openziti / ziti-tunnel-sdk-c

Apache License 2.0

hosting-only run mode with disabled intercept #183

Closed (qrkourier closed this issue 2 years ago)

qrkourier commented 3 years ago

I need a run-mode or option like --disable-intercept that changes the behavior of ziti-edge-tunnel to only host services, not intercept.

Characteristics include:

  1. no elevated privileges (neither to exec resolvectl to configure DNS nor to manage /dev/net/tun devices)
  2. run mode sub-command or options like --disable-intercept
  3. no dependence on the availability of /dev/net/tun, /var/run/dbus/system_bus_socket, resolvectl
  4. ziti-edge-tunnel in this configuration will only perform hosting functions for the services for which its identity(ies) are authorized
  5. A DNS server is not running in ziti-edge-tunnel
qrkourier commented 2 years ago

@dovholuknf Following on to our conversation about running ziti-edge-tunnel run in a non-privileged container for the purpose of hosting services without any Ziti DNS or IP routes. This is what I get when I run it without the tun device mounted on the container. If I mount the device I get the permission denied error and it still exits with a critical error. Did you have some success with ziti-edge-tunnel running without privileges for only hosting services? Please share this magic.

exit-tun_1 | + ziti-edge-tunnel run --identity /ziti-edge-tunnel/Exit2122.json run
exit-tun_1 | About to run tunnel service...
ziti-edge-tunnel[        0.000]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1413 run_tunnel() failed to open network interface: open /dev/net/tun failed
exit-tun_1 | + alldone

ojbfive commented 2 years ago

I think this could be useful --- what would a simple compose file look like?

qrkourier commented 2 years ago
version: "3.9"
services:
    ziti-host:                  # tunneler for hosting services without providing DNS or IP routes
        image: netfoundry/ziti-edge-tunnel:latest
        volumes:
        - .:/ziti-edge-tunnel    # identity JSON files live in the Compose project directory
        environment:
        - NF_REG_NAME            # inherit when run like this: NF_REG_NAME=AcmeIdentity docker-compose up ziti-host
        network_mode: bridge     # use the Compose project's Docker bridge network
        privileged: false        # no special capabilities required for hosting without DNS and IP routes
        command:
        - --verbose=4
        - --disable-intercept
dovholuknf commented 2 years ago

@qrkourier - does run-host solve this problem now? should this issue be closed?

qrkourier commented 2 years ago

This issue is resolved by the run-host mode.
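As an added example, not code from this issue thread or from the ziti-tunnel-sdk-c project: a small POSIX shell launcher that checks the three prerequisites the opening comment lists for intercept mode (a writable /dev/net/tun, the system D-Bus socket, and resolvectl) and starts `ziti-edge-tunnel run-host` when any of them is missing, so an unprivileged hosting-only container never attempts to open the tun device and exit with the error quoted above. It assumes that `run-host` accepts the same `--identity` and `--verbose` options as the `run` invocation shown in the thread; the `ZITI_MODE`, `ZITI_IDENTITY` and `ZITI_VERBOSE` variables are this script's own, not options of the tunneler.

```shell
#!/bin/sh
# Added example (not from this issue thread or from the ziti-tunnel-sdk-c
# project): pick the ziti-edge-tunnel mode a container can actually use.
# Assumptions: `run-host` accepts the same --identity/--verbose options as
# `run` (option names taken from the `run` invocation in the thread), and the
# three prerequisites checked below are the ones listed in the issue.

# Return 0 when everything the intercepting `run` mode needs is present and
# usable; any missing piece means only hosting (`run-host`) can work here.
intercept_prereqs_ok() {
    # tun device must exist and be writable by this user; in an unprivileged
    # container it is usually absent, or present but permission denied
    [ -c /dev/net/tun ] && [ -w /dev/net/tun ] || return 1
    # system D-Bus socket, used to reach systemd-resolved for Ziti DNS
    [ -S /var/run/dbus/system_bus_socket ] || return 1
    # resolvectl binary, used to configure DNS on the tun interface
    command -v resolvectl >/dev/null 2>&1 || return 1
    return 0
}

# Map a mode name to the ziti-edge-tunnel subcommand that implements it.
tunnel_subcommand() {
    case "$1" in
        intercept) echo "run" ;;
        host)      echo "run-host" ;;
        *)         echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Decide the mode for this environment, honouring an explicit override.
# ZITI_MODE=host forces hosting-only even where intercept would be possible,
# which is what you want for a hosting-only sidecar that must never touch
# the container's DNS or routes.
select_mode() {
    if [ "${ZITI_MODE:-}" = "host" ]; then
        echo host
    elif intercept_prereqs_ok; then
        echo intercept
    else
        echo host
    fi
}

# Exec the tunneler. $1 = identity JSON path; $2 = optional verbosity.
launch_tunnel() {
    identity="$1"
    verbosity="${2:-3}"
    mode="$(select_mode)"
    sub="$(tunnel_subcommand "$mode")" || return 1
    echo "starting ziti-edge-tunnel $sub (mode=$mode) for $identity" >&2
    exec ziti-edge-tunnel "$sub" --identity "$identity" --verbose="$verbosity"
}

# Only launch when an identity is supplied, so the functions above can be
# sourced and inspected without starting anything.
if [ -n "${ZITI_IDENTITY:-}" ]; then
    launch_tunnel "$ZITI_IDENTITY" "${ZITI_VERBOSE:-3}"
fi
```

In a container like the Compose service above, set `ZITI_MODE=host` and `ZITI_IDENTITY=/ziti-edge-tunnel/Exit2122.json` in the environment and use this script as the entrypoint (a hypothetical `select-mode.sh`); the tunneler then runs `run-host` regardless of whether the host happens to expose `/dev/net/tun`, which is the safer default for a hosting-only sidecar.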