Rhyzome Openwrt
This is a Rhyzome component for networking using Openwrt.
It is expected to be used on an Openwrt VM running on a Hypervisor (or cluster) where you are deploying "instances" (VMs) with Rhyzome Libvirt.
It facilitates the creation of new private networks and WireGuard endpoints.
Install
You can build the package as a single binary using Go as follows:
go build -o rhyzome-openwrt cmd/rhyzome-openwrt/main.go
An IPK package is created using scripts in the ci
directory. This is done automatically using Gitlab CI, but you can also run the build_rhyzome-openwrt.sh
package locally if you setup an environment for using the Openwrt ImageBuilder.
Setup
Configuration
The program will look for a configuration file named rhyzome-openwrt.json
in the directory where it is run, or in /etc/rhyzome/
.
The config requires an apiserver
and a pki
section defined. The following example assumes you are running the Rhyzome API
GRPC server on host Iido2eewe
and default port 9090
. The PKI is explained in the next section.
{
"apiserver": "Iido2eewe:9090",
"pki": {
"ca": "/home/user/.step/certs/root_ca.crt",
"cert": "/etc/step/certificates/step.crt",
"key": "/etc/step/certificates/step.key"
}
}
PKI
Rhyzome uses Mutual TLS (mTLS) authentication between the components. You can read about how to setup a PKI and issue certificates using Smallstep in our PKI guide.
Usage
Once the configuration is in place, we can start the daemon by simply running:
./rhyzome-openwrt
If the configuration is correct the program will connect via GRPC to the Rhyzome API server and long poll for jobs.
You can schedule network creation jobs via Rhyzome API for testing by using curl like so:
curl -H 'Accept: application/json' -H "Authorization: Bearer ${TOKEN}" -X POST ${APISERVER}:8080/v0/network
A new network interface will be added to the Openwrt host, with a private subnet, and a WireGuard interface bridged to that network.