Merge pull request #34 from ros-swg/foxy
Update for Foxy
ruffsl authored Mar 3, 2021
2 parents 1a13f57 + 5314f14 commit 70057f4
Showing 28 changed files with 681 additions and 1,682 deletions.
37 changes: 0 additions & 37 deletions .docker/overlay.repos

This file was deleted.

136 changes: 82 additions & 54 deletions Dockerfile
@@ -1,91 +1,119 @@
FROM osrf/ros:dashing-desktop
# FROM osrf/ros2:nightly
ARG FROM_IMAGE=ros:foxy
ARG OVERLAY_WS=/opt/ros/overlay_ws

# multi-stage for caching
FROM $FROM_IMAGE AS cacher

# copy overlay source
ARG OVERLAY_WS
WORKDIR $OVERLAY_WS
COPY ./overlay ./
RUN vcs import src < overlay.repos && \
find src -name ".git" | xargs rm -rf || true

# copy manifests for caching
WORKDIR /opt
RUN mkdir -p /tmp/opt && \
find ./ -name "package.xml" | \
xargs cp --parents -t /tmp/opt && \
find ./ -name "COLCON_IGNORE" | \
xargs cp --parents -t /tmp/opt || true

# multi-stage for building
FROM $FROM_IMAGE AS builder
ARG DEBIAN_FRONTEND=noninteractive

# install helpful developer tools
RUN apt-get update && apt-get install -y \
bash-completion \
byobu \
ccache \
fish \
glances \
micro \
nano \
python3-argcomplete \
tree \
vim \
&& cd /usr/bin && curl https://getmic.ro | bash \
&& rm -rf /var/lib/apt/lists/*

# install turtlebot external packages
RUN apt-get update && apt-get install -y \
ros-$ROS_DISTRO-rqt* \
ros-$ROS_DISTRO-turtlebot3-cartographer \
ros-$ROS_DISTRO-turtlebot3-navigation2 \
ros-$ROS_DISTRO-turtlebot3-simulations \
ros-$ROS_DISTRO-turtlebot3-teleop \
&& rm -rf /var/lib/apt/lists/*
# # install RTI Connext DDS
# # set up environment
# ENV NDDSHOME /opt/rti.com/rti_connext_dds-6.0.1
# WORKDIR $NDDSHOME
# COPY ./rti ./
# RUN yes | ./rti_connext_dds-6.0.1-eval-x64Linux3gcc5.4.0.run && \
# mv y/*/* ./ && rm -rf y
# # set RTI DDS environment
# ENV CONNEXTDDS_DIR $NDDSHOME
# ENV PATH "$NDDSHOME/bin":$PATH
# ENV LD_LIBRARY_PATH "$NDDSHOME/lib/x64Linux3gcc5.4.0":$LD_LIBRARY_PATH
# # set RTI openssl environment
# ENV PATH "$NDDSHOME/third_party/openssl-1.1.1d/x64Linux4gcc7.3.0/release/bin":$PATH
# ENV LD_LIBRARY_PATH "$NDDSHOME/third_party/openssl-1.1.1d/x64Linux4gcc7.3.0/release/lib":$LD_LIBRARY_PATH

# clone overlay package repos
ENV TB3_OVERLAY_WS /opt/tb3_overlay_ws
RUN mkdir -p $TB3_OVERLAY_WS/src
WORKDIR $TB3_OVERLAY_WS
COPY .docker/overlay.repos ./
RUN vcs import src < overlay.repos
# Install extra sources from this repo
COPY example_nodes/ src/example_nodes
# RUN vcs import src < src/ros-planning/navigation2/tools/ros2_dependencies.repos

# install overlay package dependencies
RUN . /opt/ros/$ROS_DISTRO/setup.sh \
&& rosdep update \
&& rosdep install -y \
# install overlay dependencies
ARG OVERLAY_WS
WORKDIR $OVERLAY_WS
COPY --from=cacher /tmp/$OVERLAY_WS/src ./src
RUN . /opt/ros/$ROS_DISTRO/setup.sh && \
apt-get update && rosdep update \
--rosdistro $ROS_DISTRO && \
apt-get upgrade -y && \
rosdep install -q -y \
--from-paths src \
--ignore-src \
--skip-keys " \
ament_mypy \
libopensplice69 \
rti-connext-dds-5.3.1 \
" \
&& rm -rf /var/lib/apt/lists/*

# build overlay package source
# RUN touch $TB3_OVERLAY_WS/src/turtlebot3/turtlebot3_node/COLCON_IGNORE
# build overlay source
COPY --from=cacher $OVERLAY_WS/src ./src
ARG OVERLAY_MIXINS="release ccache"
RUN . /opt/ros/$ROS_DISTRO/setup.sh && \
colcon build \
--symlink-install
--symlink-install \
--mixin $OVERLAY_MIXINS

# fetch and install tools for reconnaissance
WORKDIR /tmp
RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \
libgmp3-dev gengetopt \
libpcap-dev flex byacc \
libjson-c-dev unzip \
libunistring-dev wget \
libxml2-dev libxslt1-dev \
libffi-dev libssl-dev \
tshark && \
rm -rf /var/lib/apt/lists/*
RUN git clone https://github.com/aliasrobotics/aztarna && \
cd aztarna && python3 setup.py install
# # install RTI Connext
# ENV RTI_NC_LICENSE_ACCEPTED yes
# RUN apt-get update && apt-get install -y \
# ros-$ROS_DISTRO-rmw-connext-cpp \
# && rm -rf /var/lib/apt/lists/*
# # set up environment
# ENV NDDSHOME /opt/rti.com/rti_connext_dds-5.3.1
# ENV PATH "$NDDSHOME/bin":$PATH
# ENV LD_LIBRARY_PATH "$NDDSHOME/lib/x64Linux3gcc5.4.0":$LD_LIBRARY_PATH
# # install RTI Security
# WORKDIR $NDDSHOME
# # ADD https://s3.amazonaws.com/RTI/Bundles/5.3.1/Evaluation/rti_connext_dds_secure-5.3.1-eval-x64Linux3gcc5.4.0.tar.gz ./
# # RUN tar -xvf rti_connext_dds_secure-5.3.1-eval-x64Linux3gcc5.4.0.tar.gz -C ./
# COPY ./rti ./
# RUN rtipkginstall rti_security_plugins-5.3.1-eval-x64Linux3gcc5.4.0.rtipkg && \
# rtipkginstall openssl-1.0.2n-5.3.1-host-x64Linux.rtipkg && \
# tar -xvf openssl-1.0.2n-target-x64Linux3gcc5.4.0.tar.gz
# ENV PATH "$NDDSHOME/openssl-1.0.2n/x64Linux3gcc5.4.0/release/bin":$PATH
# ENV LD_LIBRARY_PATH "$NDDSHOME/openssl-1.0.2n/x64Linux3gcc5.4.0/release/lib":$LD_LIBRARY_PATH
# # install RTI QoS
# ENV NDDS_QOS_PROFILES "$NDDSHOME/NDDS_QOS_PROFILES.xml"

# generate artifacts for keystore
ENV TB3_DEMO_DIR $TB3_OVERLAY_WS/..
ENV TB3_DEMO_DIR $OVERLAY_WS/..
WORKDIR $TB3_DEMO_DIR
COPY policies policies
RUN . $TB3_OVERLAY_WS/install/setup.sh && \
RUN . $OVERLAY_WS/install/setup.sh && \
ros2 security generate_artifacts -k keystore \
-p policies/tb3_gazebo_policy.xml \
-n /_ros2cli
-p policies/tb3_gazebo_policy.xml

# copy demo files
COPY maps maps
COPY configs configs
COPY .gazebo /root/.gazebo

# source overlay workspace from entrypoint
ENV OVERLAY_WS $OVERLAY_WS
RUN sed --in-place \
's|^source .*|source "$TB3_OVERLAY_WS/install/setup.bash"|' \
's|^source .*|source "$OVERLAY_WS/install/setup.bash"|' \
/ros_entrypoint.sh && \
cp /etc/skel/.bashrc ~/ && \
echo 'source "$TB3_OVERLAY_WS/install/setup.bash"' >> ~/.bashrc
echo 'source "$OVERLAY_WS/install/setup.bash"' >> ~/.bashrc

ENV TURTLEBOT3_MODEL='burger' \
GAZEBO_MODEL_PATH=/opt/ros/$ROS_DISTRO/share/turtlebot3_gazebo/models:$GAZEBO_MODEL_PATH
GAZEBO_MODEL_PATH=$OVERLAY_WS/install/turtlebot3_gazebo/share/turtlebot3_gazebo/models:$GAZEBO_MODEL_PATH
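Review bot: In the `cacher` stage, the trailing `|| true` on `RUN vcs import src < overlay.repos && find src -name ".git" | xargs rm -rf || true` applies to the whole `&&` list, so a failed `vcs import` still lets the layer succeed and the build carries on with a missing or partial `src`. The manifest-copy RUN has the same shape, where a failed `cp --parents` of the `package.xml` files is hidden by the `|| true` meant for the `COLCON_IGNORE` lookup. Suggest scoping the fallback to the step that can legitimately come up empty, for example `vcs import src < overlay.repos && (find src -name ".git" | xargs rm -rf || true)`, or using `xargs -r` so an empty match needs no `|| true` at all. Separately, the developer-tools RUN shows `curl https://getmic.ro | bash`, which executes an unverified remote script during the build while `micro` is already in the apt list just above it; if that line is meant to stay, prefer the apt package alone or check a pinned checksum before running the script.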
91 changes: 5 additions & 86 deletions README.md
@@ -1,6 +1,6 @@
# Secure Turtlebot3 Demo

This repository includes a demo for securing a simulated Turtlebot3 using SROS2; including sensor and control topics as well the relevant portions of the cartographer and navigation2 software stacks.
This repository includes a demo for securing a simulated Turtlebot3 using SROS2; including sensor and control topics as well the relevant portions of the slam_toolbox and navigation2 software stacks.

## Setting the Demo

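Review bot: The reworded intro sentence still reads "as well the relevant portions", which is missing a word ("as well as the relevant portions"). Since the line is already being edited for the slam_toolbox rename, fix it in the same change, and consider replacing the semicolon before "including" with a comma.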
Expand All @@ -16,7 +16,7 @@ To run this demo using docker, the following dependencies are required:
* Please ensure display forwarding is working with rocker.
* [nvidia-docker](https://github.com/NVIDIA/nvidia-docker) is also useful for those with a GPU.
* [off-your-rocker](https://github.com/sloretz/off-your-rocker)
* Rocker extension. Required to run the sandbox demo. Used to pass arbitrary arguments Docker arguments through rocker.
* Rocker extension, for passing through arbitrary Docker arguments.

For those who can't use linux containers or for detailed instructions on how to build, you may still follow the general build steps of the [Dockerfile](Dockerfile).

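Review bot: The off-your-rocker bullet sits under "the following dependencies are required", but the reworded description no longer says what needs it, and the only command on the page that passes `--oyr-run-arg` belongs to the Sandboxed Nodes Demo section that this change deletes. Either drop the bullet or mark it optional and name the remaining command that uses it.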
Expand All @@ -41,7 +41,7 @@ Byobu starts a new session and launch the turtlebot3 demo over several windows:
* initialize pose script
* navigation goal script
* `mapping`
* cartographer mapping stack
* slam_toolbox mapping stack
* save map file
* map topic info
* `sros`
Expand All @@ -55,50 +55,10 @@ You can first drive the robot around and generate a map using the teleoperation

[![](media/mapping3.png)](media/mapping.mp4)

Feel free to poke around, open a new window and list or echo topics and services. You can explore the other panes as well, for example you can stop cartographer in the `mapping` window and start the navigation launchfile from the `navigation` window. You will stat by localizing the robot by initializing the pose and then setting a navigation goal via the scripts in the respective window panes. This can also be done graphically via rviz.
Feel free to poke around, open a new window and list or echo topics and services. You can explore the other panes as well, for example you can stop slam_toolbox in the `mapping` window and start the navigation launchfile from the `navigation` window. You will stat by localizing the robot by initializing the pose and then setting a navigation goal via the scripts in the respective window panes. This can also be done graphically via rviz.

[![](media/localize.png)](media/localize.mp4)

## Running the reconnaissance demo:

Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching/connecting-to the target) or passively (meaning that your reconnaissance is being performed through an intermediary).

The purpose of reconnaissance is to accumulate as much information as possible about a robot or robot component, including the available ROS abstractions (topics, services, etc.), the version of ROS, the target’s hardware platform and more.

In this short tutorial we'll demonstrate the use of [`aztarna`](https://github.com/aliasrobotics/aztarna/), a tool for performing reconnaissance in a variety of robotic systems. Particularly, we'll look at the information we can obtain by performing active reconnaissance in an unsecure robot acting both as an attacker with direct access to the robot ("host/container" insider) and as an attacker with access to the local internal network where ROS 2 operates.

### Host/container insider attacker
``` bash
rocker --x11 --nvidia rosswg/turtlebot3_demo:roscon19 "byobu -f configs/unsecure.conf attach"
```

### Internal network attacker
``` bash
# in Terminal (terminal 1), initialize first a swarm
docker swarm init
# in Terminal (terminal 1), create the network overlay
docker network create -d overlay \
--subnet=10.0.0.0/24 \
--gateway=10.0.0.1 \
--ip-range 10.0.0.192/27 \
--attachable \
overlay

# in another Terminal (terminal 2), launch demo
rocker --x11 --nvidia --network overlay rosswg/turtlebot3_demo:roscon19 "byobu -f configs/unsecure.conf attach"

# in another Terminal (terminal 3), launch another container
docker run -it --rm --network overlay --name aztarna rosswg/turtlebot3_demo:roscon19 /bin/bash
# then perform a scan
$ aztarna -t ros2
```

Cleanup afterwards:
```bash
docker network rm overlay
```


## Running the secure demo:

So far we've simply launched the turtlebot3 without using SROS2. To enable security, simply exit the previous byobu session and start a new one now using the secure config:
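Review bot: The updated "Feel free to poke around" paragraph keeps the typo "You will stat by localizing the robot"; change "stat" to "start" while the line is being touched for the slam_toolbox rename.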
Expand All @@ -120,7 +80,6 @@ These variables simply enable as well as enforce security for all ros2 nodes whi

* https://design.ros2.org/articles/ros2_dds_security.html


## Re-generate security artifacts

Using the same attached session above, now lets try and generate security artifacts for ourselves, rather than simply using the same artifacts that came bundled in the demo docker image. We can start by switching over to the sros window and clearing out the existing keystore:
Expand Down Expand Up @@ -188,51 +147,11 @@ export ROS_SECURITY_ENABLE=true

Now try starting another teleop node with security disabled and check that only the secure teleop node can drive the robot.

## Sandboxed Nodes Demo

The [ROSCon 2019](https://ros-swg.github.io/ROSCon19_Security_Workshop/) [ROS2 Security Workshop](https://ros-swg.github.io/ROSCon19_Security_Workshop/)
will present the opportunity to run the Turtlebot3 demo using the [launch-ros-sandbox](https://github.com/aws-robotics/launch-ros-sandbox)
package. Specifically, the demo uses this package to launch the Turtlebot3 navigation nodes in a docker container. See the
configs/sandbox_demo/navigation_sandbox.launch.py launch file for details.

### Running the Security Workshop Sandbox Node Demo

``` bash
rocker --x11 --nvidia rosswg/turtlebot3_demo "byobu -f configs/sandbox_demo/unsecure.conf attach"
```

Omit the `--nvidia` arg if you don't have dedicated GPU for hardware acceleration of 3D OpenGL views.

Likewise, the following command is used to run the demo using the secure config:

``` bash
rocker --x11 --nvidia rosswg/turtlebot3_demo "byobu -f configs/sandbox_demo/secure.conf attach"
```

### Demonstrating Sandbox Resource Limits

This demo shows how robot code, acting improperly, can negatively affect the entire robotic system.

``` bash
rocker --x11 --nvidia rosswg/turtlebot3_demo "byobu -f configs/sandbox_demo/bad_actor.conf attach" --oyr-run-arg " -v /var/run/docker.sock:/var/run/docker.sock "
```

After launching with the above config, there are two commands ready in the `bad_actor` byobu window.
They are ready to run a cpu hog that will fork many busy processes.
This is a contrived example - but it illustrates what could happen if a node that you are using hits an untested code path and goes into an infinite loop.

If you run the top command (`ros2 run...`), you can see the CPU of your system jump to 100% usage (check the `diagnostic` byobu window), grinding everything else to a halt.

However, if you kill that and run the bottom command (`ros2 launch ...`), it will launch inside a container that has a CPU resource limit set.
This launch will be able to use at most 2 CPUs worth of processing, allowing the rest of the demo to still run at a normal speed.
See `example_nodes/launch/sandboxed_cpu_hog.launch.py` for some more info on the arguments that make this happen.


## Developing
To rebuild this demo locally if you are working on it, you can rebuild the Docker image with the same tag, so all above demo commands will work correctly.

``` bash
git clone git@github.com:ros-swg/turtlebot3_demo.git
cd turtlebot3_demo
docker build . -t rosswg/turtlebot3_demo
docker build --tag rosswg/turtlebot3_demo .
```
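Review bot: The Developing section documents only `docker build --tag rosswg/turtlebot3_demo .`, while the Dockerfile in this same commit introduces the build arguments `FROM_IMAGE`, `OVERLAY_WS` and `OVERLAY_MIXINS`. Add a sentence listing them with their defaults (`ros:foxy`, `/opt/ros/overlay_ws`, `release ccache`) and one `--build-arg` usage line, so readers rebuilding against a different base image know the supported knobs.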