gvproxy: Split --listen features in 2 separate args #425

Open
cfergeau opened this issue Nov 14, 2024 · 2 comments
@cfergeau
Collaborator

--listen defines the sockets that will be used for gvproxy REST API

```go
mux := http.NewServeMux()
mux.Handle("/services/", http.StripPrefix("/services", n.servicesMux))
mux.HandleFunc("/stats", func(w http.ResponseWriter, _ *http.Request) {
	_ = json.NewEncoder(w).Encode(statsAsJSON(n.networkSwitch.Sent, n.networkSwitch.Received, n.stack.Stats()))
})
mux.HandleFunc("/cam", func(w http.ResponseWriter, _ *http.Request) {
	_ = json.NewEncoder(w).Encode(n.networkSwitch.CAM())
})
mux.HandleFunc("/leases", func(w http.ResponseWriter, _ *http.Request) {
	_ = json.NewEncoder(w).Encode(n.ipPool.Leases())
})
mux.HandleFunc(types.ConnectPath, func(w http.ResponseWriter, _ *http.Request) {
	hj, ok := w.(http.Hijacker)
	// ... (excerpt ends here in the issue)
```

This exposes the /connect API endpoint, which is used for network connectivity when gvforwarder/vm is running in the guest, a /services endpoint providing port forwarding, DNS, DHCP, a /stats endpoint, ...

Since there are other ways to get network connectivity without using /connect (--listen-vfkit, --listen-bess, ...), it's desirable to be able to enable the service/stats/... endpoints without enabling /connect.

It's better to add a separate option (or options) for this, as at this point there could be users relying on gvproxy --listen's current behaviour.

#78 is a distinct issue: the /services/forwarder API endpoint is unconditionally enabled in the guest, which might have security implications. Being able to disable it would be useful.
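The split this issue asks for, as an added example that is not gvproxy's own code: a sketch of a control mux in which /connect and /services/forwarder are each behind their own option, so a --listen-qemu/--listen-vfkit deployment can expose /stats and /services without routing /connect at all. APIOptions, NewControlMux and StatusFor are hypothetical names, and the stats payload and forwarder rule list are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// APIOptions models the split the issue asks for: control endpoints and the
// /connect transport endpoint are enabled independently (hypothetical names).
type APIOptions struct {
	EnableConnect   bool // register /connect (only needed with gvforwarder/vm)
	EnableForwarder bool // register /services/forwarder (the concern in #78)
}

// NewControlMux routes each endpoint only when its option is on, so a
// --listen-qemu/--listen-vfkit setup can expose /stats without /connect.
func NewControlMux(opts APIOptions) *http.ServeMux {
	services := http.NewServeMux()
	if opts.EnableForwarder {
		services.HandleFunc("/forwarder/all", func(w http.ResponseWriter, _ *http.Request) {
			_ = json.NewEncoder(w).Encode([]string{}) // constructed empty rule list
		})
	}
	mux := http.NewServeMux()
	mux.Handle("/services/", http.StripPrefix("/services", services))
	mux.HandleFunc("/stats", func(w http.ResponseWriter, _ *http.Request) {
		_ = json.NewEncoder(w).Encode(map[string]int{"sent": 42, "received": 17}) // constructed
	})
	if opts.EnableConnect {
		mux.HandleFunc("/connect", func(w http.ResponseWriter, _ *http.Request) {
			// The real endpoint hijacks the connection here to carry VM traffic.
			w.WriteHeader(http.StatusSwitchingProtocols)
		})
	}
	return mux
}

// StatusFor returns the status mux gives for path; 404 means "not routed".
func StatusFor(mux *http.ServeMux, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	mux := NewControlMux(APIOptions{}) // neither /connect nor /forwarder exposed
	fmt.Println("/stats:", StatusFor(mux, "/stats"), "/connect:", StatusFor(mux, "/connect"))
}
```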

@cfergeau
Collaborator Author

On Linux, podman machine's gvproxy command line is:

```shell
/usr/local/lib/podman/gvproxy -debug -mtu 1500 -ssh-port 41117 -listen-qemu unix:///run/user/1000/podman/crc-gvproxy.sock -forward-sock /run/user/1000/podman/crc-api.sock -forward-dest /run/user/1000/podman/podman.sock -forward-user core -forward-identity /var/home/teuf/.crc/cache/crc_microshift_libvirt_4.16.18_amd64/id_ecdsa_crc -pid-file /run/user/1000/podman/gvproxy.pid -log-file /run/user/1000/podman/gvproxy.log
```

It is similar on other platforms.

@cfergeau
Collaborator Author

The issue could actually be rephrased as "it should be possible to start gvproxy using --listen-qemu/--listen-vfkit/..., while still being able to use the /services endpoint from the host", which is not really possible at the moment, or not really convenient/obvious as --listen needs to be specified for that.

@cfergeau cfergeau assigned cfergeau and lstocchi and unassigned cfergeau Nov 20, 2024
@lstocchi lstocchi moved this from Todo to Ready for review in Project planning: crc Nov 29, 2024