Merge branch 'dev' into hello-encryption

.github/workflows/build.yml

@@ -1,4 +1,7 @@
-on: [ push ]
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
 
 jobs:
   build_ubuntu:

.github/workflows/validate.yml

@@ -1,4 +1,5 @@
 on:
+  pull_request:
   push:
   workflow_dispatch:
 
@@ -44,7 +45,7 @@ jobs:
         sudo ./.github/workflows/validate-linux.sh
 
     - name: Archive test results
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: ${{github.sha}}-test-results
         path: "*test-results*"

Dockerfile.release

@@ -1,6 +1,6 @@
 # vim: ft=dockerfile
 
-FROM debian:bullseye
+FROM debian:bookworm
 
 ARG VERSION
 
@@ -9,9 +9,9 @@ RUN mkdir -p /usr/share/zerotier && \
     curl -o /usr/share/zerotier/tmp.asc "https://download.zerotier.com/contact%40zerotier.com.gpg" && \
     gpg --no-default-keyring --keyring /usr/share/zerotier/zerotier.gpg --import /usr/share/zerotier/tmp.asc && \
     rm -f /usr/share/zerotier/tmp.asc && \
-    echo "deb [signed-by=/usr/share/zerotier/zerotier.gpg] http://download.zerotier.com/debian/bullseye bullseye main" > /etc/apt/sources.list.d/zerotier.list
+    echo "deb [signed-by=/usr/share/zerotier/zerotier.gpg] http://download.zerotier.com/debian/bookworm bookworm main" > /etc/apt/sources.list.d/zerotier.list
 
-RUN apt-get update -qq && apt-get install zerotier-one=${VERSION} curl iproute2 net-tools iputils-ping openssl libssl1.1 -y
+RUN apt-get update -qq && apt-get install zerotier-one=${VERSION} curl iproute2 net-tools iputils-ping openssl libssl3 -y
 RUN rm -rf /var/lib/zerotier-one
 
 COPY entrypoint.sh.release /entrypoint.sh

README.docker.md

@@ -64,6 +64,7 @@ You can control a few settings including the identity used and the authtoken use
 - `ZEROTIER_API_SECRET`: replaces the `authtoken.secret` before booting and allows you to manage the control socket's authentication key.
 - `ZEROTIER_IDENTITY_PUBLIC`: the `identity.public` file for zerotier-one. Use `zerotier-idtool` to generate one of these for you.
 - `ZEROTIER_IDENTITY_SECRET`: the `identity.secret` file for zerotier-one. Use `zerotier-idtool` to generate one of these for you.
+- `ZEROTIER_LOCAL_CONF`: Sets the the `local.conf` file content for zerotier-one
 
 ### Tips
 

RELEASE-NOTES.md

@@ -1,6 +1,13 @@
 ZeroTier Release Notes
 ======
 
+# 2024-10-23 -- Version 1.14.2
+
+  * Fix for missing entitlement on macOS Sequoia.
+  * Fix for a problem correctly parsing local.conf to enable low bandwidth mode.
+  * Increment versions of some dependent libraries.
+  * Other fixes.
+
 # 2024-09-12 -- Version 1.14.1
 
   * Multithreaded packet I/O support! Currently this is just for Linux and must

controller/EmbeddedNetworkController.cpp

@@ -1548,7 +1548,8 @@ void EmbeddedNetworkController::_request(
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
-				authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str());
+				authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str()); 
+				authInfo.add(ZT_AUTHINFO_DICT_KEY_SSO_PROVIDER, info.ssoProvider.c_str());
 				_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 			}
 			DB::cleanMember(member);

debian/changelog

@@ -1,3 +1,9 @@
+zerotier-one (1.14.2) unstable; urgency=medium
+
+  * See RELEASE-NOTES.md for release notes.
+
+ -- Adam Ierymenko <adam.ierymenko@zerotier.com>  Wed, 23 Oct 2024 01:00:00 -0700
+
 zerotier-one (1.14.1) unstable; urgency=medium
 
   * See RELEASE-NOTES.md for release notes.

entrypoint.sh.release

@@ -9,15 +9,16 @@ mkztfile() {
   file=$1
   mode=$2
   content=$3
-
+  echo "creating $file"
   mkdir -p /var/lib/zerotier-one
-  echo "$content" > "/var/lib/zerotier-one/$file"
+  echo -n "$content" > "/var/lib/zerotier-one/$file"
   chmod "$mode" "/var/lib/zerotier-one/$file"
 }
 
 if [ "x$ZEROTIER_API_SECRET" != "x" ]
 then
   mkztfile authtoken.secret 0600 "$ZEROTIER_API_SECRET"
+  mkztfile metricstoken.secret 0600 "$ZEROTIER_API_SECRET"
 fi
 
 if [ "x$ZEROTIER_IDENTITY_PUBLIC" != "x" ]
@@ -30,6 +31,11 @@ then
   mkztfile identity.secret 0600 "$ZEROTIER_IDENTITY_SECRET"
 fi
 
+if [ "x$ZEROTIER_LOCAL_CONF" != "x" ]
+then
+  mkztfile local.conf 0644 "$ZEROTIER_LOCAL_CONF"
+fi
+
 mkztfile zerotier-one.port 0600 "9993"
 
 killzerotier() {

ext/installfiles/mac/ZeroTier One.pkgproj

@@ -701,7 +701,7 @@
 				<key>USE_HFS+_COMPRESSION</key>
 				<false/>
 				<key>VERSION</key>
-				<string>1.14.1</string>
+				<string>1.14.2</string>
 			</dict>
 			<key>TYPE</key>
 			<integer>0</integer>

ext/installfiles/windows/ZeroTier One.aip

@@ -24,10 +24,10 @@
     <ROW Property="AiFeatIcoZeroTierOne" Value="ZeroTierIcon.exe" Type="8"/>
     <ROW Property="MSIFASTINSTALL" MultiBuildValue="DefaultBuild:2"/>
     <ROW Property="Manufacturer" Value="ZeroTier, Inc."/>
-    <ROW Property="ProductCode" Value="1033:{EC58088A-4E0F-4BD5-B0B2-FD81C803EEC4} " Type="16"/>
+    <ROW Property="ProductCode" Value="1033:{0143A36C-46C6-458D-AB9B-C8843E089323} " Type="16"/>
     <ROW Property="ProductLanguage" Value="1033"/>
     <ROW Property="ProductName" Value="ZeroTier One"/>
-    <ROW Property="ProductVersion" Value="1.14.0" Options="32"/>
+    <ROW Property="ProductVersion" Value="1.14.2" Options="32"/>
     <ROW Property="REBOOT" MultiBuildValue="DefaultBuild:ReallySuppress"/>
     <ROW Property="SecureCustomProperties" Value="OLDPRODUCTS;AI_NEWERPRODUCTFOUND;AI_SETUPEXEPATH;SETUPEXEDIR"/>
     <ROW Property="UpgradeCode" Value="{B0E2A5F3-88B6-4E77-B922-CB4739B4C4C8}"/>
@@ -62,7 +62,7 @@
     <ROW Directory="regid.201001.com.zerotier_Dir" Directory_Parent="CommonAppDataFolder" DefaultDir="REGID2~1.ZER|regid.2010-01.com.zerotier" DirectoryOptions="12"/>
   </COMPONENT>
   <COMPONENT cid="caphyon.advinst.msicomp.MsiCompsComponent">
-    <ROW Component="AI_CustomARPName" ComponentId="{8BC01817-02AC-4C44-A84C-0727BC5B6E22}" Directory_="APPDIR" Attributes="4" KeyPath="DisplayName" Options="1"/>
+    <ROW Component="AI_CustomARPName" ComponentId="{DFE7A60C-C2B9-41F6-9171-8955BA30E556}" Directory_="APPDIR" Attributes="4" KeyPath="DisplayName" Options="1"/>
     <ROW Component="AI_DisableModify" ComponentId="{46FFA8C5-A0CB-4E05-9AD3-911D543DE8CA}" Directory_="APPDIR" Attributes="4" KeyPath="NoModify" Options="1"/>
     <ROW Component="AI_ExePath" ComponentId="{8E02B36C-7A19-429B-A93E-77A9261AC918}" Directory_="APPDIR" Attributes="4" KeyPath="AI_ExePath"/>
     <ROW Component="APPDIR" ComponentId="{4DD7907D-D7FE-4CD6-B1A0-B5C1625F5133}" Directory_="APPDIR" Attributes="0"/>
@@ -498,7 +498,7 @@
     <ROW XmlAttribute="xsischemaLocation" XmlElement="swidsoftware_identification_tag" Name="xsi:schemaLocation" Flags="14" Order="3" Value="http://standards.iso.org/iso/19770/-2/2008/schema.xsd software_identification_tag.xsd"/>
   </COMPONENT>
   <COMPONENT cid="caphyon.advinst.msicomp.XmlElementComponent">
-    <ROW XmlElement="swidbuild" ParentElement="swidnumeric" Name="swid:build" Condition="1" Order="2" Flags="14" Text="0" UpdateIndexInParent="0"/>
+    <ROW XmlElement="swidbuild" ParentElement="swidnumeric" Name="swid:build" Condition="1" Order="2" Flags="14" Text="2" UpdateIndexInParent="0"/>
     <ROW XmlElement="swidentitlement_required_indicator" ParentElement="swidsoftware_identification_tag" Name="swid:entitlement_required_indicator" Condition="1" Order="0" Flags="14" Text="false" UpdateIndexInParent="0"/>
     <ROW XmlElement="swidmajor" ParentElement="swidnumeric" Name="swid:major" Condition="1" Order="0" Flags="14" Text="1" UpdateIndexInParent="0"/>
     <ROW XmlElement="swidminor" ParentElement="swidnumeric" Name="swid:minor" Condition="1" Order="1" Flags="14" Text="14" UpdateIndexInParent="0"/>

ext/prometheus-cpp-lite-1.0/core/include/prometheus/client_metric.h

@@ -8,6 +8,7 @@
 namespace prometheus {
 
   // структура, в которую копируются значения метрик перед их сериализацией
+  
   struct ClientMetric {
 
     // Label

include/ZeroTierOne.h

@@ -84,7 +84,7 @@ extern "C" {
 /**
  * Minimum UDP payload size allowed
  */
-#define ZT_MIN_PHYSMTU 1400
+#define ZT_MIN_PHYSMTU 510
 
 /**
  * Maximum physical interface name length. This number is gigantic because of Windows.

make-mac.mk

@@ -194,6 +194,9 @@ controller-run: _buildx FORCE
 central-controller-docker: _buildx FORCE
 	docker buildx build --platform linux/arm64,linux/amd64 --no-cache -t registry.zerotier.com/zerotier-central/ztcentral-controller:${TIMESTAMP} -f ext/central-controller-docker/Dockerfile --build-arg git_branch=$(shell git name-rev --name-only HEAD) . --push
 	@echo Image: registry.zerotier.com/zerotier-central/ztcentral-controller:${TIMESTAMP}
+
+docker-release:	_buildx
+	docker buildx build --platform linux/386,linux/amd64,linux/arm/v7,linux/arm64,linux/mips64le,linux/ppc64le,linux/s390x -t zerotier/zerotier:${RELEASE_DOCKER_TAG} -t zerotier/zerotier:latest --build-arg VERSION=${RELEASE_VERSION} -f Dockerfile.release . --push
 	
 clean:
 	rm -rf MacEthernetTapAgent *.dSYM build-* *.a *.pkg *.dmg *.o node/*.o controller/*.o service/*.o osdep/*.o ext/http-parser/*.o $(CORE_OBJS) $(ONE_OBJS) zerotier-one zerotier-idtool zerotier-selftest zerotier-cli zerotier doc/node_modules zt1_update_$(ZT_BUILD_PLATFORM)_$(ZT_BUILD_ARCHITECTURE)_* rustybits/target/

objects.mk

@@ -30,7 +30,8 @@ CORE_OBJS=\
 	node/Trace.o \
 	node/Utils.o \
 	node/Bond.o \
-	node/PacketMultiplexer.o
+	node/PacketMultiplexer.o \
+	osdep/OSUtils.o
 
 ONE_OBJS=\
 	controller/EmbeddedNetworkController.o \
@@ -42,7 +43,6 @@ ONE_OBJS=\
 	osdep/EthernetTap.o \
 	osdep/ManagedRoute.o \
 	osdep/Http.o \
-	osdep/OSUtils.o \
 	service/SoftwareUpdater.o \
 	service/OneService.o
 

osdep/BSDEthernetTap.cpp

@@ -436,75 +436,82 @@ void BSDEthernetTap::setMtu(unsigned int mtu)
 
 void BSDEthernetTap::threadMain() throw()
 {
-    // Wait for a moment after startup -- wait for Network to finish
+	// Wait for a moment after startup -- wait for Network to finish
-    // constructing itself.
+	// constructing itself.
-    Thread::sleep(500);
+	Thread::sleep(500);
 
-    for (unsigned int i = 0; i < _concurrency; ++i) {
+#ifndef __OpenBSD__
-        _rxThreads.push_back(std::thread([this, i, _pinning] {
+	bool pinning = _pinning;
-            if (_pinning) {
-                int pinCore = i % _concurrency;
-                fprintf(stderr, "Pinning thread %d to core %d\n", i, pinCore);
-                pthread_t self = pthread_self();
-                cpu_set_t cpuset;
-                CPU_ZERO(&cpuset);
-                CPU_SET(pinCore, &cpuset);
-                // int rc = sched_setaffinity(self, sizeof(cpu_set_t), &cpuset);
-                int rc = pthread_setaffinity_np(self, sizeof(cpu_set_t), &cpuset);
-                if (rc != 0) {
-                    fprintf(stderr, "Failed to pin thread %d to core %d: %s\n", i, pinCore, strerror(errno));
-                    exit(1);
-                }
-            }
 
-            uint8_t b[ZT_TAP_BUF_SIZE];
+	for (unsigned int i = 0; i < _concurrency; ++i) {
-            MAC to, from;
+		_rxThreads.push_back(std::thread([this, i, pinning] {
-            fd_set readfds, nullfds;
-            int n, nfds, r;
 
-            FD_ZERO(&readfds);
+			if (pinning) {
-            FD_ZERO(&nullfds);
+				int pinCore = i % _concurrency;
-            nfds = (int)std::max(_shutdownSignalPipe[0], _fd) + 1;
+				fprintf(stderr, "Pinning thread %d to core %d\n", i, pinCore);
+				pthread_t self = pthread_self();
+				cpu_set_t cpuset;
+				CPU_ZERO(&cpuset);
+				CPU_SET(pinCore, &cpuset);
+				//int rc = sched_setaffinity(self, sizeof(cpu_set_t), &cpuset);
+				int rc = pthread_setaffinity_np(self, sizeof(cpu_set_t), &cpuset);
+				if (rc != 0)
+				{
+					fprintf(stderr, "Failed to pin thread %d to core %d: %s\n", i, pinCore, strerror(errno));
+					exit(1);
+				}
+			}
+#endif // __OpenBSD__
 
-            r = 0;
+			uint8_t b[ZT_TAP_BUF_SIZE];
+			MAC to, from;
+			fd_set readfds, nullfds;
+			int n, nfds, r;
 
-            for (;;) {
+			FD_ZERO(&readfds);
-                FD_SET(_shutdownSignalPipe[0], &readfds);
+			FD_ZERO(&nullfds);
-                FD_SET(_fd, &readfds);
+			nfds = (int)std::max(_shutdownSignalPipe[0],_fd) + 1;
-                select(nfds, &readfds, &nullfds, &nullfds, (struct timeval*)0);
 
-                if (FD_ISSET(_shutdownSignalPipe[0], &readfds))   // writes to shutdown pipe terminate thread
+			r = 0;
-                    break;
 
-                if (FD_ISSET(_fd, &readfds)) {
+			for(;;) {
-                    n = (int)::read(_fd, b + r, sizeof(b) - r);
+				FD_SET(_shutdownSignalPipe[0],&readfds);
-                    if (n < 0) {
+				FD_SET(_fd,&readfds);
-                        if ((errno != EINTR) && (errno != ETIMEDOUT))
+				select(nfds,&readfds,&nullfds,&nullfds,(struct timeval *)0);
-                            break;
-                    }
-                    else {
-                        // Some tap drivers like to send the ethernet frame and the
-                        // payload in two chunks, so handle that by accumulating
-                        // data until we have at least a frame.
-                        r += n;
-                        if (r > 14) {
-                            if (r > ((int)_mtu + 14))   // sanity check for weird TAP behavior on some platforms
-                                r = _mtu + 14;
 
-                            if (_enabled) {
+				if (FD_ISSET(_shutdownSignalPipe[0],&readfds)) // writes to shutdown pipe terminate thread
-                                to.setTo(b, 6);
+					break;
-                                from.setTo(b + 6, 6);
-                                unsigned int etherType = ntohs(((const uint16_t*)b)[6]);
-                                _handler(_arg, (void*)0, _nwid, from, to, etherType, 0, (const void*)(b + 14), r - 14);
-                            }
 
-                            r = 0;
+				if (FD_ISSET(_fd,&readfds)) {
-                        }
+					n = (int)::read(_fd,b + r,sizeof(b) - r);
-                    }
+					if (n < 0) {
-                }
+						if ((errno != EINTR)&&(errno != ETIMEDOUT))
-            }
+							break;
-        }));
+					} else {
-    }
+						// Some tap drivers like to send the ethernet frame and the
+						// payload in two chunks, so handle that by accumulating
+						// data until we have at least a frame.
+						r += n;
+						if (r > 14) {
+							if (r > ((int)_mtu + 14)) // sanity check for weird TAP behavior on some platforms
+								r = _mtu + 14;
+
+							if (_enabled) {
+								to.setTo(b,6);
+								from.setTo(b + 6,6);
+								unsigned int etherType = ntohs(((const uint16_t *)b)[6]);
+								_handler(_arg,(void *)0,_nwid,from,to,etherType,0,(const void *)(b + 14),r - 14);
+							}
+
+							r = 0;
+						}
+					}
+				}
+			}
+#ifndef __OpenBSD__
+		}));
+	}
+#endif // __OpenBSD__
 }
 
 }   // namespace ZeroTier

osdep/EthernetTap.cpp

@@ -132,8 +132,8 @@ std::shared_ptr<EthernetTap> EthernetTap::newInstance(
 #endif   // __NetBSD__
 
 #ifdef __OpenBSD__
-    return std::shared_ptr<EthernetTap>(new BSDEthernetTap(homePath, mac, mtu, metric, nwid, friendlyName, handler, arg));
+	return std::shared_ptr<EthernetTap>(new BSDEthernetTap(homePath,concurrency,pinning,mac,mtu,metric,nwid,friendlyName,handler,arg));
-#endif   // __OpenBSD__
+#endif // __OpenBSD__
 
 #endif   // ZT_SDK?
 

rustybits/smeeclient/Cargo.toml

@@ -13,7 +13,7 @@ serde = { version = "1", features = ["derive"] }
 temporal-sdk = { git = "https://github.com/temporalio/sdk-core", branch = "master" }
 temporal-client = { git = "https://github.com/temporalio/sdk-core", branch = "master", features = ["telemetry"] }
 temporal-sdk-core-protos = { git = "https://github.com/temporalio/sdk-core", branch = "master" }
-tokio = { version = "1.29", features = ["full"] }
+tokio = { version = "1.43", features = ["full"] }
 url = { version = "2" }
 uuid = { version = "1.4", features = ["v4"] }
 

rustybits/smeeclient/src/lib.rs

@@ -16,7 +16,10 @@ use serde::{Deserialize, Serialize};
 use std::str::FromStr;
 use std::time::Duration;
 use temporal_client::{Client, ClientOptionsBuilder, RetryClient, WorkflowClientTrait, WorkflowOptions};
-use temporal_sdk_core_protos::{coresdk::AsJsonPayloadExt, temporal::api::enums::v1::WorkflowIdReusePolicy};
+use temporal_sdk_core_protos::{
+    coresdk::AsJsonPayloadExt,
+    temporal::api::enums::v1::{WorkflowIdConflictPolicy, WorkflowIdReusePolicy},
+};
 use url::Url;
 use uuid::Uuid;
 
@@ -72,6 +75,7 @@ impl SmeeClient {
         println!("notifying network joined");
         let options = WorkflowOptions {
             id_reuse_policy: WorkflowIdReusePolicy::RejectDuplicate,
+            id_conflict_policy: WorkflowIdConflictPolicy::Fail,
             execution_timeout: None,
             run_timeout: None,
             task_timeout: None,

version.h

@@ -27,7 +27,7 @@
 /**
  * Revision
  */
-#define ZEROTIER_ONE_VERSION_REVISION 0
+#define ZEROTIER_ONE_VERSION_REVISION 2
 
 /**
  * Build version

zerotier-one.spec

@@ -1,5 +1,5 @@
 Name:           zerotier-one
-Version:        1.15.0
+Version:        1.14.2
 Release:        1%{?dist}
 Summary:        ZeroTier network virtualization service
 
@@ -155,6 +155,9 @@ chmod 0755 $RPM_BUILD_ROOT/etc/init.d/zerotier-one
 %endif
 
 %changelog
+* Wed Oct 23 2024 Adam Ierymenko <adam.ierymenko@zerotier.com> - 1.14.2
+- see https://github.com/zerotier/ZeroTierOne for release notes
+
 * Tue Mar 19 2024 Adam Ierymenko <adam.ierymenko@zerotier.com> - 1.14.0
 - see https://github.com/zerotier/ZeroTierOne for release notes