Regardless of `FIREZONE_DNS_CONTROL`, always try to notify systemd that
we've started.
I had accidentally conflated the idea of running as a systemd service
with the idea of using systemd to control DNS. They're separate, but
I'll keep the service unit in here and always use `sd-notify` since it
should be harmless to use even in Alpine.
~~If `FIREZONE_DNS_CONTROL` is `systemd-resolved`, try to notify systemd
that we've finished startup and the tunnel is ready.~~
Also adds a CI test, including a systemd service file that is **not**
ready for general use.
Ready for review once it's green.
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Running perf by itself should be enough to establish a connection, we
don't need to explicitly do that before.
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Only user-facing if users are using the Docker image for the Linux
client.
I split off a module for `/etc/resolv.conf` since the code and unit
tests are about 300 lines and aren't related to the rest of the
`tun_linux.rs` code.
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
This improves maintenance because we can now use a regular matrix for
the integration tests and one can locally use tools like shellcheck or a
`bash-lsp` during development.
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Fixes #3578
Fixes #3551
The issue turned out to be a bunk Repository. Upon unraveling that ball
of yarn, I decided to clean up the Tunnel implementation altogether. It
uses the existing tunnel in-memory store for pushing updates to a
connected SessionActivity.
This PR includes many bug fixes as well.
Closes #3534
I'm running it in another job in parallel. It doesn't work in release
mode for Windows reasons, and I'm not sure how to share it with the
`cargo test` jobs.
So the overall time for `ci.yml` is only 11 minutes, which seems
typical. However it is using up another CI runner unit to build the
whole Tauri app from scratch in debug mode.
```[tasklist]
- [x] Skip the WebView2 error dialog if we're in smoke-test mode
- [x] Research if there's any Github action to install WebView2 in the runner
```
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Gabi <gabrielalejandro7@gmail.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
This increases our app bundle size with no real benefit. ~~I'm also
encountering an issue where the `x86` shared library is being loaded
instead of the appropriate x86_64 one, causing a crash.~~ Edit: The
crash appears to be coming from somewhere else, still investigating.
Still it would be good to remove this as the Rust dependency in the
Android build is built serially.
Bumps
[marocchino/tool-versions-action](https://github.com/marocchino/tool-versions-action)
from 1.1.1 to 1.2.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/marocchino/tool-versions-action/releases">marocchino/tool-versions-action's
releases</a>.</em></p>
<blockquote>
<h2>v1.2.0</h2>
<ul>
<li>Update deps</li>
<li>Use node 20</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="18a164fa2b"><code>18a164f</code></a>
Merge pull request <a
href="https://redirect.github.com/marocchino/tool-versions-action/issues/82">#82</a>
from kokuyouwind/node-20</li>
<li><a
href="36be1edcfd"><code>36be1ed</code></a>
npm run packages</li>
<li><a
href="b5347e5e3e"><code>b5347e5</code></a>
change <code>@zeit/ncc</code> to <code>@vercel/ncc</code></li>
<li><a
href="86aa9d20a7"><code>86aa9d2</code></a>
use tool-versions to install nodejs itself</li>
<li><a
href="9d12e087da"><code>9d12e08</code></a>
update Node.js from 16 to 20</li>
<li><a
href="c6d46545c4"><code>c6d4654</code></a>
Merge pull request <a
href="https://redirect.github.com/marocchino/tool-versions-action/issues/80">#80</a>
from marocchino/dependabot/npm_and_yarn/eslint-8.56.0</li>
<li><a
href="97205afc5e"><code>97205af</code></a>
Bump eslint from 8.55.0 to 8.56.0</li>
<li><a
href="7ede3990ac"><code>7ede399</code></a>
Merge pull request <a
href="https://redirect.github.com/marocchino/tool-versions-action/issues/79">#79</a>
from marocchino/dependabot/github_actions/github/codeq...</li>
<li><a
href="7544aae7d8"><code>7544aae</code></a>
Bump github/codeql-action from 2 to 3</li>
<li><a
href="9a54510d5d"><code>9a54510</code></a>
Merge pull request <a
href="https://redirect.github.com/marocchino/tool-versions-action/issues/78">#78</a>
from marocchino/dependabot/npm_and_yarn/eslint-8.55.0</li>
<li>Additional commits viewable in <a
href="https://github.com/marocchino/tool-versions-action/compare/v1.1.1...v1.2.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[gradle/gradle-build-action](https://github.com/gradle/gradle-build-action)
from 2 to 3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/gradle/gradle-build-action/releases">gradle/gradle-build-action's
releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<p>This is the first release of <code>gradle/gradle-build-action</code>
available with the <code>v3</code> version tag.</p>
<blockquote>
<p>[!IMPORTANT]
As of <code>v3</code> this action has been superseded by
<code>gradle/actions/setup-gradle</code>.
Any workflow that uses <code>gradle/gradle-build-action@v3</code> will
transparently delegate to
<code>gradle/actions/setup-gradle@v3</code>.</p>
<p>Users are encouraged to update their workflows, replacing:</p>
<pre><code>uses: gradle/gradle-build-action@v3
</code></pre>
<p>with</p>
<pre><code>uses: gradle/actions/setup-gradle@v3
</code></pre>
<p>See the <a
href="https://github.com/gradle/actions/tree/main/setup-gradle">setup-gradle
documentation</a> for up-to-date documentation for
<code>gradle/actions/setup-gradle</code>.</p>
</blockquote>
<h2>Changes from <code>gradle-build-action@v2</code></h2>
<p>This release brings some useful and much requested features,
including:</p>
<ul>
<li>save and restore the Gradle configuration-cache data</li>
<li>add the Job summary content as a PR comment</li>
<li>easily publish Build Scans® to the free <a
href="https://scans.gradle.com">Gradle Build Scan service</a></li>
<li>compatibility with Node 20</li>
</ul>
<p>The only major breaking change from
<code>gradle-build-action@v2.12.0</code> is the update to require a Node
20 runtime environment.
Aside from that change, this release should generally serve as a drop-in
replacement for <code>gradle-build-action@v2</code>.</p>
<h3>Changelog</h3>
<ul>
<li>[NEW] - Run with NodeJs 20.x (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/946">gradle/gradle-build-action#946</a>)</li>
<li>[NEW] - Support for save & restore of configuration-cache data
(<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/966">gradle/gradle-build-action#966</a>)</li>
<li>[NEW] - Support for automatic adding PR comment with Job Summary
content (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1020">gradle/gradle-build-action#1020</a>)</li>
<li>[NEW] - Make it easy to publish a Build Scan® to <a
href="https://scans.gradle.com">https://scans.gradle.com</a> (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1044">gradle/gradle-build-action#1044</a>)</li>
<li>[NEW] - Added <code>dependency-graph-continue-on-failure</code>
input, which can be set to <code>false</code> to force the Job to fail
when dependency graph submission fails (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1036">gradle/gradle-build-action#1036</a>).
Failure modes include:
<ul>
<li>Fail build step if version of Gradle being executed is not supported
for dependency-graph generation (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1034">gradle/gradle-build-action#1034</a>)</li>
<li>Fail job if permissions are insufficient to submit dependency graph
via Dependency Submission API (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/997">gradle/gradle-build-action#997</a>)</li>
</ul>
</li>
<li>[NEW] - Add <code>dependency-graph: clear</code> option to clear any
dependency-graph previously submitted by the job</li>
<li>[FIX] Allow cache entries to be reused by jobs with the same ID in
different workflows (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1017">gradle/gradle-build-action#1017</a>)
<ul>
<li>Workflow name remains part of the cache key, but cache entries
generated by the same job id in a different workflow may be
restored</li>
</ul>
</li>
<li>[FIX] Register pre-installed JDKs in Maven toolchains.xml file (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1024">gradle/gradle-build-action#1024</a>)
<ul>
<li>This allows pre-installed JDKs to be auto-detected by Gradle
Toolchain support on Windows</li>
</ul>
</li>
<li>[FIX] - Update the Gradle Enterprise injection configuration for
product rename to Develocity (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/995">gradle/gradle-build-action#995</a>)</li>
<li>[FIX] - Avoid submitting an empty dependency graph when state is
loaded from configuration-cache</li>
<li>[FIX] - Update to <code>GitHub Dependency Graph Gradle Plugin</code>
<a
href="https://github.com/gradle/github-dependency-graph-gradle-plugin/releases/tag/v1.2.0">v1.2.0</a></li>
<li>[DEPRECATION] - Deprecation of the arguments parameter (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/996">gradle/gradle-build-action#996</a>)</li>
<li>[BREAKING CHANGE] - Remove the <code>gradle-executable</code> input
parameter. Use a separate workflow Step to execute a Gradle from a
custom location.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3b1b3b9a21"><code>3b1b3b9</code></a>
Prepare for v3.0.0 release</li>
<li><a
href="d4bd442194"><code>d4bd442</code></a>
Delegate to 'setup-gradle@v3.0.0-rc.2'</li>
<li><a
href="4587492cf1"><code>4587492</code></a>
Redirect some README content</li>
<li><a
href="ef85c4ed42"><code>ef85c4e</code></a>
Bump DV plugin version to 3.16.2</li>
<li><a
href="7e08fe288b"><code>7e08fe2</code></a>
Run full-check on change to action.yml</li>
<li><a
href="4a8703fa34"><code>4a8703f</code></a>
Delegate to 'setup-gradle@v3.0.0-rc.1'</li>
<li><a
href="4a39eedb8c"><code>4a39eed</code></a>
Mention setup-gradle in README</li>
<li><a
href="272883a7ba"><code>272883a</code></a>
Remove all action sources: these have been migrated to
'gradle/actions'</li>
<li><a
href="2a8bfcf231"><code>2a8bfcf</code></a>
Delegate action implementation to gradle/actions/setup-gradle</li>
<li><a
href="e1ada08a9a"><code>e1ada08</code></a>
Bump the github-actions group with 1 update (<a
href="https://redirect.github.com/gradle/gradle-build-action/issues/1047">#1047</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/gradle/gradle-build-action/compare/v2...v3">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The MSI is needed to install WebView2, otherwise the exe will crash, per
#3451.
We don't have any manual way to install WebView2, and the MSI also makes
sure the exe goes into Program Files as it should, so I don't think
users will need the bare exe.
It'll still be produced in CI runs for devs / superusers to look at if
they really need.
This should be faster than the Intel runners. Seems to be at least twice
as fast for uncached builds compared to `ubuntu-22.04`.
- [x] ~~Move elixir checks to `macos-14`~~ can't; Depends on `docker`
and `erlef/setup-beam`
- [x] Add macOS targets to rust checks
- [x] Move swift build to macos-14
- [x] Move kotlin build to macos-14
- [x] Name all jobs that are required for merge group to not depend on
job config
- [x] Update PR branch protection rules
`firezone-connection` was a working title that I never really quite
liked. Here is a proposal to rebrand it to `snownet`. That is a lot more
concise and derived from the fact that we are establishing a network of
connections using ICE.
Test basic connectivity with the headless client after the portal API
restarts.
Based on top of #3364 to test that portal restarts don't cause a
cascading failure.
In case of symmetric NATs, `firezone-connection` needs to fall back to
using TURN to allow peers to communicate with each other. Usage of TURN
requires us to make an allocation on each TURN server and bind channels
for each socket that we expect the remote to send data from. Once set
up, `str0m`'s ICE state machine will select a candidate pair for us which
in the case of symmetric NATs will be a pair of relay candidates.
Allocations and channels are what make operating a TURN server
expensive. As a result, the spec requires those to be continuously
refreshed if they are still in use. `firezone-connection` handles this
in the `Allocation` state machine.
Last but not least, this PR also slightly changes the API to tell the
caller from which source socket it has to send the data. This is
important to make hole-punching work if we are listening on multiple
sockets.
I tested this by temporarily putting panics in `test_ipc_manager` and
`test_ipc_worker`.
It looks like, if a process crashes, Windows will clean up its named
pipe, and the process waiting on the other side of the named pipe will
get an error.
This is good but it's not air-tight - ~~We could still have a situation
where a worker process locks up, and the main process crashes, and the
worker process then leaks.~~ #3311 will fix that
For that case I'll try this
https://stackoverflow.com/questions/53208/how-do-i-automatically-destroy-child-processes-in-windows
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Currently, `firezone-connection` can only handle connections on a LAN.
Via the use of a STUN server, we can discover our public IP and attempt
a direct, hole-punched connection across multiple subnets.
Getting IPv6-related timeouts and flakiness. It's disabled for the
testbed and the connection tests so following suit here since we don't
have tests that use IPv6.
Turns out #3276 was only part of the problem. After that was fixed, the
issue did turn out to be the statically-linked libc runtime. Staging was
using dynamic linking and so didn't hit the issue.
This reverts back to musl which has been tested as @AndrewDryga noted.
Fulfills #2997
cd.yml changes are always blind so it may break the draft release when
it goes into main. Just let me know.
I should probably just switch it to Bash so it's easier to test.