Skip to content

Latest commit

 

History

History
61 lines (39 loc) · 2.93 KB

README.md

File metadata and controls

61 lines (39 loc) · 2.93 KB
Raw

Nebula Snap package

This is an atempt at creating a snap package for the Nebula overlay networking tool.

Current state:

  • Nebula binary is running in strict confinement. For this to work you will have to provide:
    • config.yaml in /var/snap/nebula/common/config
    • ca.crt in /var/snap/nebula/common/certs
    • nebula-node.crt and nebula-node.key in /var/snap/nebula/common/certs
  • CA creation and certificate signing is working. However, the name of the produced certs are hardcoded to:
    • ca.crt
    • ca.key
    • nebula-node.crt
    • nebula-node.key
  • Since created certs are placed in /var/snap/nebula/common/certs the cert-functionality needs sudo permissions. Not optimal perhaps, but necessary.

To bypass the above restrictions the snap can be installed with --devmode, thereby circumventing the sandboxing in place:

sudo snap install --devmode nebula

Usage

Starting Nebula

After placing a config.yaml in /var/snap/nebula/common/config you can either start Nebula manually or use the provided daemon

See here for instructions on the config file. Also, the Nebula github page is a good resource. An example config.yaml can be found there.

Start manually:

sudo nebula

You can NOT provide a location for the config.yaml file. It is hardcoded to /var/snap/nebula/common/config

⚠️ There seems to be an issue with the daemon after a reboot if the address to the lighthouse is stated as a domain name (e g lighthouse.example.com). The daemon is supposed to be started automatically on boot and it gets started. However, Nebula does not get a connection to the lighthouse. A manual restart of the daemon fixes this: sudo snap restart nebula.daemon This problem does not, however, occur if the ip of the lighthouse is put into the config file. (See here)

This issue should be fixed in the next release, 1.7.0, as a result of the merged commit here. For now, you can add an IP address in place of a domain, or restart the nebula daemon on boot/reboot.

Once the configuration is proven, start the snap proper: sudo snap start nebula

To check if the daemon started as expected: sudo snap logs nebula

or using systemd:s logging facilities: sudo journalctl -r -u snap.nebula.daemon.service

Certificate creation

Generate a Certificate Authority:

sudo nebula.cert-ca -name <ORGANIZATION_NAME>

This will generate ca.crt and ca.key Again, paths are hardcoded to /var/snap/nebula/common/certs so NOT possible to change this at the moment.

Generate node certificates and sign them with the above created CA key:

sudo nebula.cert-sign -name <CLIENT_NAME> -ip <CLIENT_IP_ADDRESS>

This will generate nebula-node.crt and nebula-node.key placed in /var/snap/nebula/common/certs