Currently, all init scripts, except for systemd, will generate a config
file with default permissions, which is usually `rw-r--r--`.
This is bad, because the config contains a private key.
The systemd service does `chmod 640` after creating the config, which is
much better than just leaving it readable for everyone forever, but
there is still a slight chance that some malicious program might steal
the private key during the time window between key creation and chmod.
For this reason, in this pull request I use `umask 037`, so the config
won't have read permission for others in the first place.
Note that I have only tested openrc and systemd services.
Also, I'm not sure what to do with the contrib/msi/build-msi.sh script,
which creates a bat file that generates a config. I don't know anything
about file permissions on windows, however, it seems that the bat file
generates the config into a user's personal directory, so maybe it's
already somewhat fine.
# Summary
This PR addresses failures to run Yggdrasil on ARM systems. The root
cause was the lack of ARM artifacts/images, which led to exec format
error and similar issues.
## What’s added:
- ```Dockerfile.multiarch``` — multi-stage Go build that correctly
propagates GOOS/GOARCH for linux/amd64, linux/arm64, linux/armhf and
linux/armel platform.
- ```entrypoint.sh``` - Introduced ENV **ALLOW_IPV6_FORWARDING**. When
set to a truthy value (e.g., true), the entrypoint executes: ```sysctl
-w net.ipv6.conf.all.forwarding=1```.
- GitHub Action for multi-arch builds and publishing to GHCR — triggered
via ```workflow_dispatch```, push to ```master``` and release via tags
(with docker semantic tags e.g. v0.5.12 → 0.5.12, 0.5, 0).
Example published images:
[https://github.com/Forne/yggdrasil-go/pkgs/container/yggdrasil-go](https://github.com/Forne/yggdrasil-go/pkgs/container/yggdrasil-go)
## Testing
✅ Ubuntu (24.04, amd64) — image runs correctly.
✅ macOS (Apple Silicon, arm64) — image runs correctly.
✅ MikroTik RouterOS (arm64) — image runs under the RouterOS container
package.
This PR updates Ironwood to include the new RTT-based link costing and
updates `yggdrasilctl` to report the cost in `getPeers`.
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
* Update Debian package
* Don't put `AdminListen` in config by default, fix path in Debian package
* Fix path in unit file
* Preserve original service files for other packages
---------
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
* Allow setting link priorities
* Fix a bug
* Allow setting priority on listeners and multicast interfaces
* Update `yggdrasilctl`
* Update to Arceliar/ironwood#5
* Link refactoring
* More refactoring
* More tweaking
* Cleaner shutdowns, UNIX socket support, more tweaks
* Actorise links, remove mutex
* SOCKS support
* Do not exit on multicast errors (mobile)
* Consistency with cmd/yggdrasil/main.go
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
