
Commit 50edc09

committed
add documentation to wireguard implementation
1 parent 034ec3f commit 50edc09


2 files changed

+79
-12
lines changed


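--- a/pkg/netlight/network.go
+++ b/pkg/netlight/network.go
@@ -53,10 +53,10 @@ var NDMZGwIP = &net.IPNet{
 var NetworkSchemaLatestVersion = semver.MustParse("0.1.0")
 
 type networker struct {
-	ipamLease string
-	networkDir string
-	portSet *set.UIntSet
-	linkDir string
+	ipamLease string
+	networkDir string
+	portSet *set.UIntSet
+	linkDirPath string
 }
 
 var _ localPkg.NetworkerLight = (*networker)(nil)
@@ -69,17 +69,17 @@ func NewNetworker() (localPkg.NetworkerLight, error) {
 
 	ipamLease := filepath.Join(vd, ipamLeaseDir)
 	runtimeDir := filepath.Join(vd, networkDir)
-	linkDir := filepath.Join(runtimeDir, linkDir)
+	linkDirPath := filepath.Join(runtimeDir, linkDir)
 
-	if err := os.MkdirAll(linkDir, 0755); err != nil {
-		return nil, errors.Wrapf(err, "failed to create directory: '%s'", linkDir)
+	if err := os.MkdirAll(linkDirPath, 0755); err != nil {
+		return nil, errors.Wrapf(err, "failed to create directory: '%s'", linkDirPath)
 	}
 
 	n := networker{
-		ipamLease: ipamLease,
-		networkDir: runtimeDir,
-		portSet: set.NewInt(),
-		linkDir: linkDir,
+		ipamLease: ipamLease,
+		networkDir: runtimeDir,
+		portSet: set.NewInt(),
+		linkDirPath: linkDirPath,
 	}
 
 	if err := n.syncWGPorts(); err != nil {
@@ -620,6 +620,14 @@ func (n *networker) releasePort(port uint16) error {
 	return nil
 }
 
+// setupWireguard configures a Wireguard interface for the network resource
+// by checking for existing network configuration and releasing any previously reserved port.
+// reserves the specified Wireguard listen port.
+// checks if wireguard interface already exists in the namespace, if not it creates the interface in the host namespace.
+// If not, it creates a new Wireguard interface in the host namespace and moves it to the network resource
+// and configures the Wireguard interface with the private key, listen port, and peers using
+// This function handles both initial setup and reconfiguration of existing
+// Wireguard interfaces, ensuring proper port management and interface configuration.
 func (n networker) setupWireguard(name string, net zos.NetworkLight, netr *resource.Resource) error {
 	log.Debug().Msg("setting up wireguard")
 
@@ -687,7 +695,7 @@ func (n *networker) storeNetwork(name string, wl gridtypes.WorkloadID, network z
 	if err := enc.Encode(&network); err != nil {
 		return err
 	}
-	link := filepath.Join(n.linkDir, wl.String())
+	link := filepath.Join(n.linkDirPath, wl.String())
 	if err := os.Symlink(filepath.Join("../", name), link); err != nil && !os.IsExist(err) {
 		return errors.Wrap(err, "failed to create network symlink")
 	}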
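Review bot: The doc comment added above setupWireguard in the third hunk does not read as one coherent description: the step of checking for an existing interface and creating it in the host namespace is stated twice in different wording, the third and fourth lines start lowercase mid-sentence, and the line ending in `using` is cut off. The body of setupWireguard lies outside the hunk, so I can only judge the comment against itself, but I would collapse it to a single statement of the steps, e.g. `// setupWireguard configures the Wireguard interface of a network resource: it releases any previously reserved port, reserves the requested listen port, creates the interface in the host namespace and moves it into the resource namespace if it is not already there, then applies the private key, listen port and peers.` Since the signature takes `name`, `net` and `netr`, the comment would also help readers by naming which of them supplies the listen port and peer list. The first two hunks (the `linkDir` to `linkDirPath` rename) are a pure rename and need no further note.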

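--- /dev/null
+++ b/pkg/netlight/resource/README.md
@@ -0,0 +1,59 @@
+# Network Resource Package
+
+## Overview
+
+This package implements network resource management for ZOS Network Light, providing isolated network namespaces for workloads with mycelium and Wireguard connectivity.
+
+## Network Resource
+
+A network resource consists of:
+
+- Network namespace (`n{name}`)
+- Private network bridge (`r{name}`)
+- Mycelium bridge (`m{name}`)
+- Interfaces (public, private, mycelium, wireguard)
+- NFT rules for proper routing and security
+
+## Creation
+
+`Create()` sets up a network resource by:
+
+1. Creating bridges for private network and mycelium
+2. Creating a network namespace
+3. Setting up veth pairs to connect namespace to bridges
+4. Configuring IP addresses and routing
+5. Applying NFT rules
+
+## Wireguard Integration
+
+To create network resource with wireguard user needs should be
+
+- Providing the subnet for the network resource (e.g., 10.1.3.0/24)
+- Defining the overall IP range for the network (e.g., 10.1.0.0/16)
+- Generating and providing the Wireguard private key
+- Selecting an available port for Wireguard to listen on
+- Configuring the list of peers with their public keys and allowed IPs
+
+### Implementation
+
+Wireguard interfaces are added to a network resource through:
+
+1. `WGName()`: Generates the Wireguard interface name (`w-{name}`)
+2. `SetWireguard()`: Creates Wireguard interface in the host namespace and moves it into the network namespace
+3. `ConfigureWG()`: Sets up the Wireguard interface with:
+   - The user-provided private key
+   - The user-selected listen port
+   - Peer configurations (public keys, allowed IPs, endpoints)
+4. `HasWireguard()`: Checks if the Wireguard interface exists in the namespace
+
+The Wireguard interface is created in the host namespace and then moved into the network resource namespace. Once configured with the user-provided private key, listen port, and peer information, it enables secure communication between network resources across different nodes by establishing encrypted tunnels to other network resources on different nodes, creating a secure mesh network.
+
+## Cleanup
+
+`Delete()`
+
+- Destroys mycelium service
+- Removes network namespace
+- Deletes all created bridges
+
+The cleanup process continues even if some steps fail, collecting all errors for proper reporting.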
