- Allow to use SSL certificates to secure unix sockets communications.
- Allow to use abstract users sockets for server and nodes.
Go gRPC doesn't seem to understand unix socket addresses that start
with "unix-abstract:", and python gRPC doesn't seem to understand
"unix:@" addresses.
Therefore, on the server (python gRPC) we use the format "unix:@" to
specify the address where the server will listen on, and rewrite it to
"unix-abstract:" before starting the server.
Note about certs and abstract unix sockets:
When creating the SSL certificates, you'll have to specify the
address of the unix socket as the Common Name of the certificates:
  Address: "unix:@my-abstract-socket"
  Common Name: @my-abstract-socket
Allow to cypher channel communications with certificates.
There are 3 authentication types: simple, tls-simple and tls-mutual.
- 'simple' won't cypher communications.
- 'tls-simple' uses a server key and certificate for the server, and a
common CA certificate or the server certificate to authenticate all
nodes.
- 'tls-mutual' uses a server key and certificate for the server, and a
client key and certificate per node.
There are 2 options to verify how gRPC validates credentials:
- SkipVerify: https://pkg.go.dev/crypto/tls#Config
- ClientAuthType: https://pkg.go.dev/crypto/tls#ClientAuthType
Example configuration:
  "Server": {
    "Address": "127.0.0.1:12345",
    "Authentication": {
      "Type": "tls-simple",
      "TLSOptions": {
        "CACert": "/etc/opensnitchd/auth/ca-cert.pem",
        "ServerCert": "/etc/opensnitchd/auth/server-cert.pem",
        "ClientCert": "/etc/opensnitchd/auth/client-cert.pem",
        "ClientKey": "/etc/opensnitchd/auth/client-key.pem",
        "SkipVerify": false,
        "ClientAuthType": "req-and-verify-cert"
      }
    }
  }
More info: https://github.com/evilsocket/opensnitch/wiki/Nodes
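The two things the notes above ask the operator to keep consistent are the listen address (the "unix:@" form the user writes versus the "unix-abstract:" form python gRPC needs) and the certificate Common Name that must match that address, plus a sane combination of Type, SkipVerify and ClientAuthType. The following is an added example, not code from the opensnitch project: it only uses the standard library (no grpc import), the "unix:@" -> "unix-abstract:" rewrite is my reading of the note, the host-part Common Name for TCP addresses and the kebab-case spellings of ClientAuthType other than "req-and-verify-cert" are assumptions, and the sample configurations are constructed from the example in the notes.

```python
"""Audit an opensnitch-style "Server" block: derive the address the Python
gRPC server would really listen on, the Common Name the server certificate
needs for that address, and flag weak TLS settings.  Added example, stdlib only."""
import json

# Authentication types named in the release notes.
AUTH_TYPES = ("simple", "tls-simple", "tls-mutual")

# Go crypto/tls ClientAuthType names in kebab-case.  Only "req-and-verify-cert"
# appears in the notes; the other spellings are an assumption of this example.
CLIENT_AUTH_TYPES = (
    "no-client-cert",
    "req-cert",
    "req-any-cert",
    "verify-cert-if-given",
    "req-and-verify-cert",
)


def normalize_server_address(addr: str) -> str:
    """Rewrite the user-facing "unix:@name" form to "unix-abstract:name",
    which is what python gRPC accepts for abstract sockets.  Any other
    address is returned unchanged."""
    prefix = "unix:@"
    if addr.startswith(prefix):
        return "unix-abstract:" + addr[len(prefix):]
    return addr


def expected_common_name(addr: str) -> str:
    """Common Name the server certificate must carry for a given Address.
    For abstract sockets the notes require "@name".  For host:port
    addresses this example assumes the host part (an assumption)."""
    if addr.startswith("unix:@"):
        return "@" + addr[len("unix:@"):]
    host, sep, _port = addr.rpartition(":")
    return host if sep else addr


def audit_server_config(server: dict) -> list:
    """Return a list of findings (strings).  An empty list means the block
    is internally consistent and does not disable verification."""
    findings = []
    auth = server.get("Authentication", {})
    auth_type = auth.get("Type", "simple")
    if auth_type not in AUTH_TYPES:
        return [f"unknown Authentication.Type {auth_type!r}"]
    if auth_type == "simple":
        return findings  # nothing is encrypted, so there are no TLS settings to check

    tls = auth.get("TLSOptions", {})
    if tls.get("SkipVerify", False):
        findings.append("SkipVerify is true: peer certificates are not verified")
    if not tls.get("ServerCert"):
        findings.append("ServerCert is required for TLS authentication")

    client_auth = tls.get("ClientAuthType")
    if client_auth is not None and client_auth not in CLIENT_AUTH_TYPES:
        findings.append(f"unknown ClientAuthType {client_auth!r}")

    if auth_type == "tls-mutual":
        # Mutual TLS needs a per-node key pair and the server must actually
        # demand and verify it.
        for key in ("ClientCert", "ClientKey"):
            if not tls.get(key):
                findings.append(f"{key} is required for tls-mutual")
        if client_auth != "req-and-verify-cert":
            findings.append("tls-mutual without req-and-verify-cert: node certificates are not verified")
    return findings


# Constructed sample: the example block from the notes, switched to an
# abstract socket and mutual TLS.
SAMPLE_CONFIG = json.loads("""{
  "Server": {
    "Address": "unix:@opensnitch-ui",
    "Authentication": {
      "Type": "tls-mutual",
      "TLSOptions": {
        "CACert": "/etc/opensnitchd/auth/ca-cert.pem",
        "ServerCert": "/etc/opensnitchd/auth/server-cert.pem",
        "ClientCert": "/etc/opensnitchd/auth/client-cert.pem",
        "ClientKey": "/etc/opensnitchd/auth/client-key.pem",
        "SkipVerify": false,
        "ClientAuthType": "req-and-verify-cert"
      }
    }
  }
}""")

# Constructed weak variant: TLS is on, but verification is switched off.
WEAK_SERVER = {
    "Address": "127.0.0.1:12345",
    "Authentication": {
        "Type": "tls-simple",
        "TLSOptions": {"ServerCert": "/etc/opensnitchd/auth/server-cert.pem", "SkipVerify": True},
    },
}

if __name__ == "__main__":
    for server in (SAMPLE_CONFIG["Server"], WEAK_SERVER):
        addr = server["Address"]
        print(addr, "->", normalize_server_address(addr), "CN:", expected_common_name(addr))
        print("  findings:", audit_server_config(server) or "none")
```

Running it prints the rewritten listen address and required Common Name for each block, and one finding for the weak variant (SkipVerify is true).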
- Use Message util.
Maybe it'd be better to display a desktop notification for a
better experience, or a dialog box if notify2 is not installed.
- Translate warning message.
* require pyxdg
* extend xdg, introduce autostart
* use xdg_current_desktop from opensnitch.utils.xdg
* control autostart in tray
* dont use pkill anymore
* check if os-ui is already running
* don't require pyxdg (for now)
* simplify xdg_current_desktop
* do not use pyxdg (for now), use some code from there
* update autostart status when menu is open
* fix possible SameFileError
- Fixed crash on Wayland (Fedora 37) when setting the minimum and
maximum size of a pop-up. setMinimumSize() makes the GUI crash.
- With the above fix, we don't need to set QT_QPA_PLATFORM
(Closes: #794)
Display which versions the GUI is using. It'll help to debug issues.
For next releases we may need to check incompatibilities between grpc
and protobuf (#790).
Up until now, the daemon communicated with the GUI via a unix socket,
stored in /tmp.
/tmp however can be erased at any time (tmpreaper, systemd-tmpfiles.d),
which may remove our unix socket file, and hence lose the
connection with the daemon.
Now the user has the option to store the socket file under
/run/user/$uid/opensnitch/
https://www.linuxbase.org/betaspecs/fhs/fhs.html#runRuntimeVariableData
In the future we may switch to this path by default.
- Use a good quality icon on all dialogs.
- Set the icon off when closing, to let the user know that we're
exiting.
- Decreased time to wait to exit to 5 secs.
- If sys.exit() fails, force exit after 10s.
- Close db connection on exit.
- When closing the GUI (server), set connected nodes to offline.
The status will be updated when nodes connect again / when the server
is available again.
Otherwise, we may end up with nodes marked as _online_ when in reality
they're not connected.
- Add nodes on the main thread.
Problem:
- after losing network connectivity node<->server, the node didn't restore
the connection. In reality, the connection with the server was not
closed, but the notifications channel was closed due to inactivity
after 20s.
set inactivity timeouts to 20s on both node and server. Previous
timeouts were 2h for the main connection and 20s for the streaming
channels (notifications).
- get rid of the logic to determine if the server is alive or not based
on sending pings.
Instead, use the connection events when a node connects/disconnects
(Subscribe).
The Ping call is still used to send the statistics.
Other:
- fixed exception when updating the status of a node.
/usr/lib/python3/dist-packages/ was missing on OpenSuse TumbleWeed.
Maybe it's not the best solution, but solves the problem for now.
Reported by zaggynl here #59.
This should fix the warning message:
"Attribute Qt::AA_EnableHighDpiScaling must be set before
QCoreApplication is created."
Which should fix the small fonts reported by some users.
We may also need AA_UseHighDpiPixmaps.
Originally UI config file was saved to ~/.opensnitch/ui-config.json
Now those values are saved to ~/.config/opensnitch/settings.conf, along
with new ones.
Closes #3