diff --git a/.goreleaser-linux-arm64.yml b/.goreleaser-linux-arm64.yml index 23637caa..27bd3474 100644 --- a/.goreleaser-linux-arm64.yml +++ b/.goreleaser-linux-arm64.yml @@ -112,6 +112,9 @@ nfpms: - dst: /lib/systemd/system/ src: ./nfpm/zrok-share.service + - dst: /etc/systemd/system/zrok-share.service.d/override.conf + src: ./nfpm/zrok-share.service.override.conf + - dst: /opt/openziti/etc/zrok type: dir file_info: diff --git a/.goreleaser-linux-armhf.yml b/.goreleaser-linux-armhf.yml index afb4e052..829c85b8 100644 --- a/.goreleaser-linux-armhf.yml +++ b/.goreleaser-linux-armhf.yml @@ -112,6 +112,9 @@ nfpms: - dst: /lib/systemd/system/ src: ./nfpm/zrok-share.service + - dst: /etc/systemd/system/zrok-share.service.d/override.conf + src: ./nfpm/zrok-share.service.override.conf + - dst: /opt/openziti/etc/zrok type: dir file_info: diff --git a/.goreleaser-linux.yml b/.goreleaser-linux.yml index aa728c45..0e5ec9e8 100644 --- a/.goreleaser-linux.yml +++ b/.goreleaser-linux.yml @@ -108,6 +108,9 @@ nfpms: - dst: /lib/systemd/system/ src: ./nfpm/zrok-share.service + - dst: /etc/systemd/system/zrok-share.service.d/override.conf + src: ./nfpm/zrok-share.service.override.conf + - dst: /opt/openziti/etc/zrok type: dir file_info: diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d6cc2e4..ca3dca42 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,9 +2,12 @@ ## v0.4.34 +FEATURE: Linux service support for all private share modes (contribution from Stefan Adelbert @stefanadelbert) + FIX: Fix for mixing limited and unlimited (-1) resource counts in the limits system (https://github.com/openziti/zrok/issues/680) CHANGE: bump many GitHub Actions that were using deprecated distributions of Node.js + CHANGE: bump macOS runner for Node SDK from macos-11 to macos-12 ## v0.4.33 diff --git a/nfpm/zrok-share.bash b/nfpm/zrok-share.bash index a0480d3d..6f1a1de0 100644 --- a/nfpm/zrok-share.bash +++ b/nfpm/zrok-share.bash 
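Review bot: The new `/etc/systemd/system/zrok-share.service.d/override.conf` entry is a file the operator is told to edit by hand (the vpn instructions have them uncomment `AmbientCapabilities=CAP_NET_ADMIN`), yet it is packaged as an ordinary content file, so a package upgrade will presumably overwrite it and silently revoke the capability until the next service start trips the check in zrok-share.bash. Mark it as a config file so the package manager preserves local edits, e.g. add `type: config|noreplace` to the new entry, as is presumably already done for the env file (that entry is outside these hunks). The same entry is added identically in the armhf and amd64 goreleaser files in this section and needs the same treatment.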
@@ -54,9 +54,12 @@ fi exit 1 } -# default mode is reserved (public), override mode is temp-public, i.e., "share public" without a reserved subdomain +# default mode is 'reserved-public', override modes are reserved-private, temp-public, temp-private. +: "${ZROK_FRONTEND_MODE:=reserved-public}" if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}" +elif [[ "${ZROK_FRONTEND_MODE:-}" == temp-private ]]; then + ZROK_CMD="share private --headless ${ZROK_VERBOSE:-}" elif [[ -s ~/.zrok/reserved.json ]]; then ZROK_RESERVED_TOKEN="$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)" if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then @@ -73,8 +76,13 @@ elif [[ -s ~/.zrok/reserved.json ]]; then exit 0 fi fi -else +elif [[ "${ZROK_FRONTEND_MODE:-}" == reserved-public ]]; then ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}" +elif [[ "${ZROK_FRONTEND_MODE:-}" == reserved-private ]]; then + ZROK_CMD="reserve private --json-output ${ZROK_VERBOSE:-}" +else + echo "ERROR: invalid value for ZROK_FRONTEND_MODE '${ZROK_FRONTEND_MODE}'" >&2 + exit 1 fi [[ -n "${ZROK_BACKEND_MODE:-}" ]] || { @@ -88,12 +96,12 @@ case "${ZROK_BACKEND_MODE}" in echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2 exit 1 else - echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}" + echo "INFO: validated backend mode '${ZROK_BACKEND_MODE}' and target '${ZROK_TARGET}'" fi ;; caddy) if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then - echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2 + echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path" >&2 exit 1 elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2 
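Review bot: Switching ZROK_FRONTEND_MODE between `reserved-public` and `reserved-private` is apparently not honored once a reservation exists, because the `elif [[ -s ~/.zrok/reserved.json ]]` branch is tested before the new mode dispatch and reuses whatever token was reserved earlier, so an operator moving a share to private would keep serving the old public reservation. Either record the frontend mode next to the token in reserved.json and fall through to a fresh reservation when it differs, or at least state in zrok-share.env that changing this value requires deleting reserved.json; the body of the reserved.json branch continues outside this hunk, so I cannot see whether it already compares anything beyond the token. Minor style point: with the `:=` default on the new `: "${ZROK_FRONTEND_MODE:=reserved-public}"` line, the `${ZROK_FRONTEND_MODE:-}` fallbacks in the conditions below are dead and could be plain `${ZROK_FRONTEND_MODE}`, as the new error message already uses.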
@@ -104,7 +112,7 @@ case "${ZROK_BACKEND_MODE}" in ;; web|drive) if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then - echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2 + echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path" >&2 exit 1 elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2 @@ -113,13 +121,41 @@ case "${ZROK_BACKEND_MODE}" in echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}" fi ;; + tcpTunnel|udpTunnel|socks|vpn) + if ! [[ "${ZROK_FRONTEND_MODE}" =~ -private$ ]]; then + echo "ERROR: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is a private share backend mode and cannot be used with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2 + exit 1 + else + case "${ZROK_BACKEND_MODE}" in + tcpTunnel|udpTunnel) + echo "INFO: ${ZROK_BACKEND_MODE} backend mode has target '${ZROK_TARGET}'" + ;; + vpn) + if [[ -n "${ZROK_TARGET}" ]]; then + ZROK_SVC_FILE=/etc/systemd/system/zrok-share.service.d/override.conf + if ! grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' "${ZROK_SVC_FILE}"; then + echo "ERROR: you must uncomment 'AmbientCapabilities=CAP_NET_ADMIN' in '${ZROK_SVC_FILE}'"\ + "and run 'systemctl daemon-reload' to enable VPN mode" >&2 + exit 1 + fi + fi + ;; + socks) + if [[ -n "${ZROK_TARGET}" ]]; then + echo "WARNING: ZROK_TARGET='${ZROK_TARGET}' is ignored with ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}'" >&2 + unset ZROK_TARGET + fi + ;; + esac + fi + ;; *) echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\ " ZROK_TARGET value will not validated before running." >&2 ;; esac -[[ -n "${ZROK_UNIQUE_NAME:-}" ]] && { +[[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && { ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}" } 
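Review bot: The CAP_NET_ADMIN check in the `vpn` arm runs only inside `if [[ -n "${ZROK_TARGET}" ]]`, so if zrok accepts an empty target for vpn (I cannot tell from here) the share starts without the capability having been verified and fails later at tun/route setup with a less helpful error; the capability is needed regardless of target, so drop that outer guard and run the grep unconditionally. The `tcpTunnel|udpTunnel` arm only echoes the target while every other mode validates it; at minimum reject an empty value, e.g. `[[ -n "${ZROK_TARGET}" ]] || { echo "ERROR: ZROK_TARGET must be set to host:port for ${ZROK_BACKEND_MODE}" >&2; exit 1; }`. The fallback `*)` message still says "not a recognized mode for a zrok public share" and reads "will not validated", which is stale and ungrammatical now that private modes are handled here. The enclosing case statement begins outside this hunk.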
@@ -142,8 +178,9 @@ fi echo "INFO: running: zrok ${ZROK_CMD}" -if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then - # share until exit +if [[ "${ZROK_FRONTEND_MODE:-}" =~ ^temp- ]]; then + # frontend mode starts with 'temp-', so is temporary. + # share without reserving until exit. exec zrok ${ZROK_CMD} else # reserve and continue diff --git a/nfpm/zrok-share.env b/nfpm/zrok-share.env index 323f5b8c..546fd26f 100644 --- a/nfpm/zrok-share.env +++ b/nfpm/zrok-share.env 
@@ -17,48 +17,65 @@ ZROK_ENABLE_TOKEN="" # ZROK_ENVIRONMENT_NAME="" -# You MUST set this if not using the default zrok.io API endpoint +# You MUST set this if not using the default API endpoint #ZROK_API_ENDPOINT="https://api.zrok.io" # -## ZROK BACKEND TARGET +## ZROK BACKEND MODE AND TARGET # # You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY # change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend # authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with # WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL. + # +## BACKEND MODES THAT WORK WITH PUBLIC AND PRIVATE HTTP SHARES +# + # backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or # 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control. -ZROK_TARGET="" # e.g., http://127.0.0.1:3000 ZROK_BACKEND_MODE="proxy" +ZROK_TARGET="" # e.g., http://127.0.0.1:3000 # if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy' # NOTE: changing this value does not require provisioning a new frontend URL #ZROK_INSECURE="--insecure" # backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an # absolute path to a directory that is readable by 'other' -#ZROK_TARGET="/var/www/html" #ZROK_BACKEND_MODE="web" +#ZROK_TARGET="/var/www/html" # backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. 
Must be an absolute # path to a directory that is readable by 'other' -#ZROK_TARGET="/usr/share/doc" #ZROK_BACKEND_MODE="drive" +#ZROK_TARGET="/usr/share/doc" # backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that # is readable by 'other'. -#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile" #ZROK_BACKEND_MODE="caddy" +#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile" -# DEBUG log level -# NOTE: changing this value does not require provisioning a new frontend URL -#ZROK_VERBOSE="--verbose" +# +## BACKEND MODES THAT ONLY WORK WITH PRIVATE SHARES +# -# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints -# WARNING: changes take effect the next time the frontend URL is reserved -# NOTE: basic auth and oauth are mutually exclusive -ZROK_SHARE_OPTS="" +# you MUST set ZROK_FRONTEND_MODE to 'reserved-private' or 'temp-private' to use private share backend modes + +#ZROK_BACKEND_MODE="tcpTunnel" +#ZROK_TARGET="127.0.0.1:25565" + +#ZROK_BACKEND_MODE="udpTunnel" +#ZROK_TARGET="127.0.0.1:53" + +# you MUST grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands: +# sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf +# systemctl daemon-reload +#ZROK_BACKEND_MODE="vpn" +#ZROK_TARGET="172.16.0.1/12" + +# there is no target for socks mode because the share is only a dynamic exit for the proxy client +#ZROK_BACKEND_MODE="socks" +#ZROK_TARGET="" # ## ZROK FRONTEND 
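Review bot: The new private-share section lacks the caveat a deployer needs before turning these modes on: a `socks` share makes this host an open egress for every zrok environment granted access to the share (the comment itself calls it "a dynamic exit for the proxy client"), and `vpn` with CAP_NET_ADMIN installs a tun device and routes on this host, so both expose the host's network position to every client allowed onto the share rather than a single backend. Suggest a comment above the tcpTunnel/udpTunnel/vpn/socks examples such as `# WARNING: socks and vpn modes let every client granted access to this private share reach this host's network; grant access to as few environments as possible`. The `sed -Ei` one-liner for vpn also deserves a sentence noting that it edits a packaged file that a later package upgrade may overwrite, so the capability should be re-checked after upgrades; I am inferring that from the goreleaser entries in this diff rather than from the env file itself.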
@@ -86,3 +103,17 @@ ZROK_SHARE_OPTS="" # set if self-hosting zrok and not using only the default frontend name 'public'; must be a space-separated list # WARNING: changes take effect the next time the frontend URL is reserved #ZROK_FRONTENDS="public" + +# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private +#ZROK_FRONTEND_MODE="reserved-public" + +# +## OPTIONS +# + +# DEBUG log level +# NOTE: changing this value does not require provisioning a new frontend URL +#ZROK_VERBOSE="--verbose" + +# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints +ZROK_SHARE_OPTS="" diff --git a/nfpm/zrok-share.service.override.conf b/nfpm/zrok-share.service.override.conf new file mode 100644 index 00000000..57f4a796 --- /dev/null +++ b/nfpm/zrok-share.service.override.conf @@ -0,0 +1,10 @@ +[Service] + +# +## extra permissions +# + +# allow adding tun device and IP routes and iptables rules; required when ZROK_BACKEND_MODE=vpn +# AmbientCapabilities=CAP_NET_ADMIN + +# you must run 'systemctl daemon-reload' after modifying this file
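Review bot: The relocated ZROK_SHARE_OPTS entry lost the two notes the removed block carried, `# WARNING: changes take effect the next time the frontend URL is reserved` and `# NOTE: basic auth and oauth are mutually exclusive`, and only the "you MAY set additional command-line options" sentence survived. The WARNING is the security-relevant one: an operator adding a basic-auth or oauth option here after the frontend has been reserved would expect the share to be protected on restart, while the existing reservation is reused unchanged, so restore both lines above `ZROK_SHARE_OPTS=""`. The new `ZROK_FRONTEND_MODE` entry appears to deserve the same `# WARNING:` marker, since the reserved.json handling in zrok-share.bash (not part of this hunk) seems to reuse an existing reservation regardless of mode; the help hint could also mention `zrok reserve private --help` now that private modes exist.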
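Review bot: The drop-in comment should say exactly how the directive must be uncommented, because zrok-share.bash accepts it only when `^AmbientCapabilities=CAP_NET_ADMIN` matches at column 0; leaving the `# ` prefix, a leading space, or a different spelling makes the vpn start-up check fail even if systemd itself would tolerate the line. Suggest replacing the "allow adding tun device" comment with `# to enable vpn mode, remove the leading '# ' so the next line starts at column 0 (zrok-share.bash greps for exactly that), then run 'systemctl daemon-reload'`. Consider also pairing the grant with `CapabilityBoundingSet=CAP_NET_ADMIN` in the same drop-in so the service cannot acquire anything beyond NET_ADMIN, unless the base unit already bounds it (the base unit is not in this diff).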