README
¶
Network Resource Package
Overview
This package implements network resource management for ZOS Network Light, providing isolated network namespaces for workloads with mycelium and Wireguard connectivity.
Network Resource
A network resource consists of:
- Network namespace (
n{name}) - Private network bridge (
r{name}) - Mycelium bridge (
m{name}) - Interfaces (public, private, mycelium, wireguard)
- NFT rules for proper routing and security
Creation
Create() sets up a network resource by:
- Creating bridges for private network and mycelium
- Creating a network namespace
- Setting up veth pairs to connect namespace to bridges
- Configuring IP addresses and routing
- Applying NFT rules
Wireguard Integration
To create network resource with wireguard user needs should be
- Providing the subnet for the network resource (e.g., 10.1.3.0/24)
- Defining the overall IP range for the network (e.g., 10.1.0.0/16)
- Generating and providing the Wireguard private key
- Selecting an available port for Wireguard to listen on
- Configuring the list of peers with their public keys and allowed IPs
Implementation
Wireguard interfaces are added to a network resource through:
WGName(): Generates the Wireguard interface name (w-{name})SetWireguard(): Creates Wireguard interface in the host namespace and moves it into the network namespaceConfigureWG(): Sets up the Wireguard interface with:- The user-provided private key
- The user-selected listen port
- Peer configurations (public keys, allowed IPs, endpoints)
HasWireguard(): Checks if the Wireguard interface exists in the namespace
The Wireguard interface is created in the host namespace and then moved into the network resource namespace. Once configured with the user-provided private key, listen port, and peer information, it enables secure communication between network resources across different nodes by establishing encrypted tunnels to other network resources on different nodes, creating a secure mesh network.
Cleanup
Delete()
- Destroys mycelium service
- Removes network namespace
- Deletes all created bridges
The cleanup process continues even if some steps fail, collecting all errors for proper reporting.
Documentation
¶
Index ¶
- Constants
- func Delete(name string) error
- func SetupMycelium(netNS ns.NetNS, mycelium string, seed []byte) error
- type MyceliumInspection
- type Resource
- func (r *Resource) AttachMycelium(id string, seed []byte) (device localPkg.TapDevice, err error)
- func (r *Resource) AttachMyceliumZDB(id string, zdbNS ns.NetNS) (err error)
- func (r *Resource) AttachPrivate(id string, vmIp net.IP) (device localPkg.TapDevice, err error)
- func (r *Resource) ConfigureWG(privateKey string) error
- func (r *Resource) HasWireguard() (bool, error)
- func (r *Resource) Namespace() (string, error)
- func (r *Resource) Seed() (seed []byte, err error)
- func (r *Resource) SetWireguard(wg *wireguard.Wireguard) error
- func (r *Resource) WGName() (string, error)
Constants ¶
const ( MyceliumSeedDir = "/tmp/network/mycelium" HostMyceliumBr = "br-hmy" )
Variables ¶
This section is empty.
Functions ¶
Types ¶
type MyceliumInspection ¶
type MyceliumInspection struct {
PublicKey string `json:"publicKey"`
Address net.IP `json:"address"`
}
func InspectMycelium ¶
func InspectMycelium(seed []byte) (inspection MyceliumInspection, err error)
func (*MyceliumInspection) Gateway ¶
func (m *MyceliumInspection) Gateway() (gw net.IPNet, err error)
Gateway derive the gateway IP from the mycelium IP in the /64 range.
func (*MyceliumInspection) IP ¶
func (m *MyceliumInspection) IP() net.IP
IP return the address in the 400::/7 subnet allocated by mycelium
type Resource ¶
type Resource struct {
// contains filtered or unexported fields
}
func Create ¶
func Create(name string, master *netlink.Bridge, ndmzIP *net.IPNet, ndmzGwIP *net.IPNet, privateNet *net.IPNet, nr zos.NetworkLight) (*Resource, error)
Create creates a network resource (please check docs) name: is the name of the network resource. The Create function is idempotent which means if the same name is used the function will not recreate the resource. master: Normally the br-ndmz bridge, this is the resource "way out" to the public internet. A `public` interface is created and wired to the master bridge ndmzIP: the IP assigned to the `public` interface. ndmzGwIP: the gw Ip for the resource. Normally this is the ip assigned to the master bridge. privateNet: optional private network range seed: mycelium seed
func (*Resource) AttachMycelium ¶
func (*Resource) AttachMyceliumZDB ¶
func (*Resource) AttachPrivate ¶
func (*Resource) ConfigureWG ¶ added in v0.1.9
ConfigureWG sets the routes and IP addresses on the wireguard interface of the network resources
func (*Resource) HasWireguard ¶ added in v0.1.9
HasWireguard checks if network resource has wireguard setup up
func (*Resource) Namespace ¶ added in v0.1.9
Namespace returns the name of the network namespace to create for the network resource
func (*Resource) SetWireguard ¶ added in v0.1.9
SetWireguard sets wireguard of this network resource
Source Files
Directories