d", z.Size); err != nil {
 		return err
@@ -71,14 +71,14 @@ func (z ZDBLight) Challenge(b io.Writer) error {
 }
 
 // Capacity implements WorkloadData
-func (z ZDBLight) Capacity() (cap gridtypes.Capacity, err error) {
+func (z ZDB) Capacity() (cap gridtypes.Capacity, err error) {
 	cap.HRU = z.Size
 	return
 }
 
-// ZDBLightResult is the information return to the BCDB
+// ZDBResult is the information return to the BCDB
 // after deploying a 0-db namespace
-type ZDBLightResult struct {
+type ZDBResult struct {
 	Namespace string
 	IPs       []string
 	Port      uint

pkg/kernel/kernel.go

@@ -65,11 +65,6 @@ func (k Params) IsDebug() bool {
 	return k.Exists(Debug)
 }
 
-// IsLight checks if in light mode
-func (k Params) IsLight() bool {
-	return k.Exists(Light)
-}
-
 // GPUDisabled checks if gpu is diabled
 func (k Params) IsGPUDisabled() bool {
 	return k.Exists(DisableGPU)