Revert "ws-daemon: Use a pair of veths instead of slirp4netns"

This reverts commit 4fef102.

Author: akosyakov

components/ee/agent-smith/pkg/detector/proc_test.go

@@ -88,13 +88,15 @@ func TestFindWorkspaces(t *testing.T) {
 					Env: []string{"GITPOD_WORKSPACE_ID=foobar", "GITPOD_INSTANCE_ID=baz"},
 				}
 				res[3] = memoryProcEntry{P: &process{PID: 3, Parent: res[2].P, Cmdline: []string{"supervisor", "init"}}}
+				res[4] = memoryProcEntry{P: &process{PID: 4, Parent: res[2].P, Cmdline: []string{"slirp4netns"}}}
 				res[1].P.Children = []*process{res[2].P}
-				res[2].P.Children = []*process{res[3].P}
+				res[2].P.Children = []*process{res[3].P, res[4].P}
 				return res
 			})(),
 			Expectation: []WorkspaceAndDepth{
 				{PID: 2, D: 1, K: ProcessSandbox, C: "/proc/self/exe", W: ws},
 				{PID: 3, D: 2, K: ProcessSupervisor, C: "supervisor", W: ws},
+				{PID: 4, D: 2, K: ProcessUserWorkload, C: "slirp4netns", W: ws},
 			},
 		},
 		{

components/supervisor/pkg/ports/ports.go

@@ -33,18 +33,28 @@ func init() {
 }
 
 // NewManager creates a new port manager
-func NewManager(exposed ExposedPortsInterface, served ServedPortsObserver, config ConfigInterace, tunneled TunneledPortsInterface, internalPorts ...uint32) *Manager {
+func NewManager(exposed ExposedPortsInterface, served ServedPortsObserver, config ConfigInterace, tunneled TunneledPortsInterface, slirp SlirpClient, internalPorts ...uint32) *Manager {
 	state := make(map[uint32]*managedPort)
 	internal := make(map[uint32]struct{})
 	for _, p := range internalPorts {
 		internal[p] = struct{}{}
 	}
 
+	if slirp != nil {
+		for _, p := range internalPorts {
+			err := slirp.Expose(p)
+			if err != nil {
+				log.WithError(err).WithField("port", p).Error("cannot expose port")
+			}
+		}
+	}
+
 	return &Manager{
-		E: exposed,
-		S: served,
-		C: config,
-		T: tunneled,
+		E:     exposed,
+		S:     served,
+		C:     config,
+		T:     tunneled,
+		Slirp: slirp,
 
 		forceUpdates: make(chan struct{}, 1),
 
@@ -75,10 +85,11 @@ type autoExposure struct {
 // Manager brings together served and exposed ports. It keeps track of which port is exposed, which one is served,
 // auto-exposes ports and proxies ports served on localhost only.
 type Manager struct {
-	E ExposedPortsInterface
-	S ServedPortsObserver
-	C ConfigInterace
-	T TunneledPortsInterface
+	E     ExposedPortsInterface
+	S     ServedPortsObserver
+	C     ConfigInterace
+	T     TunneledPortsInterface
+	Slirp SlirpClient
 
 	forceUpdates chan struct{}
 
@@ -277,6 +288,7 @@ func (pm *Manager) updateState(ctx context.Context, exposed []ExposedPort, serve
 			log.WithField("served", newServed).Debug("updating served ports")
 			pm.served = newServed
 			pm.updateProxies()
+			pm.updateSlirp()
 			pm.autoTunnel(ctx)
 		}
 	}
@@ -525,6 +537,19 @@ func (pm *Manager) autoTunnel(ctx context.Context) {
 	}
 }
 
+func (pm *Manager) updateSlirp() {
+	if pm.Slirp == nil {
+		return
+	}
+
+	for _, served := range pm.served {
+		err := pm.Slirp.Expose(served.Port)
+		if err != nil {
+			log.WithError(err).Debug("cannot expose port for slirp")
+		}
+	}
+}
+
 func (pm *Manager) updateProxies() {
 	servedPortMap := map[uint32]bool{}
 	for _, s := range pm.served {

components/supervisor/pkg/ports/ports_test.go

@@ -517,7 +517,7 @@ func TestPortsUpdateState(t *testing.T) {
 					Error:   make(chan error, 1),
 				}
 
-				pm    = NewManager(exposed, served, config, tunneled, test.InternalPorts...)
+				pm    = NewManager(exposed, served, config, tunneled, nil, test.InternalPorts...)
 				updts [][]*api.PortsStatus
 			)
 			pm.proxyStarter = func(port uint32) (io.Closer, error) {
@@ -683,7 +683,7 @@ func TestPortsConcurrentSubscribe(t *testing.T) {
 			Changes: make(chan []PortTunnelState),
 			Error:   make(chan error, 1),
 		}
-		pm = NewManager(exposed, served, config, tunneled)
+		pm = NewManager(exposed, served, config, tunneled, nil)
 	)
 	pm.proxyStarter = func(local uint32) (io.Closer, error) {
 		return io.NopCloser(nil), nil

components/supervisor/pkg/ports/slirp4netns.go

@@ -0,0 +1,83 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package ports
+
+import (
+	"encoding/json"
+	"io"
+	"net"
+
+	"golang.org/x/xerrors"
+)
+
+type SlirpClient interface {
+	Expose(port uint32) error
+}
+
+type request struct {
+	Execute   string      `json:"execute"`
+	Arguments interface{} `json:"arguments"`
+}
+
+type reply struct {
+	Return map[string]interface{} `json:"return,omitempty"`
+	Error  map[string]interface{} `json:"error,omitempty"`
+}
+
+type Slirp4Netns string
+
+func (s Slirp4Netns) Expose(port uint32) error {
+	type addHostFwdArguments struct {
+		Proto     string `json:"proto"`
+		HostAddr  string `json:"host_addr"`
+		HostPort  int    `json:"host_port"`
+		GuestAddr string `json:"guest_addr"`
+		GuestPort int    `json:"guest_port"`
+	}
+
+	_, err := s.sendRequest(request{
+		Execute: "add_hostfwd",
+		Arguments: addHostFwdArguments{
+			GuestAddr: "10.0.2.100",
+			GuestPort: int(port),
+			HostAddr:  "0.0.0.0",
+			HostPort:  int(port),
+			Proto:     "tcp",
+		},
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (s Slirp4Netns) sendRequest(req request) (resp map[string]interface{}, err error) {
+	conn, err := net.DialUnix("unix", nil, &net.UnixAddr{Name: string(s), Net: "unix"})
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+
+	if err := json.NewEncoder(conn).Encode(req); err != nil {
+		return nil, err
+	}
+	if err := conn.CloseWrite(); err != nil {
+		return nil, err
+	}
+	b, err := io.ReadAll(conn)
+	if err != nil {
+		return nil, err
+	}
+	var rep reply
+	if err := json.Unmarshal(b, &rep); err != nil {
+		return nil, err
+	}
+
+	if len(rep.Error) > 0 {
+		return nil, xerrors.Errorf("error reply: %+v", rep.Error)
+	}
+	return rep.Return, nil
+}

components/supervisor/pkg/supervisor/supervisor.go

@@ -193,6 +193,11 @@ func Run(options ...RunOption) {
 		log.WithError(err).Warn("cannot tunnel internal ports")
 	}
 
+	var slirp ports.SlirpClient
+	if _, err := os.Stat("/.supervisor/slirp4netns.sock/slirp4netns.sock"); err == nil {
+		slirp = ports.Slirp4Netns("/.supervisor/slirp4netns.sock/slirp4netns.sock")
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 
 	internalPorts := []uint32{uint32(cfg.IDEPort), uint32(cfg.APIEndpointPort), uint32(cfg.SSHPort)}
@@ -214,6 +219,7 @@ func Run(options ...RunOption) {
 			},
 			ports.NewConfigService(cfg.WorkspaceID, gitpodConfigService, gitpodService),
 			tunneledPortsService,
+			slirp,
 			internalPorts...,
 		)
 		termMux             = terminal.NewMux()

components/workspacekit/cmd/rings.go

@@ -249,6 +249,10 @@ var ring1Cmd = &cobra.Command{
 			fsshift = api.FSShiftMethod(v)
 		}
 
+		var (
+			slirp4netnsSocket string
+		)
+
 		type mnte struct {
 			Target string
 			Source string
@@ -309,6 +313,15 @@ var ring1Cmd = &cobra.Command{
 			)
 		}
 
+		f, err := ioutil.TempDir("", "wskit-slirp4netns")
+		if err != nil {
+			log.WithError(err).Error("cannot create slirp4netns socket tempdir")
+			return
+		}
+
+		slirp4netnsSocket = filepath.Join(f, "slirp4netns.sock")
+		mnts = append(mnts, mnte{Target: "/.supervisor/slirp4netns.sock", Source: f, Flags: unix.MS_BIND | unix.MS_REC})
+
 		for _, m := range mnts {
 			dst := filepath.Join(ring2Root, m.Target)
 			_ = os.MkdirAll(dst, 0644)
@@ -462,6 +475,26 @@ var ring1Cmd = &cobra.Command{
 			return
 		}
 
+		slirpCmd := exec.Command(filepath.Join(filepath.Dir(ring2Opts.SupervisorPath), "slirp4netns"),
+			"--configure",
+			"--mtu=65520",
+			"--disable-host-loopback",
+			"--api-socket", slirp4netnsSocket,
+			strconv.Itoa(cmd.Process.Pid),
+			"tap0",
+		)
+		slirpCmd.SysProcAttr = &syscall.SysProcAttr{
+			Pdeathsig: syscall.SIGKILL,
+		}
+
+		err = slirpCmd.Start()
+		if err != nil {
+			log.WithError(err).Error("cannot start slirp4netns")
+			return
+		}
+		//nolint:errcheck
+		defer slirpCmd.Process.Kill()
+
 		client, err = connectToInWorkspaceDaemonService(ctx)
 		if err != nil {
 			log.WithError(err).Error("cannot connect to daemon")

components/workspacekit/leeway.Dockerfile

@@ -2,11 +2,17 @@
 # Licensed under the GNU Affero General Public License (AGPL).
 # See License-AGPL.txt in the project root for license information.
 
+FROM alpine:3.15 as download
+ENV SLIRP4NETNS_VERSION=v1.1.12
+WORKDIR /download
+RUN wget https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/slirp4netns-x86_64 -O slirp4netns && chmod 755 slirp4netns
+
 FROM scratch
 
 COPY components-workspacekit--app/workspacekit \
      components-workspacekit--fuse-overlayfs/fuse-overlayfs \
      /.supervisor/
+COPY --from=download /download/slirp4netns /.supervisor/
 
 ARG __GIT_COMMIT
 ARG VERSION