Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

openthread-border-router: init at unstable-2024-10-18 #332296

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

mrene
Copy link
Contributor

@mrene mrene commented Aug 4, 2024

Description of changes

This adds OpenThread's open source border router component along with a NixOS service.

Thread is a mesh networking technology based on 6LoWPAN (ipv6-based) and 802.15.4. The border router component bridges the mesh network to an ipv6 network on a local interface. If no ipv6 connectivity exists, it'll advertise a new prefix for the local network so communication is possible.

Once setup, it can be used to bridge a Thread network with the local network to expose IoT devices to other systems like Home Assistant, Apple Home, etc..

I've been using this implementation along with Home Assistant and some Nanoleaf light bulbs using both Matter and their proprietary "ltpdu" protocol for about a week now. It's pretty stable.

For the SkyConnect specifically, some options have to be used (see example). There doesn't seem to be a lot of hardware-specific options in nixpkgs so I chose not to include an option for this. Do let me know if there is an appropriate pattern to use here.

 services.openthread-border-router = {
   enable = true;
   radio =  {
     device = "/dev/serial/by-id/.....";
     baudRate = 460800;
     flowControl = true;
   };
 };

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Aug 4, 2024
@mrene mrene force-pushed the openthread-border-router branch 8 times, most recently from f771469 to bc2168f Compare August 4, 2024 18:52
@ofborg ofborg bot added 8.has: package (new) This PR adds a new package 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Aug 4, 2024
@mrene mrene force-pushed the openthread-border-router branch from bc2168f to a83e1b9 Compare August 5, 2024 00:41
@github-actions github-actions bot added 8.has: documentation This PR adds or changes documentation 8.has: changelog labels Aug 5, 2024
@mrene mrene marked this pull request as ready for review August 5, 2024 00:42
@h7x4 h7x4 added the 8.has: module (new) This PR adds a module in `nixos/` label Aug 5, 2024
Copy link
Contributor

@Pandapip1 Pandapip1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move the changelog addition to its own commit

@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Sep 10, 2024
@mrene mrene force-pushed the openthread-border-router branch from a83e1b9 to 0d941cf Compare October 20, 2024 14:47
@mrene mrene changed the title openthread-border-router: init at unstable-2024-07-26 openthread-border-router: init at unstable-2024-10-18 Oct 20, 2024
@mrene mrene force-pushed the openthread-border-router branch from 0d941cf to a9d1c74 Compare October 20, 2024 14:49
@mrene
Copy link
Contributor Author

mrene commented Oct 20, 2024

I pushed a few changes:

  • Bumped the package to its latest commit
  • Added the packaged otbr-firewall script (with patches) in order to setup ip6tables rules referencing the otbr ipset
  • Added the included otbr-web service which provides a web interface
  • Cleaned up some of the cmake options which were already set by default
  • Split the changelog entry in its own commit
  • Rebased over master

@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Oct 20, 2024
@mrene mrene force-pushed the openthread-border-router branch from a9d1c74 to 269e1ea Compare October 20, 2024 21:59
@mrene mrene force-pushed the openthread-border-router branch from 269e1ea to 2f5ba3d Compare October 21, 2024 03:58
@mrene mrene requested a review from SuperSandro2000 October 21, 2024 04:03
Copy link
Member

@SuperSandro2000 SuperSandro2000 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mrene mrene force-pushed the openthread-border-router branch from 31c3205 to 02f29a5 Compare October 24, 2024 03:29
@mrene
Copy link
Contributor Author

mrene commented Oct 24, 2024

Pushed:

  • Applied suggestions
  • Convert log level to an enum

@mrene mrene force-pushed the openthread-border-router branch from 02f29a5 to cf8dcf1 Compare October 24, 2024 03:31
@mrene
Copy link
Contributor Author

mrene commented Oct 24, 2024

Rebased over master to resolve conflicts in changelog.

Copy link
Contributor

@Pandapip1 Pandapip1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff LGTM; not tested

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/2060

@wegank wegank added the 12.approvals: 2 This PR was reviewed and approved by two reputable people label Oct 29, 2024
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Nov 9, 2024
Copy link
Contributor

@milas milas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have been running this on arm64 / NixOS 24.11 for the past month:

  services.openthread-border-router = {
    enable = true;
    backboneInterface = "end1";
    radio = {
      device = "/dev/serial/by-id/<your-device-id-here>";
      baudRate = 460800;
      flowControl = true;
    };
  };

It's been working great and stable.

@wegank wegank added 12.approvals: 3+ This PR was reviewed and approved by three or more reputable people and removed 12.approvals: 2 This PR was reviewed and approved by two reputable people labels Dec 26, 2024
This can be used to use compatible Thread radios (such as HomeAssistant's SkyConnect)
in order to create a thread border router.
@mrene mrene force-pushed the openthread-border-router branch from cf8dcf1 to faa9a55 Compare December 26, 2024 15:27
@mrene
Copy link
Contributor Author

mrene commented Dec 26, 2024

Thanks for testing!

Rebased over master and moved the changelog entry to rl-2505.

Copy link
Contributor

@Pandapip1 Pandapip1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How many of those patches have been upstreamed? The "don't install systemd units" patch can be easily modified to look at a variable:

if (SYSTEMD_FOUND AND (NOT DEFINED INSTALL_SYSTEMD_UNIT OR INSTALL_SYSTEMD_UNIT))
    pkg_get_variable(OTBR_SYSTEMD_UNIT_DIR systemd systemdsystemunitdir)
endif()

and then lib.cmakeBool "INSTALL_SYSTEMD_UNIT" false could be added to cmakeFlags

The static libs patch can instead be changed to:

if (NOT DEFINED Boost_USE_STATIC_LIBS)
    set(Boost_USE_STATIC_LIBS ON)
endif()

and then lib.cmakeBool "Boost_USE_STATIC_LIBS" stdenv.targetPlatform.isStatic could be added to cmakeFlags.

I'm not sure if the firewall script or the home assistant patch could be upstreamed, but any progress in that direction would be useful.

@milas
Copy link
Contributor

milas commented Dec 27, 2024

I opened two upstream PRs with your CMake suggestions:

The firewall patch is slightly less straightforward as you noted, I need to dig into that a bit more to understand it from the OTBR side before I open an issue upstream, but it seems tractable as well.

The two Home Assistant-derived patches are a bit murkier.

Given that, my suggestion would be to drop the Home Assistant addon patch references entirely:

  • See above: channel monitor patch is trivial and could be "inlined" to this repo (or avoided)
  • Dataset reset is custom to Home-Assistant and will never be upstreamed, so I don't think should be in nixpkgs

Copy link
Contributor

@milas milas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pulled the latest changes and rebuilt my config on arm64 without any issues.

While reviewing the diff, I realized I'd made a couple local changes around network security that might be worth incorporating.

rest = {
listenAddress = lib.mkOption {
type = lib.types.str;
default = "::";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this should default to 127.0.0.1. (Specifically, a localhost IP, and it appears that this is the convention throughout NixOS/nixpgs.)

The REST API works fine on IPv4 even though Matter comms themselves use IPv6.

(Users can still pass ::1 if they want to listen on IPv6 localhost instead or :: as currently to listen on all.)

enable = lib.mkEnableOption "the web interface";
listenAddress = lib.mkOption {
type = lib.types.str;
default = "::";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly, I think the web interface should default to a local IP, i.e. 127.0.0.1.

{
meta.maintainers = with lib.maintainers; [ mrene ];

options.services.openthread-border-router = {
Copy link
Contributor

@milas milas Dec 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EDIT: Hmm...it looks like the port number for the listening service is dynamic. I was confused and thought 49154 was hardcoded somewhere (note: there ARE other hardcoded ports in OpenThread code 🙈) but I think now it's simply from the "Dynamic and/or Private Ports (49152-65535)" range and shows up a lot in the OpenThread docs by coincidence.

Frustratingly, from what I can tell, it's not clear if this is customizable after compile-time, which makes this tricky.


Original comment:

I think we also need an openFirewall option:

networking.firewall.allowedUDPPorts = [
    49154
];

I don't think it makes sense to have firewall options for REST/web.

In a VM/lab environment, the admin should add allowedTCPPorts for web.listenPort / rest.listenPort themselves.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened a discussion about listener ports upstream: https://github.com/orgs/openthread/discussions/11093

license = lib.licenses.bsd3;
maintainers = with lib.maintainers; [ mrene ];
mainProgram = "ot-ctl";
platforms = lib.platforms.linux;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
platforms = lib.platforms.linux;
platforms = lib.platforms.unix;

If upstream claims that it supports POSIX, we should let it run on all POSIX systems, not just linux.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I can get it to compile on aarch64-darwin with the latest apple sdks, it doesn't function correctly (it uses a bogus setsockopt argument when binding to the backbone interface, and it depends on avahi or dns-sd for mdns).

Would it be preferred to be marked as broken on non-linux while defining platforms as unix?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest it be marked broken on darwin. I suspect it would likely work on the BSDs.

@wegank wegank removed the 12.approvals: 3+ This PR was reviewed and approved by three or more reputable people label Dec 29, 2024
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/thread-border-router-on-nixos/57909/3

@colonelpanic8
Copy link
Contributor

I'm trying to use this with Home Assistant Connect ZBT-1 (previously known as Home Assistant SkyConnect), and seeing this:

Jan 18 05:52:03 justin-bieber-creek systemd[1]: Started OpenThread Border Router Agent.
Jan 18 05:52:03 justin-bieber-creek otbr-agent[253962]: [NOTE]-AGENT---: Backbone interface: enp1s0
Jan 18 05:52:05 justin-bieber-creek otbr-agent[253962]: otbr-agent[253962]: 50d.03:40:18.395 [W] P-SpinelDrive-: Wait for response timeout
Jan 18 05:52:05 justin-bieber-creek otbr-agent[253962]: 50d.03:40:18.395 [W] P-SpinelDrive-: Wait for response timeout
Jan 18 05:52:07 justin-bieber-creek otbr-agent[253962]: otbr-agent[253962]: 50d.03:40:20.397 [W] P-SpinelDrive-: Wait for response timeout
Jan 18 05:52:07 justin-bieber-creek otbr-agent[253962]: 50d.03:40:20.397 [W] P-SpinelDrive-: Wait for response timeout
Jan 18 05:52:09 justin-bieber-creek otbr-agent[253962]: otbr-agent[253962]: 50d.03:40:22.399 [W] P-SpinelDrive-: Wait for response timeout
Jan 18 05:52:09 justin-bieber-creek otbr-agent[253962]: otbr-agent[253962]: 50d.03:40:22.399 [C] Platform------: Init() at spinel_driver.cpp:82: Failure
Jan 18 05:52:09 justin-bieber-creek otbr-agent[253962]: 50d.03:40:22.399 [W] P-SpinelDrive-: Wait for response timeout
Jan 18 05:52:09 justin-bieber-creek otbr-agent[253962]: 50d.03:40:22.399 [C] Platform------: Init() at spinel_driver.cpp:82: Failure
Jan 18 05:52:11 justin-bieber-creek otbr-agent[253962]: otbr-agent[253962]: 50d.03:40:24.402 [W] P-SpinelDrive-: Wait for response timeout
Jan 18 05:52:11 justin-bieber-creek otbr-agent[253962]: 50d.03:40:24.402 [W] P-SpinelDrive-: Wait for response timeout
Jan 18 05:52:11 justin-bieber-creek systemd[1]: otbr-agent.service: Main process exited, code=exited, status=1/FAILURE

I suspect that it could be because I haven't flashed the thread firmware to the device yet, but I'm struggling to find any information about how to do that manually (all the documentation that I've seen says that the home-assistant add-on should take care of this automatically).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog 8.has: documentation This PR adds or changes documentation 8.has: module (new) This PR adds a module in `nixos/` 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 11.by: package-maintainer This PR was created by the maintainer of the package it changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants