package main import ( "context" "crypto/ed25519" "crypto/rand" "errors" "flag" "fmt" "os" "os/signal" "runtime/debug" "strconv" "sync" "syscall" "time" "github.com/gravitl/netmaker/auth" "github.com/gravitl/netmaker/config" controller "github.com/gravitl/netmaker/controllers" "github.com/gravitl/netmaker/database" "github.com/gravitl/netmaker/functions" "github.com/gravitl/netmaker/logger" "github.com/gravitl/netmaker/logic" "github.com/gravitl/netmaker/models" "github.com/gravitl/netmaker/mq" "github.com/gravitl/netmaker/netclient/ncutils" "github.com/gravitl/netmaker/servercfg" "github.com/gravitl/netmaker/serverctl" "github.com/gravitl/netmaker/tls" ) var version = "dev" // Start DB Connection and start API Request Handler func main() { absoluteConfigPath := flag.String("c", "", "absolute path to configuration file") flag.Parse() setupConfig(*absoluteConfigPath) servercfg.SetVersion(version) fmt.Println(models.RetrieveLogo()) // print the logo initialize() // initial db and acls; gen cert if required setGarbageCollection() defer database.CloseDB() startControllers() // start the api endpoint and mq } func setupConfig(absoluteConfigPath string) { if len(absoluteConfigPath) > 0 { cfg, err := config.ReadConfig(absoluteConfigPath) if err != nil { logger.Log(0, fmt.Sprintf("failed parsing config at: %s", absoluteConfigPath)) return } config.Config = cfg } } func initialize() { // Client Mode Prereq Check var err error if servercfg.GetMasterKey() == "" { logger.Log(0, "warning: MASTER_KEY not set, this could make account recovery difficult") } if servercfg.GetNodeID() == "" { logger.FatalLog("error: must set NODE_ID, currently blank") } if err = database.InitializeDatabase(); err != nil { logger.FatalLog("Error connecting to database") } logger.Log(0, "database successfully connected") logic.SetJWTSecret() err = logic.TimerCheckpoint() if err != nil { logger.Log(1, "Timer error occurred: ", err.Error()) } var authProvider = auth.InitializeAuthProvider() if authProvider != "" { logger.Log(0, "OAuth provider,", authProvider+",", "initialized") } else { logger.Log(0, "no OAuth provider found or not configured, continuing without OAuth") } err = serverctl.SetDefaultACLS() if err != nil { logger.FatalLog("error setting default acls: ", err.Error()) } if servercfg.IsClientMode() != "off" { output, err := ncutils.RunCmd("id -u", true) if err != nil { logger.FatalLog("Error running 'id -u' for prereq check. Please investigate or disable client mode.", output, err.Error()) } uid, err := strconv.Atoi(string(output[:len(output)-1])) if err != nil { logger.FatalLog("Error retrieving uid from 'id -u' for prereq check. Please investigate or disable client mode.", err.Error()) } if uid != 0 { logger.FatalLog("To run in client mode requires root privileges. Either disable client mode or run with sudo.") } if err := serverctl.InitServerNetclient(); err != nil { logger.FatalLog("Did not find netclient to use CLIENT_MODE") } } // initialize iptables to ensure gateways work correctly and mq is forwarded if containerized if servercfg.ManageIPTables() != "off" { if err = serverctl.InitIPTables(true); err != nil { logger.FatalLog("Unable to initialize iptables on host:", err.Error()) } } if servercfg.IsDNSMode() { err := functions.SetDNSDir() if err != nil { logger.FatalLog(err.Error()) } } genCerts() if servercfg.IsMessageQueueBackend() { if err = mq.ServerStartNotify(); err != nil { logger.Log(0, "error occurred when notifying nodes of startup", err.Error()) } } logic.InitalizeZombies() } func startControllers() { var waitnetwork sync.WaitGroup if servercfg.IsDNSMode() { err := logic.SetDNS() if err != nil { logger.Log(0, "error occurred initializing DNS: ", err.Error()) } } //Run Rest Server if servercfg.IsRestBackend() { if !servercfg.DisableRemoteIPCheck() && servercfg.GetAPIHost() == "127.0.0.1" { err := servercfg.SetHost() if err != nil { logger.FatalLog("Unable to Set host. Exiting...", err.Error()) } } waitnetwork.Add(1) go controller.HandleRESTRequests(&waitnetwork) } //Run MessageQueue if servercfg.IsMessageQueueBackend() { waitnetwork.Add(1) go runMessageQueue(&waitnetwork) } if !servercfg.IsAgentBackend() && !servercfg.IsRestBackend() && !servercfg.IsMessageQueueBackend() { logger.Log(0, "No Server Mode selected, so nothing is being served! Set Agent mode (AGENT_BACKEND) or Rest mode (REST_BACKEND) or MessageQueue (MESSAGEQUEUE_BACKEND) to 'true'.") } waitnetwork.Wait() } // Should we be using a context vice a waitgroup???????????? func runMessageQueue(wg *sync.WaitGroup) { defer wg.Done() logger.Log(0, "connecting to mq broker at", servercfg.GetMessageQueueEndpoint()) var client = mq.SetupMQTT(false) // Set up the subscription listener ctx, cancel := context.WithCancel(context.Background()) go mq.Keepalive(ctx) go logic.ManageZombies(ctx) quit := make(chan os.Signal, 1) signal.Notify(quit, syscall.SIGTERM, os.Interrupt) <-quit cancel() logger.Log(0, "Message Queue shutting down") client.Disconnect(250) } func setGarbageCollection() { _, gcset := os.LookupEnv("GOGC") if !gcset { debug.SetGCPercent(ncutils.DEFAULT_GC_PERCENT) } } func genCerts() error { logger.Log(0, "checking keys and certificates") var private *ed25519.PrivateKey var err error private, err = tls.ReadKey(functions.GetNetmakerPath() + "/root.key") if errors.Is(err, os.ErrNotExist) { logger.Log(0, "generating new root key") _, newKey, err := ed25519.GenerateKey(rand.Reader) if err != nil { return err } if err := tls.SaveKey(functions.GetNetmakerPath(), "/root.key", newKey); err != nil { return err } private = &newKey } else if err != nil { return err } ca, err := tls.ReadCert(functions.GetNetmakerPath() + ncutils.GetSeparator() + "root.pem") //if cert doesn't exist or will expire within 10 days --- but can't do this as clients won't be able to connect //if errors.Is(err, os.ErrNotExist) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) { if errors.Is(err, os.ErrNotExist) { logger.Log(0, "generating new root CA") caName := tls.NewName("CA Root", "US", "Gravitl") csr, err := tls.NewCSR(*private, caName) if err != nil { return err } rootCA, err := tls.SelfSignedCA(*private, csr, tls.CERTIFICATE_VALIDITY) if err != nil { return err } if err := tls.SaveCert(functions.GetNetmakerPath(), ncutils.GetSeparator()+"root.pem", rootCA); err != nil { return err } ca = rootCA } else if err != nil { return err } cert, err := tls.ReadCert(functions.GetNetmakerPath() + "/server.pem") if errors.Is(err, os.ErrNotExist) || cert.NotAfter.Before(time.Now().Add(time.Hour*24*10)) { //gen new key logger.Log(0, "generating new server key/certificate") _, key, err := ed25519.GenerateKey(rand.Reader) if err != nil { return err } serverName := tls.NewCName(servercfg.GetServer()) csr, err := tls.NewCSR(key, serverName) if err != nil { return err } cert, err := tls.NewEndEntityCert(*private, csr, ca, tls.CERTIFICATE_VALIDITY) if err != nil { return err } if err := tls.SaveKey(functions.GetNetmakerPath(), "/server.key", key); err != nil { return err } if err := tls.SaveCert(functions.GetNetmakerPath(), "/server.pem", cert); err != nil { return err } } else if err != nil { return err } return nil }