bug: zerotier 1.12.0 compatibility

[mvivaldi]

Bug Report

ZeroUI version:

zero-ui:1.5.1

Current behavior:

with the new version of zerotier 1.12.0 I'm unable to:

• see the member of any networks
• rename a new network (or make any other modification)

Steps to reproduce:

install the new version of zerotier, login in zeroUI and look at the list of memebers of any network it will display something like:

No devices have joined this network. Use the app on your devices to join aaaaabbbbbcccccddddd1111.

[marcomazzaglia]

I have the same problem. Yesterday my zerotier server received the update, we migrated from ZT 1.10.6 to 1.12.0 and now I'm unable to see the clients on the web interface.

[dec0dOS]

Thanks for reporting the problem. Seems to be ZeroTier Team made some breaking changes to the controller behavior. You should stay on the latest supported ZeroTier version for the controller - 1.10

[dec0dOS]

The issue on ZeroTierOne repo to track the problem:
zerotier/ZeroTierOne#2108

[dec0dOS]

          Fixed in 1.12.1

Originally posted by @glimberg in zerotier/ZeroTierOne#2108 (comment)

[iball]

Everything I have has been upgraded to 1.12.1, systems rebooted, and I'm still not seeing them in ZeroUI.

Looks like others are still having the same issue, from the main ZeroTierOne Github issues list:

zerotier/ZeroTierOne#2114

[wongsyrone]

Already fixed via my commit 856682b

[eduardo010174]

zerotier/ZeroTierOne#2114

[U11Leung]

Already fixed via my commit 856682b

Is it included in current version of zero-ui?

[dec0dOS]

It was fixed in zerotier/ZeroTierOne#2115, waiting for 1.12.2 release

[marcomazzaglia]

It was fixed in zerotier/ZeroTierOne#2115, waiting for 1.12.2 release

Perfect! Do you know the time when 1.12.2 will be released?

[KevinRoebert]

Everything I have has been upgraded to 1.12.1, systems rebooted, and I'm still not seeing them in ZeroUI.

Looks like others are still having the same issue, from the main ZeroTierOne Github issues list:

zerotier/ZeroTierOne#2114

@iball Have you found a fix for it?

[dec0dOS]

@KevinRoebert you should wait for 1.12.2 release or downgrade ZeroTier on the controller to supported version.

[glimberg]

1.12.2 is now released

[iball]

Upgraded all my clients to 1.12.2 to include the server running ZeroUI and it's still not showing any clients/peers. zerotier-cli peers lists them all just fine but it's not showing up in the ZeroUI web UI.

[U11Leung]

Someone can confirm this? before I can give 1.12.2 a try

[canghaiwuhen]

1.12.2 Still having problems

[U11Leung]

let's reopen one on their issue list

[knightian]

Yep broken with ZT 1.12.2, I am seeing no clients.

[jonaavanza]

Same issue for me on fedora, I reverted to zerotier 1.10.2 and that solved the issue

[Mihara]

You basically need to revert one line in backend/routes/member.js to get rid of the compatibility fix introduced to handle 1.12.0, now that the compatibility is back to what it was before.

See 856682b#r126131655

[dec0dOS]

You basically need to revert one line in backend/routes/member.js to get rid of the compatibility fix introduced to handle 1.12.0, now that the compatibility is back to what it was before.

See 856682b#r126131655

Please keep in mind that the controller API responses for version 1.12.2 are still distinct from those in version 1.10. This commit was initially introduced as a temporary solution for the 1.12.0 release within the main branch, but the new ZeroUI version hasn't been released yet. I'm planning to revert it back while we await a proper fix from the ZeroTier team. For now, the best solution is to use the 1.10 ZeroTier version on the controller.

[glimberg]

Please keep in mind that the controller API responses for version 1.12.2 are still distinct from those in version 1.10

If this is still the case after 1.12.2, it hasn't been reported to us at ZeroTier.

[dec0dOS]

I couldn't replicate the issue with 1.12.2. My apologies, it turns out I was actually testing 1.12.1 at the time. Could someone please verify the problem with their setup using ZeroUI version 1.5.1 and ZeroTier 1.12.2? If you're still experiencing the problem, please consider building from the source and report any issues.

[mvivaldi]

With the latest update 1.5.8 everything is working fine!

Thank you

[knightian]

@dec0dOS I built your latest commit from source and it is working. One thing to note for everyone, is it seems that with 1.12 zerotier is changing permissions of authtoken.secret to be 600 (rw- --- ---) and owned by root, so because I am spawning zeroui as a user that is not root, it can't access the authtoken.secret file. If I allow that user access to the authtoken, on restart zerotier changes the permissions back. Worth noting this.

[dec0dOS]

@dec0dOS I built your latest commit from source and it is working. One thing to note for everyone, is it seems that with 1.12 zerotier is changing permissions of authtoken.secret to be 600 (rw- --- ---) and owned by root, so because I am spawning zeroui as a user that is not root, it can't access the authtoken.secret file. If I allow that user access to the authtoken, on restart zerotier changes the permissions back. Worth noting this.

In that case you should probably set ZU_CONTROLLER_TOKEN in env.

[iball]

After pulling the latest docker image, it's working properly now. Thank you.

[knightian]

@dec0dOS I built your latest commit from source and it is working. One thing to note for everyone, is it seems that with 1.12 zerotier is changing permissions of authtoken.secret to be 600 (rw- --- ---) and owned by root, so because I am spawning zeroui as a user that is not root, it can't access the authtoken.secret file. If I allow that user access to the authtoken, on restart zerotier changes the permissions back. Worth noting this.

In that case you should probably set ZU_CONTROLLER_TOKEN in env.

Great! I was wondering if this was a thing. Thanks

[eduardo010174]

Flow rules still not work.

[dec0dOS]

@eduardo010174, please provide minimal, reproducible example.

[eduardo010174]

I'm using zerotier 1.10.6 or 1.12.2 get same problem. I not test if rules work, but on controller probably work. The problem it's synchronize on zero-ui only. This problem emerged after update to last version of zero-ui. I will retry build again with this setup for check if it's a false positive or incompatible version and need rebuild after update.

controller.d/network$ cat redacted.json

{
  "authTokens": [
    null
  ],
  "authorizationEndpoint": "",
  "capabilities": [],
  "clientId": "",
  "creationTime": 1631785049729,
  "dns": [],
  "enableBroadcast": false,
  "id": "redacted",
  "ipAssignmentPools": [
    {
      "ipRangeEnd": "10.147.18.254",
      "ipRangeStart": "10.147.18.1"
    }
  ],
  "mtu": 2800,
  "multicastLimit": 32,
  "name": "redacted",
  "nwid": "redacted",
  "objtype": "network",
  "private": true,
  "remoteTraceLevel": 0,
  "remoteTraceTarget": null,
  "revision": 25,
  "routes": [
    {
      "target": "10.147.18.0/24",
      "via": null
    }
  ],
  "rules": [
    {
      "etherType": 2048,
      "not": true,
      "or": false,
      "type": "MATCH_ETHERTYPE"
    },
    {
      "etherType": 34525,
      "not": true,
      "or": false,
      "type": "MATCH_ETHERTYPE"
    },
    {
      "etherType": 2054,
      "not": true,
      "or": false,
      "type": "MATCH_ETHERTYPE"
    },
    {
      "type": "ACTION_DROP"
    },
    {
      "mask": "1000000000000000",
      "not": true,
      "or": false,
      "type": "MATCH_CHARACTERISTICS"
    },
    {
      "type": "ACTION_DROP"
    },
    {
      "not": false,
      "or": false,
      "type": "MATCH_DEST_ZEROTIER_ADDRESS",
      "zt": "fa7dd9101e"
    },
    {
      "type": "ACTION_ACCEPT"
    },
    {
      "not": false,
      "or": false,
      "type": "MATCH_SOURCE_ZEROTIER_ADDRESS",
      "zt": "fa7dd9101e"
    },
    {
      "type": "ACTION_ACCEPT"
    },
    {
      "not": false,
      "or": false,
      "type": "MATCH_DEST_ZEROTIER_ADDRESS",
      "zt": "73a15e1460"
    },
    {
      "type": "ACTION_ACCEPT"
    },
    {
      "not": false,
      "or": false,
      "type": "MATCH_SOURCE_ZEROTIER_ADDRESS",
      "zt": "73a15e1460"
    },
    {
      "type": "ACTION_ACCEPT"
    },
    {
      "not": false,
      "or": false,
      "type": "MATCH_DEST_ZEROTIER_ADDRESS",
      "zt": "04a9a0206a"
    },
    {
      "type": "ACTION_ACCEPT"
    },
    {
      "not": false,
      "or": false,
      "type": "MATCH_SOURCE_ZEROTIER_ADDRESS",
      "zt": "04a9a0206a"
    },
    {
      "type": "ACTION_ACCEPT"
    },
    {
      "etherType": 2054,
      "not": false,
      "or": false,
      "type": "MATCH_ETHERTYPE"
    },
    {
      "type": "ACTION_ACCEPT"
    },
    {
      "type": "ACTION_DROP"
    }
  ],
  "rulesSource": "",
  "ssoEnabled": false,
  "tags": [],
  "v4AssignMode": {
    "zt": true
  },
  "v6AssignMode": {
    "6plane": false,
    "rfc4193": false,
    "zt": false
  }
}

But on ZeroUI only read this

{
  "rules": [
    {
      "type": "MATCH_ETHERTYPE",
      "not": true,
      "or": false,
      "etherType": 2048
    },
    {
      "type": "MATCH_ETHERTYPE",
      "not": true,
      "or": false,
      "etherType": 2054
    },
    {
      "type": "MATCH_ETHERTYPE",
      "not": true,
      "or": false,
      "etherType": 34525
    },
    {
      "type": "ACTION_DROP"
    },
    {
      "type": "ACTION_ACCEPT"
    }
  ],
  "capabilities": [],
  "tags": []
}

Before update zero-ui

cat db.json 
{
  "users": [
    {
      "username": "---",
      "password_hash": "---",
      "token": "---"
    }
  ],
  "networks": [
    {
      "id": "redacted",
      "additionalConfig": {
        "description": "",
        "rulesSource": "\n# This is a default rule set that allows IPv4 and IPv6 traffic but otherwise\n# behaves like a standard Ethernet switch.\n\n#\n# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.\n#\ndrop\n  not ethertype ipv4\n  and not ethertype arp\n  and not ethertype ipv6\n;\n\n#\n# Uncomment to drop non-ZeroTier issued and managed IP addresses.\n#\n# This prevents IP spoofing but also blocks manual IP management at the OS level and\n# bridging unless special rules to exempt certain hosts or traffic are added before\n# this rule.\n#\ndrop\n  not chr ipauth\n;\n\naccept ztdest fa7dd9101e;\naccept ztsrc fa7dd9101e;\naccept ethertype arp;\n\n\n# Accept anything else. This is required since default is 'drop'.\ndrop;\n",
        "tagsByName": {},
        "capabilitiesByName": {}
      },
      "members": [
        {
          "id": "1",
          "additionalConfig": {
            "name": ---,
            "description": ""
          },
          "deleted": false,
          "lastOnline": 24
        },
        {
          "id": "2",
          "additionalConfig": {
            "name": ---,
            "description": ""
          },
          "lastOnline": 67
        },
        ...
        
      ]
    }
  ]

After update zero-ui

zero-ui_data/db.json 
{
  "users": [
    {
      "username": "---",
      "password_hash": "---",
      "token": "---"
    }
  ],
  "networks": [
    {
      "id": "redacted",
      "additionalConfig": {
        "description": "",
        "rulesSource": "\n# This is a default rule set that allows IPv4 and IPv6 traffic but otherwise\n# behaves like a standard Ethernet switch.\n\n#\n# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.\n#\ndrop\n  not ethertype ipv4\n  and not ethertype arp\n  and not ethertype ipv6\n;\n\n#\n# Uncomment to drop non-ZeroTier issued and managed IP addresses.\n#\n# This prevents IP spoofing but also blocks manual IP management at the OS level and\n# bridging unless special rules to exempt certain hosts or traffic are added before\n# this rule.\n#\n#drop\n#  not chr ipauth\n#;\n\n# Accept anything else. This is required since default is 'drop'.\naccept;\n",
        "tagsByName": {},
        "capabilitiesByName": {}
      },
      "members": []
    }
  ]

[artur-borys]

How are the things? Is zero-ui now compatible enough with the controller to update?