Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/nebula: add CAP_NET_BIND_SERVICE when lighthouse node serves DNS #353665

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

nixos/nebula: add CAP_NET_BIND_SERVICE when lighthouse node serves DNS #353665

wants to merge 2 commits into from
+52 −8

Conversation

siriobalmelli
Copy link
Contributor

Serving DNS fails in the absence of CAP_NET_BIND_SERVICE.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 4, 2024
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Nov 5, 2024
@siriobalmelli siriobalmelli force-pushed the sb/nebula-dns branch 2 times, most recently from 4fdd4f0 to 51d1018 Compare November 5, 2024 17:03
@siriobalmelli siriobalmelli marked this pull request as draft November 5, 2024 17:04
@siriobalmelli siriobalmelli marked this pull request as ready for review November 6, 2024 06:54
@siriobalmelli
Copy link
Contributor Author

@numinit I would appreciate your review on this 🙏

numinit
numinit suggested changes Nov 17, 2024
View reviewed changes
nixos/modules/services/networking/nebula.nix Outdated
@@ -210,6 +210,11 @@ in
''
settings
);
capabilities = concatStringsSep " " ([
"CAP_NET_ADMIN"
] ++ (optionals (settings.lighthouse.serve_dns or false) [
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This condition should probably be:

let
  nebulaPort = settings.listen.port;
  dnsPort = if (settings.lighthouse.serve_dns or false) then settings.lighthouse.dns.port or -1 else -1;
in nebulaPort > 0 && nebulaPort < 1024 || dnsPort > 0 && dnsPort < 1024;

Do you mind adding services.nebula.networks.<name>.dns.{enable,port,host} as well? The port should likely default to 5353 so we don't need the extra capability.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably should still have this condition. If any port is < 1024 and > 0 we need CAP_NET_ADMIN.

@numinit
Copy link
Contributor

numinit commented Nov 17, 2024

May be worth updating the NixOS test too.

@siriobalmelli siriobalmelli marked this pull request as draft November 19, 2024 11:00
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Dec 10, 2024
@siriobalmelli siriobalmelli force-pushed the sb/nebula-dns branch 3 times, most recently from 2ceb113 to f77e832 Compare December 21, 2024 23:32
@numinit
Copy link
Contributor

numinit commented Dec 21, 2024

Hey, thanks for taking this btw! Let me know if you need any help getting it across the finish line.

@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Dec 22, 2024
@siriobalmelli siriobalmelli marked this pull request as ready for review January 6, 2025 09:55
@siriobalmelli
Copy link
Contributor Author

Thanks :)

Got it done and working well on my own nebula network.

A bit stumped about how to extend the tests to cover this however, any help there is appreciated.

@siriobalmelli siriobalmelli force-pushed the sb/nebula-dns branch 2 times, most recently from 73d2f99 to d09287b Compare January 13, 2025 07:10
numinit
numinit suggested changes Jan 13, 2025
View reviewed changes
nixos/modules/services/networking/nebula.nix Outdated
@@ -231,6 +249,10 @@ in
''
settings
);
capabilities = lib.concatStringsSep " " (
(lib.optional (!settings.tun.disabled) "CAP_NET_ADMIN")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can get rid of the parens around (lib.optional ..) - ++ is higher precedence than the function call.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, TIL

nixos/modules/services/networking/nebula.nix Outdated

lighthouse.dns.port = lib.mkOption {
type = lib.types.nullOr lib.types.port;
default = 53;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe default this to something like 5353

@numinit
Copy link
Contributor

numinit commented Jan 13, 2025

For the tests, maybe make a dig query to the other hosts in the network that we test. It's mostly optional though.

@siriobalmelli siriobalmelli marked this pull request as draft January 13, 2025 08:58
@siriobalmelli siriobalmelli force-pushed the sb/nebula-dns branch 9 times, most recently from 74887ed to 34707a9 Compare January 13, 2025 12:53
@siriobalmelli siriobalmelli requested a review from numinit January 13, 2025 12:53
@siriobalmelli siriobalmelli marked this pull request as ready for review January 13, 2025 12:53
@siriobalmelli siriobalmelli force-pushed the sb/nebula-dns branch 4 times, most recently from 53fe558 to b20eef9 Compare January 13, 2025 15:16
@siriobalmelli
nixos/nebula: add DNS options
ab0f68e 
Add the options:

- lighthouse.serve_dns
- lighthouse.dns.host
- lighthouse.dns.port

Improve systemd capabilities handling:

- do not give CAP_NET_ADMIN when tunnel interface is disabled
- give CAP_NET_BIND_SERVICE when DNS is enabled

Add self as maintainer: I'm using Nebula on NixOS in prod.

Signed-off-by: Sirio Balmelli <[email protected]>
@siriobalmelli
nixos/nebula: add DNS tests
6f28fe6 
Signed-off-by: Sirio Balmelli <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@numinit numinit Awaiting requested review from numinit

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@siriobalmelli @numinit @wegank