remove network capabilities from netmaker
Remove the NET_ADMIN, NET_RAW and SYS_MODULE capabilities and the sysctls from the docker-compose files; remove ManageIPTables and PortForwardServices from ServerConfig; remove the functions that only served those attributes (iptables initialisation and port forwarding in serverctl).
parent
ff0a770174
commit
9b072e1050
10 changed files with 0 additions and 210 deletions
|
@ -4,15 +4,6 @@ services:
|
|||
netmaker:
|
||||
container_name: netmaker
|
||||
image: gravitl/netmaker:v0.17.1-ee
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
- SYS_MODULE
|
||||
sysctls:
|
||||
- net.ipv4.ip_forward=1
|
||||
- net.ipv4.conf.all.src_valid_mark=1
|
||||
- net.ipv6.conf.all.disable_ipv6=0
|
||||
- net.ipv6.conf.all.forwarding=1
|
||||
restart: always
|
||||
volumes:
|
||||
- dnsconfig:/root/config/dnsconfig
|
||||
|
|
|
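Review bot: With `cap_add` and `sysctls` gone the `netmaker` service still runs with Docker's default capability set, so this is the moment to pin it down the rest of the way: add `cap_drop: ["ALL"]` and `security_opt: ["no-new-privileges:true"]` under the service. That is only safe if the server binds nothing below port 1024 and spawns no privileged helper; the removed iptables code was the last in-tree reason for NET_ADMIN/NET_RAW that I can see, but please verify against the running image before merging. Also add a short comment above `restart: always`, e.g. `# no cap_add/sysctls: the server no longer manages iptables or host sysctls; ip_forward and mq/dns port forwarding are the host's responsibility`, otherwise the next reader will wonder where the forwarding went.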
@ -4,15 +4,6 @@ services:
|
|||
netmaker: # The Primary Server for running Netmaker
|
||||
container_name: netmaker
|
||||
image: gravitl/netmaker:v0.17.1
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
- SYS_MODULE
|
||||
sysctls:
|
||||
- net.ipv4.ip_forward=1
|
||||
- net.ipv4.conf.all.src_valid_mark=1
|
||||
- net.ipv6.conf.all.disable_ipv6=0
|
||||
- net.ipv6.conf.all.forwarding=1
|
||||
restart: always
|
||||
volumes: # Volume mounts necessary for sql, coredns, and mqtt
|
||||
- dnsconfig:/root/config/dnsconfig
|
||||
|
|
|
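Review bot: Dropping `net.ipv6.conf.all.disable_ipv6=0` leaves the container on Docker's default, which keeps IPv6 disabled on the container interface unless the daemon or network enables it; if this server is expected to be reachable or to resolve over IPv6, that now has to be set at the network level, and a comment next to `image:` saying so would save a support ticket. Likewise, if any remaining server code opens raw sockets (ICMP checks and the like), the loss of NET_RAW will only show up as EPERM at runtime; I found no such use in the visible hunks, but a grep of the server tree is cheap. The same service block appears in three compose files in this commit, so whatever note you add should go in all three.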
@ -4,15 +4,6 @@ services:
|
|||
netmaker:
|
||||
container_name: netmaker
|
||||
image: gravitl/netmaker:v0.17.1
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
- SYS_MODULE
|
||||
sysctls:
|
||||
- net.ipv4.ip_forward=1
|
||||
- net.ipv4.conf.all.src_valid_mark=1
|
||||
- net.ipv6.conf.all.disable_ipv6=0
|
||||
- net.ipv6.conf.all.forwarding=1
|
||||
restart: always
|
||||
volumes:
|
||||
- dnsconfig:/root/config/dnsconfig
|
||||
|
|
|
@ -63,8 +63,6 @@ type ServerConfig struct {
|
|||
AzureTenant string `yaml:"azuretenant"`
|
||||
RCE string `yaml:"rce"`
|
||||
Telemetry string `yaml:"telemetry"`
|
||||
ManageIPTables string `yaml:"manageiptables"`
|
||||
PortForwardServices string `yaml:"portforwardservices"`
|
||||
HostNetwork string `yaml:"hostnetwork"`
|
||||
MQPort string `yaml:"mqport"`
|
||||
MQServerPort string `yaml:"mqserverport"`
|
||||
|
|
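Review bot: Removing the `manageiptables` and `portforwardservices` yaml keys means an existing config file that still sets them is now silently ignored (yaml decoding drops unknown keys unless it is strict), and the `MANAGE_IPTABLES` / `PORT_FORWARD_SERVICES` environment variables that used to feed these fields are likewise read by nothing. An operator who had `MANAGE_IPTABLES=off` loses nothing, but one who relied on the default-on forwarding of mq/dns/ssh now gets no rules and no message. Suggest a comment where the fields stood, `// ManageIPTables and PortForwardServices were removed: the server no longer manages iptables or port forwarding`, plus a warning at config-load time (that code is outside this hunk). If this struct is also what the server-config API returns, the two dropped fields should be called out for UI/API consumers. The ServerConfig struct starts and ends outside the hunk.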
1
go.mod
1
go.mod
|
@ -37,7 +37,6 @@ require (
|
|||
github.com/coreos/go-oidc/v3 v3.5.0
|
||||
github.com/gorilla/websocket v1.5.0
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/sirupsen/logrus v1.9.0
|
||||
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
|
||||
gortc.io/stun v1.23.0
|
||||
)
|
||||
|
|
3
go.sum
3
go.sum
|
@ -127,8 +127,6 @@ github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR
|
|||
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
|
||||
github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
|
||||
github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
|
||||
github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
|
||||
github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
|
||||
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
|
||||
|
@ -208,7 +206,6 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
|
|||
golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
|
||||
golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
|
|
6
main.go
6
main.go
|
@ -110,12 +110,6 @@ func initialize() { // Client Mode Prereq Check
|
|||
logger.FatalLog("To run in client mode requires root privileges. Either disable client mode or run with sudo.")
|
||||
}
|
||||
}
|
||||
// initialize iptables to ensure gateways work correctly and mq is forwarded if containerized
|
||||
if servercfg.ManageIPTables() != "off" {
|
||||
if err = serverctl.InitIPTables(true); err != nil {
|
||||
logger.FatalLog("Unable to initialize iptables on host:", err.Error())
|
||||
}
|
||||
}
|
||||
|
||||
if servercfg.IsDNSMode() {
|
||||
err := functions.SetDNSDir()
|
||||
|
|
|
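Review bot: After this hunk `initialize` gives no signal to a deployment that depended on the server's iptables forwarding (mq, dns, ssh, and the host-network CoreDNS redirect to 53053 that lived in the deleted serverctl file), yet the old environment variables are still out in the wild. A one-line notice at the spot where the removed block stood costs nothing, assuming `os` is imported in main.go: `if os.Getenv("MANAGE_IPTABLES") != "" || os.Getenv("PORT_FORWARD_SERVICES") != "" { logger.Log(0, "MANAGE_IPTABLES/PORT_FORWARD_SERVICES are no longer supported; configure forwarding on the host") }`. Also confirm that `err` is still read somewhere after this change (the removed `err = serverctl.InitIPTables(true)` may have been a late use of it) and that main.go's `serverctl` import is still needed; both are outside the hunk, as are the start and end of `initialize`.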
@ -11,7 +11,6 @@ import (
|
|||
"github.com/gravitl/netmaker/logic"
|
||||
"github.com/gravitl/netmaker/models"
|
||||
"github.com/gravitl/netmaker/servercfg"
|
||||
"github.com/gravitl/netmaker/serverctl"
|
||||
)
|
||||
|
||||
// PublishPeerUpdate --- determines and publishes a peer update to all the hosts
|
||||
|
@ -123,13 +122,7 @@ func sendPeers() {
|
|||
var force bool
|
||||
peer_force_send++
|
||||
if peer_force_send == 5 {
|
||||
|
||||
// run iptables update to ensure gateways work correctly and mq is forwarded if containerized
|
||||
if servercfg.ManageIPTables() != "off" {
|
||||
serverctl.InitIPTables(false)
|
||||
}
|
||||
servercfg.SetHost()
|
||||
|
||||
force = true
|
||||
peer_force_send = 0
|
||||
err := logic.TimerCheckpoint() // run telemetry & log dumps if 24 hours has passed..
|
||||
|
|
|
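Review bot: The surviving `peer_force_send == 5` block now only calls `servercfg.SetHost()` and forces a full publish, and the comment that explained the periodic step left with the iptables call, so the magic number is now unexplained; add `// every 5th tick: refresh the server host record and force a full peer publish` above `servercfg.SetHost()`. Please also confirm nothing else in this file used the `serverctl` package, since the import removal shown here is the only place it is touched. `sendPeers` starts and ends outside the hunk.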
@ -82,9 +82,6 @@ func GetServerConfig() config.ServerConfig {
|
|||
cfg.RCE = "off"
|
||||
}
|
||||
cfg.Telemetry = Telemetry()
|
||||
cfg.ManageIPTables = ManageIPTables()
|
||||
services := strings.Join(GetPortForwardServiceList(), ",")
|
||||
cfg.PortForwardServices = services
|
||||
cfg.Server = GetServer()
|
||||
cfg.Verbosity = GetVerbosity()
|
||||
cfg.IsEE = "no"
|
||||
|
@ -377,18 +374,6 @@ func Telemetry() string {
|
|||
return telemetry
|
||||
}
|
||||
|
||||
// ManageIPTables - checks if iptables should be manipulated on host
|
||||
func ManageIPTables() string {
|
||||
manage := "on"
|
||||
if os.Getenv("MANAGE_IPTABLES") == "off" {
|
||||
manage = "off"
|
||||
}
|
||||
if config.Config.Server.ManageIPTables == "off" {
|
||||
manage = "off"
|
||||
}
|
||||
return manage
|
||||
}
|
||||
|
||||
// GetServer - gets the server name
|
||||
func GetServer() string {
|
||||
server := ""
|
||||
|
@ -526,19 +511,6 @@ func GetPlatform() string {
|
|||
return platform
|
||||
}
|
||||
|
||||
// GetIPForwardServiceList - get the list of services that the server should be forwarding
|
||||
func GetPortForwardServiceList() []string {
|
||||
//services := "mq,dns,ssh"
|
||||
services := ""
|
||||
if os.Getenv("PORT_FORWARD_SERVICES") != "" {
|
||||
services = os.Getenv("PORT_FORWARD_SERVICES")
|
||||
} else if config.Config.Server.PortForwardServices != "" {
|
||||
services = config.Config.Server.PortForwardServices
|
||||
}
|
||||
serviceSlice := strings.Split(services, ",")
|
||||
return serviceSlice
|
||||
}
|
||||
|
||||
// GetSQLConn - get the sql connection string
|
||||
func GetSQLConn() string {
|
||||
sqlconn := "http://"
|
||||
|
|
|
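Review bot: With `GetPortForwardServiceList` and `ManageIPTables` gone, the visible `strings.Join`/`strings.Split` and two of the `os.Getenv` calls disappear from this file; if no other use of `strings` remains in servercfg the import becomes unused and the package will not build, and the import block is outside these hunks so I cannot tell from here. Style point: `GetServerConfig` now jumps straight from `cfg.Telemetry = Telemetry()` to `cfg.Server = GetServer()`, and a one-line comment there, `// iptables and port-forward settings were removed; the server no longer configures host networking`, would tell anyone grepping for the old keys where they went. `GetServerConfig` and `GetPlatform` both start outside their hunks.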
@ -1,136 +0,0 @@
|
|||
package serverctl
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/gravitl/netmaker/logger"
|
||||
"github.com/gravitl/netmaker/netclient/ncutils"
|
||||
"github.com/gravitl/netmaker/servercfg"
|
||||
)
|
||||
|
||||
const netmakerProcessName = "netmaker"
|
||||
|
||||
// InitIPTables - intializes the server iptables
|
||||
func InitIPTables(force bool) error {
|
||||
_, err := exec.LookPath("iptables")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = setForwardPolicy()
|
||||
if err != nil {
|
||||
logger.Log(0, "error setting iptables forward policy: "+err.Error())
|
||||
}
|
||||
|
||||
err = portForwardServices(force)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if isContainerized() && servercfg.IsHostNetwork() {
|
||||
err = setHostCoreDNSMapping()
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// set up port forwarding for services listed in config
|
||||
func portForwardServices(force bool) error {
|
||||
var err error
|
||||
services := servercfg.GetPortForwardServiceList()
|
||||
if len(services) == 0 || services[0] == "" {
|
||||
return nil
|
||||
}
|
||||
for _, service := range services {
|
||||
switch service {
|
||||
case "mq":
|
||||
err = iptablesPortForward("mq", servercfg.GetMQServerPort(), servercfg.GetMQServerPort(), false, force)
|
||||
case "dns":
|
||||
err = iptablesPortForward("coredns", "53", "53", false, force)
|
||||
case "ssh":
|
||||
err = iptablesPortForward("netmaker", "22", "22", false, force)
|
||||
default:
|
||||
params := strings.Split(service, ":")
|
||||
if len(params) == 3 {
|
||||
err = iptablesPortForward(params[0], params[1], params[2], true, force)
|
||||
}
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// determine if process is running in container
|
||||
func isContainerized() bool {
|
||||
fileBytes, err := os.ReadFile("/proc/1/sched")
|
||||
if err != nil {
|
||||
logger.Log(1, "error determining containerization: "+err.Error())
|
||||
return false
|
||||
}
|
||||
fileString := string(fileBytes)
|
||||
return strings.Contains(fileString, netmakerProcessName)
|
||||
}
|
||||
|
||||
// make sure host allows forwarding
|
||||
func setForwardPolicy() error {
|
||||
logger.Log(2, "setting iptables forward policy")
|
||||
_, err := ncutils.RunCmd("iptables --policy FORWARD ACCEPT", false)
|
||||
return err
|
||||
}
|
||||
|
||||
// port forward from an entry, can contain a dns name for lookup
|
||||
func iptablesPortForward(entry string, inport string, outport string, isIP, force bool) error {
|
||||
|
||||
var address string
|
||||
if !isIP {
|
||||
out:
|
||||
for i := 1; i < 4; i++ {
|
||||
ips, err := net.LookupIP(entry)
|
||||
if err != nil && i > 2 {
|
||||
return err
|
||||
}
|
||||
for _, ip := range ips {
|
||||
if ipv4 := ip.To4(); ipv4 != nil {
|
||||
address = ipv4.String()
|
||||
}
|
||||
}
|
||||
if address != "" {
|
||||
break out
|
||||
}
|
||||
time.Sleep(time.Second)
|
||||
}
|
||||
} else {
|
||||
address = entry
|
||||
}
|
||||
if address == "" {
|
||||
return errors.New("could not locate ip for " + entry)
|
||||
}
|
||||
|
||||
if output, err := ncutils.RunCmd("iptables -t nat -C PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false); output != "" || err != nil || force {
|
||||
_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
_, err = ncutils.RunCmd("iptables -t nat -A PREROUTING -p udp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
_, err = ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", false)
|
||||
return err
|
||||
} else {
|
||||
logger.Log(3, "mq forwarding is already set... skipping")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// if running in host networking mode, run iptables to map to CoreDNS container
|
||||
func setHostCoreDNSMapping() error {
|
||||
logger.Log(1, "forwarding dns traffic on host from netmaker interfaces to 53053")
|
||||
ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p tcp --match tcp --dport 53 --jump REDIRECT --to-ports 53053", true)
|
||||
_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p udp --match udp --dport 53 --jump REDIRECT --to-ports 53053", true)
|
||||
return err
|
||||
}
|