Merge pull request #282 from AkihiroSuda/guestagent-watch-audit

AkihiroSuda · web-flow · commit e31f365878ce · 2021-10-05T15:48:39.000+09:00
guestagent: watch NETFILTER_CFG audit events to reduce polling
diff --git a/README.md b/README.md
@@ -182,7 +182,7 @@ The current default spec:
 
 - Hypervisor: QEMU with HVF accelerator
 - Filesystem sharing: [reverse sshfs](https://github.com/lima-vm/sshocker/blob/v0.2.0/pkg/reversesshfs/reversesshfs.go) (planned to be replaced with 9p soon)
-- Port forwarding: `ssh -L`, automated by watching `/proc/net/tcp` in the guest
+- Port forwarding: `ssh -L`, automated by watching `/proc/net/tcp` and `iptables` events in the guest
 
 ## Developer guide
 
diff --git a/cmd/lima-guestagent/daemon_linux.go b/cmd/lima-guestagent/daemon_linux.go
@@ -46,7 +46,10 @@ func daemonAction(cmd *cobra.Command, args []string) error {
 		return ticker.C, ticker.Stop
 	}
 
-	agent := guestagent.New(newTicker)
+	agent, err := guestagent.New(newTicker, tick*20)
+	if err != nil {
+		return err
+	}
 	backend := &server.Backend{
 		Agent: agent,
 	}
diff --git a/go.mod b/go.mod
@@ -11,6 +11,7 @@ require (
 	github.com/digitalocean/go-qemu v0.0.0-20210326154740-ac9e0b687001
 	github.com/diskfs/go-diskfs v1.2.0
 	github.com/docker/go-units v0.4.0
+	github.com/elastic/go-libaudit/v2 v2.2.0
 	github.com/gorilla/mux v1.8.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/lima-vm/sshocker v0.2.2
diff --git a/go.sum b/go.sum
@@ -300,6 +300,8 @@ github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZ
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/elastic/go-libaudit/v2 v2.2.0 h1:TY3FDpG4Zr9Qnv6KYW6olYr/U+nfu0rD2QAbv75VxMQ=
+github.com/elastic/go-libaudit/v2 v2.2.0/go.mod h1:MM/l/4xV7ilcl+cIblL8Zn448J7RZaDwgNLE4gNKYPg=
 github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/elazarl/goproxy v0.0.0-20210801061803-8e322dfb79c4/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
@@ -666,6 +668,7 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pierrec/lz4 v2.3.0+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -768,6 +771,7 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
diff --git a/pkg/guestagent/guestagent_linux.go b/pkg/guestagent/guestagent_linux.go
@@ -5,26 +5,88 @@ import (
 	"encoding/binary"
 	"errors"
 	"reflect"
+	"sync"
 	"time"
 
+	"github.com/elastic/go-libaudit/v2"
+	"github.com/elastic/go-libaudit/v2/auparse"
 	"github.com/lima-vm/lima/pkg/guestagent/api"
 	"github.com/lima-vm/lima/pkg/guestagent/iptables"
 	"github.com/lima-vm/lima/pkg/guestagent/procnettcp"
 	"github.com/sirupsen/logrus"
 	"github.com/yalue/native_endian"
 )
 
-func New(newTicker func() (<-chan time.Time, func())) Agent {
-	return &agent{
+func New(newTicker func() (<-chan time.Time, func()), iptablesIdle time.Duration) (Agent, error) {
+	a := &agent{
 		newTicker: newTicker,
 	}
+
+	auditClient, err := libaudit.NewMulticastAuditClient(nil)
+	if err != nil {
+		return nil, err
+	}
+	auditStatus, err := auditClient.GetStatus()
+	if err != nil {
+		return nil, err
+	}
+	if auditStatus.Enabled == 0 {
+		if err = auditClient.SetEnabled(true, libaudit.WaitForReply); err != nil {
+			return nil, err
+		}
+	}
+
+	go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle)
+	return a, nil
 }
 
 type agent struct {
 	// Ticker is like time.Ticker.
 	// We can't use inotify for /proc/net/tcp, so we need this ticker to
 	// reload /proc/net/tcp.
 	newTicker func() (<-chan time.Time, func())
+
+	worthCheckingIPTables   bool
+	worthCheckingIPTablesMu sync.RWMutex
+	latestIPTables          []iptables.Entry
+	latestIPTablesMu        sync.RWMutex
+}
+
+// setWorthCheckingIPTablesRoutine sets worthCheckingIPTables to be true
+// when received NETFILTER_CFG audit message.
+//
+// setWorthCheckingIPTablesRoutine sets worthCheckingIPTables to be false
+// when no NETFILTER_CFG audit message was received for the iptablesIdle time.
+func (a *agent) setWorthCheckingIPTablesRoutine(auditClient *libaudit.AuditClient, iptablesIdle time.Duration) {
+	var latestTrue time.Time
+	go func() {
+		for {
+			time.Sleep(iptablesIdle)
+			a.worthCheckingIPTablesMu.Lock()
+			// time is monotonic, see https://pkg.go.dev/time#hdr-Monotonic_Clocks
+			elapsedSinceLastTrue := time.Since(latestTrue)
+			if elapsedSinceLastTrue >= iptablesIdle {
+				logrus.Debug("setWorthCheckingIPTablesRoutine(): setting to false")
+				a.worthCheckingIPTables = false
+			}
+			a.worthCheckingIPTablesMu.Unlock()
+		}
+	}()
+	for {
+		msg, err := auditClient.Receive(false)
+		if err != nil {
+			logrus.Error(err)
+			continue
+		}
+		switch msg.Type {
+		case auparse.AUDIT_NETFILTER_CFG:
+			a.worthCheckingIPTablesMu.Lock()
+			logrus.Debug("setWorthCheckingIPTablesRoutine(): setting to true")
+			a.worthCheckingIPTables = true
+			latestTrue = time.Now()
+			a.worthCheckingIPTablesMu.Unlock()
+		}
+	}
 }
 
 type eventState struct {
@@ -131,10 +193,26 @@ func (a *agent) LocalPorts(ctx context.Context) ([]api.IPPort, error) {
 		}
 	}
 
-	ipts, err := iptables.GetPorts()
-	if err != nil {
-		return res, err
+	a.worthCheckingIPTablesMu.RLock()
+	worthCheckingIPTables := a.worthCheckingIPTables
+	a.worthCheckingIPTablesMu.RUnlock()
+	logrus.Debugf("LocalPorts(): worthCheckingIPTables=%v", worthCheckingIPTables)
+
+	var ipts []iptables.Entry
+	if a.worthCheckingIPTables {
+		ipts, err = iptables.GetPorts()
+		if err != nil {
+			return res, err
+		}
+		a.latestIPTablesMu.Lock()
+		a.latestIPTables = ipts
+		a.latestIPTablesMu.Unlock()
+	} else {
+		a.latestIPTablesMu.RLock()
+		ipts = a.latestIPTables
+		a.latestIPTablesMu.RUnlock()
 	}
+
 	for _, ipt := range ipts {
 		// Make sure the port isn't already listed from procnettcp
 		found := false

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,10 @@ func daemonAction(cmd *cobra.Command, args []string) error {`
`46`	`46`	`return ticker.C, ticker.Stop`
`47`	`47`	`}`
`48`	`48`
`49`		`- agent := guestagent.New(newTicker)`
	`49`	`+ agent, err := guestagent.New(newTicker, tick*20)`
	`50`	`+ if err != nil {`
	`51`	`+ return err`
	`52`	`+ }`
`50`	`53`	`backend := &server.Backend{`
`51`	`54`	`Agent: agent,`
`52`	`55`	`}`