diff --git a/README.md b/README.md
index a8d05d8..94bdc1d 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,22 @@ Firewalls can register to the server using [ns-plug](https://github.com/NethServ
 You can install it on [NS8](https://github.com/NethServer/ns8-nethsecurity-controller#install).
 Otherwise, first make sure to have [podman](https://podman.io/) installed on your server.
-Then clone this repository and execute as root:
+Containers should run under non-root users, but first you need to configure the tun device and the user.
+
+As root, execute:
+```
+useradd -m controller
+loginctl enable-linger controller
+
+ip tuntap add dev tunsec mod tun
+ip addr add 172.21.0.1/16 dev tunsec
+ip link set dev tunsec up
 ```
+
+Then change to non-root user, clone this repository and execute:
+```
+su - controller
+
 ./start.sh
 ```
diff --git a/api/entrypoint.sh b/api/entrypoint.sh
index edad962..d6f4785 100755
--- a/api/entrypoint.sh
+++ b/api/entrypoint.sh
@@ -14,4 +14,16 @@ export CREDENTIALS_DIR="${CREDENTIALS_DIR:-/nethsecurity-api/credentials}"
 export PROMTAIL_ADDRESS="${PROMTAIL_ADDRESS:-127.0.0.1}"
 export PROMTAIL_PORT="${PROMTAIL_PORT:-9900}"
-exec "$@"
\ No newline at end of file
+socket=/etc/openvpn/run/mgmt.sock
+limit=60
+while [ ! -e "$socket" ]; do
+ echo "Waiting for $socket to appear ..."
+ sleep 1
+ limit=$((limit - 1))
+ if [ "$limit" -le 0 ]; then
+ echo "Socket not found!"
+ break
+ fi
+done
+
+exec "$@"
diff --git a/build.sh b/build.sh
index 1ad69a9..0a5fb10 100755
--- a/build.sh
+++ b/build.sh
@@ -12,6 +12,7 @@ echo "Installing build dependencies..."
 buildah run ${container} apk add --no-cache openvpn easy-rsa
 echo "Setup image"
+buildah add "${container}" vpn/ip /sbin/ip
 buildah add "${container}" vpn/controller-auth /usr/local/bin/controller-auth
 buildah add "${container}" vpn/handle-connection /usr/local/bin/handle-connection
 buildah add "${container}" vpn/entrypoint.sh /entrypoint.sh
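Review bot: When the 60-iteration wait in api/entrypoint.sh runs out, the loop prints "Socket not found!" and `break`s, but control still falls through to `exec "$@"`, so the service is started without /etc/openvpn/run/mgmt.sock and the only trace of the problem is a line on stdout mixed with the application's own output. If the socket is a hard requirement, replace the `break` with an exit and send the message to stderr: `echo "Socket $socket not found, giving up" >&2` followed by `exit 1`; if starting anyway is deliberate, say so in a comment above the loop and still route the message to stderr. The "Waiting for ..." line in the loop should likewise go to `>&2`. The socket path is the only setting in this file that is hard-coded rather than following the `${VAR:-default}` pattern used by the exports just above it, which is worth aligning if the path can differ between deployments.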
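Review bot: The added `buildah add "${container}" vpn/ip /sbin/ip` in build.sh replaces iproute2's `ip` inside the image with the no-op script from vpn/ip, and nothing in the hunk says so; a reader of build.sh will assume the real binary is still there, and the line sits between ordinary helper copies that look nothing like an override. Presumably this is because the tun device is now created on the host (per the README change) and a rootless container cannot reconfigure it, but that reasoning should be written down where the override happens: `# Shadow /sbin/ip with the no-op stub vpn/ip: the tun device is set up on the host (see README), the rootless container must not reconfigure it`. Be aware that every other `ip` invocation in the image (openvpn's own interface handling, the helper scripts copied on the following lines) now succeeds without doing anything, so a misconfiguration that used to fail loudly is no longer visible; the same gap applies to the new file in the vpn/ip hunk.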
diff --git a/vpn/ip b/vpn/ip
new file mode 100755
index 0000000..296ef78
--- /dev/null
+++ b/vpn/ip
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+true
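Review bot: The new vpn/ip stub exits 0 for every invocation and discards its arguments, so any `ip` call made inside the container appears to succeed whether or not it was expected, and the file itself carries no comment explaining that it intentionally stands in for the real binary. A one-line header and a stderr trace would keep the no-op behaviour visible in the container log without changing its exit status: `# No-op stand-in for iproute2 ip: interface setup happens on the host (see README)` at the top, then `echo "ip stub: ignoring '$*'" >&2` before the final `true`.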