
Documentation Should Explain How To Run Nebula As Non-Root User And Still Create TUN/TAP Devices

Open bonedaddy opened this issue 5 years ago • 5 comments

I'm not sure about Windows, however for Unix/Linux it is possible to create TUN/TAP devices on the lighthouse without having to run the lighthouse node as a root user, and I think this is something that should be documented. As it stands right now the available documentation (the example generated config linked in the readme, as well as the release notes for v1.3.) gives the impression that this is not the case.

As long as you grant the service the CAP_NET_ADMIN capability you'll be able to run nebula as a non-root user and still be able to create tunnels, while gaining the security benefits of a rootless service. I've included an example systemd service file below that demonstrates such functionality.

A note on CapabilityBoundingSet and AmbientCapabilities: you may only need CapabilityBoundingSet, however I ran into a problem that required using AmbientCapabilities. More information on the reasoning for this can be seen here.

[Unit]
Description=start nebula daemon
After=network.target

[Service]
CapabilityBoundingSet=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_ADMIN
User=nebula
Group=nebula
Type=simple
LimitNOFILE=65535
ExecStart=nebula -config /etc/nebula/lighthouse.yml
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

bonedaddy avatar Sep 22 '20 20:09 bonedaddy

You additionally need CAP_NET_BIND_SERVICE if you're running Nebula's DNS (on the default :53 port or anywhere beneath port 1024).

twnk avatar Nov 23 '20 13:11 twnk

Any clue how to get rootless mode working on macOS? I can see the server is running, but there's no tunnel/interface created.

rolandjitsu avatar Jun 13 '21 09:06 rolandjitsu

Same issue on macOS

$ /opt/homebrew/opt/nebula/bin/nebula -config /opt/homebrew/etc/nebula/config.yml
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:outgoing endPort:0 groups:[] host:any ip: localIp: proto:0 startPort:0]"
INFO[0000] Firewall rule added                           firewallRule="map[caName: caSha: direction:incoming endPort:0 groups:[] host:any ip: localIp: proto:1 startPort:0]"
INFO[0000] Firewall started                              firewallHash=807243764ac783d089ea5ae93e0ed7fc0a1da4756ca7cb7ae553e128a2b3eb65
ERRO[0000] Failed to get a tun/tap device                error="SYS_CONNECT: operation not permitted"

Showfom avatar May 28 '23 14:05 Showfom

MacOS AFAIK doesn't have the required APIs to allow nebula to run as non-root. ZeroTier (a similar software) suffers a similar problem on MacOS.

DarkArc avatar May 28 '23 15:05 DarkArc

Try adding the permission to the executable; as root, run:

setcap cap_net_admin=+pe /usr/bin/nebula

or wherever you have your nebula bin

aaronhernan avatar Oct 04 '24 21:10 aaronhernan
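Whichever route you take (AmbientCapabilities in the unit file from the first post, the extra CAP_NET_BIND_SERVICE for the DNS listener, or the setcap command above), the thing worth verifying afterwards is the effective capability set of the running nebula process rather than the unit file or the binary. The kernel reports it as a hex bitmask on the CapEff line of /proc/PID/status. The shell functions below are an added example, not code from this thread or from the Nebula project: they decode that mask and report whether CAP_NET_ADMIN (bit 12) and, when DNS is enabled, CAP_NET_BIND_SERVICE (bit 10) are present. The bit numbers are those from linux/capability.h; the status excerpts are constructed sample input so the script runs offline.

```shell
#!/bin/sh
# Decode the CapEff bitmask from /proc/<pid>/status and check for the
# capabilities a rootless Nebula process needs. Bit numbers follow
# <linux/capability.h>. Example code, not part of Nebula.

CAP_NET_BIND_SERVICE=10   # bind to ports below 1024 (Nebula DNS on :53)
CAP_NET_ADMIN=12          # create/configure the tun device

# has_cap MASK BIT -> returns 0 if BIT is set in the hex MASK, 1 otherwise.
# MASK is the bare hex string printed by /proc (a leading 0x is tolerated).
has_cap() {
    mask="${1#0x}"
    bit="$2"
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_eff_from_status STATUS_TEXT -> prints the CapEff hex value found in
# the text of a /proc/<pid>/status file.
cap_eff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# check_nebula_caps MASK [dns] -> prints one verdict per capability and
# returns 0 only if every capability required for that mode is present.
check_nebula_caps() {
    mask="$1"
    mode="${2:-tun}"
    rc=0
    if has_cap "$mask" "$CAP_NET_ADMIN"; then
        echo "CAP_NET_ADMIN: present (tun device can be created)"
    else
        echo "CAP_NET_ADMIN: MISSING (tun creation will be denied)"
        rc=1
    fi
    if [ "$mode" = "dns" ]; then
        if has_cap "$mask" "$CAP_NET_BIND_SERVICE"; then
            echo "CAP_NET_BIND_SERVICE: present (DNS listener can bind :53)"
        else
            echo "CAP_NET_BIND_SERVICE: MISSING (binding below port 1024 will be denied)"
            rc=1
        fi
    fi
    return $rc
}

# Constructed /proc/<pid>/status excerpts (sample input, not captured output).
STATUS_NO_CAPS="Name:   nebula
Uid:    998     998     998     998
CapEff: 0000000000000000"

STATUS_TUN_ONLY="Name:   nebula
Uid:    998     998     998     998
CapEff: 0000000000001000"

STATUS_TUN_AND_DNS="Name:   nebula
Uid:    998     998     998     998
CapEff: 0000000000001400"

# Demo on the constructed samples; a live check would instead read
#   cap_eff_from_status "$(cat /proc/$(pgrep -x nebula)/status)"
for s in "$STATUS_NO_CAPS" "$STATUS_TUN_ONLY" "$STATUS_TUN_AND_DNS"; do
    m=$(cap_eff_from_status "$s")
    echo "== CapEff $m (lighthouse with DNS enabled) =="
    check_nebula_caps "$m" dns || echo "-> not sufficient for rootless operation"
done
```

Reading CapEff of the live process is what distinguishes "the unit file says CAP_NET_ADMIN" from "the process actually holds it": with CapabilityBoundingSet alone the bounding set is narrowed but nothing is added to the effective set, which is the case the first post describes having to fix with AmbientCapabilities.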