v1.0.0

.github/workflows/ci-build.yml

@@ -29,19 +29,29 @@ jobs:
       - name: setup-node
         uses: actions/setup-node@v4
         with:
-          node-version: 18.x
+          node-version: 20.x
 
       - name: install ui node modules
         shell: bash
         run: npm install
         working-directory: ui
 
-      - name: build node ui
+      - name: build ui
         shell: bash
         run: npm run build
         working-directory: ui
         env:
           CI: "true"
+
+      - name: install agent ui node modules
+        shell: bash
+        run: npm install
+        working-directory: agent/agentUi
+
+      - name: build agent ui
+        shell: bash
+        run: npm run build
+        working-directory: agent/agentUi
 
       - name: go install
         shell: bash

CHANGELOG.md

@@ -1,5 +1,17 @@
 # CHANGELOG
 
+## v1.0.0
+
+MAJOR RELEASE: zrok reaches version 1.0.0!
+
+FEATURE: New "zrok Agent", a background manager process for your zrok environments, which allows you to easily manage and work with multiple `zrok share` and `zrok access` processes. New `--subordinate` flag added to `zrok share [public|private|reserved]` and `zrok access private` to operate in a mode that allows an Agent to manage shares and accesses (https://github.com/openziti/zrok/issues/463)
+
+FEATURE: New "zrok Agent UI" a web-based user interface for the zrok Agent, which allows creating and releasing shares and accesses through a web browser. This is just an initial chunk of the new Agent UI, and is considered a "minimum viable" version of this interface (https://github.com/openziti/zrok/issues/221)
+
+FEATURE: `zrok share [public|private|reserved]` and `zrok access private` now auto-detect if the zrok Agent is running in an environment and will automatically service share and access requests through the Agent, rather than in-process if the Agent is running. If the Agent is not running, operation remains as it was in `v0.4.x` and the share or access is handled in-process. New `--force-agent` and `--force-local` flags exist to skip Agent detection and manually select an operating mode (https://github.com/openziti/zrok/issues/751)
+
+FEATURE `zrok access private` supports a new `--auto` mode, which can automatically find an available open address/port to bind the frontend listener on. Also includes `--auto-address`, `--auto-start-port`, and `--auto-end-port` features with sensible defaults. Supported by both the agent and local operating modes (https://github.com/openziti/zrok/issues/780)
+
 ## v0.4.46
 
 FEATURE: Linux service template for systemd user units (https://github.com/openziti/zrok/pull/818)

agent/access.go

@@ -0,0 +1,30 @@
+package agent
+
+import (
+	"github.com/michaelquigley/pfxlog"
+	"github.com/openziti/zrok/agent/proctree"
+	"github.com/openziti/zrok/cmd/zrok/subordinate"
+)
+
+type access struct {
+	frontendToken   string
+	token           string
+	bindAddress     string
+	autoMode        bool
+	autoAddress     string
+	autoStartPort   uint16
+	autoEndPort     uint16
+	responseHeaders []string
+
+	process *proctree.Child
+	sub     *subordinate.MessageHandler
+
+	agent *Agent
+}
+
+func (a *access) monitor() {
+	if err := proctree.WaitChild(a.process); err != nil {
+		pfxlog.ChannelLogger(a.token).Error(err)
+	}
+	a.agent.rmAccess <- a
+}

agent/accessPrivate.go

@@ -0,0 +1,93 @@
+package agent
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/openziti/zrok/agent/agentGrpc"
+	"github.com/openziti/zrok/agent/proctree"
+	"github.com/openziti/zrok/cmd/zrok/subordinate"
+	"github.com/openziti/zrok/environment"
+	"github.com/sirupsen/logrus"
+	"os"
+)
+
+func (i *agentGrpcImpl) AccessPrivate(_ context.Context, req *agentGrpc.AccessPrivateRequest) (*agentGrpc.AccessPrivateResponse, error) {
+	root, err := environment.LoadRoot()
+	if err != nil {
+		return nil, err
+	}
+
+	if !root.IsEnabled() {
+		return nil, errors.New("unable to load environment; did you 'zrok enable'?")
+	}
+
+	accCmd := []string{os.Args[0], "access", "private", "--subordinate", "-b", req.BindAddress, req.Token}
+	if req.AutoMode {
+		accCmd = append(accCmd, "--auto", "--auto-address", req.AutoAddress, "--auto-start-port", fmt.Sprintf("%v", req.AutoStartPort))
+		accCmd = append(accCmd, "--auto-end-port", fmt.Sprintf("%v", req.AutoEndPort))
+	}
+	logrus.Info(accCmd)
+
+	acc := &access{
+		token:           req.Token,
+		bindAddress:     req.BindAddress,
+		autoMode:        req.AutoMode,
+		autoAddress:     req.AutoAddress,
+		autoStartPort:   uint16(req.AutoStartPort),
+		autoEndPort:     uint16(req.AutoEndPort),
+		responseHeaders: req.ResponseHeaders,
+		sub:             subordinate.NewMessageHandler(),
+		agent:           i.agent,
+	}
+	acc.sub.MessageHandler = func(msg subordinate.Message) {
+		logrus.Info(msg)
+	}
+	var bootErr error
+	acc.sub.BootHandler = func(msgType string, msg subordinate.Message) {
+		switch msgType {
+		case subordinate.BootMessage:
+			if v, found := msg["frontend_token"]; found {
+				if str, ok := v.(string); ok {
+					acc.frontendToken = str
+				}
+			}
+			if v, found := msg["bind_address"]; found {
+				if sr, ok := v.(string); ok {
+					acc.bindAddress = sr
+				}
+			}
+
+		case subordinate.ErrorMessage:
+			if v, found := msg[subordinate.ErrorMessage]; found {
+				if str, ok := v.(string); ok {
+					bootErr = errors.New(str)
+				}
+			}
+		}
+	}
+	acc.sub.MalformedHandler = func(msg subordinate.Message) {
+		logrus.Error(msg)
+	}
+
+	logrus.Infof("executing '%v'", accCmd)
+
+	acc.process, err = proctree.StartChild(acc.sub.Tail, accCmd...)
+	if err != nil {
+		return nil, err
+	}
+
+	<-acc.sub.BootComplete
+
+	if bootErr == nil {
+		go acc.monitor()
+		i.agent.addAccess <- acc
+		return &agentGrpc.AccessPrivateResponse{FrontendToken: acc.frontendToken}, nil
+
+	} else {
+		if err := proctree.WaitChild(acc.process); err != nil {
+			logrus.Errorf("error joining: %v", err)
+		}
+		return nil, fmt.Errorf("unable to start access: %v", bootErr)
+	}
+}

agent/agent.go

@@ -0,0 +1,197 @@
+package agent
+
+import (
+	"context"
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"github.com/openziti/zrok/agent/agentGrpc"
+	"github.com/openziti/zrok/agent/agentUi"
+	"github.com/openziti/zrok/agent/proctree"
+	"github.com/openziti/zrok/environment/env_core"
+	"github.com/openziti/zrok/sdk/golang/sdk"
+	"github.com/openziti/zrok/util"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	"net"
+	"net/http"
+	"os"
+)
+
+type Agent struct {
+	cfg          *AgentConfig
+	httpEndpoint string
+	root         env_core.Root
+	agentSocket  string
+	shares       map[string]*share
+	addShare     chan *share
+	rmShare      chan *share
+	accesses     map[string]*access
+	addAccess    chan *access
+	rmAccess     chan *access
+}
+
+func NewAgent(cfg *AgentConfig, root env_core.Root) (*Agent, error) {
+	if !root.IsEnabled() {
+		return nil, errors.Errorf("unable to load environment; did you 'zrok enable'?")
+	}
+	return &Agent{
+		cfg:       cfg,
+		root:      root,
+		shares:    make(map[string]*share),
+		addShare:  make(chan *share),
+		rmShare:   make(chan *share),
+		accesses:  make(map[string]*access),
+		addAccess: make(chan *access),
+		rmAccess:  make(chan *access),
+	}, nil
+}
+
+func (a *Agent) Run() error {
+	logrus.Infof("started")
+
+	if err := proctree.Init("zrok Agent"); err != nil {
+		return err
+	}
+
+	agentSocket, err := a.root.AgentSocket()
+	if err != nil {
+		return err
+	}
+	l, err := net.Listen("unix", agentSocket)
+	if err != nil {
+		return err
+	}
+	a.agentSocket = agentSocket
+
+	go a.manager()
+	go a.gateway(a.cfg)
+
+	srv := grpc.NewServer()
+	agentGrpc.RegisterAgentServer(srv, &agentGrpcImpl{agent: a})
+	if err := srv.Serve(l); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (a *Agent) Shutdown() {
+	logrus.Infof("stopping")
+
+	if err := os.Remove(a.agentSocket); err != nil {
+		logrus.Warnf("unable to remove agent socket: %v", err)
+	}
+	for _, shr := range a.shares {
+		logrus.Debugf("stopping share '%v'", shr.token)
+		a.rmShare <- shr
+	}
+	for _, acc := range a.accesses {
+		logrus.Debugf("stopping access '%v'", acc.token)
+		a.rmAccess <- acc
+	}
+}
+
+func (a *Agent) Config() *AgentConfig {
+	return a.cfg
+}
+
+func (a *Agent) gateway(cfg *AgentConfig) {
+	logrus.Info("started")
+	defer logrus.Warn("exited")
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	mux := runtime.NewServeMux()
+	opts := []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}
+	endpoint := "unix:" + a.agentSocket
+	logrus.Debugf("endpoint: '%v'", endpoint)
+	if err := agentGrpc.RegisterAgentHandlerFromEndpoint(ctx, mux, "unix:"+a.agentSocket, opts); err != nil {
+		logrus.Fatalf("unable to register gateway: %v", err)
+	}
+
+	listener, err := util.AutoListener("tcp", cfg.ConsoleAddress, cfg.ConsoleStartPort, cfg.ConsoleEndPort)
+	if err != nil {
+		logrus.Fatalf("unable to create a listener: %v", err)
+	}
+	a.httpEndpoint = listener.Addr().String()
+
+	if err := http.Serve(listener, agentUi.Middleware(mux)); err != nil {
+		logrus.Error(err)
+	}
+}
+
+func (a *Agent) manager() {
+	logrus.Info("started")
+	defer logrus.Warn("exited")
+
+	for {
+		select {
+		case inShare := <-a.addShare:
+			logrus.Infof("adding new share '%v'", inShare.token)
+			a.shares[inShare.token] = inShare
+
+		case outShare := <-a.rmShare:
+			if shr, found := a.shares[outShare.token]; found {
+				logrus.Infof("removing share '%v'", shr.token)
+				if err := proctree.StopChild(shr.process); err != nil {
+					logrus.Errorf("error stopping share '%v': %v", shr.token, err)
+				}
+				if err := proctree.WaitChild(shr.process); err != nil {
+					logrus.Errorf("error joining share '%v': %v", shr.token, err)
+				}
+				if !shr.reserved {
+					if err := a.deleteShare(shr.token); err != nil {
+						logrus.Errorf("error deleting share '%v': %v", shr.token, err)
+					}
+				}
+				delete(a.shares, shr.token)
+			} else {
+				logrus.Debug("skipping unidentified (orphaned) share removal")
+			}
+
+		case inAccess := <-a.addAccess:
+			logrus.Infof("adding new access '%v'", inAccess.frontendToken)
+			a.accesses[inAccess.frontendToken] = inAccess
+
+		case outAccess := <-a.rmAccess:
+			if acc, found := a.accesses[outAccess.frontendToken]; found {
+				logrus.Infof("removing access '%v'", acc.frontendToken)
+				if err := proctree.StopChild(acc.process); err != nil {
+					logrus.Errorf("error stopping access '%v': %v", acc.frontendToken, err)
+				}
+				if err := proctree.WaitChild(acc.process); err != nil {
+					logrus.Errorf("error joining access '%v': %v", acc.frontendToken, err)
+				}
+				if err := a.deleteAccess(acc.token, acc.frontendToken); err != nil {
+					logrus.Errorf("error deleting access '%v': %v", acc.frontendToken, err)
+				}
+				delete(a.accesses, acc.frontendToken)
+			} else {
+				logrus.Debug("skipping unidentified (orphaned) access removal")
+			}
+		}
+	}
+}
+
+func (a *Agent) deleteShare(token string) error {
+	logrus.Debugf("deleting share '%v'", token)
+	if err := sdk.DeleteShare(a.root, &sdk.Share{Token: token}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (a *Agent) deleteAccess(token, frontendToken string) error {
+	logrus.Debugf("deleting access '%v'", frontendToken)
+	if err := sdk.DeleteAccess(a.root, &sdk.Access{Token: frontendToken, ShareToken: token}); err != nil {
+		return err
+	}
+	return nil
+}
+
+type agentGrpcImpl struct {
+	agentGrpc.UnimplementedAgentServer
+	agent *Agent
+}