ws-daemon: Use a pair of veths instead of slirp4netns

          Pod Network Namespace(ring1)
+------------------------------------------------+
|                                                |
|       Workspace Network Namesapce(ring2)       |
| +--------------------------------------------+ |
| |                                            | |
| |              default via veth0             | |
| |                                            | |
| |                                            | |
| |     +------+  +--------------+             | |
| |     |  lo  |  |    ceth0     | 10.0.2.2/24 | |
| |     +------+  +--^--------+--+             | |
| |                  |        |                | |
| +------------------+--------+----------------+ |
|                    |        |                  |
|                 +--+--------v--+               |
|   +-----------> |    veth0     | 10.0.2.1/24   |
|   |             +-----------+--+               |
|   |                         |                  |
|   |          +--------------v-----+            |
|   |          |                    |            |
|   |          |      nftables      |            |
|   |          |   (ip masquerade)  |            |
|   |          +--------------+-----+            |
|   |                         |                  |
|   |   +------+  +-----------v--+               |
|   |   |  lo  |  |     eth0     |               |
|   |   +------+  +--^--------+--+               |
|   |                |        |                  |
|   |          +-----+--------v-----+            |
|   |          |                    |            |
|   +----------+      nftables      |            |
| if with port | (port redirecter)  |            |
|              +-----^--------+-----+            |
|                    |        |                  |
+--------------------+--------+------------------+
                     |        |
                     |        |
                     |        v
                    o u t s i d e

Author: utam0k

components/ee/agent-smith/pkg/detector/proc_test.go

@@ -88,15 +88,13 @@ func TestFindWorkspaces(t *testing.T) {
 					Env: []string{"GITPOD_WORKSPACE_ID=foobar", "GITPOD_INSTANCE_ID=baz"},
 				}
 				res[3] = memoryProcEntry{P: &process{PID: 3, Parent: res[2].P, Cmdline: []string{"supervisor", "init"}}}
-				res[4] = memoryProcEntry{P: &process{PID: 4, Parent: res[2].P, Cmdline: []string{"slirp4netns"}}}
 				res[1].P.Children = []*process{res[2].P}
-				res[2].P.Children = []*process{res[3].P, res[4].P}
+				res[2].P.Children = []*process{res[3].P}
 				return res
 			})(),
 			Expectation: []WorkspaceAndDepth{
 				{PID: 2, D: 1, K: ProcessSandbox, C: "/proc/self/exe", W: ws},
 				{PID: 3, D: 2, K: ProcessSupervisor, C: "supervisor", W: ws},
-				{PID: 4, D: 2, K: ProcessUserWorkload, C: "slirp4netns", W: ws},
 			},
 		},
 		{

components/supervisor/pkg/ports/ports.go

@@ -33,28 +33,18 @@ func init() {
 }
 
 // NewManager creates a new port manager
-func NewManager(exposed ExposedPortsInterface, served ServedPortsObserver, config ConfigInterace, tunneled TunneledPortsInterface, slirp SlirpClient, internalPorts ...uint32) *Manager {
+func NewManager(exposed ExposedPortsInterface, served ServedPortsObserver, config ConfigInterace, tunneled TunneledPortsInterface, internalPorts ...uint32) *Manager {
 	state := make(map[uint32]*managedPort)
 	internal := make(map[uint32]struct{})
 	for _, p := range internalPorts {
 		internal[p] = struct{}{}
 	}
 
-	if slirp != nil {
-		for _, p := range internalPorts {
-			err := slirp.Expose(p)
-			if err != nil {
-				log.WithError(err).WithField("port", p).Error("cannot expose port")
-			}
-		}
-	}
-
 	return &Manager{
-		E:     exposed,
-		S:     served,
-		C:     config,
-		T:     tunneled,
-		Slirp: slirp,
+		E: exposed,
+		S: served,
+		C: config,
+		T: tunneled,
 
 		forceUpdates: make(chan struct{}, 1),
 
@@ -85,11 +75,10 @@ type autoExposure struct {
 // Manager brings together served and exposed ports. It keeps track of which port is exposed, which one is served,
 // auto-exposes ports and proxies ports served on localhost only.
 type Manager struct {
-	E     ExposedPortsInterface
-	S     ServedPortsObserver
-	C     ConfigInterace
-	T     TunneledPortsInterface
-	Slirp SlirpClient
+	E ExposedPortsInterface
+	S ServedPortsObserver
+	C ConfigInterace
+	T TunneledPortsInterface
 
 	forceUpdates chan struct{}
 
@@ -288,7 +277,6 @@ func (pm *Manager) updateState(ctx context.Context, exposed []ExposedPort, serve
 			log.WithField("served", newServed).Debug("updating served ports")
 			pm.served = newServed
 			pm.updateProxies()
-			pm.updateSlirp()
 			pm.autoTunnel(ctx)
 		}
 	}
@@ -537,19 +525,6 @@ func (pm *Manager) autoTunnel(ctx context.Context) {
 	}
 }
 
-func (pm *Manager) updateSlirp() {
-	if pm.Slirp == nil {
-		return
-	}
-
-	for _, served := range pm.served {
-		err := pm.Slirp.Expose(served.Port)
-		if err != nil {
-			log.WithError(err).Debug("cannot expose port for slirp")
-		}
-	}
-}
-
 func (pm *Manager) updateProxies() {
 	servedPortMap := map[uint32]bool{}
 	for _, s := range pm.served {

components/supervisor/pkg/ports/ports_test.go

@@ -517,7 +517,7 @@ func TestPortsUpdateState(t *testing.T) {
 					Error:   make(chan error, 1),
 				}
 
-				pm    = NewManager(exposed, served, config, tunneled, nil, test.InternalPorts...)
+				pm    = NewManager(exposed, served, config, tunneled, test.InternalPorts...)
 				updts [][]*api.PortsStatus
 			)
 			pm.proxyStarter = func(port uint32) (io.Closer, error) {
@@ -683,7 +683,7 @@ func TestPortsConcurrentSubscribe(t *testing.T) {
 			Changes: make(chan []PortTunnelState),
 			Error:   make(chan error, 1),
 		}
-		pm = NewManager(exposed, served, config, tunneled, nil)
+		pm = NewManager(exposed, served, config, tunneled)
 	)
 	pm.proxyStarter = func(local uint32) (io.Closer, error) {
 		return io.NopCloser(nil), nil

components/supervisor/pkg/ports/slirp4netns.go

@@ -193,11 +193,6 @@ func Run(options ...RunOption) {
 		log.WithError(err).Warn("cannot tunnel internal ports")
 	}
 
-	var slirp ports.SlirpClient
-	if _, err := os.Stat("/.supervisor/slirp4netns.sock/slirp4netns.sock"); err == nil {
-		slirp = ports.Slirp4Netns("/.supervisor/slirp4netns.sock/slirp4netns.sock")
-	}
-
 	ctx, cancel := context.WithCancel(context.Background())
 
 	internalPorts := []uint32{uint32(cfg.IDEPort), uint32(cfg.APIEndpointPort), uint32(cfg.SSHPort)}
@@ -219,7 +214,6 @@ func Run(options ...RunOption) {
 			},
 			ports.NewConfigService(cfg.WorkspaceID, gitpodConfigService, gitpodService),
 			tunneledPortsService,
-			slirp,
 			internalPorts...,
 		)
 		termMux             = terminal.NewMux()

components/supervisor/pkg/supervisor/supervisor.go

@@ -249,10 +249,6 @@ var ring1Cmd = &cobra.Command{
 			fsshift = api.FSShiftMethod(v)
 		}
 
-		var (
-			slirp4netnsSocket string
-		)
-
 		type mnte struct {
 			Target string
 			Source string
@@ -313,15 +309,6 @@ var ring1Cmd = &cobra.Command{
 			)
 		}
 
-		f, err := ioutil.TempDir("", "wskit-slirp4netns")
-		if err != nil {
-			log.WithError(err).Error("cannot create slirp4netns socket tempdir")
-			return
-		}
-
-		slirp4netnsSocket = filepath.Join(f, "slirp4netns.sock")
-		mnts = append(mnts, mnte{Target: "/.supervisor/slirp4netns.sock", Source: f, Flags: unix.MS_BIND | unix.MS_REC})
-
 		for _, m := range mnts {
 			dst := filepath.Join(ring2Root, m.Target)
 			_ = os.MkdirAll(dst, 0644)
@@ -475,26 +462,6 @@ var ring1Cmd = &cobra.Command{
 			return
 		}
 
-		slirpCmd := exec.Command(filepath.Join(filepath.Dir(ring2Opts.SupervisorPath), "slirp4netns"),
-			"--configure",
-			"--mtu=65520",
-			"--disable-host-loopback",
-			"--api-socket", slirp4netnsSocket,
-			strconv.Itoa(cmd.Process.Pid),
-			"tap0",
-		)
-		slirpCmd.SysProcAttr = &syscall.SysProcAttr{
-			Pdeathsig: syscall.SIGKILL,
-		}
-
-		err = slirpCmd.Start()
-		if err != nil {
-			log.WithError(err).Error("cannot start slirp4netns")
-			return
-		}
-		//nolint:errcheck
-		defer slirpCmd.Process.Kill()
-
 		client, err = connectToInWorkspaceDaemonService(ctx)
 		if err != nil {
 			log.WithError(err).Error("cannot connect to daemon")

components/workspacekit/cmd/rings.go

@@ -2,17 +2,11 @@
 # Licensed under the GNU Affero General Public License (AGPL).
 # See License-AGPL.txt in the project root for license information.
 
-FROM alpine:3.15 as download
-ENV SLIRP4NETNS_VERSION=v1.1.12
-WORKDIR /download
-RUN wget https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/slirp4netns-x86_64 -O slirp4netns && chmod 755 slirp4netns
-
 FROM scratch
 
 COPY components-workspacekit--app/workspacekit \
      components-workspacekit--fuse-overlayfs/fuse-overlayfs \
      /.supervisor/
-COPY --from=download /download/slirp4netns /.supervisor/
 
 ARG __GIT_COMMIT
 ARG VERSION