-rw-r--r-- | netcon/README.md | 40 |
1 files changed, 17 insertions, 23 deletions
diff --git a/netcon/README.md b/netcon/README.md index 3d4eb754..bf6ae939 100644 --- a/netcon/README.md +++ b/netcon/README.md @@ -1,21 +1,20 @@ -ZeroTier Network Containers +ZeroTier Network Containers ====== ### Functional Overview: This system exists as a dynamically-linked library, and a service/IP-stack built into ZeroTier -If you care about the technicals, +If you care about the technicals, The intercept is compiled as a shared library and installed in some user-accessible directory. When you want to intercept -a user application you dynamically link the shared library to the application during runtime. When the application starts, the +a user application you dynamically link the shared library to the application during runtime. When the application starts, the intercept's global constructor is called which sets up a hidden pipe which is used to communicate remote procedure calls (RPC) to the host Netcon service running in the background. When an RPC for a socket() is received by the Netcon service from the intercepted application, the Netcon service will ask the lwIP stack for a new PCB structure (used to represent a connection), if the system permits its allocation, it will be passed to Netcon where a PCB/socket table entry will be created. The table is used for mapping [callbacks from lwIP] and [RPCs from the intercept] to the correct connections. Upon the first call to a intercept-overriden system call, a Unix-domain socket is opened between the Netcon service and the application's intercept. This socket provides us the ability to pass file descriptors of newly-created socketpairs to the intercept (used as the read/write buffer). More specifically, after the socketpair creation, one end is kept in a table entry in Netcon and one end is sent to the intercept. - ### Building from Source (and Installing) Build zerotier-intercept library: 
@@ -84,17 +83,17 @@ B) Results will be written to the 'netcon/docker-test/_results/' directory Network Containers have been tested with the following: - sshd [ WORKS as of 20151112] - ssh [ WORKS as of 20151112] - sftp [ WORKS as of 20151022] - curl [ WORKS as of 20151021] - apache (debug mode) [ WORKS as of 20150810] - apache (prefork MPM) [ WORKS as of 20151123] (2.4.6-31.x86-64 on Centos 7), (2.4.16-1.x84-64 on F22), (2.4.17-3.x86-64 on F22) - nginx [ WORKS as of 20151123] Broken on Centos 7, unreliable on Fedora 23 - nodejs [ WORKS as of 20151123] - java [ WORKS as of 20151010] - MongoDB [ WORKS as of 20151028] - Redis-server [ WORKS as of 20151123] + sshd [ WORKS as of 20151112] + ssh [ WORKS as of 20151112] + sftp [ WORKS as of 20151022] + curl [ WORKS as of 20151021] + apache (debug mode) [ WORKS as of 20150810] + apache (prefork MPM) [ WORKS as of 20151123] (2.4.6-31.x86-64 on Centos 7), (2.4.16-1.x84-64 on F22), (2.4.17-3.x86-64 on F22) + nginx [ WORKS as of 20151123] Broken on Centos 7, unreliable on Fedora 23 + nodejs [ WORKS as of 20151123] + java [ WORKS as of 20151010] + MongoDB [ WORKS as of 20151028] + Redis-server [ WORKS as of 20151123] Future: 
@@ -113,17 +112,15 @@ Future: 20151028 Added MongoDB support: - Added logic (RPC_MAP_REQ) to check whether a given AF_LOCAL socket is mapped to anything - inside the service instance. - + inside the service instance. 20151027 Added Redis-server support: - Added extra logic to detect socket re-issuing and consequent service-side double mapping. - Redis appears to try to set its initial listen socket to IPV6 only, this currently fails. As + Redis appears to try to set its initial listen socket to IPV6 only, this currently fails. As a result, Redis will close the socket and re-open it. The server will now test for closures during mapping and will eliminate any mappings to broken pipes. - 20151021 Added Node.js support: - syscall(long number, ...) is now intercepted and re-directs the __NR_accept4 call to our intercepted accept4() function @@ -138,8 +135,5 @@ Future: level == IPPROTO_TCP || (level == SOL_SOCKET && option_name == SO_KEEPALIVE) This might be unnecessary or might need a better workaround - - Careful attention should be given to how arguments are passed in the intercepted syscall() function, this differs for + - Careful attention should be given to how arguments are passed in the intercepted syscall() function, this differs for 32/64-bit systems - - - |
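Review bot: "If you care about the technicals," in the first hunk (@@ -1,21 +1,20 @@) is a sentence fragment that the change rewrites only to strip trailing whitespace; since the line is being touched anyway, complete it or join it to the sentence that follows, e.g. "If you care about the technical details: the intercept is compiled as a shared library ...". The same hunk drops the blank line before "### Building from Source (and Installing)"; an ATX heading directly after a paragraph does render in CommonMark, but some renderers and linters expect the separating blank line, so keeping it is the safer choice. Two further points in the surrounding context lines: "a intercept-overriden system call" should read "an intercept-overridden system call", and the overview describes the RPC pipe and the Unix-domain socket over which socketpair descriptors are passed without saying where those endpoints are created or what ownership and permission bits they carry, which is what an operator needs in order to reason about which local users can talk to the Netcon service.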
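Review bot: the compatibility list in the second hunk (@@ -84,17 +83,17 @@) is rewritten line by line only to remove trailing whitespace, which is the right moment to fix the content errors it carries across unchanged: "2.4.16-1.x84-64 on F22" should be "x86-64", "Centos" should be "CentOS" for consistency with the rest of the entry, and the nginx line contradicts itself ("WORKS as of 20151123" followed by "Broken on Centos 7, unreliable on Fedora 23"); it should state on which platform it was verified and mark the others as broken or untested.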
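Review bot: the Redis entry in the third hunk (@@ -113,17 +112,15 @@) still says only that setting the initial listen socket to "IPV6 only" currently fails and that the service now drops mappings to broken pipes; since the line is being edited, spell it "IPv6" and record the underlying limitation (IPv6-only listen sockets are not supported) as a known limitation, because a reader scanning this changelog needs to know that the behaviour applies to any application, not that a workaround exists for Redis alone. Removing the stray blank lines between the entries is fine.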
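Review bot: the last hunk (@@ -138,8 +135,5 @@) only trims trailing blank lines at the end of the file, but the context line it keeps, "Careful attention should be given to how arguments are passed in the intercepted syscall() function, this differs for 32/64-bit systems", is a correctness concern rather than a release note: a variadic syscall() interposer that reads its arguments with the wrong width hands the wrong descriptor or pointer to the real system call, so this deserves a tracked issue, and a statement of which word size has actually been tested, rather than a sentence at the bottom of the README. The preceding filter "level == IPPROTO_TCP || (level == SOL_SOCKET && option_name == SO_KEEPALIVE) This might be unnecessary or might need a better workaround" has the same problem: document what the intercept does with socket options outside that set, since an application that sets an option and assumes it took effect will behave differently under the intercept than it does natively.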