fix: add --service and --service-status-file flags for running th…

…e script as service and healthcheck based on status file created by the service respectively. `--container` flag is deprecated but left as an alias in both cases to preserve backward compatibility.
tprasadtp · Apr 19, 2024 · 3e17350 · 3e17350
1 parent a4c30d9
commit 3e17350
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 79 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -34,4 +34,4 @@ RUN ln -s /usr/bin/protonwire /usr/bin/protonvpn
 
 ENTRYPOINT [ "/usr/bin/protonwire" ]
 
-CMD [ "connect", "--container" ]
+CMD [ "connect", "--service" ]
diff --git a/README.md b/README.md
@@ -131,60 +131,14 @@ flag is **ALSO** specified.
 
 <!--diana::dynamic:protonwire-help:begin-->
 <pre>
-
-ProtonVPN WireGuard Client
-
-Usage: protonwire [OPTIONS...]
-or: protonwire [OPTIONS...] c|connect [SERVER]
-or: protonwire [OPTIONS...] d|disconnect
-or: protonwire [OPTIONS...] check
-or: protonwire [OPTIONS...] disable-killswitch
-or: protonwire [OPTIONS...] server-info [SERVER]
-
-Options:
-  -k, --private-key FILE|KEY    Wireguard private key or
-                                file containing private key
-      --container               Run as container
-      --metadata-url URL        Server metadata endpoint URL
-      --check-interval INT      IP check interval in seconds (default 60)
-      --check-url URL           IP check endpoint URL
-      --skip-dns-config         Skip configuring DNS.
-                                (Useful for Kubernetes and Consul)
-      --kill-switch             Enable killswitch (Experimental)
-      --p2p                     Verify if specified server supports P2P
-      --streaming               Verify if specified server supports streaming
-      --tor                     Verify if specified server supports Tor
-      --secure-core             Verify if specified server supports secure core
-  -q, --quiet                   Show only errors
-  -v, --verbose                 Show debug logs
-  -h, --help                    Display this help and exit
-      --version                 Display version and exit
-
-Examples:
-  protonwire connect nl-1       Connect to server nl-1
-  protonwire d --kill-switch    Disconnect from current server and disable kill-switch
-  protonwire verify [SERVER]    Check if connected to a server
-
-Files:
-  /etc/protonwire/private-key   WireGuard private key
-
-Environment:
-  WIREGUARD_PRIVATE_KEY         WireGuard private key or file
-  PROTONVPN_SERVER              ProtonVPN server
-  IPCHECK_INTERVAL              Custom IP check interval in seconds (default 60)
-  IPCHECK_URL                   IP check endpoint URL (must be https://)
-  SKIP_DNS_CONFIG               Set to '1' to skip configuring DNS
-  KILL_SWITCH                   Set to '1' to enable killswitch (Experimental)
-  DEBUG                         Set to '1' to enable debug logs
-</pre>
 <!--diana::dynamic:protonwire-help:end-->
 
 ## Health-checks
 
 - Script supports `healthcheck` sub-command. By default, when running as a service,
 script will keep checking every `IPCHECK_INTERVAL` _(default=60)_ seconds using the
 `IPCHECK_URL` api endpoint. To disable healthchecks entirely set `IPCHECK_INTERVAL` to `0`
-- Use `protonwire healthcheck --silent --container` as the `HEALTHCHECK` command.
+- Use `protonwire healthcheck --silent --service` as the `HEALTHCHECK` command.
 Same can be used as liveness probe and readiness probe for Kubernetes.
 
 ## Docker Compose
@@ -289,10 +243,10 @@ This section covers running containers via podman. But for deployments use
         --sysctl=net.ipv6.conf.all.disable_ipv6=1 \
         --publish=8000:8000 \
         --health-start-period=20s \
-        --health-cmd="protonwire check --container --silent" \
+        --health-cmd="protonwire check --service --silent" \
         --health-interval=120s \
         --health-on-failure=stop \
-        ghcr.io/tprasadtp/protonwire:7
+        ghcr.io/tprasadtp/protonwire:latest
     ```
 
 - Create app(s) sharing network namespace with `protonwire` container. As an example,
@@ -374,6 +328,22 @@ For example, we can run caddy to proxy `https://ip.me/` via VPN. Visiting http:/
 
 See [Troubleshooting][] and [FAQ][]
 
+## SLSA Provenance
+
+<div align="center">
+
+[![slsa-badge-level3][slsa-badge-level3]][slsa-level3]
+
+</div>
+
+All _artifacts_ provided by this repository meet [SLSA L3][slsa-level3].
+See [docs](./docs/slsa.md) for more info.
+
+## Cosign Images
+
+All artifacts provided by this repository are signed using [cosign].
+See [docs](./docs/cosign.md) for more info.
+
 ## Building
 
 Building requires [`task`](https://taskfile.dev/installation/),
@@ -400,4 +370,7 @@ Building requires [`task`](https://taskfile.dev/installation/),
 [Troubleshooting]: ./docs/help.md
 [FAQ]: ./docs/faq.md
 [slsa-verify-docs]: ./docs/slsa.md
+[slsa-badge-level3]: ./docs/images/slsa-level3-logo.svg
+[slsa-level3]: https://slsa.dev/spec/v1.0/levels#build-l3
+
 [slsa-badge]: https://img.shields.io/badge/SLSA-level%203-39AC60?labelColor=3a3a3a&logoColor=959da5&logo=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAA4AAAAOCAMAAAAolt3jAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAABMlBMVEXvMQDvMADwMQDwMADwMADvMADvMADwMADwMQDvMQDvMQDwMADwMADvMADwMADwMADwMQDvMQDvMQDwMQDvMQDwMQDwMADwMADwMQDwMADwMADvMADvMQDvMQDwMADwMQDwMADvMQDwMADwMQDwMADwMADwMADwMADwMADwMADvMQDvMQDwMADwMQDwMADvMQDvMQDwMADvMQDvMQDwMADwMQDwMQDwMQDvMQDwMADvMADwMADwMQDvMQDwMADwMQDwMQDwMQDwMQDvMQDvMQDvMADwMADvMADvMADvMADwMQDwMQDvMADvMQDvMQDvMADvMADvMQDwMQDvMQDvMADvMADvMADvMQDwMQDvMQDvMQDvMADvMADwMADvMQDvMQDvMQDvMADwMADwMQDwMAAAAAA/HoSwAAAAY3RSTlMpsvneQlQrU/LQSWzvM5DzmzeF9Pi+N6vvrk9HuP3asTaPgkVFmO3rUrMjqvL6d0LLTVjI/PuMQNSGOWa/6YU8zNuDLihJ0e6aMGzl8s2IT7b6lIFkRj1mtvQ0eJW95rG0+Sid59x/AAAAAWJLR0Rltd2InwAAAAlwSFlzAAAOwwAADsMBx2+oZAAAAAd0SU1FB+YHGg0tGLrTaD4AAACqSURBVAjXY2BgZEqGAGYWVjYGdg4oj5OLm4eRgZcvBcThFxAUEk4WYRAVE09OlpCUkpaRTU6WY0iWV1BUUlZRVQMqUddgSE7W1NLS1gFp0NXTB3KTDQyNjE2Sk03NzC1A3GR1SytrG1s7e4dkBogtjk7OLq5uyTCuu4enl3cyhOvj66fvHxAIEmYICg4JDQuPiAQrEmGIio6JjZOFOjSegSHBBMpOToxPAgCJfDZC/m2KHgAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMi0wNy0yNlQxMzo0NToyNCswMDowMC8AywoAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjItMDctMjZUMTM6NDU6MjQrMDA6MDBeXXO2AAAAGXRFWHRTb2Z0d2FyZQB3d3cuaW5rc2NhcGUub3Jnm+48GgAAAABJRU5ErkJggg==
diff --git a/docs/faq.md b/docs/faq.md
@@ -195,31 +195,22 @@ your pod are using the VPN. Do note that `.cluster` domains like `<service>.<nam
 
 Port forwarding is not supported directly, but the image includes tools required to setup via custom
 script(`socat` and `natpmpc` etc). It is being tracked via [#125](https://github.com/tprasadtp/protonvpn-docker/issues/125). It might be necessary to write your `service` loop which keeps port forwarding updated. Following commands can be used to setup VPN connection and check it regularly.
-Do note that script will still take into consideration `IPCHECK_INTERVAL` for healthchecks, so keep
-your custom script compatible with it.
 
 - Connect to VPN server with kill-switch.
 
     ```bash
     protonwire connect --ks
     ```
 
-- Verify that connection is active. **DO NOT** use `--container` flag, as it
+- Verify that connection is active. **DO NOT** use `--service` flag, as it
 depends on protonwire running in the background.
 
     ```bash
     protonwire verify
     ```
 
-- Setup your port forwarding using `natpmpc` and write mapped port to a shared volume.
-
-- In a loop verify the connection and keep refreshing port forwarding.
-
-    ```bash
-    protonwire verify || exit 1
-    natpmpc <args as required> || exit 1
-    ```
-
+- Setup your port forwarding using `natpmpc` and write mapped port to a shared volume
+- In a loop verify the connection and keep refreshing port forwarding at regular intervals.
 - To disconnect, run
 
     ```bash

diff --git a/docs/slsa.md b/docs/slsa.md
@@ -30,11 +30,6 @@ All _artifacts_ provided by this repository meet [SLSA L3][slsa-level3].
         ghcr.io/tprasadtp/protonwire@<IMAGE_DIGEST>
     ```
 
-## SLSA provenance for metadata
-
-Generating slsa provenance for metadata is tricky without leaking all the server names.
-As slsa L3 workflows need to save intermediate artifacts which contain server names.
-
 [cosign]: https://docs.sigstore.dev/system_config/installation/
 [slsa-verifier]: https://github.com/slsa-framework/slsa-verifier
 [slsa-badge-level3]: ./images/slsa-level3-logo.svg

diff --git a/protonwire b/protonwire
@@ -2410,7 +2410,10 @@ or: protonwire [OPTIONS...] server-info [SERVER]
 Options:
   -k, --private-key FILE|KEY    Wireguard private key or
                                 file containing private key
-      --container               Run as container
+      --service                 Run as service
+      --service-status-file     Use status file created by --service
+                                for healthchecks. Only valid when both process
+                                are running within the same container.
       --metadata-url URL        Server metadata endpoint URL
       --check-interval INT      IP check interval in seconds (default 60)
       --check-url URL           IP check endpoint URL
@@ -2449,10 +2452,10 @@ function main() {
     declare -i log_lvl_v_lock=0
     declare -i log_lvl_q_lock=0
     declare -i cmd_lock=0
-    declare -i looper_lock=0
     local color_mode="auto"
     local cmd_mode="HELP"
-    local container_flag="false"
+    local looper_flag="false"
+    local healthcheck_service_status_file="false"
 
     if __is_bool_true "${DEBUG}"; then
         LOG_LVL="0"
@@ -2463,7 +2466,7 @@ function main() {
         -h | --help | help)
             cmd_mode="HELP"
             ;;
-        --version|version)
+        --version | version)
             cmd_mode="VERSION"
             ;;
         --verbose | --debug | -v)
@@ -2525,9 +2528,13 @@ function main() {
             shift
             __PROTONWIRE_FEATURE_COUNTRY="$1"
             ;;
-        --container)
-            ((++looper_lock))
-            container_flag="true"
+        # --container flag is deprecated, but is left here for
+        # CLI compatibility reasons.
+        --container | --service)
+            looper_flag="true"
+            ;;
+        --service-status-file)
+            healthcheck_service_status_file="true"
             ;;
         connect | c)
             ((++cmd_lock))
@@ -2541,7 +2548,7 @@ function main() {
             cmd_mode="HEALTHCHECK"
             ((++cmd_lock))
             ;;
-        lookup | server-info | server-lookup)
+        lookup | server-info | server-lookup | lookup-server)
             cmd_mode="SERVER_LOOKUP"
             ((++cmd_lock))
             ;;
@@ -2605,11 +2612,16 @@ function main() {
         fi
     fi
 
-    if [[ $cmd_mode == "HEALTHCHECK" ]] && [[ $container_flag == "true" ]]; then
-        cmd_mode="HEALTHCHECK_CONTAINER"
+    if [[ $cmd_mode == "HEALTHCHECK" ]]; then
+        if [[ $looper_flag == "true" ]]; then
+            cmd_mode="HEALTHCHECK_SERVICE_STATUS_FILE"
+        fi
+        if [[ $healthcheck_service_status_file == "true" ]]; then
+            cmd_mode="HEALTHCHECK_SERVICE_STATUS_FILE"
+        fi
     fi
 
-    if [[ $cmd_mode == "CONNECT" ]] && [[ $container_flag == "true" ]]; then
+    if [[ $cmd_mode == "CONNECT" ]] && [[ $looper_flag == "true" ]]; then
         cmd_mode="LOOPER"
     fi
 
@@ -2659,7 +2671,7 @@ function main() {
         protonvpn_verify_cmd
         exit $?
         ;;
-    HEALTHCHECK_CONTAINER)
+    HEALTHCHECK_SERVICE_STATUS_FILE)
         protonvpn_healthcheck_status_file
         exit $?
         ;;