checkpoint

openziti · Mar 15, 2024 · 491d4d9 · 491d4d9
1 parent e18c43a
commit 491d4d9
Show file tree

Hide file tree

Showing 15 changed files with 352 additions and 71 deletions.
diff --git a/dist/dist-packages/linux/nfpm-openziti-router.yaml b/dist/dist-packages/linux/nfpm-openziti-router.yaml
@@ -31,5 +31,10 @@ contents:
 
   - dst: /opt/openziti/etc/router/
     src: ./dist/dist-packages/linux/openziti-router/entrypoint.bash
+
+scripts:
+  postinstall: ./dist/dist-packages/linux/openziti-router/postinstall.bash
+  preremove: ./dist/dist-packages/linux/openziti-router/preremove.bash
+
 depends:
   - openziti  # ziti CLI
diff --git a/dist/dist-packages/linux/openziti-router/bootstrap.bash b/dist/dist-packages/linux/openziti-router/bootstrap.bash
@@ -8,11 +8,11 @@ function makeConfig() {
   # create config file
   #
 
-  if [[ ! -s "./${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then
+  if [[ ! -s "${ZITI_ROUTER_CONFIG_FILE}" || "${1:-}" == --force ]]; then
     ziti create config router "${ZITI_ROUTER_TYPE}" \
       --tunnelerMode "${ZITI_ROUTER_MODE}" \
       --routerName "${ZITI_ROUTER_NAME}" \
-      --output "./${ZITI_ROUTER_CONFIG_FILE}"
+      --output "${ZITI_ROUTER_CONFIG_FILE}"
   fi
 
 }
@@ -25,10 +25,10 @@ function enroll() {
   if [[ ! -s "${ZITI_ROUTER_IDENTITY_CERT}" || "${1:-}" == --force ]]; then
     if [ -n "${ZITI_ENROLL_TOKEN:-}" ]; then
       # shellcheck disable=SC2188
-      ziti router enroll "./${ZITI_ROUTER_CONFIG_FILE}" \
+      ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \
         --jwt <(echo "${ZITI_ENROLL_TOKEN}")
     elif [ -s "/run/credentials/${UNIT_NAME:=ziti-router.service}/ZITI_ENROLL_TOKEN" ]; then
-      ziti router enroll "./${ZITI_ROUTER_CONFIG_FILE}" \
+      ziti router enroll "${ZITI_ROUTER_CONFIG_FILE}" \
         --jwt "/run/credentials/${UNIT_NAME}/ZITI_ENROLL_TOKEN"
     else
       echo  "ERROR: use SetCredential or LoadCredential in"\
@@ -69,9 +69,9 @@ function bootstrap() {
 # used by "ziti create config router" and "ziti create config environment" 
 : "${ZITI_ROUTER_ADVERTISED_ADDRESS:=${HOSTNAME:=$(hostname -f)}}"
 : "${ZITI_ROUTER_NAME:=${HOSTNAME%%.*}}"
-: "${ZITI_CTRL_ADVERTISED_PORT:=443}"
+: "${ZITI_CTRL_ADVERTISED_PORT:=1280}"
 export  ZITI_ROUTER_NAME \
         ZITI_ROUTER_ADVERTISED_ADDRESS \
         ZITI_CTRL_ADVERTISED_PORT \
-        ZITI_ROUTER_PORT="${ZITI_ROUTER_ADVERTISED_PORT}" \
-        ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_ADVERTISED_PORT}"
+        ZITI_ROUTER_PORT \
+        ZITI_ROUTER_LISTENER_BIND_PORT="${ZITI_ROUTER_PORT}"
diff --git a/dist/dist-packages/linux/openziti-router/entrypoint.bash b/dist/dist-packages/linux/openziti-router/entrypoint.bash
@@ -7,12 +7,27 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-# shellcheck disable=SC1090 # default path is set by the systemd service
+if ! (( $# )); then
+    # if no args, run the router with the default config file
+    set -- run config.yml
+elif [[ ${1} == run && -z ${2:-} ]]; then
+    # if first arg is "run" and second arg is empty, run the router with the default config file
+    set -- run config.yml
+fi
+
+# shellcheck disable=SC1090 # default path is assigned in env file
 source "${ZITI_ROUTER_BOOTSTRAP_BASH:-/opt/openziti/etc/router/bootstrap.bash}"
-# if no args or first arg is "run", bootstrap the router with the config file path as next arg, or default "config.yml"
-if [ "${1:-run}" == run ]; then
-    bootstrap "${2:-config.yml}"
+
+# if first arg is "run", bootstrap the router with the config file
+if [ "${1}" == run ]; then
+    bootstrap "${2}"
+fi
+
+# optionally renew certs at startup
+if [ "${ZITI_AUTO_RENEW_CERTS:-}" == true ]; then
+    # shellcheck disable=SC2068
+    set -- ${@} --extend
 fi
 
 # shellcheck disable=SC2068
-exec ziti router ${@:-run config.yml}
+exec ziti router ${@}
diff --git a/dist/dist-packages/linux/openziti-router/env b/dist/dist-packages/linux/openziti-router/env
@@ -2,40 +2,36 @@
 # this is a systemd env file allowing simple assignments for ziti-controller.service environment
 #
 
-# disable JSON logging
-PFXLOG_NO_JSON=true
-
 #
 # for "ziti create config router edge" commands in bootstrap.bash
 #
 
-# address and port of the controller (required)
+# address of the controller (required)
 ZITI_CTRL_ADVERTISED_ADDRESS=
-ZITI_CTRL_ADVERTISED_PORT=
+# tcp port of the controller (default: 1280)
+ZITI_CTRL_ADVERTISED_PORT=1280
+
+# for better security, leave this assignment empty and create a file readable only by root containing the
+# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in
+# /lib/systemd/system/ziti-router.service
+ZITI_ENROLL_TOKEN=
+# the router's address must be resolvable by other routers and edge identities (default: fully qualified hostname)
 
-# set identity filenames (default: hostname -s)
-ZITI_ROUTER_NAME=
-# the advertised address of the router is a domain name that can be resolved by all devices (default: hostname -f)
 ZITI_ROUTER_ADVERTISED_ADDRESS=
-# the advertised and listening port of the router (default: 80)
-ZITI_ROUTER_ADVERTISED_PORT=
+# the advertised and listening port of the router (default: 3022)
+ZITI_ROUTER_PORT=3022
+
 # the interface address on which to listen (default: 0.0.0.0)
-ZITI_ROUTER_BIND_ADDRESS=
+ZITI_ROUTER_BIND_ADDRESS="0.0.0.0"
+
 # where to listen for DNS requests in tproxy mode (default: udp://127.0.0.1:53)
-ZITI_ROUTER_TPROXY_RESOLVER=
+ZITI_ROUTER_TPROXY_RESOLVER="udp://127.0.0.1:53"
+
+# set identity filenames (default: unqualified hostname)
+# ZITI_ROUTER_NAME=
+
 # type of router (default: edge, options: edge, fabric)
 ZITI_ROUTER_TYPE=edge
-
 # the mode of the router (default: host) requires that the router is administratively created with flag
 # --tunneler-enabled
 ZITI_ROUTER_MODE=host
-
-# create a config file unless it exists if "true", set "force" to overwrite
-ZITI_BOOTSTRAP_CONFIG=true
-
-# enroll unless already enrolled if "true", set "force" to overwrite key and cert (requires new enrollment token)
-ZITI_BOOTSTRAP_ENROLLMENT=true
-# for better security, leave this assignment empty and create a file readable only by root containing the
-# token and set "LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token" in
-# /lib/systemd/system/ziti-router.service
-ZITI_ENROLL_TOKEN=
diff --git a/dist/dist-packages/linux/openziti-router/postinstall.bash b/dist/dist-packages/linux/openziti-router/postinstall.bash
@@ -0,0 +1,218 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o xtrace
+
+install() {
+    checkSystemdVersion $MINIMUM_SYSTEMD_VERSION
+    commonActions
+
+}
+
+upgrade() {
+    # Step 2(upgrade), do what you need
+    commonActions
+
+}
+
+commonActions() {
+    makeTokenFile
+    loadEnv
+    promptCtrlAdvertisedAddress
+    promptRouterAdvertisedAddress
+    promptEnrollToken
+    promptRouterMode
+    promptRouterPort
+}
+
+checkSystemdVersion() {
+    # Step 2 (clean install), enable the service in the proper way for this platform
+    if ! command -V systemctl &>/dev/null; then
+        echo "ERROR: required command 'systemctl' is missing" >&2
+        return 1
+    else
+        systemd_version=$(systemctl --version | awk '/^systemd/ {print $2}')
+    fi
+
+    if [ "${systemd_version}" -lt "$1" ]; then
+        printf "\033[31m systemd version %s is less then 232, aborting \033[0m\n" "${systemd_version}"
+        return 1
+    fi
+}
+
+makeTokenFile() {
+    # unless it exists, create an empty enrollment token file with restrictive permissions so the service can start with
+    # LoadCredential enabled
+    ZITI_ENROLL_TOKEN_FILE=/opt/openziti/etc/router/.token
+    if ! [ -s "${ZITI_ENROLL_TOKEN_FILE}" ]; then
+        umask 0177
+        touch "${ZITI_ENROLL_TOKEN_FILE}"
+    fi
+}
+
+prompt() {
+    # return true if interactive and response is not empty
+    if [[ "${DEBIAN_FRONTEND:-}" != "noninteractive" && -t 0 ]]; then
+        read -r -p "$1" response
+        if [ -n "${response:-}" ]; then
+            echo "${response}"
+        else
+            return 1
+        fi
+    else
+        echo "ERROR: non-interactive, unable prompt '$1'" >&2
+        return 1
+    fi
+}
+
+loadEnv() {
+    # shellcheck disable=SC1091
+    source /opt/openziti/etc/router/env
+}
+
+promptCtrlAdvertisedAddress() {
+    if [ -z "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then
+        if ZITI_CTRL_ADVERTISED_ADDRESS="$(prompt 'Enter the advertised address for the controller: ')"; then
+            if [ -n "${ZITI_CTRL_ADVERTISED_ADDRESS:-}" ]; then
+                sed -Ei "s/^(ZITI_CTRL_ADVERTISED_ADDRESS)=.*/\1=${ZITI_CTRL_ADVERTISED_ADDRESS}/" /opt/openziti/etc/router/env
+            fi
+        else
+            echo "WARN: missing ZITI_CTRL_ADVERTISED_ADDRESS in /opt/openziti/etc/router/env" >&2
+        fi
+    fi
+}
+
+promptRouterAdvertisedAddress() {
+    if [ -z "${ZITI_ROUTER_ADVERTISED_ADDRESS:-}" ]; then
+        if ZITI_ROUTER_ADVERTISED_ADDRESS="$(prompt 'Enter the advertised address for this router: ')"; then
+            if [ -n "${ZITI_ROUTER_ADVERTISED_ADDRESS:-}" ]; then
+                sed -Ei "s/^(ZITI_ROUTER_ADVERTISED_ADDRESS)=.*/\1=${ZITI_ROUTER_ADVERTISED_ADDRESS}/" /opt/openziti/etc/router/env
+            fi
+        else
+            echo "WARN: missing ZITI_ROUTER_ADVERTISED_ADDRESS in /opt/openziti/etc/router/env" >&2
+        fi
+    fi
+}
+
+promptEnrollToken() {
+    # make ziti vars available in "ziti create config environment"
+    exportZitiVars
+    # shellcheck disable=SC1090 # compute the path to the identity file
+    source <(ZITI_HOME=/var/lib/ziti-router ziti create config environment)
+    # do nothing if identity file has stuff in it
+    if [ -s "${ZITI_ROUTER_IDENTITY_CERT}" ]; then
+        echo "INFO: enrolled identity exists in ${ZITI_ROUTER_IDENTITY_CERT}"
+    # prompt for enrollment token if interactive, unless already answered
+    else
+        ZITI_BOOTSTRAP_ENROLLMENT=$(awk -F= '/^Environment=ZITI_BOOTSTRAP_ENROLLMENT=/ {print $3}' /lib/systemd/system/ziti-router.service)
+        if ! [[ "${ZITI_BOOTSTRAP_ENROLLMENT:-}" == true ]]; then
+            echo "INFO: ZITI_BOOTSTRAP_ENROLLMENT is not true in /lib/systemd/system/ziti-router.service" >&2
+        # do nothing if enrollment token is already defined in env file
+        elif [[ -n "${ZITI_ENROLL_TOKEN:-}" ]]; then
+            echo "INFO: ZITI_ENROLL_TOKEN is defined in /opt/openziti/etc/router/env and will be used to enroll during"\
+                    "next startup"
+        elif grep -qE "^LoadCredential=ZITI_ENROLL_TOKEN=${ZITI_ENROLL_TOKEN_FILE}" \
+                    /lib/systemd/system/ziti-router.service \
+                && [[ -s "${ZITI_ENROLL_TOKEN_FILE}" ]]; then
+            echo "INFO: ZITI_ENROLL_TOKEN is defined in ${ZITI_ENROLL_TOKEN_FILE} and will be used to"\
+                    "enroll during next startup "
+        elif grep -qE '^SetCredential=ZITI_ENROLL_TOKEN:.+' /lib/systemd/system/ziti-router.service; then
+            echo "INFO: ZITI_ENROLL_TOKEN is defined in /lib/systemd/system/ziti-router.service and will be used to"\
+                    "enroll during next startup"
+        else
+            if ZITI_ENROLL_TOKEN=$(prompt "Enter the enrollment token: "); then
+                if [ -n "${ZITI_ENROLL_TOKEN:-}" ]; then
+                    echo "$ZITI_ENROLL_TOKEN" >| /opt/openziti/etc/router/.token
+                fi
+            else
+                echo "WARN: missing ZITI_ENROLL_TOKEN; use LoadCredential or SetCredential in"\
+                        "/lib/systemd/system/ziti-router.service or set in /opt/openziti/etc/router/env" >&2
+            fi
+        fi
+    fi
+}
+
+promptRouterMode() {
+    # if undefined or default value in env file, prompt for router mode, preserving default if no answer
+    if [[ -z "${ZITI_ROUTER_MODE:-}" || "${ZITI_ROUTER_MODE}" == host ]]; then
+        if ZITI_ROUTER_MODE="$(prompt 'Enter the router mode (eg. host, tproxy, proxy) [host]: ' || echo 'host')"; then
+            sed -Ei "s/^(ZITI_ROUTER_MODE)=.*/\1=${ZITI_ROUTER_MODE}/" /opt/openziti/etc/router/env
+        fi
+    fi
+    if [[ "${ZITI_ROUTER_MODE}" == tproxy ]]; then
+        grantNetAdmin
+    fi
+}
+
+grantNetAdmin() {
+    # grant ambient capabilities to the router process if not already granted
+    if ! grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' /lib/systemd/system/ziti-router.service; then
+        # uncomment the line
+        sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /lib/systemd/system/ziti-router.service
+    fi
+    systemctl daemon-reload
+}
+
+promptRouterPort() {
+    # if undefined or default value in env file, prompt for router port, preserving default if no answer
+    if [[ -z "${ZITI_ROUTER_PORT:-}" || "${ZITI_ROUTER_PORT}" == 3022 ]]; then
+        if ZITI_ROUTER_PORT="$(prompt 'Enter the router port [3022]: ' || echo '3022')"; then
+            sed -Ei "s/^(ZITI_ROUTER_PORT)=.*/\1=${ZITI_ROUTER_PORT}/" /opt/openziti/etc/router/env
+        fi
+    fi
+    if [[ "${ZITI_ROUTER_PORT}" -le 1024 ]]; then
+        grantNetBindService
+    fi
+}
+
+grantNetBindService() {
+    # grant binding privileged low ports unless already granted
+    if ! grep -qE '^AmbientCapabilities=CAP_NET_BIND_SERVICE' /lib/systemd/system/ziti-router.service; then
+        # uncomment the line
+        sed -Ei 's/.*AmbientCapabilities=CAP_NET_BIND_SERVICE/AmbientCapabilities=CAP_NET_BIND_SERVICE/' /lib/systemd/system/ziti-router.service
+    fi
+    systemctl daemon-reload
+}
+
+exportZitiVars() {
+    # make ziti vars available in forks like "ziti create config environment"
+    for line in $(set | grep -e "^ZITI_" | sort); do
+        # shellcheck disable=SC2013
+        for var in $(awk -F= '{print $1}' <<< "$line"); do
+            # shellcheck disable=SC2163
+            export "$var"
+        done
+    done
+}
+
+MINIMUM_SYSTEMD_VERSION=232
+
+# Step 1, check if this is a clean install or an upgrade
+if (( $# )); then
+    if  [[ $1 == 1 || ($1 == configure && -z ${2:-}) ]]; then
+        # deb passes $1=configure, rpm passes $1=1
+        action=install
+    elif [[ $1 == 2 || ($1 == configure && -n ${2:-}) ]]; then
+        # deb passes $1=configure $2=<current version>, rpm passes $1=2
+        action=upgrade
+    else
+        echo "ERROR: unexpected action '$1'" >&2
+        exit 1
+    fi
+else
+    echo "ERROR: missing action" >&2
+    exit 1
+fi
+
+case "$action" in
+    "install")
+        printf "\033[32m Post Install of an clean install\033[0m\n"
+        install
+        ;;
+    "upgrade")
+        printf "\033[32m Post Install of an upgrade\033[0m\n"
+        upgrade
+        ;;
+esac
diff --git a/dist/dist-packages/linux/openziti-router/preremove.bash b/dist/dist-packages/linux/openziti-router/preremove.bash
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o xtrace
+
+# if it exists and is still empty, clean up the enrollment token file that was created by postinstall.bash, allowing the
+# package manager to remove the empty directory
+ZITI_ENROLL_TOKEN_FILE=/opt/openziti/etc/router/.token
+if [ -e "${ZITI_ENROLL_TOKEN_FILE}" ]; then
+    if ! [ -s "${ZITI_ENROLL_TOKEN_FILE}" ]; then
+        rm -f "${ZITI_ENROLL_TOKEN_FILE}"
+    fi
+fi