feat: support building enclave image

zensh · zensh · commit 97d4a8663989 · 2024-07-18T17:15:47.000+08:00
diff --git a/.env b/.env
@@ -18,5 +18,5 @@ URL_HTTPBIN="https://httpbin.org/get?api-key=abc123"
 # URL_DOGE_TEST="http://192.168.1.80:44555/"
 # URL_XXX=...
 
-HEADER_API_TOKEN="Basic SUNQYW5kYTpJVEZDNlJjam56RkdEQnd0SzByYV9kS0swR29lSElqVUl3V2lEb3VrRWU0"
+# HEADER_API_TOKEN="Basic SUNQYW5kYTpJVEZDNlJjam56RkdEQnd0SzByYV9kS0swR29lSElqVUl3V2lEb3VrRWU0"
 # HEADER_XXX=...
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -15,7 +15,7 @@ strip = true
 opt-level = 's'
 
 [workspace.package]
-version = "1.1.0"
+version = "1.1.1"
 edition = "2021"
 repository = "https://github.com/ldclabs/idempotent-proxy"
 keywords = ["idempotent", "reverse", "proxy", "icp"]
diff --git a/README.md b/README.md
@@ -64,6 +64,14 @@ docker run --name redis -d -p 6379:6379 redis:latest
 cargo run -p idempotent-proxy-server
 ```
 
+### Building enclave image
+
+https://docs.marlin.org/user-guides/oyster/instances/quickstart/build
+
+```bash
+docker build -f enclave/arm64.Dockerfile -t enclave:latest .
+```
+
 ### Running as Cloudflare Worker
 
 Idempotent Proxy can be running as a Cloudflare Worker. In order to use Durable Objects, you must switch to a paid plan.
diff --git a/enclave/amd64.Dockerfile b/enclave/amd64.Dockerfile
@@ -0,0 +1,60 @@
+# base image
+FROM --platform=arm64 rust:slim-bookworm AS builder
+
+RUN apt-get update \
+    && apt-get install -y gcc g++ libc6-dev pkg-config libssl-dev
+
+WORKDIR /src
+COPY src ./src
+COPY examples ./examples
+COPY Cargo.toml Cargo.lock .env ./
+RUN cargo build --release --locked -p idempotent-proxy-server
+
+FROM debian:bookworm-slim AS runtime
+
+# install dependency tools
+RUN apt-get update \
+    && apt-get install -y net-tools iptables iproute2 wget ca-certificates tzdata curl openssl \
+    && update-ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# working directory
+WORKDIR /app
+
+# supervisord to manage programs
+RUN wget -O supervisord http://public.artifacts.marlin.pro/projects/enclaves/supervisord_master_linux_amd64
+RUN chmod +x supervisord
+
+# transparent proxy component inside the enclave to enable outgoing connections
+RUN wget -O ip-to-vsock-transparent http://public.artifacts.marlin.pro/projects/enclaves/ip-to-vsock-transparent_v1.0.0_linux_amd64
+RUN chmod +x ip-to-vsock-transparent
+
+# key generator to generate static keys
+RUN wget -O keygen http://public.artifacts.marlin.pro/projects/enclaves/keygen_v1.0.0_linux_amd64
+RUN chmod +x keygen
+
+# attestation server inside the enclave that generates attestations
+RUN wget -O attestation-server http://public.artifacts.marlin.pro/projects/enclaves/attestation-server_v1.0.0_linux_amd64
+RUN chmod +x attestation-server
+
+# proxy to expose attestation server outside the enclave
+RUN wget -O vsock-to-ip http://public.artifacts.marlin.pro/projects/enclaves/vsock-to-ip_v1.0.0_linux_amd64
+RUN chmod +x vsock-to-ip
+
+# dnsproxy to provide DNS services inside the enclave
+RUN wget -O dnsproxy http://public.artifacts.marlin.pro/projects/enclaves/dnsproxy_v0.46.5_linux_amd64
+RUN chmod +x dnsproxy
+
+# supervisord config
+COPY enclave/supervisord.conf /etc/supervisord.conf
+
+# setup.sh script that will act as entrypoint
+COPY enclave/setup.sh ./
+RUN chmod +x setup.sh
+
+# your custom setup goes here
+COPY --from=builder /src/.env ./.env
+COPY --from=builder /src/target/release/idempotent-proxy-server ./idempotent-proxy-server
+
+# entry point
+ENTRYPOINT [ "/app/setup.sh" ]
diff --git a/enclave/arm64.Dockerfile b/enclave/arm64.Dockerfile
@@ -0,0 +1,60 @@
+# base image
+FROM --platform=arm64 rust:slim-bookworm AS builder
+
+RUN apt-get update \
+    && apt-get install -y gcc g++ libc6-dev pkg-config libssl-dev
+
+WORKDIR /src
+COPY src ./src
+COPY examples ./examples
+COPY Cargo.toml Cargo.lock .env ./
+RUN cargo build --release --locked -p idempotent-proxy-server
+
+FROM debian:bookworm-slim AS runtime
+
+# install dependency tools
+RUN apt-get update \
+    && apt-get install -y net-tools iptables iproute2 wget ca-certificates tzdata curl openssl \
+    && update-ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# working directory
+WORKDIR /app
+
+# supervisord to manage programs
+RUN wget -O supervisord http://public.artifacts.marlin.pro/projects/enclaves/supervisord_master_linux_arm64
+RUN chmod +x supervisord
+
+# transparent proxy component inside the enclave to enable outgoing connections
+RUN wget -O ip-to-vsock-transparent http://public.artifacts.marlin.pro/projects/enclaves/ip-to-vsock-transparent_v1.0.0_linux_arm64
+RUN chmod +x ip-to-vsock-transparent
+
+# key generator to generate static keys
+RUN wget -O keygen http://public.artifacts.marlin.pro/projects/enclaves/keygen_v1.0.0_linux_arm64
+RUN chmod +x keygen
+
+# attestation server inside the enclave that generates attestations
+RUN wget -O attestation-server http://public.artifacts.marlin.pro/projects/enclaves/attestation-server_v1.0.0_linux_arm64
+RUN chmod +x attestation-server
+
+# proxy to expose attestation server outside the enclave
+RUN wget -O vsock-to-ip http://public.artifacts.marlin.pro/projects/enclaves/vsock-to-ip_v1.0.0_linux_arm64
+RUN chmod +x vsock-to-ip
+
+# dnsproxy to provide DNS services inside the enclave
+RUN wget -O dnsproxy http://public.artifacts.marlin.pro/projects/enclaves/dnsproxy_v0.46.5_linux_arm64
+RUN chmod +x dnsproxy
+
+# supervisord config
+COPY enclave/supervisord.conf /etc/supervisord.conf
+
+# setup.sh script that will act as entrypoint
+COPY enclave/setup.sh ./
+RUN chmod +x setup.sh
+
+# your custom setup goes here
+COPY --from=builder /src/.env ./.env
+COPY --from=builder /src/target/release/idempotent-proxy-server ./idempotent-proxy-server
+
+# entry point
+ENTRYPOINT [ "/app/setup.sh" ]
diff --git a/enclave/setup.sh b/enclave/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# setting an address for loopback
+ifconfig lo 127.0.0.1
+ifconfig
+
+# adding a default route
+ip route add default via 127.0.0.1 dev lo
+route -n
+
+# iptables rules to route traffic to transparent proxy
+iptables -A OUTPUT -t nat -p tcp --dport 1:65535 ! -d 127.0.0.1  -j DNAT --to-destination 127.0.0.1:1200
+iptables -t nat -A POSTROUTING -o lo -s 0.0.0.0 -j SNAT --to-source 127.0.0.1
+iptables -L -t nat
+
+# generate identity key
+/app/keygen --secret /app/id.sec --public /app/id.pub
+
+# your custom setup goes here
+
+# starting supervisord
+cat /etc/supervisord.conf
+/app/supervisord
diff --git a/enclave/supervisord.conf b/enclave/supervisord.conf
@@ -0,0 +1,49 @@
+[supervisord]
+loglevel=debug
+logfile=/dev/stdout
+logfile_maxbytes=0
+
+# attestation server
+[program:attestation-server]
+command=/app/attestation-server --ip-addr 127.0.0.1:1300 --pub-key /app/id.pub
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
+
+# attestation server proxy
+[program:attestation-proxy]
+command=/app/vsock-to-ip --vsock-addr 88:1300 --ip-addr 127.0.0.1:1300
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
+
+# transparent proxy component inside enclave
+[program:ip-to-vsock-transparent]
+command=/app/ip-to-vsock-transparent --vsock-addr 3:1200 --ip-addr 127.0.0.1:1200
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
+
+# DNS-over-HTTPS provider
+[program:dnsproxy]
+command=/app/dnsproxy -u https://1.1.1.1/dns-query -v
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
+
+# your custom programs go here
+[program:idempotent-proxy-server]
+command=/app/idempotent-proxy-server
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
