add Linux package openziti-router

dist/dist-packages/linux/nfpm-openziti-router.yaml

@@ -0,0 +1,35 @@
+# nfpm configuration file
+#
+# check https://nfpm.goreleaser.com/configuration for detailed usage
+#
+name: openziti-router
+arch: ${GOARCH}
+platform: linux
+version: ${ZITI_VERSION}
+maintainer: ${ZITI_MAINTAINER}
+description: >
+  Provides a system service for running an OpenZiti Router
+vendor: ${ZITI_VENDOR}
+homepage: ${ZITI_HOMEPAGE}
+license: Apache-2.0
+# Contents to add to the package.
+contents:
+  - dst: /lib/systemd/system/
+    src: ./dist/dist-packages/linux/openziti-router/ziti-router.service
+
+  - dst: /opt/openziti/etc/router
+    type: dir
+    file_info:
+      mode: 0755
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/env
+    type: config|noreplace
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/bootstrap.bash
+
+  - dst: /opt/openziti/etc/router/
+    src: ./dist/dist-packages/linux/openziti-router/entrypoint.bash
+depends:
+  - openziti  # ziti CLI

dist/dist-packages/linux/openziti-controller/ziti-controller.service

@@ -29,7 +29,7 @@ StateDirectory=ziti-controller
 WorkingDirectory=/var/lib/ziti-controller
 
 # used by bootstrap.bash to look up /run/credentials/$UNIT_NAME/$CREDENTIAL_NAME
-Environment="UNIT_NAME=ziti-controller.service"
+Environment=UNIT_NAME=ziti-controller.service
 EnvironmentFile=/opt/openziti/etc/controller/env
 ExecStart=/opt/openziti/etc/controller/entrypoint.bash
 

dist/dist-packages/linux/openziti-router/bootstrap.bash

@@ -10,6 +10,7 @@ function makeConfig() {
 
   if [[ ! -s "./${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then
     ziti create config router "${ZITI_ROUTER_TYPE}" \
+      --tunnelerMode "${ZITI_ROUTER_MODE}" \
       --routerName "${ZITI_ROUTER_NAME}" \
       --output "./${ZITI_ROUTER_CONFIG_FILE}"
   fi
@@ -39,10 +40,11 @@ function enroll() {
 
 function bootstrap() {
 
-  if (( $# )); then
+  if [ -n "${1:-}" ]; then
     ZITI_ROUTER_CONFIG_FILE="${1}"
   else
-    : "${ZITI_ROUTER_CONFIG_FILE:=config.yml}"
+    echo "ERROR: no config file path provided" >&2
+    return 1
   fi
 
   # make config file unless it exists if true, set force to overwrite
@@ -65,10 +67,11 @@ function bootstrap() {
 #
 
 # used by "ziti create config router" and "ziti create config environment" 
-: "${ZITI_ROUTER_ADVERTISED_ADDRESS:=$(hostname -f)}"
-: "${ZITI_ROUTER_NAME:=${ZITI_ROUTER_TYPE}-router}"
+: "${ZITI_ROUTER_ADVERTISED_ADDRESS:=${HOSTNAME:=$(hostname -f)}}"
+: "${ZITI_ROUTER_NAME:=${HOSTNAME%%.*}}"
+: "${ZITI_CTRL_ADVERTISED_PORT:=443}"
 export  ZITI_ROUTER_NAME \
         ZITI_ROUTER_ADVERTISED_ADDRESS \
+        ZITI_CTRL_ADVERTISED_PORT \
         ZITI_ROUTER_PORT="${ZITI_ROUTER_ADVERTISED_PORT}" \
         ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_ADVERTISED_PORT}"
-

dist/dist-packages/linux/openziti-router/entrypoint.bash

@@ -6,14 +6,13 @@
 set -o errexit
 set -o nounset
 set -o pipefail
-set -x  # for debugging
 
 # shellcheck disable=SC1090 # default path is set by the systemd service
 source "${ZITI_ROUTER_BOOTSTRAP_BASH:-/opt/openziti/etc/router/bootstrap.bash}"
 # if no args or first arg is "run", bootstrap the router with the config file path as next arg, or default "config.yml"
-if [[ $# -eq 0 || ${1} == run ]]; then
-    bootstrap "${2:-}"
+if [ "${1:-run}" == run ]; then
+    bootstrap "${2:-config.yml}"
 fi
 
 # shellcheck disable=SC2068
-exec ziti router ${@}
+exec ziti router ${@:-run config.yml}

dist/dist-packages/linux/openziti-router/env

@@ -0,0 +1,41 @@
+#
+# this is a systemd env file allowing simple assignments for ziti-controller.service environment
+#
+
+# disable JSON logging
+PFXLOG_NO_JSON=true
+
+#
+# for "ziti create config router edge" commands in bootstrap.bash
+#
+
+# address and port of the controller (required)
+ZITI_CTRL_ADVERTISED_ADDRESS=
+ZITI_CTRL_ADVERTISED_PORT=
+
+# set identity filenames (default: hostname -s)
+ZITI_ROUTER_NAME=
+# the advertised address of the router is a domain name that can be resolved by all devices (default: hostname -f)
+ZITI_ROUTER_ADVERTISED_ADDRESS=
+# the advertised and listening port of the router (default: 80)
+ZITI_ROUTER_ADVERTISED_PORT=
+# the interface address on which to listen (default: 0.0.0.0)
+ZITI_ROUTER_BIND_ADDRESS=
+# where to listen for DNS requests in tproxy mode (default: udp://127.0.0.1:53)
+ZITI_ROUTER_TPROXY_RESOLVER=
+# type of router (default: edge, options: edge, fabric)
+ZITI_ROUTER_TYPE=edge
+
+# the mode of the router (default: host) requires that the router is administratively created with flag
+# --tunneler-enabled
+ZITI_ROUTER_MODE=host
+
+# create a config file unless it exists if "true", set "force" to overwrite
+ZITI_BOOTSTRAP_CONFIG=true
+
+# enroll unless already enrolled if "true", set "force" to overwrite key and cert (requires new enrollment token)
+ZITI_BOOTSTRAP_ENROLLMENT=true
+# for better security, leave this assignment empty and create a file readable only by root containing the
+# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in
+# /lib/systemd/system/ziti-router.service
+ZITI_ENROLL_TOKEN=

dist/dist-packages/linux/openziti-router/ziti-router.service

@@ -0,0 +1,41 @@
+[Unit]
+Description=OpenZiti Router
+After=network-online.target
+
+[Service]
+# "ziti router run" is the main process managed by this service and replaces entrypoint.bash
+Type=simple
+
+# manage the user and permissions for the service automatically
+DynamicUser=yes
+
+# allow binding low ports, e.g., 443/tcp
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+# required when ZITI_ROUTER_MODE=tproxy
+AmbientCapabilities=CAP_NET_ADMIN
+
+
+# load enrollment token from a file readable only by root for better security
+LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token
+# or set one-time enrollment token as literal string
+# SetCredential=ZITI_ENROLL_TOKEN:<jwt string here>
+
+UMask=0007
+Restart=always
+RestartSec=3
+LimitNOFILE=65535
+
+# relative to /var/lib
+StateDirectory=ziti-router
+
+# absolute path where service will be run
+WorkingDirectory=/var/lib/ziti-router
+
+# used by bootstrap.bash to look up /run/credentials/$UNIT_NAME/$CREDENTIAL_NAME
+Environment=UNIT_NAME=ziti-router.service
+EnvironmentFile=/opt/openziti/etc/router/env
+
+ExecStart=/opt/openziti/etc/router/entrypoint.bash run config.yml
+
+[Install]
+WantedBy=multi-user.target

dist/docker-images/ziti-router/Dockerfile

@@ -19,10 +19,17 @@ RUN INSTALL_PKGS="util-linux iptables" && \
 
 # set a var for entrypoint.bash to find this script
 ENV ZITI_ROUTER_BOOTSTRAP_BASH=/bootstrap.bash
+ENV ZITI_ROUTER_TYPE=edge
+ENV ZITI_ROUTER_ADVERTISED_PORT=3022
+ENV ZITI_BOOTSTRAP_CONFIG=true
+ENV ZITI_BOOTSTRAP_ENROLLMENT=true
+ENV PFXLOG_NO_JSON=true
 COPY ./dist/dist-packages/linux/openziti-router/bootstrap.bash ${ZITI_ROUTER_BOOTSTRAP_BASH}
-
 COPY ./dist/dist-packages/linux/openziti-router/entrypoint.bash /
 
+WORKDIR /ziti-router
+RUN chown -R ziggy:ziggy /ziti-router
+
 # run as ziggy (2171:2171) by default, override run-as user with root when DOCKER_ROUTER_MODE=tproxy
 USER ziggy
 

dist/docker-images/ziti-router/README.md

@@ -39,17 +39,14 @@ services:
   # add a web client that waits for a healthy tproxy router
   tproxy-demo-client:
     image: busybox
-    network_mode: service:run-ziti-router
+    network_mode: service:ziti-router
     depends_on:
-      run-ziti-router:
+      ziti-router:
         condition: service_healthy
-    command: wget --output-document=- http://hello.internal:8000/
+    command: wget --output-document=- http://hello.internal/
 
   # link the router to the quickstart network so it can reach the Ziti controller
-  enroll-ziti-router:
-    networks:
-      - quickstart
-  run-ziti-router:
+  ziti-router:
     networks:
       - quickstart
 EOF
@@ -73,23 +70,23 @@ ziti edge update identity quickstart-router \
     --role-attributes=hello.servers
 
 # create a second Ziti router to use as a tproxy client
-ziti edge create edge-router "tproxyRouter" \
-   --jwt-output-file=/tmp/tproxyRouter.jwt \
+ziti edge create edge-router "tproxy-router" \
+   --jwt-output-file=./tproxy-router.jwt \
    --tunneler-enabled
 
 # grant the tproxy client permission to dial (consume) the hello service
-ziti edge update identity tproxyRouter \
+ziti edge update identity tproxy-router \
     --role-attributes=hello.clients
 
 # simulate policies to check for authorization problems
 ziti edge policy-advisor services -q
 
 # run the demo client which triggers the run of the tproxy router because it is a dependency
-ZITI_ROUTER_JWT="$(</tmp/tproxyRouter.jwt)" \
+ZITI_ROUTER_JWT="$(<./tproxyRouter.jwt)" \
 ZITI_ROUTER_MODE=tproxy \
 ZITI_CTRL_ADVERTISED_ADDRESS=quickstart \
 ZITI_CTRL_ADVERTISED_PORT=1280 \
 ZITI_ROUTER_PORT=3023 \
-ZITI_ROUTER_ADVERTISED_ADDRESS=run-ziti-router \
+ZITI_ROUTER_ADVERTISED_ADDRESS=ziti-router \
     docker compose up tproxy-demo-client
 ```

dist/docker-images/ziti-router/compose.yml

@@ -30,6 +30,8 @@ services:
       ZITI_ROUTER_MODE: ${ZITI_ROUTER_MODE:-host}                     # host, tproxy, tproxy (tproxy requires additional config below)
       # *** less relevant vars below ***
       ZITI_ROUTER_TYPE: edge           # edge, fabric
+      ZITI_ROUTER_NAME: ziti-router    # ensure the computed filenames based on this var are consistent, not based on
+                                       #  ephemeral container id
       ZITI_BOOTSTRAP_CONFIG: true      # make config file from env vars and defaults if "true," overwrite if "force"
       ZITI_BOOTSTRAP_ENROLLMENT: true  # enroll with controller if "true," overwrite if "force"
       PFXLOG_NO_JSON: true

ziti/cmd/create/config_templates/router.yml

@@ -40,7 +40,7 @@ link:
 {{ if or .Router.IsFabric (eq .Router.TunnelerMode "none") }}#{{ end }}  - binding: tunnel
 {{ if or .Router.IsFabric (eq .Router.TunnelerMode "none") }}#{{ end }}    options:
 {{ if or .Router.IsFabric (eq .Router.TunnelerMode "none") }}#      mode: host #tproxy|host{{ else }}      mode: {{ .Router.TunnelerMode }} #tproxy|host{{ end }}
-{{ if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") }}      resolver: udp://0.0.0.0:53{{ end }}
+{{ if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") }}      resolver: {{ .Router.Edge.Resolver }}{{ end }}
 {{ if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") (.Router.Edge.LanInterface) }}      lanIf: {{ .Router.Edge.LanInterface }}{{ end }}
 {{ if .Router.IsFabric -}}
 csr:

ziti/cmd/create/create_config.go

@@ -166,6 +166,7 @@ type EdgeRouterTemplateValues struct {
 	IPOverride       string
 	AdvertisedHost   string
 	LanInterface     string
+	Resolver         string
 	ListenerBindPort string
 	CsrC             string
 	CsrST            string
@@ -281,6 +282,7 @@ func (data *ConfigTemplateValues) PopulateConfigValues() {
 	// ************* Router Values ************
 	data.Router.Edge.Port = cmdHelper.GetZitiEdgeRouterPort()
 	data.Router.Edge.ListenerBindPort = cmdHelper.GetZitiEdgeRouterListenerBindPort()
+	data.Router.Edge.Resolver = cmdHelper.GetZitiEdgeRouterResolver()
 	data.Router.Edge.CsrC = cmdHelper.GetZitiEdgeRouterC()
 	data.Router.Edge.CsrST = cmdHelper.GetZitiEdgeRouterST()
 	data.Router.Edge.CsrL = cmdHelper.GetZitiEdgeRouterL()

ziti/cmd/create/create_config_environment.go

@@ -126,6 +126,7 @@ func NewCmdCreateConfigEnvironment() *cobra.Command {
 				{constants.ZitiRouterIdentityCAVarName, constants.ZitiRouterIdentityCAVarDescription, data.Router.IdentityCA},
 				{constants.ZitiEdgeRouterIPOverrideVarName, constants.ZitiEdgeRouterIPOverrideVarDescription, data.Router.Edge.IPOverride},
 				{constants.ZitiEdgeRouterAdvertisedAddressVarName, constants.ZitiEdgeRouterAdvertisedAddressVarDescription, data.Router.Edge.AdvertisedHost},
+				{constants.ZitiEdgeRouterResolverVarName, constants.ZitiEdgeRouterResolverVarDescription, data.Router.Edge.Resolver},
 				{constants.ZitiEdgeRouterCsrCVarName, constants.ZitiEdgeRouterCsrCVarDescription, data.Router.Edge.CsrC},
 				{constants.ZitiEdgeRouterCsrSTVarName, constants.ZitiEdgeRouterCsrSTVarDescription, data.Router.Edge.CsrST},
 				{constants.ZitiEdgeRouterCsrLVarName, constants.ZitiEdgeRouterCsrLVarDescription, data.Router.Edge.CsrL},
@@ -205,6 +206,7 @@ func NewCmdCreateConfigEnvironment() *cobra.Command {
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiRouterIdentityCAVarName, constants.ZitiRouterIdentityCAVarDescription, data.Router.IdentityCA))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterIPOverrideVarName, constants.ZitiEdgeRouterIPOverrideVarDescription, data.Router.Edge.IPOverride))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterAdvertisedAddressVarName, constants.ZitiEdgeRouterAdvertisedAddressVarDescription, data.Router.Edge.AdvertisedHost))
+	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterResolverVarName, constants.ZitiEdgeRouterResolverVarDescription, data.Router.Edge.Resolver))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrCVarName, constants.ZitiEdgeRouterCsrCVarDescription, data.Router.Edge.CsrC))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrSTVarName, constants.ZitiEdgeRouterCsrSTVarDescription, data.Router.Edge.CsrST))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrLVarName, constants.ZitiEdgeRouterCsrLVarDescription, data.Router.Edge.CsrL))

ziti/cmd/create/create_config_router_edge.go

@@ -76,6 +76,7 @@ func NewCmdCreateConfigRouterEdge(routerOptions *CreateConfigRouterOptions, data
 			data.Router.IsPrivate = routerOptions.IsPrivate
 			data.Router.TunnelerMode = routerOptions.TunnelerMode
 			data.Router.Edge.LanInterface = routerOptions.LanInterface
+			data.Router.Edge.Resolver = cmdhelper.GetZitiEdgeRouterResolver()
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			routerOptions.Cmd = cmd

ziti/cmd/create/create_config_test.go

@@ -43,6 +43,10 @@ func getZitiEnvironmentVariables() []string {
 		"ZITI_CTRL_EDGE_BIND_ADDRESS",
 		"ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION",
 		"ZITI_HOME",
+		"ZITI_ROUTER_ENROLLMENT_DURATION",
+		"ZITI_ROUTER_ADVERTISED_ADDRESS",
+		"ZITI_ROUTER_LISTENER_BIND_PORT",
+		"ZITI_ROUTER_TPROXY_RESOLVER",
 		"ZITI_PKI_ALT_SERVER_CERT",
 		"ZITI_PKI_ALT_SERVER_KEY",
 		"ZITI_PKI_CTRL_CA",

ziti/cmd/helpers/env_helpers.go

@@ -17,6 +17,7 @@
 package helpers
 
 import (
+	"github.com/openziti/ziti/router/xgress_edge_tunnel"
 	edge "github.com/openziti/ziti/controller/config"
 	"github.com/openziti/ziti/ziti/constants"
 	"github.com/pkg/errors"
@@ -124,10 +125,6 @@ func GetCtrlEdgeAdvertisedPort() string {
 	return getFromEnv(constants.CtrlEdgeAdvertisedPortVarName, defaultValue(constants.DefaultCtrlEdgeAdvertisedPort))
 }
 
-func GetCtrlDatabaseFile() string {
-	return getFromEnv(constants.CtrlDatabaseFileVarName, defaultValue(constants.DefaultCtrlDatabaseFile))
-}
-
 func GetZitiEdgeRouterPort() string {
 	return getFromEnv(constants.ZitiEdgeRouterPortVarName, defaultValue(constants.DefaultZitiEdgeRouterPort))
 }
@@ -201,6 +198,9 @@ func NormalizePath(input string) string {
 func GetRouterAdvertisedAddress() string {
 	return getFromEnv(constants.ZitiEdgeRouterAdvertisedAddressVarName, HostnameOrNetworkName)
 }
+func GetZitiEdgeRouterResolver() string {
+	return getFromEnv(constants.ZitiEdgeRouterResolverVarName, defaultValue(xgress_edge_tunnel.DefaultDnsResolver))
+}
 func GetRouterSans() string {
 	return getFromEnv(constants.ZitiRouterCsrSansDnsVarName, GetRouterAdvertisedAddress)
 }

ziti/constants/constants.go

@@ -124,6 +124,8 @@ const (
 	ZitiEdgeRouterAdvertisedAddressVarDescription    = "The advertised address of the router"
 	ZitiEdgeRouterListenerBindPortVarName            = "ZITI_ROUTER_LISTENER_BIND_PORT"
 	ZitiEdgeRouterListenerBindPortVarDescription     = "The port a public router will advertise on"
+	ZitiEdgeRouterResolverVarName                    = "ZITI_ROUTER_TPROXY_RESOLVER"
+	ZitiEdgeRouterResolverVarDescription             = "The bind URI to listen for DNS requests in tproxy mode"
 	ZitiEdgeRouterCsrCVarName                        = "ZITI_ROUTER_CSR_C"
 	ZitiEdgeRouterCsrCVarDescription                 = "The country (C) to use for router CSRs"
 	ZitiEdgeRouterCsrSTVarName                       = "ZITI_ROUTER_CSR_ST"