Open ykorzikowski opened 2 years ago
Hey @ykorzikowski
Are you running Dashboard and API on different machines, right? It might be that for the gRPC API a default 33073 port is used, as per the docker-compose.yml file.
Try
netbird up --management-url https://netbird-api.company.com:33073
Good morning, just checked your reply.
I forget to tell you: I am using a nginx as reverse proxy.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
538bd6b9673e netbirdio/management:latest "/go/bin/netbird-mgm…" 8 hours ago Up 8 hours 0.0.0.0:33073->80/tcp, :::33073->80/tcp infrastructure_files-management-1
13a3d67ef2cb wiretrustee/dashboard:main "/usr/bin/supervisor…" 8 hours ago Up 8 hours 443/tcp, 0.0.0.0:8080->80/tcp, :::8080->80/tcp infrastructure_files-dashboard-1
17c8165e7fd5 coturn/coturn "docker-entrypoint.s…" 9 hours ago Up 9 hours infrastructure_files-coturn-1
9ada4b76d13b netbirdio/signal:latest "/go/bin/netbird-sig…" 9 hours ago Up 9 hours 0.0.0.0:10000->80/tcp, :::10000->80/tcp infrastructure_files-signal-1
So basically, I want use no TLS in the docker containers, but with my reverse proxy. The Management Service still asks for some certificate, so I give him a self-signed cert.
server {
listen *:80;
listen [::]:80;
server_name netbird.***.com;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
include security.conf;
listen *:443 ssl;
listen [::]:443 ssl;
server_name netbird.***.com;
ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem;
access_log /var/log/nginx/***.com/netbird.log;
error_log /var/log/nginx/***.com/err/netbird.log;
location / {
proxy_pass http://10.10.10.118:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host netbird.***.com;
}
}
and
server {
listen *:80;
listen [::]:80;
server_name netbird-api.***.com;
location / {
return 301 https://$server_name$request_uri;
}
}
server {
include security.conf;
listen *:443 ssl;
listen [::]:443 ssl;
server_name netbird-api.***.com;
ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem;
access_log /var/log/nginx/***.com/netbird-api.log;
error_log /var/log/nginx/***.com/err/netbird-api.log;
location / {
proxy_pass https://10.10.10.118:33073;
proxy_ssl_verify off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Access-Control-Allow-Origin "*";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host netbird-api.***.com;
}
}
So maybe we can figure it out together and add it to the documentation :)
We didn't try it yet with Ngnix but there should be some config that allows gRPC connections.
The Management service exposes gRPC API to clients to fetch the network config.
Dashboard uses the Management HTTP API.
gRPC and HTTP APIs are running on the same port.
So the netbird client uses the gRPC-API and not HTTP?
So the netbird client uses the gRPC-API and not HTTP?
Yes, exactly. The HTTP API is used by the Dashboard.
We will be putting things behind Caddy for simpler setups in the near future.
THX for the tip. I am one step further now:
server {
include security.conf;
listen *:9000 ssl http2;
listen [::]:9000 ssl;
server_name netbird-grpc.***.com;
ssl_certificate /etc/letsencrypt/live/***.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/***.com/privkey.pem;
access_log /var/log/nginx/***.com/netbird-grpc.log;
error_log /var/log/nginx/***.com/err/netbird-grpc.log;
location / {
grpc_pass grpcs://10.10.10.118:33073;
grpc_ssl_verify off;
}
}
Now Keycloak Oauth opens, but I get this on mgmt console:
time="2022-09-22T08:05:46Z" level=debug msg="rpc error: code = PermissionDenied desc = provided peer with the key wgPubKey ***= is not registered and no setup key or jwt was provided, remote addr is 10.10.10.109:50042" file="grpcserver.go:282"
Maybe I did something wrong when setting up the keycloak realm.
I see, I think this one will be easy to fix. The Keycloak is fine.
How did you start the client? This way?
netbird up --management-url https://netbird-api.company.com/
You should either run it with the setup key like so:
netbird up --management-url https://netbird-api.company.com:33073 --setup-key <Your Setup Key>
Or Device Auth Flow (SSO Login) has to be enabled in Management config: https://github.com/netbirdio/netbird/blob/c5705803a503a910c7fb07fbc3fe9515f6b88701/infrastructure_files/management.json.tmpl#L42
What is in your DeviceAuthorizationFlow config?
It looks like this. I am using the master realm, not sure if this is an issue. I did not create a extra one like in the setup guide described.
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"Audience": "netbird-client",
"Domain": "",
"ClientID": "netbird-client",
"TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token",
"DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device"
}
}
It looks like this. I am using the master realm, not sure if this is an issue. I did not create a extra one like in the setup guide described.
"DeviceAuthorizationFlow": { "Provider": "hosted", "ProviderConfig": { "Audience": "netbird-client", "Domain": "", "ClientID": "netbird-client", "TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token", "DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device" } }
It is hard to say what went wrong if you didn't follow the guide. Maybe you didn't enable Device Authorization Grant in step 4 (second screenshot) of the client configuration? https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak#step-4-create-a-netbird-client
You are right, it was not selected.
I get this, but ithe netbird up command stuck.
Now I get another error in keycloak logs:
2022-09-23 17:43:20,332 WARN [org.keycloak.events] (executor-thread-26) type=OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=79.**.**.70, error=invalid_oauth2_user_code, reason='device code not found (it may already have been used)'
Thank you very much for help :)
And if you restart NetBird and try again? The issue is reproducible?
Yep, I restarted netbird.
I tried on a different machine as client with a different user. The version of keycloak i use is 17.0.2. It looks like, the callback from keycloak back to netbird is not triggered (but I do not know the exact way how the login procedure works). The CLI is endless waiting for the auth. If you re-open the link, keycloak complains that device key is already used (like above described).
THis keys get created on the attempt:
One thing I notice: I logged in with two users, but the cant see each other in users view:
User A:
User B:
keycloak log of auth:
2022-09-24 07:49:53,610 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (executor-thread-20) PrivacyIDEA Client: Replacing privacyIDEA instance for realm master
2022-09-24 07:49:53,613 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: POST /auth
2022-09-24 07:49:53,613 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: username=keycloak_service_account
2022-09-24 07:49:53,613 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: password=************************************
2022-09-24 07:49:53,614 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: realm=***.com.admin
2022-09-24 07:49:53,806 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: POST /validate/triggerchallenge
2022-09-24 07:49:53,807 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: user=yko_adm_user
2022-09-24 07:49:53,807 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-1) PrivacyIDEA Client: realm=***.com.admin
2022-09-24 07:49:54,204 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://2fa.***.com/...) PrivacyIDEA Client: /validate/triggerchallenge:
{
"detail": {
"attributes": {
"hideResponseInput": true
},
"client_mode": "poll",
"message": "Bitte geben Sie einen OTP-Wert ein: , Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request.",
"messages": [
"Bitte geben Sie einen OTP-Wert ein: ",
"Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request."
],
"multi_challenge": [
{
"client_mode": "interactive",
"message": "Bitte geben Sie einen OTP-Wert ein: ",
"serial": "***",
"transaction_id": "00942768684158838260",
"type": "totp"
},
{
"attributes": {
"hideResponseInput": true
},
"client_mode": "poll",
"message": "Please confirm the authentication on your mobile device! Use the polling feature of your privacyIDEA Authenticator App to check for a new Login request.",
"serial": "***",
"transaction_id": "00942768684158838260",
"type": "push"
}
],
"serial": "***",
"threadid": 140429160433472,
"transaction_id": "00942768684158838260",
"transaction_ids": [
"00942768684158838260",
"00942768684158838260"
],
"type": "push"
},
"id": 2,
"jsonrpc": "2.0",
"result": {
"authentication": "ACCEPT",
"status": true,
"value": 2
},
"time": 1664005794.1786666,
"version": "privacyIDEA 3.7.3",
"versionnumber": "3.7.3",
"signature": "rsa_sha256_pss:7c00edba56691d004d26457616143077ad56d7607f07c3da40f95bceb2d57018f741786f90ab8eb4fbe9b476e27299b96e256baac0a4ef9489b91f5ad8a57245a365a10a219f50132dbd5e859a0d5ba5f136690e789102e12639b48fa0e8039af0224792a106643e85b9e65409a46069813edf0e713c7fc186cca092e02186a09e161f8f01c7bb70fc7808f17353b9e5fedd494c640a6e3f917474c6f215ae97f1deb9734375f74bc9677de819dda887fb8b49495872b26472f7fd243acc14215626bcc93c0a177d418910ddc1940181c2b7680c6cd928913dc9224b4a6115ce475cb2705e0c00def1d72afa79fc9eb504d8449cb2758dd554c95c67bcfc96ce"
}
2022-09-24 07:49:58,331 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-2) PrivacyIDEA Client: GET /validate/polltransaction
2022-09-24 07:49:58,331 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-2) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:00,500 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-3) PrivacyIDEA Client: GET /validate/polltransaction
2022-09-24 07:50:00,500 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-3) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:02,667 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-4) PrivacyIDEA Client: GET /validate/polltransaction
2022-09-24 07:50:02,668 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-4) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:04,824 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-5) PrivacyIDEA Client: GET /validate/polltransaction
2022-09-24 07:50:04,824 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-5) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:04,884 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: POST /validate/check
2022-09-24 07:50:04,884 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: user=yko_adm_user
2022-09-24 07:50:04,885 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: pass=
2022-09-24 07:50:04,885 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: transaction_id=00942768684158838260
2022-09-24 07:50:04,885 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (pool-9-thread-6) PrivacyIDEA Client: realm=***.com.admin
2022-09-24 07:50:04,987 INFO [org.privacyidea.authenticator.PrivacyIDEAAuthenticator] (OkHttp https://2fa.***.com/...) PrivacyIDEA Client: /validate/check:
{
"detail": {
"message": "Found matching challenge",
"serial": "***",
"threadid": 140429160433472
},
"id": 2,
"jsonrpc": "2.0",
"result": {
"authentication": "ACCEPT",
"status": true,
"value": true
},
"time": 1664005804.9552202,
"version": "privacyIDEA 3.7.3",
"versionnumber": "3.7.3",
"signature": "rsa_sha256_pss:aeb77fe5037c16d9322dc6f9727c071ee65e2381f06e57fefdf2e7dae4730933f987ca70fa9bd66efc0d0c508945e41ce6095130abdb012a5a979d22f04f86eb115e00dd3eba2292afd7d7611282c5bedea94398c56d96e9e78053a8c05b264e1318f6c8bef3f004fb5af5b6d8bbdb65d44c8630374fd717a49aba43efa14d35f75e4190f5e38e4aaefda126f7c14a941153e5d5d84c1d4007ccbecb9295ff30c5b8c2f1bd2493041300b21dbf388918e370b30c012cb90e1863d312674d4d03324609390151941274ecebd9975f70ccf6aa99a9b32cc03ce58d696f900a2394d43d88223e9a1f372860bcb1c586e7e08b50e8bd9c918b6fc4578a20eb376cd1"
}
2022-09-24 07:54:51,235 WARN [org.keycloak.services] (executor-thread-20) KC-SERVICES0091: Request is missing scope 'openid' so it's not treated as OIDC, but just pure OAuth2 request.
I guess that this is unrelated to the device auth issue:
One thing I notice: I logged in with two users, but the cant see each other in users view: But it is related to this. You probably skipped it in the Keycloak guide.
Overall, I suggest that you go through the setup as per the guideline completing all the steps:
https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-keycloak
@ykorzikowski @braginini I've spent some time recently with setup the self-hosted NetBird based on Keycloak and in general everything works fine (GCP based) - just needed to struggle a little bit.
I'm waiting to be able to setup DNS (https://github.com/netbirdio/netbird/issues/373) maybe then I will put some instruction how to configure it in GCP env specific if it will useful for other people and project itself.
@braginini I think Keycloak addition to docker-compose
version should be quite easy as it possible to import realm out-of-the-box so maybe we should add as a part of NetBird the specific docker-compose which configure NetBird + Keycloak in one shot.
During the installation I noticed that command for management component command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=true", "--single-account-mode-domain=mynetbird.com"]
should be updated - otherwise (at least in my case) the separated client were added to different account/tenant if empty. I think this part wasn't exactly described in the docs and configure script doesn't update it in the fly.
@braginini I have also 2 questions:
Thanks!
Ok - I checked and it seems that UI (dashboard) don't have to be exposed with Keycloak - the realm is enough to authenticate the user/machine.
Hey @pnowy We thought of adding Authentik to docker-compose. But Keycloak should be a good option as well. The alternative was to embed a very simple IdP implemented with Zitadel.
It is not required exposing the dashboard, but you will need to manage the SSL certificates on your own because Letsencrypt validates certs dynamically.
As for the HA availability. No advice in particular, but we planned that for Q1'23. We just refactored the storage interface to be able to embed HA storages.
After updating everything to the most recent 0.17.0 I re-tried the device authorization with my keycloak instance. In the meantime I also updated keycloak to 22.0.1.
I get the "Device Login Successful" like in the Expected Result section, but the terminal is still waiting for the response (so there is never a connection being established).
I recreate the netbird-client in keycloak and checked my configuration but I am not able to find the issue.
keycloak.log (after first successfull message, I can't retry it with same device code. Otherwise I get the following error)
2023-04-28 22:11:38,067 WARN [org.keycloak.events] (executor-thread-30) type=OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR, realmId=master, clientId=null, userId=null, ipAddress=80.141.**.**, error=invalid_oauth2_user_code, reason='device code not found (it may already have been used)'
/var/log/netbird/client.log
2023-04-29T00:12:11+02:00 WARN client/server/server.go:119: failed login: rpc error: code = InvalidArgument desc = invalid setup-key or no sso information provided, err: invalid UUID length: 0
management.json
{
"Stuns": [
{
"Proto": "udp",
"URI": "stun:netbird.***.com:3478",
"Username": "",
"Password": null
}
],
"TURNConfig": {
"Turns": [
{
"Proto": "udp",
"URI": "turn:netbird.***.com:3478",
"Username": "self",
"Password": "***"
}
],
"CredentialsTTL": "12h",
"Secret": "secret",
"TimeBasedCredentials": false
},
"Signal": {
"Proto": "https",
"URI": "netbird.***.com:10000",
"Username": "",
"Password": null
},
"Datadir": "",
"HttpConfig": {
"Address": "0.0.0.0:80",
"AuthIssuer": "https://sso.***.com/realms/master",
"AuthAudience": "netbird-client",
"AuthKeysLocation": "https://sso.***.com/realms/master/protocol/openid-connect/certs",
"disabled_CertFile":"/etc/letsencrypt/live/netbird.***.com/fullchain.pem",
"disabled_CertKey":"/etc/letsencrypt/live/netbird.***.com/privkey.pem",
"OIDCConfigEndpoint":"https://sso.***.com/realms/master/.well-known/openid-configuration"
},
"IdpManagerConfig": {
"ManagerType": "keycloak",
"KeycloakClientCredentials": {
"ClientID": "netbird-backend",
"ClientSecret": "***",
"GrantType": "client_credentials",
"TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token",
"AdminEndpoint": "https://sso.***.com/admin/realms/master"
}
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"Audience": "netbird-client",
"Domain": "",
"ClientID": "netbird-client",
"TokenEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/token",
"DeviceAuthEndpoint": "https://sso.***.com/realms/master/protocol/openid-connect/auth/device",
"Scope": "openid",
"UseIDToken": false
}
}
}
Hello there,
I set up erverything like described in the selfhosting guide with keycloak. I can login to the admin console with keycloak and can see Peers etc.
However, when I try to do a
netbird up
, it wont connect to the management service.I can curl the api from my machin: