Use dynamic ports for Steve to avoid conflicts with other software

Steve's hardcoded ports 9443 and 9080 conflict with other software
(e.g. Logitech GHub). Replace them with OS-assigned ephemeral ports.
Since no external tool connects to Steve directly, fixed port numbers
serve no purpose.

Ports are resolved before each Steve start and passed to Steve itself
(--https-listen-port and --http-listen-port), the certificate-error
handler, and DashboardServer.

DashboardServer recreates its proxy middleware on each port change so
that http-proxy-middleware's options.target always holds a valid URL.
The onProxyReqWs callback reads options.target to strip prepended
path prefixes from websocket requests; without a proper target, it
destroys every websocket connection. Express routes use wrapper
functions that delegate to the current proxy instances, so replacing
them takes effect without re-registering routes.

DashboardServer also exposes /api/steve-port so the dashboard plugin
can discover the port dynamically.

Fixes #1890

Signed-off-by: Jan Dubois <jan.dubois@suse.com>

Author: jandubois

.github/actions/spelling/expect.txt

@@ -641,6 +641,7 @@ toggleable
 togglefullscreen
 tonistiigi
 toolsets
+TOCTOU
 topmenu
 TQF
 traefik

background.ts

@@ -35,7 +35,7 @@ import { ImageEventHandler } from '@pkg/main/imageEvents';
 import { getIpcMainProxy } from '@pkg/main/ipcMain';
 import mainEvents from '@pkg/main/mainEvents';
 import buildApplicationMenu from '@pkg/main/mainmenu';
-import setupNetworking from '@pkg/main/networking';
+import setupNetworking, { setStevePort } from '@pkg/main/networking';
 import { Snapshots } from '@pkg/main/snapshots/snapshots';
 import { Snapshot, SnapshotDialog } from '@pkg/main/snapshots/types';
 import { Tray } from '@pkg/main/tray';
@@ -45,6 +45,7 @@ import getCommandLineArgs from '@pkg/utils/commandLine';
 import dockerDirManager from '@pkg/utils/dockerDirManager';
 import { isDevEnv } from '@pkg/utils/environment';
 import Logging, { clearLoggingDirectory, setLogLevel } from '@pkg/utils/logging';
+import { getAvailablePort } from '@pkg/utils/networks';
 import { fetchMacOsVersion, getMacOsVersion } from '@pkg/utils/osVersion';
 import paths from '@pkg/utils/paths';
 import { protocolsRegistered, setupProtocolHandlers } from '@pkg/utils/protocols';
@@ -1277,7 +1278,13 @@ function newK8sManager() {
         currentImageProcessor?.relayNamespaces();
 
         if (enabledK8s) {
-          await Steve.getInstance().start();
+          const steveHttpsPort = await getAvailablePort();
+          const steveHttpPort = await getAvailablePort();
+
+          console.log(`Steve ports: HTTPS=${ steveHttpsPort } HTTP=${ steveHttpPort }`);
+          DashboardServer.getInstance().setStevePort(steveHttpsPort);
+          setStevePort(steveHttpsPort);
+          await Steve.getInstance().start(steveHttpsPort, steveHttpPort);
         }
       }
 

pkg/rancher-desktop/assets/dependencies.yaml

@@ -13,7 +13,7 @@ dockerCompose: 5.1.0
 golangci-lint: 2.11.3
 trivy: 0.69.3
 steve: 0.1.0-beta9.1
-rancherDashboard: 2.11.1.rd3
+rancherDashboard: 2.11.1.rd4
 dockerProvidedCredentialHelpers: 0.9.5
 ECRCredentialHelper: 0.12.0
 mobyOpenAPISpec: "1.54"

pkg/rancher-desktop/backend/steve.ts

@@ -8,18 +8,17 @@ import K3sHelper from '@pkg/backend/k3sHelper';
 import Logging from '@pkg/utils/logging';
 import paths from '@pkg/utils/paths';
 
-const STEVE_PORT = 9443;
-
 const console = Logging.steve;
 
 /**
- * @description Singleton that manages the lifecycle of the Steve API
+ * @description Singleton that manages the lifecycle of the Steve API.
  */
 export class Steve {
   private static instance: Steve;
   private process!:        ChildProcess;
 
   private isRunning: boolean;
+  private httpsPort = 0;
 
   private constructor() {
     this.isRunning = false;
@@ -40,8 +39,10 @@ export class Steve {
   /**
    * @description Starts the Steve API if one is not already running.
    * Returns only after Steve is ready to accept connections.
+   * @param httpsPort The HTTPS port for Steve to listen on.
+   * @param httpPort The HTTP port for Steve to listen on.
    */
-  public async start() {
+  public async start(httpsPort: number, httpPort: number) {
     const { pid } = this.process || { };
 
     if (this.isRunning && pid) {
@@ -50,6 +51,8 @@ export class Steve {
       return;
     }
 
+    this.httpsPort = httpsPort;
+
     const osSpecificName = /^win/i.test(os.platform()) ? 'steve.exe' : 'steve';
     const stevePath = path.join(paths.resources, os.platform(), 'internal', osSpecificName);
     const env = Object.assign({}, process.env);
@@ -68,6 +71,10 @@ export class Steve {
         path.join(paths.resources, 'rancher-dashboard'),
         '--offline',
         'true',
+        '--https-listen-port',
+        String(httpsPort),
+        '--http-listen-port',
+        String(httpPort),
       ],
       { env },
     );
@@ -136,7 +143,7 @@ export class Steve {
   }
 
   /**
-   * Check if Steve is accepting connections on its port.
+   * Check if Steve is accepting connections on its HTTPS port.
    */
   private isPortReady(): Promise<boolean> {
     return new Promise((resolve) => {
@@ -155,7 +162,7 @@ export class Steve {
         socket.destroy();
         resolve(false);
       });
-      socket.connect(STEVE_PORT, '127.0.0.1');
+      socket.connect(this.httpsPort, '127.0.0.1');
     });
   }
 

pkg/rancher-desktop/main/dashboardServer/index.ts

@@ -26,9 +26,27 @@ export class DashboardServer {
   private dashboardApp: Server = new Server();
   private host = '127.0.0.1';
   private port = 6120;
-  private api = 'https://127.0.0.1:9443';
+  private stevePort = 0;
+  private proxies:      Record<string, ReturnType<typeof createProxyMiddleware>> = Object.create(null);
 
-  private proxies = (() => {
+  /**
+   * Checks for an existing instance of Dashboard server.
+   * Instantiate a new one if it does not exist.
+   */
+  public static getInstance(): DashboardServer {
+    DashboardServer.instance ??= new DashboardServer();
+
+    return DashboardServer.instance;
+  }
+
+  /**
+   * Recreate proxy middleware instances with the current Steve URL as
+   * the target.  Called from setStevePort() so each Steve restart gets
+   * proxies whose target (used by onProxyReqWs for path correction)
+   * matches the actual Steve address.
+   */
+  private createProxies() {
+    const api = `https://127.0.0.1:${ this.stevePort }`;
     const proxy: Record<ProxyKeys, Options> = {
       '/k8s':       proxyWsOpts, // Straight to a remote cluster (/k8s/clusters/<id>/)
       '/pp':        proxyWsOpts, // For (epinio) standalone API
@@ -42,20 +60,19 @@ export class DashboardServer {
       '/v1-*etc':   proxyOpts, // SAML, KDM, etc
     };
     const entries = Object.entries(proxy).map(([key, options]) => {
-      return [key, createProxyMiddleware({ ...options, target: this.api + key })] as const;
+      return [key, createProxyMiddleware({ ...options, target: api + key })] as const;
     });
 
-    return Object.fromEntries(entries);
-  })();
+    this.proxies = Object.fromEntries(entries) as typeof this.proxies;
+  }
 
   /**
-   * Checks for an existing instance of Dashboard server.
-   * Instantiate a new one if it does not exist.
+   * Update the Steve HTTPS port and recreate proxies with the new
+   * target.  Call this before each Steve start.
    */
-  public static getInstance(): DashboardServer {
-    DashboardServer.instance ??= new DashboardServer();
-
-    return DashboardServer.instance;
+  public setStevePort(stevePort: number) {
+    this.stevePort = stevePort;
+    this.createProxies();
   }
 
   /**
@@ -68,8 +85,17 @@ export class DashboardServer {
       return;
     }
 
+    // Register before the proxy routes so /api/steve-port is not
+    // captured by the /api proxy to Steve.
+    this.dashboardServer.get('/api/steve-port', (_req, res) => {
+      res.json({ port: this.stevePort });
+    });
+
+    // Register wrapper functions so that when createProxies() replaces
+    // this.proxies (on each Steve restart), express and the upgrade
+    // handler automatically use the new instances.
     ProxyKeys.forEach((key) => {
-      this.dashboardServer.use(key, this.proxies[key]);
+      this.dashboardServer.use(key, (req, res, next) => this.proxies[key]?.(req, res, next) ?? next());
     });
 
     this.dashboardApp = this.dashboardServer
@@ -99,17 +125,20 @@ export class DashboardServer {
           return;
         }
 
-        if (req.url?.startsWith('/v1')) {
-          return this.proxies['/v1'].upgrade(req, socket, head);
-        } else if (req.url?.startsWith('/v3')) {
-          return this.proxies['/v3'].upgrade(req, socket, head);
-        } else if (req.url?.startsWith('/k8s/')) {
-          return this.proxies['/k8s'].upgrade(req, socket, head);
-        } else if (req.url?.startsWith('/api/')) {
-          return this.proxies['/api'].upgrade(req, socket, head);
-        } else {
-          console.log(`Unknown Web socket upgrade request for ${ req.url }`);
+        const key = req.url?.startsWith('/v1')
+          ? '/v1'
+          : req.url?.startsWith('/v3')
+            ? '/v3'
+            : req.url?.startsWith('/k8s/')
+              ? '/k8s'
+              : req.url?.startsWith('/api/')
+                ? '/api'
+                : undefined;
+
+        if (key) {
+          return this.proxies[key]?.upgrade(req, socket, head);
         }
+        console.log(`Unknown Web socket upgrade request for ${ req.url }`);
       });
   }
 

pkg/rancher-desktop/main/networking/index.ts

@@ -17,6 +17,17 @@ import { windowMapping } from '@pkg/window';
 
 const console = Logging.networking;
 
+let stevePort = 0;
+
+/**
+ * Update the Steve HTTPS port used by the certificate-error handler.
+ * Call this before each Steve start so that dynamic port changes are
+ * reflected in the allowed-URL list.
+ */
+export function setStevePort(port: number) {
+  stevePort = port;
+}
+
 export default async function setupNetworking() {
   const agentOptions = { ...https.globalAgent.options };
 
@@ -42,10 +53,9 @@ export default async function setupNetworking() {
 
   // Set up certificate handling for system certificates on Windows and macOS
   Electron.app.on('certificate-error', async(event, webContents, url, error, certificate, callback) => {
-    const tlsPort = 9443;
     const dashboardUrls = [
-      `https://127.0.0.1:${ tlsPort }`,
-      `wss://127.0.0.1:${ tlsPort }`,
+      `https://127.0.0.1:${ stevePort }`,
+      `wss://127.0.0.1:${ stevePort }`,
       'http://127.0.0.1:6120',
       'ws://127.0.0.1:6120',
     ];

pkg/rancher-desktop/utils/__tests__/networks.spec.ts

@@ -0,0 +1,34 @@
+import net from 'net';
+
+import { getAvailablePort } from '../networks';
+
+describe('getAvailablePort', () => {
+  it('returns a port greater than zero', async() => {
+    const port = await getAvailablePort();
+
+    expect(port).toBeGreaterThan(0);
+  });
+
+  it('returns a usable port', async() => {
+    const port = await getAvailablePort();
+
+    // Verify the returned port can actually be bound.
+    const server = net.createServer();
+
+    await new Promise<void>((resolve, reject) => {
+      server.once('error', reject);
+      server.listen(port, '127.0.0.1', resolve);
+    });
+
+    await new Promise<void>((resolve) => {
+      server.close(() => resolve());
+    });
+  });
+
+  it('returns distinct ports on consecutive calls', async() => {
+    const port1 = await getAvailablePort();
+    const port2 = await getAvailablePort();
+
+    expect(port1).not.toBe(port2);
+  });
+});

pkg/rancher-desktop/utils/networks.ts

@@ -1,3 +1,4 @@
+import net from 'net';
 import os from 'os';
 
 export enum networkStatus {
@@ -6,6 +7,25 @@ export enum networkStatus {
   OFFLINE = 'offline',
 }
 
+/**
+ * Ask the OS to assign a free port on localhost. The port is released
+ * before returning, so there is a small TOCTOU race before the caller
+ * binds it. In practice the risk is negligible because the caller
+ * (Steve) binds within seconds.
+ */
+export function getAvailablePort(): Promise<number> {
+  return new Promise((resolve, reject) => {
+    const server = net.createServer();
+
+    server.once('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const addr = server.address() as net.AddressInfo;
+
+      server.close(() => resolve(addr.port));
+    });
+  });
+}
+
 export function wslHostIPv4Address(): string | undefined {
   const interfaces = os.networkInterfaces();
   // The veth interface name changed at some time on Windows 11, so try the new name if the old one doesn't exist