v0.21.0

@github-actions github-actions released this 22 Mar 18:39
· 253 commits to refs/heads/main since this release
4753d7e

Changes

Run with reduced privileges when started by systemd @scareything (#614)

This is essentially @tomc797's recent PR, slightly massaged so that the socket files don't require root/wheel access (if a 'ziti' group exists), and also support the older redhat distros we still build on.

The rpm and debian packages now create a non-administrative 'ziti' user and group, and the systemd unit for the ziti-edge-tunnel service uses this user to run the ziti-edge-tunnel process. The process is granted CAP_NET_ADMIN capability so that it can create the tun device and manipulate routes. PolicyKit is also configured to permit the 'ziti' user to configure link DNS.

When running on Linux and Darwin, ziti-edge-tunnel looks for a local 'ziti' group. If found, the process's effective group is changed to 'ziti', so all files and directories it creates have group 'ziti'.

Breaking Changes

The location of the IPC sockets that ziti-edge-tunnel creates has changed from "/tmp" to "/tmp/.ziti" when running on Linux and Darwin. Furthermore, the /tmp/.ziti directory must be owned by the 'ziti' group and have 0750 permissions or else the IPC servers will not be started. Processes that use the IPC sockets must be started by users that are members of the 'ziti' group.

You can create a 'ziti' group if you're starting ziti-edge-tunnel as root and you wish to use the IPC sockets from processes that are not owned by root:

Linux

$ sudo groupadd --system ziti

Users can then be added to the ziti group with:

$ sudo usermod --append --groups ziti <USER>

Darwin

% sudo dseditgroup -o create ziti

Users can then be added to the ziti group with:

% sudo dscl . -append /groups/ziti GroupMembership <USER>
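The release notes above state the preconditions for the IPC socket directory (group 'ziti', mode 0750) but give no way to confirm them before starting the service. The following POSIX shell script is an added example, not part of ziti-edge-tunnel or the original release notes: it creates the directory with the required ownership and mode, then verifies it the way an operator would before starting the service. The function names (dir_mode, dir_group, check_ipc_dir, prepare_ipc_dir) are this example's own; the path /tmp/.ziti, the group name 'ziti' and the 0750 requirement come from the release notes.

```shell
#!/bin/sh
# Pre-flight check for the ziti-edge-tunnel IPC socket directory.
# Per the release notes, /tmp/.ziti must be group-owned by 'ziti' with
# mode 0750, or the IPC servers will not be started.
# All function names below are this example's own, not the project's.

# Print the permission bits of a path in octal (e.g. 750).
# GNU stat (-c) is tried first; BSD/Darwin stat (-f) is the fallback.
dir_mode() {
    if stat -c '%a' "$1" 2>/dev/null; then
        return 0
    fi
    stat -f '%Lp' "$1"
}

# Print the group name that owns a path (GNU first, then BSD/Darwin).
dir_group() {
    if stat -c '%G' "$1" 2>/dev/null; then
        return 0
    fi
    stat -f '%Sg' "$1"
}

# check_ipc_dir DIR GROUP
# Returns 0 only if DIR exists, is owned by GROUP and has mode 0750.
# Every mismatch is reported on stderr so an operator sees all problems at once.
check_ipc_dir() {
    _dir=$1
    _grp=$2
    if [ ! -d "$_dir" ]; then
        echo "check: $_dir does not exist" >&2
        return 1
    fi
    _mode=$(dir_mode "$_dir")
    _group=$(dir_group "$_dir")
    _rc=0
    if [ "$_group" != "$_grp" ]; then
        echo "check: $_dir is owned by group '$_group', expected '$_grp'" >&2
        _rc=1
    fi
    if [ "$_mode" != "750" ]; then
        echo "check: $_dir has mode $_mode, expected 750" >&2
        _rc=1
    fi
    return $_rc
}

# prepare_ipc_dir DIR GROUP
# Create DIR if needed, give it to GROUP, set mode 0750, then re-verify.
# Mode is set with an explicit chmod rather than relying on the caller's umask.
prepare_ipc_dir() {
    _dir=$1
    _grp=$2
    mkdir -p "$_dir" || return 1
    chgrp "$_grp" "$_dir" || return 1
    chmod 0750 "$_dir" || return 1
    check_ipc_dir "$_dir" "$_grp"
}

# Typical use as root on a host where the 'ziti' group already exists:
#   prepare_ipc_dir /tmp/.ziti ziti && echo "IPC directory ready"
```

Run the check as the same user that will start ziti-edge-tunnel; a passing check_ipc_dir does not by itself prove that user can reach the sockets, since clients still need membership in the 'ziti' group as described above.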

get c sdk 0.31.5 @scareything (#619)

Improves logging in the bridge code and potentially avoids a file descriptor leak.