Merge branch 'dev' into hello-encryption

# Conflicts:
#	controller/DB.hpp
#	controller/DBMirrorSet.cpp
#	controller/DBMirrorSet.hpp
#	controller/EmbeddedNetworkController.cpp
#	controller/FileDB.cpp
#	controller/FileDB.hpp
#	controller/LFDB.cpp
#	controller/LFDB.hpp
#	controller/PostgreSQL.cpp
#	controller/PostgreSQL.hpp
#	node/C25519.cpp
#	node/C25519.hpp
#	node/Capability.hpp
#	node/CertificateOfMembership.cpp
#	node/CertificateOfMembership.hpp
#	node/CertificateOfOwnership.hpp
#	node/Credential.hpp
#	node/Identity.cpp
#	node/Identity.hpp
#	node/IncomingPacket.cpp
#	node/Metrics.cpp
#	node/Metrics.hpp
#	node/Multicaster.cpp
#	node/Network.cpp
#	node/Node.cpp
#	node/Packet.cpp
#	node/Packet.hpp
#	node/Peer.cpp
#	node/Revocation.hpp
#	node/Switch.cpp
#	node/Tag.hpp
#	node/World.hpp
#	osdep/Http.hpp
#	service/OneService.cpp

ext/central-controller-docker/Dockerfile

@@ -1,11 +1,16 @@
 # Dockerfile for ZeroTier Central Controllers
-FROM registry.zerotier.com/zerotier/ctlbuild:latest as builder
-MAINTAINER Adam Ierymekno <adam.ierymenko@zerotier.com>, Grant Limberg <grant.limberg@zerotier.com>
+FROM registry.zerotier.com/zerotier/ctlbuild:2025-05-13-01 AS builder
 ADD . /ZeroTierOne
 RUN export PATH=$PATH:~/.cargo/bin && cd ZeroTierOne && make clean && make central-controller -j8
 
-FROM registry.zerotier.com/zerotier/ctlrun:latest
+FROM golang:bookworm AS go_base
+RUN go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/migrate@latest
+
+FROM registry.zerotier.com/zerotier/ctlrun:2025-05-13-01
 COPY --from=builder /ZeroTierOne/zerotier-one /usr/local/bin/zerotier-one
+COPY --from=go_base /go/bin/migrate /usr/local/bin/migrate
+COPY ext/central-controller-docker/migrations /migrations
+
 RUN chmod a+x /usr/local/bin/zerotier-one
 RUN echo "/usr/local/lib64" > /etc/ld.so.conf.d/usr-local-lib64.conf && ldconfig
 

ext/central-controller-docker/Dockerfile.builder

@@ -1,8 +1,5 @@
 # Dockerfile for building ZeroTier Central Controllers
-FROM ubuntu:jammy as builder
-MAINTAINER Adam Ierymekno <adam.ierymenko@zerotier.com>, Grant Limberg <grant.limberg@zerotier.com>
-
-ARG git_branch=master
+FROM debian:bookworm
 
 RUN apt update && apt upgrade -y
 RUN apt -y install \

ext/central-controller-docker/Dockerfile.run_base

@@ -1,15 +1,17 @@
-FROM ubuntu:jammy
+FROM debian:bookworm
+
+
 
 RUN apt update && apt upgrade -y
-
 RUN apt -y install \
-    netcat \
+    netcat-traditional \
     postgresql-client \
     postgresql-client-common \
     libjemalloc2 \
     libpq5 \
     curl \
     binutils \
-    linux-tools-gke \
     perf-tools-unstable \
-    google-perftools 
+    google-perftools \
+    gnupg
+

ext/central-controller-docker/main.sh

@@ -1,9 +1,5 @@
 #!/bin/bash
 
-if [ -z "$ZT_IDENTITY_PATH" ]; then
-    echo '*** FAILED: ZT_IDENTITY_PATH environment variable is not defined'
-    exit 1
-fi
 if [ -z "$ZT_DB_HOST" ]; then
     echo '*** FAILED: ZT_DB_HOST environment variable not defined'
     exit 1
@@ -24,6 +20,9 @@ if [ -z "$ZT_DB_PASSWORD" ]; then
     echo '*** FAILED: ZT_DB_PASSWORD environment variable not defined'
     exit 1
 fi
+if [ -z "$ZT_DB_TYPE" ]; then
+    ZT_DB_TYPE="postgres"
+fi
 
 REDIS=""
 if [ "$ZT_USE_REDIS" == "true" ]; then
@@ -56,10 +55,14 @@ fi
 mkdir -p /var/lib/zerotier-one
 
 pushd /var/lib/zerotier-one
-ln -s $ZT_IDENTITY_PATH/identity.public identity.public
-ln -s $ZT_IDENTITY_PATH/identity.secret identity.secret
-if [ -f  "$ZT_IDENTITY_PATH/authtoken.secret" ]; then
-    ln -s $ZT_IDENTITY_PATH/authtoken.secret authtoken.secret
+if [ -d "$ZT_IDENTITY_PATH" ]; then
+    echo '*** Using existing ZT identity from path $ZT_IDENTITY_PATH'
+
+    ln -s $ZT_IDENTITY_PATH/identity.public identity.public
+    ln -s $ZT_IDENTITY_PATH/identity.secret identity.secret
+    if [ -f  "$ZT_IDENTITY_PATH/authtoken.secret" ]; then
+        ln -s $ZT_IDENTITY_PATH/authtoken.secret authtoken.secret
+    fi
 fi
 popd
 
@@ -70,7 +73,7 @@ APP_NAME="controller-$(cat /var/lib/zerotier-one/identity.public | cut -d ':' -f
 
 echo "{
     \"settings\": {
-        \"controllerDbPath\": \"postgres:host=${ZT_DB_HOST} port=${ZT_DB_PORT} dbname=${ZT_DB_NAME} user=${ZT_DB_USER} password=${ZT_DB_PASSWORD} application_name=${APP_NAME} sslmode=prefer sslcert=${DB_CLIENT_CERT} sslkey=${DB_CLIENT_KEY} sslrootcert=${DB_SERVER_CA}\",
+        \"controllerDbPath\": \"${ZT_DB_TYPE}:host=${ZT_DB_HOST} port=${ZT_DB_PORT} dbname=${ZT_DB_NAME} user=${ZT_DB_USER} password=${ZT_DB_PASSWORD} application_name=${APP_NAME} sslmode=prefer sslcert=${DB_CLIENT_CERT} sslkey=${DB_CLIENT_KEY} sslrootcert=${DB_SERVER_CA}\",
         \"portMappingEnabled\": true,
         \"softwareUpdate\": \"disable\",
         \"interfacePrefixBlacklist\": [
@@ -100,6 +103,15 @@ else
     done
 fi
 
+if [ "$ZT_DB_TYPE" == "cv2" ]; then
+    echo "Migrating database (if needed)..."
+    if [ -n "$DB_SERVER_CA" ]; then
+        /usr/local/bin/migrate -source file:///migrations -database "postgres://$ZT_DB_USER:$ZT_DB_PASSWORD@$ZT_DB_HOST:$ZT_DB_PORT/$ZT_DB_NAME?x-migrations-table=controller_migrations&sslmode=verify-full&sslrootcert=$DB_SERVER_CA&sslcert=$DB_CLIENT_CERT&sslkey=$DB_CLIENT_KEY" up  
+    else 
+        /usr/local/bin/migrate -source file:///migrations -database "postgres://$ZT_DB_USER:$ZT_DB_PASSWORD@$ZT_DB_HOST:$ZT_DB_PORT/$ZT_DB_NAME?x-migrations-table=controller_migrations&sslmode=disable" up
+    fi
+fi
+
 if [ -n "$ZT_TEMPORAL_HOST" ] && [ -n "$ZT_TEMPORAL_PORT" ]; then
     echo "waiting for temporal..."
     while ! nc -z ${ZT_TEMPORAL_HOST} ${ZT_TEMPORAL_PORT}; do

ext/central-controller-docker/migrations/0001_init.down.sql

@@ -0,0 +1,3 @@
+DROP TABLE IF EXISTS network_memberships_ctl;
+DROP TABLE IF EXISTS networks_ctl;
+DROP TABLE IF EXISTS controllers_ctl;

ext/central-controller-docker/migrations/0001_init.up.sql

@@ -0,0 +1,47 @@
+-- inits controller db schema
+
+CREATE TABLE IF NOT EXISTS controllers_ctl (
+    id text NOT NULL PRIMARY KEY,
+    hostname text,
+    last_heartbeat timestamp with time zone,
+    public_identity text NOT NULL,
+    version text
+);
+
+CREATE TABLE IF NOT EXISTS networks_ctl (
+    id character varying(22) NOT NULL PRIMARY KEY,
+    name text NOT NULL,
+    configuration jsonb DEFAULT '{}'::jsonb NOT NULL,
+    controller_id text REFERENCES controllers_ctl(id),
+    revision integer DEFAULT 0 NOT NULL,
+    last_modified timestamp with time zone DEFAULT now(),
+    creation_time timestamp with time zone DEFAULT now()
+);
+
+CREATE TABLE IF NOT EXISTS network_memberships_ctl (
+    device_id character varying(22) NOT NULL,
+    network_id character varying(22) NOT NULL REFERENCES networks_ctl(id),
+    authorized boolean,
+    active_bridge boolean,
+    ip_assignments text[],
+    no_auto_assign_ips boolean,
+    sso_exempt boolean,
+    authentication_expiry_time timestamp with time zone,
+    capabilities jsonb,
+    creation_time timestamp with time zone DEFAULT now(),
+    last_modified timestamp with time zone DEFAULT now(),
+    identity text DEFAULT ''::text,
+    last_authorized_credential text,
+    last_authorized_time timestamp with time zone,
+    last_deauthorized_time timestamp with time zone,
+    last_seen jsonb DEFAULT '{}'::jsonb NOT NULL, -- in the context of the network
+    remote_trace_level integer DEFAULT 0 NOT NULL,
+    remote_trace_target text DEFAULT ''::text NOT NULL,
+    revision integer DEFAULT 0 NOT NULL,
+    tags jsonb,
+    version_major integer DEFAULT 0 NOT NULL,
+    version_minor integer DEFAULT 0 NOT NULL,
+    version_revision integer DEFAULT 0 NOT NULL,
+    version_protocol integer DEFAULT 0 NOT NULL,
+    PRIMARY KEY (device_id, network_id)
+);

ext/central-controller-docker/migrations/0002_os_arch.down.sql

@@ -0,0 +1,3 @@
+ALTER TABLE network_memberships_ctl
+    DROP COLUMN os,
+    DROP COLUMN arch;

ext/central-controller-docker/migrations/0002_os_arch.up.sql

@@ -0,0 +1,3 @@
+ALTER TABLE network_memberships_ctl
+    ADD COLUMN os TEXT NOT NULL DEFAULT 'unknown',
+    ADD COLUMN arch TEXT NOT NULL DEFAULT 'unknown';