
Release 0.0.5-rc1 (Alpha)

⚠️ ALPHA RELEASE ⚠️ All 0.0.x releases are considered alpha. Future 0.0.x releases will likely contain backwards incompatible changes which may require resetting your network. Expect bugs and missing features.

About This Release

Isle 0.0.5 is one of those iceberg releases where there are very few changes visible from the outside, yet lots and lots of work underneath. While the headline feature, CA certificate renewal, seems quite boring, it required the development of a number of new subsystems to see it through. Those subsystems, including the real-time message exchange, lay the foundation for other features in the future, and so have been designed and implemented with a lot of care.

This release is backwards compatible with 0.0.4; you can safely upgrade without any migration steps or downtime.

Downloads

Windows

Download (Intel 64-bit)

Linux (Debian)

Download (Intel 64-bit)

Download (Intel 32-bit)

Download (ARM 64-bit)

Download (ARM 32-bit)

Linux (Pacman)

Download (Intel 64-bit)

Download (Intel 32-bit)

Download (ARM 64-bit)

Download (ARM 32-bit)

Linux (Other)

Download (Intel 64-bit)

Download (Intel 32-bit)

Download (ARM 64-bit)

Download (ARM 32-bit)

Miscellaneous

These links provide files which aren't necessary for installation, but which some may find useful.

Checksums for all files in this release

GPG signature of the checksum file

Release Notes

All documentation related to the following changes has been updated accordingly in the Isle repo.

Isle development repo

CA Certificate Renewal

It's hard to believe, but it's been nearly two years since the first (and possibly only) Isle network was created, which means it's nearly time for our embedded CA certificate to expire. Without taking some kind of action this would result in all hosts in the network immediately becoming unconnectable, and the network would have to be created from scratch.

Rather than implementing a one-off fix just for us, a general solution was developed instead. Isle will now automatically detect when CA certificates are nearing expiry, coordinate with other hosts that have the current CA private key to generate a new CA ahead of time, and ensure new host certificates are signed and distributed to all hosts in the network. All hosts which are online during that 1-month window at least once will receive all updated credentials automatically. If they miss this window a new bootstrap can be easily generated for them later.

With CA certificate renewal in place we now have a framework ready for upgrading CA credentials in the future. When such a time comes that we want to add new features or change CA credentials in some fundamental way, we can simply do it. This is, in fact, something which is being planned; ideally we'd move over to a system based on actual TLS certificates, and derive VPN certificates from that. This will allow for more flexibility in certificate-based authentication across the network generally.
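The overlap that makes a renewal like this safe can be shown with ordinary X.509 certificates. The following Go program is an added example, not Isle's code: Isle's current VPN certificates are not TLS certificates, and the helper names (`needsRenewal`, `issue`, `trusted`), the 30-day value for the window and the idea that peers trust both CAs during the window are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo helper: abort on setup errors
	if err != nil {
		panic(err)
	}
	return v
}

func needsRenewal(ca *x509.Certificate, now time.Time, window time.Duration) bool { // within window of expiry?
	return !now.Before(ca.NotAfter.Add(-window))
}

// issue signs a certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, from, to time.Time, parent *x509.Certificate, pKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		tpl.KeyUsage, parent, pKey = x509.KeyUsageCertSign, tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, pKey))
	return must(x509.ParseCertificate(der)), key
}

// trusted reports whether host chains to any CA in bundle at time t.
func trusted(host *x509.Certificate, t time.Time, bundle ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range bundle {
		pool.AddCert(ca)
	}
	_, err := host.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t})
	return err == nil
}

func main() { // constructed CA with 20 days of validity left
	ca, _ := issue("old-ca", time.Now().AddDate(-2, 0, 20), time.Now().AddDate(0, 0, 20), nil, nil)
	fmt.Println("renewal due:", needsRenewal(ca, time.Now(), 30*24*time.Hour))
}
```

Calling `trusted` with a time after the old CA's expiry shows the case of a host that missed the window: its old certificate no longer verifies even against a bundle holding both CAs, so it needs fresh credentials.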

Message Exchange

To implement CA certificate renewal it was necessary that the hosts holding the current CA certificate be able to elect a leader to generate the next one. Thus we require some kind of real-time communication mechanism between hosts. Such a real-time messaging layer will be useful for many other features in the future, e.g. allowing hosts to query other hosts for information, to perform tasks, or even for real-time chat. So, as usual, a general-purpose foundation was built first, and CA certificate renewal was built on that.

The foundation which was built is a fairly simple integration of the NATS message exchange.

NATS: a simple, secure and high performance open source data layer for cloud native applications, IoT messaging, and microservices architectures

The basic use-case for NATS is as a gossip-based publish-subscribe service, which is what is used for CA certificate renewal. All hosts which provide either a public IP (lighthouse) or a storage allocation will automatically run a NATS message exchange server in the background, and all message exchange servers will gossip with each other to form a cluster. Message exchange can be explicitly enabled or disabled via the new `message_exchange` section in the `daemon.yml` configuration file.

Firewall Management

One of the pain points of providing resources like public IPs or storage allocations to a network was the need to configure your host's firewall accordingly. This required a deeper knowledge of computer networking than the target Isle user is expected to have, and so Isle now does firewall management automatically. All supported platforms will automatically allow incoming connections on Isle's IP ranges; Isle's built-in firewall will continue to handle traffic management as before, so this merely removes a redundancy. Hosts which provide a public IP to the network will have their chosen port opened automatically as well.

Automatic firewall management on Windows targets the built-in Windows firewall. On Linux, Isle will automatically figure out whether iptables, nftables, or nftables+firewalld is in use and configure it accordingly. This covers the vast majority of Linux distributions.

If you have a more unusual firewall situation then you will still need to configure it manually as before. Automatic firewall management can be disabled in the `daemon.yml` configuration file.

Health Reporting

Isle puts the maximum amount of effort into providing a hands-off experience for the user, but nevertheless human intervention is sometimes required. For these cases the `isle status` sub-command has been introduced.

When action on the user's part is required, `isle status` will output a summary of what is wrong and potential solutions to the problem. Status items are very intentionally designed to only surface issues with specific actionable solutions; the user will never be told "this background task failed, check the logs", but rather "The DNS server failed to create a listener on port 53, ensure that no other processes are listening on the port".

Minimal user intervention remains the highest priority for Isle, but `isle status` will act as a safety valve where that goal is not attainable.

Other Minor Improvements

Bug Fixes