Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(gui-client/linux): use the same systemd service file in CI as in production #4832

Merged
merged 3 commits into from
May 1, 2024
Merged

refactor(gui-client/linux): use the same systemd service file in CI as in production #4832

merged 3 commits into from
May 1, 2024

Conversation

ReactorScram
Copy link
Collaborator

@ReactorScram ReactorScram commented Apr 30, 2024
edited
Loading

This will keep the files from going out of sync.

This PR also checks that the IPC service creates the IPC socket with root:firezone as the owner and group, when running under systemd.

@ReactorScram ReactorScram added area/ci Changes to the CI pipeline / Github Actions kind/refactor Code refactoring area/rust_gui_client The Windows and Linux Rust GUI clients labels Apr 30, 2024
@ReactorScram ReactorScram added this to the 05/24 milestone Apr 30, 2024
@ReactorScram ReactorScram self-assigned this Apr 30, 2024
@vercel Vercel
Copy link

vercel bot commented Apr 30, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment
Name Status Preview Comments Updated (UTC)
firezone ⬜️ Ignored (Inspect) Visit Preview Apr 30, 2024 5:09pm

@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 30, 2024
edited
Loading

Terraform Cloud Plan Output

Plan: 15 to add, 15 to change, 15 to destroy.

Terraform Cloud Plan

@ReactorScram ReactorScram mentioned this pull request Apr 30, 2024
Merged
@github-actions GitHub Actions
Copy link

Performance Test Results

TCP

Test Name Received/s Sent/s Retransmits
direct-tcp-client2server 238.0 MiB (-2%) 240.1 MiB (-2%) 134 (-50%)
direct-tcp-server2client 244.0 MiB (+2%) 245.9 MiB (+2%) 434 (+46%)
relayed-tcp-client2server 224.4 MiB (-2%) 225.5 MiB (-2%) 241 (-9%)
relayed-tcp-server2client 237.7 MiB (-0%) 238.4 MiB (-0%) 465 (+38%)

UDP

Test Name Total/s Jitter Lost
direct-udp-client2server 500.0 MiB (-0%) 0.21ms (+469%) 40.33% (-4%)
direct-udp-server2client 500.0 MiB (-0%) 0.01ms (-2%) 23.69% (+6%)
relayed-udp-client2server 500.0 MiB (+0%) 0.03ms (+35%) 55.86% (+0%)
relayed-udp-server2client 500.0 MiB (+0%) 0.02ms (-18%) 42.94% (+4%)

ReactorScram
ReactorScram commented Apr 30, 2024
View reviewed changes
rust/gui-client/src-tauri/firezone-client-ipc.service
@@ -38,6 +38,7 @@ UMask=077
Environment="FIREZONE_DNS_CONTROL=systemd-resolved"
Environment="LOG_DIR=/var/log/dev.firezone.client"
Environment="RUST_LOG=info"
EnvironmentFile="/etc/default/firezone-client-ipc"
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ID and token could actually go in this type of file for the headless Clients, if we end up setting them up as deb packages and put the systemd service file in /usr/lib

@ReactorScram ReactorScram marked this pull request as ready for review April 30, 2024 17:28
jamilbk
jamilbk approved these changes May 1, 2024
View reviewed changes
Copy link
Member

@jamilbk jamilbk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Can't remember if you checked already, but maybe there's a capability we can set that will avoid running as root?

https://man7.org/linux/man-pages/man7/capabilities.7.html

@ReactorScram ReactorScram added this pull request to the merge queue May 1, 2024
Merged via the queue into main with commit be4053f May 1, 2024
134 checks passed
@ReactorScram ReactorScram deleted the chore/use-prod-systemd-file branch May 1, 2024 14:49
@ReactorScram
Copy link
Collaborator Author

ReactorScram commented May 1, 2024
edited
Loading

Here's what I checked:

  • Capabilities, NETADMIN doesn't do DNS and no other cap mentions "DNS", "domain", "name", or "resolve"
  • Adding a user to the group systemd-network or systemd-resolve doesn't work, even if I reboot

These others remain:

  • I could run connlib in the GUI and only use the IPC service to set DNS. This isn't a strict improvement but it's different.
  • See if there's some kind of d-bus policy I could set or something

github-merge-queue bot pushed a commit that referenced this pull request May 1, 2024
@ReactorScram
chore(linux-client): make headless client / IPC service logs group-re…
438469f 
…adable (#4825)

```[tasklist]
# Before merging
- [x] Add CI test to check that the Unix domain socket is owned by `root:firezone` (#4832 will do this)
```

This allows the GUI (running as a normal user who belongs to the
`firezone` group) to read back the connlib logs and export them in the
zip file.

<img width="716" alt="image"
src="https://github.com/firezone/firezone/assets/13400041/59cb7cc5-fd6a-4b27-a311-1b9c56b7b23e">
@ReactorScram
Copy link
Collaborator Author

It kinda looks like normal users already have permission to send requests to the resolve service, it just refuses anything destructive if you're not root. If I knew more about d-bus this might make sense to me but unfortunately it doesn't

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jamilbk jamilbk jamilbk approved these changes

Assignees

@ReactorScram ReactorScram

Labels
area/ci Changes to the CI pipeline / Github Actions area/rust_gui_client The Windows and Linux Rust GUI clients kind/refactor Code refactoring
Projects
None yet
Milestone
06/24
Development

Successfully merging this pull request may close these issues.
2 participants
@ReactorScram @jamilbk