feat(linux): Notify systemd when we've started (#3628)

Regardless of `FIREZONE_DNS_CONTROL`, always try to notify systemd that we've started. I had accidentally conflated the idea of running as a systemd service with the idea of using systemd to control DNS. They're separate, but I'll keep the service unit in here and always use `sd-notify` since it should be harmless to use even in Alpine. ~~If `FIREZONE_DNS_CONTROL` is `systemd-resolved`, try to notify systemd that we've finished startup and the tunnel is ready.~~ Also adds a CI test, including a systemd service file that is **not** ready for general use. Ready for review once it's green. --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
2026-01-27 10:18:54 +00:00 · 2024-02-15 14:12:37 -06:00
parent 085351f455
commit 0fbd40fcb2
6 changed files with 82 additions and 0 deletions
--- a/scripts/tests/systemd/dns-systemd-resolved.sh
+++ b/scripts/tests/systemd/dns-systemd-resolved.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Test Linux DNS control using `systemd-resolved` directly inside the CI runner
+
+set -euo pipefail
+
+BINARY_NAME=firezone-linux-client
+
+docker compose exec client cat firezone-linux-client > "$BINARY_NAME"
+chmod u+x "$BINARY_NAME"
+sudo mv "$BINARY_NAME" "/usr/bin/$BINARY_NAME"
+# TODO: Check whether this is redundant with the systemd service file
+sudo setcap cap_net_admin+eip "/usr/bin/$BINARY_NAME"
+
+sudo cp scripts/tests/systemd/firezone-client.service /etc/systemd/system/
+systemd-analyze security firezone-client
+
+# TODO: Use DNS and not IP
+# HTTPBIN_DNS=172.21.0.100
+HTTPBIN_IP=172.20.0.100
+
+IFACE_NAME="tun-firezone"
+
+echo "# Accessing a resource should fail before the client is up"
+# TODO: For now I'm cheating and forcing curl to try the tunnel iface.
+# This doesn't test that Firezone is adding the routes.
+# If I don't do this, curl just connects through the Docker bridge.
+curl --interface "$IFACE_NAME" $HTTPBIN_IP/get && exit 1
+
+echo "# Start Firezone"
+resolvectl dns tun-firezone && exit 1
+if ! sudo systemctl start firezone-client
+then
+    sudo systemctl status firezone-client
+    exit 1
+fi
+resolvectl dns tun-firezone
+
+echo "# Accessing a resource should succeed after the client is up"
+curl --interface "$IFACE_NAME" $HTTPBIN_IP/get
--- a/scripts/tests/systemd/firezone-client.service
+++ b/scripts/tests/systemd/firezone-client.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Firezone Client
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN
+
+Environment="FIREZONE_API_URL=ws://localhost:8081"
+# Will re-enable this once systemd DNS control is ready for CI
+# Environment="FIREZONE_DNS_CONTROL=systemd-resolved"
+Environment="FIREZONE_ID=D0455FDE-8F65-4960-A778-B934E4E85A5F"
+Environment="FIREZONE_TOKEN=n.SFMyNTY.g2gDaANtAAAAJGM4OWJjYzhjLTkzOTItNGRhZS1hNDBkLTg4OGFlZjZkMjhlMG0AAAAkN2RhN2QxY2QtMTExYy00NGE3LWI1YWMtNDAyN2I5ZDIzMGU1bQAAACtBaUl5XzZwQmstV0xlUkFQenprQ0ZYTnFJWktXQnMyRGR3XzJ2Z0lRdkZnbgYAGUmu74wBYgABUYA.UN3vSLLcAMkHeEh5VHumPOutkuue8JA6wlxM9JxJEPE"
+Environment="RUST_LOG=firezone_linux_client=trace,wire=trace,connlib_client_shared=trace,firezone_tunnel=trace,connlib_shared=trace,warn"
+
+ExecStart=firezone-linux-client
+Type=notify
+# TODO: Come back to this and cut down the permissions
+User=root
+
+[Install]
+WantedBy=default.target