Refactored for ziti-controller running as ziti

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file. The format
 ###
 # [0.8.12] - 2024-08-07
 - Change ci workflow display name and to trigger on puch to branches other than main.
+- Refactored install.sh, start_ebpf_controller.py and revert_ebpf_controller.py to work with controller not running as root.
 
 ###
 # [0.8.11] - 2024-08-03

files/scripts/revert_ebpf_controller.py

@@ -100,28 +100,28 @@ def iterate_rules(intf):
             print("Malformed or missing json object in /opt/openziti/etc/ebpf_config.json can't revert ufw!")
 
 service = False
-if(os.path.exists('/etc/systemd/system/ziti-controller.service')):
-    unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service")
+if(os.path.exists('/etc/systemd/system/zfw-logging.service')):
+    unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/zfw-logging.service")
     if(not unconfigured):
-        os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/ExecStartPre\=-\/opt\/netfoundry\/ebpf\/objects\/etables \-F \-r/g' /etc/systemd/system/ziti-controller.service")
-        os.system("sed -i 's/#ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/ExecStartPre\=\-\/opt\/netfoundry\/ebpf\/scripts\/tproxy_splicer_startup.sh/g' /etc/systemd/system/ziti-controller.service")
-        test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/ziti-controller.service")
+        test1 = os.system("sed -i '/ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py/d' /etc/systemd/system/zfw-logging.service")
         if(not test1):
             test1 = os.system("systemctl daemon-reload")
             if(not test1):
                 service = True
+                test1 = os.system("systemctl disable zfw-logging.service")
+                test1 = os.system("systemctl disable fw-init.service")
                 os.system("/opt/openziti/bin/zfw -Q")
                 if(os.path.exists("/opt/openziti/etc/ebpf_config.json")):
                     os.remove("/opt/openziti/etc/ebpf_config.json")
                 if(os.path.exists("/opt/openziti/bin/user/user_rules.sh")):
                     os.remove("/opt/openziti/bin/user/user_rules.sh")
-                print("Successfully reverted ziti-controller.service!")
+                print("Successfully reverted ziti-logging.service!")
         else:
-            print("Failed to revert ziti-controller.service!")
+            print("Failed to revert zfw-logging.service!")
     else:
-        print("ziti-controller.service already reverted. Nothing to do!")
+        print("zfw-logging.service already reverted. Nothing to do!")
 else:
-    print("Skipping ziti-controller.service reversal. File does not exist!")
+    print("Skipping zfw-logging.service reversal. File does not exist!")
 
 if service:
     print("config.yml successfully reverted. restarting ziti-controller.service")

files/scripts/start_ebpf_controller.py

@@ -432,7 +432,7 @@ def set_local_rules(ip):
         os.system("/opt/openziti/bin/user/user_rules.sh")
 else:
     print("ebpf already running!");
-    os.system("/usr/sbin/zfw -F -z ingress")
+    os.system("/usr/sbin/zfw -F -r")
     print("Flushed Table")
     for i in internal_list:
         if(not tc_status(i, "ingress")):
@@ -477,17 +477,20 @@ def set_local_rules(ip):
 lanIp = get_if_ip(lanIf)
 if(len(lanIp)):
     set_local_rules(lanIp)
-if(os.path.exists('/etc/systemd/system/ziti-controller.service') and controller):
-    unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/ziti-controller.service")
+if(os.path.exists('/etc/systemd/system/zfw-logging.service') and controller):
+    unconfigured = os.system("grep -r 'ExecStartPre\=\-\/opt/openziti\/bin\/start_ebpf_controller.py' /etc/systemd/system/zfw-logging.service")
     if(unconfigured):
-        test0 = 1
-        test0 = os.system("sed -i 's/User\=ziti/User\=root/g' /etc/systemd/system/ziti-controller.service")
         test1 = 1
-        test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/ziti-controller.service")
-        if((not test0) and (not test1)):
+        test1 = os.system("sed -i '/ExecStart=/i ExecStartPre\=\-\/opt\/openziti\/bin\/start_ebpf_controller.py --lanIf " + lanIf + "' /etc/systemd/system/zfw-logging.service")
+        test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/zfw-logging.service") 
+        test1 = os.system("sed -i 's/ziti-router/ziti-controller/g' /etc/systemd/system/fw-init.service") 
+
+        if(not test1):
             test1 = os.system("systemctl daemon-reload")
             if(not test1):
-                print("Successfully converted ziti-controller.service. Restarting!")
+                print("Successfully converted zfw-logging.service. Restarting!")
+                os.system('systemctl enable zfw-logging.service')
+                os.system('systemctl enable fw-init.service')
                 os.system('systemctl restart ziti-controller.service')
                 if(not os.system('systemctl is-active --quiet ziti-controller.service')):
                     print("ziti-controller.service successfully restarted!")
@@ -496,7 +499,7 @@ def set_local_rules(ip):
         else:
             print("Failed to convert ziti-controller.service!")
     else:
-        print("ziti-controller.service already converted. Nothing to do!")
+        print("zfw-logging.service already converted. Nothing to do!")
 else:
-    print("Skipping ziti-controller.service conversion. File does not exist or is already converted to run ebpf!")
+    print("Skipping zfw-logging.service conversion. File does not exist or is already converted to run ebpf!")
 sys.exit(0)

src/install.sh

@@ -105,6 +105,7 @@ then
    cp  ../files/scripts/user_rules.sh.sample /opt/openziti/bin/user
    cp  ../files/json/ebpf_config.json.sample /opt/openziti/etc
    cp  ../files/services/zfw-logging.service /etc/systemd/system
+   cp ../files/services/fw-init.service /etc/systemd/system
    chmod 744 /opt/openziti/bin/start_ebpf_controller.py
    chmod 744 /opt/openziti/bin/user/user_rules.sh.sample
    chmod 744 /opt/openziti/bin/zfw