`govet` now complains about them as they’ve been superseded by
`//go:build` for a while now:
```
test-win-sshproxy/suite_test.go:2:1: buildtag: +build line is no longer needed (govet)
```
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
This is a little rethink of how to configure. Since the previous
implementation disallows using the compiled binaries in releases, I
have prepared a more flexible version. However, the legacy behavior
(without configuration file) remains as is (proven by unit tests).
List of changes:
- Enable the -config flag. If no such flag is provided, the original behavior remains.
- Partial refactoring of the initialization process.
- Most of the changes are tested, see unit tests.
I'm trying to enable multi-VM local lab which should support different
host OS, guest OS, guest arches. With this tool I have resolved the
significant problem with the proper VM networking (at least for MacOS).
Signed-off-by: Andre Buryndin <themrecco@gmail.com>
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Added the `ec2-metadata-access` flag to allow TCP traffic to be routed to the AWS EC2 metadata service explicitly.
This flag is required for easy AWS Nitro Enclave to EC2 IMDSv2 communication via gvproxy. Originally
`lincLocal` access was blocked in #f4a40d2 to prevent issues with the CoreOS VM.
Signed-off-by: David Dornseifer <dornseid@amazon.com>
Instead of always writing to a `capture.pcap` file in the current
directory when --debug is used, this commit introduces a separate --pcap
argument, which can also be used to specify the path to the capture
file.
These pcap files can get huge, and are not always useful when debug logs
are requested, so it’s better to separate --debug and --pcap.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
When disposing of the vfkit socket, gvproxy fails to remove it because it tries to remove the unixgram URI (e.g. unixgram:///var/folders/n4/n5hyrstd2739lcy9903jn8f40000gn/T/podman/podman-gvproxy.sock).
This patch fixes it by extracting the path from the URI.
Signed-off-by: Luca Stocchi <lstocchi@redhat.com>
According to macOS 'man 5 resolver', 'search' is limited to six domains with a total of 256 characters. This commit uses only 256/6 domains and cuts the rest.
Since glibc 2.26, Linux has no limitation on 'search'.
Signed-off-by: Yevhen Vydolob <yvydolob@redhat.com>
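As an added Go example (not code from this commit or the project), a function that enforces the two macOS limits the commit describes and leaves the list alone elsewhere, per the glibc note; the 256-character total is assumed to be counted over the space-joined list as it would be written to the resolver file, and the sample domains are constructed:

```go
package main

import (
	"fmt"
	"strings"
)

// Limits from macOS `man 5 resolver` for the "search" directive.
const (
	macOSMaxSearchDomains = 6
	macOSMaxSearchChars   = 256
)

// limitSearchDomains trims a search list to what the platform resolver
// honours. On macOS that is at most six domains and 256 characters in total;
// the total is counted here (an assumption) over the space-joined list as it
// would be written to the resolver file. glibc 2.26+ on Linux imposes no
// limit, so for any other goos the list is returned unchanged.
func limitSearchDomains(domains []string, goos string) []string {
	if goos != "darwin" {
		return domains
	}
	out := make([]string, 0, macOSMaxSearchDomains)
	used := 0
	for _, d := range domains {
		if d == "" {
			continue
		}
		need := len(d)
		if len(out) > 0 {
			need++ // separating space in the written search line
		}
		if len(out) == macOSMaxSearchDomains || used+need > macOSMaxSearchChars {
			break // cut the rest rather than emit a list the resolver truncates
		}
		out = append(out, d)
		used += need
	}
	return out
}

func main() {
	// Constructed sample: seven short domains, one too many for macOS.
	list := []string{"a.test", "b.test", "c.test", "d.test", "e.test", "f.test", "g.test"}
	fmt.Println(strings.Join(limitSearchDomains(list, "darwin"), " "))
	fmt.Println(len(limitSearchDomains(list, "linux")))
}
```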
In the current implementation, when gvproxy is started with the --listen option, it exposes an HTTP API with several endpoints like /connect, /stats, /services, ...
The /connect endpoint, however, is only used when the gvforwarder tool is running on the guest, and, when using different connectivities like --listen-vfkit or --listen-qemu, it is not really necessary.
This commit adds a new flag --services that allows starting the HTTP API without the /connect endpoint. It could be used when using a different network connectivity and still wanting a lighter HTTP API. It accepts the endpoint where it will be reachable, e.g. `gvproxy --listen-vfkit .... --services unix:///tmp/svc_gvproxy.sock`
Signed-off-by: Luca Stocchi <lstocchi@redhat.com>
As reported in https://github.com/containers/podman/issues/21426, it
may happen that during a Windows update the Event Log Service is
disabled automatically without the user noticing it. In this case win-sshproxy
fails to start because it is not able to write logs.
However, the Event Log Service could also be disabled voluntarily by the
user and we cannot be sure that the user wants to or can re-enable it. In such a case,
a warn log is printed and win-sshproxy keeps executing. It
should be up to the user to decide whether to start the Event Log service again or keep
running win-sshproxy without logs.
Signed-off-by: lstocchi <lstocchi@redhat.com>
This commit fixes a potential race condition that prevented the tests from succeeding
when running in a GitHub workflow.
Basically, the thread id was not actually available before
writing it to the file, resulting in a thread id equal to 0 being written to it.
So, when the tests tried to retrieve the thread id to use it to send
the WM_QUIT signal, they failed.
This patch adds a check on the thread id before writing
it to the file. Now, if the thread id is 0, it keeps calling winquit to
retrieve it. If, after 10 secs, there is no success, it returns an error.
Signed-off-by: lstocchi <lstocchi@redhat.com>
The original PR only enabled log-file on the command line. This PR adds
log-file to gvproxy's builder (for consumption) and adds a trivial test.
Also, when --debug is used, we seed the log file with some environment
information.
Signed-off-by: Brent Baude <bbaude@redhat.com>
Some errors are currently not logged, or without much context.
This commit adds prefixes to some of these, to make it easier to
understand the codepaths which caused gvproxy to exit.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Add the ability to specify a log-file for log messages. This PR redirects all
logged messages from the logrus logger to a given file. It is intended
to help debug gvproxy failures and usage.
Signed-off-by: Brent Baude <bbaude@redhat.com>
This sets the version to `git describe --always --dirty` using the
`-X github.com/containers/gvisor-tap-vsock/pkg/types.ModuleVersion`
linker flag.
This adds a -version flag to all binaries which currently have
command-line flags.
Correct versioning when installing from tarballs, and through
`go install` will be addressed in the next commits.
This fixes https://github.com/containers/gvisor-tap-vsock/issues/295
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Leverages WM_CLOSE and WM_QUIT events on win32 for SIGTERM-like behavior.
The improved/updated logic is now implemented in a shared containers/winquit module.
Also refactors win-sshproxy.exe to be consistent (it had its own precursor impl).
Signed-off-by: Jason T. Greene <jason.greene@redhat.com>
Some tools hard code the `host.docker.internal` dns name so it is not
possible to run them with podman right now. Adding the entry is simple
so we should support it for better compatibility.
Also remove crc.testing, podman does not depend on it since at least
v4.0 and it seems like there are no other users.
see https://github.com/containers/podman/issues/19361
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit improves networking performance by 1) moving an unnecessary
allocation to outside the hot loop and by 2) eliminating an unnecessary
Write call.
This results in ~7% faster throughput as measured via iperf3 and a custom
Web service to measure requests per second. Note that this is *despite*
the append call.
Signed-off-by: Philipp Winter <phw@brave.com>
Communication must happen over a connected datagram unix socket. This
reuses most of the work which was done for bess.
Since there is no 'accept' with unixgram sockets which could be used to
get the address to send the data back to (i.e. the VM address), this adds
a handshake between the VM and gvproxy:
- gvproxy listens on a unixgram socket at a known location
- vfkit connects to this location
- vfkit sends "VFKT"
- gvproxy receives this message and gets the VM address from it
- network traffic can now happen between gvproxy and vfkit
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
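The five-step handshake above, written out as an added Go example that is not the project's code: both ends run in one process under a directory the caller supplies, the socket file names and the `frame-to-vm` payload are constructed for the example, and it shows the caveat the commit implies, that the vfkit side must bind a named socket or gvproxy learns no address to reply to.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"time"
)

const vfkitMagic = "VFKT" // handshake message named in the commit
// Handshake runs both ends in-process under dir and returns the first frame
// the vfkit side gets back from gvproxy. unixgram has no accept() that would
// hand gvproxy the peer address, so it is learnt from the sender of "VFKT".
func Handshake(dir string) (string, error) {
	gv := &net.UnixAddr{Name: filepath.Join(dir, "gvproxy.sock"), Net: "unixgram"}
	vm := &net.UnixAddr{Name: filepath.Join(dir, "vfkit.sock"), Net: "unixgram"}
	srv, err := net.ListenUnixgram("unixgram", gv) // 1. gvproxy listens at a known path
	if err != nil {
		return "", err
	}
	defer srv.Close()
	// 2. vfkit connects. Binding vm gives gvproxy an address to reply to; an
	// unnamed client (nil laddr) would leave ReadFromUnix with an empty name.
	cli, err := net.DialUnix("unixgram", vm, gv)
	if err != nil {
		return "", err
	}
	defer cli.Close()
	if _, err := cli.Write([]byte(vfkitMagic)); err != nil { // 3. vfkit sends "VFKT"
		return "", err
	}
	_ = srv.SetReadDeadline(time.Now().Add(2 * time.Second))
	buf := make([]byte, 64)
	n, peer, err := srv.ReadFromUnix(buf) // 4. gvproxy learns the VM address
	if err != nil {
		return "", err
	}
	if string(buf[:n]) != vfkitMagic || peer == nil || peer.Name == "" {
		return "", fmt.Errorf("bad handshake %q from %v", buf[:n], peer)
	}
	if _, err := srv.WriteToUnix([]byte("frame-to-vm"), peer); err != nil { // 5. traffic
		return "", err
	}
	_ = cli.SetReadDeadline(time.Now().Add(2 * time.Second))
	n, err = cli.Read(buf)
	return string(buf[:n]), err
}

func main() { d, _ := os.MkdirTemp("", "vfkt"); defer os.RemoveAll(d); fmt.Println(Handshake(d)) }
```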
This adds stdio as a way to communicate between gvproxy and vm mainly for use
with WSL2, although it should work for other cases as well.
When network connections between WSL2 and the Windows host are blocked, stdio
is the only reliable way to establish a channel between WSL2 and the Windows
host. Hyper-V socket for WSL2 is a possibility, but it requires undocumented
APIs and admin privileges.
Signed-off-by: Keiichi Shimamura <sakai135@users.noreply.github.com>
Add a command line option to make network configuration of the TAP
interface optional.
This allows creating the tap device using 'native' tools, for
example:
```
# nmcli connection add type tun ifname tap0 con-name tap0 mode tap
# nmcli conn up tap0 ifname tap0
```
The advantage of not doing the configuration in the 'vm' binary is that
we don't need to hardcode the name of a dhcp client and call it from go
code, we can just use native OS networking (NetworkManager,
systemd-resolved, ...) and let it do its work.
There is currently no dhcp client easily available in ubi8 images, and
for the images we use in CRC, we'd prefer not to use a busybox base
image, this work helps with that.
After this change, 'vm' can be started as a systemd service:
```
[Unit]
Description=gvisor-tap-vsock traffic forwarder
BindsTo=sys-devices-virtual-net-tap0.device
After=sys-devices-virtual-net-tap0.device

[Service]
Restart=on-success
TimeoutStopSec=70
ExecStart=/usr/bin/gvisor-tap-vsock-forwarder -preexisting

[Install]
WantedBy=default.target
```
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
golangci-lint reports the lack of timeouts as errors:
```
cmd/gvproxy/main.go:423:10: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
	err := http.Serve(ln, mux)
	       ^
cmd/test-companion/main.go:44:12: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
	log.Fatal(http.ListenAndServe(":8080", mux))
	          ^
test/port_forwarding_test.go:41:14: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
	if err := http.Serve(ln, mux); err != nil {
	          ^
```
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
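An added Go example (not code from the commit) of the fix gosec G114 asks for: the bare `http.Serve(ln, mux)` from the lint output replaced by an `http.Server` with explicit timeouts, plus a check that a client which stalls mid-headers is disconnected instead of holding a goroutine and a socket forever. The timeout values and the `/stats` request line are the example's own choices.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

// newHardenedServer is what replaces the bare http.Serve(ln, mux) and
// http.ListenAndServe calls gosec G114 flags: those run with zero-value
// timeouts, so a client may stall forever mid-headers or mid-body and
// keep a goroutine and a socket pinned. The durations are example picks.
func newHardenedServer(mux http.Handler) *http.Server {
	return &http.Server{
		Handler:           mux,
		ReadHeaderTimeout: 10 * time.Second, // the one G114 is about
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// slowHeaderClientDropped starts a hardened server with the given header
// timeout, connects a client that never finishes its request headers and
// reports whether the server hung up on it instead of waiting forever.
func slowHeaderClientDropped(timeout time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := newHardenedServer(http.NewServeMux())
	srv.ReadHeaderTimeout = timeout
	go srv.Serve(ln) // returns http.ErrServerClosed after srv.Close
	defer srv.Close()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer c.Close()
	fmt.Fprint(c, "GET /stats HTTP/1.1\r\nHost: gvproxy") // headers never end
	// Outwait the server. A read error other than our own deadline means
	// the server closed the socket (Go sends no 408 on this path).
	_ = c.SetReadDeadline(time.Now().Add(5 * timeout))
	_, err = c.Read(make([]byte, 1))
	return err != nil && !errors.Is(err, os.ErrDeadlineExceeded), nil
}
func main() { fmt.Println(slowHeaderClientDropped(300 * time.Millisecond)) }
```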
ioutil has been deprecated since golang 1.16.
This commit uses the replacement methods from the os or io packages.
This should fix some golangci-lint CI failures.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
The BESS protocol transfers L2 packets over AF_UNIX SOCK_SEQPACKET sockets.
The BESS protocol has been used by the vector network interfaces of User Mode Linux (UML).
```
(terminal 1) $ bin/gvproxy -debug -listen unix:///tmp/network.sock -listen-bess unixpacket:///tmp/bess.sock
(terminal 2) $ linux.uml vec0:transport=bess,dst=/tmp/bess.sock,depth=128,gro=1,mac=5a:94:ef:e4:0c:ee root=/dev/root rootfstype=hostfs init=/bin/bash mem=2G
(terminal 2: UML)$ ip addr add 192.168.127.2/24 dev vec0
(terminal 2: UML)$ ip link set vec0 up
(terminal 2: UML)$ ip route add default via 192.168.127.254
```
More docs about User Mode Linux with the BESS socket transport: https://www.kernel.org/doc/html/latest/virt/uml/user_mode_linux_howto_v2.html#bess-socket-transport
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This is a no-op since:
commit 63ad932977664aff2b763d23f1e9efc5a6d001b4
Author: Guillaume Rose <gurose@redhat.com>
Date: Thu Apr 29 15:13:55 2021 +0200
Use DHCP instead of custom handshake between daemon and the VM