diff --git a/nitro-shim/Dockerfile b/nitro-shim/Dockerfile
deleted file mode 100644
index 295b5e899..000000000
--- a/nitro-shim/Dockerfile
+++ /dev/null
@@ -1,26 +0,0 @@
-# Build proxies that facilitate communication with the enclave.
-FROM golang:1.20 as builder
-
-WORKDIR /src
-COPY tools/ ./
-RUN make -C ./viproxy/ viproxy
-RUN make -C ./gvproxy/ gvproxy
-RUN make -C ./eifbuild/ eifbuild
-
-FROM amazonlinux:2.0.20230207.0
-
-RUN echo "timeout=60.0" >> /etc/yum.conf
-
-RUN amazon-linux-extras install aws-nitro-enclaves-cli -y && \
- yum install aws-nitro-enclaves-cli-devel wget curl strace awscli -y && \
- yum clean all && \
- rm -rf /var/cache/yum && \
- mkdir -p /enclave
-
-WORKDIR /enclave
-
-COPY --from=builder /src/viproxy/viproxy /enclave/
-COPY --from=builder /src/gvproxy/gvproxy /enclave/
-COPY --from=builder /src/eifbuild/eifbuild /enclave/
-
-COPY scripts/ /enclave/
diff --git a/nitro-shim/README.md b/nitro-shim/README.md
deleted file mode 100644
index 70ef1e57f..000000000
--- a/nitro-shim/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Nitro Shim
-
-This container definition will allow the nitro shim container to build
-and run nitro images on an enclave.
-
-## Build
-
-docker build -t nitro-shim:latest .
-docker tag nitro-shim:latest .dkr.ecr.us-west-2.amazonaws.com/brave-intl/nitro-shim:latest
-docker login ...
-docker push .dkr.ecr.us-west-2.amazonaws.com/brave-intl/nitro-shim:latest
-
-## Usage
-
-Inside Kubernetes you can specify the shim container to build and launch a given reproducible docker
-image inside an enclave with the `build.sh` command shown below:
-
-```bash
-/enclave/build.sh .dkr.ecr.us-west-2.amazonaws.com/brave-intl/bat-go/master:repro- run
-```
-
-The above command will build a `.eif` image using this docker image and run in an enclave
diff --git a/nitro-shim/scripts/build.sh b/nitro-shim/scripts/build.sh
deleted file mode 100755
index 1fc156938..000000000
--- a/nitro-shim/scripts/build.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/bash
-
-docker_image_base="${1}"
-
-# service var is the service we wish to run in the enclave
-service=""
-if [ "${2}" != "" ]; then
- service="/${2}"
-fi
-
-and_run="${3}"
-run_cpu_count="${4}"
-run_memory="${5}"
-
-set -eux
-
-# wait for a few seconds for eks to pull down the right version
-sleep 20
-
-# get the latest docker image of the base image we are looking for
-docker_image=$(docker images --format "{{.Repository}} {{.CreatedAt}}" | grep "${docker_image_base}" | sort -rk 2 | awk -v s="${service}" 'NR==1{printf "%s%s", $1, s}')
-
-if [ -z "${docker_image}" ]; then
- docker_image=${docker_image_base}
-fi
-
-aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${docker_image}
-
-# get the latest docker image of the base image we are looking for with tag
-docker_image_tag=$(docker images --format "{{.Repository}} {{.Tag}} {{.CreatedAt}}" | grep "${docker_image_base}" | sort -rk 3 | awk -v s="${service}" 'NR==1{printf "%s%s:%s", $1, s, $2}')
-if [ -z "${docker_image_tag}" ]; then
- docker_image_tag=${docker_image_base}
-fi
-
-if [[ ! -z "$EIF_PASS_ENV" && ! -z "$EIF_COMMAND" ]]; then
- buildeif -pass-env $EIF_PASS_ENV -docker-uri ${docker_image_tag} -output-file nitro-image.eif -- sh -c \"$EIF_COMMAND\"
-else
- nitro-cli build-enclave --docker-uri ${docker_image_tag} --output-file nitro-image.eif
-fi
-
-if [ "${and_run}" == "run" ]; then
- /enclave/run.sh "${service}" ${run_cpu_count} ${run_memory}
-fi
-
diff --git a/nitro-shim/scripts/run.sh b/nitro-shim/scripts/run.sh
deleted file mode 100755
index 06d76fc12..000000000
--- a/nitro-shim/scripts/run.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-
-service="${1}"
-cpu_count=${2:-2}
-memory=${3:-512}
-cid="4"
-
-set -eux
-
-nitro-cli run-enclave \
- --enclave-cid "${cid}" \
- --cpu-count ${cpu_count} \
- --memory ${memory} \
- --eif-path nitro-image.eif > /tmp/output.json
-cat /tmp/output.json
-
-# background the proxy startup
-/enclave/start-proxies.sh "${service}" "${cid}" &
-
-# sleep forever while enclave runs
-# will cause the container to die if enclave dies
-/enclave/sleep.sh
-
diff --git a/nitro-shim/scripts/sleep.sh b/nitro-shim/scripts/sleep.sh
deleted file mode 100755
index 2f6f01b5b..000000000
--- a/nitro-shim/scripts/sleep.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-echo --- Monitoring enclave $(date) ---
-set -eux
-
-while true
-do
- # check every so often that the enclave is running
- sleep 480
- date
-
- EID=$(nitro-cli describe-enclaves | jq -r .[].EnclaveID)
- if [ "${EID}" == "" ]; then
- break;
- fi
-done
diff --git a/nitro-shim/scripts/start-proxies.sh b/nitro-shim/scripts/start-proxies.sh
deleted file mode 100755
index 7383e0fa3..000000000
--- a/nitro-shim/scripts/start-proxies.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-service="${1}"
-CID="${2}"
-PARENT_CID="3" # the CID of the EC2 instance
-
-echo "cid is ${CID}"
-# at this point the enclave is up. depending on what service we're running,
-# it's now time to set up proxy tools
-if [ "${service}" = "/payments" ]; then
- # setup inbound traffic proxy
- export IN_ADDRS=":8080"
- export OUT_ADDRS="${CID}:8080"
- echo "${IN_ADDRS} to ${OUT_ADDRS}"
- # next startup the proxy
- /enclave/viproxy > /tmp/viproxy.log &
-elif [ "${service}" = "/star-randsrv" ]; then
- domain_socket="/tmp/network.sock"
- /enclave/gvproxy \ -listen "vsock://:1024" \ -listen "unix://${domain_socket}" &
- # give gvproxy a second to start
- sleep 1
- # instruct gvproxy to forward port 443 to the enclave
- curl \ -X POST \ --unix-socket "$domain_socket" \ -d '{"local":":443","remote":"192.168.127.2:443"}' \ "http:/unix/services/forwarder/expose"
-fi
diff --git a/nitro-shim/tools/eifbuild/Makefile b/nitro-shim/tools/eifbuild/Makefile
deleted file mode 100644
index 4982e9191..000000000
--- a/nitro-shim/tools/eifbuild/Makefile
+++ /dev/null
@@ -1,12 +0,0 @@
-binary = eifbuild
-godeps = go.mod go.sum *.go
-
-.PHONY: all test lint $(binary) clean
-
-all: test lint $(binary)
-
-$(binary): $(godeps)
- go build -o $(binary) .
-
-clean:
- rm -f $(binary)
diff --git a/nitro-shim/tools/eifbuild/go.mod b/nitro-shim/tools/eifbuild/go.mod
deleted file mode 100644
index fc3669e77..000000000
--- a/nitro-shim/tools/eifbuild/go.mod
+++ /dev/null
@@ -1,3 +0,0 @@
-module eifbuild
-
-go 1.20
diff --git a/nitro-shim/tools/eifbuild/go.sum b/nitro-shim/tools/eifbuild/go.sum
deleted file mode 100644
index e69de29bb..000000000
diff --git a/nitro-shim/tools/eifbuild/main.go b/nitro-shim/tools/eifbuild/main.go
deleted file mode 100644
index f33455fff..000000000
--- a/nitro-shim/tools/eifbuild/main.go
+++ /dev/null
@@ -1,256 +0,0 @@
-package main
-
-import (
- "flag"
- "fmt"
- "io/ioutil"
- "os"
- "os/exec"
- "path/filepath"
- "strings"
- "text/template"
-)
-
-const (
- bootstrapTemplate = `files:
- - path: dev
- directory: true
- mode: "0755"
- - path: init
- source: {{ .initPath }}
- mode: "0755"
- - path: nsm.ko
- source: {{ .nsmkoPath }}
- mode: "0755"`
- customerTemplate = `init:
- - {{ .image }}
-files:
- - path: rootfs/dev
- directory: true
- mode: "0755"
- - path: rootfs/run
- directory: true
- mode: "0755"
- - path: rootfs/sys
- directory: true
- mode: "0755"
- - path: rootfs/var
- directory: true
- mode: "0755"
- - path: rootfs/proc
- directory: true
- mode: "0755"
- - path: rootfs/tmp
- directory: true
- mode: "0755"
- - path: cmd
- source: {{ .cmd }}
- mode: "0644"
- - path: env
- source: {{ .env }}
- mode: "0644"`
-)
-
-func printusage() {
- fmt.Println("Usage:\n")
- fmt.Println("eifbuild -pass-envs ENVS -docker-uri IMAGE -output-file OUTPUT -- COMMAND...\n")
-
- flag.PrintDefaults()
-}
-
-func printhelp() {
- fmt.Println("eifbuild is a tool for building enclave image files.\n")
- printusage()
-}
-
-func main() {
- var help bool
-
- passEnvPtr := flag.String("pass-env", "", "Comma separated list of env vars to pass to the build")
- imagePtr := flag.String("docker-uri", "", "Docker image URI")
- outPtr := flag.String("output-file", "", "Output file for built EIF")
- flag.BoolVar(&help, "help", false, "Show help")
- flag.BoolVar(&help, "h", false, "Show help (shorthand)")
- flag.Usage = printusage
- flag.Parse()
-
- if help {
- printhelp()
- os.Exit(0)
- }
-
- if *imagePtr == "" || *outPtr == "" {
- fmt.Println("Both -docker-uri and -output-file flags must be set!")
- printusage()
- os.Exit(1)
- }
-
- fmt.Println("Image:", *imagePtr, "\n")
- fmt.Println("Output:", *outPtr, "\n")
-
- cmd := make([]string, 0)
- afterSep := false
- for _, arg := range os.Args {
- if afterSep {
- cmd = append(cmd, arg)
- }
- if arg == "--" {
- afterSep = true
- }
- }
-
- 
fmt.Println("Command:", cmd, "\n")
- fmt.Println("Env:")
-
- envs := make(map[string]string)
- if *passEnvPtr != "" {
- passEnv := strings.Split(*passEnvPtr, ",")
- for _, k := range passEnv {
- v, ok := os.LookupEnv(k)
- if !ok {
- fmt.Println("Warning:", k, "not present in environment but requested to be passed")
- continue
- }
- envs[k] = v
- fmt.Println(k, "=", v)
- }
- }
-
- fmt.Println("\nBuilding...")
-
- err := BuildEif("/usr/share/nitro_enclaves/blobs/", *imagePtr, cmd, envs, *outPtr)
- if err != nil {
- fmt.Println(err)
- os.Exit(1)
- }
-
- os.Exit(0)
-}
-
-func generateBootstrap(initPath, nsmkoPath string) (*os.File, error) {
- file, err := os.CreateTemp("", "bootstrap")
- if err != nil {
- return nil, err
- }
- templ := template.Must(template.New("bootstrap").Parse(bootstrapTemplate))
- err = templ.Execute(file, map[string]interface{}{
- "initPath": initPath,
- "nsmkoPath": nsmkoPath,
- })
- return file, err
-}
-
-func generateCustomer(image, cmdPath, envPath string) (*os.File, error) {
- file, err := os.CreateTemp("", "customer")
- if err != nil {
- return nil, err
- }
- templ := template.Must(template.New("customer").Parse(customerTemplate))
- err = templ.Execute(file, map[string]interface{}{
- "image": image,
- "cmd": cmdPath,
- "env": envPath,
- })
- return file, err
-}
-
-func BuildEif(blobsPath string, image string, cmds []string, envs map[string]string, output string) error {
- artifactsDir, err := os.MkdirTemp("", "initramfs")
- if err != nil {
- return err
- }
- defer os.RemoveAll(artifactsDir)
-
- bootstrap, err := generateBootstrap(filepath.Join(blobsPath, "init"), filepath.Join(blobsPath, "nsm.ko"))
- if err != nil {
- return err
- }
- defer os.Remove(bootstrap.Name())
-
- cmd, err := os.CreateTemp("", "cmd")
- if err != nil {
- return err
- }
- defer os.Remove(cmd.Name())
-
- env, err := os.CreateTemp("", "env")
- if err != nil {
- return err
- }
- defer os.Remove(env.Name())
-
- // TODO for now we will ignore the cmd and env from the 
docker image
- for _, c := range cmds {
- fmt.Fprintf(cmd, "%s\n", c)
- }
- for k, v := range envs {
- fmt.Fprintf(env, "%s=%s\n", k, v)
- }
-
- customer, err := generateCustomer(image, cmd.Name(), env.Name())
- if err != nil {
- return err
- }
- defer os.Remove(customer.Name())
-
- bootstrapRamdisk := filepath.Join(artifactsDir, "bootstrap-initrd.img")
- customerRamdisk := filepath.Join(artifactsDir, "customer-initrd.img")
-
- command := execCommand(filepath.Join(blobsPath, "linuxkit"),
- "build",
- "-name",
- filepath.Join(artifactsDir, "bootstrap"),
- "-format",
- "kernel+initrd",
- bootstrap.Name(),
- )
- if err = command.Run(); err != nil {
- return err
- }
-
- command = execCommand(filepath.Join(blobsPath, "linuxkit"),
- "build",
- "-name",
- filepath.Join(artifactsDir, "customer"),
- "-format",
- "kernel+initrd",
- "-prefix",
- "rootfs/",
- customer.Name(),
- )
- if err = command.Run(); err != nil {
- return err
- }
-
- cmdline, err := ioutil.ReadFile(filepath.Join(blobsPath, "cmdline"))
- if err != nil {
- return err
- }
- command = execCommand("eif_build",
- "--kernel",
- filepath.Join(blobsPath, "bzImage"),
- "--kernel_config",
- filepath.Join(blobsPath, "bzImage.config"),
- "--cmdline",
- string(cmdline),
- "--ramdisk",
- bootstrapRamdisk,
- "--ramdisk",
- customerRamdisk,
- "--output",
- output,
- )
- if err = command.Run(); err != nil {
- return err
- }
- return nil
-}
-
-func execCommand(name string, arg ...string) *exec.Cmd {
- fmt.Println("Running:", name, arg)
-
- command := exec.Command(name, arg...)
- command.Stdout = os.Stdout
- command.Stderr = os.Stderr
- return command
-}
diff --git a/nitro-shim/tools/gvproxy/Makefile b/nitro-shim/tools/gvproxy/Makefile
deleted file mode 100644
index 711ec1e20..000000000
--- a/nitro-shim/tools/gvproxy/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-binary = gvproxy
-godeps = go.mod go.sum *.go Makefile
-
-.PHONY: all
-all: lint $(binary)
-
-.PHONY: lint
-lint: $(godeps)
- golangci-lint run
-
-$(binary): $(godeps)
- CGO_ENABLED=0 go build -o $(binary) .
-
-.PHONY: clean
-clean:
- rm -f $(binary)
diff --git a/nitro-shim/tools/gvproxy/go.mod b/nitro-shim/tools/gvproxy/go.mod
deleted file mode 100644
index cd6780a23..000000000
--- a/nitro-shim/tools/gvproxy/go.mod
+++ /dev/null
@@ -1,32 +0,0 @@
-module gvproxy
-
-go 1.20
-
-require (
- github.com/containers/gvisor-tap-vsock v0.6.1
- github.com/dustin/go-humanize v1.0.1
- github.com/pkg/errors v0.9.1
- github.com/sirupsen/logrus v1.9.0
- golang.org/x/sync v0.1.0
-)
-
-require (
- github.com/Microsoft/go-winio v0.6.0 // indirect
- github.com/apparentlymart/go-cidr v1.1.0 // indirect
- github.com/google/btree v1.0.1 // indirect
- github.com/google/gopacket v1.1.19 // indirect
- github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f // indirect
- github.com/linuxkit/virtsock v0.0.0-20220523201153-1a23e78aa7a2 // indirect
- github.com/mdlayher/socket v0.4.0 // indirect
- github.com/mdlayher/vsock v1.2.0 // indirect
- github.com/miekg/dns v1.1.52 // indirect
- github.com/u-root/uio v0.0.0-20210528114334-82958018845c // indirect
- golang.org/x/crypto v0.31.0 // indirect
- golang.org/x/mod v0.9.0 // indirect
- golang.org/x/net v0.23.0 // indirect
- golang.org/x/sys v0.28.0 // indirect
- golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
- golang.org/x/tools v0.7.0 // indirect
- gvisor.dev/gvisor v0.0.0-20221216231429-a78e892a26d2 // indirect
- inet.af/tcpproxy v0.0.0-20220326234310-be3ee21c9fa0 // indirect
-)
diff --git a/nitro-shim/tools/gvproxy/go.sum b/nitro-shim/tools/gvproxy/go.sum
deleted file mode 100644
index 2cbd7d048..000000000
--- a/nitro-shim/tools/gvproxy/go.sum
+++ /dev/null
@@ -1,122 +0,0 @@ -github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= -github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= -github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU= -github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc= -github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU= -github.com/containers/gvisor-tap-vsock v0.6.1 h1:FaLOl4CE13Q8PgG89MfAaFx/B0AK/akHaR6pR2nvLUY= -github.com/containers/gvisor-tap-vsock v0.6.1/go.mod h1:L6sgnuJhMaLT9dNi0fOEoloLQnaVgLXP5oEFTVvq8Dw= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= -github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= -github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc= -github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= -github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/gopacket v1.1.19 
h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= -github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis= -github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f h1:l1QCwn715k8nYkj4Ql50rzEog3WnMdrd4YYMMwemxEo= -github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E= -github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw= -github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ= -github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok= -github.com/jsimonetti/rtnetlink v0.0.0-20201110080708-d2c240429e6c/go.mod h1:huN4d1phzjhlOsNIjFsw2SVRbwIHj3fJDMEU2SDPTmg= -github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= -github.com/linuxkit/virtsock v0.0.0-20220523201153-1a23e78aa7a2 h1:DZMFueDbfz6PNc1GwDRA8+6lBx1TB9UnxDQliCqR73Y= -github.com/linuxkit/virtsock v0.0.0-20220523201153-1a23e78aa7a2/go.mod h1:SWzULI85WerrFt3u+nIm5F9l7EvxZTKQvd0InF3nmgM= -github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7 h1:lez6TS6aAau+8wXUP3G9I3TGlmPFEq2CTxBaRqY6AGE= -github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y= -github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA= -github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M= -github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY= 
-github.com/mdlayher/netlink v1.1.1/go.mod h1:WTYpFb/WTvlRJAyKhZL5/uy69TDDpHHu2VZmb2XgV7o= -github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg= -github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065 h1:aFkJ6lx4FPip+S+Uw4aTegFMct9shDvP+79PsSxpm3w= -github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg= -github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw= -github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc= -github.com/mdlayher/vsock v1.2.0 h1:klRY9lndjmg6k/QWbX/ucQ3e2JFRm1M7vfG9hijbQ0A= -github.com/mdlayher/vsock v1.2.0/go.mod h1:w4kdSTQB9p1l/WwGmAs0V62qQ869qRYoongwgN+Y1HE= -github.com/miekg/dns v1.1.52 h1:Bmlc/qsNNULOe6bpXcUTsuOajd0DzRHwup6D9k1An0c= -github.com/miekg/dns v1.1.52/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= -github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.2 
h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= -github.com/u-root/uio v0.0.0-20210528114334-82958018845c h1:BFvcl34IGnw8yvJi8hlqLFo9EshRInwWBs2M5fGWzQA= -github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= -golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs= -golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
-golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190418153312-f0ce4c0180be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= -golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4= -golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gvisor.dev/gvisor v0.0.0-20221216231429-a78e892a26d2 h1:QN+Xh63jThYFN4CrcD4KXj+rUhevlb0LXEAlZ4m+qXQ= -gvisor.dev/gvisor v0.0.0-20221216231429-a78e892a26d2/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA= -inet.af/tcpproxy 
v0.0.0-20220326234310-be3ee21c9fa0 h1:PqdHrvQRVK1zapJkd0qf6+tevvSIcWdfenVqJd3PHWU= -inet.af/tcpproxy v0.0.0-20220326234310-be3ee21c9fa0/go.mod h1:Tojt5kmHpDIR2jMojxzZK2w2ZR7OILODmUo2gaSwjrk= diff --git a/nitro-shim/tools/gvproxy/gvproxy.go b/nitro-shim/tools/gvproxy/gvproxy.go deleted file mode 100644 index 1744e1a52..000000000 --- a/nitro-shim/tools/gvproxy/gvproxy.go +++ /dev/null 
@@ -1,492 +0,0 @@
-// The code below is taken (almost) verbatim from here:
-// https://github.com/containers/gvisor-tap-vsock/blob/a39274e8244767c19c74fa68e9d1d8316cf9e175/cmd/gvproxy/main.go
-// The only modification we made was to remove the forward-SSH-by-default rule.
-//
-// In the above revision, gvisor-tap-vsock is licensed under the Apache 2.0
-// license, which permits us to use the code here.
-package main
-
-import (
- "bufio"
- "context"
- "flag"
- "fmt"
- "net"
- "net/http"
- "net/http/pprof"
- "net/url"
- "os"
- "os/signal"
- "runtime"
- "strconv"
- "strings"
- "syscall"
- "time"
-
- "github.com/containers/gvisor-tap-vsock/pkg/net/stdio"
- "github.com/containers/gvisor-tap-vsock/pkg/sshclient"
- "github.com/containers/gvisor-tap-vsock/pkg/transport"
- "github.com/containers/gvisor-tap-vsock/pkg/types"
- "github.com/containers/gvisor-tap-vsock/pkg/virtualnetwork"
- "github.com/dustin/go-humanize"
- "github.com/pkg/errors"
- log "github.com/sirupsen/logrus"
- "golang.org/x/sync/errgroup"
-)
-
-var (
- debug bool
- mtu int
- endpoints arrayFlags
- vpnkitSocket string
- qemuSocket string
- bessSocket string
- stdioSocket string
- forwardSocket arrayFlags
- forwardDest arrayFlags
- forwardUser arrayFlags
- forwardIdentify arrayFlags
- sshPort int
- pidFile string
- exitCode int
-)
-
-const (
- gatewayIP = "192.168.127.1"
- sshHostPort = "192.168.127.2:22"
-)
-
-func main() {
- flag.Var(&endpoints, "listen", "control endpoint")
- flag.BoolVar(&debug, "debug", false, "Print debug info")
- flag.IntVar(&mtu, "mtu", 1500, "Set the MTU")
- flag.IntVar(&sshPort, "ssh-port", 2222, "Port to access the guest virtual machine. Must be between 1024 and 65535")
- flag.StringVar(&vpnkitSocket, "listen-vpnkit", "", "VPNKit socket to be used by Hyperkit")
- flag.StringVar(&qemuSocket, "listen-qemu", "", "Socket to be used by Qemu")
- flag.StringVar(&bessSocket, "listen-bess", "", "unixpacket socket to be used by Bess-compatible applications")
- flag.StringVar(&stdioSocket, "listen-stdio", "", "accept stdio pipe")
- flag.Var(&forwardSocket, "forward-sock", "Forwards a unix socket to the guest virtual machine over SSH")
- flag.Var(&forwardDest, "forward-dest", "Forwards a unix socket to the guest virtual machine over SSH")
- flag.Var(&forwardUser, "forward-user", "SSH user to use for unix socket forward")
- flag.Var(&forwardIdentify, "forward-identity", "Path to SSH identity key for forwarding")
- flag.StringVar(&pidFile, "pid-file", "", "Generate a file with the PID in it")
- flag.Parse()
-
- ctx, cancel := context.WithCancel(context.Background())
- // Make this the last defer statement in the stack
- defer os.Exit(exitCode)
-
- groupErrs, ctx := errgroup.WithContext(ctx)
- // Setup signal channel for catching user signals
- sigChan := make(chan os.Signal, 1)
- signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM, syscall.SIGINT)
-
- if debug {
- log.SetLevel(log.DebugLevel)
- }
-
- // Make sure the qemu socket provided is valid syntax
- if len(qemuSocket) > 0 {
- uri, err := url.Parse(qemuSocket)
- if err != nil || uri == nil {
- exitWithError(errors.Wrapf(err, "invalid value for listen-qemu"))
- }
- if _, err := os.Stat(uri.Path); err == nil && uri.Scheme == "unix" {
- exitWithError(errors.Errorf("%q already exists", uri.Path))
- }
- }
- if len(bessSocket) > 0 {
- uri, err := url.Parse(bessSocket)
- if err != nil || uri == nil {
- exitWithError(errors.Wrapf(err, "invalid value for listen-bess"))
- }
- if uri.Scheme != "unixpacket" {
- exitWithError(errors.New("listen-bess must be unixpacket:// address"))
- }
- if _, err := os.Stat(uri.Path); err == nil {
- exitWithError(errors.Errorf("%q already exists", uri.Path))
- }
- }
-
- if vpnkitSocket != "" && qemuSocket != "" {
- exitWithError(errors.New("cannot use qemu and vpnkit protocol at the same time"))
- }
- if vpnkitSocket != "" && bessSocket != "" {
- exitWithError(errors.New("cannot use bess and vpnkit protocol at the same time"))
- }
- if qemuSocket != "" && bessSocket != "" {
- exitWithError(errors.New("cannot use qemu and bess protocol at the same time"))
- }
-
- // If the given port is not between the privileged ports
- // and the oft considered maximum port, return an error.
- if sshPort < 1024 || sshPort > 65535 {
- exitWithError(errors.New("ssh-port value must be between 1024 and 65535"))
- }
- protocol := types.HyperKitProtocol
- if qemuSocket != "" {
- protocol = types.QemuProtocol
- }
- if bessSocket != "" {
- protocol = types.BessProtocol
- }
-
- if c := len(forwardSocket); c != len(forwardDest) || c != len(forwardUser) || c != len(forwardIdentify) {
- exitWithError(errors.New("-forward-sock, --forward-dest, --forward-user, and --forward-identity must all be specified together, " +
- "the same number of times, or not at all"))
- }
-
- for i := 0; i < len(forwardSocket); i++ {
- _, err := os.Stat(forwardIdentify[i])
- if err != nil {
- exitWithError(errors.Wrapf(err, "Identity file %s can't be loaded", forwardIdentify[i]))
- }
- }
-
- // Create a PID file if requested
- if len(pidFile) > 0 {
- f, err := os.Create(pidFile)
- if err != nil {
- exitWithError(err)
- }
- // Remove the pid-file when exiting
- defer func() {
- if err := os.Remove(pidFile); err != nil {
- log.Error(err)
- }
- }()
- pid := os.Getpid()
- if _, err := f.WriteString(strconv.Itoa(pid)); err != nil {
- exitWithError(err)
- }
- }
-
- config := types.Configuration{
- Debug: debug,
- CaptureFile: captureFile(),
- MTU: mtu,
- Subnet: "192.168.127.0/24",
- GatewayIP: gatewayIP,
- GatewayMacAddress: "5a:94:ef:e4:0c:dd",
- DHCPStaticLeases: map[string]string{
- "192.168.127.2": "5a:94:ef:e4:0c:ee",
- },
- DNS: []types.Zone{
- {
- Name: "containers.internal.",
- Records: []types.Record{
- {
- Name: "gateway",
- IP: net.ParseIP(gatewayIP),
- },
- {
- Name: "host",
- IP: net.ParseIP("192.168.127.254"),
- },
- },
- },
- {
- Name: "crc.testing.", // still used by current version of podman machine CNI
- Records: []types.Record{
- {
- Name: "gateway",
- IP: net.ParseIP(gatewayIP),
- },
- {
- Name: "host",
- IP: net.ParseIP("192.168.127.254"),
- },
- },
- },
- },
- DNSSearchDomains: searchDomains(),
- NAT: map[string]string{
- "192.168.127.254": "127.0.0.1",
- },
- GatewayVirtualIPs: []string{"192.168.127.254"},
- VpnKitUUIDMacAddresses: map[string]string{
- "c3d68012-0208-11ea-9fd7-f2189899ab08": "5a:94:ef:e4:0c:ee",
- },
- Protocol: protocol,
- }
-
- groupErrs.Go(func() error {
- return run(ctx, groupErrs, &config, endpoints)
- })
-
- // Wait for something to happen
- groupErrs.Go(func() error {
- select {
- // Catch signals so exits are graceful and defers can run
- case <-sigChan:
- cancel()
- return errors.New("signal caught")
- case <-ctx.Done():
- return nil
- }
- })
- // Wait for all of the go funcs to finish up
- if err := groupErrs.Wait(); err != nil {
- log.Error(err)
- exitCode = 1
- }
-}
-
-type arrayFlags []string
-
-func (i *arrayFlags) String() string {
- return "my string representation"
-}
-
-func (i *arrayFlags) Set(value string) error {
- *i = append(*i, value)
- return nil
-}
-
-func captureFile() string {
- if !debug {
- return ""
- }
- return "capture.pcap"
-}
-
-func run(ctx context.Context, g *errgroup.Group, configuration *types.Configuration, endpoints []string) error {
- vn, err := virtualnetwork.New(configuration)
- if err != nil {
- return err
- }
- log.Info("waiting for clients...")
-
- for _, endpoint := range endpoints {
- log.Infof("listening %s", endpoint)
- ln, err := transport.Listen(endpoint)
- if err != nil {
- return errors.Wrap(err, "cannot listen")
- }
- httpServe(ctx, g, ln, withProfiler(vn))
- }
-
- ln, err := vn.Listen("tcp", fmt.Sprintf("%s:80", gatewayIP))
- if err != nil {
- return err
- }
- mux := http.NewServeMux()
- mux.Handle("/services/forwarder/all", vn.Mux())
- mux.Handle("/services/forwarder/expose", vn.Mux())
- mux.Handle("/services/forwarder/unexpose", vn.Mux())
- httpServe(ctx, g, ln, mux)
-
- if debug {
- g.Go(func() error {
- debugLog:
- for {
- select {
- case <-time.After(5 * time.Second):
- log.Debugf("%v sent to the VM, %v received from the VM\n", humanize.Bytes(vn.BytesSent()), humanize.Bytes(vn.BytesReceived()))
- case <-ctx.Done():
- break debugLog
- }
- }
- return nil
- })
- }
-
- if vpnkitSocket != "" {
- vpnkitListener, err := transport.Listen(vpnkitSocket)
- if err != nil {
- return err
- }
- g.Go(func() error {
- vpnloop:
- for {
- select {
- case <-ctx.Done():
- break vpnloop
- default:
- // pass through
- }
- conn, err := vpnkitListener.Accept()
- if err != nil {
- log.Errorf("vpnkit accept error: %s", err)
- continue
- }
- g.Go(func() error {
- return vn.AcceptVpnKit(conn)
- })
- }
- return nil
- })
- }
-
- if qemuSocket != "" {
- qemuListener, err := transport.Listen(qemuSocket)
- if err != nil {
- return err
- }
-
- g.Go(func() error {
- <-ctx.Done()
- if err := qemuListener.Close(); err != nil {
- log.Errorf("error closing %s: %q", qemuSocket, err)
- }
- return os.Remove(qemuSocket)
- })
-
- g.Go(func() error {
- conn, err := qemuListener.Accept()
- if err != nil {
- return errors.Wrap(err, "qemu accept error")
-
- }
- return vn.AcceptQemu(ctx, conn)
- })
- }
-
- if bessSocket != "" {
- bessListener, err := transport.Listen(bessSocket)
- if err != nil {
- return err
- }
-
- g.Go(func() error {
- <-ctx.Done()
- if err := bessListener.Close(); err != nil {
- log.Errorf("error closing %s: %q", bessSocket, err)
- }
- return os.Remove(bessSocket)
- })
-
- g.Go(func() error {
- conn, err := bessListener.Accept()
- if err != nil {
- return errors.Wrap(err, "bess accept error")
-
- }
- return vn.AcceptBess(ctx, conn)
- })
- }
-
- if stdioSocket != "" {
- g.Go(func() error {
- conn := stdio.GetStdioConn()
- return vn.AcceptQemu(ctx, conn)
- })
- }
-
- for i := 0; i < len(forwardSocket); i++ {
- var (
- src *url.URL
- err error
- )
- if strings.Contains(forwardSocket[i], "://") {
- src, err = url.Parse(forwardSocket[i])
- if err != nil {
- return err
- }
- } else {
- src = &url.URL{
- Scheme: "unix",
- Path: forwardSocket[i],
- }
- }
-
- dest := &url.URL{
- Scheme: "ssh",
- User: url.User(forwardUser[i]),
- Host: sshHostPort,
- Path: forwardDest[i],
- }
- j := i
- g.Go(func() error {
- defer os.Remove(forwardSocket[j])
- forward, err := sshclient.CreateSSHForward(ctx, src, dest, forwardIdentify[j], vn)
- if err != nil {
- return err
- }
- go func() {
- <-ctx.Done()
- // Abort pending accepts
- forward.Close()
- }()
- loop:
- for {
- select {
- case <-ctx.Done():
- break loop
- default:
- // proceed
- }
- err := forward.AcceptAndTunnel(ctx)
- if err != nil {
- log.Debugf("Error occurred handling ssh forwarded connection: %q", err)
- }
- }
- return nil
- })
- }
-
- return nil
-}
-
-func httpServe(ctx context.Context, g *errgroup.Group, ln net.Listener, mux http.Handler) {
- g.Go(func() error {
- <-ctx.Done()
- return ln.Close()
- })
- g.Go(func() error {
- s := &http.Server{
- Handler: mux,
- ReadTimeout: 10 * time.Second,
- WriteTimeout: 10 * time.Second,
- }
- err := s.Serve(ln)
- if err != nil {
- if err != http.ErrServerClosed {
- return err
- }
- return err
- }
- return nil
- })
-}
-
-func withProfiler(vn *virtualnetwork.VirtualNetwork) http.Handler {
- mux := vn.Mux()
- if debug {
- mux.HandleFunc("/debug/pprof/", pprof.Index)
- mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
- mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
- mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
- }
- return mux
-}
-
-func exitWithError(err error) {
- log.Error(err)
- os.Exit(1)
-}
-
-func searchDomains() []string {
- if runtime.GOOS == "darwin" || runtime.GOOS == "linux" {
- f, err := os.Open("/etc/resolv.conf")
- if err != nil {
- log.Errorf("open file error: %v", err)
- return nil
- }
- defer f.Close()
- sc := bufio.NewScanner(f)
- searchPrefix := "search "
- for sc.Scan() {
- if strings.HasPrefix(sc.Text(), searchPrefix) {
- searchDomains := strings.Split(strings.TrimPrefix(sc.Text(), searchPrefix), " ")
- log.Debugf("Using search domains: %v", searchDomains)
- return searchDomains
- }
- }
- if err := sc.Err(); err != nil {
- log.Errorf("scan file error: %v", err)
- return nil
- }
- }
- return nil
-}
diff --git a/nitro-shim/tools/utils/go.mod b/nitro-shim/tools/utils/go.mod
deleted file mode 100644
index df5f09e93..000000000
--- a/nitro-shim/tools/utils/go.mod
+++ /dev/null
@@ -1,3 +0,0 @@
-module nitro-shim/utils
-
-go 1.20
diff --git a/nitro-shim/tools/utils/utils.go b/nitro-shim/tools/utils/utils.go
deleted file mode 100644
index a96d96293..000000000
--- a/nitro-shim/tools/utils/utils.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package utils
-
-import (
- "fmt"
- "log"
- "os"
-)
-
-// NewLogger creates and returns a new logger with the given log prefix.
-func NewLogger(name string) *log.Logger {
- return log.New(os.Stderr, name, log.Ldate|log.Ltime|log.LUTC|log.Lshortfile)
-}
-
-// ReadConfigFromEnv reads our configuration from environment variables. If
-// any of those variables isn't set, the function returns an error.
-func ReadConfigFromEnv(cfg map[string]string) error {
- var exists bool
- var value string
-
- for envVar := range cfg {
- value, exists = os.LookupEnv(envVar)
- if !exists {
- return fmt.Errorf("environment variable %q not set", envVar)
- }
- cfg[envVar] = value
- }
-
- return nil
-}
diff --git a/nitro-shim/tools/viproxy/Makefile b/nitro-shim/tools/viproxy/Makefile
deleted file mode 100644
index ec26b2b26..000000000
--- a/nitro-shim/tools/viproxy/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-binary = viproxy
-godeps = go.mod go.sum *.go
-
-.PHONY: all test lint $(binary) clean
-
-all: test lint $(binary)
-
-test: $(godeps)
- go test -cover ./...
-
-lint: $(godeps)
- golangci-lint run ./...
-
-$(binary): $(godeps)
- go build -o $(binary) .
-
-clean:
- rm -f $(binary)
diff --git a/nitro-shim/tools/viproxy/go.mod b/nitro-shim/tools/viproxy/go.mod
deleted file mode 100644
index cc3595163..000000000
--- a/nitro-shim/tools/viproxy/go.mod
+++ /dev/null
@@ -1,18 +0,0 @@
-module github.com/brave-experiments/ia2-parent/viproxy
-
-go 1.20
-
-replace nitro-shim/utils v0.0.0 => ../utils
-
-require (
- github.com/brave/viproxy v0.1.2
- github.com/mdlayher/vsock v1.2.0
- nitro-shim/utils v0.0.0
-)
-
-require (
- github.com/mdlayher/socket v0.4.0 // indirect
- golang.org/x/net v0.23.0 // indirect
- golang.org/x/sync v0.1.0 // indirect
- golang.org/x/sys v0.18.0 // indirect
-)
diff --git a/nitro-shim/tools/viproxy/go.sum b/nitro-shim/tools/viproxy/go.sum
deleted file mode 100644
index 99ca92b2a..000000000
--- a/nitro-shim/tools/viproxy/go.sum
+++ /dev/null
@@ -1,13 +0,0 @@
-github.com/brave/viproxy v0.1.2 h1:sOY8bI1CqLNq+KyRJrEzQuWia81UmLjK5kqTqD284hs=
-github.com/brave/viproxy v0.1.2/go.mod h1:E5v9Ajo1sPVAmgDjKDU8fLmkoJeHjtcXJIkEm8XubpQ=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
-github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
-github.com/mdlayher/vsock v1.2.0 h1:klRY9lndjmg6k/QWbX/ucQ3e2JFRm1M7vfG9hijbQ0A=
-github.com/mdlayher/vsock v1.2.0/go.mod h1:w4kdSTQB9p1l/WwGmAs0V62qQ869qRYoongwgN+Y1HE=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
diff --git a/nitro-shim/tools/viproxy/main.go b/nitro-shim/tools/viproxy/main.go
deleted file mode 100644
index cd5b6d416..000000000
--- a/nitro-shim/tools/viproxy/main.go
+++ /dev/null
@@ -1,75 +0,0 @@
-package main
-
-import (
- "net"
- "nitro-shim/utils"
- "os"
- "strconv"
- "strings"
-
- "github.com/brave/viproxy"
- "github.com/mdlayher/vsock"
-)
-
-const (
- envInAddrs = "IN_ADDRS"
- envOutAddrs = "OUT_ADDRS"
-)
-
-var l = utils.NewLogger("viproxy: ")
-
-func parseAddr(rawAddr string) net.Addr {
- var addr net.Addr
- var err error
-
- addr, err = net.ResolveTCPAddr("tcp", rawAddr)
- if err == nil {
- return addr
- }
-
- // We couldn't parse the address, so we must be dealing with AF_VSOCK. We
- // expect an address like 3:8080.
- fields := strings.Split(rawAddr, ":")
- if len(fields) != 2 {
- l.Fatal("Looks like we're given neither AF_INET nor AF_VSOCK addr.")
- }
- cid, err := strconv.ParseUint(fields[0], 10, 32)
- if err != nil {
- l.Fatal("Couldn't turn CID into integer.")
- }
- // cid ports are 32 bits
- port, err := strconv.ParseUint(fields[1], 10, 32)
- if err != nil || port == 0 {
- l.Fatal("Couldn't turn port into integer.")
- }
-
- addr = &vsock.Addr{ContextID: uint32(cid), Port: uint32(port)}
-
- return addr
-}
-
-func main() {
- // E.g.: IN_ADDRS=127.0.0.1:8080,127.0.0.1:8081 OUT_ADDRS=4:8080,4:8081 go run main.go
- inEnv, outEnv := os.Getenv(envInAddrs), os.Getenv(envOutAddrs)
- if inEnv == "" || outEnv == "" {
- l.Fatalf("Environment variables %s and %s not set.", envInAddrs, envOutAddrs)
- }
-
- rawInAddrs, rawOutAddrs := strings.Split(inEnv, ","), strings.Split(outEnv, ",")
- if len(rawInAddrs) != len(rawOutAddrs) {
- l.Fatalf("%s and %s must contain same number of addresses.", envInAddrs, envOutAddrs)
- }
-
- var tuples []*viproxy.Tuple
- for i := range rawInAddrs {
- inAddr := parseAddr(rawInAddrs[i])
- outAddr := parseAddr(rawOutAddrs[i])
- tuples = append(tuples, &viproxy.Tuple{InAddr: inAddr, OutAddr: outAddr})
- }
-
- p := viproxy.NewVIProxy(tuples)
- if err := p.Start(); err != nil {
- l.Fatalf("Failed to start VIProxy: %s", err)
- }
- <-make(chan bool)
-}