Merge pull request #68 from netfoundry/v0.8.12-release-candidate

V0.8.12 release candidate
netfoundry · Aug 10, 2024 · 3b4018d · 3b4018d
2 parents 4b78c2c + 934e0d6
commit 3b4018d
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 23 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,8 +1,11 @@
 ---
-name: release
+name: ci
 
-on: [push]
-
+on:
+  push:
+    branches:
+    - '*'
+    - '!main'
 
 env:
   APP_NAME: 'zfw'

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,11 @@
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+###
+# [0.8.12] - 2024-08-07
+- Change ci workflow display name and to trigger on push to branches other than main.
+- Refactored install.sh, start_ebpf_controller.py and revert_ebpf_controller.py to work with controller not running as root.
+
 ###
 # [0.8.11] - 2024-08-03
 

diff --git a/files/scripts/revert_ebpf_controller.py b/files/scripts/revert_ebpf_controller.py
@@ -100,28 +100,28 @@ def iterate_rules(intf):
             print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json can't revert ufw!")
 
 service = False
-if(os.path.exists('/etc/systemd/system/ziti-controller.service')):
-    unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service")
+if(os.path.exists('/etc/systemd/system/zfw-logging.service')):
+    unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/zfw-logging.service")
     if(not unconfigured):
-        os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/ExecStartPre\=-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/g' /etc/systemd/system/ziti-controller.service")
-        os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/g' /etc/systemd/system/ziti-controller.service")
-        test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/ziti-controller.service")
+        test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/zfw-logging.service")
         if(not test1):
             test1 = os.system("systemctl daemon-reload")
             if(not test1):
                 service = True
+                test1 = os.system("systemctl disable zfw-logging.service")
+                test1 = os.system("systemctl disable fw-init.service")
                 os.system("/opt/openziti/bin/zfw -Q")
                 if(os.path.exists("/opt/openziti/etc/ebpf_config.json")):
                     os.remove("/opt/openziti/etc/ebpf_config.json")
                 if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")):
                     os.remove("/opt/openziti/bin/user/user_rules.sh")
-                print("Successfully reverted ziti-controller.service!")
+                print("Successfully reverted ziti-logging.service!")
         else:
-            print("Failed to revert ziti-controller.service!")
+            print("Failed to revert zfw-logging.service!")
     else:
-        print("ziti-controller.service already reverted. Nothing to do!")
+        print("zfw-logging.service already reverted. Nothing to do!")
 else:
-    print("Skipping ziti-controller.service reversal. File does not exist!")
+    print("Skipping zfw-logging.service reversal. File does not exist!")
 
 if service:
     print("config.yml successfully reverted. restarting ziti-controller.service")

diff --git a/files/scripts/start_ebpf_controller.py b/files/scripts/start_ebpf_controller.py
@@ -477,17 +477,20 @@ def set_local_rules(ip):
 lanIp = get_if_ip(lanIf)
 if(len(lanIp)):
     set_local_rules(lanIp)
-if(os.path.exists('/etc/systemd/system/ziti-controller.service') and controller):
-    unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service")
+if(os.path.exists('/etc/systemd/system/zfw-logging.service') and controller):
+    unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/zfw-logging.service")
     if(unconfigured):
-        test0 = 1
-        test0 = os.system("sed -i 's/User\=ziti/User\=root/g' /etc/systemd/system/ziti-controller.service")
         test1 = 1
-        test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/ziti-controller.service")
-        if((not test0) and (not test1)):
+        test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/zfw-logging.service")
+        test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/zfw-logging.service") 
+        test1 = os.system("sed -i 's/_router.py/_controller.py --lanIf " + lanIf + "/g' /etc/systemd/system/fw-init.service") 
+
+        if(not test1):
             test1 = os.system("systemctl daemon-reload")
             if(not test1):
-                print("Successfully converted ziti-controller.service. Restarting!")
+                print("Successfully converted zfw-logging.service. Restarting!")
+                os.system('systemctl enable zfw-logging.service')
+                os.system('systemctl enable fw-init.service')
                 os.system('systemctl restart ziti-controller.service')
                 if(not os.system('systemctl is-active --quiet ziti-controller.service')):
                     print("ziti-controller.service successfully restarted!")
@@ -496,7 +499,7 @@ def set_local_rules(ip):
         else:
             print("Failed to convert ziti-controller.service!")
     else:
-        print("ziti-controller.service already converted. Nothing to do!")
+        print("zfw-logging.service already converted. Nothing to do!")
 else:
-    print("Skipping ziti-controller.service conversion. File does not exist or is already converted to run ebpf!")
+    print("Skipping zfw-logging.service conversion. File does not exist or is already converted to run ebpf!")
 sys.exit(0)
diff --git a/src/install.sh b/src/install.sh
@@ -105,6 +105,7 @@ then
    cp  ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
    cp  ../files/json/ebpf_config.json.sample /opt/openziti/etc
    cp  ../files/services/zfw-logging.service /etc/systemd/system
+   cp ../files/services/fw-init.service /etc/systemd/system
    chmod 744 /opt/openziti/bin/start_ebpf_controller.py
    chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
    chmod 744 /opt/openziti/bin/zfw

diff --git a/src/zfw.c b/src/zfw.c
@@ -236,7 +236,7 @@ char *direction_string;
 char *masq_interface;
 char check_alt[IF_NAMESIZE];
 
-const char *argp_program_version = "0.8.11";
+const char *argp_program_version = "0.8.12";
 struct ring_buffer *ring_buffer;
 
 __u32 if_list[MAX_IF_LIST_ENTRIES];

diff --git a/src/zfw_monitor.c b/src/zfw_monitor.c
@@ -78,7 +78,7 @@ char check_alt[IF_NAMESIZE];
 char doc[] = "zfw_monitor -- ebpf firewall monitor tool";
 const char *rb_map_path = "/sys/fs/bpf/tc/globals/rb_map";
 const char *tproxy_map_path = "/sys/fs/bpf/tc/globals/zt_tproxy_map";
-const char *argp_program_version = "0.8.11";
+const char *argp_program_version = "0.8.12";
 union bpf_attr rb_map;
 int rb_fd = -1;