feat: don’t set up the TCP-over-WebSocket tunnels if running on the same machine

michalrus · michalrus · commit ba099df5a0bf · 2025-12-19T19:34:32.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -62,6 +62,10 @@ anyhow.workspace = true
 bech32.workspace = true
 cardano-serialization-lib.workspace = true
 ntest = "0.9.3"
+sysinfo.workspace = true
+machine-uid = "0.5"
+blake3 = "1"
+getrandom = "0.3"
 
 [target.'cfg(unix)'.dependencies]
 nix = { version = "0.30", default-features = false, features = ["signal"] }
@@ -126,6 +130,7 @@ reqwest = { version = "0.12.12", features = ["blocking"] }
 rstest = "0.24.0"
 serde = { version = "1.0.219", features = ["derive"] }
 serde_json = "1.0.140"
+sysinfo = "0.33.1"
 thiserror = "2.0.12"
 tokio = { version = "1.43.0", features = [
   "rt",
diff --git a/crates/node/Cargo.toml b/crates/node/Cargo.toml
@@ -18,7 +18,7 @@ serde_json.workspace = true
 tokio.workspace = true
 pallas-network.workspace = true
 deadpool = "0.12.1"
-sysinfo = "0.33.1"
+sysinfo.workspace = true
 num_cpus = "1"
 metrics.workspace = true
 pallas-hardano.workspace = true
diff --git a/src/hydra.rs b/src/hydra.rs
@@ -19,13 +19,15 @@ pub struct HydraController {
 
 #[derive(serde::Deserialize, serde::Serialize, Debug, PartialEq, Eq, Clone)]
 pub struct KeyExchangeRequest {
+    pub machine_id: String,
     pub platform_cardano_vkey: serde_json::Value,
     pub platform_hydra_vkey: serde_json::Value,
     pub accepted_platform_h2h_port: Option<u16>,
 }
 
 #[derive(serde::Deserialize, serde::Serialize, Debug, PartialEq, Eq, Clone)]
 pub struct KeyExchangeResponse {
+    pub machine_id: String,
     pub gateway_cardano_vkey: serde_json::Value,
     pub gateway_hydra_vkey: serde_json::Value,
     pub hydra_scripts_tx_id: String,
@@ -255,6 +257,7 @@ impl State {
 
                 self.kex_requests
                     .send(KeyExchangeRequest {
+                        machine_id: verifications::hashed_machine_id(),
                         platform_cardano_vkey: self.platform_cardano_vkey.clone(),
                         platform_hydra_vkey: verifications::read_json_file(
                             &self.config_dir.join("hydra.vk"),
@@ -291,6 +294,7 @@ impl State {
                 } else {
                     self.kex_requests
                         .send(KeyExchangeRequest {
+                            machine_id: verifications::hashed_machine_id(),
                             platform_cardano_vkey: self.platform_cardano_vkey.clone(),
                             platform_hydra_vkey: verifications::read_json_file(
                                 &self.config_dir.join("hydra.vk"),
diff --git a/src/hydra/verifications.rs b/src/hydra/verifications.rs
@@ -383,3 +383,29 @@ pub fn sigterm(pid: u32) -> Result<()> {
 pub fn sigterm(_pid: u32) -> Result<()> {
     unreachable!()
 }
+
+/// We use it for `localhost` tests, to detect if the Gateway and Platform are
+/// running on the same host. Then we cannot set up a
+/// `[crate::hydra::tunnel2::Tunnel]`, because the ports are already taken.
+pub fn hashed_machine_id() -> String {
+    const MACHINE_ID_NAMESPACE: &str = "blockfrost.machine-id.v1";
+
+    let mut hasher = blake3::Hasher::new();
+    hasher.update(MACHINE_ID_NAMESPACE.as_bytes());
+    hasher.update(b":");
+
+    match machine_uid::get() {
+        Ok(id) => {
+            hasher.update(id.as_bytes());
+        },
+        Err(e) => {
+            tracing::warn!(error = ?e, "machine_uid::get() failed; falling back to random bytes");
+            let mut fallback = [0u8; 32];
+            getrandom::fill(&mut fallback)
+                .expect("getrandom::fill shouldn’t fail in normal circumstances");
+            hasher.update(&fallback);
+        },
+    }
+
+    hasher.finalize().to_hex().to_string()
+}
diff --git a/src/load_balancer.rs b/src/load_balancer.rs
@@ -253,17 +253,19 @@ mod event_loop {
 
                 LBEvent::NewLoadBalancerMessage(LoadBalancerMessage::HydraKExResponse(resp)) => {
                     if let Some(hydra_kex) = &hydra_kex {
-                        if resp.kex_done {
+                        // Only start the TCP-over-WebSocket tunnels if we’re running
+                        // on different machines:
+                        if resp.machine_id != hydra::verifications::hashed_machine_id() {
                             let (tunnel_ctl, mut tunnel_rx) = hydra::tunnel2::Tunnel::new(
                                 hydra::tunnel2::TunnelConfig {
-                                    expose_port: resp.gateway_h2h_port,
+                                    expose_port: resp.proposed_platform_h2h_port,
                                     id_prefix_bit: true,
                                     ..(hydra::tunnel2::TunnelConfig::default())
                                 },
                                 tunnel_cancellation.clone(),
                             );
 
-                            tunnel_ctl.spawn_listener(resp.proposed_platform_h2h_port).await.expect("FIXME: this really shouldn’t fail, unless we hit the TOCTOU race condition…");
+                            tunnel_ctl.spawn_listener(resp.gateway_h2h_port).await.expect("FIXME: this really shouldn’t fail, unless we hit the TOCTOU race condition…");
 
                             let socket_tx_ = socket_tx.clone();
                             let config_ = config.clone();
