From 2544e9adfeff0d167a467b93fab8784749832443 Mon Sep 17 00:00:00 2001 
From: Giacomo Sanchietti Date: Tue, 26 Sep 2023 14:14:24 +0200 Subject: [PATCH 1/8] systemd: refactor units for rootless --- imageroot/systemd/controller-api.service | 33 ------------------- .../systemd/controller-metrics-exporter.path | 7 ---- .../controller-metrics-exporter.service | 9 ----- imageroot/systemd/controller-promtail.service | 30 ----------------- imageroot/systemd/controller-proxy.service | 30 ----------------- imageroot/systemd/controller-ui.service | 29 ---------------- imageroot/systemd/controller-vpn.service | 30 ----------------- imageroot/systemd/controller.service | 27 --------------- imageroot/systemd/user/api.service | 33 +++++++++++++++++++ imageroot/systemd/user/controller.service | 27 +++++++++++++++ imageroot/systemd/user/metrics-exporter.path | 7 ++++ .../systemd/user/metrics-exporter.service | 9 +++++ imageroot/systemd/user/promtail.service | 30 +++++++++++++++++ imageroot/systemd/user/proxy.service | 30 +++++++++++++++++ imageroot/systemd/user/ui.service | 29 ++++++++++++++++ imageroot/systemd/user/vpn.service | 31 +++++++++++++++++ 16 files changed, 196 insertions(+), 195 deletions(-) delete mode 100644 imageroot/systemd/controller-api.service delete mode 100644 imageroot/systemd/controller-metrics-exporter.path delete mode 100644 imageroot/systemd/controller-metrics-exporter.service delete mode 100644 imageroot/systemd/controller-promtail.service delete mode 100644 imageroot/systemd/controller-proxy.service delete mode 100644 imageroot/systemd/controller-ui.service delete mode 100644 imageroot/systemd/controller-vpn.service delete mode 100644 imageroot/systemd/controller.service create mode 100644 imageroot/systemd/user/api.service create mode 100644 imageroot/systemd/user/controller.service create mode 100644 imageroot/systemd/user/metrics-exporter.path create mode 100644 imageroot/systemd/user/metrics-exporter.service create mode 100644 imageroot/systemd/user/promtail.service create mode 100644 imageroot/systemd/user/proxy.service 
create mode 100644 imageroot/systemd/user/ui.service create mode 100644 imageroot/systemd/user/vpn.service diff --git a/imageroot/systemd/controller-api.service b/imageroot/systemd/controller-api.service deleted file mode 100644 index db4c432..0000000 --- a/imageroot/systemd/controller-api.service +++ /dev/null @@ -1,33 +0,0 @@ - -[Unit] -Description=Podman MODULE_ID-api.service -BindsTo=MODULE_ID.service -After=MODULE_ID.service MODULE_ID-vpn.service - -[Service] -Environment=PODMAN_SYSTEMD_UNIT=%n -EnvironmentFile=/var/lib/nethserver/MODULE_ID/state/environment -Restart=always -TimeoutStopSec=70 -ExecStartPre=/bin/rm -f %t/MODULE_ID-api.pid %t/MODULE_ID-api.ctr-id -ExecStart=/usr/bin/podman run \ - --conmon-pidfile %t/MODULE_ID-api.pid \ - --cidfile %t/MODULE_ID-api.ctr-id \ - --cgroups=no-conmon \ - --pod-id-file %t/MODULE_ID.pod-id \ - --replace -d --name MODULE_ID-api \ - --volume MODULE_ID-credentials:/nethsecurity-api/credentials/:z \ - --volumes-from=MODULE_ID-vpn \ - --network=host \ - --env-file=/var/lib/nethserver/MODULE_ID/state/network.env \ - --env-file=/var/lib/nethserver/MODULE_ID/state/secret.env \ - --env-file=/var/lib/nethserver/MODULE_ID/state/config.env \ - --env-file=/var/lib/nethserver/MODULE_ID/state/promtail.env \ - ${NETHSECURITY_API_IMAGE} -ExecStop=/usr/bin/podman stop --ignore --cidfile %t/MODULE_ID-api.ctr-id -t 10 -ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/MODULE_ID-api.ctr-id -PIDFile=%t/MODULE_ID-api.pid -Type=forking - -[Install] -WantedBy=default.target diff --git a/imageroot/systemd/controller-metrics-exporter.path b/imageroot/systemd/controller-metrics-exporter.path deleted file mode 100644 index a816945..0000000 --- a/imageroot/systemd/controller-metrics-exporter.path +++ /dev/null @@ -1,7 +0,0 @@ -[Unit] -Description=Watch for vpn connections from MODULE_ID-vpn.service -BindsTo=MODULE_ID.service -After=MODULE_ID-vpn.service - -[Path] -PathChanged=/var/lib/nethserver/MODULE_ID/state/clients 
diff --git a/imageroot/systemd/controller-metrics-exporter.service b/imageroot/systemd/controller-metrics-exporter.service deleted file mode 100644 index 7257a04..0000000 --- a/imageroot/systemd/controller-metrics-exporter.service +++ /dev/null @@ -1,9 +0,0 @@ -[Unit] -Description=Add client as service provider for prometheus -BindsTo=MODULE_ID.service -After=MODULE_ID-vpn.service - -[Service] -EnvironmentFile=/var/lib/nethserver/MODULE_ID/state/environment -ExecStart=/usr/local/bin/runagent /var/lib/nethserver/MODULE_ID/bin/metrics_exporter_handler /var/lib/nethserver/MODULE_ID/state/clients -Type=oneshot diff --git a/imageroot/systemd/controller-promtail.service b/imageroot/systemd/controller-promtail.service deleted file mode 100644 index 3d646d5..0000000 --- a/imageroot/systemd/controller-promtail.service +++ /dev/null @@ -1,30 +0,0 @@ -[Unit] -Description=Podman MODULE_ID-promtail.service -BindsTo=MODULE_ID.service -After=MODULE_ID-vpn.service - -[Service] -Environment=PODMAN_SYSTEMD_UNIT=%n -EnvironmentFile=/var/lib/nethserver/MODULE_ID/state/environment -Restart=always -TimeoutStopSec=70 -ExecStartPre=/bin/rm -f %t/MODULE_ID-promtail.pid %t/MODULE_ID-promtail.ctr-id -ExecStart=/usr/bin/podman run \ - --conmon-pidfile %t/MODULE_ID-promtail.pid \ - --cidfile %t/MODULE_ID-promtail.ctr-id \ - --cgroups=no-conmon \ - --pod-id-file %t/MODULE_ID.pod-id \ - --replace -d --name MODULE_ID-promtail \ - --volume /var/lib/nethserver/MODULE_ID/etc/config.yml:/etc/promtail/config.yml:z \ - --network=host \ - --env-file=/var/lib/nethserver/MODULE_ID/state/promtail.env \ - --env-file=/var/lib/nethserver/MODULE_ID/state/config.env \ - ${PROMTAIL_IMAGE} \ - -config.expand-env=true -config.file=/etc/promtail/config.yml -ExecStop=/usr/bin/podman stop --ignore --cidfile %t/MODULE_ID-promtail.ctr-id -t 10 -ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/MODULE_ID-promtail.ctr-id -PIDFile=%t/MODULE_ID-promtail.pid -Type=forking - -[Install] -WantedBy=default.target 
diff --git a/imageroot/systemd/controller-proxy.service b/imageroot/systemd/controller-proxy.service deleted file mode 100644 index 49af7d9..0000000 --- a/imageroot/systemd/controller-proxy.service +++ /dev/null @@ -1,30 +0,0 @@ - -[Unit] -Description=Podman MODULE_ID-proxy.service -BindsTo=MODULE_ID.service -After=MODULE_ID-api.service MODULE_ID-vpn.service -Requires=MODULE_ID-api.service MODULE_ID-vpn.service - -[Service] -Environment=PODMAN_SYSTEMD_UNIT=%n -EnvironmentFile=/var/lib/nethserver/MODULE_ID/state/environment -Restart=always -TimeoutStopSec=70 -ExecStartPre=/bin/rm -f %t/MODULE_ID-.pid %t/MODULE_ID-proxy.ctr-id -ExecStart=/usr/bin/podman run \ - --conmon-pidfile %t/MODULE_ID-proxy.pid \ - --cidfile %t/MODULE_ID-proxy.ctr-id \ - --cgroups=no-conmon \ - --pod-id-file %t/MODULE_ID.pod-id \ - --replace -d --name MODULE_ID-proxy \ - --volumes-from=MODULE_ID-vpn \ - --network=host \ - --env-file=/var/lib/nethserver/MODULE_ID/state/network.env \ - ${NETHSECURITY_PROXY_IMAGE} -ExecStop=/usr/bin/podman stop --ignore --cidfile %t/MODULE_ID-proxy.ctr-id -t 10 -ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/MODULE_ID-proxy.ctr-id -PIDFile=%t/MODULE_ID-proxy.pid -Type=forking - -[Install] -WantedBy=default.target diff --git a/imageroot/systemd/controller-ui.service b/imageroot/systemd/controller-ui.service deleted file mode 100644 index c477a38..0000000 --- a/imageroot/systemd/controller-ui.service +++ /dev/null 
@@ -1,29 +0,0 @@ - -[Unit] -Description=Podman MODULE_ID-ui.service -BindsTo=MODULE_ID.service -After=MODULE_ID-api.service -Requires=MODULE_ID-api.service - -[Service] -Environment=PODMAN_SYSTEMD_UNIT=%n -EnvironmentFile=/var/lib/nethserver/MODULE_ID/state/environment -Restart=always -TimeoutStopSec=70 -ExecStartPre=/bin/rm -f %t/MODULE_ID-.pid %t/MODULE_ID-ui.ctr-id -ExecStart=/usr/bin/podman run \ - --conmon-pidfile %t/MODULE_ID-ui.pid \ - --cidfile %t/MODULE_ID-ui.ctr-id \ - --cgroups=no-conmon \ - --pod-id-file %t/MODULE_ID.pod-id \ - --replace -d --name MODULE_ID-ui \ - --network=host \ - --env-file=/var/lib/nethserver/MODULE_ID/state/network.env \ - ${NETHSECURITY_UI_IMAGE} -ExecStop=/usr/bin/podman stop --ignore --cidfile %t/MODULE_ID-ui.ctr-id -t 10 -ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/MODULE_ID-ui.ctr-id -PIDFile=%t/MODULE_ID-ui.pid -Type=forking - -[Install] -WantedBy=default.target diff --git a/imageroot/systemd/controller-vpn.service b/imageroot/systemd/controller-vpn.service deleted file mode 100644 index fb7bbdc..0000000 --- a/imageroot/systemd/controller-vpn.service +++ /dev/null 
@@ -1,30 +0,0 @@ -[Unit] -Description=Podman MODULE_ID-vpn.service -BindsTo=MODULE_ID.service -After=MODULE_ID.service - -[Service] -Environment=PODMAN_SYSTEMD_UNIT=%n -EnvironmentFile=/var/lib/nethserver/MODULE_ID/state/environment -Restart=always -TimeoutStopSec=70 -ExecStartPre=/bin/rm -f %t/MODULE_ID-vpn.pid %t/MODULE_ID-vpn.ctr-id -ExecStart=/usr/bin/podman run \ - --conmon-pidfile %t/MODULE_ID-vpn.pid \ - --cidfile %t/MODULE_ID-vpn.ctr-id \ - --cgroups=no-conmon \ - --pod-id-file %t/MODULE_ID.pod-id \ - --replace -d --name MODULE_ID-vpn \ - -v MODULE_ID-vpn-data:/etc/openvpn/:z \ - --volume=/var/lib/nethserver/MODULE_ID/state/clients:/etc/openvpn/clients:z \ - --env-file=/var/lib/nethserver/MODULE_ID/state/network.env \ - --env-file=/var/lib/nethserver/MODULE_ID/state/config.env \ - --network=host --cap-add=NET_ADMIN --device /dev/net/tun \ - ${NETHSECURITY_VPN_IMAGE} -ExecStop=/usr/bin/podman stop --ignore --cidfile %t/MODULE_ID-vpn.ctr-id -t 10 -ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/MODULE_ID-vpn.ctr-id -PIDFile=%t/MODULE_ID-vpn.pid -Type=forking - -[Install] -WantedBy=default.target diff --git a/imageroot/systemd/controller.service b/imageroot/systemd/controller.service deleted file mode 100644 index dbba450..0000000 --- a/imageroot/systemd/controller.service +++ /dev/null 
@@ -1,27 +0,0 @@ -[Unit] -Description=Podman MODULE_ID.service -Requires=MODULE_ID-vpn.service MODULE_ID-api.service MODULE_ID-ui.service MODULE_ID-proxy.service MODULE_ID-promtail.service MODULE_ID-metrics-exporter.path -Before=MODULE_ID-vpn.service MODULE_ID-api.service MODULE_ID-ui.service MODULE_ID-proxy.service MODULE_ID-promtail.service MODULE_ID-metrics-exporter.path -ConditionPathExists=/var/lib/nethserver/MODULE_ID/state/environment -ConditionPathExists=/var/lib/nethserver/MODULE_ID/state/network.env - -[Service] -Environment=PODMAN_SYSTEMD_UNIT=%n -EnvironmentFile=/var/lib/nethserver/MODULE_ID/state/environment -Restart=always -TimeoutStopSec=70 -ExecStartPre=/bin/rm -f %t/MODULE_ID.pid %t/MODULE_ID.pod-id -ExecStartPre=/usr/bin/podman pod create \ - --infra-conmon-pidfile %t/MODULE_ID.pid \ - --pod-id-file %t/MODULE_ID.pod-id \ - --name MODULE_ID \ - --network=host \ - --replace -ExecStart=/usr/bin/podman pod start --pod-id-file %t/MODULE_ID.pod-id -ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/MODULE_ID.pod-id -t 10 -ExecStopPost=/usr/bin/podman pod rm --ignore -f --pod-id-file %t/MODULE_ID.pod-id -PIDFile=%t/MODULE_ID.pid -Type=forking - -[Install] -WantedBy=default.target diff --git a/imageroot/systemd/user/api.service b/imageroot/systemd/user/api.service new file mode 100644 index 0000000..c1bb32f --- /dev/null +++ b/imageroot/systemd/user/api.service 
@@ -0,0 +1,33 @@
+
+[Unit]
+Description=Podman api.service
+BindsTo=controller.service
+After=controller.service vpn.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+EnvironmentFile=%S/state/environment
+Restart=always
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/api.pid %t/api.ctr-id
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/api.pid \
+ --cidfile %t/api.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/controller.pod-id \
+ --replace -d --name api \
+ --volume credentials:/nethsecurity-api/credentials/:z \
+ --volumes-from=vpn \
+ --network=host \
+ --env-file=%S/state/network.env \
+ --env-file=%S/state/secret.env \
+ --env-file=%S/state/config.env \
+ --env-file=%S/state/promtail.env \
+ ${NETHSECURITY_API_IMAGE}
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/api.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/api.ctr-id
+PIDFile=%t/api.pid
+Type=forking
+
+[Install]
+WantedBy=default.target
diff --git a/imageroot/systemd/user/controller.service b/imageroot/systemd/user/controller.service
new file mode 100644
index 0000000..a68abed
--- /dev/null
+++ b/imageroot/systemd/user/controller.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Podman controller.service
+Requires=vpn.service api.service ui.service proxy.service promtail.service metrics-exporter.path
+Before=vpn.service api.service ui.service proxy.service promtail.service metrics-exporter.path
+ConditionPathExists=%S/state/environment
+ConditionPathExists=%S/state/network.env
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+EnvironmentFile=%S/state/environment
+Restart=always
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/controller.pid %t/controller.pod-id
+ExecStartPre=/usr/bin/podman pod create \
+ --infra-conmon-pidfile %t/controller.pid \
+ --pod-id-file %t/controller.pod-id \
+ --name controller \
+ --network=host \
+ --replace
+ExecStart=/usr/bin/podman pod start --pod-id-file %t/controller.pod-id
+ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/controller.pod-id -t 10
+ExecStopPost=/usr/bin/podman pod rm --ignore -f --pod-id-file %t/controller.pod-id
+PIDFile=%t/controller.pid
+Type=forking
+
+[Install]
+WantedBy=default.target
diff --git a/imageroot/systemd/user/metrics-exporter.path b/imageroot/systemd/user/metrics-exporter.path
new file mode 100644
index 0000000..805cf0c
--- /dev/null
+++ b/imageroot/systemd/user/metrics-exporter.path
@@ -0,0 +1,7 @@
+[Unit]
+Description=Watch for vpn connections from vpn.service
+BindsTo=controller.service
+After=vpn.service
+
+[Path]
+PathChanged=%S/state/clients
diff --git a/imageroot/systemd/user/metrics-exporter.service b/imageroot/systemd/user/metrics-exporter.service
new file mode 100644
index 0000000..8ec2a06
--- /dev/null
+++ b/imageroot/systemd/user/metrics-exporter.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Add client as service provider for prometheus
+BindsTo=controller.service
+After=vpn.service
+
+[Service]
+EnvironmentFile=%S/state/environment
+ExecStart=/usr/local/bin/runagent %S/bin/metrics_exporter_handler %S/state/clients
+Type=oneshot
diff --git a/imageroot/systemd/user/promtail.service b/imageroot/systemd/user/promtail.service
new file mode 100644
index 0000000..ade1ee2
--- /dev/null
+++ b/imageroot/systemd/user/promtail.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=Podman promtail.service
+BindsTo=controller.service
+After=vpn.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+EnvironmentFile=%S/state/environment
+Restart=always
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/promtail.pid %t/promtail.ctr-id
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/promtail.pid \
+ --cidfile %t/promtail.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/controller.pod-id \
+ --replace -d --name promtail \
+ --volume %S/etc/config.yml:/etc/promtail/config.yml:z \
+ --network=host \
+ --env-file=%S/state/promtail.env \
+ --env-file=%S/state/config.env \
+ ${PROMTAIL_IMAGE} \
+ -config.expand-env=true -config.file=/etc/promtail/config.yml
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/promtail.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/promtail.ctr-id
+PIDFile=%t/promtail.pid
+Type=forking
+
+[Install]
+WantedBy=default.target
diff --git a/imageroot/systemd/user/proxy.service b/imageroot/systemd/user/proxy.service
new file mode 100644
index 0000000..7faeb98
--- /dev/null
+++ b/imageroot/systemd/user/proxy.service
@@ -0,0 +1,30 @@
+
+[Unit]
+Description=Podman proxy.service
+BindsTo=controller.service
+After=api.service vpn.service
+Requires=api.service vpn.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+EnvironmentFile=%S/state/environment
+Restart=always
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/.pid %t/proxy.ctr-id
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/proxy.pid \
+ --cidfile %t/proxy.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/controller.pod-id \
+ --replace -d --name proxy \
+ --volumes-from=vpn \
+ --network=host \
+ --env-file=%S/state/network.env \
+ ${NETHSECURITY_PROXY_IMAGE}
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/proxy.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/proxy.ctr-id
+PIDFile=%t/proxy.pid
+Type=forking
+
+[Install]
+WantedBy=default.target
diff --git a/imageroot/systemd/user/ui.service b/imageroot/systemd/user/ui.service
new file mode 100644
index 0000000..7f19162
--- /dev/null
+++ b/imageroot/systemd/user/ui.service
@@ -0,0 +1,29 @@
+
+[Unit]
+Description=Podman ui.service
+BindsTo=controller.service
+After=api.service
+Requires=api.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+EnvironmentFile=%S/state/environment
+Restart=always
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/.pid %t/ui.ctr-id
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/ui.pid \
+ --cidfile %t/ui.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/controller.pod-id \
+ --replace -d --name ui \
+ --network=host \
+ --env-file=%S/state/network.env \
+ ${NETHSECURITY_UI_IMAGE}
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/ui.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/ui.ctr-id
+PIDFile=%t/ui.pid
+Type=forking
+
+[Install]
+WantedBy=default.target
diff --git a/imageroot/systemd/user/vpn.service b/imageroot/systemd/user/vpn.service
new file mode 100644
index 0000000..77870a3
--- /dev/null
+++ b/imageroot/systemd/user/vpn.service
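Review bot: `ExecStartPre=/bin/rm -f %t/.pid %t/proxy.ctr-id` in proxy.service removes the wrong file; the pid file this unit writes and reads is `%t/proxy.pid` (see `--conmon-pidfile` and `PIDFile=`), so a stale pid file is never cleaned up before start. The same slip is in ui.service in the next hunk (`%t/.pid` instead of `%t/ui.pid`); both are carried over from the old `MODULE_ID-.pid` lines. Proposed: `ExecStartPre=/bin/rm -f %t/proxy.pid %t/proxy.ctr-id` and `ExecStartPre=/bin/rm -f %t/ui.pid %t/ui.ctr-id`.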
@@ -0,0 +1,31 @@
+[Unit]
+Description=Podman vpn.service
+BindsTo=controller.service
+After=controller.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+EnvironmentFile=%S/state/environment
+Restart=always
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/vpn.pid %t/vpn.ctr-id
+ExecStart=/usr/bin/podman run \
+ --conmon-pidfile %t/vpn.pid \
+ --cidfile %t/vpn.ctr-id \
+ --cgroups=no-conmon \
+ --pod-id-file %t/controller.pod-id \
+ --replace -d --name vpn \
+ -v vpn-data:/etc/openvpn/:z \
+ --volume=%S/state/clients:/etc/openvpn/clients:z \
+ --env-file=%S/state/network.env \
+ --env-file=%S/state/config.env \
+ --network=host --cap-add=NET_ADMIN --device /dev/net/tun \
+ --security-opt label=disable \
+ ${NETHSECURITY_VPN_IMAGE}
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/vpn.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/vpn.ctr-id
+PIDFile=%t/vpn.pid
+Type=forking
+
+[Install]
+WantedBy=default.target
From 897b253c34247dcc41288dc4145713e835660ca7 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 26 Sep 2023 15:51:54 +0200
Subject: [PATCH 2/8] api: add tun creation
---
 build-images.sh | 2 +-
 .../actions/configure-module/20configure | 3 ++
 .../actions/configure-module/80start_services | 4 +--
 imageroot/actions/create-module/20initialize | 2 +-
 imageroot/actions/create-module/30systemd | 32 -------------------
 imageroot/actions/destroy-module/60tun | 12 +++++++
 6 files changed, 19 insertions(+), 36 deletions(-)
 delete mode 100755 imageroot/actions/create-module/30systemd
 create mode 100755 imageroot/actions/destroy-module/60tun
diff --git a/build-images.sh b/build-images.sh
index 3cd1c57..a2d87cc 100755
--- a/build-images.sh
+++ b/build-images.sh
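Review bot: `--security-opt label=disable` is new in vpn.service (the deleted controller-vpn.service did not have it) and nothing records why; it turns SELinux separation off for the one container that also runs with `--network=host`, a `/dev/net/tun` device and, in this revision, `--cap-add=NET_ADMIN`, and it makes the `:z` relabels on the two volumes redundant. A comment above the ExecStart, e.g. `# label=disable: SELinux confinement is off for this container — presumably needed for the tun device, TODO confirm; remove if the device can be labelled instead`, would let a later reader judge whether it is still required. Patch 6 of this series removes the capability again but leaves the label option in place.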
@@ -32,7 +32,7 @@ buildah add "${container}" imageroot /imageroot
 buildah add "${container}" ui/dist /ui
 # Setup the entrypoint, ask to reserve one TCP port with the label and set a rootless container
 buildah config --entrypoint=/ \
- --label="org.nethserver.authorizations=traefik@any:routeadm node:fwadm" \
+ --label="org.nethserver.authorizations=traefik@any:routeadm node:fwadm node:tunadm" \
 --label="org.nethserver.tcp-ports-demand=5" \
 --label="org.nethserver.rootfull=1" \
 --label="org.nethserver.images=ghcr.io/nethserver/nethsecurity-vpn:$tag ghcr.io/nethserver/nethsecurity-api:$tag ghcr.io/nethserver/nethsecurity-ui:$tag ghcr.io/nethserver/nethsecurity-proxy:$tag docker.io/grafana/promtail:2.7.1" \
diff --git a/imageroot/actions/configure-module/20configure b/imageroot/actions/configure-module/20configure
index 90d3587..e815c33 100755
--- a/imageroot/actions/configure-module/20configure
+++ b/imageroot/actions/configure-module/20configure
@@ -95,3 +95,6 @@ rules = [
 ]
 ports = [f"{ports[4]}/tcp"] # promtail port
 agent.add_custom_zone(tun, tun, ports, rules)
+
+network = agent.read_envfile('network.env')
+agent.add_tun(network.get('OVPN_TUN'), f'{server_address}/{bits}')
diff --git a/imageroot/actions/configure-module/80start_services b/imageroot/actions/configure-module/80start_services
index a83052c..751ffa9 100755
--- a/imageroot/actions/configure-module/80start_services
+++ b/imageroot/actions/configure-module/80start_services
@@ -22,5 +22,5 @@
 # If the control reaches this step, the service can be enabled and started
-systemctl enable ${MODULE_ID}.service
-systemctl restart ${MODULE_ID}.service
+systemctl enable controller.service
+systemctl restart controller.service
diff --git a/imageroot/actions/create-module/20initialize b/imageroot/actions/create-module/20initialize
index 1cdc654..430b90b 100755
--- a/imageroot/actions/create-module/20initialize
+++ b/imageroot/actions/create-module/20initialize
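Review bot: `agent.add_tun(network.get('OVPN_TUN'), f'{server_address}/{bits}')` in 20configure passes `None` as the device name when network.env has no `OVPN_TUN`, so a broken state file is reported from inside `add_tun` (or not at all) instead of at the read; `network['OVPN_TUN']` raises a clear `KeyError` at the right place. The same pattern is used in the new 60tun script further down (`agent.remove_tun(network.get('OVPN_TUN'))`). The enclosing script continues outside the hunk, and what `add_tun` does with the address argument is not visible here.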
@@ -34,7 +34,7 @@ secret=$(uuidgen | sha256sum | awk '{print $1}')
 cat << EOF > network.env
 OVPN_UDP_PORT=$ovpn_udp_port
-OVPN_TUN=nsc$num
+OVPN_TUN=tunnsc$num
 API_PORT=$api_port
 API_BIND_IP=127.0.0.1
 LISTEN_ADDRESS=127.0.0.1:$api_port
diff --git a/imageroot/actions/create-module/30systemd b/imageroot/actions/create-module/30systemd
deleted file mode 100755
index 7a8d72c..0000000
--- a/imageroot/actions/create-module/30systemd
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-
-#
-# Copyright (C) 2022 Nethesis S.r.l.
-# http://www.nethesis.it - nethserver@nethesis.it
-#
-# This script is part of NethServer.
-#
-# NethServer is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# NethServer is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with NethServer. If not, see COPYING.
-#
-
-exec 1>&2 # Send any output to stderr, to not alter the action response protocol
-set -e
-
-# Install the Systemd unit for this module instance
-for f in ${AGENT_INSTALL_DIR}/systemd/*{.service,.path}
-do
- sname=$(basename $f | sed "s/controller/${MODULE_ID}/")
- sed "s/MODULE_ID/${MODULE_ID}/g" $f > /etc/systemd/system/$sname
-done
-systemctl daemon-reload
diff --git a/imageroot/actions/destroy-module/60tun b/imageroot/actions/destroy-module/60tun
new file mode 100755
index 0000000..0f9d589
--- /dev/null
+++ b/imageroot/actions/destroy-module/60tun
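Review bot: Changing the default to `OVPN_TUN=tunnsc$num` only affects instances created after this commit; an instance whose network.env still holds `nsc$num` from the old 20initialize will call `agent.add_tun` with the old name on its next configure-module run. If the new prefix is something `add_tun` or the tunadm grant requires (I cannot tell from this series), either a one-off rewrite of the stored value or a note in the commit message that existing instances must be recreated is needed. The heredoc continues outside the hunk.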
@@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import os
+import agent
+
+network = agent.read_envfile('network.env')
+agent.remove_tun(network.get('OVPN_TUN'))
From 310520dd73dba0e5c63fbdbc2184ab7f45e8e66b Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 26 Sep 2023 16:01:12 +0200
Subject: [PATCH 3/8] build: remove rootless flag
---
 build-images.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/build-images.sh b/build-images.sh
index a2d87cc..e07a316 100755
--- a/build-images.sh
+++ b/build-images.sh
@@ -34,7 +34,6 @@ buildah add "${container}" ui/dist /ui
 buildah config --entrypoint=/ \
 --label="org.nethserver.authorizations=traefik@any:routeadm node:fwadm node:tunadm" \
 --label="org.nethserver.tcp-ports-demand=5" \
- --label="org.nethserver.rootfull=1" \
 --label="org.nethserver.images=ghcr.io/nethserver/nethsecurity-vpn:$tag ghcr.io/nethserver/nethsecurity-api:$tag ghcr.io/nethserver/nethsecurity-ui:$tag ghcr.io/nethserver/nethsecurity-proxy:$tag docker.io/grafana/promtail:2.7.1" \
 "${container}"
 # Commit the image
From 31589eedcab86458e2dfaefdf987aa2a4534a345 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Tue, 26 Sep 2023 17:25:43 +0200
Subject: [PATCH 4/8] build: fix grant
---
 build-images.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-images.sh b/build-images.sh
index e07a316..c28ae11 100755
--- a/build-images.sh
+++ b/build-images.sh
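Review bot: `import os` in the new 60tun is unused and should be dropped. `network.get('OVPN_TUN')` hands `None` to `agent.remove_tun` when the key is missing; `network['OVPN_TUN']` makes a malformed network.env fail at the read, which is what a destroy step should do rather than silently skipping the device. A short module docstring such as `"""Remove the tun device named by OVPN_TUN in network.env; the controller must already be stopped."""` would also record the ordering this step relies on.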
@@ -32,7 +32,7 @@ buildah add "${container}" imageroot /imageroot
 buildah add "${container}" ui/dist /ui
 # Setup the entrypoint, ask to reserve one TCP port with the label and set a rootless container
 buildah config --entrypoint=/ \
- --label="org.nethserver.authorizations=traefik@any:routeadm node:fwadm node:tunadm" \
+ --label="org.nethserver.authorizations=traefik@any:routeadm node:tunadm" \
 --label="org.nethserver.tcp-ports-demand=5" \
 --label="org.nethserver.images=ghcr.io/nethserver/nethsecurity-vpn:$tag ghcr.io/nethserver/nethsecurity-api:$tag ghcr.io/nethserver/nethsecurity-ui:$tag ghcr.io/nethserver/nethsecurity-proxy:$tag docker.io/grafana/promtail:2.7.1" \
 "${container}"
From 11fbd6968dc60ce59a9cd29a6338c57ec6ade3f1 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Wed, 27 Sep 2023 09:26:42 +0200
Subject: [PATCH 5/8] api: fix systemd calls for rootless mode
---
 .../actions/configure-module/80start_services | 4 +--
 imageroot/actions/destroy-module/50systemd | 30 -------------------
 2 files changed, 2 insertions(+), 32 deletions(-)
 delete mode 100755 imageroot/actions/destroy-module/50systemd
diff --git a/imageroot/actions/configure-module/80start_services b/imageroot/actions/configure-module/80start_services
index 751ffa9..d568437 100755
--- a/imageroot/actions/configure-module/80start_services
+++ b/imageroot/actions/configure-module/80start_services
@@ -22,5 +22,5 @@
 # If the control reaches this step, the service can be enabled and started
-systemctl enable controller.service
-systemctl restart controller.service
+systemctl --user enable controller.service
+systemctl --user restart controller.service
diff --git a/imageroot/actions/destroy-module/50systemd b/imageroot/actions/destroy-module/50systemd
deleted file mode 100755
index a4f5f30..0000000
--- a/imageroot/actions/destroy-module/50systemd
+++ /dev/null
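Review bot: Dropping `node:fwadm` from `org.nethserver.authorizations` leaves only `routeadm` and `tunadm`, yet 20configure still calls `agent.add_custom_zone(tun, tun, ports, rules)` (visible as context in the patch 2 hunk above). If that call needs the fwadm grant, configure-module will now be refused; if tunadm covers it, a sentence in the commit message saying so would spare the next reader the check. I cannot verify which from this series.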
@@ -1,30 +0,0 @@
-#!/bin/bash -x
-
-#
-# Copyright (C) 2022 Nethesis S.r.l.
-# http://www.nethesis.it - nethserver@nethesis.it
-#
-# This script is part of NethServer.
-#
-# NethServer is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# NethServer is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with NethServer. If not, see COPYING.
-#
-
-exec 1>&2 # Send any output to stderr, to not alter the action response protocol
-
-#
-# We must stop and clean up what we installed in the "create-module" action
-#
-systemctl disable --now "${MODULE_ID}.service"
-rm -vf /etc/systemd/system/${MODULE_ID}-*.service
-systemctl daemon-reload
From ecccb5c082fc4e556ac3337a1b3061ccf6d9b179 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Wed, 27 Sep 2023 11:47:42 +0200
Subject: [PATCH 6/8] systemd: remove NET_ADMIN cap
The cap is not required
---
 imageroot/systemd/user/vpn.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/imageroot/systemd/user/vpn.service b/imageroot/systemd/user/vpn.service
index 77870a3..85676c1 100644
--- a/imageroot/systemd/user/vpn.service
+++ b/imageroot/systemd/user/vpn.service
@@ -19,7 +19,7 @@ ExecStart=/usr/bin/podman run \
 --volume=%S/state/clients:/etc/openvpn/clients:z \
 --env-file=%S/state/network.env \
 --env-file=%S/state/config.env \
- --network=host --cap-add=NET_ADMIN --device /dev/net/tun \
+ --network=host --device /dev/net/tun \
 --security-opt label=disable \
 ${NETHSECURITY_VPN_IMAGE}
 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/vpn.ctr-id -t 10
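Review bot: With `--cap-add=NET_ADMIN` gone the container can presumably still open `/dev/net/tun` but no longer configure the interface itself, so vpn.service now depends on the host side having created and addressed the device beforehand (`agent.add_tun` in 20configure, patch 2 of this series). That dependency deserves a comment on the ExecStart line, e.g. `# The tun device is created and addressed by configure-module (agent.add_tun); the container only opens it`, since the commit message says only that the capability is not required. Whether the OpenVPN process inside the image needs any other privilege is not visible here; the ExecStart block starts outside the hunk.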
From 612006264ed7b8890a6e6e62611d3a52d5005cfe Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Wed, 27 Sep 2023 11:48:20 +0200
Subject: [PATCH 7/8] destroy-module: stop the service
Make sure the tun device is not in use before removing it
---
 imageroot/actions/destroy-module/50systemd | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100755 imageroot/actions/destroy-module/50systemd
diff --git a/imageroot/actions/destroy-module/50systemd b/imageroot/actions/destroy-module/50systemd
new file mode 100755
index 0000000..a4bfc00
--- /dev/null
+++ b/imageroot/actions/destroy-module/50systemd
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+exec 1>&2 # Send any output to stderr, to not alter the action response protocol
+
+# Stop the controller to free the tun device
+systemctl --user disable --now controller.service
From 6a79a1e8af7efce34db12099211d94d2afe1c2dc Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Wed, 27 Sep 2023 14:16:53 +0200
Subject: [PATCH 8/8] license: use spdx header
---
 .../actions/configure-module/20configure | 19 ++-----------------
 .../actions/configure-module/80start_services | 19 ++-----------------
 imageroot/actions/create-module/20initialize | 19 ++-----------------
 imageroot/actions/create-module/40firewall | 19 ++-----------------
 imageroot/actions/destroy-module/20destroy | 19 ++-----------------
 imageroot/actions/destroy-module/40firewall | 19 ++-----------------
 imageroot/actions/get-configuration/20read | 19 ++-----------------
 7 files changed, 14 insertions(+), 119 deletions(-)
diff --git a/imageroot/actions/configure-module/20configure b/imageroot/actions/configure-module/20configure
index e815c33..f06ad40 100755
--- a/imageroot/actions/configure-module/20configure
+++ b/imageroot/actions/configure-module/20configure
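Review bot: The new 50systemd runs `systemctl --user disable --now controller.service` without `set -e`, so if the stop fails the destroy action still proceeds to 60tun, which removes the very device this commit wants to be idle first. Add `set -e` after the `exec 1>&2` line, or test the exit status explicitly, so a failed stop is reported instead of the tun being pulled out from under a running container. Since every sub-unit declares `BindsTo=controller.service`, stopping the controller alone should be enough to take the vpn container down with it.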
@@ -1,23 +1,8 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 Nethesis S.r.l. -# http://www.nethesis.it - nethserver@nethesis.it -# -# This script is part of NethServer. -# -# NethServer is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, -# or any later version. -# -# NethServer is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with NethServer. If not, see COPYING. +# Copyright (C) 2023 Nethesis S.r.l. +# SPDX-License-Identifier: GPL-3.0-or-later # import json diff --git a/imageroot/actions/configure-module/80start_services b/imageroot/actions/configure-module/80start_services index d568437..cd4cc13 100755 --- a/imageroot/actions/configure-module/80start_services +++ b/imageroot/actions/configure-module/80start_services 
@@ -1,23 +1,8 @@ #!/bin/bash # -# Copyright (C) 2022 Nethesis S.r.l. -# http://www.nethesis.it - nethserver@nethesis.it -# -# This script is part of NethServer. -# -# NethServer is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, -# or any later version. -# -# NethServer is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with NethServer. If not, see COPYING. +# Copyright (C) 2023 Nethesis S.r.l. +# SPDX-License-Identifier: GPL-3.0-or-later # # If the control reaches this step, the service can be enabled and started diff --git a/imageroot/actions/create-module/20initialize b/imageroot/actions/create-module/20initialize index 430b90b..0f704f8 100755 --- a/imageroot/actions/create-module/20initialize +++ b/imageroot/actions/create-module/20initialize 
@@ -1,23 +1,8 @@
 #!/bin/bash
 #
-# Copyright (C) 2022 Nethesis S.r.l.
-# http://www.nethesis.it - nethserver@nethesis.it
-#
-# This script is part of NethServer.
-#
-# NethServer is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# NethServer is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with NethServer. If not, see COPYING.
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
 #
 exec 1>&2 # Send any output to stderr, to not alter the action response protocol
diff --git a/imageroot/actions/create-module/40firewall b/imageroot/actions/create-module/40firewall
index 5a0694f..743ed8e 100755
--- a/imageroot/actions/create-module/40firewall
+++ b/imageroot/actions/create-module/40firewall
@@ -1,23 +1,8 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022 Nethesis S.r.l.
-# http://www.nethesis.it - nethserver@nethesis.it
-#
-# This script is part of NethServer.
-#
-# NethServer is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# NethServer is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with NethServer. If not, see COPYING.
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
 #
 import os
diff --git a/imageroot/actions/destroy-module/20destroy b/imageroot/actions/destroy-module/20destroy
index f3e903c..0d8c895 100755
--- a/imageroot/actions/destroy-module/20destroy
+++ b/imageroot/actions/destroy-module/20destroy
@@ -1,23 +1,8 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 Nethesis S.r.l.
-# http://www.nethesis.it - nethserver@nethesis.it
-#
-# This script is part of NethServer.
-#
-# NethServer is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# NethServer is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with NethServer. If not, see COPYING.
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
 #
 # Remove traefik route
diff --git a/imageroot/actions/destroy-module/40firewall b/imageroot/actions/destroy-module/40firewall
index 66cba63..fb3a6d9 100755
--- a/imageroot/actions/destroy-module/40firewall
+++ b/imageroot/actions/destroy-module/40firewall
@@ -1,23 +1,8 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022 Nethesis S.r.l.
-# http://www.nethesis.it - nethserver@nethesis.it
-#
-# This script is part of NethServer.
-#
-# NethServer is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# NethServer is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with NethServer. If not, see COPYING.
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
 #
 import os
diff --git a/imageroot/actions/get-configuration/20read b/imageroot/actions/get-configuration/20read
index 0865b4f..c311e34 100755
--- a/imageroot/actions/get-configuration/20read
+++ b/imageroot/actions/get-configuration/20read
@@ -1,23 +1,8 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022 Nethesis S.r.l.
-# http://www.nethesis.it - nethserver@nethesis.it
-#
-# This script is part of NethServer.
-#
-# NethServer is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License,
-# or any later version.
-#
-# NethServer is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with NethServer. If not, see COPYING.
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
 #
 import json