This is an attempt at creating a snap package for the Nebula overlay networking tool.
Current state:
- Nebula binary is running in strict confinement. For this to work you will have to provide:
  - config.yaml in /var/snap/nebula/common/config
  - ca.crt in /var/snap/nebula/common/certs
  - nebula-node.crt and nebula-node.key in /var/snap/nebula/common/certs
- CA creation and certificate signing are working. However, the names of the produced certs are hardcoded to:
  - ca.crt
  - ca.key
  - nebula-node.crt
  - nebula-node.key
- Since created certs are placed in /var/snap/nebula/common/certs the cert-functionality needs sudo permissions. Not optimal perhaps, but necessary.
To bypass the above restrictions the snap can be installed with --devmode, thereby circumventing the sandboxing in place:
sudo snap install --devmode nebula
After placing a config.yaml in /var/snap/nebula/common/config you can either start Nebula manually or use the provided daemon.
See here for instructions on the config file. Also, the Nebula GitHub page is a good resource. An example config.yaml can be found there.
sudo nebula
You can NOT provide a location for the config.yaml file. It is hardcoded to /var/snap/nebula/common/config.
sudo snap restart nebula.daemon
This problem does not, however, occur if the ip of the lighthouse is put into the config file. (See here)
Once the configuration is proven, start the snap proper:
sudo snap start nebula
To check if the daemon started as expected:
sudo snap logs nebula
or using systemd's logging facilities:
sudo journalctl -r -u snap.nebula.daemon.service
sudo nebula.cert-ca -name <ORGANIZATION_NAME>
This will generate ca.crt and ca.key.
Again, paths are hardcoded to /var/snap/nebula/common/certs, so it is NOT possible to change this at the moment.
sudo nebula.cert-sign -name <CLIENT_NAME> -ip <CLIENT_IP_ADDRESS>
This will generate nebula-node.crt and nebula-node.key, placed in /var/snap/nebula/common/certs.
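
A pre-flight check for the hardcoded file layout described above, as an added example that is not part of the snap or of Nebula. The function name check_nebula_snap_files, the owner-only permission policy for private keys, and the note about ca.key are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the files the strictly confined snap expects.
# Load with ". ./check.sh", then run as root: check_nebula_snap_files
# The return status is the number of problems found (0 = ready to start).

check_nebula_snap_files() {
    base="${1:-/var/snap/nebula/common}"   # hardcoded location from the README
    problems=0

    # Files that must exist, using the hardcoded names.
    for f in config/config.yaml certs/ca.crt \
             certs/nebula-node.crt certs/nebula-node.key; do
        if [ ! -f "$base/$f" ]; then
            echo "MISSING: $base/$f"
            problems=$((problems + 1))
        fi
    done

    # Private keys should be accessible by the owner only (assumed policy).
    for k in certs/nebula-node.key certs/ca.key; do
        [ -f "$base/$k" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$base/$k" | cut -c5-10)" != "------" ]; then
            echo "LOOSE PERMISSIONS: $base/$k (consider chmod 600)"
            problems=$((problems + 1))
        fi
    done

    # nebula.cert-ca writes ca.key next to the node files; report it so the
    # operator can decide whether the CA key should remain on this host.
    if [ -f "$base/certs/ca.key" ]; then
        echo "NOTE: CA private key present at $base/certs/ca.key"
    fi

    return "$problems"
}
```

An optional first argument overrides the base directory, which allows the check to be tried against a scratch copy of the layout.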