Mirrors
/
nebula
mirror of https://github.com/slackhq/nebula.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nebula/main.go

412 lines
13 KiB
Go
Raw Normal View History

Public Release
2019-11-19 10:00:20 -07:00
package nebula
import (
"encoding/binary"
"fmt"
"net"
"strconv"
"strings"
"time"
enforce the use of goimports (#248) * enforce the use of goimports Instead of enforcing `gofmt`, enforce `goimports`, which also asserts a separate section for non-builtin packages. * run `goimports` everywhere * exclude generated .pb.go files
2020-06-30 16:53:30 -06:00
"github.com/sirupsen/logrus"
"github.com/slackhq/nebula/sshd"
"gopkg.in/yaml.v2"
Public Release
2019-11-19 10:00:20 -07:00
)
Be more like a library to support mobile (#247)
2020-06-30 12:48:58 -06:00
// The caller should provide a real logger, we have one just in case
Public Release
2019-11-19 10:00:20 -07:00
var l = logrus.New()
type m map[string]interface{}
More like a library (#279)
2020-09-18 08:20:09 -06:00
func Main(config *Config, configTest bool, buildVersion string, logger *logrus.Logger, tunFd *int) (*Control, error) {
Be more like a library to support mobile (#247)
2020-06-30 12:48:58 -06:00
l = logger
Public Release
2019-11-19 10:00:20 -07:00
l.Formatter = &logrus.TextFormatter{
FullTimestamp: true,
}
// Print the config if in test, the exit comes later
if configTest {
b, err := yaml.Marshal(config.Settings)
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, err
Public Release
2019-11-19 10:00:20 -07:00
}
Be more like a library to support mobile (#247)
2020-06-30 12:48:58 -06:00
// Print the final config
Public Release
2019-11-19 10:00:20 -07:00
l.Println(string(b))
}
Be more like a library to support mobile (#247)
2020-06-30 12:48:58 -06:00
err := configLogger(config)
Public Release
2019-11-19 10:00:20 -07:00
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Failed to configure the logger", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
config.RegisterReloadCallback(func(c *Config) {
err := configLogger(c)
if err != nil {
l.WithError(err).Error("Failed to configure the logger")
}
})
// trustedCAs is currently a global, so loadCA operates on that global directly
trustedCAs, err = loadCAFromConfig(config)
if err != nil {
//The errors coming out of loadCA are already nicely formatted
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Failed to load ca from config", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
l.WithField("fingerprints", trustedCAs.GetFingerprints()).Debug("Trusted CA fingerprints")
cs, err := NewCertStateFromConfig(config)
if err != nil {
//The errors coming out of NewCertStateFromConfig are already nicely formatted
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Failed to load certificate from config", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
l.WithField("cert", cs.certificate).Debug("Client nebula certificate")
fw, err := NewFirewallFromConfig(cs.certificate, config)
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Error while loading firewall rules", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
l.WithField("firewallHash", fw.GetRuleHash()).Info("Firewall started")
// TODO: make sure mask is 4 bytes
tunCidr := cs.certificate.Details.Ips[0]
routes, err := parseRoutes(config, tunCidr)
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Could not parse tun.routes", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
don't steal error
2019-12-12 10:31:22 -07:00
unsafeRoutes, err := parseUnsafeRoutes(config, tunCidr)
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Could not parse tun.unsafe_routes", nil, err)
don't steal error
2019-12-12 10:31:22 -07:00
}
Public Release
2019-11-19 10:00:20 -07:00
ssh, err := sshd.NewSSHServer(l.WithField("subsystem", "sshd"))
wireSSHReload(ssh, config)
if config.GetBool("sshd.enabled", false) {
err = configSSH(ssh, config)
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Error while configuring the sshd", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// All non system modifying configuration consumption should live above this line
// tun config, listeners, anything modifying the computer should be below
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
var routines int
// If `routines` is set, use that and ignore the specific values
if routines = config.GetInt("routines", 0); routines != 0 {
if routines < 1 {
routines = 1
}
if routines > 1 {
l.WithField("routines", routines).Info("Using multiple routines")
}
} else {
// deprecated and undocumented
tunQueues := config.GetInt("tun.routines", 1)
udpQueues := config.GetInt("listen.routines", 1)
if tunQueues > udpQueues {
routines = tunQueues
} else {
routines = udpQueues
}
if routines != 1 {
l.WithField("routines", routines).Warn("Setting tun.routines and listen.routines is deprecated. Use `routines` instead")
}
}
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user.
2020-08-10 07:15:55 -06:00
var tun Inside
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
if !configTest {
config.CatchHUP()
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user.
2020-08-10 07:15:55 -06:00
switch {
case config.GetBool("tun.disabled", false):
tun_disabled: reply to ICMP Echo Request (#342) This change allows a server running with `tun.disabled: true` (usually a lighthouse) to still reply to ICMP EchoRequest packets. This allows you to "ping" the lighthouse Nebula IP as a quick check to make sure the tunnel is up, even when running with tun.disabled. This is still gated by allowing `icmp` packets in the inbound firewall rules.
2021-03-01 09:09:41 -07:00
tun = newDisabledTun(tunCidr, config.GetInt("tun.tx_queue", 500), config.GetBool("stats.message_metrics", false), l)
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user.
2020-08-10 07:15:55 -06:00
case tunFd != nil:
Be more like a library to support mobile (#247)
2020-06-30 12:48:58 -06:00
tun, err = newTunFromFd(
*tunFd,
tunCidr,
config.GetInt("tun.mtu", DEFAULT_MTU),
routes,
unsafeRoutes,
config.GetInt("tun.tx_queue", 500),
)
Support startup without a tun device (#269) This commit adds support for Nebula to be started without creating a tun device. A node started in this mode still has a full "control plane", but no effective "data plane". Its use is suited to a lighthouse that has no need to partake in the mesh VPN. Consequently, creation of the tun device is the only reason nebula neesd to be started with elevated privileged, so this example lighthouse can also be run as a non-root user.
2020-08-10 07:15:55 -06:00
default:
Be more like a library to support mobile (#247)
2020-06-30 12:48:58 -06:00
tun, err = newTun(
config.GetString("tun.dev", ""),
tunCidr,
config.GetInt("tun.mtu", DEFAULT_MTU),
routes,
unsafeRoutes,
config.GetInt("tun.tx_queue", 500),
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
routines > 1,
Be more like a library to support mobile (#247)
2020-06-30 12:48:58 -06:00
)
}
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Failed to get a tun/tap device", nil, err)
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
}
Public Release
2019-11-19 10:00:20 -07:00
}
// set up our UDP listener
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
udpConns := make([]*udpConn, routines)
port := config.GetInt("listen.port", 0)
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
if !configTest {
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
for i := 0; i < routines; i++ {
udpServer, err := NewListener(config.GetString("listen.host", "0.0.0.0"), port, routines > 1)
if err != nil {
return nil, NewContextualError("Failed to open udp listener", m{"queue": i}, err)
}
udpServer.reloadConfig(config)
udpConns[i] = udpServer
// If port is dynamic, discover it
if port == 0 {
uPort, err := udpServer.LocalAddr()
if err != nil {
return nil, NewContextualError("Failed to get listening port", nil, err)
}
port = int(uPort.Port)
}
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
}
Public Release
2019-11-19 10:00:20 -07:00
}
// Set up my internal host map
var preferredRanges []*net.IPNet
rawPreferredRanges := config.GetStringSlice("preferred_ranges", []string{})
// First, check if 'preferred_ranges' is set and fallback to 'local_range'
if len(rawPreferredRanges) > 0 {
for _, rawPreferredRange := range rawPreferredRanges {
_, preferredRange, err := net.ParseCIDR(rawPreferredRange)
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Failed to parse preferred ranges", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
preferredRanges = append(preferredRanges, preferredRange)
}
}
// local_range was superseded by preferred_ranges. If it is still present,
// merge the local_range setting into preferred_ranges. We will probably
// deprecate local_range and remove in the future.
rawLocalRange := config.GetString("local_range", "")
if rawLocalRange != "" {
_, localRange, err := net.ParseCIDR(rawLocalRange)
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Failed to parse local_range", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
// Check if the entry for local_range was already specified in
// preferred_ranges. Don't put it into the slice twice if so.
var found bool
for _, r := range preferredRanges {
if r.String() == localRange.String() {
found = true
break
}
}
if !found {
preferredRanges = append(preferredRanges, localRange)
}
}
hostMap := NewHostMap("main", tunCidr, preferredRanges)
hostMap.SetDefaultRoute(ip2int(net.ParseIP(config.GetString("default_route", "0.0.0.0"))))
subnet support
2019-12-12 09:34:17 -07:00
hostMap.addUnsafeRoutes(&unsafeRoutes)
add meta packet statistics (#230) This change add more metrics around "meta" (non "message" type packets). For lighthouse packets, we also record statistics around the specific lighthouse meta type. We don't keep statistics for the "message" type so that we don't slow down the fast path (and you can just look at metrics on the tun interface to find that information).
2020-06-26 11:45:48 -06:00
hostMap.metricsEnabled = config.GetBool("stats.message_metrics", false)
subnet support
2019-12-12 09:34:17 -07:00
Public Release
2019-11-19 10:00:20 -07:00
l.WithField("network", hostMap.vpnCIDR).WithField("preferredRanges", hostMap.preferredRanges).Info("Main HostMap created")
/*
config.SetDefault("promoter.interval", 10)
go hostMap.Promoter(config.GetInt("promoter.interval"))
*/
add configurable punching delay because of race-condition-y conntracks (#210) * add configurable punching delay because of race-condition-y conntracks * add changelog * fix tests * only do one punch per query * Coalesce punchy config * It is not is not set * Add tests Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2020-03-27 12:26:39 -06:00
punchy := NewPunchyFromConfig(config)
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
if punchy.Punch && !configTest {
Public Release
2019-11-19 10:00:20 -07:00
l.Info("UDP hole punching enabled")
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
go hostMap.Punchy(udpConns[0])
Public Release
2019-11-19 10:00:20 -07:00
}
amLighthouse := config.GetBool("lighthouse.am_lighthouse", false)
Adds am_lighthouse warning msg (#43) * add warning message when am_lighthouse is enabled; update config templating
2019-11-24 10:32:08 -07:00
// warn if am_lighthouse is enabled but upstream lighthouses exists
Fail with a better error message if lh a hosts is unparsable
2019-12-09 17:53:56 -07:00
rawLighthouseHosts := config.GetStringSlice("lighthouse.hosts", []string{})
if amLighthouse && len(rawLighthouseHosts) != 0 {
Adds am_lighthouse warning msg (#43) * add warning message when am_lighthouse is enabled; update config templating
2019-11-24 10:32:08 -07:00
l.Warn("lighthouse.am_lighthouse enabled on node but upstream lighthouses exist in config")
}
Fail with a better error message if lh a hosts is unparsable
2019-12-09 17:53:56 -07:00
lighthouseHosts := make([]uint32, len(rawLighthouseHosts))
for i, host := range rawLighthouseHosts {
ip := net.ParseIP(host)
if ip == nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Unable to parse lighthouse host entry", m{"host": host, "entry": i + 1}, nil)
Fail with a better error message if lh a hosts is unparsable
2019-12-09 17:53:56 -07:00
}
validate lighthouses and static hosts are in our subnet (#170) Validate all lighthouse.hosts and static_host_map VPN IPs are in the subnet defined in our cert. Exit with a fatal error if they are not in our subnet, as this is an invalid configuration (we will not have the proper routes set up to communicate with these hosts). This error case could occur for the following invalid example: nebula-cert sign -name "lighthouse" -ip "10.0.1.1/24" nebula-cert sign -name "host" -ip "10.0.2.1/24" config.yaml: static_host_map: "10.0.1.1": ["lighthouse.local:4242"] lighthouse: hosts: - "10.0.1.1" We will now return a fatal error for this config, since `10.0.1.1` is not in the host cert's subnet of `10.0.2.1/24`
2020-01-20 13:52:55 -07:00
if !tunCidr.Contains(ip) {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("lighthouse host is not in our subnet, invalid", m{"vpnIp": ip, "network": tunCidr.String()}, nil)
validate lighthouses and static hosts are in our subnet (#170) Validate all lighthouse.hosts and static_host_map VPN IPs are in the subnet defined in our cert. Exit with a fatal error if they are not in our subnet, as this is an invalid configuration (we will not have the proper routes set up to communicate with these hosts). This error case could occur for the following invalid example: nebula-cert sign -name "lighthouse" -ip "10.0.1.1/24" nebula-cert sign -name "host" -ip "10.0.2.1/24" config.yaml: static_host_map: "10.0.1.1": ["lighthouse.local:4242"] lighthouse: hosts: - "10.0.1.1" We will now return a fatal error for this config, since `10.0.1.1` is not in the host cert's subnet of `10.0.2.1/24`
2020-01-20 13:52:55 -07:00
}
Fail with a better error message if lh a hosts is unparsable
2019-12-09 17:53:56 -07:00
lighthouseHosts[i] = ip2int(ip)
}
Public Release
2019-11-19 10:00:20 -07:00
lightHouse := NewLightHouse(
amLighthouse,
ip2int(tunCidr.IP),
Fail with a better error message if lh a hosts is unparsable
2019-12-09 17:53:56 -07:00
lighthouseHosts,
Public Release
2019-11-19 10:00:20 -07:00
//TODO: change to a duration
config.GetInt("lighthouse.interval", 10),
port,
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
udpConns[0],
add configurable punching delay because of race-condition-y conntracks (#210) * add configurable punching delay because of race-condition-y conntracks * add changelog * fix tests * only do one punch per query * Coalesce punchy config * It is not is not set * Add tests Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2020-03-27 12:26:39 -06:00
punchy.Respond,
punchy.Delay,
add meta packet statistics (#230) This change add more metrics around "meta" (non "message" type packets). For lighthouse packets, we also record statistics around the specific lighthouse meta type. We don't keep statistics for the "message" type so that we don't slow down the fast path (and you can just look at metrics on the tun interface to find that information).
2020-06-26 11:45:48 -06:00
config.GetBool("stats.lighthouse_metrics", false),
Public Release
2019-11-19 10:00:20 -07:00
)
fix config name for {remote,local}_allow_list (#219) This config option should be snake_case, not camelCase.
2020-04-08 14:20:12 -06:00
remoteAllowList, err := config.GetAllowList("lighthouse.remote_allow_list", false)
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true
2020-04-08 13:36:43 -06:00
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Invalid lighthouse.remote_allow_list", nil, err)
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true
2020-04-08 13:36:43 -06:00
}
lightHouse.SetRemoteAllowList(remoteAllowList)
fix config name for {remote,local}_allow_list (#219) This config option should be snake_case, not camelCase.
2020-04-08 14:20:12 -06:00
localAllowList, err := config.GetAllowList("lighthouse.local_allow_list", true)
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true
2020-04-08 13:36:43 -06:00
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Invalid lighthouse.local_allow_list", nil, err)
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true
2020-04-08 13:36:43 -06:00
}
lightHouse.SetLocalAllowList(localAllowList)
add tests and improve error
2019-11-23 16:55:23 -07:00
//TODO: Move all of this inside functions in lighthouse.go
Public Release
2019-11-19 10:00:20 -07:00
for k, v := range config.GetMap("static_host_map", map[interface{}]interface{}{}) {
vpnIp := net.ParseIP(fmt.Sprintf("%v", k))
validate lighthouses and static hosts are in our subnet (#170) Validate all lighthouse.hosts and static_host_map VPN IPs are in the subnet defined in our cert. Exit with a fatal error if they are not in our subnet, as this is an invalid configuration (we will not have the proper routes set up to communicate with these hosts). This error case could occur for the following invalid example: nebula-cert sign -name "lighthouse" -ip "10.0.1.1/24" nebula-cert sign -name "host" -ip "10.0.2.1/24" config.yaml: static_host_map: "10.0.1.1": ["lighthouse.local:4242"] lighthouse: hosts: - "10.0.1.1" We will now return a fatal error for this config, since `10.0.1.1` is not in the host cert's subnet of `10.0.2.1/24`
2020-01-20 13:52:55 -07:00
if !tunCidr.Contains(vpnIp) {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("static_host_map key is not in our subnet, invalid", m{"vpnIp": vpnIp, "network": tunCidr.String()}, nil)
validate lighthouses and static hosts are in our subnet (#170) Validate all lighthouse.hosts and static_host_map VPN IPs are in the subnet defined in our cert. Exit with a fatal error if they are not in our subnet, as this is an invalid configuration (we will not have the proper routes set up to communicate with these hosts). This error case could occur for the following invalid example: nebula-cert sign -name "lighthouse" -ip "10.0.1.1/24" nebula-cert sign -name "host" -ip "10.0.2.1/24" config.yaml: static_host_map: "10.0.1.1": ["lighthouse.local:4242"] lighthouse: hosts: - "10.0.1.1" We will now return a fatal error for this config, since `10.0.1.1` is not in the host cert's subnet of `10.0.2.1/24`
2020-01-20 13:52:55 -07:00
}
Public Release
2019-11-19 10:00:20 -07:00
vals, ok := v.([]interface{})
if ok {
for _, v := range vals {
parts := strings.Split(fmt.Sprintf("%v", v), ":")
addr, err := net.ResolveIPAddr("ip", parts[0])
if err == nil {
ip := addr.IP
port, err := strconv.Atoi(parts[1])
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Static host address could not be parsed", m{"vpnIp": vpnIp}, err)
Public Release
2019-11-19 10:00:20 -07:00
}
lightHouse.AddRemote(ip2int(vpnIp), NewUDPAddr(ip2int(ip), uint16(port)), true)
}
}
} else {
//TODO: make this all a helper
parts := strings.Split(fmt.Sprintf("%v", v), ":")
addr, err := net.ResolveIPAddr("ip", parts[0])
if err == nil {
ip := addr.IP
port, err := strconv.Atoi(parts[1])
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Static host address could not be parsed", m{"vpnIp": vpnIp}, err)
Public Release
2019-11-19 10:00:20 -07:00
}
lightHouse.AddRemote(ip2int(vpnIp), NewUDPAddr(ip2int(ip), uint16(port)), true)
}
}
}
add tests and improve error
2019-11-23 16:55:23 -07:00
err = lightHouse.ValidateLHStaticEntries()
add an error (non fatal) when a lighthouse host has no static entry
2019-11-23 14:46:45 -07:00
if err != nil {
add tests and improve error
2019-11-23 16:55:23 -07:00
l.WithError(err).Error("Lighthouse unreachable")
add an error (non fatal) when a lighthouse host has no static entry
2019-11-23 14:46:45 -07:00
}
add meta packet statistics (#230) This change add more metrics around "meta" (non "message" type packets). For lighthouse packets, we also record statistics around the specific lighthouse meta type. We don't keep statistics for the "message" type so that we don't slow down the fast path (and you can just look at metrics on the tun interface to find that information).
2020-06-26 11:45:48 -06:00
var messageMetrics *MessageMetrics
if config.GetBool("stats.message_metrics", false) {
messageMetrics = newMessageMetrics()
} else {
messageMetrics = newMessageMetricsOnlyRecvError()
}
add configuration options for HandshakeManager (#179) This change exposes the current constants we have defined for the handshake manager as configuration options. This will allow us to test and tweak with different intervals and wait rotations. # Handshake Manger Settings handshakes: # Total time to try a handshake = sequence of `try_interval * retries` # With 100ms interval and 20 retries it is 23.5 seconds try_interval: 100ms retries: 20 # wait_rotation is the number of handshake attempts to do before starting to try non-local IP addresses wait_rotation: 5
2020-02-21 14:25:11 -07:00
handshakeConfig := HandshakeConfig{
trigger handshakes when lighthouse reply arrives (#246) Currently, we wait until the next timer tick to act on the lighthouse's reply to our HostQuery. This means we can easily add hundreds of milliseconds of unnecessary delay to the handshake. To fix this, we can introduce a channel to trigger an outbound handshake without waiting for the next timer tick. A few samples of cold ping time between two hosts that require a lighthouse lookup: before (v1.2.0): time=156 ms time=252 ms time=12.6 ms time=301 ms time=352 ms time=49.4 ms time=150 ms time=13.5 ms time=8.24 ms time=161 ms time=355 ms after: time=3.53 ms time=3.14 ms time=3.08 ms time=3.92 ms time=7.78 ms time=3.59 ms time=3.07 ms time=3.22 ms time=3.12 ms time=3.08 ms time=8.04 ms I recommend reviewing this PR by looking at each commit individually, as some refactoring was required that makes the diff a bit confusing when combined together.
2020-07-22 08:35:10 -06:00
tryInterval: config.GetDuration("handshakes.try_interval", DefaultHandshakeTryInterval),
retries: config.GetInt("handshakes.retries", DefaultHandshakeRetries),
waitRotation: config.GetInt("handshakes.wait_rotation", DefaultHandshakeWaitRotation),
triggerBuffer: config.GetInt("handshakes.trigger_buffer", DefaultHandshakeTriggerBuffer),
add meta packet statistics (#230) This change add more metrics around "meta" (non "message" type packets). For lighthouse packets, we also record statistics around the specific lighthouse meta type. We don't keep statistics for the "message" type so that we don't slow down the fast path (and you can just look at metrics on the tun interface to find that information).
2020-06-26 11:45:48 -06:00
messageMetrics: messageMetrics,
add configuration options for HandshakeManager (#179) This change exposes the current constants we have defined for the handshake manager as configuration options. This will allow us to test and tweak with different intervals and wait rotations. # Handshake Manger Settings handshakes: # Total time to try a handshake = sequence of `try_interval * retries` # With 100ms interval and 20 retries it is 23.5 seconds try_interval: 100ms retries: 20 # wait_rotation is the number of handshake attempts to do before starting to try non-local IP addresses wait_rotation: 5
2020-02-21 14:25:11 -07:00
}
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
handshakeManager := NewHandshakeManager(tunCidr, preferredRanges, hostMap, lightHouse, udpConns[0], handshakeConfig)
trigger handshakes when lighthouse reply arrives (#246) Currently, we wait until the next timer tick to act on the lighthouse's reply to our HostQuery. This means we can easily add hundreds of milliseconds of unnecessary delay to the handshake. To fix this, we can introduce a channel to trigger an outbound handshake without waiting for the next timer tick. A few samples of cold ping time between two hosts that require a lighthouse lookup: before (v1.2.0): time=156 ms time=252 ms time=12.6 ms time=301 ms time=352 ms time=49.4 ms time=150 ms time=13.5 ms time=8.24 ms time=161 ms time=355 ms after: time=3.53 ms time=3.14 ms time=3.08 ms time=3.92 ms time=7.78 ms time=3.59 ms time=3.07 ms time=3.22 ms time=3.12 ms time=3.08 ms time=8.04 ms I recommend reviewing this PR by looking at each commit individually, as some refactoring was required that makes the diff a bit confusing when combined together.
2020-07-22 08:35:10 -06:00
lightHouse.handshakeTrigger = handshakeManager.trigger
Public Release
2019-11-19 10:00:20 -07:00
remove old hmac function. superceded by ix_psk0
2019-11-23 09:50:36 -07:00
//TODO: These will be reused for psk
//handshakeMACKey := config.GetString("handshake_mac.key", "")
//handshakeAcceptedMACKeys := config.GetStringSlice("handshake_mac.accepted_keys", []string{})
Public Release
2019-11-19 10:00:20 -07:00
Allow configuration of dns listener host/port (#74) * Allow configuration of dns listener host/port * Make DNS listen host/port configuration HUP-able
2019-12-11 18:42:55 -07:00
serveDns := config.GetBool("lighthouse.serve_dns", false)
Public Release
2019-11-19 10:00:20 -07:00
checkInterval := config.GetInt("timers.connection_alive_interval", 5)
pendingDeletionInterval := config.GetInt("timers.pending_deletion_interval", 10)
ifConfig := &InterfaceConfig{
remove old hmac function. superceded by ix_psk0
2019-11-23 09:50:36 -07:00
HostMap: hostMap,
Inside: tun,
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
Outside: udpConns[0],
remove old hmac function. superceded by ix_psk0
2019-11-23 09:50:36 -07:00
certState: cs,
Cipher: config.GetString("cipher", "aes"),
Firewall: fw,
ServeDns: serveDns,
HandshakeManager: handshakeManager,
lightHouse: lightHouse,
checkInterval: checkInterval,
pendingDeletionInterval: pendingDeletionInterval,
DropLocalBroadcast: config.GetBool("tun.drop_local_broadcast", false),
DropMulticast: config.GetBool("tun.drop_multicast", false),
UDPBatchSize: config.GetInt("listen.batch", 64),
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
routines: routines,
add meta packet statistics (#230) This change add more metrics around "meta" (non "message" type packets). For lighthouse packets, we also record statistics around the specific lighthouse meta type. We don't keep statistics for the "message" type so that we don't slow down the fast path (and you can just look at metrics on the tun interface to find that information).
2020-06-26 11:45:48 -06:00
MessageMetrics: messageMetrics,
More like a library (#279)
2020-09-18 08:20:09 -06:00
version: buildVersion,
Public Release
2019-11-19 10:00:20 -07:00
}
switch ifConfig.Cipher {
case "aes":
Correct typos in noise.go (#205)
2020-03-30 12:23:55 -06:00
noiseEndianness = binary.BigEndian
Public Release
2019-11-19 10:00:20 -07:00
case "chachapoly":
Correct typos in noise.go (#205)
2020-03-30 12:23:55 -06:00
noiseEndianness = binary.LittleEndian
Public Release
2019-11-19 10:00:20 -07:00
default:
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, fmt.Errorf("unknown cipher: %v", ifConfig.Cipher)
Public Release
2019-11-19 10:00:20 -07:00
}
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
var ifce *Interface
if !configTest {
ifce, err = NewInterface(ifConfig)
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, fmt.Errorf("failed to initialize interface: %s", err)
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
}
Public Release
2019-11-19 10:00:20 -07:00
Proper multiqueue support for tun devices (#382) This change is for Linux only. Previously, when running with multiple tun.routines, we would only have one file descriptor. This change instead sets IFF_MULTI_QUEUE and opens a file descriptor for each routine. This allows us to process with multiple threads while preventing out of order packet reception issues. To attempt to distribute the flows across the queues, we try to write to the tun/UDP queue that corresponds with the one we read from. So if we read a packet from tun queue "2", we will write the outgoing encrypted packet to UDP queue "2". Because of the nature of how multi queue works with flows, a given host tunnel will be sticky to a given routine (so if you try to performance benchmark by only using one tunnel between two hosts, you are only going to be using a max of one thread for each direction). Because this system works much better when we can correlate flows between the tun and udp routines, we are deprecating the undocumented "tun.routines" and "listen.routines" parameters and introducing a new "routines" parameter that sets the value for both. If you use the old undocumented parameters, the max of the values will be used and a warning logged. Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2021-02-25 13:01:14 -07:00
// TODO: Better way to attach these, probably want a new interface in InterfaceConfig
// I don't want to make this initial commit too far-reaching though
ifce.writers = udpConns
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
ifce.RegisterConfigChangeCallbacks(config)
Public Release
2019-11-19 10:00:20 -07:00
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
go handshakeManager.Run(ifce)
go lightHouse.LhUpdateWorker(ifce)
}
Public Release
2019-11-19 10:00:20 -07:00
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
err = startStats(config, configTest)
Public Release
2019-11-19 10:00:20 -07:00
if err != nil {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, NewContextualError("Failed to start stats emitter", nil, err)
Public Release
2019-11-19 10:00:20 -07:00
}
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
if configTest {
More like a library (#279)
2020-09-18 08:20:09 -06:00
return nil, nil
Better config test (#177) * Better config test Previously, when using the config test option `-test`, we quit fairly earlier in the process and would not catch a variety of additional parsing errors (such as lighthouse IP addresses, local_range, the new check to make sure static hosts are in the certificate's subnet, etc). * run config test as part of smoke test * don't need privileges for configtest Co-authored-by: Nathan Brown <nate@slack-corp.com>
2020-04-06 12:35:32 -06:00
}
Public Release
2019-11-19 10:00:20 -07:00
//TODO: check if we _should_ be emitting stats
go ifce.emitStats(config.GetDuration("stats.interval", time.Second*10))
attachCommands(ssh, hostMap, handshakeManager.pendingHostMap, lightHouse, ifce)
Allow configuration of dns listener host/port (#74) * Allow configuration of dns listener host/port * Make DNS listen host/port configuration HUP-able
2019-12-11 18:42:55 -07:00
// Start DNS server last to allow using the nebula IP as lighthouse.dns.host
if amLighthouse && serveDns {
l.Debugln("Starting dns server")
go dnsMain(hostMap, config)
}
More like a library (#279)
2020-09-18 08:20:09 -06:00
return &Control{ifce, l}, nil
Public Release
2019-11-19 10:00:20 -07:00
}