From 9b072e1050c774e2ce33bcc7b5d68d7d138d246f Mon Sep 17 00:00:00 2001 From: Matthew R Kasun Date: Mon, 23 Jan 2023 12:37:07 -0500 Subject: [PATCH] remove network capabilities from netmaker remove NET_ADMIN, NET_RAW, SYS_MODULE capabilities from docker-compose files remove sysctls from dockerfiles remove ManageIPTables and PortForwardServices from ServerConfig remove functions related to removed attributes --- compose/docker-compose.ee.yml | 9 -- compose/docker-compose.reference.yml | 9 -- compose/docker-compose.yml | 9 -- config/config.go | 2 - go.mod | 1 - go.sum | 3 - main.go | 6 -- mq/publishers.go | 7 -- servercfg/serverconf.go | 28 ------ serverctl/iptables.go | 136 --------------------------- 10 files changed, 210 deletions(-) delete mode 100644 serverctl/iptables.go diff --git a/compose/docker-compose.ee.yml b/compose/docker-compose.ee.yml index dd0669fe..7d0e6697 100644 --- a/compose/docker-compose.ee.yml +++ b/compose/docker-compose.ee.yml @@ -4,15 +4,6 @@ services: netmaker: container_name: netmaker image: gravitl/netmaker:v0.17.1-ee - cap_add: - - NET_ADMIN - - NET_RAW - - SYS_MODULE - sysctls: - - net.ipv4.ip_forward=1 - - net.ipv4.conf.all.src_valid_mark=1 - - net.ipv6.conf.all.disable_ipv6=0 - - net.ipv6.conf.all.forwarding=1 restart: always volumes: - dnsconfig:/root/config/dnsconfig diff --git a/compose/docker-compose.reference.yml b/compose/docker-compose.reference.yml index 67b43d09..03e13c65 100644 --- a/compose/docker-compose.reference.yml +++ b/compose/docker-compose.reference.yml @@ -4,15 +4,6 @@ services: netmaker: # The Primary Server for running Netmaker container_name: netmaker image: gravitl/netmaker:v0.17.1 - cap_add: - - NET_ADMIN - - NET_RAW - - SYS_MODULE - sysctls: - - net.ipv4.ip_forward=1 - - net.ipv4.conf.all.src_valid_mark=1 - - net.ipv6.conf.all.disable_ipv6=0 - - net.ipv6.conf.all.forwarding=1 restart: always volumes: # Volume mounts necessary for sql, coredns, and mqtt - dnsconfig:/root/config/dnsconfig 
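Review bot: Dropping NET_ADMIN, NET_RAW and SYS_MODULE from the netmaker service still leaves it running with Docker's default capability set, so the hardening stops short of least privilege; the spot where `cap_add:` was removed is the natural place to add `cap_drop: [ALL]` and `security_opt: ["no-new-privileges:true"]`, re-adding individual capabilities only if a remaining component demonstrably needs one. The removed `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1` sysctls were presumably only needed while the server managed iptables itself; if any deployment still expects the server container to forward traffic, that now has to be provided by the host rather than by this file, which the commit message should say. The same cap_add/sysctls block is deleted identically in docker-compose.reference.yml and docker-compose.yml, so whichever hardening is adopted should go into all three files.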
diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml index b7f1bf5f..ba10ee48 100644 --- a/compose/docker-compose.yml +++ b/compose/docker-compose.yml @@ -4,15 +4,6 @@ services: netmaker: container_name: netmaker image: gravitl/netmaker:v0.17.1 - cap_add: - - NET_ADMIN - - NET_RAW - - SYS_MODULE - sysctls: - - net.ipv4.ip_forward=1 - - net.ipv4.conf.all.src_valid_mark=1 - - net.ipv6.conf.all.disable_ipv6=0 - - net.ipv6.conf.all.forwarding=1 restart: always volumes: - dnsconfig:/root/config/dnsconfig diff --git a/config/config.go b/config/config.go index 33e3a8d3..90232862 100644 --- a/config/config.go +++ b/config/config.go @@ -63,8 +63,6 @@ type ServerConfig struct { AzureTenant string `yaml:"azuretenant"` RCE string `yaml:"rce"` Telemetry string `yaml:"telemetry"` - ManageIPTables string `yaml:"manageiptables"` - PortForwardServices string `yaml:"portforwardservices"` HostNetwork string `yaml:"hostnetwork"` MQPort string `yaml:"mqport"` MQServerPort string `yaml:"mqserverport"` diff --git a/go.mod b/go.mod index 228bde33..ef45d207 100644 --- a/go.mod +++ b/go.mod @@ -37,7 +37,6 @@ require ( github.com/coreos/go-oidc/v3 v3.5.0 github.com/gorilla/websocket v1.5.0 github.com/pkg/errors v0.9.1 - github.com/sirupsen/logrus v1.9.0 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e gortc.io/stun v1.23.0 ) diff --git a/go.sum b/go.sum index dab4f5a4..6972718d 100644 --- a/go.sum +++ b/go.sum 
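Review bot: `HostNetwork` stays in ServerConfig although the only reader of it visible in this patch, the `servercfg.IsHostNetwork()` check in the deleted serverctl/iptables.go, went away together with the CoreDNS port 53 to 53053 redirect it gated; if no other caller remains, the field is now dead configuration that still reads as a supported option, and host-network deployments silently lose that DNS redirect. Either remove it in the same sweep as `ManageIPTables` and `PortForwardServices`, or annotate it so operators are not misled, e.g. `HostNetwork string \`yaml:"hostnetwork"\` // no longer drives iptables/DNS redirection on the server`. The struct definition continues outside the hunk, so other uses of the field cannot be checked from here.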
@@ -127,8 +127,6 @@ github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= -github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0= github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= @@ -208,7 +206,6 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/main.go b/main.go index 1335ee2c..8bf2f290 100644 --- a/main.go +++ b/main.go 
@@ -110,12 +110,6 @@ func initialize() { // Client Mode Prereq Check logger.FatalLog("To run in client mode requires root privileges. Either disable client mode or run with sudo.") } } - // initialize iptables to ensure gateways work correctly and mq is forwarded if containerized - if servercfg.ManageIPTables() != "off" { - if err = serverctl.InitIPTables(true); err != nil { - logger.FatalLog("Unable to initialize iptables on host:", err.Error()) - } - } if servercfg.IsDNSMode() { err := functions.SetDNSDir() diff --git a/mq/publishers.go b/mq/publishers.go index e2423544..8702f189 100644 --- a/mq/publishers.go +++ b/mq/publishers.go @@ -11,7 +11,6 @@ import ( "github.com/gravitl/netmaker/logic" "github.com/gravitl/netmaker/models" "github.com/gravitl/netmaker/servercfg" - "github.com/gravitl/netmaker/serverctl" ) // PublishPeerUpdate --- determines and publishes a peer update to all the hosts @@ -123,13 +122,7 @@ func sendPeers() { var force bool peer_force_send++ if peer_force_send == 5 { - - // run iptables update to ensure gateways work correctly and mq is forwarded if containerized - if servercfg.ManageIPTables() != "off" { - serverctl.InitIPTables(false) - } servercfg.SetHost() - force = true peer_force_send = 0 err := logic.TimerCheckpoint() // run telemetry & log dumps if 24 hours has passed.. diff --git a/servercfg/serverconf.go b/servercfg/serverconf.go index 67393560..7554eb7c 100644 --- a/servercfg/serverconf.go +++ b/servercfg/serverconf.go @@ -82,9 +82,6 @@ func GetServerConfig() config.ServerConfig { cfg.RCE = "off" } cfg.Telemetry = Telemetry() - cfg.ManageIPTables = ManageIPTables() - services := strings.Join(GetPortForwardServiceList(), ",") - cfg.PortForwardServices = services cfg.Server = GetServer() cfg.Verbosity = GetVerbosity() cfg.IsEE = "no" 
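Review bot: The second mq/publishers.go hunk drops `force = true` together with the iptables call, which is a behaviour change unrelated to iptables: `force` is still declared (`var force bool`) but is now never set, so the every-fifth-cycle forced peer update that `peer_force_send == 5` used to trigger is silently gone and whatever consumes `force` further down sendPeers (outside the hunk) always sees false. If that was not intended, keep the assignment right after `servercfg.SetHost()`: `force = true`. If it was intended, the now-constant `force` variable and the `peer_force_send` counter deserve their own cleanup and a sentence in the commit message, since nothing in the description mentions changing peer-update cadence.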
@@ -377,18 +374,6 @@ func Telemetry() string { return telemetry } -// ManageIPTables - checks if iptables should be manipulated on host -func ManageIPTables() string { - manage := "on" - if os.Getenv("MANAGE_IPTABLES") == "off" { - manage = "off" - } - if config.Config.Server.ManageIPTables == "off" { - manage = "off" - } - return manage -} - // GetServer - gets the server name func GetServer() string { server := "" @@ -526,19 +511,6 @@ func GetPlatform() string { return platform } -// GetIPForwardServiceList - get the list of services that the server should be forwarding -func GetPortForwardServiceList() []string { - //services := "mq,dns,ssh" - services := "" - if os.Getenv("PORT_FORWARD_SERVICES") != "" { - services = os.Getenv("PORT_FORWARD_SERVICES") - } else if config.Config.Server.PortForwardServices != "" { - services = config.Config.Server.PortForwardServices - } - serviceSlice := strings.Split(services, ",") - return serviceSlice -} - // GetSQLConn - get the sql connection string func GetSQLConn() string { sqlconn := "http://" diff --git a/serverctl/iptables.go b/serverctl/iptables.go deleted file mode 100644 index 8407da06..00000000 --- a/serverctl/iptables.go +++ /dev/null 
@@ -1,136 +0,0 @@ -package serverctl - -import ( - "errors" - "net" - "os" - "os/exec" - "strings" - "time" - - "github.com/gravitl/netmaker/logger" - "github.com/gravitl/netmaker/netclient/ncutils" - "github.com/gravitl/netmaker/servercfg" -) - -const netmakerProcessName = "netmaker" - -// InitIPTables - intializes the server iptables -func InitIPTables(force bool) error { - _, err := exec.LookPath("iptables") - if err != nil { - return err - } - err = setForwardPolicy() - if err != nil { - logger.Log(0, "error setting iptables forward policy: "+err.Error()) - } - - err = portForwardServices(force) - if err != nil { - return err - } - if isContainerized() && servercfg.IsHostNetwork() { - err = setHostCoreDNSMapping() - } - return err -} - -// set up port forwarding for services listed in config -func portForwardServices(force bool) error { - var err error - services := servercfg.GetPortForwardServiceList() - if len(services) == 0 || services[0] == "" { - return nil - } - for _, service := range services { - switch service { - case "mq": - err = iptablesPortForward("mq", servercfg.GetMQServerPort(), servercfg.GetMQServerPort(), false, force) - case "dns": - err = iptablesPortForward("coredns", "53", "53", false, force) - case "ssh": - err = iptablesPortForward("netmaker", "22", "22", false, force) - default: - params := strings.Split(service, ":") - if len(params) == 3 { - err = iptablesPortForward(params[0], params[1], params[2], true, force) - } - } - if err != nil { - return err - } - } - return nil -} - -// determine if process is running in container -func isContainerized() bool { - fileBytes, err := os.ReadFile("/proc/1/sched") - if err != nil { - logger.Log(1, "error determining containerization: "+err.Error()) - return false - } - fileString := string(fileBytes) - return strings.Contains(fileString, netmakerProcessName) -} - -// make sure host allows forwarding -func setForwardPolicy() error { - logger.Log(2, "setting iptables forward policy") - _, err := 
ncutils.RunCmd("iptables --policy FORWARD ACCEPT", false) - return err -} - -// port forward from an entry, can contain a dns name for lookup -func iptablesPortForward(entry string, inport string, outport string, isIP, force bool) error { - - var address string - if !isIP { - out: - for i := 1; i < 4; i++ { - ips, err := net.LookupIP(entry) - if err != nil && i > 2 { - return err - } - for _, ip := range ips { - if ipv4 := ip.To4(); ipv4 != nil { - address = ipv4.String() - } - } - if address != "" { - break out - } - time.Sleep(time.Second) - } - } else { - address = entry - } - if address == "" { - return errors.New("could not locate ip for " + entry) - } - - if output, err := ncutils.RunCmd("iptables -t nat -C PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false); output != "" || err != nil || force { - _, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false) - if err != nil { - return err - } - _, err = ncutils.RunCmd("iptables -t nat -A PREROUTING -p udp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false) - if err != nil { - return err - } - _, err = ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", false) - return err - } else { - logger.Log(3, "mq forwarding is already set... skipping") - } - return nil -} - -// if running in host networking mode, run iptables to map to CoreDNS container -func setHostCoreDNSMapping() error { - logger.Log(1, "forwarding dns traffic on host from netmaker interfaces to 53053") - ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p tcp --match tcp --dport 53 --jump REDIRECT --to-ports 53053", true) - _, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p udp --match udp --dport 53 --jump REDIRECT --to-ports 53053", true) - return err -}