dfinity · DFINITYManu · Aug 27, 2024 · Aug 27, 2024 · Aug 27, 2024 · Sep 11, 2024
@@ -58,6 +58,7 @@ go_deps.bzl               @dfinity/idx
 /ic-os/components/boundary-guestos/                                     @dfinity/boundary-node @dfinity/node
 /ic-os/components/boundary-guestos.bzl                                  @dfinity/boundary-node @dfinity/node
 /ic-os/components/init/bootstrap-ic-node/boundary-guestos/              @dfinity/boundary-node @dfinity/node
+/ic-os/components/networking/nftables/                                  @dfinity/dre
 /toolchains/                                                            @dfinity/node
 
 # [metrics-proxy]

diff --git a/Cargo.Bazel.Fuzzing.json.lock b/Cargo.Bazel.Fuzzing.json.lock
@@ -1,5 +1,5 @@
 {
-  "checksum": "9ef6df4a9a9699fa60c0deb0f30df0446a5aaa79555f9225b15f48ccb5afca4d",
+  "checksum": "7680077187e67e088479ce8e663201a5bdde52f67daa6cf767109aaeea928ba0",
   "crates": {
     "abnf 0.12.0": {
       "name": "abnf",
@@ -33348,10 +33348,20 @@
         "crate_features": {
           "common": [
             "default",
+            "serde",
             "std"
           ],
           "selects": {}
         },
+        "deps": {
+          "common": [
+            {
+              "id": "serde 1.0.203",
+              "target": "serde"
+            }
+          ],
+          "selects": {}
+        },
         "edition": "2018",
         "version": "2.8.0"
       },

diff --git a/Cargo.Bazel.Fuzzing.toml.lock b/Cargo.Bazel.Fuzzing.toml.lock
@@ -5866,6 +5866,9 @@ name = "ipnet"
 version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "28b29a3cd74f0f4598934efe3aeba42bae0eb4680554128851ebbecb02af14e6"
+dependencies = [
+ "serde",
+]
 
 [[package]]
 name = "ipnetwork"

diff --git a/Cargo.Bazel.json.lock b/Cargo.Bazel.json.lock
@@ -1,5 +1,5 @@
 {
-  "checksum": "6d91b4d8565bf0af7b7870fd7a6b31e599c590eb3e7bf682ba77d1f93a035912",
+  "checksum": "8c7eb3b6f79b6e190dca4b2c651d578bf3b1fcf469913f067eafa7a36e320629",
   "crates": {
     "abnf 0.12.0": {
       "name": "abnf",
@@ -33244,10 +33244,20 @@
         "crate_features": {
           "common": [
             "default",
+            "serde",
             "std"
           ],
           "selects": {}
         },
+        "deps": {
+          "common": [
+            {
+              "id": "serde 1.0.203",
+              "target": "serde"
+            }
+          ],
+          "selects": {}
+        },
         "edition": "2018",
         "version": "2.8.0"
       },

diff --git a/Cargo.Bazel.toml.lock b/Cargo.Bazel.toml.lock
@@ -5867,6 +5867,9 @@ name = "ipnet"
 version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "28b29a3cd74f0f4598934efe3aeba42bae0eb4680554128851ebbecb02af14e6"
+dependencies = [
+ "serde",
+]
 
 [[package]]
 name = "ipnetwork"

diff --git a/Cargo.lock b/Cargo.lock
@@ -661,7 +661,8 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
                 features = ["serde"],
             ),
             "ipnet": crate.spec(
-                version = "^2.5.0",
+                version = "^2.8.0",
+                features = ["serde"],
             ),
             "isocountry": crate.spec(
                 version = "^0.3.2",

@@ -2,17 +2,17 @@
 set -eEuo pipefail
 
 if [ -n "${IN_NIX_SHELL:-}" ]; then
-    echo "Please do not run $0 inside of nix-shell." >&2
+    eprintln "Please do not run $0 inside of nix-shell."
     exit 1
 fi
 
 if [ -e /run/.containerenv ]; then
-    echo "Nested $0 is not supported." >&2
+    eprintln "Nested $0 is not supported."
     exit 1
 fi
 
 if ! which podman >/dev/null 2>&1; then
-    echo "Podman missing...install it." >&2
+    eprintln "Podman missing...install it."
     exit 1
 fi
 
@@ -27,6 +27,10 @@ Script uses dfinity/ic-build image by default.
 EOF
 }
 
+eprintln() {
+    echo "$@" >&2
+}
+
 if findmnt /hoststorage >/dev/null; then
     PODMAN_ARGS=(--root /hoststorage/podman-root)
 else
@@ -39,17 +43,17 @@ CTR=0
 while test $# -gt $CTR; do
     case "$1" in
         -h | --help) usage && exit 0 ;;
-        -f | --full) echo "The legacy image has been deprecated, --full is not an option anymore." && exit 0 ;;
+        -f | --full) eprintln "The legacy image has been deprecated, --full is not an option anymore." && exit 0 ;;
         -c | --cache-dir)
             if [[ $# -gt "$CTR + 1" ]]; then
                 if [ ! -d "$2" ]; then
-                    echo "$2 is not a directory! Create it and try again."
+                    eprintln "$2 is not a directory! Create it and try again."
                     usage && exit 1
                 fi
                 CACHE_DIR="$2"
-                echo "Bind-mounting $CACHE_DIR as cache directory."
+                eprintln "Bind-mounting $CACHE_DIR as cache directory."
             else
-                echo "Missing argument for -c | --cache-dir!"
+                eprintln "Missing argument for -c | --cache-dir!"
                 usage && exit 1
             fi
             shift
@@ -73,7 +77,7 @@ if ! sudo podman "${PODMAN_ARGS[@]}" image exists $IMAGE; then
 fi
 
 if findmnt /hoststorage >/dev/null; then
-    echo "Purging non-relevant container images"
+    eprintln "Purging non-relevant container images"
     sudo podman "${PODMAN_ARGS[@]}" image prune -a -f --filter "reference!=$IMAGE"
 fi
 
@@ -127,6 +131,7 @@ if [ "$(id -u)" = "1000" ]; then
         PODMAN_RUN_ARGS+=(
             --mount type=bind,source="${HOME}/.bash_history",target="/home/ubuntu/.bash_history"
         )
+
     fi
     if [ -e "${HOME}/.local/share/fish" ]; then
         PODMAN_RUN_ARGS+=(
@@ -151,7 +156,7 @@ if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -e "${SSH_AUTH_SOCK:-}" ]; then
         -e SSH_AUTH_SOCK="/ssh-agent"
     )
 else
-    echo "No ssh-agent to forward."
+    eprintln "No ssh-agent to forward."
 fi
 
 # make sure we have all bind-mounts
@@ -160,22 +165,28 @@ mkdir -p ~/.{aws,ssh,cache,local/share/fish} && touch ~/.{zsh,bash}_history
 PODMAN_RUN_USR_ARGS=()
 if [ -f "$HOME/.container-run.conf" ]; then
     # conf file with user's custom PODMAN_RUN_USR_ARGS
-    echo "Sourcing user's ~/.container-run.conf"
+    eprintln "Sourcing user's ~/.container-run.conf"
     source "$HOME/.container-run.conf"
 fi
 
-# privileged rootful podman is required due to requirements of IC-OS guest build
-# additionally, we need to use hosts's cgroups and network
+# Omit -t if not a tty.
+# Also shut up logging, because podman will by default log
+# every byte of standard output to the journal, and that
+# destroys the journal + wastes enormous amounts of CPU.
+# I witnessed journald and syslog peg 2 cores of my devenv
+# when running a simple cat /path/to/file.
+if tty >/dev/null 2>&1; then
+    tty=-t
+else
+    tty=
+fi
+other_args="--pids-limit=-1 -i $tty --log-driver=none --rm --privileged --network=host --cgroupns=host"
+# Privileged rootful podman is required due to requirements of IC-OS guest build;
+# additionally, we need to use hosts's cgroups and network.
 if [ $# -eq 0 ]; then
     set -x
-    sudo podman "${PODMAN_ARGS[@]}" run --pids-limit=-1 -it --rm --privileged --network=host --cgroupns=host \
-        "${PODMAN_RUN_ARGS[@]}" ${PODMAN_RUN_USR_ARGS[@]} -w "$WORKDIR" \
-        "$IMAGE" ${USHELL:-/usr/bin/bash}
-    set +x
+    exec sudo podman "${PODMAN_ARGS[@]}" run $other_args "${PODMAN_RUN_ARGS[@]}" ${PODMAN_RUN_USR_ARGS[@]} -w "$WORKDIR" "$IMAGE" "${USHELL}"
 else
     set -x
-    sudo podman "${PODMAN_ARGS[@]}" run --pids-limit=-1 -it --rm --privileged --network=host --cgroupns=host \
-        "${PODMAN_RUN_ARGS[@]}" "${PODMAN_RUN_USR_ARGS[@]}" -w "$WORKDIR" \
-        "$IMAGE" "$@"
-    set +x
+    exec sudo podman "${PODMAN_ARGS[@]}" run $other_args "${PODMAN_RUN_ARGS[@]}" ${PODMAN_RUN_USR_ARGS[@]} -w "$WORKDIR" "$IMAGE" "$@"
 fi
@@ -96,6 +96,7 @@ component_files = {
     Label("networking/fallback.conf"): "/etc/systemd/resolved.conf.d/fallback.conf",
     Label("networking/resolv.conf"): "/etc/resolv.conf",
     Label("networking/network-tweaks.conf"): "/etc/sysctl.d/network-tweaks.conf",
+    Label("networking/nftables/nftables-add-operator-rules-guestos.conf"): "/etc/systemd/system/nftables.service.d/nftables-add-operator-rules.conf",
     Label("networking/hosts"): "/etc/hosts",
     Label("networking/dev-certs/canister_http_test_ca.cert"): "/dev-certs/canister_http_test_ca.cert",
 

@@ -110,6 +110,9 @@ options may be specified:
   --socks_proxy url
     The URL of the socks proxy to use. To be used in
     systems tests only.
+
+  --firewall_rules_file path
+    Optional. Should point to a file containing a firewall.json rules file.
 EOF
 }
 
@@ -130,6 +133,7 @@ function build_ic_bootstrap_tar() {
     local QUERY_STATS_EPOCH_LENGTH
     local BITCOIND_ADDR
     local JAEGER_ADDR
+    local FIREWALL_RULES_FILE
 
     while true; do
         if [ $# == 0 ]; then
@@ -203,6 +207,9 @@ function build_ic_bootstrap_tar() {
             --socks_proxy)
                 SOCKS_PROXY="$2"
                 ;;
+            --firewall_rules_file)
+                FIREWALL_RULES_FILE="$2"
+                ;;
             *)
                 echo "Unrecognized option: $1"
                 usage
@@ -274,6 +281,9 @@ EOF
     if [ "${NODE_OPERATOR_PRIVATE_KEY}" != "" ]; then
         cp "${NODE_OPERATOR_PRIVATE_KEY}" "${BOOTSTRAP_TMPDIR}/node_operator_private_key.pem"
     fi
+    if [ "${FIREWALL_RULES_FILE}" != "" ]; then
+        cp "${FIREWALL_RULES_FILE}" "${BOOTSTRAP_TMPDIR}/firewall.json"
+    fi
 
     tar cf "${OUT_FILE}" \
         --sort=name \

@@ -31,6 +31,7 @@ Arguments:
   -h, --help            show this help message and exit
   -i=, --input=         specify the input template file (Default: /opt/ic/share/guestos.xml.template)
   -m=, --media=         specify the config media image file (Default: /run/ic-node/config.img)
+  -f=, --firewall=      specify the firewall.json configuration file (Default: /boot/config/firewall.json)
   -o=, --output=        specify the output configuration file (Default: /var/lib/libvirt/guestos.xml)
 '
             exit 1
@@ -43,6 +44,10 @@ Arguments:
             MEDIA="${argument#*=}"
             shift
             ;;
+        -f=* | --firewall=*)
+            FIREWALL="${argument#*=}"
+            shift
+            ;;
         -o=* | --output=*)
             OUTPUT="${argument#*=}"
             shift
@@ -58,13 +63,18 @@ function validate_arguments() {
     if [ "${CONFIG}" == "" -o "${DEPLOYMENT}" == "" -o "${INPUT}" == "" -o "${OUTPUT}" == "" ]; then
         $0 --help
     fi
+    if [ "${FIREWALL}" != "" -a ! -f "${FIREWALL}" ]; then
+        echo >&2 "Error: specified firewall rules file $FIREWALL does not exist"
+        $0 --help
+    fi
 }
 
 # Set arguments if undefined
 CONFIG="${CONFIG:=/boot/config/config.ini}"
 DEPLOYMENT="${DEPLOYMENT:=/boot/config/deployment.json}"
 INPUT="${INPUT:=/opt/ic/share/guestos.xml.template}"
 MEDIA="${MEDIA:=/run/ic-node/config.img}"
+FIREWALL="${DEPLOYMENT:=/boot/config/firewall.json}"
 OUTPUT="${OUTPUT:=/var/lib/libvirt/guestos.xml}"
 
 function read_variables() {
@@ -85,6 +95,9 @@ function read_variables() {
 function assemble_config_media() {
     cmd=(/opt/ic/bin/build-bootstrap-config-image.sh ${MEDIA})
     cmd+=(--nns_public_key "/boot/config/nns_public_key.pem")
+    if [ -f "${FIREWALL}" ]; then
+        cmd+=(--firewall_rules_file "${FIREWALL}")
+    fi
     cmd+=(--elasticsearch_hosts "$(/opt/ic/bin/fetch-property.sh --key=.logging.hosts --metric=hostos_logging_hosts --config=${DEPLOYMENT})")
     cmd+=(--ipv6_address "$(/opt/ic/bin/hostos_tool generate-ipv6-address --node-type GuestOS)")
     cmd+=(--ipv6_gateway "${ipv6_gateway}")

@@ -79,6 +79,7 @@ component_files = {
     Label("networking/resolv.conf"): "/etc/resolv.conf",
     Label("networking/network-tweaks.conf"): "/etc/sysctl.d/network-tweaks.conf",
     Label("networking/nftables/nftables-hostos.conf"): "/etc/nftables.conf",
+    Label("networking/nftables/nftables-add-operator-rules-hostos.conf"): "/etc/systemd/system/nftables.service.d/nftables-add-operator-rules.conf",
     Label("networking/hosts"): "/etc/hosts",
 
     # ssh

@@ -190,6 +190,9 @@
 \n\
   counter rate_limit_v4_counter {}\n\
   counter connection_limit_v4_counter {}\n\
+\n\
+  chain provider_INPUT {\n\
+  }\n\
 \n\
   chain INPUT {\n\
     type filter hook input priority 0; policy drop;\n\
@@ -207,6 +210,7 @@
     ct state { invalid } drop\n\
     #   - The rule accepts all established and related connections. It's required for the IPv4 connectivity check.\n\
     ct state { established, related } accept\n\
+    jump provider_INPUT\n\
     log prefix \"Drop - default policy: \"\n\
   }\n\
 \n\
@@ -236,6 +240,9 @@ table ip6 filter {\n\
 \n\
   counter rate_limit_v6_counter {}\n\
   counter connection_limit_v6_counter {}\n\
+\n\
+  chain provider_INPUT {\n\
+  }\n\
 \n\
   chain INPUT {\n\
     type filter hook input priority 0; policy drop;\n\
@@ -259,6 +266,7 @@ table ip6 filter {\n\
     ip6 saddr { hostos } ct state { new } tcp dport { 42372 } accept # Allow access from HostOS metrics-proxy so GuestOS metrics-proxy can proxy certain metrics to HostOS.\n\
     <<IPv6_TCP_RULES>>\n\
     <<IPv6_UDP_RULES>>\n\
+    jump provider_INPUT\n\
     log prefix \"Drop - default policy: \"\n\
   }\n\
 \n\

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=/usr/bin/bash -c 'set -o pipefail ; /opt/ic/bin/guestos_tool render-firewall-config | nft -f -'
+ExecReload=/usr/bin/bash -c 'set -o pipefail ; /opt/ic/bin/guestos_tool render-firewall-config | nft -f -'
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=/usr/bin/bash -c 'set -o pipefail ; /opt/ic/bin/hostos_tool render-firewall-config | nft -f -'
+ExecReload=/usr/bin/bash -c 'set -o pipefail ; /opt/ic/bin/hostos_tool render-firewall-config | nft -f -'