Fix/docker compose up (#1705)

This PR fixes `docker compose up` but it doesn't have the test client ->
resource flow working but it prevent anything from erroring at startup.

This fixes:
* tokens (use the correct token for the client user agent we are using)
* randomize `name_suffix` at start up for connlib (we will eventually
allow options to set it manually)
* remove port ranges for relay (see firezone/product#613)

docker-compose.yml

@@ -118,7 +118,7 @@ services:
   client:
     environment:
       FZ_URL: "ws://api:8081/"
-      FZ_SECRET: "SFMyNTY.g2gDaANkAAhpZGVudGl0eW0AAAAkN2RhN2QxY2QtMTExYy00NGE3LWI1YWMtNDAyN2I5ZDIzMGU1bQAAACDZI3ehOZSu3JOSMREkvzrtKjs8jkrW6fpbVw9opDYmi24GANjCD-qIAWIB4TOA.XhoLEDjIzuv1SXEVUV6lfIHW12n5-J5aBDUKCl8ovMk"
+      FZ_SECRET: "SFMyNTY.g2gDaANkAAhpZGVudGl0eW0AAAAkN2RhN2QxY2QtMTExYy00NGE3LWI1YWMtNDAyN2I5ZDIzMGU1bQAAACAZ_F7tY7RZcWcaeGbwM9H9EBDdj2U4QPu2sBzD8Z_7R24GAMH8mfqIAWIB4TOA.2IZ089fjvNLoCsirq2PwNTfMHXf3285F6YcNquk6niU"
     build:
       context: rust
       dockerfile: Dockerfile.dev
@@ -140,7 +140,7 @@ services:
   gateway:
     environment:
       FZ_URL: "ws://api:8081/"
-      FZ_SECRET: "SFMyNTY.g2gDaAJtAAAAJDNjZWYwNTY2LWFkZmQtNDhmZS1hMGYxLTU4MDY3OTYwOGY2Zm0AAABAamp0enhSRkpQWkdCYy1vQ1o5RHkyRndqd2FIWE1BVWRwenVScjJzUnJvcHg3NS16bmhfeHBfNWJUNU9uby1yYm4GAJXr4emIAWIAAVGA.jz0s-NohxgdAXeRMjIQ9kLBOyd7CmKXWi2FHY-Op8GM"
+      FZ_SECRET: "SFMyNTY.g2gDaAJtAAAAJDNjZWYwNTY2LWFkZmQtNDhmZS1hMGYxLTU4MDY3OTYwOGY2Zm0AAABAamp0enhSRkpQWkdCYy1vQ1o5RHkyRndqd2FIWE1BVWRwenVScjJzUnJvcHg3NS16bmhfeHBfNWJUNU9uby1yYm4GAFvAb_mIAWIAAVGA.1DaY3H3fKzW5sqcciJqlHyG0uFctzOewofsVRGS7NrQ"
     build:
       context: rust
       dockerfile: Dockerfile.dev
@@ -159,16 +159,22 @@ services:
       - api
     networks:
       - app
+      - resources
+
+  resource:
+    image: alpine:3.18
+    command: tail -f /dev/null
+    networks:
+      - resources
 
   relay:
     environment:
       PUBLIC_IP4_ADDR: 172.28.0.101
       LISTEN_IP4_ADDR: 172.28.0.101
       PORTAL_WS_URL: "ws://api:8081/"
-      PORTAL_TOKEN: "SFMyNTY.g2gDaAJtAAAAJDcyODZiNTNkLTA3M2UtNGM0MS05ZmYxLWNjODQ1MWRhZDI5OW0AAABARVg3N0dhMEhLSlVWTGdjcE1yTjZIYXRkR25mdkFEWVFyUmpVV1d5VHFxdDdCYVVkRVUzbzktRmJCbFJkSU5JS24GAMDq4emIAWIAAVGA.fLlZsUMS0VJ4RCN146QzUuINmGubpsxoyIf3uhRHdiQ"
-    ports:
-    - "3478/udp"
-    - "49152-65535/udp"
+      PORTAL_TOKEN: "SFMyNTY.g2gDaAJtAAAAJDcyODZiNTNkLTA3M2UtNGM0MS05ZmYxLWNjODQ1MWRhZDI5OW0AAABARVg3N0dhMEhLSlVWTGdjcE1yTjZIYXRkR25mdkFEWVFyUmpVV1d5VHFxdDdCYVVkRVUzbzktRmJCbFJkSU5JS24GAJZ5vfiIAWIAAVGA.F1J6PxmFwmlSYtsUnkw2Z7IjpMkB1oS7wxtzQBqlFFM"
+      RUST_LOG: "debug"
+      RUST_BACKTRACE: 1
     build:
       context: rust
       dockerfile: Dockerfile.dev
@@ -176,7 +182,8 @@ services:
         PACKAGE: relay
     image: firezone-relay
     depends_on:
-      - api
+      api:
+        condition: 'service_healthy'
     networks:
       app:
         ipv4_address: 172.28.0.101
@@ -239,6 +246,16 @@ services:
         condition: 'service_healthy'
       postgres:
         condition: 'service_healthy'
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl -f localhost:8081/healthz"
+        ]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
     networks:
       - app
 
@@ -312,6 +329,10 @@ services:
       - app
 
 networks:
+  resources:
+    ipam:
+      config:
+        - subnet: 172.20.0.0/16
   app:
     enable_ipv6: true
     ipam:

elixir/apps/domain/priv/repo/seeds.exs

@@ -91,8 +91,8 @@ unprivileged_subject =
   Auth.build_subject(
     unprivileged_actor_userpass_identity,
     DateTime.utc_now() |> DateTime.add(365, :day),
-    "iOS/12.5 (iPhone) connlib/0.7.412",
-    {172, 28, 0, 1}
+    "Debian/11.0.0 connlib/0.1.0",
+    {172, 28, 0, 100}
   )
 
 admin_subject =
@@ -198,7 +198,7 @@ IO.puts("")
   Resources.create_resource(
     %{
       type: :cidr,
-      address: "172.172.0.1/16",
+      address: "172.20.0.1/16",
       connections: [%{gateway_group_id: gateway_group.id}]
     },
     admin_subject

rust/Cargo.lock

@@ -1549,6 +1549,7 @@ dependencies = [
  "futures-util",
  "ip_network",
  "os_info",
+ "rand",
  "rand_core 0.6.4",
  "rtnetlink",
  "serde",

rust/Dockerfile

@@ -18,4 +18,13 @@ COPY --from=BUILDER /usr/local/bin/$PACKAGE .
 ENV RUST_BACKTRACE=1
 ENV PATH "/app:$PATH"
 ENV PACKAGE_NAME ${PACKAGE}
-CMD ${PACKAGE_NAME}
+# Some black magics here:
+# we need to use `/bin/sh -c` so that the env variable is correctly replaced
+# but then everything in `CMD` is placed after the executed string, so we need
+# to move it inside, these are passed as the variables `$0`, `$1`, `$2`, etc...
+# this means that this will ignore after the first arguments
+# if we ever combine this with `CMD` in exec form  so always use shell form
+# (Note we could use shell-form here, but this is the same made explicit)
+ENTRYPOINT ["/bin/sh", "-c", "$PACKAGE_NAME $0"]
+# *sigh* if we don't add this $0 becomes /bin/sh in the command above
+CMD [""]

rust/Dockerfile.dev

@@ -17,4 +17,13 @@ COPY --from=BUILDER /usr/local/bin/$PACKAGE .
 ENV RUST_BACKTRACE=1
 ENV PATH "/app:$PATH"
 ENV PACKAGE_NAME ${PACKAGE}
-CMD ${PACKAGE_NAME}
+# Some black magics here:
+# we need to use `/bin/sh -c` so that the env variable is correctly replaced
+# but then everything in `CMD` is placed after the executed string, so we need
+# to move it inside, these are passed as the variables `$0`, `$1`, `$2`, etc...
+# this means that this will ignore after the first arguments
+# if we ever combine this with `CMD` in exec form  so always use shell form
+# (Note we could use shell-form here, but this is the same made explicit)
+ENTRYPOINT ["/bin/sh", "-c", "$PACKAGE_NAME $0"]
+# *sigh* if we don't add this $0 becomes /bin/sh in the command above
+CMD [""]

rust/connlib/libs/common/Cargo.toml

@@ -26,6 +26,7 @@ backoff = { version = "0.4", default-features = false }
 ip_network = { version = "0.4", default-features = false, features = ["serde"] }
 boringtun = { workspace = true }
 os_info = { version = "3", default-features = false }
+rand = { version = "0.8", default-features = false, features = ["std"] }
 
 [target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
 swift-bridge = { workspace = true }

rust/connlib/libs/common/src/session.rs

@@ -1,6 +1,7 @@
 use async_trait::async_trait;
 use backoff::{backoff::Backoff, ExponentialBackoffBuilder};
 use boringtun::x25519::{PublicKey, StaticSecret};
+use rand::{distributions::Alphanumeric, thread_rng, Rng};
 use rand_core::OsRng;
 use std::{
     marker::PhantomData,
@@ -126,8 +127,9 @@ where
         runtime.spawn(async move {
                 let private_key = StaticSecret::random_from_rng(OsRng);
                 let self_id = uuid::Uuid::new_v4();
+                let name_suffix: String = thread_rng().sample_iter(&Alphanumeric).take(8).map(char::from).collect();
 
-                let connect_url = fatal_error!(get_websocket_path(portal_url, token, T::socket_path(), &Key(PublicKey::from(&private_key).to_bytes()), &self_id.to_string()), callbacks);
+                let connect_url = fatal_error!(get_websocket_path(portal_url, token, T::socket_path(), &Key(PublicKey::from(&private_key).to_bytes()), &self_id.to_string(), &name_suffix), callbacks);
 
                 let (sender, mut receiver) = fatal_error!(T::start(private_key, callbacks.clone()).await, callbacks);
 
@@ -223,6 +225,7 @@ fn get_websocket_path(
     mode: &str,
     public_key: &Key,
     external_id: &str,
+    name_suffix: &str,
 ) -> Result<Url> {
     {
         let mut paths = url.path_segments_mut().map_err(|_| Error::UriError)?;
@@ -237,7 +240,7 @@ fn get_websocket_path(
         query_pairs.append_pair("token", &secret);
         query_pairs.append_pair("public_key", &public_key.to_string());
         query_pairs.append_pair("external_id", external_id);
-        query_pairs.append_pair("name_suffix", "todo");
+        query_pairs.append_pair("name_suffix", name_suffix);
     }
 
     Ok(url)