refactor(linux-client): remove FIREZONE_ID from example systemd file #4714
a873d23
c8e90f7
a009581
7d2a535
6ca33e9
754075c
c346aeb
ef3fbe1
dad9c16
f514b51
51b5c0d
196701f
5c9d765
3637af5
6cdb884
f6a4fb4
c336aaf
6c1a455
@@ -24,13 +24,6 @@ use tokio_util::codec::LengthDelimitedCodec; | |
const ROOT_GROUP: u32 = 0; | ||
const ROOT_USER: u32 = 0; | ||
|
||
/// The path for our Unix Domain Socket | ||
/// | ||
/// Docker keeps theirs in `/run` and also appears to use filesystem permissions | ||
/// for security, so we're following their lead. `/run` and `/var/run` are symlinked | ||
/// on some systems, `/run` should be the newer version. | ||
const SOCK_PATH: &str = "/run/firezone-client.sock"; | ||
|
||
pub fn default_token_path() -> PathBuf { | ||
PathBuf::from("/etc") | ||
.join(connlib_shared::BUNDLE_ID) | ||
|
@@ -299,13 +292,27 @@ fn parse_resolvectl_output(s: &str) -> Vec<IpAddr> { | |
.collect() | ||
} | ||
|
||
/// The path for our Unix Domain Socket | ||
/// | ||
/// Docker keeps theirs in `/run` and also appears to use filesystem permissions | ||
/// for security, so we're following their lead. `/run` and `/var/run` are symlinked | ||
/// on some systems, `/run` should be the newer version. | ||
/// | ||
/// Also systemd can create this dir with the `RuntimeDir=` directive which is nice. | ||
fn sock_path() -> PathBuf { | ||
PathBuf::from("/run") | ||
.join(connlib_shared::BUNDLE_ID) | ||
.join("ipc.sock") | ||
} | ||
|
||
fn run_debug_ipc_client(_cli: Cli) -> Result<()> { | ||
let rt = tokio::runtime::Runtime::new()?; | ||
rt.block_on(async { | ||
tracing::info!(pid = std::process::id(), "run_debug_ipc_client"); | ||
let stream = UnixStream::connect(SOCK_PATH) | ||
let sock_path = sock_path(); | ||
let stream = UnixStream::connect(&sock_path) | ||
.await | ||
.with_context(|| format!("couldn't connect to UDS at {SOCK_PATH}"))?; | ||
.with_context(|| format!("couldn't connect to UDS at {}", sock_path.display()))?; | ||
let mut stream = IpcStream::new(stream, LengthDelimitedCodec::new()); | ||
|
||
stream.send(serde_json::to_string("Hello")?.into()).await?; | ||
|
@@ -328,9 +335,10 @@ async fn ipc_listen() -> Result<()> { | |
.gid; | ||
|
||
// Remove the socket if a previous run left it there | ||
tokio::fs::remove_file(SOCK_PATH).await.ok(); | ||
let listener = UnixListener::bind(SOCK_PATH).context("Couldn't bind UDS")?; | ||
std::os::unix::fs::chown(SOCK_PATH, Some(ROOT_USER), Some(fz_gid.into())) | ||
let sock_path = sock_path(); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I know some services use this as a guard against accidentally launching the service twice. Should we just bail out if we find an existing sock file here and ask the user to remove it instead? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Maybe. If we can have systemd create it for us that would be cool, then it can also clean it up. I made an issue to look into it soon |
||
tokio::fs::remove_file(&sock_path).await.ok(); | ||
let listener = UnixListener::bind(&sock_path).context("Couldn't bind UDS")?; | ||
std::os::unix::fs::chown(&sock_path, Some(ROOT_USER), Some(fz_gid.into())) | ||
.context("can't set firezone as the group for the UDS")?; | ||
sd_notify::notify(true, &[sd_notify::NotifyState::Ready])?; | ||
|
||
|
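Review bot: The socket is bound at line 101 before its group is changed at line 102, and nothing in this hunk sets the socket's mode, so whether the `firezone` group can actually connect depends entirely on the process umask at bind time. Under the unit file's `UMask=077`, if this listener runs there, the socket would be created 0700 root:root and the chown alone would not grant the group write access; under a looser umask the socket is briefly reachable by every local user between bind and chown. After the chown, set the mode explicitly, e.g. `std::fs::set_permissions(&sock_path, std::fs::Permissions::from_mode(0o660)).context("can't set UDS permissions")?;` (needs `use std::os::unix::fs::PermissionsExt;`), and consider binding inside a parent directory that is already restricted to root and the `firezone` group so the bind-to-chown window carries no exposure. `ipc_listen` starts before this hunk, so a chmod placed earlier in the function would be outside the visible lines.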
@@ -0,0 +1,47 @@ | ||
[Unit] | ||
Description=Firezone Client | ||
|
||
[Service] | ||
AmbientCapabilities=CAP_NET_ADMIN | ||
CapabilityBoundingSet=CAP_NET_ADMIN | ||
DeviceAllow=/dev/net/tun | ||
LockPersonality=true | ||
MemoryDenyWriteExecute=true | ||
NoNewPrivileges=true | ||
PrivateMounts=true | ||
PrivateTmp=true | ||
# We need to be real root, not just root in our cgroup | ||
PrivateUsers=false | ||
ProcSubset=pid | ||
ProtectClock=true | ||
ProtectControlGroups=true | ||
ProtectHome=true | ||
ProtectHostname=true | ||
ProtectKernelLogs=true | ||
ProtectKernelModules=true | ||
ProtectKernelTunables=true | ||
# Docs say it's useless when running as root, but defense-in-depth | ||
ProtectProc=invisible | ||
ProtectSystem=strict | ||
# Netlink needed for the tunnel interface, Unix needed for `systemd-resolved` | ||
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX | ||
RestrictNamespaces=true | ||
RestrictRealtime=true | ||
RestrictSUIDSGID=true | ||
StateDirectory=dev.firezone.client | ||
SystemCallArchitectures=native | ||
# TODO: Minimize | ||
SystemCallFilter=@aio @basic-io @file-system @io-event @network-io @signal @system-service | ||
UMask=077 | ||
|
||
Environment="FIREZONE_API_URL=ws://localhost:8081" | ||
Environment="FIREZONE_DNS_CONTROL=systemd-resolved" | ||
Environment="RUST_LOG=info" | ||
|
||
ExecStart=firezone-linux-client standalone | ||
Type=notify | ||
# Unfortunately we may need root to control DNS | ||
User=root | ||
|
||
[Install] | ||
WantedBy=default.target |
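Review bot: `ProtectSystem=strict` (line 136) leaves the whole filesystem read-only apart from `/dev`, `/proc` and `/sys`, and the only writable directory this unit provisions is `StateDirectory=dev.firezone.client` (line 142), which lives under `/var/lib`; nothing here creates or unlocks `/run/dev.firezone.client`, which is where the new `sock_path()` in the Rust change places the IPC socket (assuming `BUNDLE_ID` is the same `dev.firezone.client`). If the `standalone` subcommand started by `ExecStart=` runs that listener, the bind would fail on a missing or read-only directory. Adding `RuntimeDirectory=dev.firezone.client` next to `StateDirectory=` would have systemd create `/run/dev.firezone.client` writable and remove it on stop, and `RuntimeDirectoryMode=` lets that directory be tightened so that only the owner and the group meant to reach the socket can traverse it; this is also the `RuntimeDir=` idea the Rust doc comment refers to. The `# TODO: Minimize` above `SystemCallFilter=` is worth tracking, since with `User=root` and `CAP_NET_ADMIN` the syscall filter carries much of this sandbox's value.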
I ran into #4461 while working on this PR and this diff closes it