From 921a8114dc052761a32ffd70360653f10f325494 Mon Sep 17 00:00:00 2001 From: "Steven A. Broderick Elias" Date: Tue, 8 Aug 2023 08:15:07 -0400 Subject: [PATCH 01/17] Allows ziti runtime user access to manipulate resolv.conf --- programs/ziti-edge-tunnel/CMakeLists.txt | 11 +- .../netif_driver/linux/resolvers.c | 101 ++++++++++++++++++ .../netif_driver/linux/resolvers.h | 3 + .../ziti-edge-tunnel/netif_driver/linux/tun.c | 28 +++-- .../netif_driver/linux/utils.c | 48 +++++++++ .../netif_driver/linux/utils.h | 3 + .../package/CPackGenConfig.cmake | 2 +- .../systemd/ziti-edge-tunnel.service.in | 2 +- 8 files changed, 189 insertions(+), 9 deletions(-) diff --git a/programs/ziti-edge-tunnel/CMakeLists.txt b/programs/ziti-edge-tunnel/CMakeLists.txt index fe2c05120..7bdcc285f 100644 --- a/programs/ziti-edge-tunnel/CMakeLists.txt +++ b/programs/ziti-edge-tunnel/CMakeLists.txt @@ -57,10 +57,19 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Linux") option(DISABLE_LIBSYSTEMD_FEATURE "libsystemd library integration toggle" OFF) message("DISABLE_LIBSYSTEMD_FEATURE: ${DISABLE_LIBSYSTEMD_FEATURE}") + find_package(PkgConfig REQUIRED) + + pkg_check_modules(LIBACL REQUIRED IMPORTED_TARGET "libacl") + pkg_check_modules(LIBCAP REQUIRED IMPORTED_TARGET "libcap") + + target_link_libraries(ziti-edge-tunnel + PRIVATE PkgConfig::LIBACL + PRIVATE PkgConfig::LIBCAP + ) + if (DISABLE_LIBSYSTEMD_FEATURE) target_compile_definitions(ziti-edge-tunnel PRIVATE EXCLUDE_LIBSYSTEMD_RESOLVER) else() - find_package(PkgConfig REQUIRED) pkg_check_modules(LIBSYSTEMD IMPORTED_TARGET "libsystemd") if(LIBSYSTEMD_FOUND) diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c index 031f055f6..7a72161d1 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c @@ -19,6 +19,9 @@ #include #include #include +#include +#include + #ifndef EXCLUDE_LIBSYSTEMD_RESOLVER #include #include 
@@ -463,6 +466,104 @@ void dns_update_resolvconf(const char *tun, unsigned int ifindex, const char *ad run_command("echo 'nameserver %s' | %s -a %s", addr, RESOLVCONF, tun); } +static void cleanup_acl(acl_t *acl) { + if (*acl != NULL) { + if (acl_free(*acl) == -1) { + ZITI_LOG(ERROR, "acl_free error: %s\n", strerror(errno)); + } + *acl = NULL; + } +} + +#define ACL_EXIT(acl) do{ \ + ZITI_LOG(ERROR, "ACL operation failed: %s\n", strerror(errno)); \ + cleanup_acl(acl); \ + return; \ +} while(0) + +#define CHECK_ACL(f) do{ \ + if ((f) == -1) { \ + ACL_EXIT(&acl); \ + } \ +} while(0) + + +void install_user_acl_etc_resolv(uid_t uid) { + + _cleanup_(cleanup_acl) acl_t acl; + acl_entry_t entry; + acl_tag_t acl_tag_type; + acl_permset_t permset; + + acl = acl_get_file(RESOLV_CONF_FILE, ACL_TYPE_ACCESS); + if (acl == NULL) { + ACL_EXIT(&acl); + } + + bool acl_found = false; + for (int entry_id = ACL_FIRST_ENTRY; ; entry_id = ACL_NEXT_ENTRY) { + if (acl_get_entry(acl, entry_id, &entry) != 1) { + break; + } + + CHECK_ACL(acl_get_tag_type(entry, &acl_tag_type)); + + if ( acl_tag_type == ACL_USER) { + uid_t *qualifier_uid = acl_get_qualifier(entry); + if (qualifier_uid == NULL) { + ACL_EXIT(&acl); + } + + if (uid == *qualifier_uid) { + acl_found = true; + break; + } + } + } + + if (acl_found) { + CHECK_ACL(acl_get_permset(entry, &permset)); + + int rd = acl_get_perm(permset, ACL_READ); + CHECK_ACL(rd); + int wr = acl_get_perm(permset, ACL_WRITE); + CHECK_ACL(wr); + + if ( rd != 1 || wr != 1) { + ZITI_LOG(TRACE, "[%s] ACL permissions are incorrect. 
Fixing...\n", RESOLV_CONF_FILE); + } else { + ZITI_LOG(DEBUG, "[%s] ACL permissions are already set.\n", RESOLV_CONF_FILE); + return; + } + } + + if (!acl_found) { + CHECK_ACL(acl_create_entry(&acl, &entry)); CHECK_ACL(acl_set_tag_type(entry, ACL_USER)); + CHECK_ACL(acl_set_qualifier(entry, &uid)); + CHECK_ACL(acl_get_permset(entry, &permset)); + } + CHECK_ACL(acl_add_perm(permset, ACL_READ | ACL_WRITE)); + CHECK_ACL(acl_calc_mask(&acl)); + + int r = acl_check(acl, NULL); + + switch (r) { + case -1: + ZITI_LOG(ERROR, "acl_check error: %s\n", strerror(errno)); + return; + case 0: + ZITI_LOG(TRACE, "ACL is valid. Proceeding with installation...\n"); + break; + default: + ZITI_LOG(ERROR, "ACL is invalid. Reason: %s\n", acl_error(r)); + return; + } + + CHECK_ACL(acl_set_file(RESOLV_CONF_FILE, ACL_TYPE_ACCESS, acl)); + ZITI_LOG(INFO, "[%s] ACL permissions have been installed.\n", RESOLV_CONF_FILE); + return; +} + static bool make_copy(const char *src, const char *dst) { uv_fs_t req = {0}; diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h index b5a35d788..e070d5cd5 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h +++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h @@ -15,6 +15,7 @@ */ #include +#include #ifndef BUSCTL #define BUSCTL "/usr/bin/busctl" @@ -53,3 +54,5 @@ bool is_resolvconf_systemd_resolved(void); void dns_update_systemd_resolved(const char* tun, unsigned int ifindex, const char* addr); void dns_update_resolvconf(const char* tun, unsigned int ifindex, const char* addr); void dns_update_etc_resolv(const char* tun, unsigned int ifindex, const char* addr); + +void install_user_acl_etc_resolv(uid_t uid); diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c index b0f290e7d..ea01be9cc 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c 
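Review bot: The pointer returned by `acl_get_qualifier(entry)` inside the entry loop is never released, so every ACL_USER entry examined leaks one allocation; acl_get_qualifier(3) requires the caller to `acl_free()` it. A minimal fix inside the `if (acl_tag_type == ACL_USER)` branch is `bool match = (uid == *qualifier_uid);` / `acl_free(qualifier_uid);` / `if (match) { acl_found = true; break; }`. Note also that `acl_get_file` and `acl_set_file` follow symlinks, and this file already treats RESOLV_CONF_FILE being a symlink as a special case (the "is a symlink to systemd-resolved" branch in tun.c), so the grant may land on a generated target rather than on the path the operator expects; an `is_symlink()` guard or at least a comment before the write would make the intent explicit. The ACL installed here persists across restarts and nothing in this series removes it, which belongs in the function's header comment.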
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c @@ -269,17 +269,33 @@ static void find_dns_updater() { if (!(is_systemd_resolved_primary_resolver())) { // On newer systems, RESOLVCONF is a symlink to RESOLVECTL // By now, we know systemd-resolved is not available - if (is_executable(RESOLVCONF) && !(is_resolvconf_systemd_resolved())) { + // This resolver is only supported when running as root due + // to the large set of capabilies required. + uid_t euid = geteuid(); + if (euid == 0 && is_executable(RESOLVCONF) && !(is_resolvconf_systemd_resolved())) { dns_updater = dns_update_resolvconf; return; } - ZITI_LOG(WARN, "Adding ziti resolver to /etc/resolv.conf. Ziti DNS functionality may be impaired"); - dns_updater = dns_update_etc_resolv; - dns_set_miss_status(DNS_REFUSE); + bool fowner_cap = has_effective_capability(CAP_FOWNER); + if (euid == 0 || fowner_cap) { + ZITI_LOG(WARN, "Adding ziti resolver to %s.conf. Ziti DNS functionality may be impaired", RESOLV_CONF_FILE); + uid_t ziti_uid = get_user_uid("ziti"); + if (euid != 0 && fowner_cap) { + if (euid == ziti_uid) { + install_user_acl_etc_resolv(ziti_uid); + } else { + ZITI_LOG(ERROR, "No means to manipulate %s. Run this program as 'root' or as the 'ziti' user with CAP_FOWNER.", RESOLV_CONF_FILE); + exit(EXIT_FAILURE); + } + } + dns_updater = dns_update_etc_resolv; + dns_set_miss_status(DNS_REFUSE); + return; + } } else { - ZITI_LOG(ERROR, "Refusing to alter DNS configuration. /etc/resolv.conf is a symlink to systemd-resolved, but no systemd resolver succeeded"); - exit(1); + ZITI_LOG(ERROR, "Refusing to alter DNS configuration. %s is a symlink to systemd-resolved, but no systemd resolver succeeded.", RESOLV_CONF_FILE); + exit(EXIT_FAILURE); } } diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/utils.c b/programs/ziti-edge-tunnel/netif_driver/linux/utils.c index e179a6cce..c33919680 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/utils.c 
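Review bot: When the process is neither root nor holds CAP_FOWNER, the new `if (euid == 0 || fowner_cap)` block is skipped and find_dns_updater returns with `dns_updater` left unset and no diagnostic, whereas before this hunk `dns_update_etc_resolv` was always installed; an explicit `else { ZITI_LOG(ERROR, "No means to manipulate %s ...", RESOLV_CONF_FILE); exit(EXIT_FAILURE); }` is needed so the failure is not silent. The warning `"Adding ziti resolver to %s.conf. ..."` appends `.conf` to RESOLV_CONF_FILE, which the sibling message in the else branch formats as a complete path, so it likely prints `/etc/resolv.conf.conf`; use `ZITI_LOG(WARN, "Adding ziti resolver to %s. Ziti DNS functionality may be impaired", RESOLV_CONF_FILE);`. The added comment also misspells "capabilities". find_dns_updater begins outside this hunk.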
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/utils.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include @@ -59,3 +60,50 @@ bool is_symlink(const char *path) { struct stat s; return (lstat(path, &s) == 0 && S_ISLNK(s.st_mode)); } + +bool has_effective_capability(cap_value_t cap) { + cap_t caps; + cap_flag_value_t flag; + + caps = cap_get_proc(); + + if (caps == NULL) { + ZITI_LOG(ERROR, "could not get process capabilities: %d/%s", errno, strerror(errno)); + return false; + } + + if (cap_get_flag(caps, cap, CAP_EFFECTIVE, &flag) == -1) { + ZITI_LOG(ERROR, "could not get capability flags: %d/%s", errno, strerror(errno)); + cap_free(caps); + return false; + } + + if (flag != CAP_SET) { + char *cap_name = cap_to_name(cap); + if (cap_name == NULL) { + ZITI_LOG(ERROR, "failure getting capability name"); + } else { + ZITI_LOG(WARN, "capability %s is missing", cap_name); + cap_free(cap_name); + } + cap_free(caps); + return false; + } + + cap_free(caps); + return true; +} + +uid_t get_user_uid(const char *username) { + uid_t ziti_uid = -1; + + struct passwd *pwd = getpwnam(username); + if (pwd == NULL) { + ZITI_LOG(ERROR, "could not find id of '%s' user\n", username); + return ziti_uid; + } + + ziti_uid = pwd->pw_uid; + ZITI_LOG(TRACE, "found uid=%d for user '%s'\n", ziti_uid, username); + return ziti_uid; +} diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/utils.h b/programs/ziti-edge-tunnel/netif_driver/linux/utils.h index a12fc3a7a..ec17095cd 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/utils.h +++ b/programs/ziti-edge-tunnel/netif_driver/linux/utils.h 
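Review bot: `get_user_uid` stores `-1` in an unsigned `uid_t` and logs it with `%d`; make the sentinel explicit with `uid_t ziti_uid = (uid_t)-1;`, log it with `%u`, and document in utils.h that `(uid_t)-1` means "account not found" so callers such as tun.c can test for it instead of comparing it blindly against `geteuid()`. `getpwnam` returns a pointer into static storage and is not reentrant; if any other thread in this libuv-based process touches the passwd database, prefer `getpwnam_r` with a local `struct passwd` and buffer. has_effective_capability looks correct, including releasing the `cap_to_name` result with `cap_free`.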
@@ -15,9 +15,12 @@ */ #include #include +#include int run_command_va(bool log_nonzero_ec, const char* cmd, va_list args); int run_command(const char *cmd, ...); int run_command_ex(bool log_nonzero_ec, const char *cmd, ...); bool is_executable(const char *path); bool is_symlink(const char *path); +bool has_effective_capability(cap_value_t cap); +uid_t get_user_uid(const char *username); diff --git a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake index 77497067e..77c90549c 100644 --- a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake +++ b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake @@ -1,7 +1,7 @@ cmake_policy(SET CMP0057 NEW) if(CPACK_GENERATOR MATCHES "RPM") - set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel") + set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libacl-devel, libcap-devel") if(CPACK_OS_RELEASE_NAME IN_LIST CPACK_RPM_DISTRIBUTIONS AND CPACK_OS_RELEASE_VERSION VERSION_GREATER "7") list(APPEND CPACK_RPM_BUILDREQUIRES "systemd-rpm-macros") endif() diff --git a/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.service.in b/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.service.in index 144fb4043..01b69d4a7 100644 --- a/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.service.in +++ b/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.service.in @@ -7,7 +7,7 @@ Type=simple EnvironmentFile=@CPACK_ETC_DIR@/@SYSTEMD_SERVICE_NAME@.env User=ziti UMask=0007 -AmbientCapabilities=CAP_NET_ADMIN +AmbientCapabilities=CAP_NET_ADMIN CAP_FOWNER ExecStartPre=@CPACK_BIN_DIR@/@SYSTEMD_SERVICE_NAME@.sh ExecStart=@CPACK_BIN_DIR@/@SYSTEMD_SERVICE_NAME@ run --verbose=${ZITI_VERBOSE} --dns-ip-range=${ZITI_DNS_IP_RANGE} --identity-dir=${ZITI_IDENTITY_DIR} Restart=always 
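Review bot: `AmbientCapabilities=CAP_NET_ADMIN CAP_FOWNER` grants the service a capability it needs only once, at startup, to call `acl_set_file` on the resolver file, yet the process keeps it for its whole lifetime, and because ambient capabilities survive execve by unprivileged binaries every helper spawned through `run_command` (for example the `echo ... | resolvconf -a` pipeline in resolvers.c) inherits it too. CAP_FOWNER bypasses the owner check for chmod and ACL changes on any file, so a compromise of the tunneler or of a spawned helper becomes a route to arbitrary file access, not just to resolv.conf. After `install_user_acl_etc_resolv` returns, drop CAP_FOWNER from the effective and permitted sets with `cap_set_proc` and lower it from the ambient set with `prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, CAP_FOWNER, 0, 0)`, and add `CapabilityBoundingSet=CAP_NET_ADMIN CAP_FOWNER` to this unit so the permitted set cannot be widened.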
From 61e91ec2761b40bdfe43b69ad0b087a9fe35b719 Mon Sep 17 00:00:00 2001 From: "Steven A. Broderick Elias" Date: Tue, 8 Aug 2023 08:21:35 -0400 Subject: [PATCH 02/17] consistent spacing --- programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c index 7a72161d1..5b3c4d0ac 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c @@ -475,10 +475,10 @@ static void cleanup_acl(acl_t *acl) { } } -#define ACL_EXIT(acl) do{ \ +#define ACL_EXIT(acl) do{ \ ZITI_LOG(ERROR, "ACL operation failed: %s\n", strerror(errno)); \ - cleanup_acl(acl); \ - return; \ + cleanup_acl(acl); \ + return; \ } while(0) #define CHECK_ACL(f) do{ \ From 8b9ad339bd7724a5d74dfdc743cfbf5c93486206 Mon Sep 17 00:00:00 2001 From: "Steven A. Broderick Elias" Date: Tue, 8 Aug 2023 08:34:35 -0400 Subject: [PATCH 03/17] update container deps --- .../redhat-8/Dockerfile | 14 ++++++++------ .../redhat-9/Dockerfile | 2 ++ .../ubuntu-20.04/Dockerfile | 2 ++ .../ubuntu-22.04/Dockerfile | 2 ++ 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile index 004583731..d3a873686 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile 
@@ -15,24 +15,26 @@ ENV TZ=UTC RUN dnf install -y \ "@Development Tools" \ + cmake-rpm-macros \ dnf-plugins-core \ gcc-toolset-10 \ gcc-toolset-10-libatomic-devel \ iproute \ + libacl-devel \ + libcap-devel \ + openssl-devel \ + perl \ python3 \ systemd-devel \ - zlib-devel \ systemd-rpm-macros \ - cmake-rpm-macros \ - openssl-devel \ - perl \ + zlib-devel \ && dnf config-manager --set-enabled powertools \ && dnf install -y \ doxygen \ - graphviz \ git \ + graphviz \ ninja-build \ - && dnf clean all + && dnf clean all RUN curl -sSfL https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-linux-$(uname -m).sh -o cmake.sh \ && (bash cmake.sh --skip-license --prefix=/usr/local) \ diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile index 4765262ce..191975558 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile @@ -27,6 +27,8 @@ RUN dnf install -y \ openssl-devel \ perl-FindBin perl-IPC-Cmd perl-File-Compare perl-File-Copy \ libatomic \ + libacl-devel \ + libcap-devel \ && dnf config-manager --set-enabled crb \ && dnf install -y \ doxygen \ diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile index 610ac5f05..2bbf665bf 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile @@ -34,6 +34,8 @@ RUN apt-get update \ zlib1g-dev \ libssl-dev \ ninja-build \ + libacl1-dev \ + libcap-dev \ && rm -rf /var/lib/apt/lists/* COPY ./crossbuild.list /etc/apt/sources.list.d/crossbuild.list diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile index c06545f9b..4bc6ac377 100644 
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile @@ -36,6 +36,8 @@ RUN apt-get update \ zlib1g-dev \ libssl-dev \ ninja-build \ + libacl1-dev \ + libcap-dev \ && rm -rf /var/lib/apt/lists/* COPY ./crossbuild.list /etc/apt/sources.list.d/crossbuild.list From 59ccb593a734d688ab31dff625fc6608fada6421 Mon Sep 17 00:00:00 2001 From: "Steven A. Broderick Elias" Date: Wed, 9 Aug 2023 17:22:13 -0400 Subject: [PATCH 04/17] fix builds --- .../redhat-8/Dockerfile | 4 +++ .../redhat-9/Dockerfile | 24 +++++++++++------ .../ubuntu-20.04/Dockerfile | 26 ++++++++++++------- .../ubuntu-22.04/Dockerfile | 21 ++++++++------- BUILD.md | 19 ++++++++++++++ .../package/CPackGenConfig.cmake | 2 +- vcpkg.json | 4 +++ 7 files changed, 72 insertions(+), 28 deletions(-) diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile index d3a873686..bd6c09a70 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile @@ -15,13 +15,17 @@ ENV TZ=UTC RUN dnf install -y \ "@Development Tools" \ + autoconf \ + automake \ cmake-rpm-macros \ dnf-plugins-core \ gcc-toolset-10 \ gcc-toolset-10-libatomic-devel \ + gettext-devel \ iproute \ libacl-devel \ libcap-devel \ + libtool \ openssl-devel \ perl \ python3 \ diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile index 191975558..ea32f5c01 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile 
@@ -17,23 +17,31 @@ ENV TZ=UTC RUN dnf install -y \ "@Development Tools" \ + autoconf \ + automake \ + cmake-rpm-macros \ + cmake-rpm-macros \ dnf-plugins-core \ + gettext-devel \ iproute \ + libacl-devel \ + libatomic \ + libatomic \ + libcap-devel \ + libcap-devel \ + libtool \ + openssl-devel \ + openssl-devel \ + perl-FindBin perl-IPC-Cmd perl-File-Compare perl-File-Copy \ python3 \ systemd-devel \ - zlib-devel \ systemd-rpm-macros \ - cmake-rpm-macros \ - openssl-devel \ - perl-FindBin perl-IPC-Cmd perl-File-Compare perl-File-Copy \ - libatomic \ - libacl-devel \ - libcap-devel \ + zlib-devel \ && dnf config-manager --set-enabled crb \ && dnf install -y \ doxygen \ - graphviz \ git \ + graphviz \ ninja-build \ && dnf clean all diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile index 2bbf665bf..86b5ca5a2 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile @@ -16,26 +16,30 @@ WORKDIR /root/ RUN apt-get update \ && apt-get -y install \ - autoconf automake autopoint \ - gcc-arm-linux-gnueabihf \ - g++-arm-linux-gnueabihf \ - gcc-aarch64-linux-gnu \ + autoconf \ + automake \ + autopoint \ + build-essential \ crossbuild-essential-arm64 \ crossbuild-essential-armhf \ - build-essential \ - curl zip unzip tar \ + curl \ doxygen \ + g++-arm-linux-gnueabihf \ + gcc-aarch64-linux-gnu \ + gcc-arm-linux-gnueabihf \ git \ graphviz \ + libcap-dev \ + libssl-dev \ libsystemd-dev \ libtool \ + ninja-build \ pkg-config \ python3 \ + tar \ + unzip \ + zip \ zlib1g-dev \ - libssl-dev \ - ninja-build \ - libacl1-dev \ - libcap-dev \ && rm -rf /var/lib/apt/lists/* COPY ./crossbuild.list /etc/apt/sources.list.d/crossbuild.list 
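Review bot: The reordered redhat-9 package list on the new side contains `cmake-rpm-macros`, `libatomic`, `libcap-devel` and `openssl-devel` twice each (adjacent duplicate `+` lines); dnf tolerates this, but the list was resorted precisely to make it reviewable, so remove one copy of each. The matching resort in the ubuntu-20.04 hunk drops `libacl1-dev`, presumably because the `acl` port is now taken from vcpkg; a one-line comment above the `apt-get -y install` run stating that reason would stop the next reader from re-adding it.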
@@ -43,6 +47,8 @@ RUN sed -Ei 's/^deb/deb [arch=amd64]/g' /etc/apt/sources.list RUN dpkg --add-architecture arm64 && dpkg --add-architecture armhf RUN apt-get update \ && apt-get -y install \ + libcap-dev:armhf \ + libcap-dev:arm64 \ libssl-dev:arm64 \ libssl-dev:armhf \ zlib1g-dev:arm64 \ diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile index 4bc6ac377..9fe5f8c28 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile @@ -18,26 +18,27 @@ WORKDIR /root/ RUN apt-get update \ && apt-get -y install \ - autoconf automake autopoint \ - gcc-arm-linux-gnueabihf \ - g++-arm-linux-gnueabihf \ - gcc-aarch64-linux-gnu \ + autoconf \ + automake \ + autopoint \ + build-essential \ crossbuild-essential-arm64 \ crossbuild-essential-armhf \ - build-essential \ curl zip unzip tar \ doxygen \ + g++-arm-linux-gnueabihf \ + gcc-aarch64-linux-gnu \ + gcc-arm-linux-gnueabihf \ git \ graphviz \ + libcap-dev \ + libssl-dev \ libsystemd-dev \ libtool \ + ninja-build \ pkg-config \ python3 \ zlib1g-dev \ - libssl-dev \ - ninja-build \ - libacl1-dev \ - libcap-dev \ && rm -rf /var/lib/apt/lists/* COPY ./crossbuild.list /etc/apt/sources.list.d/crossbuild.list @@ -45,6 +46,8 @@ RUN sed -Ei 's/^deb/deb [arch=amd64]/g' /etc/apt/sources.list RUN dpkg --add-architecture arm64 && dpkg --add-architecture armhf RUN apt-get update \ && apt-get -y install \ + libcap-dev:armhf \ + libcap-dev:arm64 \ libssl-dev:arm64 \ libssl-dev:armhf \ zlib1g-dev:arm64 \ diff --git a/BUILD.md b/BUILD.md index afa8fc5ea..4dcbce2cc 100644 --- a/BUILD.md +++ b/BUILD.md 
@@ -16,6 +16,25 @@ site](https://openziti.io/). * make sure cmake is on your path or replace the following `cmake` commands with the fully qualified path to the binary * [vcpkg](https://github.com/microsoft/vcpkg) is now used for dependencies. +On Linux, you may also need the following: + +* autoconf +* automake +* libtool +* autopoint + +On Red Hat distributions: + +```bash +sudo yum install automake autoconf libtool gettext-devel +``` + +On Debian based distributions: + +```bash +sudo apt install automake autoconf libtool autopoint +``` + ### Setting up vcpkg To setup vcpkg you'll need to clone the actual vcpkg repository. The first step will have you set this environment variable. diff --git a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake index 77c90549c..00fd3ac36 100644 --- a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake +++ b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake @@ -1,7 +1,7 @@ cmake_policy(SET CMP0057 NEW) if(CPACK_GENERATOR MATCHES "RPM") - set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libacl-devel, libcap-devel") + set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libacl-devel") if(CPACK_OS_RELEASE_NAME IN_LIST CPACK_RPM_DISTRIBUTIONS AND CPACK_OS_RELEASE_VERSION VERSION_GREATER "7") list(APPEND CPACK_RPM_BUILDREQUIRES "systemd-rpm-macros") endif() diff --git a/vcpkg.json b/vcpkg.json index 750f3aeeb..4644e902a 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -2,6 +2,10 @@ "name": "ziti", "version-semver": "1.0.0", "dependencies": [ + { + "name": "acl", + "platform": "linux" + }, "libuv", "zlib", "llhttp", From 9b10d4e0b9b90d5e94498de621e8ba752857d468 Mon Sep 17 00:00:00 2001 
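Review bot: This hunk removes `libcap-devel` from CPACK_RPM_BUILDREQUIRES while, at this point in the series, programs/ziti-edge-tunnel/CMakeLists.txt still declares `pkg_check_modules(LIBCAP REQUIRED ...)`, so a build driven by the generated spec on a clean host would fail to configure; the CI Dockerfiles install libcap-devel directly, which masks the gap. Keep `libcap-devel` in the string and make it conditional later if the dependency becomes optional. BUILD.md could also say that on Linux `acl` is now satisfied through vcpkg while libcap still comes from the system packages, since that is the split the Dockerfiles and vcpkg.json in this commit implement.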
From: "Steven A. Broderick Elias" Date: Thu, 10 Aug 2023 14:55:03 -0400 Subject: [PATCH 05/17] Add missing newline --- programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c index 5b3c4d0ac..ca44f6667 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c @@ -538,7 +538,8 @@ void install_user_acl_etc_resolv(uid_t uid) { } if (!acl_found) { - CHECK_ACL(acl_create_entry(&acl, &entry)); CHECK_ACL(acl_set_tag_type(entry, ACL_USER)); + CHECK_ACL(acl_create_entry(&acl, &entry)); + CHECK_ACL(acl_set_tag_type(entry, ACL_USER)); CHECK_ACL(acl_set_qualifier(entry, &uid)); CHECK_ACL(acl_get_permset(entry, &permset)); } From 3390285ef8256a49022db8804efe4dc7cddbd221 Mon Sep 17 00:00:00 2001 From: "Steven A. Broderick Elias" Date: Tue, 22 Aug 2023 11:13:35 -0400 Subject: [PATCH 06/17] Add include guards --- programs/ziti-edge-tunnel/CMakeLists.txt | 23 ++++++++++------ .../netif_driver/linux/resolvers.c | 5 +++- .../netif_driver/linux/resolvers.h | 2 ++ .../ziti-edge-tunnel/netif_driver/linux/tun.c | 26 +++++++++---------- .../netif_driver/linux/utils.c | 5 ++++ .../netif_driver/linux/utils.h | 7 ++++- .../package/CPackGenConfig.cmake | 4 +-- 7 files changed, 47 insertions(+), 25 deletions(-) diff --git a/programs/ziti-edge-tunnel/CMakeLists.txt b/programs/ziti-edge-tunnel/CMakeLists.txt index 7bdcc285f..ca8267819 100644 --- a/programs/ziti-edge-tunnel/CMakeLists.txt +++ b/programs/ziti-edge-tunnel/CMakeLists.txt 
@@ -54,18 +54,25 @@ if(CMAKE_SYSTEM_NAME STREQUAL Windows) endif() if(CMAKE_SYSTEM_NAME STREQUAL "Linux") - option(DISABLE_LIBSYSTEMD_FEATURE "libsystemd library integration toggle" OFF) - message("DISABLE_LIBSYSTEMD_FEATURE: ${DISABLE_LIBSYSTEMD_FEATURE}") find_package(PkgConfig REQUIRED) - pkg_check_modules(LIBACL REQUIRED IMPORTED_TARGET "libacl") - pkg_check_modules(LIBCAP REQUIRED IMPORTED_TARGET "libcap") + pkg_check_modules(LIBACL IMPORTED_TARGET "libacl") + pkg_check_modules(LIBCAP IMPORTED_TARGET "libcap") - target_link_libraries(ziti-edge-tunnel - PRIVATE PkgConfig::LIBACL - PRIVATE PkgConfig::LIBCAP - ) + if (LIBACL_FOUND) + target_compile_definitions(ziti-edge-tunnel PRIVATE HAVE_LIBACL_H) + target_link_libraries(ziti-edge-tunnel PRIVATE PkgConfig::LIBACL) + endif() + + if (LIBCAP_FOUND) + target_compile_definitions(ziti-edge-tunnel PRIVATE HAVE_LIBCAP_H) + target_link_libraries(ziti-edge-tunnel PRIVATE PkgConfig::LIBCAP) + endif() + + + option(DISABLE_LIBSYSTEMD_FEATURE "libsystemd library integration toggle" OFF) + message("DISABLE_LIBSYSTEMD_FEATURE: ${DISABLE_LIBSYSTEMD_FEATURE}") if (DISABLE_LIBSYSTEMD_FEATURE) target_compile_definitions(ziti-edge-tunnel PRIVATE EXCLUDE_LIBSYSTEMD_RESOLVER) diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c index ca44f6667..b00769df5 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c @@ -19,8 +19,10 @@ #include #include #include +#ifdef HAVE_LIBACL_H #include #include +#endif #ifndef EXCLUDE_LIBSYSTEMD_RESOLVER #include @@ -466,6 +468,7 @@ void dns_update_resolvconf(const char *tun, unsigned int ifindex, const char *ad run_command("echo 'nameserver %s' | %s -a %s", addr, RESOLVCONF, tun); } +#ifdef HAVE_LIBACL_H static void cleanup_acl(acl_t *acl) { if (*acl != NULL) { if (acl_free(*acl) == -1) { 
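Review bot: Making libacl and libcap optional means a build on a host without their pkg-config files silently compiles out both the CAP_FOWNER check and the ACL installation, and the non-root path in tun.c then falls through to editing the resolver file directly, which will presumably fail at runtime with a permission error rather than at configure time. Emit a visible diagnostic when either package is missing, e.g. after the two `if (..._FOUND)` blocks: `if (NOT LIBACL_FOUND OR NOT LIBCAP_FOUND)` / `message(WARNING "libacl/libcap not found; a non-root ziti-edge-tunnel will be unable to update the resolver configuration")` / `endif()`, or add an explicit option so packagers opt out deliberately rather than by accident.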
@@ -487,7 +490,6 @@ static void cleanup_acl(acl_t *acl) { } \ } while(0) - void install_user_acl_etc_resolv(uid_t uid) { _cleanup_(cleanup_acl) acl_t acl; @@ -564,6 +566,7 @@ void install_user_acl_etc_resolv(uid_t uid) { ZITI_LOG(INFO, "[%s] ACL permissions have been installed.\n", RESOLV_CONF_FILE); return; } +#endif static bool make_copy(const char *src, const char *dst) { diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h index e070d5cd5..df872558f 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h +++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h @@ -55,4 +55,6 @@ void dns_update_systemd_resolved(const char* tun, unsigned int ifindex, const ch void dns_update_resolvconf(const char* tun, unsigned int ifindex, const char* addr); void dns_update_etc_resolv(const char* tun, unsigned int ifindex, const char* addr); +#ifdef HAVE_LIBACL_H void install_user_acl_etc_resolv(uid_t uid); +#endif diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c index ea01be9cc..5ed6f48fc 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c 
@@ -277,22 +277,22 @@ static void find_dns_updater() { return; } - bool fowner_cap = has_effective_capability(CAP_FOWNER); - if (euid == 0 || fowner_cap) { - ZITI_LOG(WARN, "Adding ziti resolver to %s.conf. Ziti DNS functionality may be impaired", RESOLV_CONF_FILE); +#if defined(HAVE_LIBCAP_H) && defined(HAVE_LIBACL_H) + if (euid != 0) { uid_t ziti_uid = get_user_uid("ziti"); - if (euid != 0 && fowner_cap) { - if (euid == ziti_uid) { - install_user_acl_etc_resolv(ziti_uid); - } else { - ZITI_LOG(ERROR, "No means to manipulate %s. Run this program as 'root' or as the 'ziti' user with CAP_FOWNER.", RESOLV_CONF_FILE); - exit(EXIT_FAILURE); - } + bool fowner_cap = has_effective_capability(CAP_FOWNER); + if ((euid == ziti_uid) && fowner_cap) { + install_user_acl_etc_resolv(ziti_uid); + } else { + ZITI_LOG(ERROR, "No means to manipulate %s. Run this program as 'root' or as the 'ziti' user with CAP_FOWNER.", RESOLV_CONF_FILE); + exit(EXIT_FAILURE); } - dns_updater = dns_update_etc_resolv; - dns_set_miss_status(DNS_REFUSE); - return; } +#endif + ZITI_LOG(WARN, "Adding ziti resolver to %s.conf. Ziti DNS functionality may be impaired", RESOLV_CONF_FILE); + dns_updater = dns_update_etc_resolv; + dns_set_miss_status(DNS_REFUSE); + return; } else { ZITI_LOG(ERROR, "Refusing to alter DNS configuration. %s is a symlink to systemd-resolved, but no systemd resolver succeeded.", RESOLV_CONF_FILE); exit(EXIT_FAILURE); diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/utils.c b/programs/ziti-edge-tunnel/netif_driver/linux/utils.c index c33919680..ca29fcb6f 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/utils.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/utils.c @@ -19,7 +19,10 @@ #include #include #include +#include +#ifdef HAVE_LIBCAP_H #include +#endif #include #include 
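Review bot: The non-root branch hard-codes the account name through `get_user_uid("ziti")` and refuses unless `euid == ziti_uid`, but the ACL is only ever installed for the caller's own euid, so the name lookup adds nothing to the security check and couples the binary to the packaging's `User=ziti`; `install_user_acl_etc_resolv(euid)` guarded by `fowner_cap` alone would work for any service account. If the name check is kept, test for the `(uid_t)-1` sentinel first, because when the account does not exist the message printed is the misleading "Run this program as 'root' or as the 'ziti' user". The warning still formats `"%s.conf"` with RESOLV_CONF_FILE, which the else-branch message uses as a full path, so it likely prints `/etc/resolv.conf.conf`; drop the `.conf`. find_dns_updater begins outside this hunk.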
@@ -61,6 +64,7 @@ bool is_symlink(const char *path) { return (lstat(path, &s) == 0 && S_ISLNK(s.st_mode)); } +#ifdef HAVE_LIBCAP_H bool has_effective_capability(cap_value_t cap) { cap_t caps; cap_flag_value_t flag; @@ -93,6 +97,7 @@ bool has_effective_capability(cap_value_t cap) { cap_free(caps); return true; } +#endif uid_t get_user_uid(const char *username) { uid_t ziti_uid = -1; diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/utils.h b/programs/ziti-edge-tunnel/netif_driver/linux/utils.h index ec17095cd..816ac87ca 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/utils.h +++ b/programs/ziti-edge-tunnel/netif_driver/linux/utils.h @@ -15,12 +15,17 @@ */ #include #include +#include +#ifdef HAVE_LIBCAP_H #include +#endif int run_command_va(bool log_nonzero_ec, const char* cmd, va_list args); int run_command(const char *cmd, ...); int run_command_ex(bool log_nonzero_ec, const char *cmd, ...); bool is_executable(const char *path); bool is_symlink(const char *path); -bool has_effective_capability(cap_value_t cap); uid_t get_user_uid(const char *username); +#ifdef HAVE_LIBCAP_H +bool has_effective_capability(cap_value_t cap); +#endif diff --git a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake index 00fd3ac36..97c0b3867 100644 --- a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake +++ b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake 
@@ -6,7 +6,7 @@ if(CPACK_GENERATOR MATCHES "RPM") list(APPEND CPACK_RPM_BUILDREQUIRES "systemd-rpm-macros") endif() set(CPACK_RPM_PACKAGE_SOURCES OFF) - set(CPACK_RPM_PACKAGE_REQUIRES "iproute, gawk, systemd, libatomic, openssl-libs, zlib, polkit") + set(CPACK_RPM_PACKAGE_REQUIRES "iproute, gawk, systemd, libatomic, openssl-libs, zlib, polkit, libcap") set(CPACK_RPM_CHANGELOG_FILE "${CMAKE_CURRENT_LIST_DIR}/RPM_CHANGELOG") set(CPACK_RPM_FILE_NAME "RPM-DEFAULT") set(CPACK_RPM_PACKAGE_DESCRIPTION "The OpenZiti Edge Tunnel is a zero-trust tunneling software client.") @@ -38,6 +38,6 @@ if(CPACK_GENERATOR MATCHES "DEB") # specify "libssl3 if it exists in the repos, or nothing" as a dependency. # systemd package on older distros does not contain `systemd-sysusers`, so include passwd for `useradd`, `groupadd`. # login provides `/usr/sbin/nologin`. - set(CPACK_DEBIAN_PACKAGE_DEPENDS "debconf, iproute2, sed, systemd, libatomic1, libssl3 | libssl1.1 | libssl1.0.0, login, passwd, policykit-1, zlib1g") + set(CPACK_DEBIAN_PACKAGE_DEPENDS "debconf, iproute2, sed, systemd, libatomic1, libssl3 | libssl1.1 | libssl1.0.0, login, passwd, policykit-1, zlib1g, libcap") set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CPACK_DEB_CONFFILES};${CPACK_DEB_PRE_INSTALL};${CPACK_DEB_POST_INSTALL};${CPACK_DEB_PRE_UNINSTALL};${CPACK_DEB_POST_UNINSTALL};${CPACK_DEB_TEMPLATES}") endif(CPACK_GENERATOR MATCHES "DEB") From dc831e97436e621090ddd8f71519e3693b700b79 Mon Sep 17 00:00:00 2001 From: "Steven A. Broderick Elias" Date: Tue, 22 Aug 2023 12:12:52 -0400 Subject: [PATCH 07/17] fix package name in depends --- programs/ziti-edge-tunnel/package/CPackGenConfig.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake index 97c0b3867..8cd738251 100644 --- a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake +++ b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake 
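Review bot: The runtime dependency lists now require libcap unconditionally, but the preceding CMake change links libcap and libacl only when pkg-config finds them, so the package may demand a library the binary does not use, and conversely nothing declares libacl (`libacl` on RPM, `libacl1` on Debian) even though the binary links it whenever LIBACL_FOUND is set. libacl is normally pulled in by coreutils, so this rarely bites, but the dependency should be explicit and ideally each entry appended only when the corresponding `*_FOUND` result is true, e.g. `if(LIBACL_FOUND) string(APPEND CPACK_RPM_PACKAGE_REQUIRES ", libacl") endif()`, provided the configure-time results are forwarded into this CPack script. The Debian package name for libcap is corrected in the next commit of this series.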
@@ -38,6 +38,6 @@ if(CPACK_GENERATOR MATCHES "DEB")
 # specify "libssl3 if it exists in the repos, or nothing" as a dependency.
 # systemd package on older distros does not contain `systemd-sysusers`, so include passwd for `useradd`, `groupadd`.
 # login provides `/usr/sbin/nologin`.
- set(CPACK_DEBIAN_PACKAGE_DEPENDS "debconf, iproute2, sed, systemd, libatomic1, libssl3 | libssl1.1 | libssl1.0.0, login, passwd, policykit-1, zlib1g, libcap")
+ set(CPACK_DEBIAN_PACKAGE_DEPENDS "debconf, iproute2, sed, systemd, libatomic1, libssl3 | libssl1.1 | libssl1.0.0, login, passwd, policykit-1, zlib1g, libcap2")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CPACK_DEB_CONFFILES};${CPACK_DEB_PRE_INSTALL};${CPACK_DEB_POST_INSTALL};${CPACK_DEB_PRE_UNINSTALL};${CPACK_DEB_POST_UNINSTALL};${CPACK_DEB_TEMPLATES}")
 endif(CPACK_GENERATOR MATCHES "DEB")
From f0b4dbe4a24eb4d47c746d933f8875612df5e50e Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Tue, 12 Sep 2023 11:56:17 -0400
Subject: [PATCH 08/17] Change compile definition wording
---
 programs/ziti-edge-tunnel/CMakeLists.txt | 4 ++--
 programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c | 4 ++--
 programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h | 2 +-
 programs/ziti-edge-tunnel/netif_driver/linux/tun.c | 2 +-
 programs/ziti-edge-tunnel/netif_driver/linux/utils.c | 4 ++--
 programs/ziti-edge-tunnel/netif_driver/linux/utils.h | 4 ++--
 6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/programs/ziti-edge-tunnel/CMakeLists.txt b/programs/ziti-edge-tunnel/CMakeLists.txt
index ca8267819..e70c0ae90 100644
--- a/programs/ziti-edge-tunnel/CMakeLists.txt
+++ b/programs/ziti-edge-tunnel/CMakeLists.txt
@@ -61,12 +61,12 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
 pkg_check_modules(LIBCAP IMPORTED_TARGET "libcap")
 if (LIBACL_FOUND)
- target_compile_definitions(ziti-edge-tunnel PRIVATE HAVE_LIBACL_H)
+ target_compile_definitions(ziti-edge-tunnel PRIVATE HAVE_LIBACL_PKG)
 target_link_libraries(ziti-edge-tunnel PRIVATE PkgConfig::LIBACL)
 endif()
 if (LIBCAP_FOUND)
- target_compile_definitions(ziti-edge-tunnel PRIVATE HAVE_LIBCAP_H)
+ target_compile_definitions(ziti-edge-tunnel PRIVATE HAVE_LIBCAP_PKG)
 target_link_libraries(ziti-edge-tunnel PRIVATE PkgConfig::LIBCAP)
 endif()
diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c
index b00769df5..1f5966009 100644
--- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c
@@ -19,7 +19,7 @@
 #include
 #include
 #include
-#ifdef HAVE_LIBACL_H
+#ifdef HAVE_LIBACL_PKG
 #include
 #include
 #endif
@@ -468,7 +468,7 @@ void dns_update_resolvconf(const char *tun, unsigned int ifindex, const char *ad
 run_command("echo 'nameserver %s' | %s -a %s", addr, RESOLVCONF, tun);
 }
-#ifdef HAVE_LIBACL_H
+#ifdef HAVE_LIBACL_PKG
 static void cleanup_acl(acl_t *acl) {
 if (*acl != NULL) {
 if (acl_free(*acl) == -1) {
diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h
index df872558f..ec93c483e 100644
--- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h
@@ -55,6 +55,6 @@ void dns_update_systemd_resolved(const char* tun, unsigned int ifindex, const ch
 void dns_update_resolvconf(const char* tun, unsigned int ifindex, const char* addr);
 void dns_update_etc_resolv(const char* tun, unsigned int ifindex, const char* addr);
-#ifdef HAVE_LIBACL_H
+#ifdef HAVE_LIBACL_PKG
 void install_user_acl_etc_resolv(uid_t uid);
 #endif
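Review bot: Neither `pkg_check_modules` result in this hunk has an `else()` branch, so a build host without libacl-dev or libcap-dev silently configures a ziti-edge-tunnel in which `HAVE_LIBACL_PKG`/`HAVE_LIBCAP_PKG` are undefined and `install_user_acl_etc_resolv` (guarded by the same macro in resolvers.h below) does not exist; nothing warns at configure time, and whether the shipped binary can manage `/etc/resolv.conf` as a non-root service depends on what happened to be installed on the builder. For a feature that decides a privilege grant on a system file, absence should be loud: add `else()` / `message(WARNING "libacl not found; non-root ziti-edge-tunnel will not be able to manage /etc/resolv.conf")` to the `LIBACL_FOUND` block, the equivalent for `LIBCAP_FOUND`, or an option that restores `REQUIRED` for release packaging. The enclosing `if(CMAKE_SYSTEM_NAME STREQUAL "Linux")` block starts and ends outside the hunk.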
diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c
index 5ed6f48fc..fb2988897 100644
--- a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c
@@ -277,7 +277,7 @@ static void find_dns_updater() {
 return;
 }
-#if defined(HAVE_LIBCAP_H) && defined(HAVE_LIBACL_H)
+#if defined(HAVE_LIBCAP_PKG) && defined(HAVE_LIBACL_PKG)
 if (euid != 0) {
 uid_t ziti_uid = get_user_uid("ziti");
 bool fowner_cap = has_effective_capability(CAP_FOWNER);
diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/utils.c b/programs/ziti-edge-tunnel/netif_driver/linux/utils.c
index ca29fcb6f..1c6ec4c58 100644
--- a/programs/ziti-edge-tunnel/netif_driver/linux/utils.c
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/utils.c
@@ -20,7 +20,7 @@
 #include
 #include
 #include
-#ifdef HAVE_LIBCAP_H
+#ifdef HAVE_LIBCAP_PKG
 #include
 #endif
 #include
@@ -64,7 +64,7 @@ bool is_symlink(const char *path) {
 return (lstat(path, &s) == 0 && S_ISLNK(s.st_mode));
 }
-#ifdef HAVE_LIBCAP_H
+#ifdef HAVE_LIBCAP_PKG
 bool has_effective_capability(cap_value_t cap) {
 cap_t caps;
 cap_flag_value_t flag;
diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/utils.h b/programs/ziti-edge-tunnel/netif_driver/linux/utils.h
index 816ac87ca..9ee559f10 100644
--- a/programs/ziti-edge-tunnel/netif_driver/linux/utils.h
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/utils.h
@@ -16,7 +16,7 @@
 #include
 #include
 #include
-#ifdef HAVE_LIBCAP_H
+#ifdef HAVE_LIBCAP_PKG
 #include
 #endif
@@ -26,6 +26,6 @@ int run_command_ex(bool log_nonzero_ec, const char *cmd, ...);
 bool is_executable(const char *path);
 bool is_symlink(const char *path);
 uid_t get_user_uid(const char *username);
-#ifdef HAVE_LIBCAP_H
+#ifdef HAVE_LIBCAP_PKG
 bool has_effective_capability(cap_value_t cap);
 #endif
From df986958d80805c116a9f933f1896f47e2a17aac Mon Sep 17 00:00:00 2001
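Review bot: The non-root branch in the tun.c hunk enters on `euid != 0` but picks the ACL beneficiary with the hard-coded `get_user_uid("ziti")`, so if the daemon is started under any other account (a `User=` override, a container, a manual run) the write ACL on /etc/resolv.conf is granted to `ziti`, an account that is not running the tunnel, while the user that actually needs it still cannot write the file. Write access to /etc/resolv.conf is effectively a DNS-redirection capability, so it should go to the process that needs it and to nothing else: `uid_t ziti_uid = euid;` or, if the name lookup is wanted for logging, refuse to install the ACL when `ziti_uid != euid`. `get_user_uid` initialises its result to `-1` (utils.c hunk above), so presumably `(uid_t)-1` signals a failed lookup; whether this branch checks for it, and the rest of `find_dns_updater`, lie outside the hunk.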
From: "Steven A. Broderick Elias"
Date: Tue, 12 Sep 2023 16:25:24 -0400
Subject: [PATCH 09/17] Tab to spaces
---
 programs/ziti-edge-tunnel/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/programs/ziti-edge-tunnel/CMakeLists.txt b/programs/ziti-edge-tunnel/CMakeLists.txt
index e70c0ae90..8b93659c2 100644
--- a/programs/ziti-edge-tunnel/CMakeLists.txt
+++ b/programs/ziti-edge-tunnel/CMakeLists.txt
@@ -67,7 +67,7 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
 if (LIBCAP_FOUND)
 target_compile_definitions(ziti-edge-tunnel PRIVATE HAVE_LIBCAP_PKG)
- target_link_libraries(ziti-edge-tunnel PRIVATE PkgConfig::LIBCAP)
+ target_link_libraries(ziti-edge-tunnel PRIVATE PkgConfig::LIBCAP)
 endif()
From 398d50f0066d100da6adab3525fb7672c248edaa Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Tue, 12 Sep 2023 16:38:18 -0400
Subject: [PATCH 10/17] Libacl-devel to libcap-devel buildrequires
---
 programs/ziti-edge-tunnel/package/CPackGenConfig.cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
index 8cd738251..f4a67beb7 100644
--- a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
+++ b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
@@ -1,7 +1,7 @@
 cmake_policy(SET CMP0057 NEW)
 if(CPACK_GENERATOR MATCHES "RPM")
- set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libacl-devel")
+ set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libcap-devel")
 if(CPACK_OS_RELEASE_NAME IN_LIST CPACK_RPM_DISTRIBUTIONS AND CPACK_OS_RELEASE_VERSION VERSION_GREATER "7")
 list(APPEND CPACK_RPM_BUILDREQUIRES "systemd-rpm-macros")
 endif()
From cda40a48c04865edc4a7592165b95f047c3ca31e Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Fri, 15 Sep 2023 10:52:15 -0400
Subject: [PATCH 11/17] Use dynamic linking when preferrable
---
 .../redhat-8/entrypoint.sh | 5 +++--
 .../openziti-tunnel-build-action/redhat-9/Dockerfile | 11 +++++------
 .../redhat-9/entrypoint.sh | 5 +++--
 .../ubuntu-20.04/Dockerfile | 1 +
 .../ubuntu-20.04/entrypoint.sh | 1 +
 .../ubuntu-22.04/Dockerfile | 1 +
 .../ubuntu-22.04/entrypoint.sh | 1 +
 .../ziti-edge-tunnel/package/CPackGenConfig.cmake | 6 +++---
 .../linux-syslibs/redhat8/acl/portfile.cmake | 1 +
 vcpkg-overlays/linux-syslibs/redhat8/acl/vcpkg.json | 4 ++++
 .../linux-syslibs/redhat9/acl/portfile.cmake | 1 +
 vcpkg-overlays/linux-syslibs/redhat9/acl/vcpkg.json | 4 ++++
 .../linux-syslibs/ubuntu20/acl/portfile.cmake | 1 +
 vcpkg-overlays/linux-syslibs/ubuntu20/acl/vcpkg.json | 4 ++++
 .../linux-syslibs/ubuntu22/acl/portfile.cmake | 1 +
 vcpkg-overlays/linux-syslibs/ubuntu22/acl/vcpkg.json | 4 ++++
 16 files changed, 38 insertions(+), 13 deletions(-)
 create mode 100644 vcpkg-overlays/linux-syslibs/redhat8/acl/portfile.cmake
 create mode 100644 vcpkg-overlays/linux-syslibs/redhat8/acl/vcpkg.json
 create mode 100644 vcpkg-overlays/linux-syslibs/redhat9/acl/portfile.cmake
 create mode 100644 vcpkg-overlays/linux-syslibs/redhat9/acl/vcpkg.json
 create mode 100644 vcpkg-overlays/linux-syslibs/ubuntu20/acl/portfile.cmake
 create mode 100644 vcpkg-overlays/linux-syslibs/ubuntu20/acl/vcpkg.json
 create mode 100644 vcpkg-overlays/linux-syslibs/ubuntu22/acl/portfile.cmake
 create mode 100644 vcpkg-overlays/linux-syslibs/ubuntu22/acl/vcpkg.json
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
index ea83cf477..9407e0f58 100755
--- a/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
@@ -39,7 +39,7 @@ done
 cmake -E make_directory ./build
 (
 [[ -d ./build ]] && rm -r ./build
- cmake -E make_directory ./build
+ cmake -E make_directory ./build
 # allow unset for scl_source scripts
 set +u
 source scl_source enable gcc-toolset-10 \
@@ -47,8 +47,9 @@ cmake -E make_directory ./build
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/redhat8" \
 -S . \
- -B ./build
+ -B ./build
 source scl_source enable gcc-toolset-10 \
 && cmake \
 --build ./build \
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile
index ea32f5c01..a1887e278 100644
--- a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile
+++ b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile
@@ -20,19 +20,18 @@ RUN dnf install -y \
 autoconf \
 automake \
 cmake-rpm-macros \
- cmake-rpm-macros \
 dnf-plugins-core \
 gettext-devel \
 iproute \
 libacl-devel \
 libatomic \
- libatomic \
- libcap-devel \
 libcap-devel \
 libtool \
 openssl-devel \
- openssl-devel \
- perl-FindBin perl-IPC-Cmd perl-File-Compare perl-File-Copy \
+ perl-File-Compare \
+ perl-File-Copy \
+ perl-FindBin \
+ perl-IPC-Cmd \
 python3 \
 systemd-devel \
 systemd-rpm-macros \
@@ -43,7 +42,7 @@ RUN dnf install -y \
 git \
 graphviz \
 ninja-build \
- && dnf clean all
+ && dnf clean all
 RUN curl -sSfL https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-linux-$(uname -m).sh -o cmake.sh \
 && (bash cmake.sh --skip-license --prefix=/usr/local) \
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
index aa991116d..33dec187f 100755
--- a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
@@ -38,7 +38,7 @@ done
 (
 [[ -d ./build ]] && rm -r ./build
- cmake -E make_directory ./build
+ cmake -E make_directory ./build
 # allow unset for scl_source scripts
 set +u
 cmake \
@@ -46,8 +46,9 @@ done
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
 "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/redhat9" \
 -S . \
- -B ./build
+ -B ./build
 cmake \
 --build ./build \
 --config "${cmake_config}" \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile
index 86b5ca5a2..c5797ad15 100644
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile
@@ -29,6 +29,7 @@ RUN apt-get update \
 gcc-arm-linux-gnueabihf \
 git \
 graphviz \
+ libacl1-dev \
 libcap-dev \
 libssl-dev \
 libsystemd-dev \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
index 1cb65f8fa..bdd9b78e2 100755
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
@@ -44,6 +44,7 @@ cmake \
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu20" \
 -S "${PWD}/" \
 -B ./build/
 cmake \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile
index 9fe5f8c28..c01e7e36b 100644
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile
@@ -31,6 +31,7 @@ RUN apt-get update \
 gcc-arm-linux-gnueabihf \
 git \
 graphviz \
+ libacl1-dev \
 libcap-dev \
 libssl-dev \
 libsystemd-dev \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
index 0a1285c33..0a862b59f 100755
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
@@ -45,6 +45,7 @@ cmake \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
 "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu22" \
 -S "${PWD}/" \
 -B ./build
 cmake \
diff --git a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
index f4a67beb7..6b8740711 100644
--- a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
+++ b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
@@ -1,12 +1,12 @@
 cmake_policy(SET CMP0057 NEW)
 if(CPACK_GENERATOR MATCHES "RPM")
- set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libcap-devel")
+ set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libacl-devel, libcap-devel")
 if(CPACK_OS_RELEASE_NAME IN_LIST CPACK_RPM_DISTRIBUTIONS AND CPACK_OS_RELEASE_VERSION VERSION_GREATER "7")
 list(APPEND CPACK_RPM_BUILDREQUIRES "systemd-rpm-macros")
 endif()
 set(CPACK_RPM_PACKAGE_SOURCES OFF)
- set(CPACK_RPM_PACKAGE_REQUIRES "iproute, gawk, systemd, libatomic, openssl-libs, zlib, polkit, libcap")
+ set(CPACK_RPM_PACKAGE_REQUIRES "iproute, gawk, systemd, libatomic, openssl-libs, zlib, polkit, libacl, libcap")
 set(CPACK_RPM_CHANGELOG_FILE "${CMAKE_CURRENT_LIST_DIR}/RPM_CHANGELOG")
 set(CPACK_RPM_FILE_NAME "RPM-DEFAULT")
 set(CPACK_RPM_PACKAGE_DESCRIPTION "The OpenZiti Edge Tunnel is a zero-trust tunneling software client.")
@@ -38,6 +38,6 @@ if(CPACK_GENERATOR MATCHES "DEB")
 # specify "libssl3 if it exists in the repos, or nothing" as a dependency.
 # systemd package on older distros does not contain `systemd-sysusers`, so include passwd for `useradd`, `groupadd`.
 # login provides `/usr/sbin/nologin`.
- set(CPACK_DEBIAN_PACKAGE_DEPENDS "debconf, iproute2, sed, systemd, libatomic1, libssl3 | libssl1.1 | libssl1.0.0, login, passwd, policykit-1, zlib1g, libcap2")
+ set(CPACK_DEBIAN_PACKAGE_DEPENDS "debconf, iproute2, sed, systemd, libatomic1, libssl3 | libssl1.1 | libssl1.0.0, login, passwd, policykit-1, zlib1g, libacl1, libcap2")
 set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CPACK_DEB_CONFFILES};${CPACK_DEB_PRE_INSTALL};${CPACK_DEB_POST_INSTALL};${CPACK_DEB_PRE_UNINSTALL};${CPACK_DEB_POST_UNINSTALL};${CPACK_DEB_TEMPLATES}")
 endif(CPACK_GENERATOR MATCHES "DEB")
diff --git a/vcpkg-overlays/linux-syslibs/redhat8/acl/portfile.cmake b/vcpkg-overlays/linux-syslibs/redhat8/acl/portfile.cmake
new file mode 100644
index 000000000..0015715fb
--- /dev/null
+++ b/vcpkg-overlays/linux-syslibs/redhat8/acl/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
\ No newline at end of file
diff --git a/vcpkg-overlays/linux-syslibs/redhat8/acl/vcpkg.json b/vcpkg-overlays/linux-syslibs/redhat8/acl/vcpkg.json
new file mode 100644
index 000000000..285eb9403
--- /dev/null
+++ b/vcpkg-overlays/linux-syslibs/redhat8/acl/vcpkg.json
@@ -0,0 +1,4 @@
+{
+ "name": "acl",
+ "version": "0"
+}
diff --git a/vcpkg-overlays/linux-syslibs/redhat9/acl/portfile.cmake b/vcpkg-overlays/linux-syslibs/redhat9/acl/portfile.cmake
new file mode 100644
index 000000000..0015715fb
--- /dev/null
+++ b/vcpkg-overlays/linux-syslibs/redhat9/acl/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
\ No newline at end of file
diff --git a/vcpkg-overlays/linux-syslibs/redhat9/acl/vcpkg.json b/vcpkg-overlays/linux-syslibs/redhat9/acl/vcpkg.json
new file mode 100644
index 000000000..285eb9403
--- /dev/null
+++ b/vcpkg-overlays/linux-syslibs/redhat9/acl/vcpkg.json
@@ -0,0 +1,4 @@
+{
+ "name": "acl",
+ "version": "0"
+}
diff --git a/vcpkg-overlays/linux-syslibs/ubuntu20/acl/portfile.cmake b/vcpkg-overlays/linux-syslibs/ubuntu20/acl/portfile.cmake
new file mode 100644
index 000000000..0015715fb
--- /dev/null
+++ b/vcpkg-overlays/linux-syslibs/ubuntu20/acl/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
\ No newline at end of file
diff --git a/vcpkg-overlays/linux-syslibs/ubuntu20/acl/vcpkg.json b/vcpkg-overlays/linux-syslibs/ubuntu20/acl/vcpkg.json
new file mode 100644
index 000000000..285eb9403
--- /dev/null
+++ b/vcpkg-overlays/linux-syslibs/ubuntu20/acl/vcpkg.json
@@ -0,0 +1,4 @@
+{
+ "name": "acl",
+ "version": "0"
+}
diff --git a/vcpkg-overlays/linux-syslibs/ubuntu22/acl/portfile.cmake b/vcpkg-overlays/linux-syslibs/ubuntu22/acl/portfile.cmake
new file mode 100644
index 000000000..0015715fb
--- /dev/null
+++ b/vcpkg-overlays/linux-syslibs/ubuntu22/acl/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
\ No newline at end of file
diff --git a/vcpkg-overlays/linux-syslibs/ubuntu22/acl/vcpkg.json b/vcpkg-overlays/linux-syslibs/ubuntu22/acl/vcpkg.json
new file mode 100644
index 000000000..285eb9403
--- /dev/null
+++ b/vcpkg-overlays/linux-syslibs/ubuntu22/acl/vcpkg.json
@@ -0,0 +1,4 @@
+{
+ "name": "acl",
+ "version": "0"
+}
From 4a764fdbab59915d9e4004dcd050f883e09362db Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Fri, 15 Sep 2023 12:17:02 -0400
Subject: [PATCH 12/17] Tryfix rpm
---
 .../actions/openziti-tunnel-build-action/redhat-8/Dockerfile | 1 +
 programs/ziti-edge-tunnel/package/CPackGenConfig.cmake | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile
index bd6c09a70..0a7680dc2 100644
--- a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile
+++ b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile
@@ -28,6 +28,7 @@ RUN dnf install -y \
 libtool \
 openssl-devel \
 perl \
+ perl-IPC-Cmd \
 python3 \
 systemd-devel \
 systemd-rpm-macros \
diff --git a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
index 6b8740711..8d9556e52 100644
--- a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
+++ b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake
@@ -1,7 +1,7 @@
 cmake_policy(SET CMP0057 NEW)
 if(CPACK_GENERATOR MATCHES "RPM")
- set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libacl-devel, libcap-devel")
+ set(CPACK_RPM_BUILDREQUIRES "cmake >= ${CMAKE_MINIMUM_REQUIRED_VERSION}, systemd-devel, gawk, gcc-c++ >= 4.9, python3, openssl-devel, zlib-devel, libacl-devel, libcap-devel, perl-IPC-Cmd")
 if(CPACK_OS_RELEASE_NAME IN_LIST CPACK_RPM_DISTRIBUTIONS AND CPACK_OS_RELEASE_VERSION VERSION_GREATER "7")
 list(APPEND CPACK_RPM_BUILDREQUIRES "systemd-rpm-macros")
 endif()
From 65a23d73adeb417dfceb23c0ce9be2865a1699be Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Fri, 15 Sep 2023 12:48:59 -0400
Subject: [PATCH 13/17] Tryfix openssl
---
 .../openziti-tunnel-build-action/redhat-9/entrypoint.sh | 2 +-
 .../openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh | 2 +-
 .../openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
index 33dec187f..bddedd705 100755
--- a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
@@ -46,7 +46,7 @@ done
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
 "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/redhat9" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default:./vcpkg-overlays/linux-syslibs/redhat9" \
 -S . \
 -B ./build
 cmake \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
index bdd9b78e2..25e4c83f9 100755
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
@@ -44,7 +44,7 @@ cmake \
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu20" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default:./vcpkg-overlays/linux-syslibs/ubuntu20" \
 -S "${PWD}/" \
 -B ./build/
 cmake \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
index 0a862b59f..cdd297247 100755
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
@@ -39,13 +39,13 @@ done
 [[ -d ./build ]] && rm -r ./build
 cmake \
 -E make_directory \
- ./build
+ ./build
 cmake \
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
 "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu22" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default:./vcpkg-overlays/linux-syslibs/ubuntu22" \
 -S "${PWD}/" \
 -B ./build
 cmake \
From 8b780f5223ef4c6c9f4df691471001bb8e8dbcc5 Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Fri, 15 Sep 2023 13:08:59 -0400
Subject: [PATCH 14/17] Try with overlay ports with semicolon
---
 .../actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh | 2 +-
 .../actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh | 2 +-
 .../openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh | 2 +-
 .../openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
index 9407e0f58..cb08f40ad 100755
--- a/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
@@ -47,7 +47,7 @@ cmake -E make_directory ./build
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/redhat8" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default;./vcpkg-overlays/linux-syslibs/redhat8" \
 -S . \
 -B ./build
 source scl_source enable gcc-toolset-10 \
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
index bddedd705..1429439a1 100755
--- a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
@@ -46,7 +46,7 @@ done
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
 "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default:./vcpkg-overlays/linux-syslibs/redhat9" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default;./vcpkg-overlays/linux-syslibs/redhat9" \
 -S . \
 -B ./build
 cmake \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
index 25e4c83f9..bd7fdeabf 100755
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
@@ -44,7 +44,7 @@ cmake \
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default:./vcpkg-overlays/linux-syslibs/ubuntu20" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default;./vcpkg-overlays/linux-syslibs/ubuntu20" \
 -S "${PWD}/" \
 -B ./build/
 cmake \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
index cdd297247..481634f1a 100755
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
@@ -45,7 +45,7 @@ cmake \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
 "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default:./vcpkg-overlays/linux-syslibs/ubuntu22" \
+ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default;./vcpkg-overlays/linux-syslibs/ubuntu22" \
 -S "${PWD}/" \
 -B ./build
 cmake \
From 4cad689371498dfd8a3ccf502622031091d487a0 Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Fri, 15 Sep 2023 13:21:30 -0400
Subject: [PATCH 15/17] Tryfix arm
---
 .../openziti-tunnel-build-action/ubuntu-20.04/Dockerfile | 2 ++
 .../openziti-tunnel-build-action/ubuntu-22.04/Dockerfile | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile
index c5797ad15..55eed9463 100644
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile
@@ -48,6 +48,8 @@ RUN sed -Ei 's/^deb/deb [arch=amd64]/g' /etc/apt/sources.list
 RUN dpkg --add-architecture arm64 && dpkg --add-architecture armhf
 RUN apt-get update \
 && apt-get -y install \
+ libacl1-dev:armhf \
+ libacl1-dev:arm64 \
 libcap-dev:armhf \
 libcap-dev:arm64 \
 libssl-dev:arm64 \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile
index c01e7e36b..2e48d3a5f 100644
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile
@@ -47,6 +47,8 @@ RUN sed -Ei 's/^deb/deb [arch=amd64]/g' /etc/apt/sources.list
 RUN dpkg --add-architecture arm64 && dpkg --add-architecture armhf
 RUN apt-get update \
 && apt-get -y install \
+ libacl1-dev:armhf \
+ libacl1-dev:arm64 \
 libcap-dev:armhf \
 libcap-dev:arm64 \
 libssl-dev:arm64 \
From c0bbf2c0c63c3ba6461682659fa379742c4ff881 Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Thu, 3 Oct 2024 18:41:27 -0400
Subject: [PATCH 16/17] Prefer existing approach to dep management. Add new libcap vcpkg port.
---
 .../openziti-tunnel-build-action/redhat-8/entrypoint.sh | 5 ++---
 .../openziti-tunnel-build-action/redhat-9/entrypoint.sh | 5 ++---
 .../openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh | 1 -
 .../openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh | 3 +--
 .../linux-syslibs/{redhat8 => default}/acl/portfile.cmake | 0
 .../linux-syslibs/{redhat8 => default}/acl/vcpkg.json | 0
 .../{redhat9/acl => default/libcap}/portfile.cmake | 0
 .../{ubuntu20/acl => default/libcap}/vcpkg.json | 2 +-
 .../linux-syslibs/{ubuntu20 => ubuntu18}/acl/portfile.cmake | 0
 .../linux-syslibs/{redhat9 => ubuntu18}/acl/vcpkg.json | 0
 .../{ubuntu22/acl => ubuntu18/libcap}/portfile.cmake | 0
 .../{ubuntu22/acl => ubuntu18/libcap}/vcpkg.json | 2 +-
 vcpkg.json | 4 ++++
 13 files changed, 11 insertions(+), 11 deletions(-)
 rename vcpkg-overlays/linux-syslibs/{redhat8 => default}/acl/portfile.cmake (100%)
 rename vcpkg-overlays/linux-syslibs/{redhat8 => default}/acl/vcpkg.json (100%)
 rename vcpkg-overlays/linux-syslibs/{redhat9/acl => default/libcap}/portfile.cmake (100%)
 rename vcpkg-overlays/linux-syslibs/{ubuntu20/acl => default/libcap}/vcpkg.json (51%)
 rename vcpkg-overlays/linux-syslibs/{ubuntu20 => ubuntu18}/acl/portfile.cmake (100%)
 rename vcpkg-overlays/linux-syslibs/{redhat9 => ubuntu18}/acl/vcpkg.json (100%)
 rename vcpkg-overlays/linux-syslibs/{ubuntu22/acl => ubuntu18/libcap}/portfile.cmake (100%)
 rename vcpkg-overlays/linux-syslibs/{ubuntu22/acl => ubuntu18/libcap}/vcpkg.json (51%)
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
index cb08f40ad..ea83cf477 100755
--- a/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
@@ -39,7 +39,7 @@ done
 cmake -E make_directory ./build
 (
 [[ -d ./build ]] && rm -r ./build
- cmake -E make_directory ./build
+ cmake -E make_directory ./build
 # allow unset for scl_source scripts
 set +u
 source scl_source enable gcc-toolset-10 \
@@ -47,9 +47,8 @@ cmake -E make_directory ./build
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default;./vcpkg-overlays/linux-syslibs/redhat8" \
 -S . \
- -B ./build
+ -B ./build
 source scl_source enable gcc-toolset-10 \
 && cmake \
 --build ./build \
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
index 1429439a1..aa991116d 100755
--- a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
@@ -38,7 +38,7 @@ done
 (
 [[ -d ./build ]] && rm -r ./build
- cmake -E make_directory ./build
+ cmake -E make_directory ./build
 # allow unset for scl_source scripts
 set +u
 cmake \
@@ -46,9 +46,8 @@ done
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
 "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default;./vcpkg-overlays/linux-syslibs/redhat9" \
 -S . \
- -B ./build
+ -B ./build
 cmake \
 --build ./build \
 --config "${cmake_config}" \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
index bd7fdeabf..1cb65f8fa 100755
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/entrypoint.sh
@@ -44,7 +44,6 @@ cmake \
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default;./vcpkg-overlays/linux-syslibs/ubuntu20" \
 -S "${PWD}/" \
 -B ./build/
 cmake \
diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
index 481634f1a..0a1285c33 100755
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh
@@ -39,13 +39,12 @@ done
 [[ -d ./build ]] && rm -r ./build
 cmake \
 -E make_directory \
- ./build
+ ./build
 cmake \
 --preset "${cmake_preset}" \
 -DCMAKE_BUILD_TYPE="${cmake_config}" \
 -DBUILD_DIST_PACKAGES=ON \
 "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \
- -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/default;./vcpkg-overlays/linux-syslibs/ubuntu22" \
 -S "${PWD}/" \
 -B ./build
 cmake \
diff --git a/vcpkg-overlays/linux-syslibs/redhat8/acl/portfile.cmake b/vcpkg-overlays/linux-syslibs/default/acl/portfile.cmake
similarity index 100%
rename from vcpkg-overlays/linux-syslibs/redhat8/acl/portfile.cmake
rename to vcpkg-overlays/linux-syslibs/default/acl/portfile.cmake
diff --git a/vcpkg-overlays/linux-syslibs/redhat8/acl/vcpkg.json b/vcpkg-overlays/linux-syslibs/default/acl/vcpkg.json
similarity index 100%
rename from vcpkg-overlays/linux-syslibs/redhat8/acl/vcpkg.json
rename to vcpkg-overlays/linux-syslibs/default/acl/vcpkg.json
diff --git a/vcpkg-overlays/linux-syslibs/redhat9/acl/portfile.cmake b/vcpkg-overlays/linux-syslibs/default/libcap/portfile.cmake
similarity index 100%
rename from vcpkg-overlays/linux-syslibs/redhat9/acl/portfile.cmake
rename to vcpkg-overlays/linux-syslibs/default/libcap/portfile.cmake
diff --git a/vcpkg-overlays/linux-syslibs/ubuntu20/acl/vcpkg.json b/vcpkg-overlays/linux-syslibs/default/libcap/vcpkg.json
similarity index 51%
rename from vcpkg-overlays/linux-syslibs/ubuntu20/acl/vcpkg.json
rename to vcpkg-overlays/linux-syslibs/default/libcap/vcpkg.json
index 285eb9403..021948014 100644
--- a/vcpkg-overlays/linux-syslibs/ubuntu20/acl/vcpkg.json
+++ b/vcpkg-overlays/linux-syslibs/default/libcap/vcpkg.json
@@ -1,4 +1,4 @@
 {
- "name": "acl",
+ "name": "libcap",
 "version": "0"
 }
diff --git a/vcpkg-overlays/linux-syslibs/ubuntu20/acl/portfile.cmake b/vcpkg-overlays/linux-syslibs/ubuntu18/acl/portfile.cmake
similarity index 100%
rename from vcpkg-overlays/linux-syslibs/ubuntu20/acl/portfile.cmake
rename to vcpkg-overlays/linux-syslibs/ubuntu18/acl/portfile.cmake
diff --git a/vcpkg-overlays/linux-syslibs/redhat9/acl/vcpkg.json b/vcpkg-overlays/linux-syslibs/ubuntu18/acl/vcpkg.json
similarity index 100%
rename from vcpkg-overlays/linux-syslibs/redhat9/acl/vcpkg.json
rename to vcpkg-overlays/linux-syslibs/ubuntu18/acl/vcpkg.json
diff --git a/vcpkg-overlays/linux-syslibs/ubuntu22/acl/portfile.cmake b/vcpkg-overlays/linux-syslibs/ubuntu18/libcap/portfile.cmake
similarity index 100%
rename from vcpkg-overlays/linux-syslibs/ubuntu22/acl/portfile.cmake
rename to vcpkg-overlays/linux-syslibs/ubuntu18/libcap/portfile.cmake
diff --git a/vcpkg-overlays/linux-syslibs/ubuntu22/acl/vcpkg.json b/vcpkg-overlays/linux-syslibs/ubuntu18/libcap/vcpkg.json
similarity index 51%
rename from vcpkg-overlays/linux-syslibs/ubuntu22/acl/vcpkg.json
rename to vcpkg-overlays/linux-syslibs/ubuntu18/libcap/vcpkg.json
index 285eb9403..021948014 100644
--- a/vcpkg-overlays/linux-syslibs/ubuntu22/acl/vcpkg.json
+++ b/vcpkg-overlays/linux-syslibs/ubuntu18/libcap/vcpkg.json
@@ -1,4 +1,4 @@
 {
- "name": "acl",
+ "name": "libcap",
 "version": "0"
 }
diff --git a/vcpkg.json b/vcpkg.json
index 4644e902a..eee5730ee 100644
--- a/vcpkg.json
+++ b/vcpkg.json
@@ -6,6 +6,10 @@
 "name": "acl",
 "platform": "linux"
 },
+ {
+ "name": "libcap",
+ "platform": "linux"
+ },
 "libuv",
 "zlib",
 "llhttp",
From cd523dc53a94686881e4ed9b5e3ea21b2765200c Mon Sep 17 00:00:00 2001
From: "Steven A. Broderick Elias"
Date: Fri, 4 Oct 2024 22:06:19 -0400
Subject: [PATCH 17/17] Fix spelling
---
 programs/ziti-edge-tunnel/netif_driver/linux/tun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c
index fb2988897..129d17fa3 100644
--- a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c
@@ -270,7 +270,7 @@ static void find_dns_updater() {
 // On newer systems, RESOLVCONF is a symlink to RESOLVECTL
 // By now, we know systemd-resolved is not available
 // This resolver is only supported when running as root due
- // to the large set of capabilies required.
+ // to the large set of capabilities required.
 uid_t euid = geteuid();
 if (euid == 0 && is_executable(RESOLVCONF) && !(is_resolvconf_systemd_resolved())) {
 dns_updater = dns_update_resolvconf;
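Review bot: The new `libcap` entry in vcpkg.json resolves to an overlay port whose whole manifest is `{"name": "libcap", "version": "0"}`, so if that port wraps the host's system library, as the `linux-syslibs` path and the commit title suggest, the libcap the tunnel links against is decided by the CI image rather than pinned anywhere in this patch. Recording that expectation in the overlay manifest would help the next person who rebuilds on a different base image: a `"description"` field stating that the port expects the distro's libcap development package to be preinstalled, and the same for the `acl` port it sits beside. The dependency array this hunk extends starts before `@@ -6,6 +6,10 @@` and continues past `"llhttp",`.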