Cbc UI d2 4553 replace vsock with gvisor

.github/actions/build_aws_eif/action.yaml

@@ -116,6 +116,8 @@ runs:
         docker cp amazonlinux:/sockd                                    ${ARTIFACTS_OUTPUT_DIR}/
         docker cp amazonlinux:/vsockpx                                  ${ARTIFACTS_OUTPUT_DIR}/
         docker cp amazonlinux:/${{ inputs.identity_scope }}operator.eif ${ARTIFACTS_OUTPUT_DIR}/uid2operator.eif
+
+        docker cp amazonlinux:/gvproxy                                  ${ARTIFACTS_OUTPUT_DIR}/
 
         docker cp amazonlinux:/pcr0.txt                                 ${{ steps.buildFolder.outputs.BUILD_FOLDER }}
         docker cp amazonlinux:/pcr0.txt                                 ${ARTIFACTS_OUTPUT_DIR}/

.github/actions/build_eks_docker_image/action.yaml

@@ -87,7 +87,6 @@ runs:
       shell: bash
       working-directory: ${{ inputs.artifacts_output_dir }}
       run: |
-        ls -al
         VERSION_NUMBER=$(cat ./version_number.txt)
         echo "VERSION_NUMBER=$VERSION_NUMBER" >> $GITHUB_OUTPUT
         echo "Version Number: " $VERSION_NUMBER

.github/workflows/publish-aws-nitro-eif.yaml

@@ -50,7 +50,7 @@ jobs:
 
       - name: Update Operator Version
         id: update_version
-        uses: IABTechLab/uid2-operator/.github/actions/update_operator_version@main
+        uses: IABTechLab/uid2-operator/.github/actions/update_operator_version@cbc-UID2-4553-replace-vsock-with-gvisor
         with:
           release_type: ${{ inputs.release_type }}
           version_number_input: ${{ inputs.version_number_input }}
@@ -68,9 +68,36 @@ jobs:
     runs-on: ubuntu-latest
     needs: start
     steps:
+      - name: Free disk space
+        run: |
+          sudo docker rmi $(docker image ls -aq) >/dev/null 2>&1 || true
+          sudo rm -rf \
+            /usr/share/dotnet /usr/local/lib/android /opt/ghc \
+            /usr/local/share/powershell /usr/share/swift /usr/local/.ghcup || true
+          echo "some directories deleted"
+          sudo apt install aptitude -y >/dev/null 2>&1
+          sudo aptitude purge aria2 ansible azure-cli shellcheck rpm xorriso zsync \
+            esl-erlang firefox gfortran-8 gfortran-9 google-chrome-stable \
+            google-cloud-sdk imagemagick \
+            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
+            mercurial apt-transport-https mono-complete libmysqlclient \
+            unixodbc-dev yarn chrpath libssl-dev libxft-dev \
+            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev \
+            snmp pollinate libpq-dev postgresql-client powershell ruby-full \
+            sphinxsearch subversion mongodb-org azure-cli microsoft-edge-stable \
+            -y -f >/dev/null 2>&1
+          sudo aptitude purge google-cloud-sdk -f -y >/dev/null 2>&1
+          sudo aptitude purge microsoft-edge-stable -f -y >/dev/null 2>&1 || true
+          sudo apt purge microsoft-edge-stable -f -y >/dev/null 2>&1 || true
+          sudo aptitude purge '~n ^mysql' -f -y >/dev/null 2>&1
+          sudo aptitude purge '~n ^php' -f -y >/dev/null 2>&1
+          sudo aptitude purge '~n ^dotnet' -f -y >/dev/null 2>&1
+          sudo apt-get autoremove -y >/dev/null 2>&1
+          sudo apt-get autoclean -y >/dev/null 2>&1
+          echo "some packages purged"
       - name: Build UID2 AWS EIF
         id: build_uid2_eif
-        uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@main
+        uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@cbc-UID2-4553-replace-vsock-with-gvisor
         with:
           identity_scope: uid2
           artifacts_base_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/uid2
@@ -102,11 +129,38 @@ jobs:
   buildEUIDEIF:
     name: Build EUID EIF
     runs-on: ubuntu-latest
-    needs: start
+    needs: [start, buildUID2EIF]
     steps:
+      - name: Free disk space
+        run: |
+          sudo docker rmi $(docker image ls -aq) >/dev/null 2>&1 || true
+          sudo rm -rf \
+            /usr/share/dotnet /usr/local/lib/android /opt/ghc \
+            /usr/local/share/powershell /usr/share/swift /usr/local/.ghcup || true
+          echo "some directories deleted"
+          sudo apt install aptitude -y >/dev/null 2>&1
+          sudo aptitude purge aria2 ansible azure-cli shellcheck rpm xorriso zsync \
+            esl-erlang firefox gfortran-8 gfortran-9 google-chrome-stable \
+            google-cloud-sdk imagemagick \
+            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
+            mercurial apt-transport-https mono-complete libmysqlclient \
+            unixodbc-dev yarn chrpath libssl-dev libxft-dev \
+            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev \
+            snmp pollinate libpq-dev postgresql-client powershell ruby-full \
+            sphinxsearch subversion mongodb-org azure-cli microsoft-edge-stable \
+            -y -f >/dev/null 2>&1
+          sudo aptitude purge google-cloud-sdk -f -y >/dev/null 2>&1
+          sudo aptitude purge microsoft-edge-stable -f -y >/dev/null 2>&1 || true
+          sudo apt purge microsoft-edge-stable -f -y >/dev/null 2>&1 || true
+          sudo aptitude purge '~n ^mysql' -f -y >/dev/null 2>&1
+          sudo aptitude purge '~n ^php' -f -y >/dev/null 2>&1
+          sudo aptitude purge '~n ^dotnet' -f -y >/dev/null 2>&1
+          sudo apt-get autoremove -y >/dev/null 2>&1
+          sudo apt-get autoclean -y >/dev/null 2>&1
+          echo "some packages purged"
       - name: Build EUID AWS EIF
         id: build_euid_eif
-        uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@main
+        uses: IABTechLab/uid2-operator/.github/actions/build_aws_eif@cbc-UID2-4553-replace-vsock-with-gvisor
         with:
           identity_scope: euid
           artifacts_base_output_dir: ${{ env.ARTIFACTS_BASE_OUTPUT_DIR }}/euid

.gitignore

@@ -13,3 +13,4 @@ e2e-target
 *.iml
 # Ignore generated credentials from google-github-actions/auth
 gha-creds-*.json
+opt/*

Dockerfile.nitro.builder

@@ -1,10 +1,21 @@
-FROM ubuntu:22.04
+FROM golang:1.23.0 AS go-build
+
+WORKDIR /build
+
+RUN git clone https://github.com/containers/gvisor-tap-vsock.git \
+    && cd gvisor-tap-vsock \
+    && make \
+    && cd .. \
+    && cp gvisor-tap-vsock/bin/gvproxy ./gvproxy \
+    && cp gvisor-tap-vsock/bin/gvforwarder ./gvforwarder
+
+FROM ubuntu:22.04 AS main
 
 ENV enclave_platform="aws-nitro"
 
 # install build-essential, openjdk, maven, git
 RUN apt-get update -y \
-    && apt-get install -y curl -y build-essential pkg-config libssl-dev cmake openjdk-21-jdk maven git \
+    && apt-get install -y curl -y build-essential pkg-config libssl-dev cmake openjdk-21-jdk maven golang-go git \
     && rm -rf /var/lib/apt/lists/*
 
 # install rust
@@ -31,3 +42,5 @@ RUN git clone https://github.com/IABTechLab/uid2-aws-enclave-vsockproxy.git \
     && mkdir uid2-aws-enclave-vsockproxy/build \
     && (cd uid2-aws-enclave-vsockproxy/build; cmake .. -DCMAKE_BUILD_TYPE=RelWithDebInfo; make; cd ../..) \
     && cp uid2-aws-enclave-vsockproxy/build/vsock-bridge/src/vsock-bridge ./vsockpx
+
+COPY --from=go-build /build/gvforwarder ./gvforwarder

Makefile.eif

@@ -13,11 +13,11 @@ all: build_eif
 
 build_eif: uid2operator.eif euidoperator.eif
 
-uid2operator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/Dockerfile build/load_config.py build/make_config.py
+uid2operator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/gvforwarder build/Dockerfile build/load_config.py build/make_config.py
 	cd build; docker build -t uid2operator . --build-arg JAR_VERSION=`cat package.version` --build-arg IMAGE_VERSION=`cat package.version`-`git show --format="%h" --no-patch`; docker save -o ./uid2operator.tar uid2operator; docker cp ./uid2operator.tar amazonlinux:/uid2operator.tar; rm -f ./uid2operator.tar
 	docker exec amazonlinux bash aws_nitro_eif.sh uid2operator
 
-euidoperator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/Dockerfile build/load_config.py build/make_config.py
+euidoperator.eif: build_artifacts build_configs build/proxies.nitro.yaml build/syslog-ng-client.conf build/syslog-ng-core_4.6.0-1_amd64.deb build/syslog-ng-ose-pub.asc build/entrypoint.sh build/vsockpx build/gvforwarder build/Dockerfile build/load_config.py build/make_config.py
 	cd build; docker build -t euidoperator . --build-arg IDENTITY_SCOPE='EUID' --build-arg JAR_VERSION=`cat package.version` --build-arg IMAGE_VERSION=`cat package.version`-`git show --format="%h" --no-patch`; docker save -o ./euidoperator.tar euidoperator; docker cp ./euidoperator.tar amazonlinux:/euidoperator.tar; rm -f ./euidoperator.tar
 	docker exec amazonlinux bash aws_nitro_eif.sh euidoperator
 

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.43.4</version>
+    <version>5.43.31-alpha-161-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

scripts/aws/Dockerfile

@@ -20,13 +20,15 @@ COPY ./syslog-ng-ose-pub.asc /app/dep/
 
 RUN echo "deb http://security.ubuntu.com/ubuntu focal-security main" | tee -a /etc/apt/sources.list \
     && apt update -y \
-    && apt install -y pkg-config libssl-dev libssl1.1 net-tools curl jq netcat python3 python3-pip libcap2 libivykis0 libjson-c5 libnet1 libwrap0 \
+    && apt install -y pkg-config libssl-dev libssl1.1 net-tools curl jq netcat python3 python3-pip libcap2 libivykis0 libjson-c5 libnet1 libwrap0 busybox udhcpc\
     && apt-key add /app/dep/syslog-ng-ose-pub.asc \
     && apt-get install /app/dep/syslog-ng-core_4.6.0-1_amd64.deb \
     && rm -rf /var/lib/apt/lists/* \
     && apt-key del 6694369F 
 RUN pip3 install boto3==1.16.9
 
+COPY ./gvforwarder /app
+
 COPY ./target/${JAR_NAME}-${JAR_VERSION}-jar-with-dependencies.jar /app/${JAR_NAME}-${JAR_VERSION}.jar
 COPY ./static             /app/static
 COPY ./libjnsm.so         /app/lib/

scripts/aws/eks-pod/Dockerfile

@@ -10,6 +10,7 @@ ARG SYSLOG_NG_LOGROTATE_RPM="syslog-ng-logrotate-4.7.1.104.gcc5a7d9-1.amzn2023.x
 COPY ./sockd /home/
 COPY ./sockd_eks.conf /etc/sockd.conf
 COPY ./vsockpx /home
+COPY ./gvproxy /home
 COPY ./${IVYKIS_RPM} /home/syslog-ng/
 COPY ./${LIBNET_RPM} /home/syslog-ng/
 COPY ./${PUBKEY} /home/syslog-ng/

scripts/aws/eks-pod/entrypoint.sh

@@ -32,6 +32,9 @@ function setup_vsockproxy() {
     echo "starting vsock proxy at $VSOCK_PROXY with $VSOCK_THREADS worker threads..."
     $VSOCK_PROXY -c $VSOCK_CONFIG --workers $VSOCK_THREADS --log-level $VSOCK_LOG_LEVEL --daemon
     echo "vsock proxy now running in background."
+
+    /home/gvproxy -listen vsock://:1024 -listen unix:///tmp/network.sock &
+    curl  --unix-socket /tmp/network.sock http:/unix/services/forwarder/expose -X POST -d '{"local":":80","remote":"192.168.127.2:8080"}' &
 }
 
 function setup_dante() {

scripts/aws/eks-pod/proxies.host.yaml

@@ -5,11 +5,6 @@ socks5h-proxy:
   listen: vsock://-1:3305
   connect: tcp://127.0.0.1:3306
 
-operator-service:
-  service: direct
-  listen: tcp://0.0.0.0:80
-  connect: vsock://42:8080
-
 operator-prometheus:
   service: direct
   listen: tcp://0.0.0.0:9080

scripts/aws/entrypoint.sh

@@ -18,6 +18,10 @@ ifconfig lo 127.0.0.1
 echo "Starting vsock proxy..."
 /app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( ( $(nproc) + 3 ) / 4 )) --log-level 3
 
+# -- gvisor forwarder
+/app/gvforwarder -debug -url vsock://3:1024/connect &
+sleep 5
+
 # -- load config from identity service
 echo "Loading config from identity service via proxy..."
 

scripts/aws/pipeline/amazonlinux.Dockerfile

@@ -5,7 +5,7 @@ RUN yum -y update
     # systemd is not a hard requirement for Amazon ECS Anywhere, but the installation script currently only supports systemd to run.
     # Amazon ECS Anywhere can be used without systemd, if you set up your nodes and register them into your ECS cluster **without** the installation script.
 RUN yum -y groupinstall "Development Tools"
-RUN yum -y install systemd vim-common wget git tar
+RUN yum -y install systemd vim-common wget git tar go
 RUN yum clean all
 
 RUN yum -y install cmake cmake3
@@ -47,6 +47,13 @@ RUN git clone https://github.com/IABTechLab/uid2-aws-enclave-vsockproxy.git \
     && cd uid2-aws-enclave-vsockproxy/build; cmake .. -DCMAKE_BUILD_TYPE=RelWithDebInfo; make; cd ../.. \
     && cp uid2-aws-enclave-vsockproxy/build/vsock-bridge/src/vsock-bridge ./vsockpx
 
+RUN git clone https://github.com/containers/gvisor-tap-vsock.git \
+    && cd gvisor-tap-vsock \
+    && make \
+    && cd .. \
+    && cp gvisor-tap-vsock/bin/gvproxy ./gvproxy \
+    && cp gvisor-tap-vsock/bin/gvforwarder ./gvforwarder
+
 COPY ./scripts/aws/pipeline/aws_nitro_eif.sh /aws_nitro_eif.sh
 
 CMD ["/usr/sbin/init"]

scripts/aws/pipeline/amazonlinux2023.Dockerfile

@@ -5,7 +5,7 @@ RUN dnf update -y
     # systemd is not a hard requirement for Amazon ECS Anywhere, but the installation script currently only supports systemd to run.
     # Amazon ECS Anywhere can be used without systemd, if you set up your nodes and register them into your ECS cluster **without** the installation script.
 RUN dnf -y groupinstall "Development Tools" \
-    && dnf -y install systemd vim-common wget git tar libstdc++-static.x86_64 cmake cmake3 aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel \
+    && dnf -y install systemd vim-common wget git tar libstdc++-static.x86_64 cmake cmake3 go aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel \
     && dnf clean all
 
 RUN systemctl enable docker
@@ -24,6 +24,13 @@ RUN git clone https://github.com/IABTechLab/uid2-aws-enclave-vsockproxy.git \
     && cp uid2-aws-enclave-vsockproxy/build/vsock-bridge/src/vsock-bridge ./vsockpx \
     && rm -rf uid2-aws-enclave-vsockproxy
 
+RUN git clone https://github.com/containers/gvisor-tap-vsock.git \
+    && cd gvisor-tap-vsock \
+    && make \
+    && cd .. \
+    && cp gvisor-tap-vsock/bin/gvproxy ./gvproxy \
+    && cp gvisor-tap-vsock/bin/gvforwarder ./gvforwarder
+
 COPY ./scripts/aws/pipeline/aws_nitro_eif.sh /aws_nitro_eif.sh
 
 CMD ["/usr/sbin/init"]

scripts/aws/proxies.nitro.yaml

@@ -1,10 +1,4 @@
 ---
-
-uid-operator-in:
-  service: direct
-  listen: vsock://-1:8080
-  connect: tcp://127.0.0.1:8080
-
 prometheus-server:
   service: direct
   listen: vsock://-1:9080