Merge remote-tracking branch 'origin/develop' for release 0.1.3

CHANGELOG.md

@@ -1,3 +1,12 @@
+0.1.3
+===============
+
+* Added ability on linux to prevent warden from touching dns configuration when `~/.warden/nodnsconfig` is present.
+* Updated install routine to properly trust CA root on Ubuntu (previously warden install would simply fail)
+* Updated DNS auto-configuration on linux systems to handle systemd-resolved usage.
+* Fixed issue on Ubuntu where dnsmasq container would fail to bind to port 53.
+* Fixed issue where lack of `~/.composer` dir (resulting in creation by docker) can cause permissions error inside containers.
+
 0.1.2
 ===============
 

commands/install.cmd

@@ -23,34 +23,63 @@ if [[ ! -f "${WARDEN_SSL_DIR}/rootca/certs/ca.cert.pem" ]]; then
     -subj "/C=US/O=Warden Proxy Local CA"
 fi
 
-## trust root ca differently on linux-gnu than on macOS
-if [[ "$OSTYPE" == "linux-gnu" ]] && [[ ! -f /etc/pki/ca-trust/source/anchors/warden-proxy-local-ca.cert.pem ]]; then
-  echo "==> Trusting root certificate (requires sudo privileges)"
+## trust root ca differently on Fedora, Ubuntu and macOS
+if [[ "$OSTYPE" == "linux-gnu" ]] \
+  && [[ -d /etc/pki/ca-trust/source/anchors ]] \
+  && [[ ! -f /etc/pki/ca-trust/source/anchors/warden-proxy-local-ca.cert.pem ]] \
+  ## Fedora/CentOS
+then
+  echo "==> Trusting root certificate (requires sudo privileges)"  
   sudo cp "${WARDEN_SSL_DIR}/rootca/certs/ca.cert.pem" /etc/pki/ca-trust/source/anchors/warden-proxy-local-ca.cert.pem
   sudo update-ca-trust
   sudo update-ca-trust enable
-elif [[ "$OSTYPE" == "darwin"* ]] && ! security dump-trust-settings -d | grep 'Warden Proxy Local CA' >/dev/null; then
+elif [[ "$OSTYPE" == "linux-gnu" ]] \
+  && [[ -d /usr/local/share/ca-certificates ]] \
+  && [[ ! -f /usr/local/share/ca-certificates/warden-proxy-local-ca.cert.pem ]] \
+  ## Ubuntu/Debian
+then
+  echo "==> Trusting root certificate (requires sudo privileges)"  
+  sudo cp "${WARDEN_SSL_DIR}/rootca/certs/ca.cert.pem" /usr/local/share/ca-certificates/warden-proxy-local-ca.cert.pem
+  sudo update-ca-certificates
+elif [[ "$OSTYPE" == "darwin"* ]] \
+  && ! security dump-trust-settings -d | grep 'Warden Proxy Local CA' >/dev/null \
+  ## Apple macOS
+then
   echo "==> Trusting root certificate (requires sudo privileges)"
   sudo security add-trusted-cert -d -r trustRoot \
     -k /Library/Keychains/System.keychain "${WARDEN_SSL_DIR}/rootca/certs/ca.cert.pem"
 fi
 
+## sign certificate used by services run on warden.test sub-domains
 if [[ ! -f "${WARDEN_SSL_DIR}/certs/warden.test.crt.pem" ]]; then
   "${WARDEN_DIR}/bin/warden" sign-certificate warden.test
 fi
 
-## configure resolver for .test domains
-if [[ "$OSTYPE" == "linux-gnu" ]]; then
+## configure resolver for .test domains; allow linux machines to prevent warden
+## from touching dns configuration if need be since unlike macOS there is not
+## support for resolving only *.test domains via /etc/resolver/test settings
+if [[ "$OSTYPE" == "linux-gnu" ]] && [[ ! -f "${WARDEN_HOME_DIR}/nodnsconfig" ]]; then
   if systemctl status NetworkManager | grep 'active (running)' >/dev/null \
     && ! grep '^nameserver 127.0.0.1$' /etc/resolv.conf >/dev/null
   then
     echo "==> Configuring resolver for .test domains (requires sudo privileges)"
     if ! sudo grep '^prepend domain-name-servers 127.0.0.1;$' /etc/dhcp/dhclient.conf >/dev/null 2>&1; then
+      echo "  + Configuring dhclient to prepend dns with 127.0.0.1 resolver (requires sudo privileges)"
       DHCLIENT_CONF=$'\n'"$(sudo cat /etc/dhcp/dhclient.conf 2>/dev/null)" || DHCLIENT_CONF=
       DHCLIENT_CONF="prepend domain-name-servers 127.0.0.1;${DHCLIENT_CONF}"
       echo "${DHCLIENT_CONF}" | sudo tee /etc/dhcp/dhclient.conf
       sudo systemctl restart NetworkManager
     fi
+
+    ## When systemd-resolvd is used (as it is on Ubuntu by default) check the resolv config mode
+    if systemctl status systemd-resolved | grep 'active (running)' >/dev/null \
+      && [[ -L /etc/resolv.conf ]] \
+      && [[ "$(readlink /etc/resolv.conf)" != "../run/systemd/resolve/resolv.conf" ]]
+    then
+      echo "  + Configuring systemd-resolved to use dhcp settings (requires sudo privileges)"
+      echo "    by pointing /etc/resolv.conf at resolv.conf vs stub-resolv.conf"
+      sudo ln -fsn ../run/systemd/resolve/resolv.conf /etc/resolv.conf
+    fi
   fi
 elif [[ "$OSTYPE" == "darwin"* ]]; then
   if [[ ! -f /etc/resolver/test ]]; then
@@ -60,6 +89,8 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
     fi
     echo "nameserver 127.0.0.1" | sudo tee /etc/resolver/test >/dev/null
   fi
+elif [[ -f "${WARDEN_HOME_DIR}/nodnsconfig" ]]; then
+  echo -e "\033[33m==> WARNING: The flag '${WARDEN_HOME_DIR}/nodnsconfig' is present; skipping DNS configuration\033[0m"
 else
   echo -e "\033[33m==> WARNING: Use of dnsmasq is not supported on this system; entries in /etc/hosts will be required\033[0m"
 fi
@@ -71,6 +102,12 @@ if [[ ! -f "${WARDEN_HOME_DIR}/tunnel/ssh_key" ]]; then
   ssh-keygen -b 2048 -t rsa -f "${WARDEN_HOME_DIR}/tunnel/ssh_key" -N "" -C "[email protected]"
 fi
 
+## if host machine does not have composer installed, this directory will otherwise be created by docker with root:root
+## causing problems so it's created as current user to avoid composer issues inside environments given it is mounted
+if [[ ! -d ~/.composer ]]; then
+  mkdir ~/.composer
+fi
+
 ## since bind mounts are native on linux to use .pub file as authorized_keys file in tunnel it must have proper perms
 if [[ "$OSTYPE" == "linux-gnu" ]] && [[ "$(stat -c '%U' "${WARDEN_HOME_DIR}/tunnel/ssh_key.pub")" != "root" ]]; then
   sudo chown root:root "${WARDEN_HOME_DIR}/tunnel/ssh_key.pub"

commands/usage.help

@@ -11,7 +11,7 @@ WARDEN_HEADER='
 
 WARDEN_USAGE=$(cat <<EOF
 ${WARDEN_HEADER:1}
-Warden version 0.1.2
+Warden version 0.1.3
 
 \033[33mUsage:\033[0m
   command [options] [arguments]

docker/docker-compose.yml

@@ -36,7 +36,7 @@ services:
     container_name: dnsmasq
     image: jpillora/dnsmasq
     ports:
-      - "53:53/udp"
+      - "127.0.0.1:53:53/udp"
     volumes:
       - ~/.warden/etc/dnsmasq.conf:/etc/dnsmasq.conf
     labels: