UID2-3702 Add python config server to eks pipeline (#739)

* Add config server changes * Use custom branch for testing * Add scripts/aws/config-server/ * Install python3.11 and pip3 * Update requirements.txt path * Add debugging message for entrypoint.sh * Comment out everything in entrypoint for debugging * Update sockd conf external host name * Add scripts/aws/eks/pod/sockd_eks.conf * Install amazon-ec2-net-utils * Try out different ethnert pods * Add ip link show to debug * Add packages in Dockerfile * Install systemd-networkd * Start systemd before starting the enclave * Try eth0@if180 and debug with networkctl * Use eth0 for dante external * Add ec2-user as user * Add ec2-user user * cd into /home/config-server/ before running the flask server * Add flask app files * Provide config server the correct path * Provide config server correct path * Fix typo and provide the correct path for secret * Add .pyc files to gitignore * Remove unnecessary packages * Install net-tools to run ifconfig * Remove `EXPOSE 27015` * Remove aws-nitro-enclaves-cli-devel * Revert kcc-UID2-3702-config-server to main
IABTechLab · Jul 22, 2024 · e4007e0 · e4007e0
1 parent 87c5b17
commit e4007e0
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 5 deletions.
diff --git a/.github/actions/build_eks_docker_image/action.yaml b/.github/actions/build_eks_docker_image/action.yaml
@@ -72,6 +72,7 @@ runs:
       id: copy_docker_files
       run: |
         mkdir -p ${{ inputs.artifacts_output_dir }}
+        cp -r ./scripts/aws/config-server/* ${{ inputs.artifacts_output_dir }}
         cp -r ./scripts/aws/eks/pod/* ${{ inputs.artifacts_output_dir }}
         ls -l ${{ inputs.artifacts_output_dir }}
 

diff --git a/scripts/aws/config-server/app.py b/scripts/aws/config-server/app.py
@@ -0,0 +1,15 @@
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route('/getConfig', methods=['GET'])
+def get_config():
+    try:
+        with open('/etc/secret/secret-value/config', 'r') as secret_file:
+            secret_value = secret_file.read().strip()
+        return secret_value
+    except Exception as e:
+        return str(e), 500
+
+if __name__ == '__main__':
+    app.run(processes=8)
diff --git a/scripts/aws/config-server/requirements.txt b/scripts/aws/config-server/requirements.txt
@@ -0,0 +1,3 @@
+Flask==2.3.2
+Werkzeug==3.0.3
+setuptools==70.0.0
diff --git a/scripts/aws/eks/pod/Dockerfile b/scripts/aws/eks/pod/Dockerfile
@@ -1,12 +1,16 @@
 FROM amazonlinux:2023
-RUN yum install aws-nitro-enclaves-cli-devel jq -y
+
 RUN dnf install aws-nitro-enclaves-cli -y
 # RUN yum install -y libxcrypt-compat
+RUN dnf -y install iproute
+RUN dnf -y install net-tools
+
 
-RUN yum install -y python3
+RUN dnf install python3.11 -y
+RUN dnf install python3.11-pip -y
 
 COPY ./sockd /home/
-COPY ./sockd.conf /etc/
+COPY ./sockd_eks.conf /etc/sockd.conf
 COPY ./vsockpx /home
 
 COPY ./entrypoint.sh /home/
@@ -16,4 +20,12 @@ COPY ./proxies.host.yaml /home/proxies.host.yaml
 RUN chmod +x /home/vsockpx && chmod +x /home/entrypoint.sh
 # RUN yum install net-tools -y
 
+COPY ./app.py /home/config-server/
+COPY ./requirements.txt /home/config-server/
+RUN python3 -m venv config-server
+RUN config-server/bin/pip3 install -r /home/config-server/requirements.txt
+
+RUN dnf -y install shadow-utils
+RUN useradd ec2-user
+
 CMD ["/home/entrypoint.sh"]
diff --git a/scripts/aws/eks/pod/entrypoint.sh b/scripts/aws/eks/pod/entrypoint.sh
@@ -5,11 +5,23 @@ MEMORY_MB=24576
 CPU_COUNT=6
 
 function terminate_old_enclave() {
+    echo "terminate_old_enclave"
     ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r ".[0].EnclaveID")
-    [ "$ENCLAVE_ID" != "null" ] && nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID}
+    if [ "$ENCLAVE_ID" != "null" ]; then
+        nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID}
+        echo "Terminated enclave with ID ${ENCLAVE_ID}"
+    else
+        echo "No running enclaves to terminate."
+    fi
+}
+
+function debug() {
+    ip link show
+    ifconfig
 }
 
 function setup_vsockproxy() {
+    echo "setup_vsockproxy"
     VSOCK_PROXY=${VSOCK_PROXY:-/home/vsockpx}
     VSOCK_CONFIG=${VSOCK_CONFIG:-/home/proxies.host.yaml}
     VSOCK_THREADS=${VSOCK_THREADS:-$(( $(nproc) * 2 )) }
@@ -20,16 +32,25 @@ function setup_vsockproxy() {
 }
 
 function setup_dante() {
+    echo "setup_dante"
     ulimit -n 1024
     /home/sockd -D
 }
 
+function run_config_server() {
+    echo "run_config_server"
+    cd /home/config-server/
+    /config-server/bin/flask run --host 127.0.0.1 --port 27015
+}
+
 function run_enclave() {
     echo "starting enclave..."
     nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name simple-eif --debug-mode --attach-console
 }
 
 terminate_old_enclave
+debug
 setup_vsockproxy
 setup_dante
-run_enclave
+run_config_server
+run_enclave
diff --git a/scripts/aws/eks/pod/sockd_eks.conf b/scripts/aws/eks/pod/sockd_eks.conf
@@ -0,0 +1,17 @@
+internal: 127.0.0.1 port = 3306
+external: eth0
+user.notprivileged: ec2-user
+clientmethod: none
+socksmethod: none
+
+client pass {
+    from: 127.0.0.1/32 to: 127.0.0.1/32
+    log: error # connect disconnect iooperation
+}
+
+socks pass {
+    from: 127.0.0.1/32 to: 0.0.0.0/0
+    command: bind connect
+    protocol: tcp
+    log: error
+}