🐛 BUG: nebula does not send Systemd ready signal when using type: notify #997

Closed
Troyhy opened this issue Oct 18, 2023 · 2 comments
Troyhy commented Oct 18, 2023

What version of nebula are you using?

1.7.2

What operating system are you using?

Linux

Describe the Bug

Test with systemd-notify program

This is what I expect.

# terminal 1
❯ socat unix-recv:/tmp/test.sock -
READY=1
STATUS=helloBARRIER=1ERRNO=110EXIT_STATUS=1
# terminal 2
❯  NOTIFY_SOCKET=/tmp/test.sock systemd-notify --ready --status="hello"

Test With Nebula

# terminal 1
❯ socat unix-recv:/tmp/test.sock -
# terminal 2
❯ NOTIFY_SOCKET=/tmp/test.sock nebula -config config.yaml  
...  connection will be established ...

Issue

Nebula notify does not work, as nothing arrives on the test.sock socket.
I would also expect to get a log if the notify could not be sent.

func notifyReady(l *logrus.Logger) {
	sockName := os.Getenv("NOTIFY_SOCKET")
	if sockName == "" {
		l.Debugln("NOTIFY_SOCKET systemd env var not set, not sending ready signal")
		return
	}

This will cause the example nebula.service to hang in the starting state for the timeout period and finally restart.

Logs from affected hosts

INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:1 startPort:0]"
INFO[0000] Firewall started                              firewallHash=807243764ac783d089ea5ae93e0ed7fc0a1da4756ca7cb7ae553e128a2b3eb65
INFO[0000] Main HostMap created                          network=10.250.0.2/16 preferredRanges="[]"
INFO[0000] punchy enabled                               
INFO[0000] Loaded send_recv_error config                 sendRecvError=always
INFO[0000] Nebula interface is active                    boringcrypto=false build=1.7.2 interface=nebula1 network=10.250.0.2/16 udpAddr="0.0.0.0:4242"
INFO[0000] Handshake message sent                        handshake="map[stage:1 style:ix_psk0]" initiatorIndex=1312030387 localIndex=1312030387 remoteIndex=0 udpAddrs="[XXX.XXX.XXX.XXX:4242]" vpnIp=10.250.0.1
INFO[0000] Handshake message received                    certName=lighthouse1 durationNs=24264526 fingerprint=46ccff068e39f1b27a12d4b14c7ac2e88ff56b9d6ea54ab9050810a5fa829c4a handshake="map[stage:2 style:ix_psk0]" initiatorIndex=1312030387 issuer=a5fdee0187dabbe031ce279d569d574680d17314d862894c5dc9e60a1dadc393 remoteIndex=1312030387 responderIndex=3241798842 sentCachedPackets=1 udpAddr="XXX.XXX.XXX.XXX:4242" vpnIp=10.250.0.1

Config files from affected hosts

pki:
  ca: |
    -----BEGIN NEBULA CERTIFICATE-----
    xxxx
    -----END NEBULA CERTIFICATE-----
  cert: |
    -----BEGIN NEBULA CERTIFICATE-----
    xxxx
    -----END NEBULA CERTIFICATE-----
  key: |
    -----BEGIN NEBULA X25519 PRIVATE KEY-----
    xxxx
    -----END NEBULA X25519 PRIVATE KEY-----
static_host_map:
  "10.250.0.1": ["XXX.XXX.XXX.XXX:4242"]
lighthouse:
  am_lighthouse: false
  interval: 10
  hosts:
    - "10.250.0.1"
listen:
  host: 0.0.0.0
  port: 4242
punchy:
  punch: true
  respond: true
relay:
  am_relay: false
  use_relays: true
tun:
  disabled: false
  dev: nebula1
  drop_local_broadcast: false
  drop_multicast: false
  tx_queue: 500
  mtu: 1300
  routes:
  unsafe_routes:
logging:
  level: info
  format: text
firewall:
  outbound_action: reject
  inbound_action: reject
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any
      proto: icmp
      host: any
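
One way to send the ready datagram and log every failure path, as the report above asks for. This is an added example, not nebula's code or its fix; `sdNotify` and this `notifyReady` signature are hypothetical, and it uses the standard `log` package rather than logrus.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"os"
	"strings"
)

// sdNotify sends state to $NOTIFY_SOCKET; (false, nil) means the variable is unset.
func sdNotify(state string) (bool, error) {
	name := os.Getenv("NOTIFY_SOCKET")
	if name == "" {
		return false, nil
	}
	// Absolute path or abstract "@name"; on Linux Go maps a leading '@' to the abstract namespace.
	if !strings.HasPrefix(name, "/") && !strings.HasPrefix(name, "@") {
		return false, fmt.Errorf("unsupported NOTIFY_SOCKET %q", name)
	}
	conn, err := net.DialUnix("unixgram", nil, &net.UnixAddr{Name: name, Net: "unixgram"})
	if err != nil {
		return false, fmt.Errorf("dial %s: %w", name, err)
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(state)); err != nil {
		return false, fmt.Errorf("write %s: %w", name, err)
	}
	return true, nil
}

// notifyReady (hypothetical signature) logs every outcome, including failures.
func notifyReady() error {
	sent, err := sdNotify("READY=1")
	switch {
	case err != nil:
		log.Printf("failed to send systemd ready signal: %v", err)
	case !sent:
		log.Print("NOTIFY_SOCKET not set, not sending ready signal")
	default:
		log.Print("sent systemd ready signal")
	}
	return err
}

func main() {
	_ = notifyReady() // outcome is already logged
}
```

Running it with `NOTIFY_SOCKET=/tmp/test.sock` against the `socat unix-recv:/tmp/test.sock -` receiver from the report should print `READY=1` in terminal 1.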
Troyhy commented Oct 18, 2023

johnmaguire (Collaborator) commented

Yep, this is coming in v1.7.3 (see #929.) You can run a nightly build if you like, or wait for the next release.

If the ready signal doesn't work in a nightly build or v1.7.3, feel free to open a new ticket, or tag me on this ticket and I'll reopen it.

@johnmaguire closed this as not planned (won't fix, can't repro, duplicate, stale) on Oct 18, 2023
@wadey added this to the v1.8.0 milestone on May 6, 2024