remove network capabilities from netmaker

remove NET_ADMIN, NET_RAW, SYS_MODULE capabilities from docker-compose files remove sysctls from dockerfiles remove ManageIPTables and PortForwardServices from ServerConfig remove functions related to removed attributes
2025-10-30 16:08:21 +08:00 · 2023-01-23 12:37:07 -05:00 · 2023-01-23 12:37:07 -05:00 · 9b072e1050
commit 9b072e1050
parent ff0a770174
10 changed files with 0 additions and 210 deletions
--- a/compose/docker-compose.ee.yml
+++ b/compose/docker-compose.ee.yml
@ -4,15 +4,6 @@ services:
  netmaker:
    container_name: netmaker
    image: gravitl/netmaker:v0.17.1-ee
    cap_add: 
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
    restart: always
    volumes:
      - dnsconfig:/root/config/dnsconfig
--- a/compose/docker-compose.reference.yml
+++ b/compose/docker-compose.reference.yml
@ -4,15 +4,6 @@ services:
  netmaker: # The Primary Server for running Netmaker
    container_name: netmaker
    image: gravitl/netmaker:v0.17.1
    cap_add: 
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
    restart: always
    volumes: # Volume mounts necessary for sql, coredns, and mqtt
      - dnsconfig:/root/config/dnsconfig
--- a/compose/docker-compose.yml
+++ b/compose/docker-compose.yml
@ -4,15 +4,6 @@ services:
  netmaker:
    container_name: netmaker
    image: gravitl/netmaker:v0.17.1
    cap_add: 
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
    restart: always
    volumes:
      - dnsconfig:/root/config/dnsconfig
--- a/config/config.go
+++ b/config/config.go
@ -63,8 +63,6 @@ type ServerConfig struct {
 	AzureTenant           string `yaml:"azuretenant"`
 	RCE                   string `yaml:"rce"`
 	Telemetry             string `yaml:"telemetry"`
 	ManageIPTables        string `yaml:"manageiptables"`
 	PortForwardServices   string `yaml:"portforwardservices"`
 	HostNetwork           string `yaml:"hostnetwork"`
 	MQPort                string `yaml:"mqport"`
 	MQServerPort          string `yaml:"mqserverport"`
--- a/go.mod
+++ b/go.mod
@ -37,7 +37,6 @@ require (
 	github.com/coreos/go-oidc/v3 v3.5.0
 	github.com/gorilla/websocket v1.5.0
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.0
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
 	gortc.io/stun v1.23.0
 )
--- a/go.sum
+++ b/go.sum
@ -127,8 +127,6 @@ github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
@ -208,7 +206,6 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
--- a/main.go
+++ b/main.go
@ -110,12 +110,6 @@ func initialize() { // Client Mode Prereq Check
 			logger.FatalLog("To run in client mode requires root privileges. Either disable client mode or run with sudo.")
 		}
 	}
 	// initialize iptables to ensure gateways work correctly and mq is forwarded if containerized
 	if servercfg.ManageIPTables() != "off" {
 		if err = serverctl.InitIPTables(true); err != nil {
 			logger.FatalLog("Unable to initialize iptables on host:", err.Error())
 		}
 	}
 	if servercfg.IsDNSMode() {
 		err := functions.SetDNSDir()
--- a/mq/publishers.go
+++ b/mq/publishers.go
@ -11,7 +11,6 @@ import (
 	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/servercfg"
 	"github.com/gravitl/netmaker/serverctl"
 )
 // PublishPeerUpdate --- determines and publishes a peer update to all the hosts
@ -123,13 +122,7 @@ func sendPeers() {
 	var force bool
 	peer_force_send++
 	if peer_force_send == 5 {
 		// run iptables update to ensure gateways work correctly and mq is forwarded if containerized
 		if servercfg.ManageIPTables() != "off" {
 			serverctl.InitIPTables(false)
 		}
 		servercfg.SetHost()
 		force = true
 		peer_force_send = 0
 		err := logic.TimerCheckpoint() // run telemetry & log dumps if 24 hours has passed..
--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@ -82,9 +82,6 @@ func GetServerConfig() config.ServerConfig {
 		cfg.RCE = "off"
 	}
 	cfg.Telemetry = Telemetry()
 	cfg.ManageIPTables = ManageIPTables()
 	services := strings.Join(GetPortForwardServiceList(), ",")
 	cfg.PortForwardServices = services
 	cfg.Server = GetServer()
 	cfg.Verbosity = GetVerbosity()
 	cfg.IsEE = "no"
@ -377,18 +374,6 @@ func Telemetry() string {
 	return telemetry
 }
 // ManageIPTables - checks if iptables should be manipulated on host
 func ManageIPTables() string {
 	manage := "on"
 	if os.Getenv("MANAGE_IPTABLES") == "off" {
 		manage = "off"
 	}
 	if config.Config.Server.ManageIPTables == "off" {
 		manage = "off"
 	}
 	return manage
 }
 // GetServer - gets the server name
 func GetServer() string {
 	server := ""
@ -526,19 +511,6 @@ func GetPlatform() string {
 	return platform
 }
 // GetIPForwardServiceList - get the list of services that the server should be forwarding
 func GetPortForwardServiceList() []string {
 	//services := "mq,dns,ssh"
 	services := ""
 	if os.Getenv("PORT_FORWARD_SERVICES") != "" {
 		services = os.Getenv("PORT_FORWARD_SERVICES")
 	} else if config.Config.Server.PortForwardServices != "" {
 		services = config.Config.Server.PortForwardServices
 	}
 	serviceSlice := strings.Split(services, ",")
 	return serviceSlice
 }
 // GetSQLConn - get the sql connection string
 func GetSQLConn() string {
 	sqlconn := "http://"
--- a/serverctl/iptables.go
+++ b/serverctl/iptables.go
@ -1,136 +0,0 @@
 package serverctl
 import (
 	"errors"
 	"net"
 	"os"
 	"os/exec"
 	"strings"
 	"time"
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/netclient/ncutils"
 	"github.com/gravitl/netmaker/servercfg"
 )
 const netmakerProcessName = "netmaker"
 // InitIPTables - intializes the server iptables
 func InitIPTables(force bool) error {
 	_, err := exec.LookPath("iptables")
 	if err != nil {
 		return err
 	}
 	err = setForwardPolicy()
 	if err != nil {
 		logger.Log(0, "error setting iptables forward policy: "+err.Error())
 	}
 	err = portForwardServices(force)
 	if err != nil {
 		return err
 	}
 	if isContainerized() && servercfg.IsHostNetwork() {
 		err = setHostCoreDNSMapping()
 	}
 	return err
 }
 // set up port forwarding for services listed in config
 func portForwardServices(force bool) error {
 	var err error
 	services := servercfg.GetPortForwardServiceList()
 	if len(services) == 0 || services[0] == "" {
 		return nil
 	}
 	for _, service := range services {
 		switch service {
 		case "mq":
 			err = iptablesPortForward("mq", servercfg.GetMQServerPort(), servercfg.GetMQServerPort(), false, force)
 		case "dns":
 			err = iptablesPortForward("coredns", "53", "53", false, force)
 		case "ssh":
 			err = iptablesPortForward("netmaker", "22", "22", false, force)
 		default:
 			params := strings.Split(service, ":")
 			if len(params) == 3 {
 				err = iptablesPortForward(params[0], params[1], params[2], true, force)
 			}
 		}
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // determine if process is running in container
 func isContainerized() bool {
 	fileBytes, err := os.ReadFile("/proc/1/sched")
 	if err != nil {
 		logger.Log(1, "error determining containerization: "+err.Error())
 		return false
 	}
 	fileString := string(fileBytes)
 	return strings.Contains(fileString, netmakerProcessName)
 }
 // make sure host allows forwarding
 func setForwardPolicy() error {
 	logger.Log(2, "setting iptables forward policy")
 	_, err := ncutils.RunCmd("iptables --policy FORWARD ACCEPT", false)
 	return err
 }
 // port forward from an entry, can contain a dns name for lookup
 func iptablesPortForward(entry string, inport string, outport string, isIP, force bool) error {
 	var address string
 	if !isIP {
 	out:
 		for i := 1; i < 4; i++ {
 			ips, err := net.LookupIP(entry)
 			if err != nil && i > 2 {
 				return err
 			}
 			for _, ip := range ips {
 				if ipv4 := ip.To4(); ipv4 != nil {
 					address = ipv4.String()
 				}
 			}
 			if address != "" {
 				break out
 			}
 			time.Sleep(time.Second)
 		}
 	} else {
 		address = entry
 	}
 	if address == "" {
 		return errors.New("could not locate ip for " + entry)
 	}
 	if output, err := ncutils.RunCmd("iptables -t nat -C PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false); output != "" || err != nil || force {
 		_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
 		if err != nil {
 			return err
 		}
 		_, err = ncutils.RunCmd("iptables -t nat -A PREROUTING -p udp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
 		if err != nil {
 			return err
 		}
 		_, err = ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", false)
 		return err
 	} else {
 		logger.Log(3, "mq forwarding is already set... skipping")
 	}
 	return nil
 }
 // if running in host networking mode, run iptables to map to CoreDNS container
 func setHostCoreDNSMapping() error {
 	logger.Log(1, "forwarding dns traffic on host from netmaker interfaces to 53053")
 	ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p tcp --match tcp --dport 53 --jump REDIRECT --to-ports 53053", true)
 	_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p udp --match udp --dport 53 --jump REDIRECT --to-ports 53053", true)
 	return err
 }