
Merge pull request #1965 from gravitl/gra-1038-compose-remove-caps

remove network capabilities from netmaker
dcarns 2 years ago
parent
commit
0fc627e0f7

+ 0 - 10
compose/docker-compose.ee.yml

@@ -4,15 +4,6 @@ services:
   netmaker:
     container_name: netmaker
     image: gravitl/netmaker:v0.17.1-ee
-    cap_add: 
-      - NET_ADMIN
-      - NET_RAW
-      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv6.conf.all.disable_ipv6=0
-      - net.ipv6.conf.all.forwarding=1
     restart: always
     volumes:
       - dnsconfig:/root/config/dnsconfig
@@ -35,7 +26,6 @@ services:
       MQ_HOST: "mq"
       MQ_PORT: "443"
       MQ_SERVER_PORT: "1883"
-      HOST_NETWORK: "off"
       VERBOSITY: "1"
       MANAGE_IPTABLES: "on"
       PORT_FORWARD_SERVICES: "dns"
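Review bot: The two context lines after the removed HOST_NETWORK, `MANAGE_IPTABLES: "on"` and `PORT_FORWARD_SERVICES: "dns"`, survive in docker-compose.ee.yml even though this same commit deletes `ManageIPTables()` and `GetPortForwardServiceList()` from servercfg/serverconf.go and drops both variables from docker-compose.yml and docker-compose.reference.yml. With the readers gone they are dead configuration that still advertises host iptables management to anyone reading the ee file. Remove the two lines here as well so the three compose files agree on what the container is allowed to do.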

+ 0 - 13
compose/docker-compose.reference.yml

@@ -4,15 +4,6 @@ services:
   netmaker: # The Primary Server for running Netmaker
     container_name: netmaker
     image: gravitl/netmaker:v0.17.1
-    cap_add: 
-      - NET_ADMIN
-      - NET_RAW
-      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv6.conf.all.disable_ipv6=0
-      - net.ipv6.conf.all.forwarding=1
     restart: always
     volumes: # Volume mounts necessary for sql, coredns, and mqtt
       - dnsconfig:/root/config/dnsconfig
@@ -26,7 +17,6 @@ services:
       COREDNS_ADDR: "SERVER_PUBLIC_IP" # Address of the CoreDNS server. Defaults to SERVER_HOST
       DNS_MODE: "on" # Enables DNS Mode, meaning all nodes will set hosts file for private dns settings.
       API_PORT: "8081" # The HTTP API port for Netmaker. Used for API calls / communication from front end. If changed, need to change port of BACKEND_URL for netmaker-ui.
-      CLIENT_MODE: "on" # Depricated. CLIENT_MODE should always be ON
       REST_BACKEND: "on" # Enables the REST backend (API running on API_PORT at SERVER_HTTP_HOST). Change to "off" to turn off.
       DISABLE_REMOTE_IP_CHECK: "off" # If turned "on", Server will not set Host based on remote IP check. This is already overridden if SERVER_HOST is set. Turned "off" by default.
       TELEMETRY: "on" # Whether or not to send telemetry data to help improve Netmaker. Switch to "off" to opt out of sending telemetry.
@@ -39,10 +29,7 @@ services:
       MQ_HOST: "mq"  # the address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address. If using "host networking", it will find and detect the IP of the mq container.
       MQ_SERVER_PORT: "1883" # the reachable port of MQ by the server - change if internal MQ port changes (or use external port if MQ is not on the same machine)
       MQ_PORT: "443" # the reachable port of MQ - change if external MQ port changes (port on proxy, not necessarily the one exposed in docker-compose)
-      HOST_NETWORK: "off" # whether or not host networking is turned on. Only turn on if configured for host networking (see docker-compose.hostnetwork.yml). Will set host-level settings like iptables.
       VERBOSITY: "1" # logging verbosity level - 1, 2, or 3
-      MANAGE_IPTABLES: "on" # deprecated
-      PORT_FORWARD_SERVICES: "dns" # decide which services to port forward ("dns","ssh", or "mq")
       # this section is for OAuth
       AUTH_PROVIDER: "" # "<azure-ad|github|google|oidc>"
       CLIENT_ID: "" # "<client id of your oauth provider>"
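Review bot: The MQ_HOST comment in the context line above the removed HOST_NETWORK still says `If using "host networking", it will find and detect the IP of the mq container`, but this commit removes the HOST_NETWORK setting and the `IsHostNetwork()` reader, so the sentence now describes a mode the reference file no longer offers. Trim the comment to `MQ_HOST: "mq"  # the address of the mq server. If running from docker compose it will be "mq". Otherwise, need to input address.` so the reference compose does not point users at a removed option.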

+ 0 - 13
compose/docker-compose.yml

@@ -4,15 +4,6 @@ services:
   netmaker:
     container_name: netmaker
     image: gravitl/netmaker:v0.17.1
-    cap_add: 
-      - NET_ADMIN
-      - NET_RAW
-      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv6.conf.all.disable_ipv6=0
-      - net.ipv6.conf.all.forwarding=1
     restart: always
     volumes:
       - dnsconfig:/root/config/dnsconfig
@@ -28,7 +19,6 @@ services:
       DNS_MODE: "on"
       SERVER_HTTP_HOST: "api.NETMAKER_BASE_DOMAIN"
       API_PORT: "8081"
-      CLIENT_MODE: "on"
       MASTER_KEY: "REPLACE_MASTER_KEY"
       CORS_ALLOWED_ORIGIN: "*"
       DISPLAY_KEYS: "on"
@@ -37,10 +27,7 @@ services:
       MQ_HOST: "mq"
       MQ_PORT: "443"
       MQ_SERVER_PORT: "1883"
-      HOST_NETWORK: "off"
       VERBOSITY: "1"
-      MANAGE_IPTABLES: "on"
-      PORT_FORWARD_SERVICES: "dns"
       MQ_ADMIN_PASSWORD: "REPLACE_MQ_ADMIN_PASSWORD"
       STUN_PORT: "3478"
       PROXY: "on"

+ 0 - 2
config/config.go

@@ -63,8 +63,6 @@ type ServerConfig struct {
 	AzureTenant           string `yaml:"azuretenant"`
 	RCE                   string `yaml:"rce"`
 	Telemetry             string `yaml:"telemetry"`
-	ManageIPTables        string `yaml:"manageiptables"`
-	PortForwardServices   string `yaml:"portforwardservices"`
 	HostNetwork           string `yaml:"hostnetwork"`
 	MQPort                string `yaml:"mqport"`
 	MQServerPort          string `yaml:"mqserverport"`
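Review bot: `HostNetwork` stays in ServerConfig while its only reader visible in this commit, `IsHostNetwork()` in servercfg/serverconf.go, is deleted and `HOST_NETWORK` is dropped from every compose file, so the field and its `hostnetwork` yaml key now look like dead configuration alongside the two fields removed here. If no other reader remains outside this diff, delete it in the same commit; if it must stay so existing config files keep parsing, add `// Deprecated: host networking support was removed; the value is ignored.` above it so nobody expects it to change behaviour. ServerConfig begins and ends outside the hunk, so I cannot see whether other remaining fields share the same fate.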

+ 0 - 1
go.mod

@@ -37,7 +37,6 @@ require (
 	github.com/coreos/go-oidc/v3 v3.5.0
 	github.com/gorilla/websocket v1.5.0
 	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.9.0
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
 	gortc.io/stun v1.23.0
 )

+ 0 - 3
go.sum

@@ -127,8 +127,6 @@ github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
@@ -208,7 +206,6 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

+ 0 - 6
main.go

@@ -110,12 +110,6 @@ func initialize() { // Client Mode Prereq Check
 			logger.FatalLog("To run in client mode requires root privileges. Either disable client mode or run with sudo.")
 		}
 	}
-	// initialize iptables to ensure gateways work correctly and mq is forwarded if containerized
-	if servercfg.ManageIPTables() != "off" {
-		if err = serverctl.InitIPTables(true); err != nil {
-			logger.FatalLog("Unable to initialize iptables on host:", err.Error())
-		}
-	}
 
 	if servercfg.IsDNSMode() {
 		err := functions.SetDNSDir()

+ 0 - 7
mq/publishers.go

@@ -11,7 +11,6 @@ import (
 	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/servercfg"
-	"github.com/gravitl/netmaker/serverctl"
 )
 
 // PublishPeerUpdate --- determines and publishes a peer update to all the hosts
@@ -123,13 +122,7 @@ func sendPeers() {
 	var force bool
 	peer_force_send++
 	if peer_force_send == 5 {
-
-		// run iptables update to ensure gateways work correctly and mq is forwarded if containerized
-		if servercfg.ManageIPTables() != "off" {
-			serverctl.InitIPTables(false)
-		}
 		servercfg.SetHost()
-
 		force = true
 		peer_force_send = 0
 		err := logic.TimerCheckpoint() // run telemetry & log dumps if 24 hours has passed..

+ 0 - 1
nm-proxy/common/common.go

@@ -8,7 +8,6 @@ import (
 	"github.com/gravitl/netmaker/nm-proxy/models"
 )
 
-var IsHostNetwork bool
 var IsRelay bool
 var IsIngressGateway bool
 var IsRelayed bool

+ 0 - 3
nm-proxy/nm-proxy.go

@@ -4,9 +4,7 @@ import (
 	"context"
 	"log"
 	"net"
-	"os"
 
-	"github.com/gravitl/netmaker/nm-proxy/common"
 	"github.com/gravitl/netmaker/nm-proxy/manager"
 	"github.com/gravitl/netmaker/nm-proxy/server"
 	"github.com/gravitl/netmaker/nm-proxy/stun"
@@ -21,7 +19,6 @@ import (
 
 func Start(ctx context.Context, mgmChan chan *manager.ManagerAction, apiServerAddr string) {
 	log.Println("Starting Proxy...")
-	common.IsHostNetwork = (os.Getenv("HOST_NETWORK") == "" || os.Getenv("HOST_NETWORK") == "on")
 	hInfo := stun.GetHostInfo(apiServerAddr)
 	stun.Host = hInfo
 	log.Printf("HOSTINFO: %+v", hInfo)

+ 0 - 13
nm-proxy/proxy/proxy.go

@@ -94,19 +94,6 @@ func GetInterfaceListenAddr(port int) (*net.UDPAddr, error) {
 	if err != nil {
 		return udpAddr, err
 	}
-	if !common.IsHostNetwork {
-		addrs, err := getBoardCastAddress()
-		if err != nil {
-			return udpAddr, err
-		}
-		for _, addr := range addrs {
-			if liAddr := addr.(*net.IPNet).IP; liAddr != nil {
-				udpAddr.IP = liAddr
-				break
-			}
-		}
-	}
-
 	return udpAddr, nil
 }
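Review bot: Removing the `!common.IsHostNetwork` branch leaves `getBoardCastAddress()` with no caller in this hunk, and if that branch was the only use of `common` in proxy.go the import is now unused and the package will not build; the rest of the file is outside the diff, so both need confirming. The branch was also the only path that replaced `udpAddr.IP` with an interface address, so the listener address is now whatever the resolution above produced; that is presumably the intended behaviour once the proxy no longer distinguishes host networking, and it deserves a sentence in GetInterfaceListenAddr's doc comment such as `// The returned address is taken as resolved for port; no interface lookup is performed.` GetInterfaceListenAddr starts outside the hunk.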
 

+ 0 - 39
servercfg/serverconf.go

@@ -82,9 +82,6 @@ func GetServerConfig() config.ServerConfig {
 		cfg.RCE = "off"
 	}
 	cfg.Telemetry = Telemetry()
-	cfg.ManageIPTables = ManageIPTables()
-	services := strings.Join(GetPortForwardServiceList(), ",")
-	cfg.PortForwardServices = services
 	cfg.Server = GetServer()
 	cfg.Verbosity = GetVerbosity()
 	cfg.IsEE = "no"
@@ -377,18 +374,6 @@ func Telemetry() string {
 	return telemetry
 }
 
-// ManageIPTables - checks if iptables should be manipulated on host
-func ManageIPTables() string {
-	manage := "on"
-	if os.Getenv("MANAGE_IPTABLES") == "off" {
-		manage = "off"
-	}
-	if config.Config.Server.ManageIPTables == "off" {
-		manage = "off"
-	}
-	return manage
-}
-
 // GetServer - gets the server name
 func GetServer() string {
 	server := ""
@@ -526,19 +511,6 @@ func GetPlatform() string {
 	return platform
 }
 
-// GetIPForwardServiceList - get the list of services that the server should be forwarding
-func GetPortForwardServiceList() []string {
-	//services := "mq,dns,ssh"
-	services := ""
-	if os.Getenv("PORT_FORWARD_SERVICES") != "" {
-		services = os.Getenv("PORT_FORWARD_SERVICES")
-	} else if config.Config.Server.PortForwardServices != "" {
-		services = config.Config.Server.PortForwardServices
-	}
-	serviceSlice := strings.Split(services, ",")
-	return serviceSlice
-}
-
 // GetSQLConn - get the sql connection string
 func GetSQLConn() string {
 	sqlconn := "http://"
@@ -550,17 +522,6 @@ func GetSQLConn() string {
 	return sqlconn
 }
 
-// IsHostNetwork - checks if running on host network
-func IsHostNetwork() bool {
-	ishost := false
-	if os.Getenv("HOST_NETWORK") == "on" {
-		ishost = true
-	} else if config.Config.Server.HostNetwork == "on" {
-		ishost = true
-	}
-	return ishost
-}
-
 // GetNodeID - gets the node id
 func GetNodeID() string {
 	var id string

+ 0 - 136
serverctl/iptables.go

@@ -1,136 +0,0 @@
-package serverctl
-
-import (
-	"errors"
-	"net"
-	"os"
-	"os/exec"
-	"strings"
-	"time"
-
-	"github.com/gravitl/netmaker/logger"
-	"github.com/gravitl/netmaker/netclient/ncutils"
-	"github.com/gravitl/netmaker/servercfg"
-)
-
-const netmakerProcessName = "netmaker"
-
-// InitIPTables - intializes the server iptables
-func InitIPTables(force bool) error {
-	_, err := exec.LookPath("iptables")
-	if err != nil {
-		return err
-	}
-	err = setForwardPolicy()
-	if err != nil {
-		logger.Log(0, "error setting iptables forward policy: "+err.Error())
-	}
-
-	err = portForwardServices(force)
-	if err != nil {
-		return err
-	}
-	if isContainerized() && servercfg.IsHostNetwork() {
-		err = setHostCoreDNSMapping()
-	}
-	return err
-}
-
-// set up port forwarding for services listed in config
-func portForwardServices(force bool) error {
-	var err error
-	services := servercfg.GetPortForwardServiceList()
-	if len(services) == 0 || services[0] == "" {
-		return nil
-	}
-	for _, service := range services {
-		switch service {
-		case "mq":
-			err = iptablesPortForward("mq", servercfg.GetMQServerPort(), servercfg.GetMQServerPort(), false, force)
-		case "dns":
-			err = iptablesPortForward("coredns", "53", "53", false, force)
-		case "ssh":
-			err = iptablesPortForward("netmaker", "22", "22", false, force)
-		default:
-			params := strings.Split(service, ":")
-			if len(params) == 3 {
-				err = iptablesPortForward(params[0], params[1], params[2], true, force)
-			}
-		}
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// determine if process is running in container
-func isContainerized() bool {
-	fileBytes, err := os.ReadFile("/proc/1/sched")
-	if err != nil {
-		logger.Log(1, "error determining containerization: "+err.Error())
-		return false
-	}
-	fileString := string(fileBytes)
-	return strings.Contains(fileString, netmakerProcessName)
-}
-
-// make sure host allows forwarding
-func setForwardPolicy() error {
-	logger.Log(2, "setting iptables forward policy")
-	_, err := ncutils.RunCmd("iptables --policy FORWARD ACCEPT", false)
-	return err
-}
-
-// port forward from an entry, can contain a dns name for lookup
-func iptablesPortForward(entry string, inport string, outport string, isIP, force bool) error {
-
-	var address string
-	if !isIP {
-	out:
-		for i := 1; i < 4; i++ {
-			ips, err := net.LookupIP(entry)
-			if err != nil && i > 2 {
-				return err
-			}
-			for _, ip := range ips {
-				if ipv4 := ip.To4(); ipv4 != nil {
-					address = ipv4.String()
-				}
-			}
-			if address != "" {
-				break out
-			}
-			time.Sleep(time.Second)
-		}
-	} else {
-		address = entry
-	}
-	if address == "" {
-		return errors.New("could not locate ip for " + entry)
-	}
-
-	if output, err := ncutils.RunCmd("iptables -t nat -C PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false); output != "" || err != nil || force {
-		_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
-		if err != nil {
-			return err
-		}
-		_, err = ncutils.RunCmd("iptables -t nat -A PREROUTING -p udp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
-		if err != nil {
-			return err
-		}
-		_, err = ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", false)
-		return err
-	} else {
-		logger.Log(3, "mq forwarding is already set... skipping")
-	}
-	return nil
-}
-
-// if running in host networking mode, run iptables to map to CoreDNS container
-func setHostCoreDNSMapping() error {
-	logger.Log(1, "forwarding dns traffic on host from netmaker interfaces to 53053")
-	ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p tcp --match tcp --dport 53 --jump REDIRECT --to-ports 53053", true)
-	_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p udp --match udp --dport 53 --jump REDIRECT --to-ports 53053", true)
-	return err
-}