feat: add zerotier extension to Talos #596
Conversation
ht-danielgo
commented
Feb 5, 2025
ht-danielgo
commented
- This builds a Zerotier 1.14.2 (latest as of writing) for use as a Talos extension
- Tested OK on a Talos 1.8.4 host
- Requires a service config that looks like this
|
Just want to pause on this for a bit as I have a better way to deal with the configuration of the ZT credentials that will make configuration much easier, should have it ready end of week |
|
This should be ready to go now, changes:
(I was using v1.9.4 for dev) |
rob-htl
force-pushed
the
main
branch
2 times, most recently
from
46a40d3 to
7a53e2f
Compare
Changes: * Add zerotier-wrapper as extension entrypoint, this wrapper: * handles PID cleanup and creation * works instead of the upstream zerotier symlinks for zerotier-cli and zerotier-idtool * takes configuration from ENV vars ZEROTIER_NETWORK and optionally ZEROTIER_IDENTITY_SECRET * ZEROTIER_NETWORK must be set, this is the ID of the network that zerotier attempts to join after start up (typically a manual process) * If ZEROTIER_IDENTITY_SECRET is optionally set this is written out and used by zerotier to authenticate as the node * If ZEROTIER_IDENTITY_SECRET is not set a new identity is created * logs the various lifecycle steps in a verbose way * Remove unused mounts (zerotier is compiled statically so /lib etc aren't needed) * Removes the aforementioned symlinks for zerotier-cli and zerotier-idtool as they aren't relevant without shell * Adds some usage docs in network/zerotier/README.md * Adds the renovate comment for zerotier version
network/zerotier/pkg.yaml
Outdated
| @@ -0,0 +1,53 @@ | |||
| name: zerotier | |||
| variant: alpine | |||
There was a problem hiding this comment.
any reason alpine is used, should just build fine with our toolchain
There was a problem hiding this comment.
I've updated to use the toolchain, it didn't build for me using the toolchain originally hence alpine but it builds just fine now - so that's great
| } | ||
|
|
||
| // Start zerotier-one process. | ||
| cmd := exec.Command(zerotierBinPath, "-U", zerotierPath) |
There was a problem hiding this comment.
this is making this more complicated, this can be replaced via unix.Exec making all the pid handling not needed
There was a problem hiding this comment.
exec.Command was due to using zerotier-one -q join <network_id> requiring the service to be up. However all "joining" the network entails is creating an empty config file with the network name, so I have done that to join instead and removed exec.Command and all PID handling.
There was a problem hiding this comment.
we can also split this into two services, on that runs once only, and it doesn't run if file already exists
There was a problem hiding this comment.
I don't quite follow, are you suggesting something like the following?
zerotier-setup: create identity, join network etc etczerotier-wrapper: checks that setup has been done andunix.Execzerotier-one
e.g.
container:
entrypoint: /bin/sh
args:
- -c
- |
/usr/local/bin/zerotier-setup && /usr/local/bin/zerotier-wrapper
There was a problem hiding this comment.
we can also split this into two services, on that runs once only, and it doesn't run if file already exists
@frezbo are you able to clarify what you want here please? I'm keen to get it done and resolved
There was a problem hiding this comment.
sorry, I'll try to get back to this by this week or next, don't worry, this will go in 1.10, just finishing other tasks
| @@ -0,0 +1,232 @@ | |||
| package main | |||
There was a problem hiding this comment.
so this basically makes generating the pub key easier?
There was a problem hiding this comment.
Just trying to see if needing the wrapper makes sense if user could provide secret and pub key as extension service config
There was a problem hiding this comment.
In short yes. There has to be a unique identity per node.
The usage guide from Zerotier boils down to:
- Install from Zerotier repos
- (the debian package generates the identity post-install - presumably the others do too as it's not handled by the following commands)
- use
zerotier-cli join <network_id>(i.ezerotier-one -q join <network_id>) - authorize the node at the zerotier end (the most common way to do this is via the web interface but there are other ways to do it programatically)
- the node is connected
The alternative approach (without the wrapper) is for an admin to have zerotier installed on their workstation and each time a new node is added to a Talos cluster generate the identities one by one (zerotier-idtool / zerotier-one -i) and create a MachineConfig per node.
Without identity files in place the Talos node there will be no error, the zerotier service will start and display this output only (which could cause user confusion).
Starting Control Plane...
Starting V6 Control Plane...
This wrapper allows the admin to have one config patch per cluster for the zerotier network id (with a feature to allow the identity to be provided via env per node and be validated), and it provides more robust logging output.
network/zerotier/zerotier.yaml
Outdated
| writeableSysfs: true | ||
| mounts: | ||
| # Zerotier binaries | ||
| - source: /usr/local/lib/containers/zerotier/usr/local/bin |
There was a problem hiding this comment.
let's not do this and just keep binaries in /usr/local/lib/containers/zerotier/usr/local/bin
