refactor: use workspace proxy for setup server (#1790)

Author: FabianKramm

go.mod

@@ -29,9 +29,9 @@ require (
 	github.com/gorilla/websocket v1.5.3
 	github.com/joho/godotenv v1.5.1
 	github.com/julienschmidt/httprouter v1.3.0
-	github.com/loft-sh/agentapi/v4 v4.3.0-devpod.alpha.11
+	github.com/loft-sh/agentapi/v4 v4.3.0-devpod.alpha.16
 	github.com/loft-sh/analytics-client v0.0.0-20240219162240-2f4c64b2494e
-	github.com/loft-sh/api/v4 v4.3.0-devpod.alpha.11
+	github.com/loft-sh/api/v4 v4.3.0-devpod.alpha.16
 	github.com/loft-sh/apiserver v0.0.0-20250206205835-422f1d472459
 	github.com/loft-sh/log v0.0.0-20240219160058-26d83ffb46ac
 	github.com/loft-sh/programming-language-detection v0.0.5

go.sum

@@ -422,12 +422,12 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/loft-sh/admin-apis v0.0.0-20250221182517-7499d86167d2 h1:om1MqUdW84ZQc0GMGGgFfPI6xpTbrF+6DwKVq+76R44=
 github.com/loft-sh/admin-apis v0.0.0-20250221182517-7499d86167d2/go.mod h1:WHCqWfljfD1hkwk41hLeqBhW2yeLvWipB1sH6vfnR7U=
-github.com/loft-sh/agentapi/v4 v4.3.0-devpod.alpha.11 h1:1tcoDVN5ZGdhKMvW2ySqsyemWD/5DaNg3Z9VbDS73uA=
-github.com/loft-sh/agentapi/v4 v4.3.0-devpod.alpha.11/go.mod h1:UteiUdc6QeGt2uXIo5K5qlReRa366GbPY5QdDuPyFCs=
+github.com/loft-sh/agentapi/v4 v4.3.0-devpod.alpha.16 h1:a7iemRlezfhsmSWJYmhPpeMNIkRZFHhrJL538nLCqlM=
+github.com/loft-sh/agentapi/v4 v4.3.0-devpod.alpha.16/go.mod h1:UteiUdc6QeGt2uXIo5K5qlReRa366GbPY5QdDuPyFCs=
 github.com/loft-sh/analytics-client v0.0.0-20240219162240-2f4c64b2494e h1:JcPnMaoczikvpasi8OJ47dCkWZjfgFubWa4V2SZo7h0=
 github.com/loft-sh/analytics-client v0.0.0-20240219162240-2f4c64b2494e/go.mod h1:FFWcGASyM2QlWTDTCG/WBVM/XYr8btqYt335TFNRCFg=
-github.com/loft-sh/api/v4 v4.3.0-devpod.alpha.11 h1:AbYZX2KjmCzGKe3HyVDY89oSVNk72EwImzVfuCIRdzE=
-github.com/loft-sh/api/v4 v4.3.0-devpod.alpha.11/go.mod h1:IDuvg5bFg9zzG1NB7OOpmggIZ23jib9ZQ8x8wB8qYf8=
+github.com/loft-sh/api/v4 v4.3.0-devpod.alpha.16 h1:tvVofFbGDND2ifiAQeA9gHCUhFR1GHBntlltSDs9fTk=
+github.com/loft-sh/api/v4 v4.3.0-devpod.alpha.16/go.mod h1:QvDqPCWhP8VG8GH8OnbJ3ps8SmdDiF6f2qHDI2mvqBI=
 github.com/loft-sh/apiserver v0.0.0-20250206205835-422f1d472459 h1:6SrgBtT1S9ANsQMoO/O0Mq+hs9EbC5te5kPqOBfg5UI=
 github.com/loft-sh/apiserver v0.0.0-20250206205835-422f1d472459/go.mod h1:rung3jsKjaVAtykQN0vWmFHhx2A/umpRyAae8BJVSeE=
 github.com/loft-sh/log v0.0.0-20240219160058-26d83ffb46ac h1:Gz/7Lb7WgdgIv+KJz87ORA1zvQW52tUqKPGyunlp4dQ=

pkg/client/clientimplementation/daemonclient/client.go

@@ -173,11 +173,12 @@ func (c *client) SSHClients(ctx context.Context, user string) (toolClient *ssh.C
 		return nil, nil, fmt.Errorf("resolve workspace hostname: %w", err)
 	}
 
-	toolClient, err = ts.WaitForSSHClient(ctx, c.tsClient, wAddr.Host(), wAddr.Port(), "root", c.log)
+	address := fmt.Sprintf("%s:%d", wAddr.Host(), wAddr.Port())
+	toolClient, err = ts.WaitForSSHClient(ctx, c.tsClient.Dial, "tcp", address, "root", time.Second*10, c.log)
 	if err != nil {
 		return nil, nil, fmt.Errorf("create SSH tool client: %w", err)
 	}
-	userClient, err = ts.WaitForSSHClient(ctx, c.tsClient, wAddr.Host(), wAddr.Port(), user, c.log)
+	userClient, err = ts.WaitForSSHClient(ctx, c.tsClient.Dial, "tcp", address, user, time.Second*10, c.log)
 	if err != nil {
 		return nil, nil, fmt.Errorf("create SSH user client: %w", err)
 	}

pkg/devcontainer/setup.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -20,6 +21,9 @@ import (
 	"github.com/loft-sh/devpod/pkg/driver"
 	"github.com/loft-sh/devpod/pkg/ide"
 	provider2 "github.com/loft-sh/devpod/pkg/provider"
+	devssh "github.com/loft-sh/devpod/pkg/ssh"
+	"github.com/loft-sh/devpod/pkg/ssh/server"
+	"github.com/loft-sh/devpod/pkg/ts"
 	"github.com/loft-sh/log"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -96,15 +100,6 @@ func (r *runner) setupContainer(
 	// check if docker driver
 	_, isDockerDriver := r.Driver.(driver.DockerDriver)
 
-	// ssh tunnel
-	sshTunnelCmd := fmt.Sprintf("'%s' helper ssh-server --stdio", agent.ContainerDevPodHelperLocation)
-	if ide.ReusesAuthSock(r.WorkspaceConfig.Workspace.IDE.Name) {
-		sshTunnelCmd += fmt.Sprintf(" --reuse-ssh-auth-sock=%s", r.WorkspaceConfig.CLIOptions.SSHAuthSockID)
-	}
-	if r.Log.GetLevel() == logrus.DebugLevel {
-		sshTunnelCmd += " --debug"
-	}
-
 	// setup container
 	r.Log.Infof("Setup container...")
 
@@ -132,10 +127,46 @@ func (r *runner) setupContainer(
 		setupCommand += " --debug"
 	}
 
+	// run setup server
+	runSetupServer := func(ctx context.Context, stdin io.WriteCloser, stdout io.Reader) (*config.Result, error) {
+		return tunnelserver.RunSetupServer(
+			ctx,
+			stdout,
+			stdin,
+			r.WorkspaceConfig.Agent.InjectGitCredentials != "false",
+			r.WorkspaceConfig.Agent.InjectDockerCredentials != "false",
+			config.GetMounts(result),
+			r.Log,
+			tunnelserver.WithPlatformOptions(&r.WorkspaceConfig.CLIOptions.Platform),
+		)
+	}
+
+	// check if we should use the platform workspace socket
+	shouldUsePlatformWorkspaceSocket := r.WorkspaceConfig.CLIOptions.Platform.Enabled && r.WorkspaceConfig.CLIOptions.Platform.WorkspaceSocket != ""
+	if shouldUsePlatformWorkspaceSocket {
+		_, err := os.Stat(r.WorkspaceConfig.CLIOptions.Platform.WorkspaceSocket)
+		if err != nil {
+			shouldUsePlatformWorkspaceSocket = false
+		}
+	}
+
+	// if we can use the platform workspace socket we connect directly to it
+	if shouldUsePlatformWorkspaceSocket {
+		return r.runPlatformSetupServer(ctx, setupCommand, runSetupServer)
+	}
+
+	// ssh tunnel
+	sshTunnelCmd := fmt.Sprintf("'%s' helper ssh-server --stdio", agent.ContainerDevPodHelperLocation)
+	if ide.ReusesAuthSock(r.WorkspaceConfig.Workspace.IDE.Name) {
+		sshTunnelCmd += fmt.Sprintf(" --reuse-ssh-auth-sock=%s", r.WorkspaceConfig.CLIOptions.SSHAuthSockID)
+	}
+	if r.Log.GetLevel() == logrus.DebugLevel {
+		sshTunnelCmd += " --debug"
+	}
+
 	agentInjectFunc := func(cancelCtx context.Context, sshCmd string, sshTunnelStdinReader, sshTunnelStdoutWriter *os.File, writer io.WriteCloser) error {
 		return r.Driver.CommandDevContainer(cancelCtx, r.ID, "root", sshCmd, sshTunnelStdinReader, sshTunnelStdoutWriter, writer)
 	}
-
 	return sshtunnel.ExecuteCommand(
 		ctx,
 		nil,
@@ -144,21 +175,68 @@ func (r *runner) setupContainer(
 		sshTunnelCmd,
 		setupCommand,
 		r.Log,
-		func(ctx context.Context, stdin io.WriteCloser, stdout io.Reader) (*config.Result, error) {
-			return tunnelserver.RunSetupServer(
-				ctx,
-				stdout,
-				stdin,
-				r.WorkspaceConfig.Agent.InjectGitCredentials != "false",
-				r.WorkspaceConfig.Agent.InjectDockerCredentials != "false",
-				config.GetMounts(result),
-				r.Log,
-				tunnelserver.WithPlatformOptions(&r.WorkspaceConfig.CLIOptions.Platform),
-			)
-		},
+		runSetupServer,
 	)
 }
 
+func (r *runner) runPlatformSetupServer(ctx context.Context, setupCommand string, tunnelServerFunc sshtunnel.TunnelServerFunc) (*config.Result, error) {
+	r.Log.Infof("Connecting to workspace...")
+
+	// create a dialer that connects to the platform workspace socket
+	dialer := func(ctx context.Context, network, address string) (net.Conn, error) {
+		dial := &net.Dialer{}
+		return dial.DialContext(ctx, "unix", r.WorkspaceConfig.CLIOptions.Platform.WorkspaceSocket)
+	}
+
+	// start machine on stdio
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// create a new direct ssh client
+	toolClient, err := ts.WaitForSSHClient(ctx, dialer, "tcp", fmt.Sprintf("%s:%d", r.WorkspaceConfig.CLIOptions.Platform.WorkspaceHost, server.DefaultUserPort), "root", time.Second*30, r.Log)
+	if err != nil {
+		return nil, fmt.Errorf("create SSH tool client: %w", err)
+	}
+	defer toolClient.Close()
+
+	// create the pipes
+	stdoutReader, stdoutWriter, err := os.Pipe()
+	if err != nil {
+		return nil, err
+	}
+	stdinReader, stdinWriter, err := os.Pipe()
+	if err != nil {
+		return nil, err
+	}
+	defer stdoutWriter.Close()
+	defer stdinWriter.Close()
+
+	// create the error channel & execute remote command
+	errChan := make(chan error, 1)
+	go func() {
+		defer cancel()
+
+		writer := r.Log.Writer(logrus.InfoLevel, false)
+		defer writer.Close()
+
+		err = devssh.Run(ctx, toolClient, setupCommand, stdinReader, stdoutWriter, writer, nil)
+		if err != nil {
+			errChan <- errors.Wrap(err, "run agent command")
+		} else {
+			errChan <- nil
+		}
+	}()
+
+	// start tunnel server locally
+	result, err := tunnelServerFunc(ctx, stdinWriter, stdoutReader)
+	if err != nil {
+		return nil, fmt.Errorf("start tunnel server: %w", err)
+	}
+
+	// wait until command finished
+	return result, <-errChan
+}
+
 func getRelativeDevContainerJson(origin, localWorkspaceFolder string) string {
 	relativePath := strings.TrimPrefix(filepath.ToSlash(origin), filepath.ToSlash(localWorkspaceFolder))
 	return strings.TrimPrefix(relativePath, "/")

pkg/ts/ssh.go

@@ -3,23 +3,25 @@ package ts
 import (
 	"context"
 	"fmt"
+	"net"
 	"time"
 
 	"github.com/loft-sh/log"
 	"golang.org/x/crypto/ssh"
-	tsClient "tailscale.com/client/tailscale"
 )
 
-func WaitForSSHClient(ctx context.Context, lc *tsClient.LocalClient, host string, port int, user string, log log.Logger) (*ssh.Client, error) {
-	deadline := time.Now().Add(10 * time.Second)
+type Dialer func(ctx context.Context, network, address string) (net.Conn, error)
+
+func WaitForSSHClient(ctx context.Context, dialer Dialer, network, address string, user string, timeout time.Duration, log log.Logger) (*ssh.Client, error) {
+	deadline := time.Now().Add(timeout)
 
 	var (
 		c   *ssh.Client
 		err error
 	)
-	log.Debugf("Attempting to establish SSH connection with %s as user %s", host, user)
+	log.Debugf("Attempting to establish SSH connection with %s as user %s", address, user)
 	for time.Now().Before(deadline) {
-		c, err = newSSHClient(ctx, lc, host, port, user)
+		c, err = newSSHClient(ctx, dialer, network, address, user)
 		if err == nil {
 			return c, nil
 		}
@@ -35,10 +37,10 @@ func WaitForSSHClient(ctx context.Context, lc *tsClient.LocalClient, host string
 	return c, err
 }
 
-func newSSHClient(ctx context.Context, lc *tsClient.LocalClient, host string, port int, user string) (*ssh.Client, error) {
-	conn, err := lc.DialTCP(ctx, host, uint16(port))
+func newSSHClient(ctx context.Context, dialer Dialer, network, address string, user string) (*ssh.Client, error) {
+	conn, err := dialer(ctx, network, address)
 	if err != nil {
-		return nil, fmt.Errorf("dial %s: %w", host, err)
+		return nil, fmt.Errorf("dial %s: %w", address, err)
 	}
 
 	clientConfig := &ssh.ClientConfig{
@@ -47,8 +49,7 @@ func newSSHClient(ctx context.Context, lc *tsClient.LocalClient, host string, po
 		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 	}
 
-	serverAddress := fmt.Sprintf("%s:%d", host, port)
-	sshConn, channels, requests, err := ssh.NewClientConn(conn, serverAddress, clientConfig)
+	sshConn, channels, requests, err := ssh.NewClientConn(conn, address, clientConfig)
 	if err != nil {
 		return nil, fmt.Errorf("establish SSH connection: %w", err)
 	}