From 9dd1deabcfc394bd378379818dc65f7954e832f5 Mon Sep 17 00:00:00 2001
From: Leonardo Mosciatti
Date: Sat, 20 May 2023 19:27:18 +0200
Subject: [PATCH] Added development section, removed systemd socket, typos
---
 README.md | 32 +++++++++++++++++++++++++++-----
 entities.go | 3 +--
 init/dwgd.service | 4 ++--
 init/dwgd.socket | 8 --------
 log.go | 6 +++---
 rootless.go | 4 ++--
 6 files changed, 35 insertions(+), 22 deletions(-)
 delete mode 100644 init/dwgd.socket
diff --git a/README.md b/README.md
index d6a04eb..6f2186b 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,11 @@
 # dwgd: Docker WireGuard Driver
-**dwgd** is a Docker plugin that let your containers connect to a WireGuard server.
+**dwgd** is a Docker plugin that let your containers connect to a WireGuard network.
 This is achieved by [moving a WireGuard network interface](https://www.wireguard.com/netns/) from `dwgd` running namespace into the designated container namespace.
 **Credits**: this is a rewrite of the proof of concept presented in [this great article](https://www.bestov.io/blog/using-wireguard-as-the-network-for-a-docker-container).
-## Example
+## Usage
 Generate the public key given your seed and the IP address that your container will have:
 ```
@@ -58,7 +58,7 @@ rtt min/avg/max/mdev = 8.343/8.990/9.976/0.708 ms
 So far it has been tested in a Linux machine with Ubuntu 20.04, but I guess it could work on any reasonably recent Linux system that respects the dependencies.
-After cloning the repository you can build the binary and optionally install the systemd units.
+After cloning the repository you can build the binary and optionally install the systemd unit.
 ```
 $ go build -o /usr/bin/dwgd ./cmd/dwgd.go
 $ chmod +x /usr/bin/dwgd
@@ -71,6 +71,28 @@ You need to have WireGuard installed on your system and the `iproute2` package:
 You will also need the `nsenter` binary if you want `dwgd` to work with docker rootless.
-## Limitations
+## Development
 
-Currently `dwgd` sets the WireGuard interface as the default route, in the future this issue will be addressed.
\ No newline at end of file
+You can develop on your own machine by compiling `dwgd`, creating a WireGuard network and starting `dwgd`:
+
+```sh
+go build ./cmd/dwgd.go
+# create server keys
+SERVER_PRIVATE_KEY=$(wg genkey)
+SERVER_PUBLIC_KEY=$(echo $SERVER_PRIVATE_KEY | wg pubkey)
+# create new dwgd0 wireguard interface
+sudo ip link add dwgd0 type wireguard
+echo $SERVER_PRIVATE_KEY | sudo wg set dwgd0 private-key /dev/fd/0 listen-port 51820
+sudo ip address add 10.0.0.1/24 dev dwgd0
+# bring interface up
+sudo ip link set up dev dwgd0
+# generate your container's public key with a specific seed
+CLIENT_PUBLIC_KEY=$(./dwgd pubkey -i 10.0.0.2 -s supersecretseed)
+sudo wg set dwgd0 peer $CLIENT_PUBLIC_KEY allowed-ips 10.0.0.2/32
+# run dwgd driver
+sudo ./dwgd -v &
+# create docker network with the previously set server public key and seed
+docker network create --driver=dwgd -o dwgd.endpoint=localhost:51820 -o dwgd.seed=supersecretseed -o dwgd.pubkey=$SERVER_PUBLIC_KEY --subnet="10.0.0.0/24" --gateway=10.0.0.1 dwgd-net
+# run your container
+docker run -it --rm --network=dwgd-net --ip=10.0.0.2 busybox
+```
\ No newline at end of file
diff --git a/entities.go b/entities.go
index ca35a0d..b8ea5c6 100644
--- a/entities.go
+++ b/entities.go
@@ -24,8 +24,7 @@ func (n *Network) PeerConfig() wgtypes.PeerConfig {
 	keepalive := 25 * time.Second
 	_, ipnet, _ := net.ParseCIDR("0.0.0.0/0")
 
-	allowedIPs := make([]net.IPNet, 1)
-	allowedIPs[0] = *ipnet
+	allowedIPs := []net.IPNet{*ipnet}
 
 	return wgtypes.PeerConfig{
 		Endpoint: n.endpoint,
diff --git a/init/dwgd.service b/init/dwgd.service
index 3bc79f4..e14d3d1 100644
--- a/init/dwgd.service
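Review bot: The peer's allowed IPs are still the hard-coded `0.0.0.0/0` parsed on the context line just above the change, so every IPv4 destination is routed to this single peer and no IPv6 range is covered at all; the commit deletes the README's "Limitations" note about dwgd taking the default route, but nothing in this hunk changes that behaviour, so whether the limitation is actually gone cannot be confirmed from here. The discarded error on `net.ParseCIDR` is fine for a constant input, but a short comment keeps the `_` from reading as a swallowed error: `_, ipnet, _ := net.ParseCIDR("0.0.0.0/0") // constant input, cannot fail`. PeerConfig begins before this hunk and continues after it.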
+++ b/init/dwgd.service
@@ -1,8 +1,8 @@
 [Unit]
 Description=dwgd
 Before=docker.service
-After=network.target dwgd.socket
-Requires=dwgd.socket docker.service
+After=network.target
+Requires=docker.service
 
 [Service]
 ExecStart=/usr/bin/dwgd -d /var/lib/dwgd.db
diff --git a/init/dwgd.socket b/init/dwgd.socket
deleted file mode 100644
index 149acb2..0000000
--- a/init/dwgd.socket
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=dwgd
-
-[Socket]
-ListenStream=/run/docker/plugins/dwgd.sock
-
-[Install]
-WantedBy=sockets.target
diff --git a/log.go b/log.go
index 23240b5..ba91281 100644
--- a/log.go
+++ b/log.go
@@ -6,15 +6,15 @@ import (
 	"os"
 )
 
-// used for everything that can be considered a "result"
+// Used for everything that can be considered a "result"
 // and should be printed to standard output
 var EventsLog = log.New(os.Stdout, "", log.Lmsgprefix)
 
-// used for messages that can give the user a context of
+// Used for messages that can give the user a context of
 // what the software is doing
 var DiagnosticsLog = log.New(os.Stderr, "", log.LstdFlags|log.LUTC)
 
-// used for very detailed messages, should not be used
+// Used for very detailed messages, should not be used
 // in a production environment.
 // Disabled by default.
 var TraceLog = log.New(&EmptyWriter{}, "", log.LstdFlags|log.LUTC)
diff --git a/rootless.go b/rootless.go
index a93feba..fc62cc8 100644
--- a/rootless.go
+++ b/rootless.go
@@ -51,7 +51,7 @@ func moveToRootlessNamespaceIfNecessary(sandboxKey string, ifname string) error
 	return nil
 }
 
-// returns (pid, socket path, errror)
+// returns (pid, socket path, error)
 func generateSockSymlinkFromDockerPidFile(dockerPidFileFullPath string) (int, string, error) {
 	data, err := os.ReadFile(dockerPidFileFullPath)
 	if err != nil {
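Review bot: With dwgd.socket removed, the new `After=network.target` / `Requires=docker.service` pair no longer guarantees that the plugin socket exists when docker starts: `Before=docker.service` only orders the spawn of `ExecStart=/usr/bin/dwgd -d /var/lib/dwgd.db` ahead of docker, and with the default service type (the `[Service]` section shown sets no `Type=`) systemd treats dwgd as started the moment the process forks, not once it is listening. If docker probes the plugin socket early, that is a startup race that the socket unit previously closed; either have dwgd signal readiness (`Type=notify` plus an sd_notify call after the listener is bound) or add a comment in the unit stating that docker's lazy plugin lookup is what is being relied on. Independently, `Requires=docker.service` combined with `Before=docker.service` ties dwgd's lifetime to docker while forcing it to start first, which is an unusual pairing; `Wants=docker.service` may express the intent with fewer stop/start surprises, though I cannot verify the intended coupling from this hunk.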
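Review bot: The re-cased comments on `EventsLog`, `DiagnosticsLog` and `TraceLog` still do not begin with the identifier they document, which is what godoc and linters such as staticcheck expect for exported names; since the commit already touches these lines, `// EventsLog is used for everything that can be considered a "result"` (and likewise `// DiagnosticsLog is used for messages that can give the user a context of` and `// TraceLog is used for very detailed messages, should not be used`) would turn them into proper doc comments. The same point applies to the typo fix in rootless.go, where `// generateSockSymlinkFromDockerPidFile returns the docker pid, the socket path and an error` reads as a doc comment while `// returns (pid, socket path, error)` does not; that function's body continues past its hunk.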
@@ -127,7 +127,7 @@ func (r *RootlessSymlinker) handleEvent(ev gonotify.InotifyEvent) {
 func (r *RootlessSymlinker) Start() error {
 	// We create a context to handle inotify's lifecyle.
 	// When the symlinker is stopped we want to stop
-	// cleanly also the inotofy instance.
+	// cleanly also the inotify instance.
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()