
chore(gateway): Handle edge cases where gateway binary couldn't be downloaded #4783

Merged
merged 1 commit into from
Apr 25, 2024

Conversation

jamilbk (Member) commented Apr 25, 2024

Increases robustness of the systemd gateway upgrade mechanism.

vercel bot commented Apr 25, 2024

1 Ignored Deployment

| Name | Status | Updated (UTC) |
|---|---|---|
| firezone | Ignored | Apr 25, 2024 5:34am |

@github-actions github-actions bot added the kind/chore Issues related to repository cleanup or maintenance label Apr 25, 2024
Terraform Cloud Plan Output

Plan: 15 to add, 14 to change, 15 to destroy.

jamilbk (Member, Author) commented Apr 25, 2024

Instructions for users with existing systemd-installed Gateways

If you installed a systemd-based Gateway prior to Apr 24, 2024, 4:42 PM UTC, you'll need to update the /usr/local/bin/firezone-gateway-init script that handles Gateway upgrades.

NOTE: If you installed a Docker-based Gateway, there is nothing you need to do.

Copy and paste the following commands to do so:

```sh
# Create ExecStartPre script
cat <<EOF | sudo tee /usr/local/bin/firezone-gateway-init
#!/bin/sh

set -ue

# Download latest version of the gateway if it doesn't already exist
if [ ! -e /usr/local/bin/firezone-gateway ]; then
  echo "/usr/local/bin/firezone-gateway not found. Downloading latest version..."
  arch=\$(uname -m)

  # See https://www.github.com/firezone/firezone/releases for available binaries
  curl -fsSL https://www.firezone.dev/dl/firezone-gateway/latest/\$arch -o /tmp/firezone-gateway

  if file /tmp/firezone-gateway | grep -q "executable"; then
    mv /tmp/firezone-gateway /usr/local/bin/firezone-gateway
  else
    echo "/tmp/firezone-gateway is not an executable!"
    echo "Ensure 'https://www.firezone.dev/dl/firezone-gateway/latest/\$arch' is accessible from this machine,"
    echo "or download binary manually and install to /usr/local/bin/firezone-gateway."
    exit 1
  fi
else
  echo "/usr/local/bin/firezone-gateway found. Skipping download."
fi

# Set proper capabilities and permissions on each start
chgrp firezone /usr/local/bin/firezone-gateway
chmod 0750 /usr/local/bin/firezone-gateway
setcap 'cap_net_admin+eip' /usr/local/bin/firezone-gateway
mkdir -p /var/lib/firezone
chown firezone:firezone /var/lib/firezone
chmod 0775 /var/lib/firezone

# Enable masquerading for ethernet and wireless interfaces
iptables -C FORWARD -i tun-firezone -j ACCEPT > /dev/null 2>&1 || iptables -A FORWARD -i tun-firezone -j ACCEPT
iptables -C FORWARD -o tun-firezone -j ACCEPT > /dev/null 2>&1 || iptables -A FORWARD -o tun-firezone -j ACCEPT
iptables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || iptables -t nat -A POSTROUTING -o e+ -j MASQUERADE
iptables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || iptables -t nat -A POSTROUTING -o w+ -j MASQUERADE
ip6tables -C FORWARD -i tun-firezone -j ACCEPT > /dev/null 2>&1 || ip6tables -A FORWARD -i tun-firezone -j ACCEPT
ip6tables -C FORWARD -o tun-firezone -j ACCEPT > /dev/null 2>&1 || ip6tables -A FORWARD -o tun-firezone -j ACCEPT
ip6tables -t nat -C POSTROUTING -o e+ -j MASQUERADE > /dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -o e+ -j MASQUERADE
ip6tables -t nat -C POSTROUTING -o w+ -j MASQUERADE > /dev/null 2>&1 || ip6tables -t nat -A POSTROUTING -o w+ -j MASQUERADE

# Enable packet forwarding
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.src_valid_mark=1
sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv6.conf.default.forwarding=1
EOF

# Make ExecStartPre script executable
sudo chmod +x /usr/local/bin/firezone-gateway-init
```

Performing Gateway upgrades

The upgrade process for Gateways has not changed. See our docs for how to do this for both Docker and systemd-based Gateways.
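As an added example (not code from the PR or the Firezone project), here is a stricter variant of the "is the download really an executable" check that the init script above performs before installing the binary. It tests the ELF magic bytes instead of grepping `file` output (which also matches shell scripts and requires `file` to be installed), optionally verifies a SHA-256 digest that is assumed to be published out of band (the PR provides none), and installs atomically with the 0750 mode the script later enforces. It assumes GNU coreutils (`sha256sum`, `od`, `head -c`).

```shell
#!/bin/sh
# Added example: validate a downloaded gateway binary before installing it.
# Not part of the Firezone init script; digest publication is an assumption.

# is_elf FILE -> 0 if FILE is non-empty and starts with 0x7f 'E' 'L' 'F'
is_elf() {
  [ -s "$1" ] || return 1
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# verify_sha256 FILE HEXDIGEST -> 0 if the file's SHA-256 equals HEXDIGEST
verify_sha256() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# install_gateway SRC DEST [HEXDIGEST]
# Refuses non-ELF input (e.g. an HTML error page saved by curl) and, when a
# digest is given, any content that does not match it. DEST is replaced
# atomically via rename so a half-written binary is never left at DEST.
install_gateway() {
  src=$1; dest=$2; expected=${3:-}
  if ! is_elf "$src"; then
    echo "$src is not an ELF executable; refusing to install" >&2
    return 1
  fi
  if [ -n "$expected" ] && ! verify_sha256 "$src" "$expected"; then
    echo "$src does not match expected SHA-256; refusing to install" >&2
    return 1
  fi
  tmp="$dest.tmp.$$"
  cp "$src" "$tmp" && chmod 0750 "$tmp" && mv "$tmp" "$dest"
}
```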

Performance Test Results

TCP

| Test Name | Received/s | Sent/s | Retransmits |
|---|---|---|---|
| direct-tcp-client2server | 242.8 MiB (-2%) | 244.5 MiB (-2%) | 184 (-54%) |
| direct-tcp-server2client | 240.8 MiB (-2%) | 242.2 MiB (-2%) | 399 (-26%) |
| relayed-tcp-client2server | 222.2 MiB (-1%) | 223.2 MiB (-1%) | 261 (-2%) |
| relayed-tcp-server2client | 240.4 MiB (+1%) | 240.9 MiB (+1%) | 385 (-15%) |

UDP

| Test Name | Total/s | Jitter | Lost |
|---|---|---|---|
| direct-udp-client2server | 50.0 MiB (+0%) | 0.02ms (-94%) | 0.00% (NaN%) |
| direct-udp-server2client | 50.0 MiB (-0%) | 0.02ms (+81%) | 0.00% (NaN%) |
| relayed-udp-client2server | 50.0 MiB (-0%) | 0.10ms (+99%) | 0.00% (NaN%) |
| relayed-udp-server2client | 50.0 MiB (+0%) | 0.01ms (-27%) | 0.00% (NaN%) |

@jamilbk jamilbk merged commit 4471a42 into main Apr 25, 2024
134 checks passed
@jamilbk jamilbk deleted the fix/gateway-init branch April 25, 2024 06:04