From 81e9febf2a70854ddf72abe6bef957670c7daf36 Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Thu, 19 Jan 2023 23:11:28 +0530 Subject: [PATCH 01/12] rm mq dynamic security, add mq username,password to config --- config/config.go | 3 +- controllers/hosts.go | 25 -- controllers/network.go | 9 - controllers/node.go | 44 +--- main.go | 6 - mq/dynsec.go | 215 ----------------- mq/dynsec_clients.go | 102 -------- mq/dynsec_helper.go | 509 ---------------------------------------- mq/mq.go | 36 +-- servercfg/serverconf.go | 23 +- 10 files changed, 24 insertions(+), 948 deletions(-) delete mode 100644 mq/dynsec.go delete mode 100644 mq/dynsec_clients.go delete mode 100644 mq/dynsec_helper.go diff --git a/config/config.go b/config/config.go index 33e3a8d3..a0878cdd 100644 --- a/config/config.go +++ b/config/config.go @@ -71,7 +71,8 @@ type ServerConfig struct { Server string `yaml:"server"` Broker string `yam:"broker"` PublicIPService string `yaml:"publicipservice"` - MQAdminPassword string `yaml:"mqadminpassword"` + MQPassword string `yaml:"mqpassword"` + MQUserName string `yaml:"mqusername"` MetricsExporter string `yaml:"metrics_exporter"` BasicAuth string `yaml:"basic_auth"` LicenseValue string `yaml:"license_value"` diff --git a/controllers/hosts.go b/controllers/hosts.go index a2b708fc..7975ade1 100644 --- a/controllers/hosts.go +++ b/controllers/hosts.go 
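Review bot: The two new ServerConfig fields carry a broker credential in the on-disk YAML file but have no comment saying that the environment takes precedence; servercfg reads `MQ_PASSWORD`/`MQ_USERNAME` first in this same series, so `// MQPassword - broker password; MQ_PASSWORD in the environment overrides it` (and the username equivalent) would make that visible where the field is declared. The yaml tags chosen here (`mqpassword`, `mqusername`) differ from the `mq_password`/`mq_username` tags given to the same two fields in models.ServerConfig in patch 02, which is easy to trip over when one struct is mapped onto the other. Not part of this change, but on the context line above the new fields `Broker string` carries the tag `yam:"broker"` rather than `yaml:"broker"`, so that field cannot be populated from the YAML file at all.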
@@ -99,17 +99,6 @@ func updateHost(w http.ResponseWriter, r *http.Request) { if updateRelay { logic.UpdateHostRelay(currHost.ID.String(), currHost.RelayedHosts, newHost.RelayedHosts) } - - newNetworks := logic.GetHostNetworks(newHost.ID.String()) - if len(newNetworks) > 0 { - if err = mq.ModifyClient(&mq.MqClient{ - ID: currHost.ID.String(), - Text: currHost.Name, - Networks: newNetworks, - }); err != nil { - logger.Log(0, r.Header.Get("user"), "failed to update host networks roles in DynSec:", err.Error()) - } - } // publish host update through MQ if err := mq.HostUpdate(&models.HostUpdate{ Action: models.UpdateHost, @@ -163,10 +152,6 @@ func deleteHost(w http.ResponseWriter, r *http.Request) { logger.Log(0, r.Header.Get("user"), "failed to send delete host update: ", currHost.ID.String(), err.Error()) } - if err = mq.DeleteMqClient(currHost.ID.String()); err != nil { - logger.Log(0, "error removing DynSec credentials for host:", currHost.Name, err.Error()) - } - apiHostData := currHost.ConvertNMHostToAPI() logger.Log(2, r.Header.Get("user"), "removed host", currHost.Name) w.WriteHeader(http.StatusOK) @@ -215,16 +200,6 @@ func addHostToNetwork(w http.ResponseWriter, r *http.Request) { }); err != nil { logger.Log(0, r.Header.Get("user"), "failed to update host to join network:", hostid, network, err.Error()) } - networks := logic.GetHostNetworks(currHost.ID.String()) - if len(networks) > 0 { - if err = mq.ModifyClient(&mq.MqClient{ - ID: currHost.ID.String(), - Text: currHost.Name, - Networks: networks, - }); err != nil { - logger.Log(0, r.Header.Get("user"), "failed to update host networks roles in DynSec:", hostid, err.Error()) - } - } logger.Log(2, r.Header.Get("user"), fmt.Sprintf("added host %s to network %s", currHost.Name, network)) w.WriteHeader(http.StatusOK) diff --git a/controllers/network.go b/controllers/network.go index 6dbdd6ae..836b050e 100644 --- a/controllers/network.go +++ b/controllers/network.go 
@@ -372,10 +372,6 @@ func deleteNetwork(w http.ResponseWriter, r *http.Request) { return } - if err := mq.DeleteNetworkRole(network); err != nil { - logger.Log(0, fmt.Sprintf("failed to remove network DynSec role: %v", err.Error())) - } - logger.Log(1, r.Header.Get("user"), "deleted network", network) w.WriteHeader(http.StatusOK) json.NewEncoder(w).Encode("success") @@ -423,11 +419,6 @@ func createNetwork(w http.ResponseWriter, r *http.Request) { return } - if err = mq.CreateNetworkRole(network.NetID); err != nil { - logger.Log(0, r.Header.Get("user"), "failed to create network DynSec role:", - err.Error()) - } - if err = logic.AddDefaultHostsToNetwork(network.NetID, servercfg.GetServer()); err != nil { logger.Log(0, fmt.Sprintf("failed to add default hosts to network [%v]: %v", network.NetID, err.Error())) diff --git a/controllers/node.go b/controllers/node.go index e121979a..77f99f5e 100644 --- a/controllers/node.go +++ b/controllers/node.go @@ -576,8 +576,6 @@ func createNode(w http.ResponseWriter, r *http.Request) { } server := servercfg.GetServerInfo() server.TrafficKey = key - // consume password before hashing for mq client creation - hostPassword := data.Host.HostPass data.Node.Server = servercfg.GetServer() if err := logic.CreateHost(&data.Host); err != nil { if errors.Is(err, logic.ErrHostExists) { 
@@ -589,34 +587,12 @@ func createNode(w http.ResponseWriter, r *http.Request) { return } logic.UpdateHost(&data.Host, host) // update the in memory struct values - networks := logic.GetHostNetworks(data.Host.ID.String()) - if err := mq.ModifyClient(&mq.MqClient{ - ID: data.Host.ID.String(), - Text: data.Host.Name, - Networks: networks, - }); err != nil { - logger.Log(0, fmt.Sprintf("failed to modify DynSec client: %v", err.Error())) - logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal")) - return - } } else { logger.Log(0, "error creating host", err.Error()) logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest")) return } - } else { - // Create client for this host in Mq - if err := mq.CreateMqClient(&mq.MqClient{ - ID: data.Host.ID.String(), - Text: data.Host.Name, - Password: hostPassword, - Networks: []string{networkName}, - }); err != nil { - logger.Log(0, fmt.Sprintf("failed to create DynSec client: %v", err.Error())) - logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal")) - return - } } err = logic.AssociateNodeToHost(&data.Node, &data.Host) @@ -1012,12 +988,7 @@ func deleteNode(w http.ResponseWriter, r *http.Request) { logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest")) return } - host, err := logic.GetHost(node.HostID.String()) - if err != nil { - logger.Log(0, "error retrieving host for node", node.ID.String(), err.Error()) - logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest")) - return - } + if r.Header.Get("ismaster") != "yes" { username := r.Header.Get("user") if username != "" && !doesUserOwnNode(username, params["network"], nodeid) { 
@@ -1031,16 +1002,9 @@ func deleteNode(w http.ResponseWriter, r *http.Request) { } logic.ReturnSuccessResponse(w, r, nodeid+" deleted.") logger.Log(1, r.Header.Get("user"), "Deleted node", nodeid, "from network", params["network"]) - if fromNode { // update networks for host mq client - currNets := logic.GetHostNetworks(host.ID.String()) - if len(currNets) > 0 { - mq.ModifyClient(&mq.MqClient{ - ID: host.ID.String(), - Text: host.Name, - Networks: currNets, - }) - } - } else { // notify node change + + if !fromNode { + // notify node change runUpdates(&node, false) } go func() { // notify of peer change diff --git a/main.go b/main.go index 1335ee2c..32a4da52 100644 --- a/main.go +++ b/main.go @@ -139,11 +139,6 @@ func startControllers() { logger.Log(0, "error occurred initializing DNS: ", err.Error()) } } - if servercfg.IsMessageQueueBackend() { - if err := mq.Configure(); err != nil { - logger.FatalLog("failed to configure MQ: ", err.Error()) - } - } //Run Rest Server if servercfg.IsRestBackend() { @@ -193,7 +188,6 @@ func runMessageQueue(wg *sync.WaitGroup) { defer wg.Done() brokerHost, secure := servercfg.GetMessageQueueEndpoint() logger.Log(0, "connecting to mq broker at", brokerHost, "with TLS?", fmt.Sprintf("%v", secure)) - mq.SetUpAdminClient() mq.SetupMQTT() ctx, cancel := context.WithCancel(context.Background()) go mq.Keepalive(ctx) diff --git a/mq/dynsec.go b/mq/dynsec.go deleted file mode 100644 index 4f1342ac..00000000 --- a/mq/dynsec.go +++ /dev/null 
@@ -1,215 +0,0 @@ -package mq - -import ( - "crypto/sha512" - "encoding/base64" - "encoding/json" - "errors" - "fmt" - "os" - "time" - - mqtt "github.com/eclipse/paho.mqtt.golang" - "github.com/gravitl/netmaker/functions" - "github.com/gravitl/netmaker/logger" - "github.com/gravitl/netmaker/logic" - "github.com/gravitl/netmaker/netclient/ncutils" - "github.com/gravitl/netmaker/servercfg" - "golang.org/x/crypto/pbkdf2" -) - -// mq client for admin -var mqAdminClient mqtt.Client - -const ( - // constant for client command - CreateClientCmd = "createClient" - // constant for disable command - DisableClientCmd = "disableClient" - // constant for delete client command - DeleteClientCmd = "deleteClient" - // constant for modify client command - ModifyClientCmd = "modifyClient" - - // constant for create role command - CreateRoleCmd = "createRole" - // constant for delete role command - DeleteRoleCmd = "deleteRole" - - // constant for admin user name - mqAdminUserName = "Netmaker-Admin" - // constant for server user name - mqNetmakerServerUserName = "Netmaker-Server" - // constant for exporter user name - mqExporterUserName = "Netmaker-Exporter" - - // DynamicSecSubTopic - constant for dynamic security subscription topic - dynamicSecSubTopic = "$CONTROL/dynamic-security/#" - // DynamicSecPubTopic - constant for dynamic security subscription topic - dynamicSecPubTopic = "$CONTROL/dynamic-security/v1" -) - -// struct for dynamic security file -type dynJSON struct { - Clients []client `json:"clients"` - Roles []role `json:"roles"` - DefaultAcl defaultAccessAcl `json:"defaultACLAccess"` -} - -// struct for client role -type clientRole struct { - Rolename string `json:"rolename"` -} - -// struct for MQ client -type client struct { - Username string `json:"username"` - TextName string `json:"textName"` - Password string `json:"password"` - Salt string `json:"salt"` - Iterations int `json:"iterations"` - Roles []clientRole `json:"roles"` -} - -// struct for MQ role -type role 
struct { - Rolename string `json:"rolename"` - Acls []Acl `json:"acls"` -} - -// struct for default acls -type defaultAccessAcl struct { - PublishClientSend bool `json:"publishClientSend"` - PublishClientReceive bool `json:"publishClientReceive"` - Subscribe bool `json:"subscribe"` - Unsubscribe bool `json:"unsubscribe"` -} - -// MqDynSecGroup - struct for MQ client group -type MqDynSecGroup struct { - Groupname string `json:"groupname"` - Priority int `json:"priority"` -} - -// MqDynSecRole - struct for MQ client role -type MqDynSecRole struct { - Rolename string `json:"rolename"` - Priority int `json:"priority"` -} - -// Acl - struct for MQ acls -type Acl struct { - AclType string `json:"acltype"` - Topic string `json:"topic"` - Priority int `json:"priority,omitempty"` - Allow bool `json:"allow"` -} - -// MqDynSecCmd - struct for MQ dynamic security command -type MqDynSecCmd struct { - Command string `json:"command"` - Username string `json:"username"` - Password string `json:"password"` - RoleName string `json:"rolename,omitempty"` - Acls []Acl `json:"acls,omitempty"` - Clientid string `json:"clientid"` - Textname string `json:"textname"` - Textdescription string `json:"textdescription"` - Groups []MqDynSecGroup `json:"groups"` - Roles []MqDynSecRole `json:"roles"` -} - -// MqDynsecPayload - struct for dynamic security command payload -type MqDynsecPayload struct { - Commands []MqDynSecCmd `json:"commands"` -} - -// encodePasswordToPBKDF2 - encodes the given password with PBKDF2 hashing for MQ -func encodePasswordToPBKDF2(password string, salt string, iterations int, keyLength int) string { - binaryEncoded := pbkdf2.Key([]byte(password), []byte(salt), iterations, keyLength, sha512.New) - return base64.StdEncoding.EncodeToString(binaryEncoded) -} - -// Configure - configures the dynamic initial configuration for MQ -func Configure() error { - - logger.Log(0, "Configuring MQ...") - dynConfig := dynConfigInI - path := functions.GetNetmakerPath() + 
ncutils.GetSeparator() + dynamicSecurityFile - - password := servercfg.GetMqAdminPassword() - if password == "" { - return errors.New("MQ admin password not provided") - } - if logic.CheckIfFileExists(path) { - data, err := os.ReadFile(path) - if err == nil { - var cfg dynJSON - err = json.Unmarshal(data, &cfg) - if err == nil { - logger.Log(0, "MQ config exists already, So Updating Existing Config...") - dynConfig = cfg - } - } - } - exporter := false - for i, cI := range dynConfig.Clients { - if cI.Username == mqAdminUserName || cI.Username == mqNetmakerServerUserName { - salt := logic.RandomString(12) - hashed := encodePasswordToPBKDF2(password, salt, 101, 64) - cI.Password = hashed - cI.Iterations = 101 - cI.Salt = base64.StdEncoding.EncodeToString([]byte(salt)) - dynConfig.Clients[i] = cI - } else if servercfg.Is_EE && cI.Username == mqExporterUserName { - exporter = true - exporterPassword := servercfg.GetLicenseKey() - salt := logic.RandomString(12) - hashed := encodePasswordToPBKDF2(exporterPassword, salt, 101, 64) - cI.Password = hashed - cI.Iterations = 101 - cI.Salt = base64.StdEncoding.EncodeToString([]byte(salt)) - dynConfig.Clients[i] = cI - } - } - if servercfg.Is_EE && !exporter { - exporterPassword := servercfg.GetLicenseKey() - salt := logic.RandomString(12) - hashed := encodePasswordToPBKDF2(exporterPassword, salt, 101, 64) - exporterMQClient.Password = hashed - exporterMQClient.Iterations = 101 - exporterMQClient.Salt = base64.StdEncoding.EncodeToString([]byte(salt)) - dynConfig.Clients = append(dynConfig.Clients, exporterMQClient) - dynConfig.Roles = append(dynConfig.Roles, exporterMQRole) - } - data, err := json.MarshalIndent(dynConfig, "", " ") - if err != nil { - return err - } - return os.WriteFile(path, data, 0755) -} - -// publishes the message to dynamic security topic -func publishEventToDynSecTopic(payload MqDynsecPayload) error { - - d, err := json.Marshal(payload) - if err != nil { - return err - } - var connecterr error - if token 
:= mqAdminClient.Publish(dynamicSecPubTopic, 2, false, d); !token.WaitTimeout(MQ_TIMEOUT*time.Second) || token.Error() != nil { - if token.Error() == nil { - connecterr = errors.New("connect timeout") - } else { - connecterr = token.Error() - } - } - return connecterr -} - -// watchDynSecTopic - message handler for dynamic security responses -func watchDynSecTopic(client mqtt.Client, msg mqtt.Message) { - - logger.Log(1, fmt.Sprintf("----->WatchDynSecTopic Message: %+v", string(msg.Payload()))) - -} diff --git a/mq/dynsec_clients.go b/mq/dynsec_clients.go deleted file mode 100644 index 8f904247..00000000 --- a/mq/dynsec_clients.go +++ /dev/null 
@@ -1,102 +0,0 @@ -package mq - -// MqClient - type for taking in an MQ client's data -type MqClient struct { - ID string - Text string - Password string - Networks []string -} - -// ModifyClient - modifies an existing client's network roles -func ModifyClient(client *MqClient) error { - - roles := []MqDynSecRole{ - { - Rolename: HostGenericRole, - Priority: -1, - }, - { - Rolename: getHostRoleName(client.ID), - Priority: -1, - }, - } - - for i := range client.Networks { - roles = append(roles, MqDynSecRole{ - Rolename: client.Networks[i], - Priority: -1, - }, - ) - } - - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: ModifyClientCmd, - Username: client.ID, - Textname: client.Text, - Roles: roles, - Groups: make([]MqDynSecGroup, 0), - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -// DeleteMqClient - removes a client from the DynSec system -func DeleteMqClient(hostID string) error { - deleteHostRole(hostID) - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: DeleteClientCmd, - Username: hostID, - }, - }, - } - return publishEventToDynSecTopic(event) -} - -// CreateMqClient - creates an MQ DynSec client -func CreateMqClient(client *MqClient) error { - - err := createHostRole(client.ID) - if err != nil { - return err - } - roles := []MqDynSecRole{ - { - Rolename: HostGenericRole, - Priority: -1, - }, - { - Rolename: getHostRoleName(client.ID), - Priority: -1, - }, - } - - for i := range client.Networks { - roles = append(roles, MqDynSecRole{ - Rolename: client.Networks[i], - Priority: -1, - }, - ) - } - - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: CreateClientCmd, - Username: client.ID, - Password: client.Password, - Textname: client.Text, - Roles: roles, - Groups: make([]MqDynSecGroup, 0), - }, - }, - } - - return publishEventToDynSecTopic(event) -} diff --git a/mq/dynsec_helper.go b/mq/dynsec_helper.go deleted file mode 100644 index f854dc90..00000000 
--- a/mq/dynsec_helper.go +++ /dev/null 
@@ -1,509 +0,0 @@ -package mq - -import ( - "encoding/json" - "errors" - "fmt" - "time" - - mqtt "github.com/eclipse/paho.mqtt.golang" - "github.com/gravitl/netmaker/servercfg" -) - -const ( - // constant for admin role - adminRole = "admin" - // constant for server role - serverRole = "server" - // constant for exporter role - exporterRole = "exporter" - // constant for node role - NodeRole = "node" - // HostGenericRole constant for host role - HostGenericRole = "host" - - // const for dynamic security file - dynamicSecurityFile = "dynamic-security.json" -) - -var ( - // default configuration of dynamic security - dynConfigInI = dynJSON{ - Clients: []client{ - { - Username: mqAdminUserName, - TextName: "netmaker admin user", - Password: "", - Salt: "", - Iterations: 0, - Roles: []clientRole{ - { - Rolename: adminRole, - }, - }, - }, - { - Username: mqNetmakerServerUserName, - TextName: "netmaker server user", - Password: "", - Salt: "", - Iterations: 0, - Roles: []clientRole{ - { - Rolename: serverRole, - }, - }, - }, - exporterMQClient, - }, - Roles: []role{ - { - Rolename: adminRole, - Acls: fetchAdminAcls(), - }, - { - Rolename: serverRole, - Acls: fetchServerAcls(), - }, - { - Rolename: HostGenericRole, - Acls: fetchNodeAcls(), - }, - exporterMQRole, - }, - DefaultAcl: defaultAccessAcl{ - PublishClientSend: false, - PublishClientReceive: true, - Subscribe: false, - Unsubscribe: true, - }, - } - - exporterMQClient = client{ - Username: mqExporterUserName, - TextName: "netmaker metrics exporter", - Password: "", - Salt: "", - Iterations: 101, - Roles: []clientRole{ - { - Rolename: exporterRole, - }, - }, - } - exporterMQRole = role{ - Rolename: exporterRole, - Acls: fetchExporterAcls(), - } -) - -// DynListCLientsCmdResp - struct for list clients response from MQ -type DynListCLientsCmdResp struct { - Responses []struct { - Command string `json:"command"` - Error string `json:"error"` - Data ListClientsData `json:"data"` - } `json:"responses"` -} - -// 
ListClientsData - struct for list clients data -type ListClientsData struct { - Clients []string `json:"clients"` - TotalCount int `json:"totalCount"` -} - -// GetAdminClient - fetches admin client of the MQ -func GetAdminClient() (mqtt.Client, error) { - opts := mqtt.NewClientOptions() - setMqOptions(mqAdminUserName, servercfg.GetMqAdminPassword(), opts) - mqclient := mqtt.NewClient(opts) - var connecterr error - if token := mqclient.Connect(); !token.WaitTimeout(MQ_TIMEOUT*time.Second) || token.Error() != nil { - if token.Error() == nil { - connecterr = errors.New("connect timeout") - } else { - connecterr = token.Error() - } - } - return mqclient, connecterr -} - -// ListClients - to list all clients in the MQ -func ListClients(client mqtt.Client) (ListClientsData, error) { - respChan := make(chan mqtt.Message, 10) - defer close(respChan) - command := "listClients" - resp := ListClientsData{} - msg := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: command, - }, - }, - } - client.Subscribe("$CONTROL/dynamic-security/v1/response", 2, mqtt.MessageHandler(func(c mqtt.Client, m mqtt.Message) { - respChan <- m - })) - defer client.Unsubscribe() - d, _ := json.Marshal(msg) - token := client.Publish("$CONTROL/dynamic-security/v1", 2, true, d) - if !token.WaitTimeout(30) || token.Error() != nil { - var err error - if token.Error() == nil { - err = errors.New("connection timeout") - } else { - err = token.Error() - } - return resp, err - } - - for m := range respChan { - msg := DynListCLientsCmdResp{} - json.Unmarshal(m.Payload(), &msg) - for _, mI := range msg.Responses { - if mI.Command == command { - return mI.Data, nil - } - } - } - return resp, errors.New("resp not found") -} - -// fetches host related acls -func fetchHostAcls(hostID string) []Acl { - return []Acl{ - { - AclType: "publishClientReceive", - Topic: fmt.Sprintf("peers/host/%s/#", hostID), - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: 
fmt.Sprintf("host/update/%s/#", hostID), - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: fmt.Sprintf("host/serverupdate/%s", hostID), - Priority: -1, - Allow: true, - }, - } -} - -// FetchNetworkAcls - fetches network acls -func FetchNetworkAcls(network string) []Acl { - return []Acl{ - { - AclType: "publishClientReceive", - Topic: fmt.Sprintf("update/%s/#", network), - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: fmt.Sprintf("peers/%s/#", network), - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: fmt.Sprintf("proxy/%s/#", network), - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "unsubscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - } -} - -// DeleteNetworkRole - deletes a network role from DynSec system -func DeleteNetworkRole(network string) error { - // Deletes the network role from MQ - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: DeleteRoleCmd, - RoleName: network, - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -func deleteHostRole(hostID string) error { - // Deletes the hostID role from MQ - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: DeleteRoleCmd, - RoleName: getHostRoleName(hostID), - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -// CreateNetworkRole - createss a network role from DynSec system -func CreateNetworkRole(network string) error { - // Create Role with acls for the network - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: CreateRoleCmd, - RoleName: network, - Textname: "Network wide role with Acls for nodes", - Acls: FetchNetworkAcls(network), - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -// creates role for the host with ID. 
-func createHostRole(hostID string) error { - // Create Role with acls for the host - event := MqDynsecPayload{ - Commands: []MqDynSecCmd{ - { - Command: CreateRoleCmd, - RoleName: getHostRoleName(hostID), - Textname: "host role with Acls for hosts", - Acls: fetchHostAcls(hostID), - }, - }, - } - - return publishEventToDynSecTopic(event) -} - -func getHostRoleName(hostID string) string { - return fmt.Sprintf("host-%s", hostID) -} - -// serverAcls - fetches server role related acls -func fetchServerAcls() []Acl { - return []Acl{ - { - AclType: "publishClientSend", - Topic: "peers/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "proxy/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "peers/host/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "update/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "metrics_exporter", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "host/update/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "ping/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "update/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "signal/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "metrics/#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "unsubscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "host/serverupdate/#", - Priority: -1, - Allow: true, - }, - } -} - -// fetchNodeAcls - fetches node related acls -func fetchNodeAcls() []Acl { - // keeping node acls generic as of now. 
- return []Acl{ - - { - AclType: "publishClientSend", - Topic: "signal/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "update/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "ping/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "metrics/#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "unsubscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - } -} - -// fetchExporterAcls - fetch exporter role related acls -func fetchExporterAcls() []Acl { - return []Acl{ - { - AclType: "publishClientReceive", - Topic: "metrics_exporter", - Allow: true, - Priority: -1, - }, - { - AclType: "subscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "unsubscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - } -} - -// fetchAdminAcls - fetches admin role related acls -func fetchAdminAcls() []Acl { - return []Acl{ - { - AclType: "publishClientSend", - Topic: "$CONTROL/dynamic-security/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "$CONTROL/dynamic-security/#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "$CONTROL/dynamic-security/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "$SYS/#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "$SYS/#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientReceive", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "subscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "unsubscribePattern", - Topic: "#", - Priority: -1, - Allow: true, - }, - { - AclType: "publishClientSend", - Topic: "#", - Priority: -1, - Allow: true, - }, - } -} 
diff --git a/mq/mq.go b/mq/mq.go index d0ccc420..7d76270f 100644 --- a/mq/mq.go +++ b/mq/mq.go @@ -2,7 +2,6 @@ package mq import ( "context" - "fmt" "time" mqtt "github.com/eclipse/paho.mqtt.golang" @@ -23,39 +22,6 @@ var peer_force_send = 0 var mqclient mqtt.Client -// SetUpAdminClient - sets up admin client for the MQ -func SetUpAdminClient() { - opts := mqtt.NewClientOptions() - setMqOptions(mqAdminUserName, servercfg.GetMqAdminPassword(), opts) - mqAdminClient = mqtt.NewClient(opts) - opts.SetOnConnectHandler(func(client mqtt.Client) { - if token := client.Subscribe(dynamicSecSubTopic, 2, mqtt.MessageHandler(watchDynSecTopic)); token.WaitTimeout(MQ_TIMEOUT*time.Second) && token.Error() != nil { - client.Disconnect(240) - logger.Log(0, fmt.Sprintf("Dynamic security client subscription failed: %v ", token.Error())) - } - - opts.SetOrderMatters(true) - opts.SetResumeSubs(true) - }) - tperiod := time.Now().Add(10 * time.Second) - for { - if token := mqAdminClient.Connect(); !token.WaitTimeout(MQ_TIMEOUT*time.Second) || token.Error() != nil { - logger.Log(2, "Admin: unable to connect to broker, retrying ...") - if time.Now().After(tperiod) { - if token.Error() == nil { - logger.FatalLog("Admin: could not connect to broker, token timeout, exiting ...") - } else { - logger.FatalLog("Admin: could not connect to broker, exiting ...", token.Error().Error()) - } - } - } else { - break - } - time.Sleep(2 * time.Second) - } - -} - func setMqOptions(user, password string, opts *mqtt.ClientOptions) { broker, _ := servercfg.GetMessageQueueEndpoint() opts.AddBroker(broker) 
@@ -73,7 +39,7 @@ func setMqOptions(user, password string, opts *mqtt.ClientOptions) {
 // SetupMQTT creates a connection to broker and return client
 func SetupMQTT() {
 opts := mqtt.NewClientOptions()
- setMqOptions(mqNetmakerServerUserName, servercfg.GetMqAdminPassword(), opts)
+ setMqOptions(servercfg.GetMqUserName(), servercfg.GetMqPassword(), opts)
 opts.SetOnConnectHandler(func(client mqtt.Client) {
 if token := client.Subscribe("ping/#", 2, mqtt.MessageHandler(Ping)); token.WaitTimeout(MQ_TIMEOUT*time.Second) && token.Error() != nil {
 client.Disconnect(240)
diff --git a/servercfg/serverconf.go b/servercfg/serverconf.go
index 67393560..d9743e9f 100644
--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@@ -654,13 +654,24 @@ func GetMQServerPort() string {
 return port
 }
 
-// GetMqAdminPassword - fetches the MQ Admin password
-func GetMqAdminPassword() string {
+// GetMqPassword - fetches the MQ password
+func GetMqPassword() string {
 password := ""
- if os.Getenv("MQ_ADMIN_PASSWORD") != "" {
- password = os.Getenv("MQ_ADMIN_PASSWORD")
- } else if config.Config.Server.MQAdminPassword != "" {
- password = config.Config.Server.MQAdminPassword
+ if os.Getenv("MQ_PASSWORD") != "" {
+ password = os.Getenv("MQ_PASSWORD")
+ } else if config.Config.Server.MQPassword != "" {
+ password = config.Config.Server.MQPassword
+ }
+ return password
+}
+
+// GetMqUserName - fetches the MQ username
+func GetMqUserName() string {
+ password := ""
+ if os.Getenv("MQ_USERNAME") != "" {
+ password = os.Getenv("MQ_USERNAME")
+ } else if config.Config.Server.MQUserName != "" {
+ password = config.Config.Server.MQUserName
 }
 return password
 }
From fffcf6ba5d42038e0db23c661d24363593bd2480 Mon Sep 17 00:00:00 2001
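Review bot: SetupMQTT now connects with `servercfg.GetMqUserName()`/`servercfg.GetMqPassword()`, both of which return "" when neither the environment variable nor the config field is set, and the only empty-credential guard in the old flow (`Configure()` returning "MQ admin password not provided", deleted in this series) is not replaced, so a misconfigured server presumably sits in its connect-retry path on a broker auth failure instead of failing fast. A check such as `if servercfg.GetMqPassword() == "" { logger.FatalLog("MQ_PASSWORD not set") }` before the options are built, or in runMessageQueue ahead of the SetupMQTT call, would surface this at startup. This credential is also the only identity the broker sees for the server once the dynamic-security plugin is gone, so anything else holding the same username/password has exactly the publish rights on `peers/#`, `update/#` and the other topics that the deleted fetchServerAcls listed as server-only. SetupMQTT's body continues outside the hunk.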
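Review bot: GetMqUserName keeps the username in a local named `password`, copied from GetMqPassword above; renaming it (`username := ""` … `return username`) avoids a reader mistaking the two values. Both getters silently return "" when neither the environment variable nor the config field is set, and no caller in this series checks for that, so the doc comments should state it: `// GetMqUserName - fetches the MQ username from MQ_USERNAME, falling back to the config file; returns "" when neither is set`, and the same for GetMqPassword.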
From: Abhishek Kondur Date: Fri, 20 Jan 2023 09:49:43 +0530 Subject: [PATCH 02/12] remove wait.sh,add standard username,password mq auth --- compose/docker-compose.yml | 7 +++---- docker/mosquitto.conf | 4 ++-- models/structs.go | 2 ++ scripts/nm-quick-interactive.sh | 4 +++- servercfg/serverconf.go | 2 ++ 5 files changed, 12 insertions(+), 7 deletions(-) diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml index b7f1bf5f..4dc8012a 100644 --- a/compose/docker-compose.yml +++ b/compose/docker-compose.yml @@ -41,7 +41,8 @@ services: VERBOSITY: "1" MANAGE_IPTABLES: "on" PORT_FORWARD_SERVICES: "dns" - MQ_ADMIN_PASSWORD: "REPLACE_MQ_ADMIN_PASSWORD" + MQ_PASSWORD: "REPLACE_MQ_PASSWORD" + MQ_USERNAME: "REPLACE_MQ_USERNAME" STUN_PORT: "3478" PROXY: "on" ports: @@ -83,13 +84,11 @@ services: depends_on: - netmaker restart: unless-stopped - command: ["/mosquitto/config/wait.sh"] environment: NETMAKER_SERVER_HOST: "https://api.NETMAKER_BASE_DOMAIN" volumes: - /root/mosquitto.conf:/mosquitto/config/mosquitto.conf - - /root/wait.sh:/mosquitto/config/wait.sh - - mosquitto_data:/mosquitto/data + - /root/passwords.txt:/mosquitto/passwords.txt - mosquitto_logs:/mosquitto/log volumes: caddy_data: {} diff --git a/docker/mosquitto.conf b/docker/mosquitto.conf index 19597b80..29053dff 100644 --- a/docker/mosquitto.conf +++ b/docker/mosquitto.conf @@ -7,5 +7,5 @@ listener 1883 protocol websockets allow_anonymous false -plugin /usr/lib/mosquitto_dynamic_security.so -plugin_opt_config_file /mosquitto/data/dynamic-security.json +allow_anonymous false +password_file /mosquitto/passwords.txt diff --git a/models/structs.go b/models/structs.go index a3257111..cbfbf7a1 100644 --- a/models/structs.go +++ b/models/structs.go 
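Review bot: In the mosquitto.conf hunk the added `allow_anonymous false` duplicates the directive already present on the context line directly above it, so only the `password_file` line is needed. More importantly, swapping the dynamic-security plugin for a password file removes all topic authorization: the deleted dynsec_helper.go confined each host to `peers/host/<id>/#`, `host/update/<id>/#` and its own networks' topics and reserved the `peers/#`/`update/#` publish side for the server role, whereas a broker configured with `password_file` alone lets every authenticated client publish and subscribe to every topic. If per-host isolation is still intended, an `acl_file` (or an equivalent authorization plugin) needs to come in with this change, and the commit message should say that the topic ACLs are being dropped deliberately if it is not.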
@@ -233,6 +233,8 @@ type ServerConfig struct { DNSMode string `yaml:"dnsmode"` Version string `yaml:"version"` MQPort string `yaml:"mqport"` + MQUserName string `yaml:"mq_username"` + MQPassword string `yaml:"mq_password"` Server string `yaml:"server"` Broker string `yaml:"broker"` Is_EE bool `yaml:"isee"` diff --git a/scripts/nm-quick-interactive.sh b/scripts/nm-quick-interactive.sh index 180e6a09..a193130e 100644 --- a/scripts/nm-quick-interactive.sh +++ b/scripts/nm-quick-interactive.sh @@ -188,6 +188,7 @@ NETMAKER_BASE_DOMAIN=nm.$(curl -s ifconfig.me | tr . -).nip.io COREDNS_IP=$(ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p') SERVER_PUBLIC_IP=$(curl -s ifconfig.me) MASTER_KEY=$(tr -dc A-Za-z0-9 Date: Fri, 20 Jan 2023 16:54:28 +0530 Subject: [PATCH 03/12] rm mosquitto data volume --- compose/docker-compose.yml | 2 -- scripts/nm-quick-interactive.sh | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml index 4dc8012a..5a7d2943 100644 --- a/compose/docker-compose.yml +++ b/compose/docker-compose.yml @@ -17,7 +17,6 @@ services: volumes: - dnsconfig:/root/config/dnsconfig - sqldata:/root/data - - mosquitto_data:/etc/netmaker environment: BROKER_NAME: "broker.NETMAKER_BASE_DOMAIN" SERVER_NAME: "NETMAKER_BASE_DOMAIN" @@ -95,5 +94,4 @@ volumes: caddy_conf: {} sqldata: {} dnsconfig: {} - mosquitto_data: {} mosquitto_logs: {} diff --git a/scripts/nm-quick-interactive.sh b/scripts/nm-quick-interactive.sh index a193130e..5138f9b8 100644 --- a/scripts/nm-quick-interactive.sh +++ b/scripts/nm-quick-interactive.sh 
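Review bot: Adding `MQPassword` to models.ServerConfig puts the broker password into a struct whose sibling fields (Version, MQPort, Broker, Is_EE) look like the server info handed to hosts on join; if that is where this struct is serialized, every host receives the same credential the server itself uses in SetupMQTT and, with no broker ACLs left in this series, can publish the server-only topics to every other host. Please confirm where this struct is marshalled; if hosts do need broker credentials, a per-host credential rather than the server's is the safer shape, and either way the field deserves `// MQPassword - broker password; sensitive, keep out of logs and API responses`. The `mq_password`/`mq_username` tags here also differ from the `mqpassword`/`mqusername` tags given to the same fields in config.ServerConfig in patch 01.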
@@ -302,7 +302,7 @@ if [ "$INSTALL_TYPE" = "ee" ]; then CADDY_URL="https://raw.githubusercontent.com/gravitl/netmaker/master/docker/Caddyfile-EE" fi -wget -O /root/docker-compose.yml $COMPOSE_URL && wget -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf && wget -O /root/Caddyfile $CADDY_URL && wget -q -O /root/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/master/docker/wait.sh && chmod +x /root/wait.sh +wget -O /root/docker-compose.yml $COMPOSE_URL && wget -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf && wget -O /root/Caddyfile $CADDY_URL mkdir -p /etc/netmaker From 6a297a819e2f299796cb1f31697ff36acb1219e6 Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Fri, 20 Jan 2023 18:49:01 +0530 Subject: [PATCH 04/12] encrypt mq password using mosquitto --- compose/docker-compose.yml | 2 +- docker/mosquitto.conf | 2 +- scripts/nm-quick-interactive.sh | 21 +++++++++++---------- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml index 5a7d2943..93b2e6e2 100644 --- a/compose/docker-compose.yml +++ b/compose/docker-compose.yml @@ -87,7 +87,7 @@ services: NETMAKER_SERVER_HOST: "https://api.NETMAKER_BASE_DOMAIN" volumes: - /root/mosquitto.conf:/mosquitto/config/mosquitto.conf - - /root/passwords.txt:/mosquitto/passwords.txt + - /root/password.txt:/mosquitto/password.txt - mosquitto_logs:/mosquitto/log volumes: caddy_data: {} diff --git a/docker/mosquitto.conf b/docker/mosquitto.conf index 29053dff..eb26ac02 100644 --- a/docker/mosquitto.conf +++ b/docker/mosquitto.conf @@ -8,4 +8,4 @@ protocol websockets allow_anonymous false allow_anonymous false -password_file /mosquitto/passwords.txt +password_file /mosquitto/password.txt diff --git a/scripts/nm-quick-interactive.sh b/scripts/nm-quick-interactive.sh index 5138f9b8..5808c78e 100644 --- a/scripts/nm-quick-interactive.sh 
+++ b/scripts/nm-quick-interactive.sh 
@@ -77,40 +77,40 @@ echo "checking dependencies..." OS=$(uname) if [ -f /etc/debian_version ]; then - dependencies="wireguard wireguard-tools jq docker.io docker-compose" + dependencies="wireguard wireguard-tools jq docker.io docker-compose mosquitto" update_cmd='apt update' install_cmd='apt-get install -y' elif [ -f /etc/alpine-release ]; then - dependencies="wireguard jq docker.io docker-compose" + dependencies="wireguard jq docker.io docker-compose mosquitto" update_cmd='apk update' install_cmd='apk --update add' elif [ -f /etc/centos-release ]; then - dependencies="wireguard jq docker.io docker-compose" + dependencies="wireguard jq docker.io docker-compose mosquitto" update_cmd='yum update' install_cmd='yum install -y' elif [ -f /etc/fedora-release ]; then - dependencies="wireguard jq docker.io docker-compose" + dependencies="wireguard jq docker.io docker-compose mosquitto" update_cmd='dnf update' install_cmd='dnf install -y' elif [ -f /etc/redhat-release ]; then - dependencies="wireguard jq docker.io docker-compose" + dependencies="wireguard jq docker.io docker-compose mosquitto" update_cmd='yum update' install_cmd='yum install -y' elif [ -f /etc/arch-release ]; then - dependecies="wireguard-tools jq docker.io docker-compose" + dependecies="wireguard-tools jq docker.io docker-compose mosquitto" update_cmd='pacman -Sy' install_cmd='pacman -S --noconfirm' elif [ "${OS}" = "FreeBSD" ]; then - dependencies="wireguard wget jq docker.io docker-compose" + dependencies="wireguard wget jq docker.io docker-compose mosquitto" update_cmd='pkg update' install_cmd='pkg install -y' elif [ -f /etc/turris-version ]; then - dependencies="wireguard-tools bash jq docker.io docker-compose" + dependencies="wireguard-tools bash jq docker.io docker-compose mosquitto" OS="TurrisOS" update_cmd='opkg update' install_cmd='opkg install' elif [ -f /etc/openwrt_release ]; then - dependencies="wireguard-tools bash jq docker.io docker-compose" + dependencies="wireguard-tools bash jq docker.io 
docker-compose mosquitto" OS="OpenWRT" update_cmd='opkg update' install_cmd='opkg install' @@ -191,7 +191,8 @@ MASTER_KEY=$(tr -dc A-Za-z0-9 /root/password.txt +mosquitto_passwd -U /root/password.txt echo "-----------------------------------------------------" echo "Would you like to use your own domain for netmaker, or an auto-generated domain?" echo "To use your own domain, add a Wildcard DNS record (e.x: *.netmaker.example.com) pointing to $SERVER_PUBLIC_IP" From aa3820d2bf9a3d4a2bec2234fb18d20d53d2f4b2 Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Tue, 7 Feb 2023 14:28:04 +0400 Subject: [PATCH 05/12] merge conflicts fixes --- compose/docker-compose.yml | 2 -- controllers/hosts.go | 4 ---- 2 files changed, 6 deletions(-) diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml index 5915aa0c..7cdf5cc5 100644 --- a/compose/docker-compose.yml +++ b/compose/docker-compose.yml @@ -27,8 +27,6 @@ services: MQ_PORT: "443" MQ_SERVER_PORT: "1883" VERBOSITY: "1" - MANAGE_IPTABLES: "on" - PORT_FORWARD_SERVICES: "dns" MQ_PASSWORD: "REPLACE_MQ_PASSWORD" MQ_USERNAME: "REPLACE_MQ_USERNAME" STUN_PORT: "3478" diff --git a/controllers/hosts.go b/controllers/hosts.go index f37488e1..0aefeb56 100644 --- a/controllers/hosts.go +++ b/controllers/hosts.go @@ -97,10 +97,6 @@ func updateHost(w http.ResponseWriter, r *http.Request) { if updateRelay { logic.UpdateHostRelay(currHost.ID.String(), currHost.RelayedHosts, newHost.RelayedHosts) } -<<<<<<< HEAD -======= - ->>>>>>> f4851937c1746475fdac99e9c562623128ba16b1 // publish host update through MQ if err := mq.HostUpdate(&models.HostUpdate{ Action: models.UpdateHost, From f19e3c31d0d2aab69788491b56f6be8c6aae24a4 Mon Sep 17 00:00:00 2001 
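Review bot: The Arch branch of the dependencies hunk still assigns `dependecies="wireguard-tools jq docker.io docker-compose mosquitto"` (misspelled), so on Arch `$dependencies` stays empty and nothing is installed; the new line should read `dependencies="wireguard-tools jq docker.io docker-compose mosquitto"`, and the same misspelling survives the rewrite of that line in patch 08. Separately, adding the `mosquitto` package to every distro's host dependencies installs a full broker on the host just to obtain `mosquitto_passwd`; on distributions that enable the service on install this leaves a second MQTT listener running beside the containerized one, so hashing the password inside the mq container (as patch 06 later does) or installing only a client-tools package where one exists would be cleaner.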
From: Abhishek Kondur Date: Tue, 7 Feb 2023 17:01:57 +0400 Subject: [PATCH 06/12] use wait script to encrypt mq password --- compose/docker-compose.yml | 6 ++++-- docker/wait.sh | 17 ++++++----------- scripts/nm-quick-interactive.sh | 5 ++--- 3 files changed, 12 insertions(+), 16 deletions(-) diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml index 7cdf5cc5..425ee25e 100644 --- a/compose/docker-compose.yml +++ b/compose/docker-compose.yml @@ -70,11 +70,13 @@ services: depends_on: - netmaker restart: unless-stopped + command: ["/mosquitto/config/wait.sh"] environment: - NETMAKER_SERVER_HOST: "https://api.NETMAKER_BASE_DOMAIN" + MQ_PASSWORD: "REPLACE_MQ_PASSWORD" + MQ_USERNAME: "REPLACE_MQ_USERNAME" volumes: - /root/mosquitto.conf:/mosquitto/config/mosquitto.conf - - /root/password.txt:/mosquitto/password.txt + - /root/wait.sh:/mosquitto/config/wait.sh - mosquitto_logs:/mosquitto/log volumes: caddy_data: {} diff --git a/docker/wait.sh b/docker/wait.sh index caf9d29d..45b4521f 100755 --- a/docker/wait.sh +++ b/docker/wait.sh @@ -1,18 +1,13 @@ #!/bin/ash -wait_for_netmaker() { - echo "SERVER: ${NETMAKER_SERVER_HOST}" - until curl --output /dev/null --silent --fail --head \ - --location "${NETMAKER_SERVER_HOST}/api/server/health"; do - echo "Waiting for netmaker server to startup" - sleep 1 - done +encrypt_password() { + echo "${MQ_USERNAME}:${MQ_PASSWORD}" > /mosquitto/passwords.txt + mosquitto_passwd -U /mosquitto/passwords.txt } main(){ - # wait for netmaker to startup - apk add curl - wait_for_netmaker + + encrypt_password echo "Starting MQ..." # Run the main container command. /docker-entrypoint.sh @@ -20,4 +15,4 @@ main(){ } -main "${@}" +main "${@}" \ No newline at end of file diff --git a/scripts/nm-quick-interactive.sh b/scripts/nm-quick-interactive.sh index 5808c78e..1f04954d 100644 --- a/scripts/nm-quick-interactive.sh +++ b/scripts/nm-quick-interactive.sh 
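Review bot: `encrypt_password` writes `${MQ_USERNAME}:${MQ_PASSWORD}` in plaintext to `/mosquitto/passwords.txt` and then runs `mosquitto_passwd -U` on it without checking the exit status, so if the hashing step fails the broker is started against a plaintext file and every client login fails with no hint in this script; change the second line to `mosquitto_passwd -U /mosquitto/passwords.txt || { echo "hashing MQ password failed" >&2; exit 1; }`. The path also differs from the `password_file /mosquitto/password.txt` set in mosquitto.conf by patch 04, so at this commit the broker reads a file this script never writes. The function name is misleading as well: `mosquitto_passwd` hashes the password rather than encrypting it, so `hash_password` would describe what it does.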
@@ -191,8 +191,6 @@ MASTER_KEY=$(tr -dc A-Za-z0-9 /root/password.txt -mosquitto_passwd -U /root/password.txt echo "-----------------------------------------------------" echo "Would you like to use your own domain for netmaker, or an auto-generated domain?" echo "To use your own domain, add a Wildcard DNS record (e.x: *.netmaker.example.com) pointing to $SERVER_PUBLIC_IP" @@ -304,7 +302,8 @@ if [ "$INSTALL_TYPE" = "ee" ]; then fi wget -O /root/docker-compose.yml $COMPOSE_URL && wget -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf && wget -O /root/Caddyfile $CADDY_URL - +wget -q -O /root/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/master/docker/wait.sh +chmod +x /root/wait.sh mkdir -p /etc/netmaker echo "Setting docker-compose and Caddyfile..." From 435ce0eef1bfc442c1d73af9bb7cb454ab4f6d1d Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Tue, 7 Feb 2023 17:09:54 +0400 Subject: [PATCH 07/12] new line --- docker/wait.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/wait.sh b/docker/wait.sh index 45b4521f..f5d19f22 100755 --- a/docker/wait.sh +++ b/docker/wait.sh @@ -15,4 +15,4 @@ main(){ } -main "${@}" \ No newline at end of file +main "${@}" From ad5165e0ad17a01d218b63e03061fe3ed330bc45 Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Tue, 7 Feb 2023 17:13:29 +0400 Subject: [PATCH 08/12] remove mosquitto from install binaries --- scripts/nm-quick-interactive.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/scripts/nm-quick-interactive.sh b/scripts/nm-quick-interactive.sh index 1f04954d..6bff7f3a 100644 --- a/scripts/nm-quick-interactive.sh +++ b/scripts/nm-quick-interactive.sh 
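Review bot: The added `wget -q -O /root/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/master/docker/wait.sh` fetches a script from the moving `master` branch and the following `chmod +x /root/wait.sh` makes it the mq container's entrypoint, so whatever is on that branch at install time runs as the container command with the broker credentials in its environment; the neighbouring `mosquitto.conf` and `Caddyfile` downloads follow the same pattern, so pinning all of them to a release tag (or verifying a published checksum) would make installs reproducible. `-q` also hides a failed download, after which `chmod +x` succeeds on an empty file and the failure only surfaces when the container starts; dropping `-q` (as patch 08 does) or appending `|| exit 1` keeps the error at the point it occurs.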
@@ -77,40 +77,40 @@ echo "checking dependencies..." OS=$(uname) if [ -f /etc/debian_version ]; then - dependencies="wireguard wireguard-tools jq docker.io docker-compose mosquitto" + dependencies="wireguard wireguard-tools jq docker.io docker-compose" update_cmd='apt update' install_cmd='apt-get install -y' elif [ -f /etc/alpine-release ]; then - dependencies="wireguard jq docker.io docker-compose mosquitto" + dependencies="wireguard jq docker.io docker-compose" update_cmd='apk update' install_cmd='apk --update add' elif [ -f /etc/centos-release ]; then - dependencies="wireguard jq docker.io docker-compose mosquitto" + dependencies="wireguard jq docker.io docker-compose" update_cmd='yum update' install_cmd='yum install -y' elif [ -f /etc/fedora-release ]; then - dependencies="wireguard jq docker.io docker-compose mosquitto" + dependencies="wireguard jq docker.io docker-compose" update_cmd='dnf update' install_cmd='dnf install -y' elif [ -f /etc/redhat-release ]; then - dependencies="wireguard jq docker.io docker-compose mosquitto" + dependencies="wireguard jq docker.io docker-compose" update_cmd='yum update' install_cmd='yum install -y' elif [ -f /etc/arch-release ]; then - dependecies="wireguard-tools jq docker.io docker-compose mosquitto" + dependecies="wireguard-tools jq docker.io docker-compose" update_cmd='pacman -Sy' install_cmd='pacman -S --noconfirm' elif [ "${OS}" = "FreeBSD" ]; then - dependencies="wireguard wget jq docker.io docker-compose mosquitto" + dependencies="wireguard wget jq docker.io docker-compose" update_cmd='pkg update' install_cmd='pkg install -y' elif [ -f /etc/turris-version ]; then - dependencies="wireguard-tools bash jq docker.io docker-compose mosquitto" + dependencies="wireguard-tools bash jq docker.io docker-compose" OS="TurrisOS" update_cmd='opkg update' install_cmd='opkg install' elif [ -f /etc/openwrt_release ]; then - dependencies="wireguard-tools bash jq docker.io docker-compose mosquitto" + dependencies="wireguard-tools bash jq 
docker.io docker-compose" OS="OpenWRT" update_cmd='opkg update' install_cmd='opkg install' @@ -302,7 +302,7 @@ if [ "$INSTALL_TYPE" = "ee" ]; then fi wget -O /root/docker-compose.yml $COMPOSE_URL && wget -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf && wget -O /root/Caddyfile $CADDY_URL -wget -q -O /root/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/master/docker/wait.sh +wget -O /root/wait.sh https://raw.githubusercontent.com/gravitl/netmaker/master/docker/wait.sh chmod +x /root/wait.sh mkdir -p /etc/netmaker From e575f2a6e8b9e8c475eaa36108f3154dc6fb2308 Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Tue, 7 Feb 2023 17:43:07 +0400 Subject: [PATCH 09/12] prompt user for mq username and password --- scripts/nm-quick-interactive.sh | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/scripts/nm-quick-interactive.sh b/scripts/nm-quick-interactive.sh index 6bff7f3a..d8d264f2 100644 --- a/scripts/nm-quick-interactive.sh +++ b/scripts/nm-quick-interactive.sh @@ -188,8 +188,6 @@ NETMAKER_BASE_DOMAIN=nm.$(curl -s ifconfig.me | tr . -).nip.io COREDNS_IP=$(ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p') SERVER_PUBLIC_IP=$(curl -s ifconfig.me) MASTER_KEY=$(tr -dc A-Za-z0-9 Date: Tue, 7 Feb 2023 19:34:30 +0400 Subject: [PATCH 10/12] mq password prompt for user --- scripts/nm-quick-interactive.sh | 37 ++++++++++++++++++++++++++------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/scripts/nm-quick-interactive.sh b/scripts/nm-quick-interactive.sh index d8d264f2..7f992080 100644 --- a/scripts/nm-quick-interactive.sh +++ b/scripts/nm-quick-interactive.sh 
@@ -269,7 +269,8 @@ wait_seconds 1 unset GET_MQ_USERNAME unset GET_MQ_PASSWORD -echo "\nEnter Credentials For MQ" +unset CONFIRM_MQ_PASSWORD +echo "Enter Credentials For MQ..." read -p "MQ Username (click 'enter' to use 'netmaker'): " GET_MQ_USERNAME if [ -z "$GET_MQ_USERNAME" ]; then echo "using default username for mq" @@ -277,13 +278,33 @@ if [ -z "$GET_MQ_USERNAME" ]; then else MQ_USERNAME="$GET_MQ_USERNAME" fi -read -p "MQ Password (click 'enter' to use random password): " GET_MQ_PASSWORD -if [ -z "$GET_MQ_PASSWORD" ]; then - echo "generating random password for mq" - MQ_PASSWORD=$(tr -dc A-Za-z0-9 Date: Tue, 7 Feb 2023 20:34:38 +0400 Subject: [PATCH 11/12] mq password config fix --- docker/mosquitto.conf | 1 - docker/wait.sh | 4 ++-- scripts/nm-quick-interactive.sh | 1 + 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/mosquitto.conf b/docker/mosquitto.conf index eb26ac02..eac096c4 100644 --- a/docker/mosquitto.conf +++ b/docker/mosquitto.conf @@ -7,5 +7,4 @@ listener 1883 protocol websockets allow_anonymous false -allow_anonymous false password_file /mosquitto/password.txt diff --git a/docker/wait.sh b/docker/wait.sh index f5d19f22..bf98768f 100755 --- a/docker/wait.sh +++ b/docker/wait.sh @@ -1,8 +1,8 @@ #!/bin/ash encrypt_password() { - echo "${MQ_USERNAME}:${MQ_PASSWORD}" > /mosquitto/passwords.txt - mosquitto_passwd -U /mosquitto/passwords.txt + echo "${MQ_USERNAME}:${MQ_PASSWORD}" > /mosquitto/password.txt + mosquitto_passwd -U /mosquitto/password.txt } main(){ diff --git a/scripts/nm-quick-interactive.sh b/scripts/nm-quick-interactive.sh index 7f992080..baa9e875 100644 --- a/scripts/nm-quick-interactive.sh +++ b/scripts/nm-quick-interactive.sh @@ -297,6 +297,7 @@ select domain_option in "Auto Generated Password" "Input Your Own Password"; do echo "wrong password entered, try again..." continue fi + MQ_PASSWORD="$GET_MQ_PASSWORD" echo "MQ Password Saved Successfully!!" break done 
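Review bot: The added `MQ_PASSWORD="$GET_MQ_PASSWORD"` sits inside a `select domain_option in "Auto Generated Password" "Input Your Own Password"` loop, so the menu variable is named after the domain prompt it was copied from; renaming it to `password_option` would keep the script readable. The `read` that fills `GET_MQ_PASSWORD` is outside this hunk; if it is a plain `read -p`, adding `-s` stops the password from being echoed to the terminal. If the value is later substituted into the compose placeholder `REPLACE_MQ_PASSWORD` with `sed` (not visible here), a user-chosen password containing `/`, `&` or `\` would corrupt the substitution, so either reject those characters at the prompt or use a delimiter-safe replacement.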
From c1f7fcba90840805e216bb27d7646864da6f40c1 Mon Sep 17 00:00:00 2001 From: Abhishek Kondur Date: Wed, 8 Feb 2023 11:06:00 +0400 Subject: [PATCH 12/12] update ee docker compose --- compose/docker-compose.ee.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/compose/docker-compose.ee.yml b/compose/docker-compose.ee.yml index 4307ca9c..36dce77f 100644 --- a/compose/docker-compose.ee.yml +++ b/compose/docker-compose.ee.yml @@ -8,9 +8,9 @@ services: volumes: - dnsconfig:/root/config/dnsconfig - sqldata:/root/data - - mosquitto_data:/etc/netmaker environment: SERVER_NAME: "broker.NETMAKER_BASE_DOMAIN" + STUN_DOMAIN: "stun.NETMAKER_BASE_DOMAIN" SERVER_HOST: "SERVER_PUBLIC_IP" SERVER_API_CONN_STRING: "api.NETMAKER_BASE_DOMAIN:443" COREDNS_ADDR: "SERVER_PUBLIC_IP" @@ -24,14 +24,17 @@ services: NODE_ID: "netmaker-server-1" MQ_HOST: "mq" MQ_PORT: "443" + STUN_PORT: "3478" MQ_SERVER_PORT: "1883" VERBOSITY: "1" METRICS_EXPORTER: "on" LICENSE_KEY: "YOUR_LICENSE_KEY" NETMAKER_ACCOUNT_ID: "YOUR_ACCOUNT_ID" - MQ_ADMIN_PASSWORD: "REPLACE_MQ_ADMIN_PASSWORD" + MQ_PASSWORD: "REPLACE_MQ_PASSWORD" + MQ_USERNAME: "REPLACE_MQ_USERNAME" ports: - "51821-51830:51821-51830/udp" + - "3478:3478/udp" netmaker-ui: container_name: netmaker-ui image: gravitl/netmaker-ui:v0.17.1 @@ -70,11 +73,11 @@ services: restart: unless-stopped command: ["/mosquitto/config/wait.sh"] environment: - NETMAKER_SERVER_HOST: "https://api.NETMAKER_BASE_DOMAIN" + MQ_PASSWORD: "REPLACE_MQ_PASSWORD" + MQ_USERNAME: "REPLACE_MQ_USERNAME" volumes: - /root/mosquitto.conf:/mosquitto/config/mosquitto.conf - /root/wait.sh:/mosquitto/config/wait.sh - - mosquitto_data:/mosquitto/data - mosquitto_logs:/mosquitto/log ports: - "1883:1883" @@ -125,7 +128,6 @@ volumes: caddy_conf: {} sqldata: {} dnsconfig: {} - mosquitto_data: {} mosquitto_logs: {} prometheus_data: {} grafana_data: {}