A quick heads up about how I’m restructuring flyctl.
We currently have a big UX problem with user-mode WireGuard, which is that you can only have one WireGuard connection at a time (each connection is separately IPv6-addressed), and we can’t reasonably make new WireGuard connections for every run of flyctl. What happens now is, if you flyctl ssh into an instance in one window, and then do the same thing in another window, you’ll kill the first session when your second steals its IPv6 address.
It’s not the end of the world right now (we could just “lock” and only allow one SSH session at a time, and most people wouldn’t care) but it’s a real buzzkill if we want to use flyctl’s WireGuard for other stuff.
What I’m doing now is:

- flyctl agent daemon-start and agent start, a long-lived Unix domain socket (UDS) server (and a command that forks off that server as a background process).
- pkg/agent to flyctl with a simple text RPC protocol for the agent.
- Moving most WireGuard logic into the agent, and driving it from normal flyctl with a client of that agent.
The agent handles an arbitrary number of different orgs. The UDS is $HOME/.fly/fly-agent.sock, protected by Unix filesystem permissions. The client exports a Dialer that you should ideally be able to drop into anything that accepts a
This is going to be corner-casey AF. Everything I use on my Macbook that spawns a long-lived agent ends up leaking agents or orphaning its socket or whatever. I’m trying to be aggressive about this; there’s a single EstablishFlyAgent fn that will verify it can actually talk to the agent, and, if it can’t, will zap the UDS and fork off a new agent. Spawning a new agent is always preceded by killing the previous one, if possible.
What I’m hoping we can do is get this stabilized in a branch, a branch we all use for a couple weeks, before we inflict it on the world.
The other huge problem we’re going to have is Windows. What I expect to do here is stub out the client/agent stuff so all this stuff happens in-process on Windows — you won’t be able to run multiple WireGuard connections in different sessions on Windows, though.