add boringtun to docker file

liqotech · Dec 21, 2020 · 08db765 · 08db765
1 parent 2d61692
commit 08db765
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 8 deletions.
diff --git a/build/liqonet/Dockerfile b/build/liqonet/Dockerfile
@@ -1,4 +1,11 @@
-FROM golang:1.14-alpine as builder
+FROM ekidd/rust-musl-builder as rustBuilder
+WORKDIR /home/rust/src
+RUN git clone https://github.com/cloudflare/boringtun.git
+WORKDIR boringtun
+RUN rustup target add x86_64-unknown-linux-musl
+RUN cargo build --bin boringtun --release
+
+FROM golang:1.14-alpine AS goBuilder
 ENV PATH /go/bin:/usr/local/go/bin:$PATH
 ENV GOPATH /go
 RUN apk update && apk add git make
@@ -12,6 +19,7 @@ RUN make install
 
 FROM alpine
 RUN apk update && apk add iptables bash wireguard-tools tcpdump
-COPY --from=builder /usr/bin/liqonet /usr/bin/liqonet
-COPY --from=builder /usr/bin/wireguard-go /usr/bin/wireguard-go
+COPY --from=goBuilder /usr/bin/liqonet /usr/bin/liqonet
+COPY --from=goBuilder /usr/bin/wireguard-go /usr/bin/wireguard-go
+COPY --from=rustBuilder /home/rust/src/boringtun/target/x86_64-unknown-linux-musl/release/boringtun /usr/bin/boringtun
 ENTRYPOINT [ "/usr/bin/liqonet" ]
diff --git a/deployments/liqo/subcharts/tunnelEndpointCreator/templates/tunnelEndpointCreator.yaml b/deployments/liqo/subcharts/tunnelEndpointCreator/templates/tunnelEndpointCreator.yaml
@@ -147,9 +147,17 @@ spec:
         - image: {{ .Values.image.repository }}{{ .Values.global.suffix | default .Values.suffix }}:{{ .Values.global.version | default .Values.version }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           name: tunnelendpointcreator-operator
+          securityContext:
+            privileged: true
+            capabilities:
+              add:
+                - NET_ADMIN
           command: ["/usr/bin/liqonet"]
           args:
             - "-run-as=tunnelEndpointCreator-operator"
+          volumeMounts:
+          - mountPath: /dev/net/tun
+            name: dev-net-tun
           resources:
             limits:
               cpu: 20m
@@ -158,4 +166,8 @@ spec:
               cpu: 20m
               memory: 50M
       restartPolicy: Always
+      volumes:
+      - name: dev-net-tun
+        hostPath:
+          path: /dev/net/tun
 status: {}
diff --git a/internal/liqonet/route-operator/serviceWatcher.go b/internal/liqonet/route-operator/serviceWatcher.go
@@ -57,6 +57,7 @@ func (r *RouteController) serviceHandlerAdd(obj interface{}) {
 		klog.Infof("overlay public key has not been set yep in service %s", s.Name)
 		return
 	}
+	//check if the peer has been configured
 	err = r.wg.AddPeer(pubKey, endpointIP, endpointPort, []string{"0.0.0.0/0"}, &keepalive)
 	if err != nil {
 		klog.Error(err)

diff --git a/pkg/liqonet/tunnel/wireguard/driver.go b/pkg/liqonet/tunnel/wireguard/driver.go
@@ -154,6 +154,15 @@ func (w *wireguard) ConnectToEndpoint(tep *netv1alpha1.TunnelEndpoint) (*netv1al
 			return oldCon, nil
 		}
 		klog.Infof("updating peer configuration for cluster %s", tep.Spec.ClusterID)
+		err = w.client.ConfigureDevice(deviceName, wgtypes.Config{
+			ReplacePeers: false,
+			Peers: []wgtypes.PeerConfig{{PublicKey: *remoteKey,
+				Remove: true,
+			}},
+		})
+		if err != nil {
+			return newConnectionOnError(err.Error()), fmt.Errorf("failed to configure peer with clusterID %s: %v", tep.Spec.ClusterID, err)
+		}
 	} else {
 		klog.Infof("Connecting cluster %s endpoint %s with publicKey %s",
 			tep.Spec.ClusterID, endpoint.IP.String(), remoteKey)
@@ -185,6 +194,7 @@ func (w *wireguard) ConnectToEndpoint(tep *netv1alpha1.TunnelEndpoint) (*netv1al
 		PeerConfiguration: map[string]string{ListeningPort: strconv.Itoa(endpoint.Port), EndpointIP: endpoint.IP.String(),
 			AllowedIPs: allowedIPs.String(), PublicKey: remoteKey.String()},
 	}
+	w.connections[tep.Spec.ClusterID] = c
 	klog.Infof("Done connecting cluster peer %s@%s", tep.Spec.ClusterID, endpoint.String())
 	return c, nil
 }
@@ -262,7 +272,7 @@ func (w *wireguard) setWGLink() error {
 	}
 	if err == unix.EOPNOTSUPP {
 		klog.Warningf("wireguard kernel module not present, falling back to the userspace implementation")
-		cmd := exec.Command("/usr/bin/wireguard-go", deviceName)
+		cmd := exec.Command("/usr/bin/boringtun", deviceName, "--disable-drop-privileges", "true")
 		var stdout, stderr bytes.Buffer
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr

diff --git a/pkg/liqonet/wireguard/wireguard.go b/pkg/liqonet/wireguard/wireguard.go
@@ -3,21 +3,21 @@ package wireguard
 import (
 	"bytes"
 	"fmt"
+	"github.com/liqotech/liqo/internal/utils/errdefs"
 	"github.com/vishvananda/netlink"
 	"golang.org/x/sys/unix"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"k8s.io/klog/v2"
 	"net"
 	"os/exec"
+	"reflect"
 	"strconv"
 	"time"
 )
 
 const (
 	wgLinkType = "wireguard"
-	PublicKey  = "publicKey"  // PublicKey is the key of publicKey entry in back-end map and also for the secret containing the wireguard keys
-	PrivateKey = "privateKey" // PrivateKey is the key of private for the secret containing the wireguard keys
 )
 
 type WgConfig struct {
@@ -98,6 +98,25 @@ func (w *Wireguard) AddPeer(pubkey, endpointIP, listeningPort string, allowedIPs
 		}
 		IPs = append(IPs, *s)
 	}
+	//check if the peer exists
+	oldPeer, err := w.getPeer(pubkey)
+	if err != nil && !errdefs.IsNotFound(err) {
+		return err
+	}
+	if !errdefs.IsNotFound(err) {
+		if epIP.String() != oldPeer.Endpoint.IP.String() || int(port) != oldPeer.Endpoint.Port || reflect.DeepEqual(IPs, oldPeer.AllowedIPs) {
+			err = w.client.ConfigureDevice(w.GetDeviceName(), wgtypes.Config{
+				ReplacePeers: false,
+				Peers: []wgtypes.PeerConfig{{PublicKey: key,
+					Remove: true,
+				}},
+			})
+			if err != nil {
+				return err
+			}
+		}
+	}
+
 	err = w.client.ConfigureDevice(w.GetDeviceName(), wgtypes.Config{
 		ReplacePeers: false,
 		Peers: []wgtypes.PeerConfig{{
@@ -163,7 +182,7 @@ func (w *Wireguard) getPeer(pubKey string) (wgtypes.Peer, error) {
 			return p, nil
 		}
 	}
-	return peer, fmt.Errorf("peer with public key '%s' not found for wireguard device '%s'", pubKey, w.GetDeviceName())
+	return peer, errdefs.NotFoundf("peer with public key '%s' not found for wireguard device '%s'", pubKey, w.GetDeviceName())
 }
 
 // get name of the wireguard device
@@ -203,7 +222,7 @@ func (w *Wireguard) setWGLink(deviceName string) error {
 	}
 	if err == unix.EOPNOTSUPP {
 		klog.Warningf("wireguard kernel module not present, falling back to the userspace implementation")
-		cmd := exec.Command("/usr/bin/wireguard-go", deviceName)
+		cmd := exec.Command("/usr/bin/boringtun", deviceName, "--disable-drop-privileges", "true")
 		var stdout, stderr bytes.Buffer
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr