
remove network capabilities from netmaker

remove NET_ADMIN, NET_RAW, SYS_MODULE capabilities from docker-compose
files
remove sysctls from dockerfiles
remove ManageIPTables and PortForwardServices from ServerConfig
remove functions related to removed attributes
Matthew R Kasun 2 years ago
parent
commit
9b072e1050

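--- a/compose/docker-compose.ee.yml
+++ b/compose/docker-compose.ee.yml
@@ -4,15 +4,6 @@ services:
   netmaker:
     container_name: netmaker
     image: gravitl/netmaker:v0.17.1-ee
-    cap_add: 
-      - NET_ADMIN
-      - NET_RAW
-      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv6.conf.all.disable_ipv6=0
-      - net.ipv6.conf.all.forwarding=1
     restart: always
     volumes:
       - dnsconfig:/root/config/dnsconfig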

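--- a/compose/docker-compose.reference.yml
+++ b/compose/docker-compose.reference.yml
@@ -4,15 +4,6 @@ services:
   netmaker: # The Primary Server for running Netmaker
     container_name: netmaker
     image: gravitl/netmaker:v0.17.1
-    cap_add: 
-      - NET_ADMIN
-      - NET_RAW
-      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv6.conf.all.disable_ipv6=0
-      - net.ipv6.conf.all.forwarding=1
     restart: always
     volumes: # Volume mounts necessary for sql, coredns, and mqtt
       - dnsconfig:/root/config/dnsconfig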

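--- a/compose/docker-compose.yml
+++ b/compose/docker-compose.yml
@@ -4,15 +4,6 @@ services:
   netmaker:
     container_name: netmaker
     image: gravitl/netmaker:v0.17.1
-    cap_add: 
-      - NET_ADMIN
-      - NET_RAW
-      - SYS_MODULE
-    sysctls:
-      - net.ipv4.ip_forward=1
-      - net.ipv4.conf.all.src_valid_mark=1
-      - net.ipv6.conf.all.disable_ipv6=0
-      - net.ipv6.conf.all.forwarding=1
     restart: always
     volumes:
       - dnsconfig:/root/config/dnsconfig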

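--- a/config/config.go
+++ b/config/config.go
@@ -63,8 +63,6 @@ type ServerConfig struct {
 	AzureTenant           string `yaml:"azuretenant"`
 	RCE                   string `yaml:"rce"`
 	Telemetry             string `yaml:"telemetry"`
-	ManageIPTables        string `yaml:"manageiptables"`
-	PortForwardServices   string `yaml:"portforwardservices"`
 	HostNetwork           string `yaml:"hostnetwork"`
 	MQPort                string `yaml:"mqport"`
 	MQServerPort          string `yaml:"mqserverport"`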

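--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,6 @@ require (
 	github.com/coreos/go-oidc/v3 v3.5.0
 	github.com/gorilla/websocket v1.5.0
 	github.com/pkg/errors v0.9.1
-	github.com/sirupsen/logrus v1.9.0
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
 	gortc.io/stun v1.23.0
 )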

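--- a/go.sum
+++ b/go.sum
@@ -127,8 +127,6 @@ github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
@@ -208,7 +206,6 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=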

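--- a/main.go
+++ b/main.go
@@ -110,12 +110,6 @@ func initialize() { // Client Mode Prereq Check
 			logger.FatalLog("To run in client mode requires root privileges. Either disable client mode or run with sudo.")
 		}
 	}
-	// initialize iptables to ensure gateways work correctly and mq is forwarded if containerized
-	if servercfg.ManageIPTables() != "off" {
-		if err = serverctl.InitIPTables(true); err != nil {
-			logger.FatalLog("Unable to initialize iptables on host:", err.Error())
-		}
-	}
 
 	if servercfg.IsDNSMode() {
 		err := functions.SetDNSDir()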

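--- a/mq/publishers.go
+++ b/mq/publishers.go
@@ -11,7 +11,6 @@ import (
 	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/servercfg"
-	"github.com/gravitl/netmaker/serverctl"
 )
 
 // PublishPeerUpdate --- determines and publishes a peer update to all the hosts
@@ -123,13 +122,7 @@ func sendPeers() {
 	var force bool
 	peer_force_send++
 	if peer_force_send == 5 {
-
-		// run iptables update to ensure gateways work correctly and mq is forwarded if containerized
-		if servercfg.ManageIPTables() != "off" {
-			serverctl.InitIPTables(false)
-		}
 		servercfg.SetHost()
-
 		force = true
 		peer_force_send = 0
 		err := logic.TimerCheckpoint() // run telemetry & log dumps if 24 hours has passed..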

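--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@@ -82,9 +82,6 @@ func GetServerConfig() config.ServerConfig {
 		cfg.RCE = "off"
 	}
 	cfg.Telemetry = Telemetry()
-	cfg.ManageIPTables = ManageIPTables()
-	services := strings.Join(GetPortForwardServiceList(), ",")
-	cfg.PortForwardServices = services
 	cfg.Server = GetServer()
 	cfg.Verbosity = GetVerbosity()
 	cfg.IsEE = "no"
@@ -377,18 +374,6 @@ func Telemetry() string {
 	return telemetry
 }
 
-// ManageIPTables - checks if iptables should be manipulated on host
-func ManageIPTables() string {
-	manage := "on"
-	if os.Getenv("MANAGE_IPTABLES") == "off" {
-		manage = "off"
-	}
-	if config.Config.Server.ManageIPTables == "off" {
-		manage = "off"
-	}
-	return manage
-}
-
 // GetServer - gets the server name
 func GetServer() string {
 	server := ""
@@ -526,19 +511,6 @@ func GetPlatform() string {
 	return platform
 }
 
-// GetIPForwardServiceList - get the list of services that the server should be forwarding
-func GetPortForwardServiceList() []string {
-	//services := "mq,dns,ssh"
-	services := ""
-	if os.Getenv("PORT_FORWARD_SERVICES") != "" {
-		services = os.Getenv("PORT_FORWARD_SERVICES")
-	} else if config.Config.Server.PortForwardServices != "" {
-		services = config.Config.Server.PortForwardServices
-	}
-	serviceSlice := strings.Split(services, ",")
-	return serviceSlice
-}
-
 // GetSQLConn - get the sql connection string
 func GetSQLConn() string {
 	sqlconn := "http://"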

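--- a/serverctl/iptables.go
+++ /dev/null
@@ -1,136 +0,0 @@
-package serverctl
-
-import (
-	"errors"
-	"net"
-	"os"
-	"os/exec"
-	"strings"
-	"time"
-
-	"github.com/gravitl/netmaker/logger"
-	"github.com/gravitl/netmaker/netclient/ncutils"
-	"github.com/gravitl/netmaker/servercfg"
-)
-
-const netmakerProcessName = "netmaker"
-
-// InitIPTables - intializes the server iptables
-func InitIPTables(force bool) error {
-	_, err := exec.LookPath("iptables")
-	if err != nil {
-		return err
-	}
-	err = setForwardPolicy()
-	if err != nil {
-		logger.Log(0, "error setting iptables forward policy: "+err.Error())
-	}
-
-	err = portForwardServices(force)
-	if err != nil {
-		return err
-	}
-	if isContainerized() && servercfg.IsHostNetwork() {
-		err = setHostCoreDNSMapping()
-	}
-	return err
-}
-
-// set up port forwarding for services listed in config
-func portForwardServices(force bool) error {
-	var err error
-	services := servercfg.GetPortForwardServiceList()
-	if len(services) == 0 || services[0] == "" {
-		return nil
-	}
-	for _, service := range services {
-		switch service {
-		case "mq":
-			err = iptablesPortForward("mq", servercfg.GetMQServerPort(), servercfg.GetMQServerPort(), false, force)
-		case "dns":
-			err = iptablesPortForward("coredns", "53", "53", false, force)
-		case "ssh":
-			err = iptablesPortForward("netmaker", "22", "22", false, force)
-		default:
-			params := strings.Split(service, ":")
-			if len(params) == 3 {
-				err = iptablesPortForward(params[0], params[1], params[2], true, force)
-			}
-		}
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// determine if process is running in container
-func isContainerized() bool {
-	fileBytes, err := os.ReadFile("/proc/1/sched")
-	if err != nil {
-		logger.Log(1, "error determining containerization: "+err.Error())
-		return false
-	}
-	fileString := string(fileBytes)
-	return strings.Contains(fileString, netmakerProcessName)
-}
-
-// make sure host allows forwarding
-func setForwardPolicy() error {
-	logger.Log(2, "setting iptables forward policy")
-	_, err := ncutils.RunCmd("iptables --policy FORWARD ACCEPT", false)
-	return err
-}
-
-// port forward from an entry, can contain a dns name for lookup
-func iptablesPortForward(entry string, inport string, outport string, isIP, force bool) error {
-
-	var address string
-	if !isIP {
-	out:
-		for i := 1; i < 4; i++ {
-			ips, err := net.LookupIP(entry)
-			if err != nil && i > 2 {
-				return err
-			}
-			for _, ip := range ips {
-				if ipv4 := ip.To4(); ipv4 != nil {
-					address = ipv4.String()
-				}
-			}
-			if address != "" {
-				break out
-			}
-			time.Sleep(time.Second)
-		}
-	} else {
-		address = entry
-	}
-	if address == "" {
-		return errors.New("could not locate ip for " + entry)
-	}
-
-	if output, err := ncutils.RunCmd("iptables -t nat -C PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false); output != "" || err != nil || force {
-		_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
-		if err != nil {
-			return err
-		}
-		_, err = ncutils.RunCmd("iptables -t nat -A PREROUTING -p udp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
-		if err != nil {
-			return err
-		}
-		_, err = ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", false)
-		return err
-	} else {
-		logger.Log(3, "mq forwarding is already set... skipping")
-	}
-	return nil
-}
-
-// if running in host networking mode, run iptables to map to CoreDNS container
-func setHostCoreDNSMapping() error {
-	logger.Log(1, "forwarding dns traffic on host from netmaker interfaces to 53053")
-	ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p tcp --match tcp --dport 53 --jump REDIRECT --to-ports 53053", true)
-	_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p udp --match udp --dport 53 --jump REDIRECT --to-ports 53053", true)
-	return err
-}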