From 4dc8cdf908c0f4ee38ee4b8378bf85d9ef9e8dd1 Mon Sep 17 00:00:00 2001
From: Andrew Dryga
Date: Mon, 19 Feb 2024 14:03:14 -0600
Subject: [PATCH] Revert "fix(gateway): Remove `/dev/net/tun` requirement and clean up upgrade script (#3691)

This reverts PR #3392.

This reverts commit 16f5401a73927a748ff5a91f808f8f2c94c9bd6a.
---
 docker-compose.yml | 4 ++++
 elixir/apps/web/lib/web/live/relay_groups/new_token.ex | 1 +
 elixir/apps/web/lib/web/live/sites/new_token.ex | 1 +
 scripts/gateway-docker-upgrade.sh | 1 +
 terraform/modules/aws/gateway/templates/cloud-init.yaml | 2 +-
 .../gateway-google-cloud-compute/templates/cloud-init.yaml | 2 +-
 6 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index c4aff49a7..f89b1165d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -128,6 +128,8 @@ services:
 - NET_ADMIN
 sysctls:
 - net.ipv6.conf.all.disable_ipv6=0
+ devices:
+ - "/dev/net/tun:/dev/net/tun"
 depends_on:
 api:
 condition: "service_healthy"
@@ -161,6 +163,8 @@ services:
 - net.ipv6.conf.all.disable_ipv6=0
 - net.ipv6.conf.all.forwarding=1
 - net.ipv6.conf.default.forwarding=1
+ devices:
+ - "/dev/net/tun:/dev/net/tun"
 depends_on:
 api:
 condition: "service_healthy"
diff --git a/elixir/apps/web/lib/web/live/relay_groups/new_token.ex b/elixir/apps/web/lib/web/live/relay_groups/new_token.ex
index 0d8a3c8e8..9e67ae5f8 100644
--- a/elixir/apps/web/lib/web/live/relay_groups/new_token.ex
+++ b/elixir/apps/web/lib/web/live/relay_groups/new_token.ex
@@ -268,6 +268,7 @@ defmodule Web.RelayGroups.NewToken do
 "--sysctl net.ipv6.conf.all.disable_ipv6=0",
 "--sysctl net.ipv6.conf.all.forwarding=1",
 "--sysctl net.ipv6.conf.default.forwarding=1",
+ "--device=\"/dev/net/tun:/dev/net/tun\"",
 Enum.map(env, fn {key, value} -> "--env #{key}=\"#{value}\"" end),
 "--env FIREZONE_NAME=$(hostname)",
 "#{Domain.Config.fetch_env!(:domain, :docker_registry)}/relay:#{major_minor_version()}"
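Review bot: The new `devices:` entry `/dev/net/tun:/dev/net/tun` carries no cgroup permission suffix, so Docker grants the container its default `rwm` (read, write, mknod) access to the device; opening a TUN device needs only read and write, and nothing in the diff suggests the gateway creates device nodes, so `- "/dev/net/tun:/dev/net/tun:rw"` would keep the grant minimal. The same applies to the second docker-compose hunk and to every `--device=` flag this revert re-adds (both new_token.ex hunks, gateway-docker-upgrade.sh and both cloud-init.yaml hunks), where the form is `--device="/dev/net/tun:/dev/net/tun:rw"`. Since the revert reinstates a host requirement that the tun module be loaded, the commit description would also benefit from one sentence on why the device is needed again, beyond naming the reverted PR.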
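Review bot: The relay run command in relay_groups/new_token.ex now also passes `--device=\"/dev/net/tun:/dev/net/tun\"`, yet the image on the last context line is `.../relay:...`, not the gateway, and a relay does not obviously need a TUN device; if only the gateway opens one, this line should be dropped here, which also spares relay hosts the loaded-tun-module requirement and keeps the relay container's device allowlist minimal. If the relay does use it, a one-line comment above the entry, `# the relay opens /dev/net/tun for <reason>`, would save the next reader the same question. The argument list this hunk edits starts and ends outside the hunk.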
diff --git a/elixir/apps/web/lib/web/live/sites/new_token.ex b/elixir/apps/web/lib/web/live/sites/new_token.ex
index 3fa260d7f..f7ce4ca6b 100644
--- a/elixir/apps/web/lib/web/live/sites/new_token.ex
+++ b/elixir/apps/web/lib/web/live/sites/new_token.ex
@@ -180,6 +180,7 @@ defmodule Web.Sites.NewToken do
 "--sysctl net.ipv6.conf.all.disable_ipv6=0",
 "--sysctl net.ipv6.conf.all.forwarding=1",
 "--sysctl net.ipv6.conf.default.forwarding=1",
+ "--device=\"/dev/net/tun:/dev/net/tun\"",
 Enum.map(env ++ [{"FIREZONE_ENABLE_MASQUERADE", "1"}], fn {key, value} ->
 "--env #{key}=\"#{value}\""
 end),
diff --git a/scripts/gateway-docker-upgrade.sh b/scripts/gateway-docker-upgrade.sh
index f8db17763..dde553343 100755
--- a/scripts/gateway-docker-upgrade.sh
+++ b/scripts/gateway-docker-upgrade.sh
@@ -38,6 +38,7 @@ do
 --sysctl net.ipv6.conf.all.disable_ipv6=0 \
 --sysctl net.ipv6.conf.all.forwarding=1 \
 --sysctl net.ipv6.conf.default.forwarding=1 \
+ --device="/dev/net/tun:/dev/net/tun" \
 "$TARGET_IMAGE"
 rm variables.env
 echo "Container upgraded"
diff --git a/terraform/modules/aws/gateway/templates/cloud-init.yaml b/terraform/modules/aws/gateway/templates/cloud-init.yaml
index 2da61cae1..dfd13630a 100644
--- a/terraform/modules/aws/gateway/templates/cloud-init.yaml
+++ b/terraform/modules/aws/gateway/templates/cloud-init.yaml
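Review bot: The upgrade script passes `--device="/dev/net/tun:/dev/net/tun"` to `docker run` without checking that the node exists, and the visible lines that follow, `rm variables.env` and `echo "Container upgraded"`, run regardless of the exit status, so on a host without the tun module loaded the script would still print `Container upgraded` unless `set -e` or an exit-code check is in effect outside the hunk. A guard before the run, `[ -c /dev/net/tun ] || { echo "/dev/net/tun is missing; load the tun module before upgrading" >&2; exit 1; }`, fails early with a clear message. The `do` in the hunk header shows the run sits inside a loop that starts before the hunk, so the guard likely belongs before the loop.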
@@ -24,7 +24,7 @@ write_files:
 ExecStartPre=-/usr/bin/docker stop ${container_name}
 ExecStartPre=-/usr/bin/docker rm ${container_name}
 ExecStartPre=/usr/bin/docker pull ${container_image}
- ExecStart=/bin/sh -c 'docker run --rm --name=${container_name} --cap-add=NET_ADMIN --volume /etc/firezone --sysctl net.ipv4.ip_forward=1 --sysctl net.ipv4.conf.all.src_valid_mark=1 --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.all.forwarding=1 --sysctl net.ipv6.conf.default.forwarding=1 --env FIREZONE_NAME=$(hostname) --env FIREZONE_ID=$(echo $RANDOM$(hostname) | md5sum | head -c 20; echo;) --env-file="/etc/firezone-gateway/env" ${container_image}'
+ ExecStart=/bin/sh -c 'docker run --rm --name=${container_name} --cap-add=NET_ADMIN --volume /etc/firezone --sysctl net.ipv4.ip_forward=1 --sysctl net.ipv4.conf.all.src_valid_mark=1 --sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.all.forwarding=1 --sysctl net.ipv6.conf.default.forwarding=1 --device="/dev/net/tun:/dev/net/tun" --env FIREZONE_NAME=$(hostname) --env FIREZONE_ID=$(echo $RANDOM$(hostname) | md5sum | head -c 20; echo;) --env-file="/etc/firezone-gateway/env" ${container_image}'
 ExecStop=/usr/bin/docker stop gateway
 ExecStopPost=/usr/bin/docker rm gateway
diff --git a/terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml b/terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml
index 61b65b2dc..c5fc60f69 100644
--- a/terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml
+++ b/terraform/modules/gateway-google-cloud-compute/templates/cloud-init.yaml
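Review bot: The re-added `ExecStart` line still derives `FIREZONE_ID` from `$(echo $RANDOM$(hostname) | md5sum | head -c 20; echo;)` on every start, so each restart of the unit presents a new ID built from a low-entropy source, and on images where `/bin/sh` is dash `$RANDOM` is not supported and expands to empty, leaving a truncated MD5 of the hostname. If the portal uses this value to recognise a gateway across restarts, generating it once and persisting it, for example into the env file that `--env-file="/etc/firezone-gateway/env"` already loads, would be more robust. This is pre-existing rather than introduced by the revert, but the whole line is rewritten here so it is a natural moment to address it; the same expression appears in the gateway-google-cloud-compute cloud-init.yaml hunk. The systemd unit this line belongs to starts and ends outside the hunk.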
@@ -107,7 +107,7 @@ write_files:
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=/usr/bin/docker pull ${container_image}
- ExecStart=/bin/sh -c 'docker run --rm --name=${container_name} --cap-add=NET_ADMIN --volume /etc/firezone --env FIREZONE_NAME=$(hostname) --env FIREZONE_ID=$(echo $RANDOM$(hostname) | md5sum | head -c 20; echo;) --env-file="/etc/firezone-gateway/.env" ${container_image}'
+ ExecStart=/bin/sh -c 'docker run --rm --name=${container_name} --cap-add=NET_ADMIN --volume /etc/firezone --device="/dev/net/tun:/dev/net/tun" --env FIREZONE_NAME=$(hostname) --env FIREZONE_ID=$(echo $RANDOM$(hostname) | md5sum | head -c 20; echo;) --env-file="/etc/firezone-gateway/.env" ${container_image}'
 ExecStop=/usr/bin/docker stop gateway
 ExecStopPost=/usr/bin/docker rm gateway
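Review bot: The GCP `ExecStart` line re-added here diverges from the AWS one in the previous hunk beyond the `--device` flag: it passes no `--sysctl` options (the AWS unit sets `net.ipv4.ip_forward`, `net.ipv4.conf.all.src_valid_mark` and the IPv6 disable/forwarding keys) and loads `/etc/firezone-gateway/.env` where AWS loads `/etc/firezone-gateway/env`. If those sysctls are what lets the gateway forward traffic inside its own network namespace on AWS, the same presumably holds on GCP unless the image or another part of this template sets them, so this is worth confirming while the line is being rewritten. A short comment above the unit in the template, such as `# forwarding sysctls are set by <where>`, would record the answer for the next reader. The unit this line belongs to starts and ends outside the hunk.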