ifstate 1.13.7__py3-none-any.whl → 2.0.0rc2__py3-none-any.whl

hooks/wrapper.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# ifstate: wrapper to run hooks
+
+# debugging
+export IFS_VERBOSE=${verbose}
+if [ "$$IFS_VERBOSE" = 1 ]; then
+    set -x
+fi
+
+# return codes
+export IFS_RC_OK="${rc_ok}"
+export IFS_RC_ERROR="${rc_error}"
+export IFS_RC_STARTED="${rc_started}"
+export IFS_RC_STOPPED="${rc_stopped}"
+export IFS_RC_CHANGED="${rc_changed}"
+
+# generic environment variables
+export IFS_SCRIPT="${script}"
+export IFS_RUNDIR="${rundir}"
+
+export IFS_IFNAME="${ifname}"
+export IFS_INDEX="${index}"
+export IFS_NETNS="${netns}"
+export IFS_VRF="${vrf}"
+
+# hook arguments
+${args}
+
+# run hook NetNS and VRF aware
+if [ -z "$$IFS_NETNS" ]; then
+    if [ -z "$$IFS_VRF" ]; then
+        # just exec the script
+        exec "$$IFS_SCRIPT" "$$@"
+    else
+        # exec in VRF
+        exec ip vrf exec "$$IFS_VRF" "$$IFS_SCRIPT" "$$@"
+    fi
+else
+    if [ -z "$$IFS_VRF" ]; then
+        # exec in NetNS
+        exec ip netns exec "$$IFS_NETNS" "$$IFS_SCRIPT" "$$@"
+    else
+        # exec in NetNS->VRF
+        exec ip -n "$$IFS_NETNS" vrf exec "$$IFS_VRF" "$$IFS_SCRIPT" "$$@"
+    fi
+fi
+
+# somthing gone wrong
+return $$IFS_RC_ERROR

ifstate/ifstate.py

@@ -21,6 +21,7 @@ import yaml
 class Actions():
     CHECK = "check"
     APPLY = "apply"
+    IDENTIFY = "identify"
     SHOW = "show"
     SHOWALL = "showall"
     VRRP = "vrrp"
@@ -31,6 +32,7 @@ class Actions():
 ACTIONS_HELP = {
     "CHECK"      : "dry run update the network config",
     "APPLY"      : "update the network config",
+    "IDENTIFY"   : "show interface attributes available for identification",
     "SHOW"       : "show running network config",
     "SHOWALL"    : "show running network config (more settings)",
     "VRRP"       : "run as keepalived notify script",
@@ -134,6 +136,8 @@ def main():
                        help="be more quiet, print only warnings and errors")
     parser.add_argument("-s", "--soft-schema", action="store_true",
                         help="ignore schema validation errors, expect ifstatecli to trigger internal exceptions")
+    parser.add_argument("-S", "--show-secrets", action="store_true",
+                        help="show secrets when dumping config")
     parser.add_argument("-c", "--config", type=str,
                         default="/etc/ifstate/config.yml", help="configuration YaML filename")
     subparsers = parser.add_subparsers(
@@ -180,13 +184,16 @@ def main():
 
     ifslog = IfStateLogging(lvl, action=args.action)
 
-    if args.action in [Actions.SHOW, Actions.SHOWALL]:
+    if args.action in [Actions.IDENTIFY, Actions.SHOW, Actions.SHOWALL]:
         # preserve dict order on python 3.7+
         if sys.version_info >= (3, 7):
             yaml.add_representer(
                 dict, lambda self, data: yaml.representer.SafeRepresenter.represent_dict(self, data.items()))
         ifs = IfState()
-        print(yaml.dump(ifs.show(args.action == Actions.SHOWALL)))
+        if args.action == Actions.IDENTIFY:
+            print(yaml.dump(ifs.identify()))
+        else:
+            print(yaml.dump(ifs.show(args.action == Actions.SHOWALL, args.show_secrets)))
 
         ifslog.quit()
         exit(0)

{ifstate-1.13.7.dist-info → ifstate-2.0.0rc2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ifstate
-Version: 1.13.7
+Version: 2.0.0rc2
 Summary: Manage host interface settings in a declarative manner
 Home-page: https://ifstate.net/
 Author: Thomas Liske
@@ -9,7 +9,7 @@ License: GPL3+
 Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: jsonschema
-Requires-Dist: pyroute2
+Requires-Dist: pyroute2!=0.9.3
 Requires-Dist: pyyaml
 Requires-Dist: setproctitle
 Provides-Extra: shell

ifstate-2.0.0rc2.dist-info/RECORD

@@ -0,0 +1,38 @@
+hooks/wrapper.sh,sha256=ipCmvcadJbXTT6oUR7BIhT5uglITnHfiAdm44vydZuw,1101
+ifstate/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ifstate/ifstate.py,sha256=ioiM9xgVWdrpTpK_UxJdaJFlmpFM9R-2_d5pq9_Hepo,9272
+ifstate/shell.py,sha256=7_JFpi4icr9MijynDzbb0v5mxhFsng6PCC4m3uQ255A,2177
+ifstate/vrrp.py,sha256=FJ9b1eJseTtZFfknHU-xV68Qz7cPrRrc5PTcjUVj-fY,5953
+ifstate-2.0.0rc2.dist-info/licenses/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+libifstate/__init__.py,sha256=REX94ISXtdyY24_cc26Od5D2xGnz2U8dYNtRRMjRu1M,33194
+libifstate/exception.py,sha256=5i59BZdl56J_sNJbyU9n6uHuUNJEyDOO4FJ-neDn9Ds,2608
+libifstate/log.py,sha256=XVoZdwdQoWsjuupFIuG6OP0OrBpXpx7oqyAaUhQ-nJk,4553
+libifstate/util.py,sha256=1CGVgaEj7L4At9FPWcDQLwSe027XSKoxFHIdkS5spSA,11354
+libifstate/address/__init__.py,sha256=zIGM7UWXSvoijHMD06DfS2CDtiHpiJlqDgJG7Dl1IPE,3222
+libifstate/bpf/__init__.py,sha256=NVzaunTmJU2PbIQg9eWBMKpFgLh3EnD3ujNa7Yt6rNc,7699
+libifstate/bpf/ctypes.py,sha256=kLZJHZlba09Vc-tbsJAcKpDwdoNO2IjlYVLCopawHmA,4274
+libifstate/bpf/map.py,sha256=cLHNMvRBDNW2yVCEf3z242_oRdU0HqVbFEYVkKXng0w,10818
+libifstate/brport/__init__.py,sha256=NzdA8F4hr2se1bXKNnyKZbvOFlCWBq_cdjwsL1H0Y-o,2964
+libifstate/fdb/__init__.py,sha256=9dpL5n8ct3CaA-z8I6ZEkD3yL6yWJQeq3fpIe9pc2zw,6486
+libifstate/hook/__init__.py,sha256=OPUyhrr-eT1UNp8ryYoJyvi4WWqL2Ql33szir673Td4,7379
+libifstate/link/__init__.py,sha256=QZggoC-bIscqwVedqVycaSqS1CmXB3Bx3m2FZei8Q_4,115
+libifstate/link/base.py,sha256=dazZVPRMyXms-ICiL7VOCUXwZnqNr1X6R2NjTlm2nEU,34384
+libifstate/link/physical.py,sha256=ectyXVchCHqWZR8qsjAD9667wjQbGW1OUKLQheTUFys,594
+libifstate/link/tun.py,sha256=SWkscSAgIk3DWFPWHo9Cmokhj88rO1_sR7Z0Qlg2xGA,993
+libifstate/link/veth.py,sha256=Sv5WZMMsefYFz9I0BQSZyKytCQYxv0vjwAnB7FYHR1A,2283
+libifstate/neighbour/__init__.py,sha256=FJJpbJvqnxvOEii6QDMYzW5jQDEbiEy71GQOEbqaS48,2463
+libifstate/netns/__init__.py,sha256=4DWFsgkT84foKoE0ZIbCIAqezDZzOBf8Ka1OAZS_T9E,10164
+libifstate/parser/__init__.py,sha256=byz1W0G7UewVc5FFie-ti3UZjGK3-75wHIaOeq0oySQ,88
+libifstate/parser/base.py,sha256=EV7uJYdVke3a2ghkUZ6ZeaIeVQAPVS4rFnYhebXeQm0,5932
+libifstate/parser/yaml.py,sha256=MC0kmwqt3P45z61fb_wfUqoj0iZyhFYkdPyr0UqMSZA,1415
+libifstate/routing/__init__.py,sha256=EvuS0GC5s7up92DYwSGhkohqhCQKPJpvs-alY4WAQws,25326
+libifstate/sysctl/__init__.py,sha256=EF52CdOOkVSUFR2t21A99KlG1-PjsD4qOiceQC4eI24,3074
+libifstate/tc/__init__.py,sha256=inPdampCOIr_4oKNB3awqMkW0Eh4fpPh9jvSba6sPVg,12092
+libifstate/wireguard/__init__.py,sha256=cpXqcZK_xNexwhz-1OqN1RQe21NaNVgF-adhXU6mv14,8797
+libifstate/xdp/__init__.py,sha256=X1xhEIGng7R5d5F4KsChykT2g6H-XBRWbWABijoYDQA,7208
+schema/2/ifstate.conf.schema.json,sha256=_ltHBK8iTy8xAhJapQIMmUavlXbDCcOI3R2EhjrMWa0,218618
+ifstate-2.0.0rc2.dist-info/METADATA,sha256=Hgol7xinIWq2lp6D7PNFpgrZ9_lnqBgspEko0tzIaK4,1607
+ifstate-2.0.0rc2.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+ifstate-2.0.0rc2.dist-info/entry_points.txt,sha256=HF6jX7Uu_nF1Ly-J9uEPeiRapOxnM6LuHsb2y6Mt-k4,52
+ifstate-2.0.0rc2.dist-info/top_level.txt,sha256=A7peI7aKBaM69fsiSPvMbL3rzTKZZr5qDxKC-pHMGdE,19
+ifstate-2.0.0rc2.dist-info/RECORD,,

libifstate/__init__.py

@@ -2,6 +2,7 @@ from libifstate.exception import LinkDuplicate, NetnsUnknown
 from libifstate.link.base import ethtool_path, Link
 from libifstate.address import Addresses
 from libifstate.fdb import FDB
+from libifstate.hook import Hooks
 from libifstate.neighbour import Neighbours
 from libifstate.routing import Tables, Rules, RTLookups
 from libifstate.parser import Parser
@@ -35,7 +36,7 @@ except ModuleNotFoundError:
     pass
 
 from libifstate.netns import NetNameSpace, prepare_netns, LinkRegistry, get_netns_instances
-from libifstate.util import logger, IfStateLogging, LinkDependency
+from libifstate.util import logger, root_iw, IfStateLogging, LinkDependency, IDENTIFY_LOOKUPS
 from libifstate.exception import FeatureMissingError, LinkCircularLinked, LinkNoConfigFound, ParserValidationError
 from ipaddress import ip_network, ip_interface
 from jsonschema import validate, ValidationError, FormatChecker
@@ -48,8 +49,7 @@ import json
 import errno
 import logging
 
-__version__ = "1.13.7"
-
+__version__ = "2.0.0rc2"
 
 class IfState():
     def __init__(self):
@@ -61,6 +61,8 @@ class IfState():
         self.ignore = {}
         self.features = {
             'brport': True,
+            'devicetree': os.access('/sys/firmware/devicetree', os.R_OK),
+            'iw': root_iw is not None,
             'link': True,
             'sysctl': os.access('/proc/sys/net', os.R_OK),
             'ethtool': not ethtool_path is None,
@@ -81,7 +83,7 @@ class IfState():
     def update(self, ifstates, soft_schema):
         # check config schema
         schema = json.loads(pkgutil.get_data(
-            "libifstate", "../schema/ifstate.conf.schema.json"))
+            "libifstate", "../schema/{}/ifstate.conf.schema.json".format(__version__.split('.')[0])))
         try:
             validate(ifstates, schema, format_checker=FormatChecker())
         except ValidationError as ex:
@@ -104,10 +106,10 @@ class IfState():
 
         # add interface defaults
         if 'defaults' in ifstates:
-            self.defaults = ifstates['defaults']
+            self.defaults = ifstates['parameters']['defaults']
 
         # add ignore list items
-        self.ignore.update(ifstates['ignore'])
+        self.ignore.update(ifstates['parameters']['ignore'])
         self.ipaddr_ignore = set()
         for ip in self.ignore.get('ipaddr', []):
             self.ipaddr_ignore.add(ip_network(ip))
@@ -116,7 +118,10 @@ class IfState():
             self.fdb_ignore = re.compile('|'.join(self.ignore.get('fdb')))
 
         # save cshaper profiles
-        self.cshaper_profiles = ifstates['cshaper']
+        self.cshaper_profiles = ifstates['parameters']['cshaper']
+
+        # prepare hooks
+        self.hooks = Hooks(ifstates['parameters'].get('hooks', {}))
 
         # build link registry over all named netns
         self.link_registry = LinkRegistry(self.ignore.get('ifname', []), self.root_netns)
@@ -134,17 +139,15 @@ class IfState():
                 self._update(self.namespaces[netns_name], netns_ifstates)
 
     def _update(self, netns, ifstates):
-        # parse options
-        if 'options' in ifstates:
-            # parse global sysctl settings
-            if 'sysctl' in ifstates['options']:
-                for proto in  ifstates['options']['sysctl'].keys():
-                    if proto in ['all', 'default']:
-                        netns.sysctl.add(
-                            proto, ifstates['options']['sysctl'][proto])
-                    else:
-                        netns.sysctl.add_global(
-                            proto, ifstates['options']['sysctl'][proto])
+        # parse network sysctl settings
+        if 'sysctl' in ifstates:
+            for proto in  ifstates['sysctl'].keys():
+                if proto in ['all', 'default']:
+                    netns.sysctl.add(
+                        proto, ifstates['sysctl'][proto])
+                else:
+                    netns.sysctl.add_global(
+                        proto, ifstates['sysctl'][proto])
 
         # load BPF programs
         if 'bpf' in ifstates:
@@ -157,8 +160,7 @@ class IfState():
                 netns.bpf_progs.add(name, config)
 
         # add interfaces from config
-        for ifstate in ifstates['interfaces']:
-            name = ifstate['name']
+        for name, ifstate in ifstates['interfaces'].items():
             kind = ifstate['link']['kind']
             defaults = self.get_defaults(
                 ifname=name,
@@ -189,7 +191,7 @@ class IfState():
                 link.update(ifstate['link'])
             if link:
                 netns.links[name] = Link(self,
-                    netns, name, link, ethtool, ifstate.get('vrrp'), ifstate.get('brport'))
+                    netns, name, link, ifstate.get('identify', {}), ethtool, ifstate.get('hooks', []), ifstate.get('vrrp'), ifstate.get('brport'))
             else:
                 netns.links[name] = None
 
@@ -224,7 +226,7 @@ class IfState():
                 netns.sysctl.add(name, ifstate['sysctl'])
 
             if 'cshaper' in ifstate:
-                profile_name = ifstate['cshaper'].get(
+                profile_name = ifstate['parameters']['cshaper'].get(
                     'profile', 'default')
                 logger.debug('cshaper profile {} enabled'.format(profile_name),
                              extra={'iface': name, 'netns': netns})
@@ -246,7 +248,7 @@ class IfState():
                         'qdisc': cshaper_profile['ingress_qdisc'],
                     }
                 }
-                ifb_state['tc']['qdisc']['bandwidth'] = ifstate['cshaper'].get(
+                ifb_state['tc']['qdisc']['bandwidth'] = ifstate['parameters']['cshaper'].get(
                     'ingress', 'unlimited')
 
                 if 'vrrp' in ifstate:
@@ -279,10 +281,10 @@ class IfState():
                     ]
                 }
 
-                ifstate['tc']['qdisc']['bandwidth'] = ifstate['cshaper'].get(
+                ifstate['tc']['qdisc']['bandwidth'] = ifstate['parameters']['cshaper'].get(
                     'egress', 'unlimited')
 
-                del ifstate['cshaper']
+                del ifstate['parameters']['cshaper']
 
             if 'tc' in ifstate:
                 netns.tc[name] = TC(
@@ -611,6 +613,8 @@ class IfState():
         if ifname in netns.wireguard:
             netns.wireguard[ifname].apply(do_apply)
 
+        self.hooks.apply(link, do_apply)
+
     def _apply_routing(self, do_apply, netns, by_vrrp, vrrp_type, vrrp_name, vrrp_state):
         if not netns.tables is None:
             netns.tables.apply(self.ignore.get('routes', []), do_apply, by_vrrp, vrrp_type, vrrp_name, vrrp_state)
@@ -618,36 +622,82 @@ class IfState():
         if not netns.rules is None:
             netns.rules.apply(self.ignore.get('rules', []), do_apply, by_vrrp, vrrp_type, vrrp_name, vrrp_state)
 
-    def show(self, showall=False):
+    def identify(self):
+        root_config = self._identify_netns(self.root_netns)
+        netns_instances = get_netns_instances()
+        if len(netns_instances) > 0:
+            netns_identifies = {}
+            for netns in netns_instances:
+                netns_identify = self._identify_netns(netns)
+                if netns_identify is not None:
+                    netns_identifies[netns.netns] = netns_identify
+
+            if netns_identifies:
+                return {**root_config, 'namespaces': netns_identifies}
+
+        return {**root_config}
+
+    def _identify_netns(self, netns):
+        ifs_links = {}
+        for ipr_link in netns.ipr.get_links():
+            name = ipr_link.get_attr('IFLA_IFNAME')
+            # skip links on ignore list
+            if name != 'lo' and not any(re.match(regex, name) for regex in Parser._default_ifstates['parameters']['ignore']['ifname_builtin']):
+                info = ipr_link.get_attr('IFLA_LINKINFO')
+                if info is None:
+                    kind = None
+                else:
+                    kind = info.get_attr('IFLA_INFO_KIND')
+
+                if kind is not None:
+                    continue
+
+                ifs_link = {
+                    'identify': {
+                    },
+                }
+
+                for attr, lookup in IDENTIFY_LOOKUPS.items():
+                    value = lookup(netns, ipr_link)
+                    if value is not None:
+                        ifs_link['identify'][attr] = value
+
+                ifs_links[name] = ifs_link
+
+        if ifs_links:
+            return {**{'interfaces': ifs_links}}
+        else:
+            return None
+
+    def show(self, showall=False, show_secrets=False):
         if showall:
             defaults = deepcopy(Parser._default_ifstates)
         else:
             defaults = {}
 
         ipaddr_ignore = []
-        for ip in Parser._default_ifstates['ignore']['ipaddr_builtin']:
+        for ip in Parser._default_ifstates['parameters']['ignore']['ipaddr_builtin']:
             ipaddr_ignore.append(ip_network(ip))
 
-        root_config = self._show_netns(self.root_netns, showall, ipaddr_ignore)
+        root_config = self._show_netns(self.root_netns, showall, show_secrets, ipaddr_ignore)
         netns_instances = get_netns_instances()
         if len(netns_instances) > 0:
             netns_configs = {}
             for netns in netns_instances:
-                netns_configs[netns.netns] = self._show_netns(netns, showall, ipaddr_ignore)
+                netns_configs[netns.netns] = self._show_netns(netns, showall, show_secrets, ipaddr_ignore)
 
             return {**defaults, **root_config, 'namespaces': netns_configs}
 
 
         return {**defaults, **root_config}
 
-    def _show_netns(self, netns, showall, ipaddr_ignore):
-        ifs_links = []
+    def _show_netns(self, netns, showall, show_secrets, ipaddr_ignore):
+        ifs_links = {}
         for ipr_link in netns.ipr.get_links():
             name = ipr_link.get_attr('IFLA_IFNAME')
             # skip links on ignore list
-            if name != 'lo' and not any(re.match(regex, name) for regex in Parser._default_ifstates['ignore']['ifname_builtin']):
+            if name != 'lo' and not any(re.match(regex, name) for regex in Parser._default_ifstates['parameters']['ignore']['ifname_builtin']):
                 ifs_link = {
-                    'name': name,
                     'addresses': [],
                     'link': {
                         'state': ipr_link['state'],
@@ -687,15 +737,13 @@ class IfState():
                     addr = ipr_link.get_attr('IFLA_ADDRESS')
                     if not addr is None:
                         ifs_link['link']['address'] = addr
-                    permaddr = netns.ipr.get_permaddr(name)
-                    if not permaddr is None:
-                        if addr is None:
-                            ifs_link['link']['addr'] = permaddr
-                        elif addr != permaddr:
-                            ifs_link['link']['permaddr'] = permaddr
-                    businfo = netns.ipr.get_businfo(name)
-                    if not businfo is None:
-                        ifs_link['link']['businfo'] = businfo
+
+                    # add identify section for physical links
+                    ifs_link['identify'] = {}
+                    for attr, func in IDENTIFY_LOOKUPS.items():
+                        value = func(netns, ipr_link)
+                        if value:
+                            ifs_link['identify'][attr] = value
 
                 # add device group if not 0
                 group = ipr_link.get_attr('IFLA_GROUP')
@@ -722,6 +770,9 @@ class IfState():
 
                 brport.BRPort.show(netns.ipr, showall, ipr_link['index'], ifs_link)
 
+                if ifs_link['link']['kind'] == 'wireguard':
+                    wireguard.WireGuard.show(netns, showall, show_secrets, name, ifs_link)
+
                 if name == 'lo':
                     if ifs_link['addresses'] == Parser._default_lo_link['addresses']:
                         del(ifs_link['addresses'])
@@ -730,13 +781,13 @@ class IfState():
                         del(ifs_link['link'])
 
                     if len(ifs_link) > 1:
-                        ifs_links.append(ifs_link)
+                        ifs_links['lo'] = ifs_link
                 else:
-                    ifs_links.append(ifs_link)
+                    ifs_links[name] = ifs_link
 
         routing = {
-            'routes': Tables(netns).show_routes(Parser._default_ifstates['ignore']['routes_builtin']),
-            'rules': Rules(netns).show_rules(Parser._default_ifstates['ignore']['rules_builtin']),
+            'routes': Tables(netns).show_routes(Parser._default_ifstates['parameters']['ignore']['routes_builtin']),
+            'rules': Rules(netns).show_rules(Parser._default_ifstates['parameters']['ignore']['rules_builtin']),
         }
 
         return {**{'interfaces': ifs_links, 'routing': routing}}

libifstate/hook/__init__.py

@@ -0,0 +1,195 @@
+from libifstate.util import get_netns_run_dir, dump_yaml_file, slurp_yaml_file, RUN_BASE_DIR
+from libifstate.util import logger
+
+import logging
+from pathlib import Path
+import os
+import pkgutil
+from shlex import quote
+import shutil
+from string import Template
+import subprocess
+import tempfile
+
+
+HOOK_DIR = '/etc/ifstate/hooks'
+HOOK_WRAPPER = Template(pkgutil.get_data("libifstate", "../hooks/wrapper.sh").decode("utf-8"))
+
+RC_OK = 0
+RC_ERROR = 1
+RC_STARTED = 2
+# it is the same value, but there are two constants to make it more convinient
+RC_STOPPED = RC_STARTED
+RC_CHANGED = 3
+
+def _open_perm(path, flags):
+    return os.open(path, flags, 0o600)
+
+class Hook():
+    def __init__(self, name, script, provides=[], after=[]):
+        self.name = name
+
+        if script[0] == '/':
+            self.script = Path(script).as_posix()
+        else:
+            self.script = Path(HOOK_DIR, script).as_posix()
+
+        self.provides = provides
+        self.after = after
+
+    def start(self, link, args, run_dir, do_apply):
+        wrapper_fn = f"{run_dir}/wrapper.sh"
+
+        with open(wrapper_fn, "w", opener=_open_perm) as fh:
+            template_vars = {
+                    'verbose': 1 if logger.getEffectiveLevel() == logging.DEBUG else '',
+                    'script': self.script,
+                    'ifname': link.settings.get('ifname'),
+                    'index': link.idx,
+                    'netns': link.netns.netns or '',
+                    'vrf': '',
+                    'rundir': run_dir,
+                    'rc_ok': RC_OK,
+                    'rc_error': RC_ERROR,
+                    'rc_started': RC_STARTED,
+                    'rc_stopped': RC_STOPPED,
+                    'rc_changed': RC_CHANGED,
+                }
+
+            if link.get_if_attr('IFLA_INFO_SLAVE_KIND') == 'vrf':
+                template_vars['vrf'] = link.settings.get('master')
+
+            args_list = []
+            for k, v in args.items():
+                args_list.append(f'export IFS_ARG_{k.upper()}={quote(v)}')
+            template_vars['args'] = "\n".join(args_list)
+
+            try:
+                fh.write(HOOK_WRAPPER.substitute(template_vars))
+            except KeyError as ex:
+                logger.error("Failed to prepare wrapper for hook {}: variable {} unknown".format(self.name, str(ex)))
+                return
+            except ValueError as ex:
+                logger.error("Failed to prepare wrapper for hook {}: {}".format(self.name, str(ex)))
+                return
+
+        try:
+            if do_apply:
+                subprocess.run(['/bin/sh', wrapper_fn, "start"], timeout=3, check=True)
+            else:
+                subprocess.run(['/bin/sh', wrapper_fn, "check-start"], timeout=3, check=True)
+
+            return RC_OK
+        except (FileNotFoundError, PermissionError) as ex:
+            logger.error("Failed executing hook {}: {}".format(self.name, str(ex)))
+            return RC_ERROR
+        except subprocess.TimeoutExpired as ex:
+            logger.error("Running hook {} has timed out.".format(self.name))
+            return RC_ERROR
+        except subprocess.CalledProcessError as ex:
+            if ex.returncode < 0:
+                logger.warning("Hook {} got signal {}".format(hook_name, -1 * ex.returncode))
+                return RC_ERROR
+
+            return ex.returncode
+
+    @staticmethod
+    def stop(link, hook_name, run_dir, do_apply):
+        wrapper_fn = f"{run_dir}/wrapper.sh"
+
+        try:
+            if do_apply:
+                subprocess.run(['/bin/sh', wrapper_fn, "stop"], timeout=3, check=True)
+            else:
+                subprocess.run(['/bin/sh', wrapper_fn, "check-stop"], timeout=3, check=True)
+
+            return RC_OK
+        except (FileNotFoundError, PermissionError) as ex:
+            logger.error("Failed executing hook {}: {}".format(hook_name, str(ex)))
+            return RC_ERROR
+        except subprocess.TimeoutExpired as ex:
+            logger.error("Running hook {} has timed out.".format(hook_name))
+            return RC_ERROR
+        except subprocess.CalledProcessError as ex:
+            if ex.returncode < 0:
+                logger.warning("Hook {} got signal {}".format(hook_name, -1 * ex.returncode))
+                return RC_ERROR
+
+            assert(run_dir.startswith(RUN_BASE_DIR))
+
+            try:
+                shutil.rmtree(run_dir)
+            except FileNotFoundError:
+                pass
+            except OSError as err:
+                logger.error("Failed cleanup hook rundir {}: {}".format(run_dir, str(err)))
+
+            return ex.returncode
+
+class Hooks():
+    def __init__(self, ifstate):
+        self.hooks = {}
+        for hook, opts in ifstate.items():
+            if 'script' in opts:
+                self.hooks[hook] = Hook(hook, **opts)
+            else:
+                self.hooks[hook] = Hook(hook, script=hook, **opts)
+
+    def apply(self, link, do_apply):
+        run_dir = get_netns_run_dir('hooks', link.netns, str(link.idx))
+
+        state_fn = f"{run_dir}/state"
+        old_state = slurp_yaml_file(state_fn, default=[])
+        run_state = []
+
+        # Stop any running hooks which should not run any more or have other
+        # parameters - hooks are identified by all of their settings. Keep
+        # the rundir for any hook already running.
+        for entry in old_state:
+            if not entry.get('hook') in link.hooks:
+                rc = Hook.stop(link, entry["hook"]["name"], entry["rundir"], do_apply)
+                if rc == RC_OK:
+                    pass
+                elif rc == RC_STOPPED:
+                    logger.log_del('hooks', '- {}'.format(entry["hook"]["name"]))
+                else:
+                    run_state.append(entry)
+                    logger.log_err('hooks', '! {}'.format(entry["hook"]["name"]))
+            else:
+                hook = next((hook for hook in link.hooks if hook == entry["hook"]), None)
+                # tepmorary keep mapping between running and configured hook dict
+                hook["__rundir"] = entry["rundir"]
+
+        try:
+            if not link.hooks:
+                return
+
+            for hook in link.hooks:
+                if not hook["name"] in self.hooks:
+                    logger.warning("Hook {} for {} is unknown!".format(link.settings.get('ifname'), hook))
+                    continue
+
+                hook_run_dir = hook.get("__rundir")
+                # hook is not running, yet
+                if hook_run_dir is None:
+                    hook_run_dir = tempfile.mkdtemp(prefix="hook_", dir=run_dir)
+                # hook was already running
+                else:
+                    del(hook["__rundir"])
+                rc = self.hooks[hook["name"]].start(link, hook.get('args', {}), hook_run_dir, do_apply)
+
+                if rc == RC_OK:
+                    logger.log_ok('hooks', '= {}'.format(hook["name"]))
+                elif rc == RC_STARTED:
+                    logger.log_add('hooks', '+ {}'.format(hook["name"]))
+                elif rc == RC_CHANGED:
+                    logger.log_change('hooks', '~ {}'.format(hook["name"]))
+                else:
+                    logger.log_err('hooks', '! {}'.format(hook["name"]))
+
+                run_state.append({
+                    "hook": hook,
+                    "rundir": hook_run_dir,
+                })
+        finally:
+            dump_yaml_file(state_fn, run_state)

libifstate/link/__init__.py

@@ -1,5 +1,4 @@
 import libifstate.link.base
-import libifstate.link.dsa
 import libifstate.link.physical
 import libifstate.link.tun
 import libifstate.link.veth