re6stnet: commits up to cfb2c159823f538472135f08682b8e5d89858a35
Feed: https://lab.node.vifib.com/Nicolas/re6stnet/-/commits/cfb2c159823f538472135f08682b8e5d89858a35
Updated: 2015-04-03T18:21:04+02:00

commit cfb2c159823f538472135f08682b8e5d89858a35
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-04-03T18:21:04+02:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/cfb2c159823f538472135f08682b8e5d89858a35

    demo: duplicate code from Nemu for future monkey-patching

commit 16f87a3008735324c1c46996f9cdb7afa5f305a8
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-04-03T18:16:09+02:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/16f87a3008735324c1c46996f9cdb7afa5f305a8

    Stop specifying a rxcost for old nodes since there's none left with the new p...

commit bec6b3cf2c530c3d45e9023e99f43ed85a6c80be
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-27T19:23:40+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/bec6b3cf2c530c3d45e9023e99f43ed85a6c80be

    re6st-conf: generate private key compatible with the network

commit f7d04fc4fb26bc62d3b5c2a2cb2ebb209347857c
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-07T18:54:51+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/f7d04fc4fb26bc62d3b5c2a2cb2ebb209347857c

    By default, get DH parameters from the registry instead of requiring each nod...

    Generating them takes a lot of time and there's no reason to do this by default.
    We keep the --dh option in 're6stnet' to not break existing configuration.

commit 8ebdd500ede1ec25d36307bd8c8300f44e6c9cb6
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-07T18:54:51+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/8ebdd500ede1ec25d36307bd8c8300f44e6c9cb6

    Certificate revocation, with broadcast of CRL

commit f73c51ec7dbd77c8fa526eb471f2452e0fc11dac
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-07T18:54:50+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/f73c51ec7dbd77c8fa526eb471f2452e0fc11dac

    Move runtime files to a subdirectory and simplify command-line options

    We consider using sockets to communicate with OpenVPN, via the --management option.

commit 1257f36c4a4d1a420a6259afdaa8c07141c55dc9
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-06T19:45:10+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/1257f36c4a4d1a420a6259afdaa8c07141c55dc9

    Some network options should be the same everywhere so move them to the registry

commit ef5401a443a141a06b6f032d5f7fab68efa99b74
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-06T19:45:05+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/ef5401a443a141a06b6f032d5f7fab68efa99b74

    Add a way to define network parameters in the registry and propagate them eff...

commit aba0e94d0a34f4d8ed7954b61b11ceb979587ff3
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-06T19:42:52+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/aba0e94d0a34f4d8ed7954b61b11ceb979587ff3

    Network parameters will also be cached so rename a few things

    db.py -> cache.py
    PeerDB -> Cache
    peers.db -> cache.db

commit acc0568a96c988dea040fc3125f87a0108d4c51c
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-06T19:42:52+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/acc0568a96c988dea040fc3125f87a0108d4c51c

    Generate certificates with 2 serials for future needs (crl & ipv4)

    And automatic renewal of existing certificates.

commit 37943a2684bb2cee8964c3a49e44bcb45230e029
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-06T19:42:52+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/37943a2684bb2cee8964c3a49e44bcb45230e029

    Remove type specifier on config.value column

    For the registry at least, we'll want to store integers
    without having to convert to/from strings.

    To upgrade 'registry.db':
    - dump it to a file
    - fix create table statements
    - load it

    Nodes will restart with an empty cache.

commit 648e677431dc48e76c74dffd79f8e02ae2fcfb08
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-03-06T19:42:52+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/648e677431dc48e76c74dffd79f8e02ae2fcfb08

    Forget peers whose certificate expires

commit a7a863412521848082d9d96ccfe9da6cf1178f70
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-25T20:56:00+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/a7a863412521848082d9d96ccfe9da6cf1178f70

    New protocol between nodes with authentication

commit 32ebb80ba7b08052b68a042118399f31ed6b746e
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-24T19:31:20+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/32ebb80ba7b08052b68a042118399f31ed6b746e

    re6st-conf: new --fingerprint option

commit b2040ea0c15467cd27bc45c5e9bc01f3275d7096
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-24T19:31:20+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/b2040ea0c15467cd27bc45c5e9bc01f3275d7096

    Make --client & --client-count=0 modes process UDP/326 messages

    These modes are partly unified with the normal one by splitting TunnelManager.

commit 9717eb0e3fe29a68424a03d0ee4e8dc0fdd0d680
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-24T19:31:20+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/9717eb0e3fe29a68424a03d0ee4e8dc0fdd0d680

    re6stnet: verify certificate with CA at startup

commit 7977404ac7502121d55ea58235857199efe7836e
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-24T19:31:20+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/7977404ac7502121d55ea58235857199efe7836e

    refactoring: move crypto code to a new file

commit 5be3cc90e5dea5fe823b6e4c5f945e79a05be5d9
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-24T19:30:59+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/5be3cc90e5dea5fe823b6e4c5f945e79a05be5d9

    Update TODO

commit d4beb9c7da911e36d87b4c6fdef0189b3a92b888
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-19T11:21:08+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/d4beb9c7da911e36d87b4c6fdef0189b3a92b888

    demo: abort quickly if there's an obvious error

commit e803749b2dc7cfb0bf99dfca6c5778c2a26ba11d
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-19T11:21:04+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/e803749b2dc7cfb0bf99dfca6c5778c2a26ba11d

    demo: generate certs that expire quickly to check renewal

commit 0234d059ddef5520ac9d0b324fc3d1e11e26fd34
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-19T11:12:05+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/0234d059ddef5520ac9d0b324fc3d1e11e26fd34

    demo: add wrapper to easily monkey-patch re6st

    Also:
    - use '/usr/bin/env python' to easily use a Python interpreter different from
      /usr/bin/python
    - demo must be run by root, so set "dont_write_bytecode" to avoid having *.pyc files
      owned by root in the working copy

commit 51cfbec774265663313f782fa5c7d124584bb717
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-19T11:02:12+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/51cfbec774265663313f782fa5c7d124584bb717

    demo: print executed command when re6stnet crashes

    It is then easier to restart it manually.

commit 3ada47f8aaa86e84a1596e4a6d5da67f6fbfa441
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-13T14:39:09+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/3ada47f8aaa86e84a1596e4a6d5da67f6fbfa441

    registry: increase/fix timeouts for requests done by getBootstrapPeer/topolog...

commit 58204ee82d9b14033c6bf9e06881c894f11a0e92
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-02T20:30:34+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/58204ee82d9b14033c6bf9e06881c894f11a0e92

    Limit number of client tunnels if NAT is not configured properly

    If too many nodes create client tunnels without serving any, working servers
    saturate and the network collapses.

commit 3a9e668c08d826284b2bbd5b66067182c5407d6c
Author: Julien Muchembled <jm@nexedi.com>
Date:   2015-02-02T18:19:23+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/3a9e668c08d826284b2bbd5b66067182c5407d6c

    UPnP: randomize external port

    Some routers are so broken that UPnP NAT doesn't report ConflictInMappingEntry
    when redirecting the same port several times.
    Here is for example what we had with a Numericable Box (France):

    0 (1024, 'TCP', ('192.168.0.29', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0)
    1 (1024, 'TCP', ('192.168.0.16', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0)
    2 (1024, 'TCP', ('192.168.0.33', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0)
    3 (1024, 'TCP', ('192.168.0.20', 1194), 're6stnet openvpn server (1194/tcp)', '1', '', 0)
    ('192.168.0.29', 1194, 're6stnet openvpn server (1194/tcp)', True, 0)

    Obviously, this can't work.
    It seems that this router also accepts a limited number of NAT rules, far fewer
    than we'd like, so even if there's still a probability of conflict with this
    commit, it will be good enough for our use.

commit e3c424942dda646d4a2b43eefbb30185b99c813c
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-30T16:26:03+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/e3c424942dda646d4a2b43eefbb30185b99c813c

    logging: higher severity for UDP errors other than ENETUNREACH

    ENETUNREACH is the only error I've ever seen since the beginning of the project.

commit 4536d8eb83ee2e2bb93e88f158fe0ebea3629fd8
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-30T16:26:03+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/4536d8eb83ee2e2bb93e88f158fe0ebea3629fd8

    Reread routing table when an established tunnel breaks

    The main reason is to speed up recovery from a temporary network cut:
    - by not wasting time trying remaining distant peers that were collected during
      the last read of the routing table.
    - by not blacklisting good peers, which would happen if too many of them were
      retried before the network is back

commit 4ea3e7be0ebec59dfa016fabbfc3c29c9644f67f
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-30T16:26:03+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/4ea3e7be0ebec59dfa016fabbfc3c29c9644f67f

    Do not send TERM signal to a process that has already been waited on

commit f3a69c984ad4e5efa10fd497aaf1d6b1c22c2875
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-30T16:26:03+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/f3a69c984ad4e5efa10fd497aaf1d6b1c22c2875

    Rotate babeld log

commit 780bfbe39738be9eb6d5677f0047d321264e12d9
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-26T14:24:57+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/780bfbe39738be9eb6d5677f0047d321264e12d9

    Faster recovery of registry node (e.g. restart or temporary network cut)

commit f68cdf510707057090869a6c7c5309cb33504338
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-26T14:24:57+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/f68cdf510707057090869a6c7c5309cb33504338

    When logging that a tunnel broke, format prefix in CN format (base10/len10) i...

    For consistency with other log messages.

commit cb3c62d31df17a5045dd00ff86ef0bbd177b2616
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-26T14:24:57+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/cb3c62d31df17a5045dd00ff86ef0bbd177b2616

    Log when the destruction of a tunnel is aborted

commit 7c350eb069a6d13a1ff68ca3f54b8b51591dea06
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-18T18:01:24+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/7c350eb069a6d13a1ff68ca3f54b8b51591dea06

    Do not hardcode executable path in re6st-registry.service

    To be consistent with re6stnet.service

commit 3dc25c00361cd88b83190ec021f62a9b35a5c239
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-18T17:31:49+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/3dc25c00361cd88b83190ec021f62a9b35a5c239

    Add 2 new experimental commands: re6st-cn & re6st-geo

commit ee745d9b5cc374bff4d266fc83b07a6e8e93e10d
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-18T15:12:12+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/ee745d9b5cc374bff4d266fc83b07a6e8e93e10d

    On exit, stop babeld first to give a chance to send wildcard retractions

commit d7bcf391a25b83c907b47edd497ff323f22b1035
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-18T15:00:27+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/d7bcf391a25b83c907b47edd497ff323f22b1035

    Send User-Agent header when querying the registry

commit 7487cd46fa8c14131e761f5a5424c828c3b2b367
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-17T17:35:01+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/7487cd46fa8c14131e761f5a5424c828c3b2b367

    registry: increase grace period when cleaning old certs

commit 7cdf00d7acd26d5f43fb5acb9eb4362ae0ccd82c
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-17T17:22:01+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/7cdf00d7acd26d5f43fb5acb9eb4362ae0ccd82c

    registry: fix security of some RPC when serving behind proxy

commit 3b5d03e460b34e854fbadef060c6fc02615b1a7f
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-12-17T17:22:01+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/3b5d03e460b34e854fbadef060c6fc02615b1a7f

    registry: document that workaround is only useful for old Python

commit 254dd5cdf616cff517b6e338c10baa188bed7f42
Author: Julien Muchembled <jm@nexedi.com>
Date:   2014-11-14T16:04:06+01:00
URL:    https://lab.node.vifib.com/Nicolas/re6stnet/-/commit/254dd5cdf616cff517b6e338c10baa188bed7f42

    Fix creation of tunnel ignoring routing table updates until all peers are tried