Update install process and Containerization (#149)

* initial update, images building - doc updates and docker-compose next

* small fixes

* stages of build w/ makefile to allow for smaller images for independent pieces

* remove pfring from sim target

* docker-compose files and start scripts

* env var for registrar config

* use pf_ringcfg to load drivers in on-reboot.sh

* readme and run instructions

* remove reference to tapdance in comment

* we do not commit Cargo.lock because it is a rust lib, not a bin

* Fixes for containerization
- copy to /opt/conjure/ paths
- misc bugfixes

* fixed linux headers dep, fixed path for zbalance systemd file (others seem fine)

* added ability to build pfring from source with older versions and fixed some wiring things

* cahnged the application zmq private key to default to the station private key via env var

* variable oversight

* add systemd service so docker can be used to run conjure from boot

* systemd service for containerized conjure

* docker-umentation

---------

Co-authored-by: mfallone <[email protected]>

Author: jmwample

Makefile

@@ -36,10 +36,28 @@ conjure-sim: detect.c loadkey.c rust_util.c rust libtapdance
 registration-server:
 	cd ./cmd/registration-server/ && make
 
-# Note this copies in the whole current directory as context and results in
-# overly large context. should not be used to build release/production images.
-custom-build:
-	docker build --build-arg CUSTOM_BUILD=1 -f docker/Dockerfile .
+PARAMS := det app reg zbalance sim
+target := unk
+# makefile arguments take preference, if one is not provided we check the environment variable.
+# If that is also missing then we use "latest" and install pfring from pkg in the docker build.
+ifndef pfring_ver
+	ifdef PFRING_VER
+		pfring_ver := ${PFRING_VER}
+	else
+		pfring_ver := latest
+	endif
+endif
+
+container:
+ifeq (unk,$(target))
+	DOCKER_BUILDKIT=1 docker build -t conjure -t pf-$(pfring_ver) -f  docker/Dockerfile --build-arg pfring_ver=$(pfring_ver) .
+#	@printf "DOCKER_BUILDKIT=1 docker build -t conjure -f  docker/Dockerfile --build-arg pfring_ver=$(pfring_ver) .\n"
+else ifneq  (,$(findstring $(target), $(PARAMS)))
+	DOCKER_BUILDKIT=1 docker build --target conjure_$(target) -t conjure_$(target) -t pf-$(pfring_ver) -f docker/Dockerfile --build-arg pfring_ver=$(pfring_ver) .
+#	@printf "DOCKER_BUILDKIT=1 docker build --target conjure_$(target) -t conjure_$(target) -f docker/Dockerfile --build-arg pfring_ver=$(pfring_ver) .\n"
+else
+	@printf "unrecognized container target $(target) - please use one of [ $(PARAMS) ]\n"
+endif
 
 
 backup-config:

application/config.toml

@@ -10,8 +10,10 @@ socket_name = "zmq-proxy"
 
 # Absolute path to private key to use when authenticating with servers.
 # Can be either privkey or privkey || pubkey; only first 32 bytes will
-# be used.
-privkey_path = "/opt/conjure/sysconfig/privkey"
+# be used. If this is blank then the environment variable CJ_PRIVKEY
+# which is defined in conjure.conf will be used (if that fails to parse
+# the station will shutdown).
+privkey_path = ""
 
 # Time in milliseconds to wait between sending heartbeats.
 # Heartbeats are only sent when other traffic doesn't come through;
@@ -75,7 +77,7 @@ covert_blocklist_subnets = [
 
 # Automatically add all addresses and subnets associated with local devices to
 # the blocklist.
-covert_blocklist_public_addrs = false
+covert_blocklist_public_addrs = true
 
 # Override the blocklist providing a more restrictive allowlist. Any addresses
 # not explicitly included in an allowlisted subnet will be considered

application/lib/config.go

@@ -23,7 +23,7 @@ func ParseConfig() (*Config, error) {
 	var envPath = os.Getenv("CJ_STATION_CONFIG")
 	_, err := toml.DecodeFile(envPath, &c)
 	if err != nil {
-		return nil, fmt.Errorf("failed to load config(%s): %v", envPath, err)
+		return nil, fmt.Errorf("failed to load config (%s): %v", envPath, err)
 	}
 
 	c.ParseBlocklists()

application/lib/zmq_proxy.go

@@ -145,7 +145,12 @@ func (zi *ZMQIngester) PrintAndReset(logger *log.Logger) {
 // location of the config file with the CJ_PROXY_CONFIG environment variable.
 func (zi *ZMQIngester) proxyZMQ() {
 
-	privkey, err := os.ReadFile(zi.PrivateKeyPath)
+	privkeyPath := zi.PrivateKeyPath
+	if privkeyPath == "" {
+		privkeyPath = os.Getenv("CJ_PRIVKEY")
+	}
+
+	privkey, err := os.ReadFile(privkeyPath)
 	if err != nil {
 		zi.logger.Fatalln("failed to load private key:", err)
 	}

cmd/registration-server/main.go

@@ -145,15 +145,19 @@ func main() {
 	var configPath string
 	var apiOnly, dnsOnly bool
 
-	flag.StringVar(&configPath, "config", "", "configuration file path")
+	flag.StringVar(&configPath, "config", "", "configuration file path, alternative to CJ_REGISTRAR_CONFIG env var")
 	flag.BoolVar(&apiOnly, "api-only", false, "run only the API registrar")
 	flag.BoolVar(&dnsOnly, "dns-only", false, "run only the DNS registrar")
 	flag.Parse()
 
 	if configPath == "" {
-		fmt.Fprintf(os.Stderr, "-config is a required flag")
-		flag.Usage()
-		os.Exit(2)
+		configPath = os.Getenv("CJ_REGISTRAR_CONFIG")
+
+		if configPath == "" {
+			fmt.Fprintf(os.Stderr, "configuration path is a required flag")
+			flag.Usage()
+			os.Exit(2)
+		}
 	}
 
 	logFormatter := &log.TextFormatter{

docker/Dockerfile

@@ -1,104 +1,152 @@
-#FROM ubuntu:20.04 as build_base
-FROM ubuntu:20.04 as build_base_go
-#    PATH="/opt/PF_RING/userland/examples_zc:$PATH"
-ARG GO_VERSION=1.15.2
-ARG CUSTOM_BUILD
-ARG BRANCH=master
-ENV PATH="/usr/local/go/bin:/root/.cargo/bin:${PATH}" \
-    GOPATH="/root/go" \
-    GOROOT="/usr/local/go"
-
-# Install dependencies: including rust and go
-RUN apt-get update && \
-    DEBIAN_FRONTEND="noninteractive" apt-get -y -q install wget git make gcc bison flex protobuf-compiler curl libssl-dev pkg-config libgmp3-dev libzmq3-dev && \
-    apt-get clean all && \
-    wget -q https://golang.org/dl/go${GO_VERSION}.linux-amd64.tar.gz && \
-    tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz && \
-    curl https://sh.rustup.rs -sSf -o install_rust.sh; sh install_rust.sh -y && \
-    cargo install protobuf-codegen
-
-# Install PFRING to get libraries
-RUN apt-get install -y -q software-properties-common wget && \
-    add-apt-repository universe && \
-    wget https://packages.ntop.org/apt-stable/20.04/all/apt-ntop-stable.deb && \
-    apt install ./apt-ntop-stable.deb && \
-    apt-get clean all && \
-    apt-get update && \
-    apt-get install -y -q pfring && \
-    apt-get clean all
-
-
-# Copy docker context dir. This is used as a source if CUSTOM_BUILD is enabled
-COPY . /tmp/conjure
-
-# Get Conjure or copy a directory Dockerfile is in. Switched by CUSTOM_BUILD var
-RUN go get -d github.com/refraction-networking/conjure/...  ; \
-    bash -c 'if [[ ! -z "$CUSTOM_BUILD" ]] ; then \
-    rm -rf ${GOPATH}/src/github.com/refraction-networking/conjure; cp -r /tmp/conjure ${GOPATH}/src/github.com/refraction-networking/conjure ; \
-    fi'
-
-# Checkout needed branch if not builing using CUSTOM_BUILD
-RUN bash -c 'if [[ -z "CUSTOM_BUILD" ]] ; then \
-    cd /root/go/src/github.com/refraction-networking/conjure && \
-    git checkout ${BRANCH}; \
-    fi'
-
-# Compile
-RUN cd /root/go/src/github.com/refraction-networking/conjure && \
-    go get ./... || true && \
-    make
-
-# Copy results
-RUN cp -r /root/go/src/github.com/refraction-networking/conjure /opt/conjure
-
-
-
-FROM ubuntu:20.04 as zbalance
-ENV CJ_IFACE=lo \
-    CJ_CLUSTER_ID=98 \
-    CJ_CORECOUNT=1 \
-    CJ_COREBASE=0 \
-    ZBALANCE_HASH_MODE=1
-#COPY --from=build_base /opt/PF_RING /opt/PF_RING
-
-RUN apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get -y -q install libelf1
-
-COPY --from=build_base_go /usr/bin/zbalance_ipc /usr/bin/zbalance_ipc
-COPY ./docker/zbalance-entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["bash", "/entrypoint.sh"]
-
-
-
-
-FROM ubuntu:20.04 as detector
-ENV CJ_CLUSTER_ID=98 \
-    CJ_CORECOUNT=1 \
-    CJ_COREBASE=0 \
-    CJ_SKIP_CORE=-1 \
-    CJ_QUEUE_OFFSET=0 \
-    CJ_LOG_INTERVAL=5 \
-    CJ_PRIVKEY=/opt/conjure/keys/privkey \
-    CJ_STATION_CONFIG=/opt/conjure/application/config.toml \
-    CJ_IP4_ADDR=127.0.0.1 \
-    CJ_IP6_ADDR=[::1]
-#COPY --from=build_base_go /opt/conjure/dark-decoy /opt/conjure/dark-decoy
-COPY --from=build_base_go /opt/conjure/conjure /opt/conjure/conjure
-COPY --from=build_base_go /opt/conjure/application/config.toml /opt/conjure/application/config.toml
-COPY ./docker/detector-entrypoint.sh /entrypoint.sh
-COPY --from=build_base_go /usr/local/lib/libpcap.so /usr/local/lib/libpcap.so
-
-RUN apt-get update && apt-get -y -q install libzmq3-dev iproute2 iptables && apt-get clean all
-ENTRYPOINT [ "/entrypoint.sh"]
-
-
-
-
-FROM ubuntu:20.04 as application
-ENV CJ_STATION_CONFIG=/opt/conjure/application/config.toml \
-    PHANTOM_SUBNET_LOCATION=/opt/conjure/sysconfig/phantom_subnets.toml
-COPY --from=build_base_go /opt/conjure/application/application /opt/conjure/application/application
-RUN apt-get update && apt-get -y -q install libzmq3-dev && apt-get clean all
-COPY --from=build_base_go /opt/conjure/application/config.toml ${CJ_STATION_CONFIG}
-COPY --from=build_base_go /opt/conjure/application/lib/test/phantom_subnets.toml ${PHANTOM_SUBNET_LOCATION}
-#COPY ./docker/application-entrypoint.sh /entrypoint.sh
-ENTRYPOINT [ "/opt/conjure/application/application"]
+# syntax=docker/dockerfile:1.3-labs
+
+FROM ubuntu:20.04 AS base_pfring
+ARG UNAME=conjure
+ARG UID=1000
+ARG GID=1000
+RUN groupadd -g $GID -o $UNAME
+RUN useradd -m -u $UID -g $GID -o -s /bin/bash $UNAME
+
+RUN apt-get update && apt-get install -yq sudo apt-utils software-properties-common
+
+# install pf_ring deps
+
+COPY scripts/install_pfring.sh /
+ARG pfring_ver="latest"
+RUN /usr/bin/sudo pfring_ver="${pfring_ver}" /install_pfring.sh
+
+# ------------------------------------------------------------------------------
+# Development image
+#
+# Builds a common image that has all dependencies required to build and run
+# any piece of the station. Ideally we want to redo this as little as possible.
+# ------------------------------------------------------------------------------
+FROM base_pfring AS dev_img
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata
+COPY prereqs_once.sh /opt/conjure/
+
+WORKDIR /opt/conjure
+ENV is_docker_build YES
+RUN /usr/bin/sudo ./prereqs_once.sh
+
+WORKDIR /opt/conjure
+
+COPY Makefile *.c *.h  /opt/conjure/
+COPY libtapdance/ /opt/conjure/libtapdance
+RUN make libtd
+
+# run cargo build to allow for dependencies to cached
+RUN PATH="$HOME/.cargo/bin:$PATH" cargo init --lib .
+COPY Cargo.toml build.rs /opt/conjure/
+RUN --mount=type=cache,target=/usr/local/cargo/registry PATH="$HOME/.cargo/bin:$PATH" cargo build --release
+
+COPY src/ /opt/conjure/src
+
+# A bit of magic here!
+# * We're mounting that cache again to use during the build, otherwise it's not present and we'll have to download those again - bad!
+# * EOF syntax is neat but not without its drawbacks. We need to `set -e`, otherwise a failing command is going to continue on
+# * Rust here is a bit fiddly, so we'll touch the files (even though we copied over them) to force a new build
+RUN --mount=type=cache,target=/usr/local/cargo/registry <<EOF
+set -e
+# update timestamps to force a new build
+touch /opt/conjure/src/lib.rs
+PATH="$HOME/.cargo/bin:$PATH" make rust
+EOF
+
+RUN PATH="$HOME/.cargo/bin:$PATH" make conjure-sim && mv conjure conjure-sim
+RUN PATH="$HOME/.cargo/bin:$PATH" make conjure
+
+COPY go.* /opt/conjure/
+COPY cmd/ /opt/conjure/cmd
+COPY application/ /opt/conjure/application
+COPY pkg/ /opt/conjure/pkg
+
+RUN PATH="$HOME/.go/bin/:$PATH" make app
+RUN PATH="$HOME/.go/bin/:$PATH" make registration-server
+
+# Add default configs and launch scripts
+COPY sysconfig/ /opt/conjure/sysconfig
+COPY scripts/ /opt/conjure/bin
+
+# add application as default entrypoint for dev reasons.
+ENTRYPOINT /opt/conjure/application/application
+
+
+# ------------------------------------------------------------------------------
+# Production image zbalance only
+# ------------------------------------------------------------------------------
+FROM base_pfring as conjure_zbalance
+# Add default configs and launch scripts
+COPY sysconfig/ /opt/conjure/sysconfig
+COPY scripts/ /opt/conjure/bin
+
+ENTRYPOINT /opt/conjure/bin/start_zbalance_ipc.sh
+
+
+# ------------------------------------------------------------------------------
+# Production image detector only (kind of, requires pfring)
+# ------------------------------------------------------------------------------
+FROM base_pfring as conjure_det
+# Add default configs and launch scripts
+COPY sysconfig/ /opt/conjure/sysconfig
+COPY scripts/ /opt/conjure/bin
+
+RUN apt update && apt install -yq libzmq3-dev
+COPY --from=dev_img /opt/conjure/conjure /opt/conjure/bin/
+
+
+# ------------------------------------------------------------------------------
+# Production image application only
+# ------------------------------------------------------------------------------
+FROM ubuntu:20.04 as conjure_app
+# Add default configs and launch scripts
+COPY sysconfig/ /opt/conjure/sysconfig
+COPY scripts/ /opt/conjure/bin
+COPY application/ /opt/conjure/application
+
+RUN apt update && apt install -yq libzmq3-dev
+COPY --from=dev_img /opt/conjure/application/application /opt/conjure/bin/
+
+
+# ------------------------------------------------------------------------------
+# Production image registration server only
+# ------------------------------------------------------------------------------
+FROM ubuntu:20.04 as conjure_reg
+# Add default configs and launch scripts
+COPY sysconfig/ /opt/conjure/sysconfig
+COPY scripts/ /opt/conjure/bin
+
+RUN apt update && apt install -yq libzmq3-dev
+COPY --from=dev_img /opt/conjure/cmd/registration-server/registration-server /opt/conjure/bin/
+
+
+# ------------------------------------------------------------------------------
+# Simulation image (no pfring required)
+# ------------------------------------------------------------------------------
+FROM ubuntu:20.04 as conjure_sim
+# Add default configs and launch scripts
+COPY sysconfig/ /opt/conjure/sysconfig
+COPY scripts/ /opt/conjure/bin
+
+RUN apt update && apt install -yq libzmq3-dev
+COPY --from=dev_img /opt/conjure/conjure-sim /opt/conjure/bin/conjure
+COPY --from=dev_img /opt/conjure/cmd/registration-server/registration-server /opt/conjure/bin/
+COPY --from=dev_img /opt/conjure/conjure /opt/conjure/bin/
+
+
+# ------------------------------------------------------------------------------
+# Production image all (default)
+# ------------------------------------------------------------------------------
+FROM base_pfring as conjure
+# Add default configs and launch scripts
+COPY sysconfig/ /opt/conjure/sysconfig
+COPY scripts/ /opt/conjure/bin
+COPY application/ /opt/conjure/application
+
+RUN apt update && apt install -yq libzmq3-dev
+COPY --from=dev_img /opt/conjure/application/application /opt/conjure/bin/
+COPY --from=dev_img /opt/conjure/cmd/registration-server/registration-server /opt/conjure/bin/
+COPY --from=dev_img /opt/conjure/conjure /opt/conjure/bin/
+
+# ENTRYPOINT /bin/bash