From 286917cd95201a53bc4235e6dcbb0044a831f552 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 22 Apr 2026 10:56:35 +0200
Subject: [PATCH] feat(init): pass mgmt + container pools to coold as builder deny nets

When --enable-builder is set, populate BuilderConfig.DenyNets with the mesh management pool (default 100.64.0.0/16) and the container pool (default 10.210.0.0/16). coold emits these as COOLD_BUILDER_DENY_NETS, which the builder adapter expands into systemd IPAddressDeny entries for every build subprocess. This keeps the policy in sync with the operator's actual --wg-mgmt-pool and --container-pool choices without hard-coding RFC1918 defaults.

Co-Authored-By: Claude Opus 4.7
---
 internal/services/coold.go | 7 +++++--
 internal/wireguard/apply.go | 12 +++++++++++-
 scripts/e2e-mesh.sh | 8 ++++----
 3 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/internal/services/coold.go b/internal/services/coold.go
index 4600ed6..a8ccd33 100644
--- a/internal/services/coold.go
+++ b/internal/services/coold.go
@@ -53,7 +53,8 @@ type BrokerConfig struct {
 // spawns build subprocesses. nil means the capability is disabled and no
 // COOLD_BUILDER_* env vars are emitted.
 type BuilderConfig struct {
- Capacity int // concurrent builds the host accepts; 0 falls back to 2
+ Capacity int // concurrent builds the host accepts; 0 falls back to 2
+ DenyNets []string // extra CIDRs to deny at systemd-run IPAddressDeny level
 }
 
 // CooldServiceUnitWithBroker is like CooldServiceUnit but injects broker env
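Review bot: The new `DenyNets` field comment says what the entries are for but not the format the consumer depends on; the second hunk of this file joins them with "," and writes the result verbatim into the unit as `COOLD_BUILDER_DENY_NETS`, so an entry containing a comma, whitespace or a newline would corrupt the list or the unit line, and an empty slice still emits the variable with an empty value. Suggest widening the comment to `DenyNets []string // CIDR strings joined with "," into COOLD_BUILDER_DENY_NETS; not validated here, so entries must not contain commas or whitespace`. The struct is complete within the hunk, so the doc change needs nothing outside it.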
@@ -102,11 +103,13 @@ Environment=COOLD_HOST_JWT_PATH=%s
 if capacity <= 0 {
 capacity = 2
 }
+ denyNets := strings.Join(builder.DenyNets, ",")
 builderEnv = fmt.Sprintf(`Environment=COOLD_BUILDER_ENABLED=true
 Environment=COOLD_BUILDER_WORK_DIR=%s
 Environment=COOLD_BUILDER_CAPACITY=%d
 Environment=COOLD_BUILDER_BIN=%s
-`, BuilderWorkDir, capacity, BuilderBinaryPath)
+Environment=COOLD_BUILDER_DENY_NETS=%s
+`, BuilderWorkDir, capacity, BuilderBinaryPath, denyNets)
 builderPre = fmt.Sprintf("ExecStartPre=/bin/mkdir -p %s\n", BuilderWorkDir)
 }
 
diff --git a/internal/wireguard/apply.go b/internal/wireguard/apply.go
index a6d2913..670b86c 100644
--- a/internal/wireguard/apply.go
+++ b/internal/wireguard/apply.go
@@ -637,7 +637,17 @@ func phase5PerHost(
 }
 var builderCfg *services.BuilderConfig
 if desired.EnableBuilder {
- builderCfg = &services.BuilderConfig{Capacity: desired.BuilderCapacity}
+ denyNets := []string{}
+ if desired.MgmtPool != nil {
+ denyNets = append(denyNets, desired.MgmtPool.String())
+ }
+ if desired.ContainerPool != nil {
+ denyNets = append(denyNets, desired.ContainerPool.String())
+ }
+ builderCfg = &services.BuilderConfig{
+ Capacity: desired.BuilderCapacity,
+ DenyNets: denyNets,
+ }
 }
 cooldUnit := services.CooldServiceUnitWithBroker(mgmtIP, nsConfigs, broker, builderCfg)
 updateCmd := heredocWrite("/etc/systemd/system/coold.service",
diff --git a/scripts/e2e-mesh.sh b/scripts/e2e-mesh.sh
index 6851970..b3b7820 100755
--- a/scripts/e2e-mesh.sh
+++ b/scripts/e2e-mesh.sh
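Review bot: `denyNets := strings.Join(builder.DenyNets, ",")` is interpolated straight into the unit text with no check on the entries, so any caller that fills `DenyNets` with a string containing whitespace or a newline breaks the `Environment=` line, and a newline could even start a new directive in the generated unit. The apply.go caller passes `String()` output of already-parsed pools, which is safe, but this function is the boundary that writes the file, and it appears to return only a string, so it cannot report a bad entry; either validate at the caller with `net.ParseCIDR` before constructing `BuilderConfig`, or document the precondition here with a comment such as `// DenyNets are written verbatim; the caller guarantees well-formed CIDRs`. Silently dropping malformed entries inside this function would be worse, since it would narrow the deny policy without any signal. When `DenyNets` is empty the unit still receives `Environment=COOLD_BUILDER_DENY_NETS=`; confirm the builder adapter treats an empty value as "no extra denies" rather than a parse error. This assumes `strings` is already imported in coold.go, which the hunk does not show; the enclosing function starts and ends outside the hunk.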
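Review bot: In the apply.go hunk, if both `desired.MgmtPool` and `desired.ContainerPool` are nil the builder is enabled with an empty deny list and nothing records that, so the operator gets no signal that build subprocesses are not isolated from the management and container ranges; the commit message describes defaults for both pools, so this is presumably reachable only when those defaults are not applied upstream, but a log line or an error at this point would make the gap visible, e.g. `if len(denyNets) == 0 { return fmt.Errorf("builder enabled on %s but no mgmt/container pool to deny", mgmtIP) }` if the function already returns an error. Separately, `denyNets := []string{}` allocates an empty slice where `var denyNets []string` is the idiomatic zero value; `append` and `strings.Join` behave identically on nil. phase5PerHost begins before and ends after the hunk.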
@@ -242,12 +242,12 @@ if ssh_exec "$SERVER_A" "test -f /etc/coolify/jwt.priv" >/dev/null 2>&1; then
 for _ in 1 2 3 4 5 6 7 8 9 10; do
 sleep 2
 for host in "$SERVER_A" "$SERVER_B"; do
- if ssh_exec "$host" "systemctl list-units --no-legend --plain 'coolify-build-*.scope' 2>/dev/null | grep -q $CAN_ID"; then
+ if ssh_exec "$host" "systemctl list-units --no-legend --plain 'coolify-build-*.service' 2>/dev/null | grep -q $CAN_ID"; then
 SCOPE_HOST="$host"; break 2
 fi
 done
 done
- [[ -n "$SCOPE_HOST" ]] || fail "scope coolify-build-$CAN_ID.scope never appeared"
+ [[ -n "$SCOPE_HOST" ]] || fail "scope coolify-build-$CAN_ID.service never appeared"
 printf ' scope running on %s ✓\n' "$SCOPE_HOST"
 ssh_exec "$SERVER_A" "redis-cli XADD build:cmd '*' payload '$CAN_MSG'" >/dev/null
 
@@ -262,8 +262,8 @@ if ssh_exec "$SERVER_A" "test -f /etc/coolify/jwt.priv" >/dev/null 2>&1; then
 done
 echo "$RESP" | grep -q '"stage":"cancel"' || fail "expected stage=cancel in response, got: $RESP"
 
- if ssh_exec "$SCOPE_HOST" "systemctl is-active coolify-build-$CAN_ID.scope >/dev/null 2>&1"; then
- fail "scope still active after cancel: coolify-build-$CAN_ID.scope"
+ if ssh_exec "$SCOPE_HOST" "systemctl is-active coolify-build-$CAN_ID.service >/dev/null 2>&1"; then
+ fail "scope still active after cancel: coolify-build-$CAN_ID.service"
 fi
 printf ' OK: cancel SIGTERM killed cgroup; stage=cancel ✓\n'
 else
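Review bot: The rewritten lines switch the unit suffix to `.service` but the wording around them still calls it a scope: `fail "scope coolify-build-$CAN_ID.service never appeared"` here, the `SCOPE_HOST` variable, and in the second hunk `fail "scope still active after cancel: coolify-build-$CAN_ID.service"`. Someone debugging a failure would go looking for a `.scope` unit, so suggest `fail "unit coolify-build-$CAN_ID.service never appeared"` and `fail "unit still active after cancel: coolify-build-$CAN_ID.service"`. While the wait-loop line is being touched, `grep -q $CAN_ID` accepts the id anywhere in the list-units output; `grep -q coolify-build-$CAN_ID.service` would make the loop wait for the specific unit under test. The enclosing `if` block starts before the first hunk and the second hunk ends at its `else`.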