From c2bbec2f050da996f660f2ae28b365330ebff633 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Fri, 9 Oct 2015 10:14:20 -0700
Subject: Docker example (and useful for testing)
---
 examples/docker/Dockerfile | 19 +++++++++++++++++++
 examples/docker/README.md | 8 ++++++++
 examples/docker/main.sh | 25 +++++++++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 examples/docker/Dockerfile
 create mode 100644 examples/docker/README.md
 create mode 100644 examples/docker/main.sh
 (limited to 'examples/docker')
diff --git a/examples/docker/Dockerfile b/examples/docker/Dockerfile
new file mode 100644
index 00000000..a4274924
--- /dev/null
+++ b/examples/docker/Dockerfile
@@ -0,0 +1,19 @@
+FROM centos:7
+
+MAINTAINER https://www.zerotier.com/
+
+RUN yum -y update && yum clean all
+
+EXPOSE 9993/udp
+
+RUN mkdir -p /var/lib/zerotier-one
+RUN mkdir -p /var/lib/zerotier-one/networks.d
+RUN ln -sf /var/lib/zerotier-one/zerotier-one /usr/local/bin/zerotier-cli
+RUN ln -sf /var/lib/zerotier-one/zerotier-one /usr/local/bin/zerotier-idtool
+
+ADD zerotier-one /var/lib/zerotier-one/
+
+ADD main.sh /
+RUN chmod a+x /main.sh
+
+CMD ["./main.sh"]
diff --git a/examples/docker/README.md b/examples/docker/README.md
new file mode 100644
index 00000000..4dae52f3
--- /dev/null
+++ b/examples/docker/README.md
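Review bot: `ADD zerotier-one /var/lib/zerotier-one/` and `ADD main.sh /` should be `COPY` — `ADD` additionally fetches URLs and auto-extracts archives, so a build-context file that happens to be a tarball would be unpacked into the image instead of copied, and `COPY` is the form that does only what this Dockerfile needs. The image also runs `zerotier-one` as root (no `USER` line) on top of an unpinned `centos:7` plus `yum -y update`, so two builds of the same file can contain different packages; root is probably unavoidable here because the service needs the tap device and NET_ADMIN, but a comment stating that (`# runs as root: tap device creation needs CAP_NET_ADMIN`) tells the next reader it is deliberate rather than an oversight. Finally `CMD ["./main.sh"]` only works because the default WORKDIR is `/`; `CMD ["/main.sh"]` matches the absolute path the `RUN chmod a+x /main.sh` line already uses and survives a later `WORKDIR`.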
@@ -0,0 +1,8 @@
+Simple Dockerfile Example
+======
+
+This is a simple Docker example using ZeroTier One in normal tun/tap mode. It uses a Dockerfile to build an image containing ZeroTier One and a main.sh that launches it with an identity supplied via the Docker environment via the ZEROTIER\_IDENTITY\_SECRET and ZEROTIER\_NETWORK variables. The Dockerfile assumes that the zerotier-one binary is in the build folder.
+
+This is not a very secure way to load an identity secret, but it's useful for testing since it allows you to repeatedly launch Docker containers with the same identity. For production we'd recommend using something like Hashicorp Vault, or modifying main.sh to leave identities unspecified and allow the container to generate a new identity at runtime. Then you could script approval of containers using the controller API, approving them as they launch, etc. (We are working on better ways of doing mass provisioning.)
+
+To use in normal tun/tap mode with Docker, containers must be run with the options "--device=/dev/net/tun --cap-add=NET_ADMIN". The main.sh script supplied here will complain and exit if these options are not present (no /dev/net/tun device).
diff --git a/examples/docker/main.sh b/examples/docker/main.sh
new file mode 100644
index 00000000..e9febb13
--- /dev/null
+++ b/examples/docker/main.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
+
+if [ ! -c "/dev/net/tun" ]; then
+ echo 'FATAL: must be docker run with: --device=/dev/net/tun --cap-add=NET_ADMIN'
+ exit 1
+fi
+
+if [ -z "$ZEROTIER_IDENTITY_SECRET" ]; then
+ echo 'FATAL: ZEROTIER_IDENTITY_SECRET not set -- aborting!'
+ exit 1
+fi
+
+if [ -z "$ZEROTIER_NETWORK" ]; then
+ echo 'Warning: ZEROTIER_NETWORK not set, you will need to docker exec zerotier-cli to join a network.'
+else
+ # The existence of a .conf will cause the service to "remember" this network
+ touch /var/lib/zerotier-one/networks.d/$ZEROTIER_NETWORK.conf
+fi
+
+rm -f /var/lib/zerotier-one/identity.*
+echo "$ZEROTIER_IDENTITY_SECRET" >identity.secret
+
+/var/lib/zerotier-one/zerotier-one
-- cgit v1.2.3
From 9a2565115119f4c56bada376974ed77c6b2661c7 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Fri, 9 Oct 2015 10:14:45 -0700
Subject: .
---
 examples/docker/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'examples/docker')
diff --git a/examples/docker/README.md b/examples/docker/README.md
index 4dae52f3..fbc93481 100644
--- a/examples/docker/README.md
+++ b/examples/docker/README.md
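Review bot: `touch /var/lib/zerotier-one/networks.d/$ZEROTIER_NETWORK.conf` takes the environment value unquoted and unvalidated, so a value like `../../etc/x` or one containing spaces creates a file outside networks.d (or several files) instead of a network config; the API README in this same series describes a network ID as 16 hex digits, so the script can reject anything else before it touches the filesystem. Both redirections in the file also run under the default umask, so the files they create are world-readable inside the container; a `umask 077` at the top keeps the written identity secret private to root. The secret additionally stays visible in the container environment (`docker inspect`, `/proc/1/environ`) — the README admits this — and `unset ZEROTIER_IDENTITY_SECRET` after the write at least removes it from the daemon's own environment.
```shell
umask 077

# … unchanged: PATH export, /dev/net/tun and ZEROTIER_IDENTITY_SECRET checks …

if [ -z "$ZEROTIER_NETWORK" ]; then
	echo 'Warning: ZEROTIER_NETWORK not set, you will need to docker exec zerotier-cli to join a network.'
elif ! [[ "$ZEROTIER_NETWORK" =~ ^[0-9a-fA-F]{16}$ ]]; then
	# Reject anything that is not a bare 16-hex-digit network ID: the value becomes a file name below.
	echo 'FATAL: ZEROTIER_NETWORK must be a 16 hex digit network ID -- aborting!'
	exit 1
else
	# The existence of a .conf will cause the service to "remember" this network
	touch "/var/lib/zerotier-one/networks.d/$ZEROTIER_NETWORK.conf"
fi

# … unchanged: identity.secret write and exec of zerotier-one …
```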
@@ -5,4 +5,4 @@ This is a simple Docker example using ZeroTier One in normal tun/tap mode. It us

 This is not a very secure way to load an identity secret, but it's useful for testing since it allows you to repeatedly launch Docker containers with the same identity. For production we'd recommend using something like Hashicorp Vault, or modifying main.sh to leave identities unspecified and allow the container to generate a new identity at runtime. Then you could script approval of containers using the controller API, approving them as they launch, etc. (We are working on better ways of doing mass provisioning.)

-To use in normal tun/tap mode with Docker, containers must be run with the options "--device=/dev/net/tun --cap-add=NET_ADMIN". The main.sh script supplied here will complain and exit if these options are not present (no /dev/net/tun device).
+To use in normal tun/tap mode with Docker, containers must be run with the options "--device=/dev/net/tun --privileged". The main.sh script supplied here will complain and exit if these options are not present (no /dev/net/tun device).
-- cgit v1.2.3
From e33adad8f5b1bb64cc4c5b318a8fb95077407419 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Fri, 9 Oct 2015 12:15:42 -0700
Subject: Script to quickly generate test docker env files.
---
 examples/docker/maketestenv.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100755 examples/docker/maketestenv.sh
 (limited to 'examples/docker')
diff --git a/examples/docker/maketestenv.sh b/examples/docker/maketestenv.sh
new file mode 100755
index 00000000..275692e1
--- /dev/null
+++ b/examples/docker/maketestenv.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ -z "$1" -o -z "$2" ]; then
+ echo 'Usage: maketestenv.sh '
+ exit 1
+fi
+
+newid=`../../zerotier-idtool generate`
+
+echo "ZEROTIER_IDENTITY_SECRET=$newid" >$1
+echo "ZEROTIER_NETWORK=$2" >>$1
-- cgit v1.2.3
From 97dee9de36a69ed0aba4baf0cce03b9c4f11b30d Mon Sep 17 00:00:00 2001
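Review bot: The env file written by `echo "ZEROTIER_IDENTITY_SECRET=$newid" >$1` holds a private identity key but is created under the caller's default umask, so it is typically world-readable on the host; put `umask 077` before the redirections so the file is owner-only from the moment it exists. The `zerotier-idtool generate` call also has no exit-status check — if the binary is missing or fails, `$newid` is empty and the script still writes a file with an empty secret — so `newid=$(../../zerotier-idtool generate) || { echo 'FATAL: zerotier-idtool generate failed' >&2; exit 1; }` fails loudly instead, and quoting the output paths as `>"$1"` keeps a path with spaces from splitting. The usage line reads `Usage: maketestenv.sh ` with nothing after it, which looks like angle-bracketed placeholders (probably the env file and network ID) lost to HTML rendering; worth confirming the tree actually names the arguments.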
From: Adam Ierymenko
Date: Fri, 9 Oct 2015 12:50:52 -0700
Subject: Add more helpful example stuff.
---
 examples/api/README.md | 20 ++++++++++++++++++++
 examples/api/public.json | 27 +++++++++++++++++++++++++++
 examples/docker/Dockerfile | 2 +-
 3 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 examples/api/README.md
 create mode 100644 examples/api/public.json
 (limited to 'examples/docker')
diff --git a/examples/api/README.md b/examples/api/README.md
new file mode 100644
index 00000000..8b6d9633
--- /dev/null
+++ b/examples/api/README.md
@@ -0,0 +1,20 @@
+API Examples
+======
+
+This folder contains examples that can be posted with curl or another http query utility to a local instance.
+
+To test querying with curl:
+
+ curl -H 'X-ZT1-Auth:AUTHTOKEN' http://127.0.0.1:9993/status
+
+To create a public network on a local controller (service must be built with "make ZT\_ENABLE\_NETWORK\_CONTROLLER=1"):
+
+ curl -H 'X-ZT1-Auth:AUTHTOKEN' -X POST -d @public.json http://127.0.0.1:9993/controller/network/################
+
+Replace AUTHTOKEN with the contents of this instance's authtoken.secret file and ################ with a valid network ID. Its first 10 hex digits must be the ZeroTier address of the controller itself, while the last 6 hex digits can be anything. Also be sure to change the port if you have this instance listening somewhere other than 9993.
+
+After POSTing you can double check the network config with:
+
+ curl -H 'X-ZT1-Auth:AUTHTOKEN' http://127.0.0.1:9993/controller/network/################
+
+Once this network is created (and if your controller is online, etc.) you can then join this network from any device anywhere in the world and it will receive a valid network configuration.
diff --git a/examples/api/public.json b/examples/api/public.json
new file mode 100644
index 00000000..4317bd3e
--- /dev/null
+++ b/examples/api/public.json
@@ -0,0 +1,27 @@
+{
+ "name": "public_test_network",
+ "private": false,
+ "enableBroadcast": true,
+ "allowPassiveBridging": false,
+ "v4AssignMode": "zt",
+ "v6AssignMode": "rfc4193",
+ "multicastLimit": 32,
+ "relays": [],
+ "gateways": [],
+ "ipLocalRoutes": ["10.66.0.0/16"],
+ "ipAssignmentPools": [{"ipRangeStart":"10.66.0.1","ipRangeEnd":"10.66.255.254"}],
+ "rules": [
+ {
+ "ruleNo": 10,
+ "etherType": 2048,
+ "action": "accept"
+ },{
+ "ruleNo": 20,
+ "etherType": 2054,
+ "action": "accept"
+ },{
+ "ruleNo": 30,
+ "etherType": 34525,
+ "action": "accept"
+ }]
+}
diff --git a/examples/docker/Dockerfile b/examples/docker/Dockerfile
index a4274924..f1ce6bb5 100644
--- a/examples/docker/Dockerfile
+++ b/examples/docker/Dockerfile
@@ -2,7 +2,7 @@ FROM centos:7

 MAINTAINER https://www.zerotier.com/

-RUN yum -y update && yum clean all
+RUN yum -y update && yum install -y sqlite net-tools && yum clean all

 EXPOSE 9993/udp

-- cgit v1.2.3
From a95fa379cca0ddbce98d476b143c3606f3ae7bce Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Fri, 9 Oct 2015 14:51:38 -0700
Subject: Circuit tests basically work but need some tweaks, and fix some issues found with valgrind.
---
 controller/SqliteNetworkController.cpp | 2 -
 controller/SqliteNetworkController.hpp | 2 -
 examples/api/circuit-test-pingpong.json | 13 ++++++
 examples/docker/main.sh | 2 +-
 node/InetAddress.hpp | 72 ++++++++++++++++++++-------------
 node/Node.cpp | 2 +-
 6 files changed, 59 insertions(+), 34 deletions(-)
 create mode 100644 examples/api/circuit-test-pingpong.json
 (limited to 'examples/docker')
diff --git a/controller/SqliteNetworkController.cpp b/controller/SqliteNetworkController.cpp
index 40fafd79..d87e5624 100644
--- a/controller/SqliteNetworkController.cpp
+++ b/controller/SqliteNetworkController.cpp
@@ -258,8 +258,6 @@ SqliteNetworkController::~SqliteNetworkController()
 sqlite3_finalize(_sCreateMember);
 sqlite3_finalize(_sGetNodeIdentity);
 sqlite3_finalize(_sCreateOrReplaceNode);
- sqlite3_finalize(_sUpdateNode);
- sqlite3_finalize(_sUpdateNode2);
 sqlite3_finalize(_sGetEtherTypesFromRuleTable);
 sqlite3_finalize(_sGetActiveBridges);
 sqlite3_finalize(_sGetIpAssignmentsForNode);
diff --git a/controller/SqliteNetworkController.hpp b/controller/SqliteNetworkController.hpp
index 7a01487c..a3d5dfc7 100644
--- a/controller/SqliteNetworkController.hpp
+++ b/controller/SqliteNetworkController.hpp
@@ -155,8 +155,6 @@ private:
 sqlite3_stmt *_sCreateMember;
 sqlite3_stmt *_sGetNodeIdentity;
 sqlite3_stmt *_sCreateOrReplaceNode;
- sqlite3_stmt *_sUpdateNode;
- sqlite3_stmt *_sUpdateNode2;
 sqlite3_stmt *_sGetEtherTypesFromRuleTable;
 sqlite3_stmt *_sGetActiveBridges;
 sqlite3_stmt *_sGetIpAssignmentsForNode;
diff --git a/examples/api/circuit-test-pingpong.json b/examples/api/circuit-test-pingpong.json
new file mode 100644
index 00000000..8fcc5d94
--- /dev/null
+++ b/examples/api/circuit-test-pingpong.json
@@ -0,0 +1,13 @@
+{
+ "hops": [
+ [ "4cbc810d4c" ],
+ [ "868cd1664f" ],
+ [ "4cbc810d4c" ],
+ [ "868cd1664f" ],
+ [ "4cbc810d4c" ],
+ [ "868cd1664f" ],
+ [ "4cbc810d4c" ],
+ [ "868cd1664f" ]
+ ],
+ "reportAtEveryHop": true
+}
diff --git a/examples/docker/main.sh b/examples/docker/main.sh
index e9febb13..53fb6540 100644
--- a/examples/docker/main.sh
+++ b/examples/docker/main.sh
@@ -20,6 +20,6 @@ else
 fi

 rm -f /var/lib/zerotier-one/identity.*
-echo "$ZEROTIER_IDENTITY_SECRET" >identity.secret
+echo "$ZEROTIER_IDENTITY_SECRET" >/var/lib/zerotier-one/identity.secret

 /var/lib/zerotier-one/zerotier-one
diff --git a/node/InetAddress.hpp b/node/InetAddress.hpp
index 6970e92d..50db272a 100644
--- a/node/InetAddress.hpp
+++ b/node/InetAddress.hpp
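Review bot: The corrected redirect now puts the key where the service looks for it, but `echo "$ZEROTIER_IDENTITY_SECRET" >/var/lib/zerotier-one/identity.secret` still creates the file under the shell's default umask, so the node's private identity lands mode 0644 and is readable by any uid inside the container. `(umask 077; echo "$ZEROTIER_IDENTITY_SECRET" >/var/lib/zerotier-one/identity.secret)` — or a `chmod 600` immediately after the write — keeps it root-only; whether zerotier-one itself refuses a loose mode is not visible from this diff, so the script should not rely on it. The preceding `rm -f /var/lib/zerotier-one/identity.*` is fine as the "always start from the env-supplied identity" step, and a one-line comment saying so would stop someone from "fixing" it.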
@@ -100,74 +100,88 @@ struct InetAddress : public sockaddr_storage
 inline InetAddress &operator=(const InetAddress &a)
 throw()
 {
- memcpy(this,&a,sizeof(InetAddress));
+ if (&a != this)
+ memcpy(this,&a,sizeof(InetAddress));
 return *this;
 }

 inline InetAddress &operator=(const InetAddress *a)
 throw()
 {
- memcpy(this,a,sizeof(InetAddress));
+ if (a != this)
+ memcpy(this,a,sizeof(InetAddress));
 return *this;
 }

 inline InetAddress &operator=(const struct sockaddr_storage &ss)
 throw()
 {
- memcpy(this,&ss,sizeof(InetAddress));
+ if (reinterpret_cast(&ss) != this)
+ memcpy(this,&ss,sizeof(InetAddress));
 return *this;
 }

 inline InetAddress &operator=(const struct sockaddr_storage *ss)
 throw()
 {
- memcpy(this,ss,sizeof(InetAddress));
+ if (reinterpret_cast(ss) != this)
+ memcpy(this,ss,sizeof(InetAddress));
 return *this;
 }

 inline InetAddress &operator=(const struct sockaddr_in &sa)
 throw()
 {
- memset(this,0,sizeof(InetAddress));
- memcpy(this,&sa,sizeof(struct sockaddr_in));
+ if (reinterpret_cast(&sa) != this) {
+ memset(this,0,sizeof(InetAddress));
+ memcpy(this,&sa,sizeof(struct sockaddr_in));
+ }
 return *this;
 }

 inline InetAddress &operator=(const struct sockaddr_in *sa)
 throw()
 {
- memset(this,0,sizeof(InetAddress));
- memcpy(this,sa,sizeof(struct sockaddr_in));
+ if (reinterpret_cast(sa) != this) {
+ memset(this,0,sizeof(InetAddress));
+ memcpy(this,sa,sizeof(struct sockaddr_in));
+ }
 return *this;
 }

 inline InetAddress &operator=(const struct sockaddr_in6 &sa)
 throw()
 {
- memset(this,0,sizeof(InetAddress));
- memcpy(this,&sa,sizeof(struct sockaddr_in6));
+ if (reinterpret_cast(&sa) != this) {
+ memset(this,0,sizeof(InetAddress));
+ memcpy(this,&sa,sizeof(struct sockaddr_in6));
+ }
 return *this;
 }

 inline InetAddress &operator=(const struct sockaddr_in6 *sa)
 throw()
 {
- memset(this,0,sizeof(InetAddress));
- memcpy(this,sa,sizeof(struct sockaddr_in6));
+ if (reinterpret_cast(sa) != this) {
+ memset(this,0,sizeof(InetAddress));
+ memcpy(this,sa,sizeof(struct sockaddr_in6));
+ }
 return *this;
 }

 inline InetAddress &operator=(const struct sockaddr &sa)
 throw()
 {
- memset(this,0,sizeof(InetAddress));
- switch(sa.sa_family) {
- case AF_INET:
- memcpy(this,&sa,sizeof(struct sockaddr_in));
- break;
- case AF_INET6:
- memcpy(this,&sa,sizeof(struct sockaddr_in6));
- break;
+ if (reinterpret_cast(&sa) != this) {
+ memset(this,0,sizeof(InetAddress));
+ switch(sa.sa_family) {
+ case AF_INET:
+ memcpy(this,&sa,sizeof(struct sockaddr_in));
+ break;
+ case AF_INET6:
+ memcpy(this,&sa,sizeof(struct sockaddr_in6));
+ break;
+ }
 }
 return *this;
 }
@@ -175,14 +189,16 @@ struct InetAddress : public sockaddr_storage
 inline InetAddress &operator=(const struct sockaddr *sa)
 throw()
 {
- memset(this,0,sizeof(InetAddress));
- switch(sa->sa_family) {
- case AF_INET:
- memcpy(this,sa,sizeof(struct sockaddr_in));
- break;
- case AF_INET6:
- memcpy(this,sa,sizeof(struct sockaddr_in6));
- break;
+ if (reinterpret_cast(sa) != this) {
+ memset(this,0,sizeof(InetAddress));
+ switch(sa->sa_family) {
+ case AF_INET:
+ memcpy(this,sa,sizeof(struct sockaddr_in));
+ break;
+ case AF_INET6:
+ memcpy(this,sa,sizeof(struct sockaddr_in6));
+ break;
+ }
 }
 return *this;
 }
diff --git a/node/Node.cpp b/node/Node.cpp
index 84452146..1eb21914 100644
--- a/node/Node.cpp
+++ b/node/Node.cpp
@@ -491,7 +491,7 @@ ZT_ResultCode Node::circuitTestBegin(ZT_CircuitTest *test,void (*reportCallback)
 for(unsigned int a=0;ahops[0].breadth;++a) {
 outp.newInitializationVector();
 outp.setDestination(Address(test->hops[0].addresses[a]));
- RR->sw->send(outp,true,test->credentialNetworkId);
+ RR->sw->send(outp,true,0);
 }
 } catch ( ... ) {
 return ZT_RESULT_FATAL_ERROR_INTERNAL; // probably indicates FIFO too big for packet
-- cgit v1.2.3
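Review bot: In `operator=(const struct sockaddr &sa)` the AF_INET6 branch still copies `sizeof(struct sockaddr_in6)` (28 bytes on Linux) out of an object whose static type is the 16-byte `struct sockaddr`; that is only sound when every caller passes a reference into a real `sockaddr_in6` or `sockaddr_storage`, which this header cannot enforce, so the over-read deserves at least a comment on the overload, e.g. `// sa must live inside storage of at least sizeof(struct sockaddr_in6) bytes (sockaddr_storage)`. The added self-assignment guards are correct — `memcpy` with identical source and destination is undefined, which is presumably what valgrind flagged — but each `reinterpret_cast(...)` appears here without a template argument (expected `<const InetAddress *>`), most likely angle brackets lost to HTML rendering; if the tree really reads this way it does not compile, so worth a glance. The `InetAddress` struct begins before and continues after this hunk.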
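Review bot: `RR->sw->send(outp,true,0)` hard-codes the network ID to 0 where the call previously passed `test->credentialNetworkId`; if that field was being read uninitialised (the commit message only says valgrind issues were fixed), zeroing the argument hides the symptom rather than fixing the initialisation of the test struct, and if the third parameter selects which network's credentials accompany the packet, circuit-test packets now always leave without any. Either way the bare 0 should say what it means, e.g. `RR->sw->send(outp,true,0); // circuit test packets carry no network credentials`, or use a named constant. `a<test->hops[0].breadth` is rendered here as `ahops[0].breadth`, which looks like a stripped `<test->` rather than a real bug, but confirm against the tree. `circuitTestBegin` starts and ends outside this hunk.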