-
Notifications
You must be signed in to change notification settings - Fork 268
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(linux-client): generate firezone-id (device ID) automatically if it's not provided at launch #3920
Conversation
…ed when it's not there already
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Ignored Deployment
|
Terraform Cloud Plan Output
|
Performance Test ResultsTCP
UDP
|
@@ -113,7 +113,6 @@ services: | |||
FIREZONE_TOKEN: "n.SFMyNTY.g2gDaANtAAAAJGM4OWJjYzhjLTkzOTItNGRhZS1hNDBkLTg4OGFlZjZkMjhlMG0AAAAkN2RhN2QxY2QtMTExYy00NGE3LWI1YWMtNDAyN2I5ZDIzMGU1bQAAACtBaUl5XzZwQmstV0xlUkFQenprQ0ZYTnFJWktXQnMyRGR3XzJ2Z0lRdkZnbgYAGUmu74wBYgABUYA.UN3vSLLcAMkHeEh5VHumPOutkuue8JA6wlxM9JxJEPE" | |||
RUST_LOG: firezone_linux_client=trace,wire=trace,connlib_client_shared=trace,firezone_tunnel=trace,connlib_shared=trace,boringtun=debug,snownet=debug,str0m=debug,info | |||
FIREZONE_API_URL: ws://api:8081 | |||
FIREZONE_ID: D0455FDE-8F65-4960-A778-B934E4E85A5F |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove FIREZONE_ID
from docker-compose to prove that the change works.
@@ -1,7 +1,7 @@ | |||
use tokio::fs; | |||
use std::fs; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gave up on tokio::fs
for this since the Linux CLI client doesn't have a Tokio runtime. I personally like async FS operations but it's not a big deal, especially since it's only used at startup.
@@ -9,6 +9,7 @@ pub mod control; | |||
pub mod error; | |||
pub mod messages; | |||
|
|||
pub mod device_id; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This module moved upstream to connlib_shared
so that the Linux CLI, Linux GUI, and Windows GUI can all share it.
@@ -19,10 +19,16 @@ fn main() -> Result<()> { | |||
handle, | |||
}; | |||
|
|||
// AKA "Device ID", not the Firezone slug |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just in case I forget again
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
…one into feat/generate-firezone-id
@@ -54,6 +54,7 @@ pub(crate) fn setup(log_filter: &str) -> Result<Handles, Error> { | |||
); | |||
} | |||
LogTracer::init()?; | |||
tracing::debug!(?log_path, "Log path"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Used to debug CI. Switching between sudo and non-sudo makes the logs show up in different places, and it's easier just to double-check in stderr on a dev system with a terminal.
@@ -110,7 +110,8 @@ pub(crate) async fn save(settings: &AdvancedSettings) -> Result<()> { | |||
.parent() | |||
.context("settings path should have a parent")?; | |||
tokio::fs::create_dir_all(dir).await?; | |||
tokio::fs::write(path, serde_json::to_string(settings)?).await?; | |||
tokio::fs::write(&path, serde_json::to_string(settings)?).await?; | |||
tracing::debug!(?path, "Saved settings"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Used for CI debugging
Makes sense. This will be needed in #3713 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work! I'll leave the approval to @conectado for the Rust bits.
/// Only properly implemented on Linux and Windows (platforms with Tauri and headless client) | ||
pub mod device_id; | ||
|
||
// Must be compiled on Mac so the Mac runner can do `version-check` on `linux-client` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm I can refactor that if it continues to be a nuissance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't remember what I needed it for, but I did just stub out the Tauri client for macOS in #3977 so I can do some of the checks locally without waiting on CI. So that might go in soon.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could rename linux-client
to cli-client
too so it's not weird to say that a Mac might compile the "Linux" client even if headless Mac clients are not supported for production.
This would allow me to fix compile / check / fmt errors from macOS CI runners locally, e.g. #3920 (comment) It can't sign in or start connlib, but it shows the GUI ![image](https://github.com/firezone/firezone/assets/13400041/5307b66e-9874-4fe5-a6a6-43082dd6e385) --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> Co-authored-by: User <user@Users-MacBook-Pro.local> Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Taking this back to drafts since Jamil reminded me that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, just left a couple of comments
// Try to read it from the disk | ||
if let Some(j) = fs::read_to_string(&path) | ||
.ok() | ||
.and_then(|s| serde_json::from_str::<DeviceIdJson>(&s).ok()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any point on using DeviceIdJson
it seems that we only read and write the id we could just use a plain string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking in case we ever need to add other fields or version it for any reason. I can change it to a string but I'll have to delete the ID file on my dev systems and ask any beta customers who have used it to do the same, or the whole JSON object will be the ID. (Which the portal can probably handle, it'll just look odd)
Or I could stick a schema version in advanced_settings and then it can do the migration automatically (If there's no version stored, rewrite firezone-id, if there is a version, leave it alone) but then it's not atomic since it's two files.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
JSON is probably fine, we use it already for log storage.
Not sure how the other settings are stored, but you could even stick it in there theoretically if we want to persist settings across installs
@@ -28,7 +29,7 @@ resolv-conf = "0.7.0" | |||
serde = { version = "1.0", default-features = false, features = ["derive", "std"] } | |||
serde_json = { version = "1.0", default-features = false, features = ["std"] } | |||
thiserror = { version = "1.0", default-features = false } | |||
tokio = { version = "1.36", default-features = false, features = ["rt", "rt-multi-thread"]} | |||
tokio = { version = "1.36", default-features = false, features = ["fs", "rt", "rt-multi-thread"]} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't part of the change but I noticed it when running Cargo clippy, I guess the dependency solver had been adding fs
to Tokio but this crate wasn't asking for it directly.
Is there a way to find these problems automatically?
// Must use `eprintln` here because `tracing` won't be initialized yet. | ||
|
||
let user = std::env::var("USER").context("USER env var should be set")?; | ||
if user != "root" { | ||
eprintln!("Firezone must run with root permissions to set up DNS. Re-run it with `sudo --preserve-env`"); | ||
return Ok(false); | ||
} | ||
let home = std::env::var("HOME").context("HOME env var should be set")?; | ||
if home == "/root" { | ||
eprintln!("If Firezone is run with `$HOME == /root`, deep links will not work. Re-run it with `sudo --preserve-env`"); | ||
// If we don't bail out here, this message will probably never be read. | ||
return Ok(false); | ||
} | ||
Ok(true) | ||
} | ||
|
||
pub(crate) fn elevate() -> Result<()> { | ||
todo!() | ||
anyhow::bail!("Firezone does not self-elevate on Linux."); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added all this stuff as part of debugging, when trying to get sudo
working just right in CI. It's not directly related to firezone-id but it should go into main eventually.
Closes #3961 No tests yet, might be tricky to test since it's all I/O. I cued it off the device ID being generated, so it will have a minor merge conflict with #3920 ```[tasklist] ### Before merging - [ ] UI polish, or disable the welcome screen temporarily ``` <img width="664" alt="image" src="https://github.com/firezone/firezone/assets/13400041/d5def59c-b075-4135-91e5-85f9f9212fa5"> --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com>
Closes #3815
Changes that are breaking (but these aren't in production so it should be okay)
device_id.json
tofirezone-id.json
to match the rest of the code/var/lib
instead of under$HOME
sudo --preserve-env
by detecting$HOME == root
or$USER != root