Merge pull request #652 from openziti/stefanadelbert-linux-share-private

Stefanadelbert linux share private
Michael Quigley 2024-06-27 12:26:11 -04:00 committed by GitHub
commit f95ee5984c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 111 additions and 21 deletions


@ -112,6 +112,9 @@ nfpms:
- dst: /lib/systemd/system/ - dst: /lib/systemd/system/
src: ./nfpm/zrok-share.service src: ./nfpm/zrok-share.service
- dst: /etc/systemd/system/zrok-share.service.d/override.conf
src: ./nfpm/zrok-share.service.override.conf
- dst: /opt/openziti/etc/zrok - dst: /opt/openziti/etc/zrok
type: dir type: dir
file_info: file_info:
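Review bot: The new `override.conf` entry carries no `type`, so nfpm packages it as a regular file that a package upgrade overwrites, yet the service script and the env template both tell the admin to edit this very file in place to uncomment `AmbientCapabilities=CAP_NET_ADMIN`; an upgrade would silently revert that grant and the vpn share would stop starting. Marking the entry `type: config|noreplace` keeps the admin's copy across upgrades (rpm leaves it alone, dpkg treats it as a conffile). The same entry is added in the two following sections (the hunks at -112 and -108), which need the same treatment.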


@ -112,6 +112,9 @@ nfpms:
- dst: /lib/systemd/system/ - dst: /lib/systemd/system/
src: ./nfpm/zrok-share.service src: ./nfpm/zrok-share.service
- dst: /etc/systemd/system/zrok-share.service.d/override.conf
src: ./nfpm/zrok-share.service.override.conf
- dst: /opt/openziti/etc/zrok - dst: /opt/openziti/etc/zrok
type: dir type: dir
file_info: file_info:


@ -108,6 +108,9 @@ nfpms:
- dst: /lib/systemd/system/ - dst: /lib/systemd/system/
src: ./nfpm/zrok-share.service src: ./nfpm/zrok-share.service
- dst: /etc/systemd/system/zrok-share.service.d/override.conf
src: ./nfpm/zrok-share.service.override.conf
- dst: /opt/openziti/etc/zrok - dst: /opt/openziti/etc/zrok
type: dir type: dir
file_info: file_info:


@ -2,9 +2,12 @@
## v0.4.34 ## v0.4.34
FEATURE: Linux service support for all private share modes (contribution from Stefan Adelbert @stefanadelbert)
FIX: Fix for mixing limited and unlimited (-1) resource counts in the limits system (https://github.com/openziti/zrok/issues/680) FIX: Fix for mixing limited and unlimited (-1) resource counts in the limits system (https://github.com/openziti/zrok/issues/680)
CHANGE: bump many GitHub Actions that were using deprecated distributions of Node.js CHANGE: bump many GitHub Actions that were using deprecated distributions of Node.js
CHANGE: bump macOS runner for Node SDK from macos-11 to macos-12 CHANGE: bump macOS runner for Node SDK from macos-11 to macos-12
## v0.4.33 ## v0.4.33


@ -54,9 +54,12 @@ fi
exit 1 exit 1
} }
# default mode is reserved (public), override mode is temp-public, i.e., "share public" without a reserved subdomain # default mode is 'reserved-public', override modes are reserved-private, temp-public, temp-private.
: "${ZROK_FRONTEND_MODE:=reserved-public}"
if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then
ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}" ZROK_CMD="share public --headless ${ZROK_VERBOSE:-}"
elif [[ "${ZROK_FRONTEND_MODE:-}" == temp-private ]]; then
ZROK_CMD="share private --headless ${ZROK_VERBOSE:-}"
elif [[ -s ~/.zrok/reserved.json ]]; then elif [[ -s ~/.zrok/reserved.json ]]; then
ZROK_RESERVED_TOKEN="$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)" ZROK_RESERVED_TOKEN="$(jq -r '.token' ~/.zrok/reserved.json 2>/dev/null)"
if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then if [[ -z "${ZROK_RESERVED_TOKEN}" || "${ZROK_RESERVED_TOKEN}" == null ]]; then
@ -73,8 +76,13 @@ elif [[ -s ~/.zrok/reserved.json ]]; then
exit 0 exit 0
fi fi
fi fi
else elif [[ "${ZROK_FRONTEND_MODE:-}" == reserved-public ]]; then
ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}" ZROK_CMD="reserve public --json-output ${ZROK_VERBOSE:-}"
elif [[ "${ZROK_FRONTEND_MODE:-}" == reserved-private ]]; then
ZROK_CMD="reserve private --json-output ${ZROK_VERBOSE:-}"
else
echo "ERROR: invalid value for ZROK_FRONTEND_MODE '${ZROK_FRONTEND_MODE}'" >&2
exit 1
fi fi
[[ -n "${ZROK_BACKEND_MODE:-}" ]] || { [[ -n "${ZROK_BACKEND_MODE:-}" ]] || {
@ -88,12 +96,12 @@ case "${ZROK_BACKEND_MODE}" in
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2 echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an HTTP URL" >&2
exit 1 exit 1
else else
echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}" echo "INFO: validated backend mode '${ZROK_BACKEND_MODE}' and target '${ZROK_TARGET}'"
fi fi
;; ;;
caddy) caddy)
if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2 echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path" >&2
exit 1 exit 1
elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then elif ! [[ -f "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2 echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable regular file" >&2
@ -104,7 +112,7 @@ case "${ZROK_BACKEND_MODE}" in
;; ;;
web|drive) web|drive)
if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then if ! [[ "${ZROK_TARGET}" =~ ^/ ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path." >&2 echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not an absolute filesystem path" >&2
exit 1 exit 1
elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then elif ! [[ -d "${ZROK_TARGET}" && -r "${ZROK_TARGET}" ]]; then
echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2 echo "ERROR: ZROK_TARGET='${ZROK_TARGET}' is not a readable directory" >&2
@ -113,13 +121,41 @@ case "${ZROK_BACKEND_MODE}" in
echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}" echo "INFO: validated backend mode ${ZROK_BACKEND_MODE} and target ${ZROK_TARGET}"
fi fi
;; ;;
tcpTunnel|udpTunnel|socks|vpn)
if ! [[ "${ZROK_FRONTEND_MODE}" =~ -private$ ]]; then
echo "ERROR: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is a private share backend mode and cannot be used with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2
exit 1
else
case "${ZROK_BACKEND_MODE}" in
tcpTunnel|udpTunnel)
echo "INFO: ${ZROK_BACKEND_MODE} backend mode has target '${ZROK_TARGET}'"
;;
vpn)
if [[ -n "${ZROK_TARGET}" ]]; then
ZROK_SVC_FILE=/etc/systemd/system/zrok-share.service.d/override.conf
if ! grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' "${ZROK_SVC_FILE}"; then
echo "ERROR: you must uncomment 'AmbientCapabilities=CAP_NET_ADMIN' in '${ZROK_SVC_FILE}'"\
"and run 'systemctl daemon-reload' to enable VPN mode" >&2
exit 1
fi
fi
;;
socks)
if [[ -n "${ZROK_TARGET}" ]]; then
echo "WARNING: ZROK_TARGET='${ZROK_TARGET}' is ignored with ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}'" >&2
unset ZROK_TARGET
fi
;;
esac
fi
;;
*) *)
echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\ echo "WARNING: ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}' is not a recognized mode for a zrok public share."\
" ZROK_TARGET value will not validated before running." >&2 " ZROK_TARGET value will not validated before running." >&2
;; ;;
esac esac
[[ -n "${ZROK_UNIQUE_NAME:-}" ]] && { [[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && {
ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}" ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
} }
@ -142,8 +178,9 @@ fi
echo "INFO: running: zrok ${ZROK_CMD}" echo "INFO: running: zrok ${ZROK_CMD}"
if [[ "${ZROK_FRONTEND_MODE:-}" == temp-public ]]; then if [[ "${ZROK_FRONTEND_MODE:-}" =~ ^temp- ]]; then
# share until exit # frontend mode starts with 'temp-', so is temporary.
# share without reserving until exit.
exec zrok ${ZROK_CMD} exec zrok ${ZROK_CMD}
else else
# reserve and continue # reserve and continue
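Review bot: The CAP_NET_ADMIN check in the new `vpn)` arm only runs when `ZROK_TARGET` is non-empty (it sits inside the `if [[ -n "${ZROK_TARGET}" ]]` guard), but the new override.conf describes the capability as required whenever `ZROK_BACKEND_MODE=vpn`, so a vpn share with an empty target skips the check and presumably fails later inside zrok with a less useful error. Hoist the `grep -qE '^AmbientCapabilities=CAP_NET_ADMIN' "${ZROK_SVC_FILE}"` test out of the target guard so it runs for every vpn share. The `tcpTunnel|udpTunnel)` arm also only echoes the target, unlike every other validated mode; `[[ -n "${ZROK_TARGET}" ]] || { echo "ERROR: ZROK_TARGET is required for ZROK_BACKEND_MODE='${ZROK_BACKEND_MODE}'" >&2; exit 1; }` would reject an empty target before the exec. The enclosing `case "${ZROK_BACKEND_MODE}" in` starts before this hunk.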


@ -17,48 +17,65 @@ ZROK_ENABLE_TOKEN=""
# #
ZROK_ENVIRONMENT_NAME="" ZROK_ENVIRONMENT_NAME=""
# You MUST set this if not using the default zrok.io API endpoint # You MUST set this if not using the default API endpoint
#ZROK_API_ENDPOINT="https://api.zrok.io" #ZROK_API_ENDPOINT="https://api.zrok.io"
# #
## ZROK BACKEND TARGET ## ZROK BACKEND MODE AND TARGET
# #
# You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY # You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY
# change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend # change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend
# authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with # authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with
# WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL. # WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
# #
## BACKEND MODES THAT WORK WITH PUBLIC AND PRIVATE HTTP SHARES
#
# backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or # backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
# 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control. # 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
ZROK_TARGET="" # e.g., http://127.0.0.1:3000
ZROK_BACKEND_MODE="proxy" ZROK_BACKEND_MODE="proxy"
ZROK_TARGET="" # e.g., http://127.0.0.1:3000
# if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy' # if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
# NOTE: changing this value does not require provisioning a new frontend URL # NOTE: changing this value does not require provisioning a new frontend URL
#ZROK_INSECURE="--insecure" #ZROK_INSECURE="--insecure"
# backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an # backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an
# absolute path to a directory that is readable by 'other' # absolute path to a directory that is readable by 'other'
#ZROK_TARGET="/var/www/html"
#ZROK_BACKEND_MODE="web" #ZROK_BACKEND_MODE="web"
#ZROK_TARGET="/var/www/html"
# backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute # backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute
# path to a directory that is readable by 'other' # path to a directory that is readable by 'other'
#ZROK_TARGET="/usr/share/doc"
#ZROK_BACKEND_MODE="drive" #ZROK_BACKEND_MODE="drive"
#ZROK_TARGET="/usr/share/doc"
# backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that # backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that
# is readable by 'other'. # is readable by 'other'.
#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
#ZROK_BACKEND_MODE="caddy" #ZROK_BACKEND_MODE="caddy"
#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
# DEBUG log level #
# NOTE: changing this value does not require provisioning a new frontend URL ## BACKEND MODES THAT ONLY WORK WITH PRIVATE SHARES
#ZROK_VERBOSE="--verbose" #
# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints # you MUST set ZROK_FRONTEND_MODE to 'reserved-private' or 'temp-private' to use private share backend modes
# WARNING: changes take effect the next time the frontend URL is reserved
# NOTE: basic auth and oauth are mutually exclusive #ZROK_BACKEND_MODE="tcpTunnel"
ZROK_SHARE_OPTS="" #ZROK_TARGET="127.0.0.1:25565"
#ZROK_BACKEND_MODE="udpTunnel"
#ZROK_TARGET="127.0.0.1:53"
# you MUST grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands:
# sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf
# systemctl daemon-reload
#ZROK_BACKEND_MODE="vpn"
#ZROK_TARGET="172.16.0.1/12"
# there is no target for socks mode because the share is only a dynamic exit for the proxy client
#ZROK_BACKEND_MODE="socks"
#ZROK_TARGET=""
# #
## ZROK FRONTEND ## ZROK FRONTEND
@ -86,3 +103,17 @@ ZROK_SHARE_OPTS=""
# set if self-hosting zrok and not using only the default frontend name 'public'; must be a space-separated list # set if self-hosting zrok and not using only the default frontend name 'public'; must be a space-separated list
# WARNING: changes take effect the next time the frontend URL is reserved # WARNING: changes take effect the next time the frontend URL is reserved
#ZROK_FRONTENDS="public" #ZROK_FRONTENDS="public"
# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private
#ZROK_FRONTEND_MODE="reserved-public"
#
## OPTIONS
#
# DEBUG log level
# NOTE: changing this value does not require provisioning a new frontend URL
#ZROK_VERBOSE="--verbose"
# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
ZROK_SHARE_OPTS=""
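Review bot: The hint on the moved `ZROK_SHARE_OPTS` line still points only at `zrok reserve public --help`, while this template now documents reserved-private, temp-public and temp-private frontend modes whose options come from the `share private`, `share public` and `reserve private` commands the service script builds. Suggest `# you MAY set additional command-line options for the share; see "zrok reserve public --help" (or the share/reserve subcommand matching ZROK_FRONTEND_MODE) for hints`.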


@ -0,0 +1,10 @@
[Service]
#
## extra permissions
#
# allow adding tun device and IP routes and iptables rules; required when ZROK_BACKEND_MODE=vpn
# AmbientCapabilities=CAP_NET_ADMIN
# you must run 'systemctl daemon-reload' after modifying this file
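Review bot: The commented directive is written as `# AmbientCapabilities=CAP_NET_ADMIN` with a space after `#`, while the service script enables vpn mode only if `grep -qE '^AmbientCapabilities=CAP_NET_ADMIN'` matches, so an admin who removes just the `#` leaves a leading space and the script still refuses to start even though systemd likely accepts the indented directive. Writing the template line as `#AmbientCapabilities=CAP_NET_ADMIN` makes the documented "uncomment" step produce exactly the line the script checks for; the sed one-liner in the env template already copes either way. Only 7 of this hunk's 10 lines are visible here, so the missing lines may be blank.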