Merge pull request #48 from NethServer/fix-wg

Migration tool fixes and enhancements

README.rst

@@ -252,8 +252,7 @@ To remove the tool and its dependencies (if they are not required by other packa
 
 Clean up configuration database: ::
 
-  config delete wg-quick@wg0
-  config delete agent
+  config delete wg-quick@ns8
   config delete ns8
 
 Post-migration step back

api/connection/read

@@ -32,13 +32,7 @@ def get_config():
     output, error = process.communicate()
     ns8_config = simplejson.loads(output)
 
-    # agent config
-    bash_command = "/sbin/e-smith/config getjson agent"
-    process = subprocess.Popen(bash_command.split(), stdout=subprocess.PIPE)
-    output, error = process.communicate()
-    agent_config = simplejson.loads(output)
-
-    return {"ns8": ns8_config, "agent": agent_config}
+    return {"ns8": ns8_config}
 
 
 try:

api/migration/read

@@ -110,10 +110,10 @@ def get_account_provider_info():
         except:
             pass
 
-        # The VPN address (wg0) is not eligible for the DC migration if
+        # The VPN address (ns8) is not eligible for the DC migration if
         # file server migration is enabled:
         if get_samba_info() and get_migration_status("nethserver-samba") != "skipped":
-            ip_addresses = list(filter(lambda el: el["label"] != "wg0", ip_addresses))
+            ip_addresses = list(filter(lambda el: el["label"] != "ns8", ip_addresses))
 
     return {
         "id": "account-provider",
@@ -240,13 +240,7 @@ def check_user_domains():
     bash_command = "/usr/sbin/ns8-action cluster list-user-domains"
     process = subprocess.Popen(bash_command.split(), stdout=subprocess.PIPE)
     output, error = process.communicate()
-    try:
-        obj = simplejson.loads(output)
-    except:
-        # can't access remote domain info, something is wrong
-        return False
-
-
+    obj = simplejson.loads(output)
     if local_config["IsLocal"]:
         # is source account provider is internal, NS8 must not contain the same provider
         for domain in obj['data']['output']['domains']:

createlinks

@@ -46,13 +46,12 @@ event_services($event, qw(
 $event = "nethserver-ns8-migration-save";
 
 event_templates($event, qw(
-    /etc/wireguard/wg0.conf
+    /etc/wireguard/ns8.conf
     /etc/httpd/conf.d/00ns8migration.conf
 ));
 
 event_services($event, qw(
-    wg-quick@wg0 restart
-    agent restart
+    wg-quick@ns8 restart
     httpd reload
 ));
 
@@ -63,5 +62,5 @@ event_services($event, qw(
 $event = "interface-update";
 
 event_services($event, qw(
-    wg-quick@wg0 try-restart
+    wg-quick@ns8 try-restart
 ));

nethserver-ns8-migration.spec

@@ -9,7 +9,6 @@ Source: %{name}-%{version}.tar.gz
 Source1: %{name}-cockpit.tar.gz
 
 %global debug_package %{nil} 
-Source2: agent
 
 BuildRequires: nethserver-devtools
 Requires: wireguard-tools, kmod-wireguard
@@ -37,7 +36,6 @@ mkdir -p %{buildroot}/usr/libexec/nethserver/api/%{name}/
 tar xvf %{SOURCE1} -C %{buildroot}/usr/share/cockpit/%{name}/
 cp -a %{name}.json %{buildroot}/usr/share/cockpit/nethserver/applications/
 cp -a api/* %{buildroot}/usr/libexec/nethserver/api/%{name}/
-install -D -m 0755 %{SOURCE2} %{buildroot}/%{_bindir}/agent
 
 %{genfilelist} %{buildroot} --file /etc/sudoers.d/50_nsapi_nethserver_ns8_migration 'attr(0440,root,root)' > e-smith-%{version}-filelist
 

prep-sources

@@ -6,31 +6,6 @@
 
 set -e
 
-# Download ns8-core
-rm -f main.tar.gz
-wget https://github.com/NethServer/ns8-core/archive/refs/heads/main.tar.gz
-tar xvzf main.tar.gz
-
-# Reuse existing gobuilder-core container, to speed up builds
-if ! buildah containers --format "{{.ContainerName}}" | grep -q gobuilder-core; then
-    echo "Pulling Golang runtime..."
-    golang_cache_path="${PWD}/.golang-cache"
-    mkdir -vp "${golang_cache_path}/{mcache,bcache}"
-    buildah from --name gobuilder-tmp docker.io/library/golang:1.18-alpine
-    buildah run gobuilder-tmp apk add g++ gcc
-    buildah config --env GOCACHE=/var/lib/misc/bcache --env GOMODCACHE=/var/lib/misc/mcache gobuilder-tmp
-    buildah commit --rm gobuilder-tmp gobuilder-image
-    buildah from --name gobuilder-core \
-        -v "${golang_cache_path}:/var/lib/misc:z" \
-        -v "${PWD}/ns8-core-main/core:/usr/src/core:z" \
-        localhost/gobuilder-image
-fi
-
-# Build the agent
-buildah run gobuilder-core sh -c "cd /usr/src/core/agent && CGO_ENABLED=0 go build -v ."
-# Copy out the binary
-buildah run gobuilder-core sh -c "cd /usr/src/core/agent; cat agent" > agent
-
 # Build UI
 NODE_OPTIONS="--openssl-legacy-provider"
 export NODE_OPTIONS

root/etc/e-smith/events/actions/nethserver-ns8-migration-conf

@@ -20,11 +20,7 @@
 # along with NethServer.  If not, see COPYING.
 #
 
-priv=$(/sbin/e-smith/config getprop wg-quick@wg0 SecretKey)
-
-if [ -z "$priv" ]; then
-    priv=$(wg genkey | tee /etc/wireguard/private.key)
-    /sbin/e-smith/config setprop wg-quick@wg0 SecretKey "$priv"
+if [[ ! -f /var/lib/nethserver/secrets/ns8wg ]]; then
+    # Generate a secret key for this host
+    ( umask 077 ; wg genkey > /var/lib/nethserver/secrets/ns8wg )
 fi
-echo "$priv" | wg pubkey > /etc/wireguard/public.key
-chmod 0600 /etc/wireguard/private.key /etc/wireguard/public.key

root/etc/e-smith/templates/etc/shorewall/interfaces/50wireguard

@@ -1,4 +1,4 @@
 #
 # wireguard VPN
 #
-loc    wg+    optional
+loc    ns8    optional

root/etc/e-smith/templates/etc/wireguard/ns8.conf/10base

@@ -0,0 +1,11 @@
+{
+    use NethServer::Password;
+    '';
+}[Interface]
+Address = {${'wg-quick@ns8'}{'Address'}}
+PrivateKey = {NethServer::Password::store('ns8wg')}
+
+[Peer]
+PublicKey = {${'wg-quick@ns8'}{'RemoteKey'}}
+AllowedIPs = {${'wg-quick@ns8'}{'RemoteNetwork'}}
+Endpoint = {${'wg-quick@ns8'}{'RemoteEndpoint'}}

root/etc/e-smith/templates/var/lib/machines/nsdc/etc/systemd/network/green.network/20wg_route

@@ -1,7 +1,7 @@
 {
     use esmith::NetworksDB;
     my $ndb = esmith::NetworksDB->open();
-    my $network = ${'wg-quick@wg0'}{'RemoteNetwork'} || '';
+    my $network = ${'wg-quick@ns8'}{'RemoteNetwork'} || '';
     my $bridge = $nsdc{'bridge'} || die ("[ERROR] There is no network bridge for NethServer domain controller");
     my $gateway = $ndb->get_prop($bridge, 'ipaddr') || '';
 

root/usr/sbin/ns8-join

@@ -109,10 +109,29 @@ account_provider_json = subprocess.check_output(['/usr/sbin/account-provider-tes
 account_provider_config = json.loads(account_provider_json)
 
 # Prepare arguments for add-node
-priv_key = subprocess.check_output(['/sbin/e-smith/config', 'getprop', 'wg-quick@wg0', 'SecretKey']).decode('ASCII').rstrip()
+priv_key = subprocess.check_output(['cat', '/var/lib/nethserver/secrets/ns8wg']).decode('ASCII').rstrip()
 pub_key = subprocess.check_output(['wg', 'pubkey'], input=priv_key.encode('ASCII')).decode('ASCII').rstrip()
 node_pw = str(uuid.uuid4())
 node_pwh = hashlib.sha256(node_pw.encode('ASCII')).hexdigest()
+
+#
+# Ensure we never joined this cluster. If a node with the same public key
+# exists, remove it:
+#
+ret_cstatus = call(api_endpoint, "get-cluster-status", payload['token'], {}, args.tlsverify)
+if not ret_cstatus['code'] == 200:
+    print("Request get-cluster-status has failed: {}".format(ret_cstatus), file=sys.stderr)
+    sys.exit(3)
+
+if not ret_cstatus['data']['exit_code'] == 0:
+    print("Task get-cluster-status has failed: {}".format(ret_cstatus['data']), file=sys.stderr)
+    sys.exit(3)
+
+for onode in ret_cstatus['data']['output']['nodes']:
+    if onode['vpn']['public_key'] == pub_key:
+        # Remove the old node with our public key
+        call(api_endpoint, "remove-node", payload['token'], {"node_id", onode['id']}, args.tlsverify)
+
 data = {
     "node_pwh": node_pwh,
     "public_key": pub_key,
@@ -133,8 +152,7 @@ if not ret['data']['exit_code'] == 0:
 ret = ret['data']['output']
 
 # Save config inside config db
-subprocess.run(["/sbin/e-smith/config", "setprop", "wg-quick@wg0", "Address", ret["ip_address"], "RemoteEndpoint", ret["leader_endpoint"], "RemoteKey", ret["leader_public_key"], "RemoteNetwork", ret['network'], "status", "enabled"], check=True)
-subprocess.run(["/sbin/e-smith/config", "setprop", "agent", "status", "enabled"], check=True)
+subprocess.run(["/sbin/e-smith/config", "setprop", "wg-quick@ns8", "Address", ret["ip_address"], "RemoteEndpoint", ret["leader_endpoint"], "RemoteKey", ret["leader_public_key"], "RemoteNetwork", ret['network'], "status", "enabled"], check=True)
 subprocess.run(["/sbin/e-smith/config", "setprop", "ns8", "Host", args.host, "User", args.username, "Password", args.password, "TLSVerify", "enabled" if args.tlsverify else "disabled", "LeaderIpAddress", ret['leader_ip_address']], check=True)
 
 # Save agent environment
@@ -147,7 +165,7 @@ with open('/var/lib/nethserver/nethserver-ns8-migration/agent.env', 'w') as fp:
 with open('/var/lib/nethserver/nethserver-ns8-migration/environment', 'w') as fp:
     fp.write(f"NODE_ID={ret['node_id']}\n")
 
-# Start the VPN on device wg0
+# Start the VPN on device ns8
 subprocess.run(['/sbin/e-smith/signal-event', '-j', 'nethserver-ns8-migration-save'], check=True)
 
 # Endpoint switch: pass through the VPN
@@ -189,6 +207,7 @@ if account_provider_config['isAD'] == '1':
             "tls": True,
             "tls_verify": False,
         }
+        call(api_endpoint, "remove-external-domain", payload['token'], {"domain": account_provider_domain}, False)
         add_external_domain_response = call(api_endpoint, "add-external-domain", payload['token'], add_external_domain_request, False)
         if add_external_domain_response['data']['exit_code'] != 0:
             print("Task add_external_domain has failed:", add_external_domain_response, file=sys.stderr)
@@ -211,6 +230,7 @@ elif account_provider_config['isLdap'] == '1' and '127.0.0.1' in account_provide
         "tls": True,
         "tls_verify": False,
     }
+    call(api_endpoint, "remove-external-domain", payload['token'], {"domain": account_provider_domain}, False)
     add_external_domain_response = call(api_endpoint, "add-external-domain", payload['token'], add_external_domain_request, False)
     if add_external_domain_response['data']['exit_code'] != 0:
         print("Task add_external_domain has failed:", add_external_domain_response, file=sys.stderr)

root/usr/sbin/ns8-leave

@@ -32,8 +32,7 @@ fi
 
 # reset DB props
 /sbin/e-smith/config setprop ns8 Host "" User "" Password "" TLSVerify enabled LeaderIpAddress ""
-/sbin/e-smith/config setprop agent status disabled
-/sbin/e-smith/config setprop wg-quick@wg0 status disabled Address "" RemoteEndpoint "" RemoteKey "" RemoteNetwork ""
+/sbin/e-smith/config setprop wg-quick@ns8 status disabled Address "" RemoteEndpoint "" RemoteKey "" RemoteNetwork ""
 
 # reset nsdc routes
 if [ -f /var/lib/machines/nsdc/etc/systemd/network/green.network ]; then

ui/src/views/Dashboard.vue

@@ -1132,6 +1132,7 @@ export default {
     },
     connectionLogout() {
       this.loading.connectionUpdate = true;
+      this.error.connectionUpdate = "";
 
       nethserver.notifications.success = this.$i18n.t(
         "dashboard.logout_successful"
@@ -1179,9 +1180,8 @@ export default {
       );
     },
     connectionReadSuccess(output) {
-      const agentStatus = output.configuration.agent.props.status;
-      this.config.isConnected = agentStatus == "enabled";
       const ns8Config = output.configuration.ns8.props;
+      this.config.isConnected = ns8Config.Host != "";
       this.config.leaderNode = ns8Config.Host;
       this.config.adminUsername = ns8Config.User;
       this.config.adminPassword = ns8Config.Password;
@@ -1202,6 +1202,7 @@ export default {
       this.error.adminPassword = "";
       this.error.leaderNode = "";
       this.loading.connectionUpdate = true;
+      this.error.connectionUpdate = "";
 
       var validateObj = {
         action: "login",